4. Deploying Harbor over HTTPS

Host plan

Hostname            IP           Purpose
k8s-harbor-01-140   10.0.0.140   Harbor host
Docker-test-01      10.0.0.101   Docker client used to test HTTPS access to Harbor; Docker is already installed and configured on it

Official documentation: https://goharbor.io/docs/2.0.0/install-config/configure-https/

Generate a Certificate Authority certificate

1. Generate the CA certificate private key.

In a production environment you should obtain a certificate from a CA. In a test or development environment you can generate your own CA; every client that talks to Harbor then has to be told to trust that CA explicitly, which is what the Docker certs.d step later in this post does.

#Create a directory to hold the certificates (optional)
root@k8s-harbor-01-140:~# mkdir -p /opt/soft/certs
root@k8s-harbor-01-140:~# cd /opt/soft/certs/
#Generate the CA certificate private key.
root@k8s-harbor-01-140:/opt/soft/certs# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
..........................................................................................................................++++
...........++++
e is 65537 (0x010001)

2. Generate the CA certificate.
Adjust the values in the -subj option to reflect your organization. The domain used throughout this post is xmtx.harbor.com. The Harbor documentation puts the Harbor FQDN in the CA's CN as well, and that is what is done below; note that clients match the hostname against the server certificate's CN and SAN, not against the CA's, so giving the CA a distinct CN (for example "xmtx harbor CA") is equally valid and keeps issuer and subject distinguishable when you inspect certificates with openssl x509 -text.

root@k8s-harbor-01-140:/opt/soft/certs# openssl req -x509 -new -nodes -sha512 -days 3650 \
>  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=xmtx.harbor.com" \
>  -key ca.key \
>  -out ca.crt

Generate a server certificate

A certificate usually consists of a .crt file and a .key file, for example yourdomain.com.crt and yourdomain.com.key.
1. Generate the private key.

root@k8s-harbor-01-140:/opt/soft/certs# openssl genrsa -out xmtx.harbor.com.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................................++++
....................++++
e is 65537 (0x010001)

2. Generate a certificate signing request (CSR).

Adjust the values in the -subj option to reflect your organization. If you use an FQDN to connect to the Harbor host, you must specify it as the common name (CN) attribute and use it in the key and CSR file names.

root@k8s-harbor-01-140:/opt/soft/certs# openssl req -sha512 -new \
>   -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=xmtx.harbor.com" \
>   -key xmtx.harbor.com.key \
>   -out xmtx.harbor.com.csr

3. Generate an x509 v3 extension file.

Whether you use an FQDN or an IP address to connect to the Harbor host, you must create this file so that a certificate meeting the Subject Alternative Name (SAN) and x509 v3 extension requirements can be generated for your Harbor host. Replace the DNS entries to reflect your domain. If clients will reach Harbor by IP address, add an IP.1=<address> line under [alt_names]: an address written into a DNS entry does not satisfy SAN matching, and Docker (Go's TLS stack) rejects the connection.

root@k8s-harbor-01-140:/opt/soft/certs# cat > v3.ext <<-EOF
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
> 
> [alt_names]
> DNS.1=xmtx.harbor.com
> DNS.2=xmtx.harbor
> DNS.3=harbor
> EOF

4. Generate the certificate for the Harbor host using v3.ext

root@k8s-harbor-01-140:/opt/soft/certs# openssl x509 -req -sha512 -days 3650 \
>     -extfile v3.ext \
>     -CA ca.crt -CAkey ca.key -CAcreateserial \
>     -in xmtx.harbor.com.csr \
>     -out xmtx.harbor.com.crt
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = example, OU = Personal, CN = xmtx.harbor.com
Getting CA Private Key
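The CA and server-certificate steps above, collected into one script as an added example (not part of the original post or of Harbor): it generates the same files, gives the CA a distinct CN ("xmtx harbor CA", an invented name), adds an IP.1 SAN entry for clients that use the host address 10.0.0.140 from the host plan, and then verifies the result with openssl verify the way a Docker client's chain and hostname checks will, including the negative cases the post does not show.

```shell
#!/bin/sh
# Added example, not from the original post or from Harbor: the CA and
# server-certificate steps as functions, plus a verification pass.
# Assumptions: the CA CN "xmtx harbor CA" is an invented name; the IP SAN
# entry is the Harbor host address from the host plan (10.0.0.140).
set -eu

# harbor_gen_certs OUTDIR FQDN IP
# Writes ca.key, ca.crt, <FQDN>.key, <FQDN>.csr, <FQDN>.crt and v3.ext to OUTDIR.
harbor_gen_certs() {
    outdir=$1; fqdn=$2; ip=$3
    mkdir -p "$outdir" || return 1
    # CA private key and self-signed CA certificate (10 years, as in the post).
    openssl genrsa -out "$outdir/ca.key" 4096 2>/dev/null || return 1
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=xmtx harbor CA" \
        -key "$outdir/ca.key" -out "$outdir/ca.crt" 2>/dev/null || return 1
    # Server private key and CSR; the CN is the FQDN clients connect to.
    openssl genrsa -out "$outdir/$fqdn.key" 4096 2>/dev/null || return 1
    openssl req -sha512 -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$fqdn" \
        -key "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" 2>/dev/null || return 1
    # x509 v3 extensions: end-entity cert, server auth, SAN with DNS and IP.
    cat > "$outdir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$fqdn
IP.1=$ip
EOF
    # Sign the CSR with the CA, applying the extensions from v3.ext.
    openssl x509 -req -sha512 -days 3650 -extfile "$outdir/v3.ext" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -in "$outdir/$fqdn.csr" -out "$outdir/$fqdn.crt" 2>/dev/null || return 1
    # Private keys stay readable by root only.
    chmod 600 "$outdir/ca.key" "$outdir/$fqdn.key"
}

# harbor_verify_cert CERT CA FQDN IP
# Returns 0 only if CERT chains to CA, passes hostname verification for FQDN
# and IP verification for IP, is not itself a CA, and lists FQDN as a DNS SAN.
harbor_verify_cert() {
    cert=$1; ca=$2; fqdn=$3; ip=$4
    openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1 &&
    openssl verify -CAfile "$ca" -verify_ip "$ip" "$cert" >/dev/null 2>&1 &&
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:FALSE' &&
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$fqdn"
}

# Stand-alone demo: generate into a scratch directory and verify the result.
# On the Harbor host you would pass /opt/soft/certs instead of a temp dir.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    harbor_gen_certs "$demo" xmtx.harbor.com 10.0.0.140
    harbor_verify_cert "$demo/xmtx.harbor.com.crt" "$demo/ca.crt" xmtx.harbor.com 10.0.0.140 &&
        echo "certificates in $demo verify for xmtx.harbor.com and 10.0.0.140"
fi
```

The verify function is the check worth running before copying anything to /opt/data/cert: a certificate that verifies against ca.crt but fails -verify_hostname is exactly the case where docker login later reports an x509 error even though nginx starts fine.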

Provide the certificates to Harbor and Docker

After the ca.crt, .crt and .key files have been generated, they must be provided to Harbor and to Docker, and Harbor must be reconfigured to use them.

#Create a folder to hold the certificates
root@k8s-harbor-01-140:/opt/soft/certs# mkdir -p /opt/data/cert/
#Copy the server certificate and key into the certificate folder on the Harbor host.
root@k8s-harbor-01-140:/opt/soft/certs# cp xmtx.harbor.com.crt /opt/data/cert/
root@k8s-harbor-01-140:/opt/soft/certs# cp xmtx.harbor.com.key /opt/data/cert/
#Convert .crt to .cert for Docker
root@k8s-harbor-01-140:/opt/soft/certs# openssl x509 -inform PEM -in xmtx.harbor.com.crt -out xmtx.harbor.com.cert
#Copy the server certificate, key and CA file into the Docker certificate folder on the test client
#(the target directory /etc/docker/certs.d/xmtx.harbor.com/ must already exist on 10.0.0.101)
root@k8s-harbor-01-140:/opt/soft/certs# scp xmtx.harbor.com.cert 10.0.0.101:/etc/docker/certs.d/xmtx.harbor.com/ 
root@k8s-harbor-01-140:/opt/soft/certs# scp xmtx.harbor.com.key  10.0.0.101:/etc/docker/certs.d/xmtx.harbor.com/   
root@k8s-harbor-01-140:/opt/soft/certs# scp ca.crt  10.0.0.101:/etc/docker/certs.d/xmtx.harbor.com/ 

These three scp commands mirror the Harbor documentation, but only the last one is needed for what the Docker client does here. Docker checks a registry's TLS certificate against /etc/docker/certs.d/<registry>/ca.crt; a <name>.cert/<name>.key pair in the same directory is presented as a client certificate for mutual TLS, which this Harbor setup does not use. Copying xmtx.harbor.com.key to client machines therefore gains nothing and puts the registry's private key on every host that pulls images. Keep the .key on the Harbor host only, readable by root alone (chmod 600), and ship ca.crt by itself to clients.

Deploy Harbor

Docker and docker-compose must be installed before Harbor can be deployed.

Install Docker

#Install prerequisites
root@k8s-harbor-01-140:~# sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
#Trust Docker's GPG public key
root@k8s-harbor-01-140:~# mkdir /etc/apt/keyrings/
root@k8s-harbor-01-140:~# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
#Add the package repository (a domestic mirror of download.docker.com; thanks to signed-by=, apt still verifies the repository metadata against Docker's key, so the mirror cannot substitute packages)
root@k8s-harbor-01-140:~# echo \
   "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu \
   $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
#Refresh the package lists
root@k8s-harbor-01-140:~# sudo apt-get update
#Install Docker
root@k8s-harbor-01-140:~# apt install docker-ce
#Check the version
root@k8s-harbor-01-140:~# docker --version
Docker version 20.10.17, build 100c701

Install docker-compose

Whichever source you download from, compare the binary's SHA-256 with the checksum published on the GitHub release before making it executable: an unverified binary fetched over a mirror ends up running as root on the registry host.

#Download the binary
root@k8s-harbor-01-140:/usr/local/bin# wget https://github.com/docker/compose/releases/download/v2.3.4/docker-compose-linux-x86_64
#If the download is too slow, a domestic mirror can be used; change the version number to the one you want
#curl -L https://get.daocloud.io/docker/compose/releases/download/v2.3.4/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
#Rename the file
root@k8s-harbor-01-140:/usr/local/bin# cp docker-compose-linux-x86_64 docker-compose
#Make it executable
root@k8s-harbor-01-140:/usr/local/bin# chmod +x docker-compose
#Verify
root@k8s-harbor-01-140:/usr/local/bin# docker-compose --version
Docker Compose version v2.3.4
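The download step above takes an executable from GitHub or a mirror and runs it as root without checking it. As an added example (not from the post, nor from Docker Compose), the following wrapper installs a binary only when its SHA-256 matches an expected digest. The release URLs in the comments are the post's; the docker-compose-linux-x86_64.sha256 asset name is an assumption to confirm on the release page.

```shell
#!/bin/sh
# Added example, not from the original post: install a downloaded binary only
# after its SHA-256 matches the value published with the release.
set -eu

# install_verified_binary FILE EXPECTED_SHA256 DEST
# Returns 0 and installs FILE as DEST (mode 0755) only if the digest matches;
# otherwise prints the mismatch, returns 1 and leaves DEST untouched.
install_verified_binary() {
    file=$1; expected=$2; dest=$3
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    install -m 0755 "$file" "$dest"
}

# Typical use on the Harbor host (needs network access; not run here).
# Fetch the .sha256 from the upstream GitHub release even when the binary
# itself came from a mirror such as get.daocloud.io, so the mirror cannot
# substitute the binary. Asset name ".sha256" is an assumption to check.
#   v=v2.3.4; base=https://github.com/docker/compose/releases/download/$v
#   curl -fsSLo /tmp/docker-compose "$base/docker-compose-linux-x86_64"
#   curl -fsSLo /tmp/docker-compose.sha256 "$base/docker-compose-linux-x86_64.sha256"
#   install_verified_binary /tmp/docker-compose \
#       "$(cut -d' ' -f1 /tmp/docker-compose.sha256)" /usr/local/bin/docker-compose
```

Using install(1) instead of cp plus chmod writes the file and its mode in one step, so there is no window in which an unverified or partially written file sits executable on PATH.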

Install Harbor

#Unpack the offline installer package
root@k8s-harbor-01-140:/opt/soft/harbor# tar zxvf harbor-offline-installer-v2.5.3.tgz 
harbor/harbor.v2.5.3.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
root@k8s-harbor-01-140:/opt/soft/harbor# cd harbor/
#Copy the default configuration file
root@k8s-harbor-01-140:/opt/soft/harbor/harbor# cp harbor.yml.tmpl harbor.yml
#Edit the parameters as needed
root@k8s-harbor-01-140:/opt/soft/harbor/harbor# vim harbor.yml
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: xmtx.harbor.com  #change to your own domain name

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx 
  certificate: /opt/data/cert/xmtx.harbor.com.crt   #change to your own certificate path
  private_key: /opt/data/cert/xmtx.harbor.com.key   #change to your own key path
  
#Data directory
data_volume: /opt/data/harbor

The hostname value must match the CN/SAN of the certificate generated above, otherwise clients fail hostname verification even though nginx starts. While editing harbor.yml, also change harbor_admin_password (the template ships with Harbor12345): the admin account is reachable from the network as soon as install.sh finishes.

#Install
root@k8s-harbor-01-140:/opt/soft/harbor/harbor# ./install.sh  --with-trivy --with-chartmuseum
..................................................
✔ ----Harbor has been installed and started successfully.----

Verification

#Test login from the Docker client
root@Docker-test-01:~# docker login xmtx.harbor.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
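An added example (not from the original post, Harbor or Docker) that covers the two client-side steps, copying trust material to the Docker client and verifying the connection: it installs only ca.crt into /etc/docker/certs.d/<registry>/, refuses a file that contains a private key, and checks the live TLS handshake with openssl s_client before docker login is attempted. The optional CERTS_ROOT argument (a scratch directory instead of /etc/docker/certs.d) is an addition for testing.

```shell
#!/bin/sh
# Added example, not from the original post, Harbor or Docker: put only the
# CA certificate on a Docker client, refuse to ship a private key, and check
# the registry's TLS chain the way the Docker daemon will.
set -eu

# install_registry_ca FQDN CA_FILE [CERTS_ROOT]
# Installs CA_FILE as <CERTS_ROOT>/<FQDN>/ca.crt (CERTS_ROOT defaults to the
# real /etc/docker/certs.d). Returns 1 if the file contains a private key block
# or is not a PEM certificate, and then creates nothing.
install_registry_ca() {
    fqdn=$1; ca=$2; root=${3:-/etc/docker/certs.d}
    if grep -q 'PRIVATE KEY' "$ca"; then
        echo "refusing $ca: it contains a private key; clients only need the CA certificate" >&2
        return 1
    fi
    if ! openssl x509 -in "$ca" -noout >/dev/null 2>&1; then
        echo "refusing $ca: not a PEM certificate" >&2
        return 1
    fi
    mkdir -p "$root/$fqdn" && install -m 0644 "$ca" "$root/$fqdn/ca.crt"
}

# check_registry_tls FQDN [PORT] [CERTS_ROOT]
# Live check, needs the registry reachable: the handshake must verify against
# the installed ca.crt and the certificate must pass hostname verification.
check_registry_tls() {
    fqdn=$1; port=${2:-443}; root=${3:-/etc/docker/certs.d}
    out=$(openssl s_client -connect "$fqdn:$port" -servername "$fqdn" \
            -CAfile "$root/$fqdn/ca.crt" -verify_hostname "$fqdn" </dev/null 2>/dev/null) || true
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# On Docker-test-01, after scp'ing ca.crt from the Harbor host (not run here):
#   install_registry_ca xmtx.harbor.com ./ca.crt && check_registry_tls xmtx.harbor.com
#   docker login xmtx.harbor.com
```

If check_registry_tls fails while ca.crt is in place, the usual causes are the hostname in harbor.yml not matching the certificate's SAN, or connecting by an IP address that has no IP SAN entry; both show up in the "Verify return code" line that the function greps for.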
Posted by xmtx97