十三、搭建SSL的私有harbor仓库

一、实验环境

 
System OS: CentOS Linux release 7.6.1810 (Core)
docker version: Docker version 20.10.1

node1 192.168.32.211 docker+harbor
node2 192.168.32.212 docker

harbor软件版本:
harbor-offline-installer-v2.1.2

二、部署ssl的私有harbor仓库

1、安装docker

#下载docker-ce的yum源
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/docker-ce.repo
#把docker-ce源的地址修改为清华源的地址
sed -i 's#download.docker.com#mirrors.tuna.tsinghua.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
#更新docker-ce.repo
yum makecache fast
#安装docker-ce
yum install -y docker-ce

2、安装Docker Compose

方法一:
https://github.com/docker/compose/releases
方法二:
yum install -y docker-compose

[root@node1 ~]# docker-compose -v
docker-compose version 1.18.0, build 8dd22a9

3、部署Harbor HTTP

#上传harbor-offline-installer-v2.1.2.tgz
cd /app
tar harbor-offline-installer-v2.1.2.tgz
cd harbor 
cp harbor.yml.tmpl harbor.yml 

########################################harbor.yml配置文件######################################
vim harbor.yml 
# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.32.211

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:
  # https port for harbor, default is 443
#  port: 443
  # The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: 123456
......
####################################end###################################################


./prepare 

./install.sh
[root@node1 harbor]# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                   PORTS                       NAMES
4289e237bf1e   goharbor/harbor-jobservice:v2.1.2    "/harbor/entrypoint.…"   3 minutes ago   Up 3 minutes (healthy)                               harbor-jobservice
775f3d56527f   goharbor/nginx-photon:v2.1.2         "nginx -g 'daemon of…"   3 minutes ago   Up 3 minutes (healthy)   0.0.0.0:80->8080/tcp        nginx
3fa161a8dd62   goharbor/harbor-core:v2.1.2          "/harbor/entrypoint.…"   3 minutes ago   Up 3 minutes (healthy)                               harbor-core
518b19e39709   goharbor/harbor-registryctl:v2.1.2   "/home/harbor/start.…"   3 minutes ago   Up 3 minutes (healthy)                               registryctl
decebb8bffd5   goharbor/harbor-db:v2.1.2            "/docker-entrypoint.…"   3 minutes ago   Up 3 minutes (healthy)                               harbor-db
0393da381782   goharbor/redis-photon:v2.1.2         "redis-server /etc/r…"   3 minutes ago   Up 3 minutes (healthy)                               redis
8aac2bb9c083   goharbor/registry-photon:v2.1.2      "/home/harbor/entryp…"   3 minutes ago   Up 3 minutes (healthy)                               registry
48b17d48e306   goharbor/harbor-portal:v2.1.2        "nginx -g 'daemon of…"   3 minutes ago   Up 3 minutes (healthy)                               harbor-portal
25e5d96537ca   goharbor/harbor-log:v2.1.2           "/bin/sh -c /usr/loc…"   3 minutes ago   Up 3 minutes (healthy)   127.0.0.1:1514->10514/tcp   harbor-log

4、生成SSL证书

4.1搭建CA服务器

CA服务器上操作,本操作为node1

 
#安装openssl
yum -y install openssl 
#openssl配置文件信息
#####################################################
 vim /etc/pki/tls/openssl.cnf 
[CA_default]
dir  :ca的工作目录变量。被下方参数引用(注意:centos5上,此参数要改成绝对路径,不能用相对路径);
certs    :证书存放位置;
crl_dir     :吊销证书的存放位置;
database    :索引文件数据库。签署的所有证书索引文件。自动生成;
new_certs_dir    :刚签署的证书存放位置;
certificate       :ca自己的证书位置;
serial        :下一个证书的编号;
crlnumber         :已吊销证书的证书编号;
crl        :当前正在使用的证书吊销列表文件;
private_key        :ca自己的私钥,安全性很高(可以加密私钥位置文件,让别人拿到也看不了。但是每次使用都得
解密);
##################################end###############################


#进入CA的工作目录
mkdir /harbor_CA
cd /harbor_CA
#创建自己的CA证书(不使用第三方权威机构的CA来认证,自己充当CA的角色)
(umask 077; openssl genrsa -out ca.key 2048) 
生成自签名证书(使用已有私钥cakey.pem自行签发根证书)
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt 

###########################需要填写的信息#############################
Country Name (2 letter code) [XX]:CN          #国家代码
State or Province Name (full name) []:SC      #所在省份
Locality Name (eg, city) [Default City]:CD    #所在城市 
Organization Name (eg, company) [Default Company Ltd]:test    #机构名称
Organizational Unit Name (eg, section) []:test   #部门名称
Common Name (eg, your name or your server's hostname) []:www.ywx.com  #主机名称(重要)
Email Address []:test@163.com    #邮箱地址
#########################end############################################

cd /harbor_CA 
#创建索引文件
touch index.txt 
#证书编号位置
touch serial 
#自定义开始证书编号
echo 01 > serial 
#已吊销证书编号文件
touch crlnumber 

4.2为harbor生成证书请求文件

本操作为node1

#创建证书目录并进入
mkdir /root/harbor_ssl
cd /root/harbor_ssl
#生成harbor私钥
(umask 077; openssl genrsa -out harbor.key 1024) 
#根据私钥,创建证书申请文件
 openssl req -new -nodes -key /root/harbor_ssl/harbor.key -out /root/harbor_ssl/harbor.csr  -days 365 
 
 ###########################填写信息############################
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN     #国家代码
State or Province Name (full name) []:SC   #所在省份
Locality Name (eg, city) [Default City]:SC  #所在城市 
Organization Name (eg, company) [Default Company Ltd]:TEST  #机构名称
Organizational Unit Name (eg, section) []:TEST  #部门名称
Common Name (eg, your name or your server's hostname) []:www.ywx.com   #主机名称(重要)
Email Address []:test@163.com   #邮箱地址

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    #空
An optional company name []:   #空
[root@node1 harbor_ssl]# 
#############################end###################################

4.3 将harbor证书申请文件复制到CA服务器上,有CA进行数字签名

本操作在node1

生成注册表主机的证书

1) 如果您使用的是像reg.yourdomain.com这样的FQDN 来连接您的注册表主机,请运行以下命令以生成注册表主机的证书:

openssl x509 -req -days 365 -in yourdomain.com.csr -CA /harbor_CA/ca.crt -CAkey /harbor_CA/ca.key -CAcreateserial -out yourdomain.com.crt

2) 如果你使用IP,比如192.168.32.211来连接你的注册表主机,你可以运行下面的命令:

echo subjectAltName = IP:192.168.32.211 > extfile.cnf
openssl x509 -req -in /root/harbor_ssl/harbor.csr -CA /harbor_CA/ca.crt -CAkey /harbor_CA/ca.key -CAcreateserial -extfile /root/harbor_ssl/extfile.cnf -days 365 -out /root/harbor_ssl/harbor.crt

拷贝回harbor主机

4.4修改harbar的配置文件并重新安装部署

本操作在node1

 
#配置文件修改
 cd /app/harbor/
 vim harbor.yaml
 ##############################配置文件修改##################
 # Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: 192.168.32.211

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /root/harbor_ssl/harbor.crt
  private_key: /root/harbor_ssl/harbor.key

# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: 123456
。。。。
###########################################end###################################

#重新部署https的harbor
./prepare 
./install.sh
#重启harbor的容器
docker-compose  down 
docker-compose  up -d

5、访问测试

6、把harbor.crt证书拷贝到docker主机

本操作在node2

在具有Docker守护进程的机器上,确保选项“-insecure-registry”不存在,并且您必须将上述步骤中生成的harbor.crt复制到/etc/docker/certs.d/reg.yourdomain.com(或您的注册表主机IP),如果该目录不存在,请创建它。如果您将nginx端口443映射到另一个端口,则应改为创建/etc/docker/certs.d/reg.yourdomain.com:port(或您的注册表主机IP:端口)目录。然后运行任何docker命令来验证设置。

#创建证书目录
[root@node2 docker]# mkdir -p /etc/docker/certs.d/192.168.32.211
#从192.168.32.211上拉取harbor.crt证书
[root@node2 docker]# cd /etc/docker/certs.d/192.168.32.211
[root@node2 192.168.32.211]# scp -r 192.168.32.211:/root/harbor_ssl/harbor.crt ./
[root@node2 192.168.32.211]# ls
harbor.crt

#重启docker
[root@node2 192.168.32.211]# systemctl restart docker

7、上传/下载镜像测试

本操作在node2

上传镜像文件

 
[root@node2 ~]# docker login https://192.168.32.211
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded


[root@node2 ~]# docker tag busybox:latest 192.168.32.211/library/busybox:latest
[root@node2 ~]# docker push 192.168.32.211/library/busybox:latest
The push refers to repository [192.168.32.211/library/busybox]
de168d3b8ec4: Pushed 
latest: digest: sha256:31a54a0cf86d7354788a8265f60ae6acb4b348a67efbcf7c1007dd3cf7af05ab size: 527

下载镜像文件

[root@node2 ~]# docker rmi 192.168.32.211/busybox
Untagged: 192.168.32.211/busybox:latest
[root@node2 ~]# docker rmi 192.168.32.211/library/busybox
Untagged: 192.168.32.211/library/busybox:latest
Untagged: 192.168.32.211/library/busybox@sha256:31a54a0cf86d7354788a8265f60ae6acb4b348a67efbcf7c1007dd3cf7af05ab
[root@node2 ~]# docker images
REPOSITORY             TAG       IMAGE ID       CREATED       SIZE
192.168.32.211/nginx   latest    ae2feff98a0c   9 days ago    133MB
nginx                  latest    ae2feff98a0c   9 days ago    133MB
busybox                latest    219ee5171f80   3 weeks ago   1.23MB

下载镜像文件
[root@node2 ~]# docker pull 192.168.32.211/library/busybox:latest
latest: Pulling from library/busybox
Digest: sha256:31a54a0cf86d7354788a8265f60ae6acb4b348a67efbcf7c1007dd3cf7af05ab
Status: Downloaded newer image for 192.168.32.211/library/busybox:latest
192.168.32.211/library/busybox:latest
[root@node2 ~]# docker images
REPOSITORY                       TAG       IMAGE ID       CREATED       SIZE
192.168.32.211/nginx             latest    ae2feff98a0c   9 days ago    133MB
nginx                            latest    ae2feff98a0c   9 days ago    133MB
192.168.32.211/library/busybox   latest    219ee5171f80   3 weeks ago   1.23MB
busybox                          latest    219ee5171f80   3 weeks ago   1.23MB

 

posted @ 2020-12-25 14:58  yaowx  阅读(501)  评论(1编辑  收藏  举报