Harbor2.0
官方下載
https://github.com/goharbor/harbor/releases/
官方文檔
https://goharbor.io/docs/2.0.0/install-config/
docker配置注冊表, oss存儲驅動
https://docs.docker.com/registry/configuration/#storage
https://docs.docker.com/registry/storage-drivers/oss/
配置https訪問
生成證書頒發機構證書
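# Keep the CA and server key material in one dedicated directory.
# mkdir -p makes the step re-runnable; cd only happens if the directory exists.
mkdir -p /data/harbor/certs.d && cd /data/harbor/certs.d
# Generate the CA private key (4096-bit RSA, written without a passphrase).
openssl genrsa -out ca.key 4096
# Whoever can read ca.key can issue certificates that every client trusting
# ca.crt will accept, so restrict it to the owner.
chmod 600 ca.key
# Generate the self-signed CA certificate (SHA-512 signature, valid 3650 days).
# NOTE(review): the CA uses the same subject DN as the server certificate
# requested later; a distinct CN for the CA is easier to tell apart in chain
# errors and may avoid verifiers treating the leaf as self-issued - confirm.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.com" \
  -key ca.key \
  -out ca.crt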
生成服務器證書
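# Run from the directory that holds ca.crt and ca.key.
# Generate the server private key (4096-bit RSA, written without a passphrase).
openssl genrsa -out www.harbor.com.key 4096
# The key is stored unencrypted; make it readable by the owner only.
chmod 600 www.harbor.com.key
# Generate the certificate signing request (CSR) for the Harbor host.
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.com" \
  -key www.harbor.com.key \
  -out www.harbor.com.csr
# Write the x509 v3 extension file. The delimiter is quoted so the shell
# writes the text literally, with no expansion.
# basicConstraints=CA:FALSE and extendedKeyUsage=serverAuth limit the issued
# certificate to TLS server use; subjectAltName lists every name clients may
# use to reach the registry.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=www.harbor.com
DNS.2=harbor
DNS.3=www
EOF
# Sign the CSR with the CA, applying the extensions from v3.ext.
# -CAcreateserial creates the CA serial file if it does not exist yet.
# NOTE(review): 3650 days is a long lifetime for a server certificate; there
# is no revocation path for this private CA, so plan how the certificate
# would be replaced if the key leaks.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in www.harbor.com.csr \
  -out www.harbor.com.crt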
配置harbor
配置harbor.yml
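# The address configured here is the address clients must use when pulling.
hostname: www.harbor.com
# Server certificate and private key generated above.
# In the harbor.yml shipped with the installer these two keys sit under the
# `https:` section.
certificate: /data/harbor/certs.d/www.harbor.com.crt
private_key: /data/harbor/certs.d/www.harbor.com.key
# Initial password of the Harbor admin account. Placeholder: replace it with
# a long, unique value before running install.sh, and keep harbor.yml
# readable only by the account that runs the installer.
harbor_admin_password: "<REPLACE_WITH_A_STRONG_UNIQUE_PASSWORD>"
data_volume: /data/harbor_data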
# Create the directory that harbor.yml names as data_volume.
mkdir -p /data/harbor_data
# First-time installation with the optional components enabled.
./install.sh \
  --with-notary \
  --with-clair \
  --with-trivy \
  --with-chartmuseum
# To regenerate the configuration after editing harbor.yml:
#   ./prepare --with-notary --with-clair --with-trivy --with-chartmuseum
# To recreate the containers:
#   docker-compose down -v && docker-compose up -d
# Note: `down -v` also removes the compose project's named and anonymous
# volumes.
docker訪問
配置hosts
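# Map the Harbor hostname to the registry host on this client.
# The grep guard keeps the step idempotent: re-running it does not append a
# duplicate line. If the name is already present with another address, the
# file is left alone and must be corrected by hand.
grep -qF 'www.harbor.com' /etc/hosts || cat >>/etc/hosts <<'EOF'
10.0.0.4 www.harbor.com
EOF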
通過https訪問
生產客戶端證書
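# Run from the directory that holds the generated certificates.
# The Docker daemon treats *.crt files in a registry's certs.d directory as CA
# certificates and *.cert files as client certificates, so write the server
# certificate out under a .cert name.
openssl x509 -inform PEM -in www.harbor.com.crt -out www.harbor.com.cert
# Docker reads per-registry trust material from a directory named after the
# registry host. Copy the files straight into it: copying to a relative
# "www.harbor.com" path would create a plain file in the current directory
# and overwrite it three times instead of filling the Docker directory.
mkdir -p /etc/docker/certs.d/www.harbor.com
cp www.harbor.com.cert www.harbor.com.key ca.crt /etc/docker/certs.d/www.harbor.com/
chmod 600 /etc/docker/certs.d/www.harbor.com/www.harbor.com.key
# NOTE(review): ca.crt is what lets Docker verify the registry. On machines
# other than the Harbor host, copy only ca.crt and leave the .cert/.key pair
# out; the server's private key should not be distributed to clients.
systemctl daemon-reload
systemctl restart docker.service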
通過http訪問
www.harbor.com添加到倉庫信任
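# Alternative to the certificate setup: list the registry under
# "insecure-registries". For a listed registry Docker ignores certificate
# errors and falls back to plain HTTP, so image pulls, pushes and login
# credentials for www.harbor.com are no longer protected against interception
# or tampering. Use this only on an isolated test network; installing ca.crt
# under /etc/docker/certs.d/ keeps TLS verification on.
# The redirect below replaces the whole file, so keep a copy of any existing
# daemon configuration first.
if [ -f /etc/docker/daemon.json ]; then
  cp -p /etc/docker/daemon.json /etc/docker/daemon.json.bak
fi
# NOTE(review): the registry mirror below looks like an account-specific
# endpoint; images pulled through a mirror are only as trustworthy as that
# mirror, so replace it with one you control or drop the entry.
cat >/etc/docker/daemon.json <<'EOF'
{
"registry-mirrors": [
"https://6zmzhe7k.mirror.aliyuncs.com"
],
"insecure-registries": [
"www.harbor.com"
]
}
EOF
systemctl daemon-reload
systemctl restart docker.service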