Environment:
Kubernetes version: v1.22.3
Helm version: v3.7.1
Helm chart version: 1.8.0
The YAML files used below can be downloaded from DeploymentFiles.
Harbor is an open-source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free of vulnerabilities, and signs images as trusted.
Preparation
1. Install Helm
Official site: https://helm.sh/zh/docs/
Helm is the package manager for Kubernetes and the best way to find, share, and use software built for Kubernetes.
A chart is a Helm package; it contains all the resource definitions needed to run an application, tool, or service inside a Kubernetes cluster.
A repository is where charts are stored and shared.
A release is an instance of a chart running in a Kubernetes cluster.
$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
$ chmod 700 get_helm.sh
$ ./get_helm.sh
2. Create the namespace
kubectl create namespace harbor
3. Export the NFS share and create the directories
Deploying the NFS server is covered in another article and is not repeated here (http://www.reibang.com/p/2c20efbd5855).
① Configure the NFS export
$ sudo vim /etc/exports
# add the following line
/hdd/nfs *(rw,sync,no_root_squash,no_subtree_check)
② Create the required directories under /hdd/nfs
sudo mkdir -p /hdd/nfs/harbor/registry
sudo mkdir -p /hdd/nfs/harbor/chartmuseum
sudo mkdir -p /hdd/nfs/harbor/jobservice
sudo mkdir -p /hdd/nfs/harbor/database
sudo mkdir -p /hdd/nfs/harbor/redis
sudo mkdir -p /hdd/nfs/harbor/trivy
③ Fix the directory permissions
File permissions matter; this was a big pitfall for me: Redis and the database kept reporting insufficient permissions.
-R applies recursively to every folder under harbor
sudo chmod -R 777 /hdd/nfs/harbor
If that is still not enough, change the owner of the files to your current user:
sudo chown -R 1000:1000 /hdd/nfs/
4. Create the PVs and PVCs
① Create the PV manifest harbor-pv.yaml
Fill in spec.nfs.path and spec.nfs.server with your actual export path and NFS server IP.
spec.storageClassName must match the storageClassName in the corresponding PVC.
spec.capacity.storage can be adjusted as needed; the PVC request must be <= the PV capacity or the claim will not bind.
#registry-PV
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-registry
  labels:
    app: harbor-registry
spec:
  capacity:
    storage: 20Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/registry
    server: 192.168.100.24
---
#harbor-chartmuseum-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-chartmuseum
  labels:
    app: harbor-chartmuseum
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/chartmuseum
    server: 192.168.100.24
---
#harbor-jobservice-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-jobservice
  labels:
    app: harbor-jobservice
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/jobservice
    server: 192.168.100.24
---
#harbor-database-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-database
  labels:
    app: harbor-database
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/database
    server: 192.168.100.24
---
#harbor-redis-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-redis
  labels:
    app: harbor-redis
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/redis
    server: 192.168.100.24
---
#harbor-trivy-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-trivy
  labels:
    app: harbor-trivy
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/trivy
    server: 192.168.100.24
Create the PV resources
-f specifies the manifest file
PVs are cluster-scoped, so no namespace is needed
kubectl apply -f /etc/kubernetes/harbor/harbor-pv.yaml
② Create the PVC manifest harbor-pvc.yaml
#harbor-registry-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-registry
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 20Gi
  selector:
    matchLabels:
      app: harbor-registry
---
#harbor-chartmuseum-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-chartmuseum
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-chartmuseum
---
#harbor-jobservice-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-jobservice
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-jobservice
---
#harbor-database-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-database
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-database
---
#harbor-redis-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-redis
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-redis
---
#harbor-trivy-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-trivy
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-trivy
Create the PVC resources
-n specifies the namespace
kubectl apply -f /etc/kubernetes/harbor/harbor-pvc.yaml -n harbor
Create a custom certificate
By default Harbor ships without a certificate. It can be deployed without TLS and accessed over plain HTTP. To enable HTTPS you must create an SSL certificate.
Create the folder /home/master/harbor_crt and cd into it for the following steps (optional; I do this just to keep things organized).
① Generate the certificate files
## Generate the CA certificate
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=example/OU=example/CN=192.168.100.51"
## Generate the certificate signing request
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout tls.key -out tls.csr -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=example/OU=example/CN=192.168.100.51"
When connecting by IP, the CN is not used for matching: modern clients (Docker, browsers) only check subjectAltName and ignore the CN. So you need to create an extension file that lists the IP address as a SAN:
$ vim extfile.cnf
# put the following content in the file
subjectAltName = IP:192.168.100.51
## Sign the server certificate with the CA
$ openssl x509 -req -days 3650 -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out tls.crt
② Create the Secret
Create the Kubernetes Secret and import the certificate files into it:
kubectl create secret generic harbor-tls --from-file=tls.crt --from-file=tls.key --from-file=ca.crt -n harbor
Set up the Harbor values file
① Download the values.yaml of the latest release (v1.7.4) from the official repository https://github.com/goharbor/harbor-helm
② Modify the values file
I use NodePort, so expose.type is set to nodePort; for another exposure method change the type accordingly.
For externalURL, pick any reachable node IP:port (make sure the protocol and port number match). Try not to change the default password: the first time I changed it to something else, and after deleting the release several times because of various pitfalls, pgdata was not fully removed and I could never log in with the default password.
The file is long, so I removed the commented parts; compare carefully against your copy.
expose:
  type: nodePort
  tls:
    enabled: true
    certSource: secret
    auto:
      commonName: ""
    secret:
      secretName: "harbor-tls"
      notarySecretName: "harbor-tls"
  ... (unchanged)
  nodePort:
    name: harbor
    ports:
      http:
        port: 80
        nodePort: 30002
      https:
        port: 443
        nodePort: 30003
      notary:
        port: 4443
        nodePort: 30004
  loadBalancer:
    ... (unchanged)
externalURL: https://192.168.100.51:30003
internalTLS:
  ... (unchanged)
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      existingClaim: "harbor-registry"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 20Gi
    chartmuseum:
      existingClaim: "harbor-chartmuseum"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: "harbor-jobservice"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    database:
      existingClaim: "harbor-database"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    redis:
      existingClaim: "harbor-redis"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    trivy:
      existingClaim: "harbor-trivy"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
... (unchanged)
Install Harbor
① Add the Helm repository
$ helm repo add harbor https://helm.goharbor.io
② Deploy Harbor
helm install harbor harbor/harbor -f /etc/kubernetes/harbor/deployment_nodeport.yaml -n harbor
③ Check whether the deployment has finished
$ kubectl get deployment -n harbor
④ Access Harbor
Enter the address in the browser (the externalURL configured above)
Default user: admin
Default password: Harbor12345
Configure the image registry on the Docker host
On Ubuntu, docker login to the Harbor instance deployed above fails with a certificate error.
① Docker must therefore trust our certificate, so configure the Harbor certificate for Docker
Create the certs.d folder under /etc/docker, then create the 192.168.100.51:30003 (IP:port) folder under certs.d
$ mkdir -p /etc/docker/certs.d/192.168.100.51:30003
Convert tls.crt to tls.cert for Docker: the Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
# the cert files are kept in harbor_tls/, referenced by path below
$ sudo openssl x509 -inform PEM -in harbor_tls/tls.crt -out harbor_tls/tls.cert
Copy the HTTPS certificate files created earlier (ca.crt, tls.cert, tls.key) into the 192.168.100.51:30003 folder (this is needed on every Docker host)
$ sudo cp harbor_tls/ca.crt /etc/docker/certs.d/192.168.100.51\:30003/
$ sudo cp harbor_tls/tls.key /etc/docker/certs.d/192.168.100.51\:30003/
$ sudo cp harbor_tls/tls.cert /etc/docker/certs.d/192.168.100.51\:30003/
# restart Docker
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker.service
② Make the system trust our root certificate (optional)
The update-ca-certificates command appends PEM root certificates found in /usr/local/share/ca-certificates to /etc/ssl/certs/ca-certificates.crt, which contains the system's bundled trusted root certificates.
# install the CA certificate (the root we want trusted), not the server's leaf certificate tls.crt
$ sudo cp harbor_tls/ca.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates
Access Harbor again and the login succeeds.