In the earlier article "Harbor from Getting Started to Practice", the Harbor service was configured with plain HTTP only, with no HTTPS, so that it could be brought up quickly. HTTP is acceptable only in test or development environments: the Docker client has to be configured with insecure-registry, and docker cannot simply log in with a username and password.
To configure HTTPS, an SSL certificate must be created. In production it is best to buy a CA-signed certificate from a trusted third party. Here a self-signed certificate is used.
1. Generate the certificate authority (CA) certificate
Generate the CA private key
# mkdir -p /root/harbor/ssl
# cd /root/harbor/ssl
# openssl genrsa -out ca.key 4096
# ll
total 4
-rw------- 1 root root 3243 Mar 26 10:54 ca.key
Generate the CA certificate
# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key ca.key \
-out ca.crt
Adjust the values in the -subj option to reflect your organization. If you use an FQDN to connect to the Harbor host, you must specify it as the Common Name (CN) attribute.
If access is by IP address, change yourdomain.com to the IP address:
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.26.37.129 docker harbor.local
# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Fujian/L=Fuzhou/O=Luorf/OU=Personal/CN=harbor.local" \
-key ca.key \
-out ca.crt
# ll
total 8
-rw-r--r-- 1 root root 2041 Mar 26 12:41 ca.crt
-rw------- 1 root root 3243 Mar 26 10:54 ca.key
2. Generate the server certificate
The certificate usually consists of a .crt file and a .key file.
Generate the private key
# openssl genrsa -out yourdomain.com.key 4096
# openssl genrsa -out harbor.local.key 4096
# ll
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
Generate a certificate signing request (CSR)
# openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key yourdomain.com.key \
-out yourdomain.com.csr
Adjust the values in the -subj option to reflect your organization. If you use an FQDN to connect to the Harbor host, you must specify it as the Common Name (CN) attribute.
If access is by IP address, change yourdomain.com to the IP address:
# openssl req -sha512 -new \
-subj "/C=CN/ST=Fujian/L=Fuzhou/O=Luorf/OU=Personal/CN=harbor.local" \
-key harbor.local.key \
-out harbor.local.csr
# ll
total 16
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw-r--r-- 1 root root 1700 Mar 26 14:36 harbor.local.csr
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
Generate an x509 v3 extension file
Whether you connect to the Harbor host by FQDN or by IP address, this file must be created so that a certificate meeting the Subject Alternative Name (SAN) and x509 v3 extension requirements can be generated for the Harbor host. Replace the DNS entries to reflect your domain.
# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.local
EOF
If access is by IP address:
# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:172.26.37.129
EOF
Use the v3.ext file to generate a certificate for the Harbor host
# openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in yourdomain.com.csr \
-out yourdomain.com.crt
If access is by IP address, change harbor.od.com to the IP address:
# openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.local.csr \
-out harbor.local.crt
# ll
total 28
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw-r--r-- 1 root root 41 Mar 26 14:37 ca.srl
-rw-r--r-- 1 root root 2065 Mar 26 14:37 harbor.local.crt
-rw-r--r-- 1 root root 1700 Mar 26 14:36 harbor.local.csr
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
-rw-r--r-- 1 root root 231 Mar 26 14:37 v3.ext
3. Provide the certificates to Harbor and Docker
After the ca.crt, yourdomain.com.crt and yourdomain.com.key files have been generated, they must be provided to Harbor and Docker, and both must be reconfigured.
Copy the server certificate and key into the certificates folder on the Harbor host.
# cp harbor.local.crt /data/cert/
# cp harbor.local.key /data/cert/
Convert yourdomain.com.crt to yourdomain.com.cert for Docker to use.
The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
# openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
# openssl x509 -inform PEM -in harbor.local.crt -out harbor.local.cert
# ll
total 32
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw-r--r-- 1 root root 41 Mar 26 14:37 ca.srl
-rw-r--r-- 1 root root 2065 Mar 26 14:38 harbor.local.cert
-rw-r--r-- 1 root root 2065 Mar 26 14:37 harbor.local.crt
-rw-r--r-- 1 root root 1700 Mar 26 14:36 harbor.local.csr
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
-rw-r--r-- 1 root root 231 Mar 26 14:37 v3.ext
Copy the server certificate, key and CA file into the Docker certificates folder on the Harbor host. The appropriate folder must be created first.
# cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
# cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
# cp ca.crt /etc/docker/certs.d/yourdomain.com/
# mkdir -p /etc/docker/certs.d/harbor.local/
# cp harbor.local.cert /etc/docker/certs.d/harbor.local/
# cp harbor.local.key /etc/docker/certs.d/harbor.local/
# cp ca.crt /etc/docker/certs.d/harbor.local/
# ll /etc/docker/certs.d/harbor.local/
total 12
-rw-r--r-- 1 root root 2037 Mar 26 14:40 ca.crt
-rw-r--r-- 1 root root 2065 Mar 26 14:39 harbor.local.cert
-rw------- 1 root root 3243 Mar 26 14:39 harbor.local.key
If the default nginx port 443 is mapped to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port or /etc/docker/certs.d/harbor_IP:port instead. (Omitted here.)
Restart Docker Engine
# systemctl restart docker
The following example illustrates the layout for a configuration that uses custom certificates.
/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert <-- Server certificate signed by CA
       ├── yourdomain.com.key <-- Server key signed by CA
       └── ca.crt <-- Certificate authority that signed the registry certificate
# tree /etc/docker/certs.d/
/etc/docker/certs.d/
└── harbor.local
    ├── ca.crt
    ├── harbor.local.cert
    └── harbor.local.key
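The following Go program is an added example, not code from the original article or from the Harbor project. It reproduces steps 1 to 3 in code: a self-signed CA, a server certificate signed by that CA carrying the v3.ext extensions (basicConstraints CA:FALSE, keyUsage, extendedKeyUsage serverAuth and a DNS or IP subjectAltName), and a check that verifies the server certificate the way a Docker client does once ca.crt sits in /etc/docker/certs.d/<host>/. It uses ECDSA P-256 keys instead of the article's RSA 4096 to keep key generation fast; the function names issue, BuildPKI and VerifyFor are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// issue makes a P-256 key (the article uses RSA 4096) and has parentKey sign tmpl, as "openssl x509 -req -CA ca.crt -CAkey ca.key" does; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is unrecoverable for this demo
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // the templates are fixed, so this would be a programming error
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}
// BuildPKI mirrors steps 1 and 2: a self-signed CA (ca.crt), then a server certificate (harbor.local.crt) carrying the v3.ext extensions.
func BuildPKI(dnsNames []string, ips []net.IP) (ca, server *x509.Certificate) {
	now := time.Now().Add(-time.Minute)
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example CA"}, NotBefore: now, NotAfter: now.AddDate(10, 0, 0), // -days 3650
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, // a CA certificate
	}, nil, nil)
	server, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "harbor.local"}, // CN alone is ignored by modern clients
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), BasicConstraintsValid: true, // basicConstraints=CA:FALSE
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // extendedKeyUsage = serverAuth
		DNSNames:    dnsNames, IPAddresses: ips, // subjectAltName = DNS:... / IP:...
	}, ca, caKey)
	return ca, server
}
// VerifyFor checks server as a Docker client does with /etc/docker/certs.d/<host>/ca.crt: trust only that CA and require host to be listed in the SAN.
func VerifyFor(ca, server *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Build the pair with BuildPKI([]string{"harbor.local"}, []net.IP{net.ParseIP("172.26.37.129")}) and VerifyFor succeeds for both names; a host missing from the SAN, a certificate whose CN matches but has no SAN, or a different CA all fail, which is exactly what an insecure-registry setting would otherwise paper over.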
4. Reconfigure Harbor
# cd /root/harbor
# cp -p harbor.yml harbor.yml.bak20230326
# vi harbor.yml
Modify the following settings (the hostname and the https section):
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.local

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbor.local.crt
  private_key: /data/cert/harbor.local.key
Run the Harbor deployment (omitted here; it has already been deployed successfully)
# ./install.sh
Reconfigure for HTTPS support
Run the prepare script to enable HTTPS.
# ./prepare
Stop Harbor and remove the existing instance (image data remains on the filesystem, so no data is lost).
# docker-compose down -v
Restart Harbor
# docker-compose up -d
# docker ps |grep harbor
d4170f45b469 goharbor/harbor-jobservice:v2.3.2 "/harbor/entrypoint.…" 6 minutes ago Up 6 minutes (healthy) harbor-jobservice
9de01fdc84da goharbor/nginx-photon:v2.3.2 "nginx -g 'daemon of…" 6 minutes ago Up 6 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp nginx
839ad5e59519 goharbor/harbor-core:v2.3.2 "/harbor/entrypoint.…" 6 minutes ago Up 6 minutes (healthy) harbor-core
97e39e780d6d goharbor/harbor-portal:v2.3.2 "nginx -g 'daemon of…" 6 minutes ago Up 6 minutes (healthy) harbor-portal
2e965c47ddb9 goharbor/registry-photon:v2.3.2 "/home/harbor/entryp…" 6 minutes ago Up 6 minutes (healthy) registry
9d55cca88bf6 goharbor/harbor-db:v2.3.2 "/docker-entrypoint.…" 6 minutes ago Up 6 minutes (healthy) harbor-db
f1871916ace3 goharbor/redis-photon:v2.3.2 "redis-server /etc/r…" 6 minutes ago Up 6 minutes (healthy) redis
c0b9f1d592b1 goharbor/harbor-registryctl:v2.3.2 "/home/harbor/start.…" 6 minutes ago Up 6 minutes (healthy) registryctl
69e47f6ed041 goharbor/harbor-log:v2.3.2 "/bin/sh -c /usr/loc…" 6 minutes ago Up 6 minutes (healthy) 127.0.0.1:1514->10514/tcp
5. Verify the HTTPS connection
Open the HTTPS web page: https://172.26.37.129
After adding a hosts entry, http://harbor.local can be accessed directly.
Log in to Harbor from the Docker client
Obtain the CA certificate needed for the Harbor client login
# mkdir /etc/docker/certs.d/harbor.local
# scp 172.26.37.129:/root/harbor/ssl/ca.crt /etc/docker/certs.d/harbor.local/
Log in to Harbor
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Reference URLs:
https://goharbor.io/docs/2.0.0/install-config/configure-https/
https://www.cnblogs.com/cjwnb/p/13441071.html
https://blog.csdn.net/networken/article/details/107502461