部署harbor

---

下载软件包

---
  1. 安装docker
  2. 安装docker-compose
  3. 下载harbor离线安装包
    github仓库软件包下载地址
1
2
[root@opt ~]# wget https://github.com/goharbor/harbor/releases/download/v2.11.1/harbor-offline-installer-v2.11.1.tgz
[root@opt ~]# tar -xvf harbor-offline-installer-v2.11.1.tgz

http方式

---
  1. 复制配置文件并修改

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[root@harbor ~]# cp harbor.yml.tmpl harbor.yml
[root@harbor ~]# vim harbor.yml
# 设置域名
hostname: harbor.local.com
# 注释https相关配置
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
#https:
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path

https方式(建议)

---

生成自签名证书

这里我们使用https://github.com/Fishdrowned/ssl提供的shell脚本生成ssl证书,证书有效期是 2 年,可以修改 ca.cnf 来修改这个年限。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# 克隆项目
[root@tiaoban opt]# git clone https://github.com/Fishdrowned/ssl.git
# 一键生成证书
[root@tiaoban opt]# cd ssl
[root@tiaoban ssl]# ./gen.cert.sh harbor.local.com # 生成harbor.local.com域名的证书
Removing dir out
Creating output structure
Done
Generating a RSA private key
...................................+++++
....+++++
writing new private key to 'out/root.key.pem'
-----
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
....................................+++++
e is 65537 (0x010001)
Using configuration from ./ca.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'Guangdong'
localityName          :ASN.1 12:'Guangzhou'
organizationName      :ASN.1 12:'Fishdrowned'
organizationalUnitName:ASN.1 12:'harbor.local.com'
commonName            :ASN.1 12:'*.harbor.local.com
Certificate is to be certified until Aug 12 10:49:02 2025 GMT (730 days)

Write out database with 1 new entries
Data Base Updated

Certificates are located in:
lrwxrwxrwx 1 root root 43 8月  13 18:49 /opt/ssl/out/harbor.local.com/harbor.local.com.bundle.crt -> ./20230813-1849/harbor.local.com.bundle.crt
lrwxrwxrwx 1 root root 36 8月  13 18:49 /opt/ssl/out/harbor.local.com/harbor.local.com.crt -> ./20230813-1849/harbor.local.com.crt
lrwxrwxrwx 1 root root 15 8月  13 18:49 /opt/ssl/out/harbor.local.com/harbor.local.com.key.pem -> ../cert.key.pem
lrwxrwxrwx 1 root root 11 8月  13 18:49 /opt/ssl/out/harbor.local.com/root.crt -> ../root.crt

# 查看证书文件
[root@tiaoban ssl]# cd out/harbor.local.com/
[root@tiaoban harbor.local.com]# ll
总用量 0
drwxr-xr-x 2 root root 101 8月  13 18:49 20230813-1849
lrwxrwxrwx 1 root root  43 8月  13 18:49 harbor.local.com.bundle.crt -> ./20230813-1849/harbor.local.com.bundle.crt
lrwxrwxrwx 1 root root  36 8月  13 18:49 harbor.local.com.crt -> ./20230813-1849/harbor.local.com.crt
lrwxrwxrwx 1 root root  15 8月  13 18:49 harbor.local.com.key.pem -> ../cert.key.pem
lrwxrwxrwx 1 root root  11 8月  13 18:49 root.crt -> ../root.crt

# 拷贝证书至harbor目录
[root@tiaoban harbor.local.com]# cp harbor.local.com.crt /opt/harbor/
[root@tiaoban harbor.local.com]# cp harbor.local.com.key.pem /opt/harbor/

修改配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[root@harbor ~]# cp harbor.yml.tmpl harbor.yml
[root@harbor ~]# vim harbor.yml
# 设置域名
hostname: harbor.local.com
# 注释http相关配置
# http related config
# http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  # port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /opt/harbor/harbor.local.com.crt 
  private_key: /opt/harbor/harbor.local.com.key.pem
data_volume: /data/harbor

执行安装脚本

---

运行install.sh脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[root@harbor  harbor]# ./install.sh 
[Step 5]: starting Harbor ...
[+] Building 0.0s (0/0)                                                                                                                                            
[+] Running 10/10
 ✔ Network harbor_harbor        Created                                                                                                                       0.3s 
 ✔ Container harbor-log         Started                                                                                                                       1.8s 
 ✔ Container harbor-portal      Started                                                                                                                      12.8s 
 ✔ Container registry           Started                                                                                                                      13.1s 
 ✔ Container redis              Started                                                                                                                      13.2s 
 ✔ Container registryctl        Started                                                                                                                      11.4s 
 ✔ Container harbor-db          Started                                                                                                                      12.0s 
 ✔ Container harbor-core        Started                                                                                                                      14.3s 
 ✔ Container nginx              Started                                                                                                                      18.2s 
 ✔ Container harbor-jobservice  Started                                                                                                                      18.1s 
✔ ----Harbor has been installed and started successfully.----

访问Harbor并登录

---

  • 初始用户名admin
  • 初始密码Harbor12345

创建systemd服务管理脚本

---
  • <font style="background-color:rgba(255, 255, 255, 0);">vim /lib/systemd/system/harbor.service</font>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /opt/harbor/docker-compose.yml up
ExecReload=/usr/local/bin/docker-compose -f /opt/harbor/docker-compose.yml restart
ExecStop=/usr/local/bin/docker-compose -f /opt/harbor/docker-compose.yml down

[Install]
WantedBy=multi-user.target

<font style="background-color:rgba(255, 255, 255, 0);">systemctl enable harbor --now</font>

授权访问

---

docker授权访问

---
  1. docker配置文件私有仓库设置
    <font style="background-color:rgba(255, 255, 255, 0);">[root@master ~]# vim /etc/docker/daemon.json</font>
1
2
3
4
5
6
7
8
9
{
    "registry-mirrors": [
        "https://mirror.ccs.tencentyun.com",
        "https://o2j0mc5x.mirror.aliyuncs.com"
    ],
    "insecure-registries": [
        "https://harbor.local.com"
    ]
}
  1. 重启docker
    <font style="background-color:rgba(255, 255, 255, 0);">systemctl daemon-reload</font>
    <font style="background-color:rgba(255, 255, 255, 0);">systemctl restart docker</font>
  2. master节点登陆测试
1
2
3
4
5
6
7
[root@tiaoban ~]# docker login harbor.local.com -u admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
  1. 推送镜像测试
1
2
3
4
5
6
7
8
9
10
11
12
[root@tiaoban ~]# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
5cc84ad355aa: Pull complete 
Digest: sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
[root@tiaoban ~]# docker tag busybox:latest harbor.local.com/library/busybox:latest
[root@tiaoban ~]# docker push harbor.local.com/library/busybox:latest
The push refers to repository [harbor.local.com/library/busybox]
01fd6df81c8e: Pushed 
latest: digest: sha256:62ffc2ed7554e4c6d360bce40bbcf196573dd27c4ce080641a2c59867e732dee size: 527

Containerd授权访问

---
  1. 修改配置文件
1
2
3
4
5
6
7
[root@master1 ~]# mkdir -p /etc/containerd/certs.d/harbor.local.com
[root@master1 ~]# cat > /etc/containerd/certs.d/harbor.local.com/hosts.toml << EOF
server = "https://harbor.local.com"
[host."https://harbor.local.com"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
EOF
  1. 重启containerd
1
[root@master1 ~]# systemctl restart containerd
  1. 登录测试
1
2
3
4
5
6
7
8
[root@master1 ~]# nerdctl login -u admin -p Harbor12345 --insecure-registry harbor.local.com
WARN[0000] WARNING! Using --password via the CLI is insecure. Use --password-stdin. 
WARN[0000] skipping verifying HTTPS certs for "harbor.local.com" 
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
  1. 推送镜像测试
1
2
3
[root@master1 ~]# nerdctl pull busybox
[root@master1 ~]# nerdctl tag busybox:latest harbor.local.com/library/busybox:latest
[root@master1 ~]# nerdctl push --insecure-registry harbor.local.com/library/busybox:latest

kubernets授权访问

---

由于harbor采用了用户名密码认证,所以在镜像下载时,如果仓库类型为私有,则需要配置sercet才可以拉取镜像。

  1. 创建认证secret
1
kubectl create secret docker-registry registry-secret --namespace=default --docker-server=harbor.local.com --docker-username=admin --docker-password=Harbor12345
  1. 查看secret
1
2
3
# kubectl get secrets 
NAME              TYPE                             DATA   AGE
registry-secret   kubernetes.io/dockerconfigjson   1      9s
  1. 使用相应的私有registry中镜像的Pod资源的定义,即可通过imagePullSecrets字段使用此Secret对象
1
2
3
4
5
6
7
8
9
10
11
apiVersion: v1
kind: Pod 
metadata:
  name: secret-imagepull-demo
  namespace: default
spec:
  imagePullSecrets:
  - name: registry-secret
  containers:
  - image: 192.168.10.14/k8s/nginx:v1
    name: myapp