
Deploying Harbor on k8s

Date: 2023-09-28 12:39:17  Views: 54
Tags: tls crt harbor deployment certs myapp docker k8s


1. Create the Harbor namespace:

kubectl create ns harbor

2. Create the Harbor secret

Main Harbor secret

mkdir -p /home/master/harbor_crt
cd  /home/master/harbor_crt

## Generate the private CA (key plus self-signed certificate, valid 10 years)
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt  -subj  "/C=CN/ST=Guangdong/L=Guangzhou/O=example/OU=example/CN=10.1.1.221"

## Generate the server key and certificate signing request
openssl req -newkey rsa:4096 -nodes -sha256 -keyout tls.key -out tls.csr  -subj  "/C=CN/ST=Guangdong/L=Guangzhou/O=example/OU=example/CN=10.1.1.221"


## Extension file: Docker and other Go-based clients ignore the CN and require the IP in the subjectAltName
cat > extfile.cnf <<EOF
subjectAltName = IP:10.1.1.221
EOF


## Sign the server certificate with the CA
openssl x509 -req -days 3650 -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial  -extfile extfile.cnf -out tls.crt


# Create the Kubernetes secret
# With certSource: secret the chart reads the keys tls.crt, tls.key and ca.crt from this secret, so keep these file names
cd  /home/master/harbor_crt

kubectl create secret generic harbor-tls --from-file=tls.crt --from-file=tls.key --from-file=ca.crt -n harbor

kubectl -n harbor get secret  harbor-tls

Make the system trust our root certificate (optional)
The update-ca-trust extract command appends the PEM root certificate to /etc/ssl/certs/ca-certificates.crt, which holds the various trusted root certificates that ship with the system.

# The certificate to trust is the CA (ca.crt), not the server certificate; the anchor directory and command depend on the distribution
# Debian/Ubuntu:
cp /home/master/harbor_crt/ca.crt /usr/local/share/ca-certificates/harbor-ca.crt
update-ca-certificates

# RHEL/CentOS:
cp /home/master/harbor_crt/ca.crt /etc/pki/ca-trust/source/anchors/harbor-ca.crt
update-ca-trust extract

3. Add the Harbor Helm chart repository

# Add the repository
helm repo add harbor https://helm.goharbor.io

# Refresh the chart index
helm repo update

# Search the chart
helm search repo harbor

Pull the Harbor chart from the Helm repository:

cd /home/master
# Pull the chart
helm pull harbor/harbor --version v1.11.1


# Unpack the chart
tar -zxvf harbor-1.11.1.tgz

cd harbor

4. Configure Harbor's values.yaml

Main Harbor configuration
vim values.yaml

# expose.type: "nodePort"     -> reached through a NodePort; switch to ingress if you want to use a domain name
# expose.tls.enabled: "false" -> would turn TLS off; here it stays on, with the certificate served from the secret created above
## First change: starts on the first line of the file
expose:
  type: nodePort
  tls:
    enabled: true
    certSource: secret
    auto:
      commonName: ""
    secret:
      secretName: "harbor-tls"
      notarySecretName: "harbor-tls"

# Second change
  nodePort:
    name: harbor
    ports:
      http:
        port: 80
        #nodePort: 30002
      https:
        port: 443
        nodePort: 30003
      notary:
        port: 4443
        #nodePort: 30004
  loadBalancer:
    name: harbor
    IP: ""
    ports:
      httpPort: 80
      httpsPort: 443
      notaryPort: 4443
    annotations: {}
    sourceRanges: []
# Fill in a node IP (clients use this URL, so it must match the certificate's SAN and the https nodePort)
externalURL: https://10.1.1.221:30003


# Third change
# storageClass: a dynamic storage class, see kubectl get sc
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      storageClass: "nfs-boge"
      subPath: ""
      accessMode: ReadWriteMany
      size: 20Gi
      annotations: {}
    chartmuseum:
      existingClaim: ""
      storageClass: "nfs-boge"
      subPath: ""
      accessMode: ReadWriteMany
      size: 5Gi
      annotations: {}
    jobservice:
      jobLog:
        existingClaim: ""
        storageClass: "nfs-boge"
        subPath: ""
        accessMode: ReadWriteMany
        size: 5Gi
        annotations: {}
    database:
      existingClaim: ""
      storageClass: "nfs-boge"
      subPath: ""
      accessMode: ReadWriteMany
      size: 5Gi
      annotations: {}
    redis:
      existingClaim: ""
      storageClass: "nfs-boge"
      subPath: ""
      accessMode: ReadWriteMany
      size: 5Gi
      annotations: {}
    trivy:
      existingClaim: ""
      storageClass: "nfs-boge"
      subPath: ""
      accessMode: ReadWriteMany
      size: 5Gi
      annotations: {}


# replicas: 1   (chart default; the replicas key appears once per component such as portal, core, jobservice and registry)
replicas: 3

5. Install Harbor

# Install the main Harbor
cd /home/master/harbor
helm install harbor . -f values.yaml -n harbor




# Wait until every pod is Running
kubectl -n harbor get po

# Access URL
https://10.1.1.221:30003
# Default user: admin
# Default password: Harbor12345 (change it after the first login)

# List the release
helm -n harbor ls
# Uninstall
helm uninstall harbor  -n harbor

6. Configure the image registry on the Docker hosts

Docker therefore has to trust our certificate, so we configure the Harbor certificate for Docker.
Create a certs.d directory under /etc/docker, then create under certs.d:

# Docker looks for certificates in a subdirectory named after the registry host:port, not in certs.d itself
mkdir -p /etc/docker/certs.d/10.1.1.221:30003

cd /home/master/harbor_crt


# Convert tls.crt to tls.cert for Docker: the daemon reads *.crt files as CA certificates and *.cert files as client certificates
openssl x509 -inform PEM -in tls.crt -out tls.cert

# Copy the HTTPS certificates created earlier (ca.crt, tls.cert, tls.key) into place (needed on every Docker host)
# Only ca.crt is required for Harbor; tls.cert/tls.key form a client certificate, and distributing the server's private key to every client host is avoidable
cp ca.crt /etc/docker/certs.d/10.1.1.221:30003/
cp tls.key /etc/docker/certs.d/10.1.1.221:30003/
cp tls.cert /etc/docker/certs.d/10.1.1.221:30003/


scp -r  /etc/docker/certs.d/* root@k8s-node01:/etc/docker/certs.d/
scp -r  /etc/docker/certs.d/* root@k8s-node02:/etc/docker/certs.d/


# insecure-registries entries are host:port without a scheme (dockerd refuses to start on an "https://..." entry),
# and a JSON key may appear only once; with ca.crt installed under certs.d the Harbor entries are not strictly needed,
# but they are kept here as in the original configuration
cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://nr240upq.mirror.aliyuncs.com", "https://registry.docker-cn.com", "https://docker.mirrors.ustc.edu.cn", "https://dockerhub.azk8s.cn", "http://hub-mirror.c.163.com"],
  "max-concurrent-downloads": 10,
  "log-driver": "json-file",
  "log-level": "warn",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "insecure-registries": ["127.0.0.1", "10.1.1.221:30003", "10.1.1.222:30003"],
  "data-root": "/var/lib/docker"
}
EOF
 
 
# Restart Docker
systemctl daemon-reload && systemctl restart docker
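As an added example (not code from the original post), two shell helpers for the Docker-side setup above: one installs the CA into the per-registry directory Docker actually consults, deriving the host:port from the same image reference used later with docker tag, and one lints daemon.json for the two mistakes that either make dockerd fail to start (a scheme in an insecure-registries entry) or silently drop an entry (a duplicated key, where the last value wins). DOCKER_ETC, registry_host, install_registry_ca and lint_daemon_json are names chosen for this example; DOCKER_ETC defaults to /etc/docker and can be pointed at a scratch directory for a dry run. The lint assumes the insecure-registries array starts on the same line as the key or on the next one, as in the post's file.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: image references include the registry host (10.1.1.221:30003/...), DOCKER_ETC
# overrides /etc/docker for dry runs, and daemon.json arrays start on the key's line or the next one.

registry_host() {
    # "10.1.1.221:30003/library/myapp:v2" -> "10.1.1.221:30003"
    printf '%s\n' "$1" | cut -d/ -f1
}

# Install the CA for the registry named in an image reference; prints the installed path.
install_registry_ca() {
    etc="${DOCKER_ETC:-/etc/docker}"
    host=$(registry_host "$1"); cafile="$2"
    dest="$etc/certs.d/$host"
    mkdir -p "$dest"
    # only the CA belongs here; a *.cert/*.key pair would be a client certificate, which Harbor does not need
    cp "$cafile" "$dest/ca.crt"
    printf '%s\n' "$dest/ca.crt"
}

# Returns 0 when daemon.json has a single insecure-registries key whose entries carry no scheme.
lint_daemon_json() {
    f="$1"; rc=0

    # duplicate keys: Go's JSON decoder keeps the last value, so earlier entries silently vanish
    n=$(grep -c '"insecure-registries"' "$f" || true)
    [ "$n" -le 1 ] || { echo "$f: \"insecure-registries\" appears $n times; merge into one array"; rc=1; }

    # a scheme in an insecure-registries entry makes dockerd fail to start
    if awk '/"insecure-registries"/ {show=2} show>0 {print; show--}' "$f" | grep -q '://'; then
        echo "$f: insecure-registries entries must be host:port, without http:// or https://"; rc=1
    fi

    return $rc
}

# usage:
#   install_registry_ca 10.1.1.221:30003/library/myapp:v2 /home/master/harbor_crt/ca.crt
#   lint_daemon_json /etc/docker/daemon.json && systemctl restart docker
```

Running the lint before the restart is the cheap version of what the post's next step would otherwise reveal only through a failed `systemctl restart docker`; once ca.crt is in certs.d/10.1.1.221:30003, the Harbor entries can be dropped from insecure-registries altogether so that the daemon verifies the registry's certificate.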

7. Using the registry

# Log in to the registry (feeding the password on stdin keeps it out of the process list; -p on the command line prints a warning for that reason)
echo 'Harbor12345' | docker login -u admin --password-stdin 10.1.1.221:30003

# Pull the images
docker pull wangyanglinux/myapp:v2
docker pull wangyanglinux/myapp:v3

# Tag the images for the private registry
docker tag wangyanglinux/myapp:v2 10.1.1.221:30003/library/myapp:v2
docker tag wangyanglinux/myapp:v3 10.1.1.221:30003/library/myapp:v3

# Push the images
docker push 10.1.1.221:30003/library/myapp:v2
docker push 10.1.1.221:30003/library/myapp:v3

# Remove the local tags
docker rmi 10.1.1.221:30003/library/myapp:v2
docker rmi 10.1.1.221:30003/library/myapp:v3

# Save an image to a tarball
docker save wangyanglinux/myapp:v2  > /root/myapp-v2.tar

# Load the tarball
docker load -i /root/myapp-v2.tar


# The management UI can be reached at any Kubernetes node IP on the https nodePort set in values.yaml (30003 above).


# Uninstall Harbor (the node-harbor namespace belongs to a second Harbor instance whose setup is not shown in this post)
kubectl delete ns harbor node-harbor --force
kubectl -n node-harbor get pv |grep node | awk 'NR!=1{print $1}' | xargs kubectl delete pv

rm -rf /nfs_dir/node-harbor-*

8. Registry management: create a new endpoint

[screenshot omitted]

Replication management: create a new rule

[screenshot omitted]

Test the replication

[screenshot omitted]


From: https://blog.51cto.com/dxbp/7637923
