env
Two environment variables are used: one holds the Harbor registry FQDN, the other names the project (workspace) in which images are stored.
harborurl=your-harbor.com
project=catalog-apps
Install the certificate on the machine
We use openssl to fetch the certificate from the Harbor registry and store it in Docker's certificate configuration path.
sudo mkdir -p /etc/docker/certs.d/${harborurl}
openssl s_client -showcerts -connect registry.${harborurl}:443 </dev/null | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | sudo tee -a /etc/docker/certs.d/${harborurl}/ca.crt
Alternatively:
wget --no-proxy http://${harborurl}:8081/ca.crt
sudo mkdir -p /etc/docker/certs.d/${harborurl}
sudo mv ca.crt /etc/docker/certs.d/${harborurl}
sudo systemctl restart docker
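Both fetch methods above accept whatever bytes the network returns: `openssl s_client` prints the chain without requiring it to verify, and the `wget` runs over plain HTTP. The following added example (not part of the original post; the function names and the out-of-band digest are assumptions) installs the file only when its SHA-256 matches a value obtained separately, for instance by running `sha256sum ca.crt` on the Harbor host.

```shell
#!/bin/sh
# Added example, not from the original post. Names below are hypothetical.

# Keep only the PEM certificate blocks from `openssl s_client -showcerts` output.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Lowercase SHA-256 hex digest of a file (sha256sum, or shasum where that is absent).
file_sha256() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | awk '{print $1}'
}

# install_pinned_ca SRC EXPECTED_SHA256 DEST_DIR
# Installs SRC as DEST_DIR/ca.crt only when its digest matches the value
# obtained out of band. Returns 1 and installs nothing otherwise.
install_pinned_ca() {
    src=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest_dir=$3
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$src" ||
        { echo "no PEM certificate in $src" >&2; return 1; }
    actual=$(file_sha256 "$src")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    mkdir -p "$dest_dir" &&
        cp "$src" "$dest_dir/ca.crt.new" &&
        mv "$dest_dir/ca.crt.new" "$dest_dir/ca.crt"   # replace, never append
}

# Constructed sample of s_client output; the base64 body is a dummy, not a real certificate.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = your-harbor.com
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIE9OTFk=
-----END CERTIFICATE-----
---
Server certificate
EOF
}

# Real use, as root: install_pinned_ca ca.crt "$pinned" "/etc/docker/certs.d/${harborurl}"
```

Because the digest covers the exact file bytes, the pinned value has to be refreshed whenever the Harbor CA certificate is reissued.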
On edge node
Add the certificate to the trust pool
sudo cp ca.crt /usr/local/share/ca-certificates/habor-ca.crt
sudo update-ca-certificates --fresh
Log in to the Harbor registry
Run this command on the orchestrator server to get the credential of the Harbor registry.
credential=$(kubectl get -n harbor secrets harbor-admin-credential -o json | jq .metadata.annotations | grep -oP "(?<=\"credential).*(?=}})" | tr -d '"\')
credential=${credential#:}
echo "credential=$credential"
Note: copy the printed credential line above to the edge node.
# Username: admin; Password: Harbor12345
user=${credential%:*}
pass=${credential#*:}
docker login ${harborurl}
Docker push
Push your Docker image to the Harbor registry.
dockimg=test
ov=latest
nv=latest
docker tag $dockimg:$ov ${harborurl}/${project}/$dockimg:$nv
docker push ${harborurl}/${project}/$dockimg:$nv
Push helm chart
First, install the Helm tool.
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
sudo apt-get install apt-transport-https --yes
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update
sudo apt-get install helm
Check your Helm chart before you push it to the Harbor registry.
chart=mychartpath
helm install --generate-name --dry-run --debug ./$chart
Then push your Helm chart to the Harbor registry.
chartball=xxx.tgz
chartpath=<helm-dir>
reponame=iotedge-repo
tar czvf $chartball $chartpath
helm plugin install https://github.com/chartmuseum/helm-push
helm repo add --username ${user} --password ${pass} --ca-file /etc/docker/certs.d/${harborurl}/ca.crt $reponame https://registry.${harborurl}/chartrepo/${project}
helm cm-push -u ${user} -p ${pass} --ca-file /etc/docker/certs.d/${harborurl}/ca.crt $chartball $reponame
Batch Push helm charts
for SUBDIR in */; do
    # Remove trailing slash
    SUBDIR_NAME="${SUBDIR%/}"
    echo $SUBDIR_NAME
    if [ -e $SUBDIR_NAME/Chart.yaml ]
    then
        echo "This is a Helm Chart file"
        tar -czf "${SUBDIR_NAME}.tgz" "$SUBDIR_NAME"
        helm cm-push -u ${user} -p ${pass} --ca-file /etc/docker/certs.d/${harborurl}/ca.crt ${SUBDIR_NAME}.tgz $reponame
        rm ${SUBDIR_NAME}.tgz
    else
        echo "Not a Helm Chart file, skip"
    fi
done
Troubleshooting
Upload the certificates to the new cluster.
mkdir -p /opt/certs
cd /opt/certs
wget --no-proxy http://${harborurl}:8081/ca.crt
wget --no-proxy http://${harborurl}:8081/harbor.com.crt
wget --no-proxy http://${harborurl}:8081/harbor.com.key
Update the RKE2 registry configuration.
$ cat /etc/rancher/rke2/registries.yaml
---
# Define the proxy registry to pull images from
mirrors:
  zz-iotedge-harbor.sh.intel.com:
    endpoint:
      - "https://zz-iotedge-harbor.sh.intel.com"
configs:
  "zz-iotedge-harbor.sh.intel.com":
    auth:
      username: admin
      password: 1q2w3e@intelQ_0
    tls:
      cert_file: /opt/certs/harbor.com.crt
      key_file: /opt/certs/harbor.com.key
      ca_file: /opt/certs/ca.crt
      # true skips verification of the registry's TLS certificate, so ca_file is not enforced
      insecure_skip_verify: true
Restart the service.
$ sudo systemctl restart rke2-server
# Make sure it's in effect.
$ sudo cat /var/lib/rancher/rke2/agent/etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry.configs."zz-iotedge-harbor.sh.intel.com".auth]
  username = "admin"
  password = "1q2w3e@intelQ_0"

[plugins."io.containerd.grpc.v1.cri".registry.configs."zz-iotedge-harbor.sh.intel.com".tls]
  ca_file = "/opt/certs/ca.crt"
  cert_file = "/opt/certs/harbor.com.crt"
  key_file = "/opt/certs/harbor.com.key"
  insecure_skip_verify = true
From: https://www.cnblogs.com/shaohef/p/18429870