目录[-]
官方文档 https://goharbor.io/docs/1.10/install-config/configure-https/
harbor服务端
安装先决条件:
cd /etc/yum.repos.d
mv 11bee.repo 11bee.repo.bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all && yum makecache
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
设置稳定的仓库
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
安装Docker CE:
yum -y install docker-ce
systemctl start docker
systemctl enable docker
wget -P /home/q/www http://10.64.0.11:9999/misc/kickstart/soft_data/docker-compose-Linux-x86_64.octet-stream
mv /home/q/www/docker-compose-Linux-x86_64.octet-stream /home/q/www/docker-compose
ln -s /home/q/www/docker-compose /usr/local/bin/docker-compose
chmod 755 /home/q/www/docker-compose
wget -P /home/q/www http://10.64.0.11:9999/misc/kickstart/soft_data/harbor-online-installer-v1.10.2.tgz
tar zxvf /home/q/www/harbor-online-installer-v1.10.2.tgz -C /home/q/www/
在生产环境中,您应该从CA获得证书。在测试或开发环境中,您可以生成自己的CA。要生成CA证书,请运行以下命令。
生成证书颁发机构证书
1.生成CA证书私钥。
openssl genrsa -out ca.key 4096
2.生成CA证书。
mkdir /home/q/www/harbor/ssl_cert
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.corp.11bee.com" \
-key ca.key \
-out ca.crt
生成服务器证书
证书通常包含一个.crt文件和一个.key文件,例如yourdomain.com.crt和yourdomain.com.key。
1.生成私钥。
openssl genrsa -out harbor.corp.11bee.com.key 4096
2.生成证书签名请求(CSR)。
调整-subj选项中的值以反映您的组织。如果使用FQDN连接Harbor主机,则必须将其指定为公用名(CN)属性,并在密钥和CSR文件名中使用它。
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.corp.11bee.com" \
-key harbor.corp.11bee.com.key \
-out harbor.corp.11bee.com.csr
3.生成一个x509 v3扩展文件。
无论您使用FQDN还是IP地址连接到Harbor主机,都必须创建此文件,以便可以为您的Harbor主机生成符合主题备用名称(SAN)和x509 v3的证书扩展要求。替换DNS条目以反映您的域。
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.corp.11bee.com
DNS.2=harbor.corp.11bee
DNS.3=harbor.corp
DNS.4=corp
EOF
4.使用v3.ext文件为您的Harbor主机生成证书。
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.corp.11bee.com.csr \
-out harbor.corp.11bee.com.crt
提供证书给Harbor和Docker
harbor服务端执行
mkdir /data/cert/
cp harbor.corp.11bee.com.crt /data/cert/
cp harbor.corp.11bee.com.key /data/cert/
openssl x509 -inform PEM -in harbor.corp.11bee.com.crt -out harbor.corp.11bee.com.cert
docker客户端上执行
mkdir /etc/docker/certs.d/harbor.corp.11bee.com/ -p
cp harbor.corp.11bee.com.cert /etc/docker/certs.d/harbor.corp.11bee.com/
cp harbor.corp.11bee.com.key /etc/docker/certs.d/harbor.corp.11bee.com/
cp ca.crt /etc/docker/certs.d/harbor.corp.11bee.com/
修改harbor.yml配置文件
vim /home/q/www/harbor/harbor.yml
...
hostname: harbor.corp.11bee.com
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /home/q/www/harbor/ssl_cert/harbor.corp.11bee.com.cert
private_key: /home/q/www/harbor/ssl_cert/harbor.corp.11bee.com.key
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: hGJ$5lz6
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: 9n2jb6r5
...
安装harbor
sh /home/q/www/harbor/install.sh
检查harbor服务是否正常
[root@l-redis3.db.p1 /home/q/www/harbor]# docker-compose ps
Name Command State Ports
---------------------------------------------------------------------------------------------
harbor-core /harbor/harbor_core Up (healthy)
harbor-db /docker-entrypoint.sh Up (healthy) 5432/tcp
harbor-jobservice /harbor/harbor_jobservice ... Up (healthy)
harbor-log /bin/sh -c /usr/local/bin/ ... Up (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up (healthy) 8080/tcp
nginx nginx -g daemon off; Up (healthy) 0.0.0.0:80->8080/tcp
redis redis-server /etc/redis.conf Up (healthy) 6379/tcp
registry /home/harbor/entrypoint.sh Up (healthy) 5000/tcp
registryctl /home/harbor/start.sh Up (healthy)
docker客户端
[root@l-es5.db.beta.p1 ~]# cat /etc/docker/daemon.json
{
"insecure-registries":["harbor.corp.11bee.com"]
}
#重新加载配置
systemctl daemon-reload
#重启docker
systemctl restart docker
#查看docker的新配置是否生效
docker info
#登录私有仓库
docker login harbor.corp.11be.com
#查看镜像
[root@l-es5.db.beta.p1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
nginx mainline e791337790a6 3 months ago 127MB
daocloud.io/centos latest 470671670cac 6 months ago 237MB
centos 7 5e35e350aded 8 months ago 203MB
#在项目中标记镜像
[root@l-es1.db.beta.p1 ~]# docker tag centos:7 harbor.corp.11bee.com/centos/centos:7
[root@l-es1.db.beta.p1 ~]# docker push harbor.corp.11bee.com/centos/centos:7
The push refers to repository [harbor.corp.11bee.com/centos/centos]
77b174a6a187: Pushed
7: digest: sha256:285bc3161133ec01d8ca8680cd746eecbfdbc1faa6313bd863151c4b26d7e5a5 size: 529