Deploying Harbor on Kubernetes with Helm

Environment:
Kubernetes version: v1.22.3
Helm version: v3.7.1
Helm chart version: 1.8.0

The YAML files used below can be downloaded from DeploymentFiles.

Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free of vulnerabilities, and signs images as trusted.

Preparation

1. Install Helm

Official site: https://helm.sh/zh/docs/
Helm is the package manager for Kubernetes and the best way to find, share and use software built for Kubernetes.
A chart is a Helm package; it contains all the resource definitions needed to run an application, tool or service inside a Kubernetes cluster.
A repository is where charts are stored and shared.
A release is an instance of a chart running in a Kubernetes cluster.

$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
$ chmod 700 get_helm.sh
$ ./get_helm.sh
2. Create the namespace
kubectl create namespace harbor
3. Set up NFS and create the directories

Deploying the NFS server is covered in another article and is not repeated here (http://www.itdecent.cn/p/2c20efbd5855)
① Export the directory over NFS

$sudo vim /etc/exports
# add the following line
/hdd/nfs *(rw,sync,no_root_squash,no_subtree_check)

② Create the required directories under /hdd/nfs

sudo mkdir -p /hdd/nfs/harbor/registry
sudo mkdir -p /hdd/nfs/harbor/chartmuseum
sudo mkdir -p /hdd/nfs/harbor/jobservice
sudo mkdir -p /hdd/nfs/harbor/database
sudo mkdir -p /hdd/nfs/harbor/redis
sudo mkdir -p /hdd/nfs/harbor/trivy

③ Fix the directory permissions
File permissions matter a lot; this was a big pitfall for me, with Redis and the database repeatedly failing with "permission denied".
-R applies the change recursively to everything under harbor.

sudo chmod -R 777 /hdd/nfs/harbor

If those permissions are still not enough, change the owner of the files to your current user:

sudo chown -R 1000:1000 /hdd/nfs/
4. Create the PV and PVC

① Create the PV manifest harbor-pv.yaml
Fill in spec.nfs.path and spec.nfs.server with your own export path and server IP.
spec.storageClassName must match the storageClassName in the PVC.
spec.capacity.storage can be adjusted to your needs; the PVC request must not exceed the PV capacity (PVC <= PV).

#registry-PV
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-registry
  labels:
    app: harbor-registry
spec:
  capacity:
    storage: 20Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/registry
    server: 192.168.100.24
---
#harbor-chartmuseum-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-chartmuseum
  labels:
    app: harbor-chartmuseum
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/chartmuseum
    server: 192.168.100.24
---
#harbor-jobservice-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-jobservice
  labels:
    app: harbor-jobservice
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/jobservice
    server: 192.168.100.24
---
#harbor-database-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-database
  labels:
    app: harbor-database
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/database
    server: 192.168.100.24
---
#harbor-redis-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-redis
  labels:
    app: harbor-redis
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/redis
    server: 192.168.100.24
---
#harbor-trivy-pv
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-trivy
  labels:
    app: harbor-trivy
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "harbor"
  mountOptions:
    - hard
  nfs:
    path: /hdd/nfs/harbor/trivy
    server: 192.168.100.24

Create the PV resources
-f specifies the manifest file.
PVs are cluster-scoped, so no namespace is needed.

kubectl apply -f /etc/kubernetes/harbor/harbor-pv.yaml

② Create the PVC manifest harbor-pvc.yaml

#harbor-registry-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-registry
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 20Gi
  selector:
    matchLabels:
      app: harbor-registry
---
#harbor-chartmuseum-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-chartmuseum
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-chartmuseum
---
#harbor-jobservice-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-jobservice
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-jobservice 
---
#harbor-database-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-database
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-database  
---
#harbor-redis-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-redis
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-redis
---
#harbor-trivy-pvc
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-trivy
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "harbor"
  resources:
    requests:
      storage: 5Gi
  selector:
    matchLabels:
      app: harbor-trivy

Create the PVC resources
-n specifies the namespace.

kubectl apply -f /etc/kubernetes/harbor/harbor-pvc.yaml -n harbor
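
The six PV manifests above and their six PVCs differ only in name, size and NFS path. As an added example (not from the original article), the following POSIX shell script generates both files from one template, so the app label, storageClassName and size stay identical between each PV and its PVC, which is what the selector-based binding and the PVC <= PV rule rely on. The NFS server, export base path and storage class default to the values used in this article; NFS_SERVER, NFS_BASE, STORAGE_CLASS and OUTDIR are assumed override variables.

```shell
#!/bin/sh
# Added example: generate harbor-pv.yaml and harbor-pvc.yaml for the six Harbor
# components from one template.  Defaults are the article's values; override via
# NFS_SERVER, NFS_BASE, STORAGE_CLASS and OUTDIR (assumed variable names).
NFS_SERVER="${NFS_SERVER:-192.168.100.24}"
NFS_BASE="${NFS_BASE:-/hdd/nfs/harbor}"
STORAGE_CLASS="${STORAGE_CLASS:-harbor}"
OUTDIR="${OUTDIR:-.}"

# Component list as "<name>:<size>": registry gets 20Gi, the rest 5Gi, as in the article.
COMPONENTS="registry:20Gi chartmuseum:5Gi jobservice:5Gi database:5Gi redis:5Gi trivy:5Gi"

# gen_pv NAME SIZE -> one PersistentVolume manifest on stdout
gen_pv() {
  name="$1"; size="$2"
  cat <<EOF
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-$name
  labels:
    app: harbor-$name
spec:
  capacity:
    storage: $size
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "$STORAGE_CLASS"
  mountOptions:
    - hard
  nfs:
    path: $NFS_BASE/$name
    server: $NFS_SERVER
EOF
}

# gen_pvc NAME SIZE -> one PersistentVolumeClaim manifest on stdout.  The selector
# pins the claim to the PV carrying the same app label, and the request equals
# the PV capacity so PVC <= PV always holds.
gen_pvc() {
  name="$1"; size="$2"
  cat <<EOF
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-$name
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "$STORAGE_CLASS"
  resources:
    requests:
      storage: $size
  selector:
    matchLabels:
      app: harbor-$name
EOF
}

# gen_all KIND -> every manifest of KIND (pv|pvc), separated by '---'
gen_all() {
  kind="$1"; first=1
  for c in $COMPONENTS; do
    name="${c%%:*}"; size="${c#*:}"
    [ "$first" -eq 1 ] || echo "---"
    first=0
    if [ "$kind" = pv ]; then gen_pv "$name" "$size"; else gen_pvc "$name" "$size"; fi
  done
}

# count_docs KIND -> number of manifests produced (one top-level 'kind:' per document)
count_docs() { gen_all "$1" | grep -c '^kind: '; }

# Write both files.  Apply them afterwards exactly as in the article:
#   kubectl apply -f harbor-pv.yaml
#   kubectl apply -f harbor-pvc.yaml -n harbor
gen_all pv  > "$OUTDIR/harbor-pv.yaml"
gen_all pvc > "$OUTDIR/harbor-pvc.yaml"
echo "wrote harbor-pv.yaml ($(count_docs pv) PVs) and harbor-pvc.yaml ($(count_docs pvc) PVCs) to $OUTDIR"
```

After applying both files, kubectl get pvc -n harbor should list all six claims as Bound before Harbor is installed; a claim stuck in Pending usually means the storageClassName or the app label does not match its PV, or the PVC asks for more than the PV offers.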

Create a custom certificate

By default Harbor ships without certificates. It can be deployed without transport security and accessed over HTTP; to configure HTTPS you must create an SSL certificate.
Create the folder /home/master/harbor_crt and cd into it before running the commands below (optional; I do this to keep everything in one place).
① Generate the certificate files

## generate the CA key and self-signed CA certificate
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt  -subj  "/C=CN/ST=Guangdong/L=Guangzhou/O=example/OU=example/CN=192.168.100.51"

## generate the server key and certificate signing request
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout tls.key -out tls.csr  -subj  "/C=CN/ST=Guangdong/L=Guangzhou/O=example/OU=example/CN=192.168.100.51"

When connecting by IP address, clients match the address against the subjectAltName extension rather than the CN, so a CN alone is ignored; an extension file is needed to put the IP address into the certificate:

$vim extfile.cnf
# put the following content in it
subjectAltName = IP:192.168.100.51
## generate the server certificate
$ openssl x509 -req -days 3650 -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial  -extfile extfile.cnf -out tls.crt

② Create the Secret resource
Create a Kubernetes Secret and load the certificate files into it:

kubectl create secret generic harbor-tls --from-file=tls.crt --from-file=tls.key --from-file=ca.crt -n harbor

Set up the Harbor values file

① Download the values.yaml file of the v1.7.4 (Latest) release from the official repository https://github.com/goharbor/harbor-helm
② Edit the configuration file
I use the nodePort exposure, so expose.type is set to nodePort; for another exposure type, set the corresponding type instead.
For externalURL, pick any reachable node IP:port (make sure the scheme and the port number match each other). Try not to change the default password: the first time I changed it to something else, and after deleting the release several times because of various problems, pgdata was not cleaned up completely and I could no longer log in with the default password.
The file is long, so I removed the commented-out parts; compare carefully.

expose:
  type: nodePort
  tls:
    enabled: true
    certSource: secret
    auto:
      commonName: ""
    secret:
      secretName: "harbor-tls"
      notarySecretName: "harbor-tls"
# ... (unchanged)
  nodePort:
    name: harbor
    ports:
      http:
        port: 80
        nodePort: 30002
      https:
        port: 443
        nodePort: 30003
      notary:
        port: 4443
        nodePort: 30004
  loadBalancer:
# ... (unchanged)
externalURL: https://192.168.100.51:30003

internalTLS:
# ... (unchanged)

persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      existingClaim: "harbor-registry"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 20Gi
    chartmuseum:
      existingClaim: "harbor-chartmuseum"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: "harbor-jobservice"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    database:
      existingClaim: "harbor-database"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    redis:
      existingClaim: "harbor-redis"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    trivy:
      existingClaim: "harbor-trivy"
      storageClass: "harbor"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
# ... (unchanged)
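
The note above about keeping the scheme and port of externalURL in step with the nodePort settings is easy to get wrong while editing a long values file. As an added check, not from the original article or the Harbor chart, the following POSIX shell script extracts expose.tls.enabled, the http and https nodePorts and externalURL with awk, and verifies that an https URL uses the https nodePort with TLS enabled while an http URL uses the http nodePort. It assumes the two-space indentation of the chart's values.yaml as shown above (it is a grep/awk check, not a YAML parser); the sample fragments it checks are constructed inline, and values_get, check_external_url and write_sample are names chosen for this example.

```shell
#!/bin/sh
# Added example: consistency check between externalURL and the nodePort settings
# in a Harbor values file.  Assumed: the chart's two-space indentation as shown
# in the article; this is a grep/awk check, not a YAML parser.

# values_get FILE -> "tls_enabled http_nodeport https_nodeport externalURL"
# (missing keys print as "unset" so the field positions stay stable)
values_get() {
  f="$1"
  tls=$(awk '/^  tls:/{s=1} s && /^    enabled:/{print $2; exit}' "$f")
  http=$(awk '/^      http:/{s=1} s && /nodePort:/{print $2; exit}' "$f")
  https=$(awk '/^      https:/{s=1} s && /nodePort:/{print $2; exit}' "$f")
  url=$(awk '/^externalURL:/{print $2; exit}' "$f")
  echo "${tls:-unset} ${http:-unset} ${https:-unset} ${url:-unset}"
}

# check_external_url FILE -> 0 when scheme, port and TLS setting agree, 1 otherwise
check_external_url() {
  set -- $(values_get "$1")
  tls="$1"; http="$2"; https="$3"; url="$4"
  scheme="${url%%://*}"
  hostport="${url#*://}"
  port="${hostport##*:}"
  [ "$port" != "$hostport" ] || port="none"   # URL without an explicit port
  case "$scheme" in
    https)
      [ "$tls" = true ] ||
        { echo "FAIL: externalURL is https but expose.tls.enabled=$tls"; return 1; }
      [ "$port" = "$https" ] ||
        { echo "FAIL: https externalURL uses port $port, https nodePort is $https"; return 1; }
      ;;
    http)
      [ "$port" = "$http" ] ||
        { echo "FAIL: http externalURL uses port $port, http nodePort is $http"; return 1; }
      ;;
    *)
      echo "FAIL: unrecognised scheme in externalURL: $url"; return 1 ;;
  esac
  echo "OK: externalURL $url matches the nodePort settings"
}

# Constructed sample fragments containing only the keys the check reads.
write_sample() {
  cat > "$1" <<EOF
expose:
  type: nodePort
  tls:
    enabled: true
    certSource: secret
  nodePort:
    name: harbor
    ports:
      http:
        port: 80
        nodePort: 30002
      https:
        port: 443
        nodePort: 30003
externalURL: $2
EOF
}

SAMPLES=$(mktemp -d)
write_sample "$SAMPLES/good.yaml" https://192.168.100.51:30003
write_sample "$SAMPLES/bad.yaml"  https://192.168.100.51:30002   # https URL on the http nodePort
check_external_url "$SAMPLES/good.yaml"
check_external_url "$SAMPLES/bad.yaml" || true
```

Point check_external_url at your real values file (deployment_nodeport.yaml in this article) before running helm install; a mismatch here is what produces redirects to an unreachable port after login.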

Install Harbor

① Add the Helm repository

$ helm repo add harbor https://helm.goharbor.io

② Deploy Harbor

helm install harbor harbor/harbor -f /etc/kubernetes/harbor/deployment_nodeport.yaml -n harbor

③ Check whether the deployment has finished

$ kubectl get deployment -n harbor

④ Access Harbor
Open the address configured as externalURL above in a browser.
Default user: admin
Default password: Harbor12345

Configure the registry on the Docker hosts

Running docker login against the freshly deployed Harbor from Ubuntu fails with an error.

① So Docker has to trust our certificate: configure the Harbor certificate for Docker
Create the certs.d folder under /etc/docker, then inside certs.d create a folder named 192.168.100.51:30003 (IP:port)

$ mkdir -p /etc/docker/certs.d/192.168.100.51:30003

Convert tls.crt to tls.cert for Docker: the Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.

$cd harbor_tls/
$sudo openssl x509 -inform PEM -in tls.crt -out tls.cert

Copy the HTTPS certificate files created earlier, ca.crt, tls.cert and tls.key, into the 192.168.100.51:30003 folder (this is needed on every Docker host)

$sudo cp harbor_tls/ca.crt /etc/docker/certs.d/192.168.100.51\:30003/
$sudo cp harbor_tls/tls.key /etc/docker/certs.d/192.168.100.51\:30003/
$sudo cp harbor_tls/tls.cert /etc/docker/certs.d/192.168.100.51\:30003/
# restart docker
$sudo systemctl daemon-reload
$sudo systemctl restart docker.service 
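
Docker picks a file's role from its extension, as noted above: *.crt is a CA certificate used to verify the registry, while *.cert together with a matching *.key is a client certificate presented when the registry asks for client authentication. As an added example, not from the original article, the following POSIX shell script audits a certs.d/<host:port> directory for the layout problems behind the docker login error above: no CA certificate at all, a file whose PEM contents do not match its extension (tls.crt copied where tls.cert was meant, or the reverse), and a private key without a paired client certificate. The directories it inspects in the demo are constructed with placeholder PEM files; pem_type, audit_certs_d and make_pem are names chosen for this example.

```shell
#!/bin/sh
# Added example: audit a Docker certs.d/<host:port> directory.  Docker reads
# *.crt as CA certificates (to trust the registry) and *.cert + *.key as a client
# certificate pair (for client authentication).  Sample dirs are constructed below.

# pem_type FILE -> "cert", "key" or "other", from the PEM header
pem_type() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then echo cert
  elif grep -q 'PRIVATE KEY' "$1"; then echo key
  else echo other; fi
}

# audit_certs_d DIR -> 0 when the layout is sound, 1 otherwise; findings on stdout
audit_certs_d() {
  dir="$1"; rc=0; cacount=0
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    base=$(basename "$f"); type=$(pem_type "$f")
    case "$base" in
      *.crt)
        if [ "$type" = cert ]; then cacount=$((cacount + 1))
        else echo "$base: expected a CA certificate, found $type"; rc=1; fi ;;
      *.cert)
        [ "$type" = cert ] || { echo "$base: expected a client certificate, found $type"; rc=1; }
        [ -f "$dir/${base%.cert}.key" ] || { echo "$base: no matching ${base%.cert}.key"; rc=1; } ;;
      *.key)
        [ "$type" = key ] || { echo "$base: expected a private key, found $type"; rc=1; }
        [ -f "$dir/${base%.key}.cert" ] ||
          { echo "$base: private key without a ${base%.key}.cert client certificate"; rc=1; } ;;
      *)
        echo "$base: unexpected file (Docker ignores it)"; rc=1 ;;
    esac
  done
  [ "$cacount" -gt 0 ] ||
    { echo "no CA certificate (*.crt) in $dir: docker login cannot verify the registry"; rc=1; }
  return $rc
}

# make_pem FILE TYPE -> write a constructed placeholder PEM block (not a real key/cert)
make_pem() {
  printf '%s\n' "-----BEGIN $2-----" "constructed-placeholder-not-real" "-----END $2-----" > "$1"
}

# Constructed sample directories for the demo
DEMO=$(mktemp -d)
GOOD_DIR="$DEMO/192.168.100.51:30003"; mkdir -p "$GOOD_DIR"
make_pem "$GOOD_DIR/ca.crt" CERTIFICATE                  # CA only: enough for docker login
NOCA_DIR="$DEMO/noca"; mkdir -p "$NOCA_DIR"
make_pem "$NOCA_DIR/tls.cert" CERTIFICATE                # client pair but no CA cert
make_pem "$NOCA_DIR/tls.key" "PRIVATE KEY"
SWAPPED_DIR="$DEMO/swapped"; mkdir -p "$SWAPPED_DIR"
make_pem "$SWAPPED_DIR/ca.crt" "PRIVATE KEY"             # a key saved under a .crt name

for d in "$GOOD_DIR" "$NOCA_DIR" "$SWAPPED_DIR"; do
  echo "== $d"
  audit_certs_d "$d" && echo "ok"
done
```

On a real host, run audit_certs_d /etc/docker/certs.d/192.168.100.51:30003 after copying the files and before restarting Docker. For the Harbor setup in this article, which does not request client certificates, ca.crt on its own is what makes docker login verify the registry; the .cert/.key pair is only consulted when the registry asks for client authentication, so the server's own tls.key does not have to be distributed to every Docker host.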

② Make the system trust our root certificate (optional)
The update-ca-certificates command appends PEM-format root certificates to /etc/ssl/certs/ca-certificates.crt, the bundle that holds the trusted root certificates shipped with the system.

$sudo cp harbor_tls/tls.crt /usr/local/share/ca-certificates
$sudo update-ca-certificates

Access Harbor again: login succeeds. Happy!

Reference: http://www.mydlq.club/article/66/#documentTop
