Configuring HTTPS for Harbor and deploying it with docker-compose

1. Preparation

Note: choose versions carefully and check that the Docker version matches the Harbor release you are installing.

1.1 Prepare images and binaries

1.1.1 Download the Harbor offline package. I packaged the image from a machine using docker save -o.

1.1.2 docker-compose binary

curl -L https://github.com/docker/compose/releases/download/1.24.1/docker-compose-Linux-x86_64 -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

1.2 Configure local name resolution

echo "192.168.40.63 qiushi.cn" >> /etc/hosts

2. Deploy Harbor

2.1 Issue the CA and server certificates

Follow the Harbor official documentation:
https://goharbor.io/docs/2.4.0/install-config/configure-https/
[root@qiushi ~]# mkdir ssl && cd ssl
[root@qiushi ssl]# cat ssl.sh

# 1. Root certificate self-signed CA private key
openssl genrsa -out ca.key 4096
  
# 2. Root certificate self-signed CA crt certificate
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=xueshen/OU=k8s/CN=qiushi.cn" \
 -key ca.key \
 -out ca.crt
# This produces a self-signed CA key pair, which is then used to sign the certificate for Harbor
# Parameter description:
# C, Country, represents the country
# ST, STate, represents the province
# L, Location, represents the city
# O, Organization, represents organization, company
# OU, Organization Unit, representative department
# CN, Common Name, represents the server domain name
# emailAddress, represents the contact email address.

# 3. Private key for the Harbor server certificate
openssl genrsa -out qiushi.cn.key 4096

# 4. Certificate signing request (CSR) for the Harbor server certificate
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=xueshen/OU=k8s/CN=qiushi.cn" \
    -key qiushi.cn.key \
    -out qiushi.cn.csr
    
# 5. SAN extension file for the server certificate
# v3.ext lists the domain names the certificate is issued for. Harbor's hostname must be one of the three names below; the issued certificate is valid only for those names.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=qiushi.cn
DNS.2=qiushi2.cn
DNS.3=qiushi3.cn
EOF

# 6. Sign the server certificate with the CA, applying the extensions from v3.ext
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in qiushi.cn.csr \
    -out qiushi.cn.crt

# 7. The Docker daemon interprets the .crt file as a CA certificate and the .cert file as a client certificate.
openssl x509 -inform PEM -in qiushi.cn.crt -out qiushi.cn.cert

[root@qiushi ssl]# chmod +x ssl.sh
[root@qiushi ssl]# ./ssl.sh
[root@qiushi ssl]# ls
ssl.sh ca.crt ca.key ca.srl v3.ext qiushi.cn.crt qiushi.cn.cert qiushi.cn.csr qiushi.cn.key
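Added example (not from the original post or the Harbor project): a POSIX shell script that builds a throw-away CA and SAN server certificate with the same openssl steps as ssl.sh, then performs the two checks the Docker client makes before trusting the registry: that the server certificate chains to ca.crt and that its SAN covers the Harbor hostname. It assumes the openssl CLI is installed; the temp directory, the 2048-bit keys and the host names are constructed test values.

```shell
#!/bin/sh
# Added example, not from the original post or the Harbor project.
# make_test_pki DIR HOST: builds a throw-away CA and a SAN server certificate
# in DIR, following the same openssl steps as ssl.sh (2048-bit keys to keep it fast)
make_test_pki() {
  dir=$1; host=$2
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=xueshen/OU=k8s/CN=$host" \
    -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "/C=CN/O=xueshen/CN=$host" \
    -key "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
}

# verify_harbor_cert CA_CRT SERVER_CRT HOST: the two checks the Docker client
# performs against /etc/docker/certs.d/HOST/ca.crt before it trusts the registry.
# Returns 0 if trusted, 1 on a chain failure, 2 on a SAN/hostname mismatch.
verify_harbor_cert() {
  ca=$1; crt=$2; host=$3
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "chain check failed: $crt is not signed by $ca" >&2; return 1
  fi
  # -verify_hostname (OpenSSL >= 1.1.0) fails when no SAN entry matches HOST;
  # a certificate issued for the wrong name is what Docker reports as a certificate error
  if ! openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1; then
    echo "hostname check failed: SAN of $crt does not cover $host" >&2; return 2
  fi
  echo "$crt is trusted for https://$host"
}

# Stand-alone demo on a constructed PKI in a temp dir: run as `sh script.sh demo`
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && make_test_pki "$d" qiushi.cn
  verify_harbor_cert "$d/ca.crt" "$d/qiushi.cn.crt" qiushi.cn
  verify_harbor_cert "$d/ca.crt" "$d/qiushi.cn.crt" qiushi2.cn || echo "exit code $?"
  rm -rf "$d"
fi
```

Run verify_harbor_cert against the real ca.crt and qiushi.cn.crt produced by ssl.sh to confirm the hostname in harbor.yml is one of the SAN entries before starting Harbor.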

2.2 Install the certificates for Harbor and Docker

Copy the certificate and key to the directory Harbor will mount:

[root@qiushi ssl]# mkdir -p /data/{ssl,install}
[root@qiushi ssl]# cp qiushi.cn.crt qiushi.cn.key /data/ssl

Copy the CA certificate and client certificate to the Docker certs directory for this registry:

[root@qiushi ssl]# mkdir -p /etc/docker/certs.d/qiushi.cn/
[root@qiushi ssl]# cp ca.crt qiushi.cn.cert qiushi.cn.key /etc/docker/certs.d/qiushi.cn/

2.3 Extract the Harbor offline package (it contains the images, harbor.yml.tmpl, the install scripts, etc.); docker-compose.yml is generated afterwards by ./prepare

[root@qiushi ~]# tar xzvf harbor-offline-installer-v2.3.0-rc3.tgz -C /data/install/
harbor/harbor.v2.3.0.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/common.sh
harbor/harbor.yml.tmpl
[root@qiushi harbor]# docker load -i harbor.v2.3.0.tar.gz

Run ./prepare to generate the usable docker-compose.yml from harbor.yml
[root@qiushi harbor]# ./prepare
prepare base dir is set to /data/install/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[root@qiushi harbor]# ls
common docker-compose.yml harbor.yaml.bak harbor.yml.tmpl LICENSE
common.sh harbor.v2.3.0.tar.gz harbor.yml install.sh prepare

[root@qiushi harbor]# cp harbor.yml.tmpl harbor.yml

3. Modify the configuration file: certificate paths, the port mapped to 80, and the hostname

3.1 Harbor configuration file modification

[root@qiushi ~]# cat /data/install/harbor/harbor.yml
hostname: qiushi.cn
http:
  port: 9999   # Port 80 is not exposed to the outside world by default
https:
  # https port for harbor, default is 443
  port: 443
  certificate: /data/ssl/qiushi.cn.crt   # mounted certificate
  private_key: /data/ssl/qiushi.cn.key   # mounted private key
  
Mail and LDAP do not need to be configured here; they can be set up in the Harbor web interface.
Keep the default settings for everything else.
Save and exit after making the changes.
Note: Harbor's default account and password are admin/Harbor12345.

3.2 docker-compose configuration file (modify harbor.yml first and then run ./prepare, which regenerates docker-compose.yml with the changes applied)

[root@qiushi ~]# cat /data/install/harbor/docker-compose.yml   # excerpt: the proxy service only
...
  proxy:
    image: goharbor/nginx-photon:v2.3.0
    container_name: nginx
    restart: always
    ...
    ports:
      - 9999:8080   # Port 80 is not exposed to the outside world by default
      - 443:8443

3.3 Add the private registry to the Docker daemon configuration

[root@qiushi ssl]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["https://vh3bm52y.mirror.aliyuncs.com", "https://registry.dockercn.com", "https://docker.mirrors.ustc.edu.cn", "https://dockerhub.azk8s.cn", "http://hubmirror.c.163.com", "https://qiushi.cn"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
[root@qiushi ~]# systemctl daemon-reload
[root@qiushi ~]# systemctl restart docker

4. Verify HTTPS

Run the installer, then log in to the private registry using its domain name

[root@qiushi ~]# ./install.sh
[root@qiushi ~]# docker login qiushi.cn -u admin -p Harbor12345

[root@qiushi ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.3.0 fa4ecf260b3a 2 years ago 80.7MB
xuegod.cn/test/aa v1 fa4ecf260b3a 2 years ago 80.7MB
[root@qiushi ~]# docker tag goharbor/harbor-exporter:v2.3.0 qiushi.cn/test/test_image:v1
[root@qiushi ~]# docker push qiushi.cn/test/test_image:v1
The push refers to repository [qiushi.cn/test/test_image]
83cea239dd18: Pushed
48f062b756ef: Pushed
3b267db69816: Pushed
230bb4d21843: Pushed
7b63ae3694f2: Pushed
v1: digest: sha256:398f5a2058d77b5c66942f78ab871ce69990d75121b5b7ef3af7283cc73bc7a4 size: 1369

The web interface is then reachable at:
http://192.168.40.63:9999/
https://qiushi.cn

5. Configure harbor to start at boot

vim /etc/rc.local
/usr/local/bin/docker-compose -f /data/install/harbor/docker-compose.yml up -d

6. Connecting the Harbor private registry to K8s

Because the registry is not public, pulling an image requires the account and password. Configure them as a Secret and mount it into the Pod.
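Added example (not from the original post or the Harbor project): a POSIX shell script that builds the kubernetes.io/dockerconfigjson Secret a Pod uses to pull from the private registry, the same content `kubectl create secret docker-registry` generates, plus a Pod that references it. The secret name harbor-cred, the namespace default and the Pod manifest are assumptions; the registry host and credentials are the values from this post.

```shell
#!/bin/sh
# Added example, not from the original post or the Harbor project: the
# kubernetes.io/dockerconfigjson Secret a Pod needs to pull from the private
# Harbor registry, i.e. what `kubectl create secret docker-registry` generates.

# b64 STRING: base64 on one line (GNU base64 wraps at 76 columns by default)
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# docker_config_json REGISTRY USER PASS: the config.json content kubelet reads;
# "auth" is base64("USER:PASS"), the same format Docker writes after docker login
docker_config_json() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$(b64 "$2:$3")"
}

# harbor_pull_secret NAME NAMESPACE REGISTRY USER PASS: prints the Secret manifest.
# The whole JSON is base64-encoded once more because it goes in the "data" field.
harbor_pull_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(docker_config_json "$3" "$4" "$5")")
EOF
}

# Demo with the values from this post (secret name, namespace and Pod are
# assumptions). The admin password is used only for illustration; a Harbor
# robot account with pull-only permission is the better choice for kubelet.
harbor_pull_secret harbor-cred default qiushi.cn admin Harbor12345
cat <<'EOF'
---
apiVersion: v1
kind: Pod
metadata:
  name: harbor-pull-test
  namespace: default
spec:
  imagePullSecrets:
    - name: harbor-cred
  containers:
    - name: app
      image: qiushi.cn/test/test_image:v1
EOF
```

Pipe the output to kubectl apply -f - ; the node still needs the CA from section 2.2 in /etc/docker/certs.d/qiushi.cn/ (or the equivalent for its container runtime), otherwise the pull fails with the certificate error recorded under 7.1.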

7. Problems encountered

7.1 K8s fails to pull the image and reports: http: server gave HTTP response to HTTPS client.

The local Docker client has to trust the Harbor certificate; there are two ways to handle the certificate on the Docker client:
7.1.1 Add the registry address to the insecure-registries item in daemon.json, which allows access to the registry without certificate verification.
7.1.2 Install the Harbor certificate, paying special attention to the Docker configuration: the Docker daemon interprets the .crt file as a CA certificate and the .cert file as a client certificate.


7.2 Pushing images does not work with a non-FQDN hostname

Pay attention to the hostname in harbor.yml:
1. Change the hostname to qiushi.cn
  1.1 For your own experiments you can change the local resolution (/etc/hosts) or the host name (changing the host name of a K8s node is risky)
  1.2 In production, register the name in your own DNS
2. The hostname in harbor.yml must also be changed.
3. If the name is registered in DNS, that record must be changed as well.
4. After the change, rerun ./install.sh; this does not affect the repositories already installed.


7.3 Problems after the Harbor physical machine restarts or Docker is restarted

systemctl daemon-reload
systemctl restart docker
cd /data/install/harbor
docker-compose stop
docker-compose start
./install.sh
Tried restarting but still not working

7.4 Advantage of docker-compose container management
Automatic restart policy (restart: always in docker-compose.yml)

To configure a high-availability Harbor, refer to this article; it contains many precautions.
https://blog.csdn.net/avatar_2009/article/details/125266411

syntaxbug.com © 2021 All Rights Reserved.