Harbor Documentation Study Notes, Part 1: Deploying Harbor

1. Hardware environment

|Resource|Minimum|Recommended|
|---|---|---|
|CPU|2|4|
|RAM|4 GB|8 GB|
|Disk|40 GB|160 GB|

2. Software environment

|Software|Version|
|---|---|
|Docker|docker-ce 17.06+|
|Docker Compose|1.8+|
|OpenSSL|latest is fine|

3. Network environment

|Port|Protocol|Usage|
|---|---|---|
|443|HTTPS|HTTPS access to the API|
|4443|HTTPS|Docker connection|
|80|HTTP|HTTP access to the API|

All of the above ports can be customized in the configuration file.

4. Download the online package

Unpack the Harbor online installer package:
tar xvf harbor-online-installer-v2.1.0.tgz

5. Generate SSL certificates

There are generally two cases for certificates. In a production environment you can obtain a certificate from a third-party CA provider such as Let's Encrypt; in a test environment, or one without internet access, you can use openssl to generate a self-signed certificate. This article uses the self-signed approach.

Generate the CA private key:
openssl genrsa -out ca.key 4096
Generate the CA certificate:
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key ca.key -out ca.crt

Generate the server private key:
openssl genrsa -out harbor.com.key 4096
Generate the certificate signing request (CSR):
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key harbor.com.key -out harbor.com.csr

Create the x509 v3 extensions file v3.ext (cat v3.ext):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.com
DNS.2=harbor
DNS.3=harbor

Sign the CSR with the CA to produce the server certificate:
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.com.csr -out harbor.com.crt

Configure the certificates for Docker and Harbor

mkdir -p /data/cert
cp harbor.com.crt harbor.com.key /data/cert/
# The Docker daemon reads *.crt files under certs.d as CA certificates and *.cert files as client certificates,
# so the server certificate is converted to the .cert extension before being copied there
openssl x509 -inform PEM -in harbor.com.crt -out harbor.com.cert
mkdir -p /etc/docker/certs.d/harbor.com
cp harbor.com.cert /etc/docker/certs.d/harbor.com/
cp harbor.com.key /etc/docker/certs.d/harbor.com/
cp ca.crt /etc/docker/certs.d/harbor.com/
systemctl restart docker

Also add the certificate to the operating system trust store (update-ca-trust is the RHEL/CentOS family's tool):
cp harbor.com.crt /etc/pki/ca-trust/source/anchors/harbor.com.crt
update-ca-trust

6. Deployment

There are really two deployment scenarios:

  • Install without HTTPS first, then configure HTTPS afterwards
  • Configure HTTPS first, then install

Install first, then configure HTTPS
cd harbor
./install.sh
After the installation completes:

Creating harbor-log ... done
Creating redis ... done
Creating harbor-db ... done
Creating registry ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----

Visit http://192.168.0.161
Log in with the default credentials admin/Harbor12345

Configure HTTPS
cat harbor.yml

# Configuration file of Harbor

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbor.com.crt
  private_key: /data/cert/harbor.com.key
  
  # ...

Regenerate the configuration files:
./prepare

docker-compose down -v
docker-compose up -d

Visit https://harbor.com

Configure HTTPS first, then install
There is not much difference, except that some components can only be installed once HTTPS access is enabled:
./install.sh --with-notary --with-trivy --with-clair --with-chartmuseum

7. Issues

Note 1:
Here Docker acts as the client that accesses Harbor. If Harbor is configured with HTTPS then, following how CA-based verification works, the Docker client must trust the CA certificate ca.crt before it can access Harbor normally. That is why, as seen in this article's configuration, Docker also needs the certificate directory set up, and daemon.json needs to be configured as well.

However, in the earlier article on deploying a registry on the public internet, no CA certificate was configured on the Docker client after SSL was added. That is because that article used a certificate issued by a third-party CA: when the client contacts the registry it validates the certificate issued by that authority, whereas this article uses a self-signed certificate, so the issuing certificate has to be installed on the client manually.

HTTP access needs no further explanation.

Note 2:
Every Docker client needs a hosts mapping for the Harbor hostname:
echo "192.168.0.161 harbor.com" >> /etc/hosts
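The `echo >> /etc/hosts` step above appends a new line every time it is run, so repeating it on a client (or running it from a provisioning script) leaves duplicate entries, and a changed Harbor address leaves a stale mapping next to the new one. The following helper, an added example that is not from the original post, adds the mapping only when the hostname is not already mapped, and refuses to append when the name already points at a different address so that the conflict is noticed rather than silently shadowed. The function name and the optional HOSTS_FILE parameter (defaulting to /etc/hosts) are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent /etc/hosts mapping for the Harbor hostname.
set -e

# add_hosts_mapping IP HOSTNAME [HOSTS_FILE]
#   prints "added"    and returns 0 when a line was appended
#   prints "present"  and returns 0 when the exact mapping already exists
#   prints "conflict" and returns 1 when HOSTNAME is already mapped to another address
add_hosts_mapping() {
    ip=$1; host=$2; file=${3:-/etc/hosts}
    # Look for HOSTNAME as a whole word (any alias position) on a non-comment line
    # and report the address it currently resolves to; empty means not mapped.
    existing=$(grep -Ev '^[[:space:]]*#' "$file" 2>/dev/null \
        | awk -v h="$host" '{ for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }')
    if [ -z "$existing" ]; then
        printf '%s %s\n' "$ip" "$host" >> "$file"
        echo added
    elif [ "$existing" = "$ip" ]; then
        echo present
    else
        echo conflict
        return 1
    fi
}

# Usage on a Docker client (as root): add_hosts_mapping 192.168.0.161 harbor.com
```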