官网部署地址:https://goharbor.io/docs/2.6.0/install-config/harbor-ha-helm/
- 下载Download Harbor helm chart:
helm repo add harbor https://helm.goharbor.io
helm fetch harbor/harbor --untar
- 手动生成https证书 用默认证书会有问题,需要手动生成
Linux系统下生成证书
生成秘钥key,运行:
$ openssl genrsa -des3 -out server.key 2048
1
会有两次要求输入密码,输入同一个即可
输入密码
然后你就获得了一个server.key文件.
以后使用此文件(通过openssl提供的命令或API)可能经常回要求输入密码,如果想去除输入密码的步骤可以使用以下命令:
$ openssl rsa -in server.key -out server.key
创建服务器证书的申请文件server.csr,运行:
openssl req -new -key server.key -out server.csr
其中Country Name填CN,Common Name填主机名也可以不填,如果不填浏览器会认为不安全.(例如你以后的url为https://abcd/xxxx….这里就可以填abcd),其他的都可以不填.
创建CA证书:
openssl req -new -x509 -key server.key -out ca.crt -days 3650
此时,你可以得到一个ca.crt的证书,这个证书用来给自己的证书签名.
创建自当前日期起有效期为期十年的服务器证书server.crt:
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
ls你的文件夹,可以看到一共生成了5个文件:
ca.crt ca.srl server.crt server.csr server.key
1
其中,server.crt和server.key就是你的nginx需要的证书文件.
kubectl create secret tls harbor.lingxd.com --key harbor.lingxd.com.key --cert harbor.lingxd.com.crt -n harbor
- 修改values.yaml
expose:
type: ingress
tls:
enabled: true
certSource: secret
auto:
commonName: ""
secret:
secretName: "harbor.lingxd.com" #上一步生成的证书名
notarySecretName: "harbor.lingxd.com" #上一步生成的证书名
ingress:
hosts:
core: harbor.lingxd.com #设置访问域名
notary: notary.lingxd.com
controller: default
kubeVersionOverride: ""
className: ""
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
kubernetes.io/ingress.class: nginx ##注意手动添加这个,不然域名访问404
ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
notary:
annotations: {}
labels: {}
harbor:
annotations: {}
labels: {}
clusterIP:
name: harbor
annotations: {}
ports:
httpPort: 80
httpsPort: 443
notaryPort: 4443
nodePort:
name: harbor
ports:
http:
port: 80
nodePort: 30002
https:
port: 443
nodePort: 30003
notary:
port: 4443
nodePort: 30004
loadBalancer:
name: harbor
IP: ""
ports:
httpPort: 80
httpsPort: 443
notaryPort: 4443
annotations: {}
sourceRanges: []
externalURL: https://harbor.lingxd.com:30409 #修改这个
internalTLS:
enabled: true
certSource: "auto"
trustCa: ""
core:
secretName: ""
crt: ""
key: ""
jobservice:
secretName: ""
crt: ""
key: ""
registry:
secretName: ""
crt: ""
key: ""
portal:
secretName: ""
crt: ""
key: ""
chartmuseum:
secretName: ""
crt: ""
key: ""
trivy:
secretName: ""
crt: ""
key: ""
ipFamily:
ipv6:
enabled: true
ipv4:
enabled: true
persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
existingClaim: ""
storageClass: "course-nfs-storage" #设置持久化存储
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
annotations: {}
chartmuseum:
existingClaim: ""
storageClass: "course-nfs-storage"
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
annotations: {}
jobservice:
jobLog:
existingClaim: ""
storageClass: "course-nfs-storage"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
annotations: {}
scanDataExports:
existingClaim: ""
storageClass: "course-nfs-storage"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
annotations: {}
database:
existingClaim: ""
storageClass: "course-nfs-storage"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
annotations: {}
redis:
existingClaim: ""
storageClass: "course-nfs-storage"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
annotations: {}
trivy:
existingClaim: ""
storageClass: "course-nfs-storage"
subPath: ""
accessMode: ReadWriteOnce
size: 5Gi
annotations: {}
imageChartStorage:
disableredirect: false
type: filesystem
filesystem:
rootdirectory: /storage
azure:
accountname: accountname
accountkey: base64encodedaccountkey
container: containername
existingSecret: ""
gcs:
bucket: bucketname
encodedkey: base64-encoded-json-key-file
existingSecret: ""
useWorkloadIdentity: false
s3:
region: us-west-1
bucket: bucketname
swift:
authurl: https://storage.myprovider.com/v3/auth
username: username
password: password
container: containername
oss:
accesskeyid: accesskeyid
accesskeysecret: accesskeysecret
region: regionname
bucket: bucketname
imagePullPolicy: IfNotPresent
imagePullSecrets:
updateStrategy:
type: RollingUpdate
logLevel: info
harborAdminPassword: "Harbor12345"
caSecretName: ""
secretKey: "not-a-secure-key"
existingSecretSecretKey: ""
proxy:
httpProxy:
httpsProxy:
noProxy: 127.0.0.1,localhost,.local,.internal
components:
- core
- jobservice
- trivy
enableMigrateHelmHook: false
nginx:
image:
repository: goharbor/nginx-photon
tag: v2.6.2
serviceAccountName: ""
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
priorityClassName:
portal:
image:
repository: goharbor/harbor-portal
tag: v2.6.2
serviceAccountName: ""
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
priorityClassName:
core:
image:
repository: goharbor/harbor-core
tag: v2.6.2
serviceAccountName: ""
automountServiceAccountToken: false
replicas: 1
revisionHistoryLimit: 10
startupProbe:
enabled: true
initialDelaySeconds: 10
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
secret: ""
secretName: ""
xsrfKey: ""
priorityClassName:
artifactPullAsyncFlushDuration:
gdpr:
deleteUser: false
jobservice:
image:
repository: goharbor/harbor-jobservice
tag: v2.6.2
replicas: 1
revisionHistoryLimit: 10
serviceAccountName: ""
automountServiceAccountToken: false
maxJobWorkers: 10
jobLoggers:
- file
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
secret: ""
priorityClassName:
registry:
serviceAccountName: ""
automountServiceAccountToken: false
registry:
image:
repository: goharbor/registry-photon
tag: v2.6.2
controller:
image:
repository: goharbor/harbor-registryctl
tag: v2.6.2
replicas: 1
revisionHistoryLimit: 10
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
priorityClassName:
secret: ""
relativeurls: false
credentials:
username: "harbor_registry_user"
password: "harbor_registry_password"
existingSecret: ""
middleware:
enabled: false
type: cloudFront
cloudFront:
baseurl: example.cloudfront.net
keypairid: KEYPAIRID
duration: 3000s
ipfilteredby: none
privateKeySecret: "my-secret"
upload_purging:
enabled: true
age: 168h
interval: 24h
dryrun: false
chartmuseum:
enabled: true
serviceAccountName: ""
automountServiceAccountToken: false
absoluteUrl: false
image:
repository: goharbor/chartmuseum-photon
tag: v2.6.2
replicas: 1
revisionHistoryLimit: 10
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
priorityClassName:
indexLimit: 0
trivy:
enabled: true
image:
repository: goharbor/trivy-adapter-photon
tag: v2.6.2
serviceAccountName: ""
automountServiceAccountToken: false
replicas: 1
debugMode: false
vulnType: "os,library"
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
ignoreUnfixed: false
insecure: false
gitHubToken: ""
skipUpdate: false
offlineScan: false
securityCheck: "vuln"
timeout: 5m0s
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
priorityClassName:
notary:
enabled: true
server:
serviceAccountName: ""
automountServiceAccountToken: false
image:
repository: goharbor/notary-server-photon
tag: v2.6.2
replicas: 1
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
priorityClassName:
signer:
serviceAccountName: ""
automountServiceAccountToken: false
image:
repository: goharbor/notary-signer-photon
tag: v2.6.2
replicas: 1
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
priorityClassName:
secretName: ""
database:
type: internal
internal:
serviceAccountName: ""
automountServiceAccountToken: false
image:
repository: goharbor/harbor-db
tag: v2.6.2
password: "changeit"
shmSizeLimit: 512Mi
nodeSelector: {}
tolerations: []
affinity: {}
priorityClassName:
initContainer:
migrator: {}
permissions: {}
external:
host: "192.168.0.1"
port: "5432"
username: "user"
password: "password"
coreDatabase: "registry"
notaryServerDatabase: "notary_server"
notarySignerDatabase: "notary_signer"
existingSecret: ""
sslmode: "disable"
maxIdleConns: 100
maxOpenConns: 900
podAnnotations: {}
redis:
type: internal
internal:
serviceAccountName: ""
automountServiceAccountToken: false
image:
repository: goharbor/redis-photon
tag: v2.6.2
nodeSelector: {}
tolerations: []
affinity: {}
priorityClassName:
external:
addr: "192.168.0.2:6379"
sentinelMasterSet: ""
coreDatabaseIndex: "0"
jobserviceDatabaseIndex: "1"
registryDatabaseIndex: "2"
chartmuseumDatabaseIndex: "3"
trivyAdapterIndex: "5"
password: ""
existingSecret: ""
podAnnotations: {}
exporter:
replicas: 1
revisionHistoryLimit: 10
podAnnotations: {}
serviceAccountName: ""
automountServiceAccountToken: false
image:
repository: goharbor/harbor-exporter
tag: v2.6.2
nodeSelector: {}
tolerations: []
affinity: {}
cacheDuration: 23
cacheCleanInterval: 14400
priorityClassName:
metrics:
enabled: false
core:
path: /metrics
port: 8001
registry:
path: /metrics
port: 8001
jobservice:
path: /metrics
port: 8001
exporter:
path: /metrics
port: 8001
serviceMonitor:
enabled: false
additionalLabels: {}
interval: ""
metricRelabelings:
[]
relabelings:
[]
trace:
enabled: false
provider: jaeger
sample_rate: 1
jaeger:
endpoint: http://hostname:14268/api/traces
otel:
endpoint: hostname:4318
url_path: /v1/traces
compression: false
insecure: true
timeout: 10s
cache:
enabled: false
expireHours: 24
- 部署
helm install harbor /root/k8s/harbor/ -n harbor
默认账号密码为:admin/Harbor12345,我这里已经修改过了。
- 修改docker 配置,解决https 报错问题
[root@localhost harbor]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
"insecure-registries": ["https://harbor.lingxd.com:30409"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
systemctl daemon-reload
systemctl restart docker
