
helm 部署harbor v2.6.0

Aliven888 2022-12-27 阅读 154

官网部署地址:https://goharbor.io/docs/2.6.0/install-config/harbor-ha-helm/

  • 下载Download Harbor helm chart:
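# Add the upstream chart repo and pull the chart. `helm pull` is the Helm 3
# command (`helm fetch` is its deprecated alias). Pin the chart version so a
# later "latest" chart is not fetched silently: the 1.10.x chart line ships
# Harbor 2.6.x (the image tags in the values.yaml below are v2.6.2); confirm
# the exact mapping with:  helm search repo harbor/harbor --versions
helm repo add harbor https://helm.goharbor.io
helm repo update
helm pull harbor/harbor --version 1.10.2 --untar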
  • 手动生成 HTTPS 证书:用 chart 自动生成(certSource: auto)的自签证书时,浏览器和 docker 客户端都不会信任它,也没有可分发给客户端的 CA,因此这里手动生成证书,并在后面把 ca.crt 分发给客户端。
Linux系统下生成证书

生成秘钥key,运行:

$ openssl genrsa -des3 -out server.key 2048
会有两次要求输入密码,输入同一个即可

输入密码

然后你就获得了一个server.key文件. 
以后使用此文件(通过 openssl 提供的命令或 API)可能经常会要求输入密码,如果想去除输入密码的步骤可以使用以下命令。注意去掉密码后私钥以明文存放,保护完全依赖文件权限(建议 chmod 600),且不要把它提交到代码仓库:

$ openssl rsa -in server.key -out server.key

创建服务器证书的申请文件server.csr,运行:

openssl req -new -key server.key -out server.csr

其中 Country Name 填 CN,Common Name 填 Harbor 的访问主机名(例如以后的 URL 为 https://abcd/xxxx… 这里就填 abcd),其他的都可以不填。注意:现代浏览器和 docker 这类 Go 客户端校验主机名时只看 subjectAltName(SAN)而不看 Common Name,只填 CN 的证书会被当作不安全甚至直接拒绝,因此签发证书时必须加上 SAN(见下面的签发步骤)。
创建CA证书:

openssl req -new -x509 -key server.key -out ca.crt -days 3650

此时,你可以得到一个 ca.crt 的证书,这个证书用来给自己的服务端证书签名。注意上面的 CA 直接用了 server.key,也就是 CA 和服务端共用一把私钥:谁拿到服务端私钥,就能签发所有信任了 ca.crt 的客户端都会接受的任意域名证书。更安全的做法是单独生成 CA 私钥(openssl genrsa -out ca.key 4096),用 ca.key 创建 ca.crt,并在下一步用 -CAkey ca.key 签发 server.csr。
创建自当前日期起有效期为期十年的服务器证书 server.crt(内部自签环境可以接受;生产环境建议更短的有效期并记录到期时间,同时通过 -extfile 加上 SAN):

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt

ls你的文件夹,可以看到一共生成了5个文件:

ca.crt   ca.srl    server.crt   server.csr   server.key
其中,server.crt 和 server.key 就是下一步创建 Kubernetes TLS Secret 时要引用的证书文件(注意下面命令里的文件名必须与这里生成的一致);ca.crt 则需要分发到 docker 客户端(放到 /etc/docker/certs.d/<域名:端口>/ca.crt),客户端才能校验这个自签证书。

kubectl create secret tls harbor.lingxd.com --key harbor.lingxd.com.key --cert harbor.lingxd.com.crt -n harbor
  • 修改values.yaml
# How Harbor is reached from outside the cluster: an nginx Ingress that
# terminates TLS with the certificate from the Secret created above.
expose:
  type: ingress  
  tls:
    enabled: true
    certSource: secret
    auto:
      commonName: ""
    secret:
      # Name of the TLS Secret created in the previous step.
      secretName: "harbor.lingxd.com"
      # The same Secret is reused for notary, so its certificate must also
      # carry a SAN for the notary hostname below or clients will fail
      # hostname verification against notary.
      notarySecretName: "harbor.lingxd.com"
  ingress:
    hosts:
      # Public hostname; must match the certificate SAN and externalURL.
      core: harbor.lingxd.com
      notary: notary.lingxd.com
    controller: default
    kubeVersionOverride: ""
    className: ""
    annotations:
      ingress.kubernetes.io/ssl-redirect: "true"
      # Must be added by hand, otherwise the hostname returns 404. This is the
      # legacy way of selecting the nginx controller; on newer controllers the
      # className field above is the supported equivalent — check your version.
      kubernetes.io/ingress.class: nginx
      ingress.kubernetes.io/proxy-body-size: "0"
      # Force HTTPS so credentials are never sent over plain HTTP.
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # Unlimited request body so large image layers can be pushed.
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
    notary:
      annotations: {}
      labels: {}
    harbor:
      annotations: {}
      labels: {}
  # The clusterIP / nodePort / loadBalancer sections below are alternatives
  # selected by expose.type; with type: ingress they are presumably unused.
  clusterIP:
    name: harbor
    annotations: {}
    ports:
      httpPort: 80
      httpsPort: 443
      notaryPort: 4443
  nodePort:
    name: harbor
    ports:
      http:
        port: 80
        nodePort: 30002
      https:
        port: 443
        nodePort: 30003
      notary:
        port: 4443
        nodePort: 30004
  loadBalancer:
    name: harbor
    IP: ""
    ports:
      httpPort: 80
      httpsPort: 443
      notaryPort: 4443
    annotations: {}
    # If type is ever switched to loadBalancer, restrict client CIDRs here
    # rather than exposing the registry to the whole network.
    sourceRanges: []

externalURL: https://harbor.lingxd.com:30409   #修改这个

# TLS between Harbor's own components inside the cluster. Enabled with
# chart-generated certificates, so pod-to-pod traffic is not plaintext; no
# external CA or per-component certs are supplied here.
internalTLS:
  enabled: true
  certSource: "auto"
  trustCa: ""
  core:
    secretName: ""
    crt: ""
    key: ""
  jobservice:
    secretName: ""
    crt: ""
    key: ""
  registry:
    secretName: ""
    crt: ""
    key: ""
  portal:
    secretName: ""
    crt: ""
    key: ""
  chartmuseum:
    secretName: ""
    crt: ""
    key: ""
  trivy:
    secretName: ""
    crt: ""
    key: ""

# Both address families enabled; if the cluster has no IPv6, disabling it
# avoids listeners/DNS entries that nothing can reach.
ipFamily:
  ipv6:
    enabled: true
  ipv4:
    enabled: true

# Persistent storage. resourcePolicy "keep" retains the PVCs (and the images,
# database and scan data in them) when the release is uninstalled.
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      # Storage class used for all components below (NFS-backed in this setup).
      storageClass: "course-nfs-storage"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
      annotations: {}
    chartmuseum:
      existingClaim: ""
      storageClass: "course-nfs-storage"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
      annotations: {}
    jobservice:
      jobLog:
        existingClaim: ""
        storageClass: "course-nfs-storage"
        subPath: ""
        accessMode: ReadWriteOnce
        size: 1Gi
        annotations: {}
      scanDataExports:
        existingClaim: ""
        storageClass: "course-nfs-storage"
        subPath: ""
        accessMode: ReadWriteOnce
        size: 1Gi
        annotations: {}
    database:
      existingClaim: ""
      storageClass: "course-nfs-storage"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
      annotations: {}
    redis:
      existingClaim: ""
      storageClass: "course-nfs-storage"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
      annotations: {}
    trivy:
      existingClaim: ""
      storageClass: "course-nfs-storage"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
      annotations: {}
  # Backend for image/chart blobs. Only the section matching `type` is used;
  # the cloud sections below are chart placeholders and presumably inert while
  # type is filesystem. If one is ever enabled, supply its credentials through
  # existingSecret rather than inline in this file.
  imageChartStorage:
    disableredirect: false

    type: filesystem
    filesystem:
      rootdirectory: /storage
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
      existingSecret: ""
    gcs:
      bucket: bucketname
      encodedkey: base64-encoded-json-key-file
      existingSecret: ""
      useWorkloadIdentity: false
    s3:
      region: us-west-1
      bucket: bucketname
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname

imagePullPolicy: IfNotPresent

# No pull secrets: the goharbor images are public. Left as a bare (null) value
# as on the page.
imagePullSecrets:

updateStrategy:
  type: RollingUpdate

logLevel: info

# SECURITY: this is the well-known chart default. Harbor applies it only at
# first start, so change it here before `helm install` (the author notes they
# did) or change it in the UI immediately after the first login.
harborAdminPassword: "Harbor12345"

# Optional Secret name holding a CA for Harbor components; unused here.
caSecretName: ""

# SECURITY: chart default left in place. Harbor uses this key to encrypt data
# it stores (e.g. remote registry credentials), and the chart requires exactly
# 16 characters. Anyone who knows the default can decrypt that data — replace
# it with a random 16-character string before install, or store it in a Secret
# and reference it via existingSecretSecretKey.
secretKey: "not-a-secure-key"
existingSecretSecretKey: ""

# Outbound proxy settings for the listed components; none configured, and the
# noProxy list keeps cluster-local traffic direct.
proxy:
  httpProxy:
  httpsProxy:
  noProxy: 127.0.0.1,localhost,.local,.internal
  components:
    - core
    - jobservice
    - trivy

enableMigrateHelmHook: false



# Per-component settings. All components keep automountServiceAccountToken
# false, so pods get no Kubernetes API credentials they do not need.
nginx:
  image:
    repository: goharbor/nginx-photon
    tag: v2.6.2
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  revisionHistoryLimit: 10
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName:

portal:
  image:
    repository: goharbor/harbor-portal
    tag: v2.6.2
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  revisionHistoryLimit: 10
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName:

core:
  image:
    repository: goharbor/harbor-core
    tag: v2.6.2
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  revisionHistoryLimit: 10
  startupProbe:
    enabled: true
    initialDelaySeconds: 10
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  # Internal core secret and XSRF key left empty — presumably generated by the
  # chart at install time; confirm before relying on it.
  secret: ""
  secretName: ""
  xsrfKey: ""
  priorityClassName:
  artifactPullAsyncFlushDuration:
  gdpr:
    deleteUser: false

jobservice:
  image:
    repository: goharbor/harbor-jobservice
    tag: v2.6.2
  replicas: 1
  revisionHistoryLimit: 10
  serviceAccountName: ""
  automountServiceAccountToken: false
  maxJobWorkers: 10
  jobLoggers:
    - file

  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  secret: ""
  priorityClassName:

registry:
  serviceAccountName: ""
  automountServiceAccountToken: false
  registry:
    image:
      repository: goharbor/registry-photon
      tag: v2.6.2
  controller:
    image:
      repository: goharbor/harbor-registryctl
      tag: v2.6.2

  replicas: 1
  revisionHistoryLimit: 10
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName:
  secret: ""
  relativeurls: false
  # SECURITY: chart-default basic-auth credentials used between core and the
  # registry. Internal-only, but still a well-known default: change them or
  # supply them via existingSecret.
  credentials:
    username: "harbor_registry_user"
    password: "harbor_registry_password"
    existingSecret: ""
  middleware:
    enabled: false
    type: cloudFront
    cloudFront:
      baseurl: example.cloudfront.net
      keypairid: KEYPAIRID
      duration: 3000s
      ipfilteredby: none
      privateKeySecret: "my-secret"
  # Garbage-collect abandoned uploads older than 7 days, daily.
  upload_purging:
    enabled: true
    age: 168h
    interval: 24h
    dryrun: false

# ChartMuseum is deprecated in later upstream releases; if Helm charts are not
# stored in Harbor, disable it to reduce exposed surface (check the release
# notes for this version).
chartmuseum:
  enabled: true
  serviceAccountName: ""
  automountServiceAccountToken: false
  absoluteUrl: false
  image:
    repository: goharbor/chartmuseum-photon
    tag: v2.6.2
  replicas: 1
  revisionHistoryLimit: 10
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName:
  indexLimit: 0
# Vulnerability scanner. insecure: false keeps TLS verification on for the
# registry it scans; skipUpdate/offlineScan false means it fetches its
# vulnerability database from the internet (needs egress). If a gitHubToken
# is ever set, keep it out of this file and use a Secret.
trivy:
  enabled: true
  image:
    repository: goharbor/trivy-adapter-photon
    tag: v2.6.2
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  debugMode: false
  vulnType: "os,library"
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  ignoreUnfixed: false
  insecure: false
  gitHubToken: ""
  skipUpdate: false
  offlineScan: false
  securityCheck: "vuln"
  timeout: 5m0s
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1
      memory: 1Gi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName:

# Notary (content trust). Deprecated in later upstream releases; disable if
# image signing is not used (check the release notes for this version). It is
# served on the notary hostname with the shared TLS Secret above.
notary:
  enabled: true
  server:
    serviceAccountName: ""
    automountServiceAccountToken: false
    image:
      repository: goharbor/notary-server-photon
      tag: v2.6.2
    replicas: 1
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}
    priorityClassName:
  signer:
    serviceAccountName: ""
    automountServiceAccountToken: false
    image:
      repository: goharbor/notary-signer-photon
      tag: v2.6.2
    replicas: 1
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}
    priorityClassName:
  secretName: ""

database:
  type: internal
  internal:
    serviceAccountName: ""
    automountServiceAccountToken: false
    image:
      repository: goharbor/harbor-db
      tag: v2.6.2
    # SECURITY: chart-default PostgreSQL password. Replace it before install;
    # the database is only reachable in-cluster, but a known default is still
    # a free credential for anything that gets a foothold there.
    password: "changeit"
    shmSizeLimit: 512Mi
    nodeSelector: {}
    tolerations: []
    affinity: {}
    priorityClassName:
    initContainer:
      migrator: {}
      permissions: {}
  # Placeholders, presumably inert while type is internal. If an external
  # database is ever used: put the password in existingSecret and do not keep
  # sslmode "disable" — credentials would cross the network in plaintext.
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"
    existingSecret: ""
    sslmode: "disable"
  maxIdleConns: 100
  maxOpenConns: 900
  podAnnotations: {}

redis:
  type: internal
  internal:
    serviceAccountName: ""
    automountServiceAccountToken: false
    image:
      repository: goharbor/redis-photon
      tag: v2.6.2
    nodeSelector: {}
    tolerations: []
    affinity: {}
    priorityClassName:
  # Placeholders, presumably inert while type is internal. An external Redis
  # should not be left with an empty password; use existingSecret.
  external:
    addr: "192.168.0.2:6379"
    sentinelMasterSet: ""
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    trivyAdapterIndex: "5"
    password: ""
    existingSecret: ""
  podAnnotations: {}

exporter:
  replicas: 1
  revisionHistoryLimit: 10
  podAnnotations: {}
  serviceAccountName: ""
  automountServiceAccountToken: false
  image:
    repository: goharbor/harbor-exporter
    tag: v2.6.2
  nodeSelector: {}
  tolerations: []
  affinity: {}
  cacheDuration: 23
  cacheCleanInterval: 14400
  priorityClassName:

# Prometheus metrics are off; if enabled, the /metrics endpoints should not be
# reachable from outside the cluster.
metrics:
  enabled: false
  core:
    path: /metrics
    port: 8001
  registry:
    path: /metrics
    port: 8001
  jobservice:
    path: /metrics
    port: 8001
  exporter:
    path: /metrics
    port: 8001
  serviceMonitor:
    enabled: false
    additionalLabels: {}
    interval: ""
    metricRelabelings:
      []
    relabelings:
      []

# Tracing is off. Note the otel placeholder has insecure: true (plaintext to
# the collector); revisit before enabling.
trace:
  enabled: false
  provider: jaeger
  sample_rate: 1
  jaeger:
    endpoint: http://hostname:14268/api/traces
  otel:
    endpoint: hostname:4318
    url_path: /v1/traces
    compression: false
    insecure: true
    timeout: 10s

cache:
  enabled: false
  expireHours: 24

  • 部署
helm install harbor /root/k8s/harbor/ -n harbor

默认账号密码为 admin/Harbor12345,这是上面 values.yaml 里 harborAdminPassword 的 chart 默认值,只在首次启动时生效;我这里在安装前已经修改过了。如果没有改,请在首次登录后立即在界面里修改,同时不要忘记 secretKey 和数据库密码也是默认值。

  • 修改 docker 配置,解决 HTTPS 报错问题。注意:insecure-registries 会让 docker 跳过对该仓库的证书校验(并允许回退到 HTTP),等于放弃了上面配置 TLS 的意义,只适合测试环境。更好的做法是把前面生成的 ca.crt 放到 /etc/docker/certs.d/harbor.lingxd.com:30409/ca.crt,让客户端信任这个自签 CA;目录名要与 externalURL 的 host:port 一致。
[root@localhost harbor]# cat /etc/docker/daemon.json 
{
  "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
  "insecure-registries": ["https://harbor.lingxd.com:30409"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
}

 # daemon-reload only re-reads systemd unit files; the daemon.json change takes
 # effect on the docker restart below. If only registry-related keys changed,
 # `systemctl reload docker` (SIGHUP) picks them up without restarting running
 # containers.
 systemctl daemon-reload 
 systemctl restart docker
