Deploying Harbor with cloud-native YAML
1. Create a custom certificate
Harbor uses the HTTPS protocol by default, so it needs a TLS certificate. If we do not supply our own certificate files, Harbor creates them automatically, but those are only valid for one year. To avoid having to replace the certificate frequently, we generate a self-signed certificate here with a validity of 100 years.
1.1 Install cfssl
cfssl is an open-source PKI/TLS toolkit from CloudFlare, written in Go. It consists of a command-line tool and an HTTP API service for signing, verifying and bundling TLS certificates.
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*

mkdir /root/harbor-ca
cd /root/harbor-ca
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
vim ca-config.json
----------------------------------------------------
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "harbor": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      }
    }
  }
}
------------------------------------------------------
vim ca-csr.json
-----------------------------------------------------
{
  "CN": "CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "hangzhou",
      "L": "hangzhou",
      "O": "harbor",
      "OU": "System"
    }
  ]
}
------------------------------------------------------
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
tree
.
├── ca-config.json   # the signing config written above
├── ca.csr
├── ca-csr.json      # the CA CSR config written above
├── ca-key.pem
└── ca.pem
vim harbor-csr.json
-----------------------------------------------------
{
  "CN": "harbor",
  "hosts": [
    "example.net",
    "*.example.net"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "ST": "CA",
      "L": "San Francisco",
      "O": "harbor",
      "OU": "System"
    }
  ]
}
---------------------------------------------------
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=harbor harbor-csr.json | cfssljson -bare harbor
tree
.
├── ca-config.json
├── ca.csr
├── ca-csr.json
├── ca-key.pem
├── ca.pem
├── harbor.csr
├── harbor-csr.json
├── harbor-key.pem
└── harbor.pem
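Before the certificate goes into a Secret it is worth confirming that it chains to the CA, covers the hostname clients will use, and has the intended lifetime and server-auth usage. The check below is added here and is not from the original post; it assumes openssl is in PATH and, so that it runs on its own, builds a constructed CA and leaf with openssl instead of cfssl, using the same SANs and 100-year lifetime as above.

```shell
#!/bin/sh
# Added check (not from the original post): validate a Harbor server certificate before it
# is put into the harbor-tls Secret. Requires openssl in PATH. The CA and leaf built below
# are constructed with openssl rather than cfssl so the script runs on its own.
check_harbor_cert() {
    ca="$1"; cert="$2"; host="$3"; min_days="${4:-365}"
    # 1. The leaf must chain to the CA that goes into the Secret as ca.crt
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    # 2. The name clients dial must be covered by a SAN (*.example.net covers harbor.example.net)
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q " does match " \
        || { echo "FAIL: $host is not covered by the certificate SANs" >&2; return 1; }
    # 3. -checkend fails if the cert expires within N seconds; demand at least min_days
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: certificate expires within $min_days days" >&2; return 1; }
    # 4. The cfssl profile asked for "server auth"; confirm the EKU really is present
    openssl x509 -in "$cert" -noout -text | grep -q "TLS Web Server Authentication" \
        || { echo "FAIL: extendedKeyUsage lacks serverAuth" >&2; return 1; }
    echo "OK: $cert is valid for $host"
}

# Constructed sample PKI mirroring the post: a 100-year CA and a leaf for example.net / *.example.net
WORK=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=CA/O=harbor" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca-ext.cnf"
openssl x509 -req -days 36500 -in "$WORK/ca.csr" -signkey "$WORK/ca-key.pem" \
    -extfile "$WORK/ca-ext.cnf" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=harbor/O=harbor" \
    -keyout "$WORK/harbor-key.pem" -out "$WORK/harbor.csr" 2>/dev/null
printf 'subjectAltName=DNS:example.net,DNS:*.example.net\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/harbor-ext.cnf"
openssl x509 -req -days 36500 -in "$WORK/harbor.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -extfile "$WORK/harbor-ext.cnf" -out "$WORK/harbor.pem" 2>/dev/null

check_harbor_cert "$WORK/ca.pem" "$WORK/harbor.pem" harbor.example.net 3650
```

Run it against the real files as `check_harbor_cert ca.pem harbor.pem harbor.example.net 3650` from /root/harbor-ca; a non-zero exit means the Secret should not be created yet.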
2. Generate the Secret resource
kubectl -n harbor create secret generic harbor-tls --from-file=tls.crt=harbor.pem --from-file=tls.key=harbor-key.pem --from-file=ca.crt=ca.pem
kubectl get secret -n harbor
NAME                  TYPE                                  DATA   AGE
default-token-wm5gq   kubernetes.io/service-account-token   3      101m
harbor-tls            Opaque                                3      101m
3. Storage
3.1 Using NFS storage
Note: CCE was used for this test. CCE ships an NFS add-on, so it is enough to install that add-on.
kubectl get sc
NAME                 PROVISIONER               RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
copaddon-nfs         copaddon-nfs              Delete          Immediate              false                  5h10m
csi-local            everest-csi-provisioner   Delete          Immediate              false                  28d
csi-local-topology   everest-csi-provisioner   Delete          WaitForFirstConsumer   false                  28d
3.2 Using Ceph storage
https://cloud.tencent.com/developer/article/1771617
3.3 Using local storage
If local storage is used, the PVs have to be created in advance so that the PVCs can bind to them; this was not tested here.
4. Install Helm
https://www.cnblogs.com/bigberg/p/13925981.html
wget https://get.helm.sh/helm-v3.3.4-linux-amd64.tar.gz
tar -zxvf helm-v3.3.4-linux-amd64.tar.gz
mv linux-amd64/helm /usr/local/bin/helm
helm version

vim ~/.bashrc   # add the following line to enable bash completion
source <(helm completion bash)
source ~/.bashrc

# add commonly used Helm repositories
helm repo add stable https://kubernetes-charts.storage.googleapis.com/
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add incubator https://kubernetes-charts-incubator.storage.googleapis.com/
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update # Make sure we get the latest list of charts
helm repo add ali-stable https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts
helm repo add harbor https://helm.goharbor.io
5. Harbor configuration (values.yaml)
values.yaml
---------------------------------------------------
expose:
  type: clusterIP
  tls:
    ### whether to enable HTTPS
    enabled: true
    certSource: secret
    auto:
      commonName: "harbor.example.net"
    secret:
      secretName: "harbor-tls"
      notarySecretName: ""
## If Harbor is deployed behind a proxy, set this to the proxy's URL
externalURL: https://harbor.example.net
### Persistence settings for each Harbor component; set storageClass to the cluster's default storageClass
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      storageClass: "copaddon-nfs" # replace with your own storageClass
      subPath: ""
      accessMode: ReadWriteOnce
      size: 100Gi
    chartmuseum:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    database:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    redis:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    trivy:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
  # object storage for image layers and charts; the Harbor chart reads this block under persistence
  imageChartStorage:
    disableredirect: false
    type: s3
    s3:
      region: cn-hangzhou-1
      bucket: harbor
      accesskey: VGZQY32LMFQOQPVNTDSJ
      secretkey: YZMMYqoy1ypHaqGOUfwLvdAj9A731iDYDjYqwkU5
      regionendpoint: http://172.16.7.1
      secure: false
### Password for the default admin user. Note: it must contain upper- and lower-case letters and digits
harborAdminPassword: "Harbor12345"
### log level
logLevel: info
# CPU & memory resource settings for each component
nginx:
  resources:
    requests:
      memory: 256Mi
      cpu: 500m
portal:
  resources:
    requests:
      memory: 256Mi
      cpu: 500m
core:
  resources:
    requests:
      memory: 256Mi
      cpu: 1000m
jobservice:
  resources:
    requests:
      memory: 256Mi
      cpu: 500m
registry:
  registry:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
  controller:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
clair:
  clair:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
  adapter:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
notary:
  server:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
  signer:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
database:
  internal:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
redis:
  internal:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
trivy:
  enabled: true
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1024Mi
# enable chartmuseum so that Harbor can store Helm charts
chartmuseum:
  enabled: true
  resources:
    requests:
      memory: 256Mi
      cpu: 500m
---------------------------------------------------
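The values file above carries three settings a reviewer should catch before `helm install`: Harbor's default admin password, object-storage credentials in clear text, and an S3 endpoint reached over plain HTTP. The lint below is an added example, not part of the original post or the Harbor chart; it assumes a flat grep over the file is sufficient (the chart's key names are unique) and the two sample files are constructed here with placeholder keys.

```shell
#!/bin/sh
# Added example (not from the original post): pre-install lint for weak settings in a Harbor
# values.yaml. Warnings go to stderr; the number of findings is printed to stdout.
lint_values() {
    file="$1"
    findings=0
    # Harbor's documented default admin password left in place
    if grep -Eq '^[[:space:]]*harborAdminPassword:[[:space:]]*"?Harbor12345"?[[:space:]]*$' "$file"; then
        echo "WARN: harborAdminPassword is Harbor's default; set a unique one before install" >&2
        findings=$((findings + 1))
    fi
    # Static object-storage credentials committed in clear text
    if grep -Eq '^[[:space:]]*(accesskey|secretkey):[[:space:]]*"?[A-Za-z0-9/+]{8,}' "$file"; then
        echo "WARN: S3 accesskey/secretkey are in clear text in values.yaml; keep them in a Secret" >&2
        findings=$((findings + 1))
    fi
    # Registry pushes image layers to object storage over plain HTTP
    if grep -Eq '^[[:space:]]*regionendpoint:[[:space:]]*http://' "$file" \
       && grep -Eq '^[[:space:]]*secure:[[:space:]]*false' "$file"; then
        echo "WARN: S3 endpoint is http:// with secure: false; layers cross the network unencrypted" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed samples mirroring the listing above (placeholder keys, not real credentials)
WEAK=$(mktemp); CLEAN=$(mktemp)
cat > "$WEAK" <<'EOF'
harborAdminPassword: "Harbor12345"
persistence:
  imageChartStorage:
    type: s3
    s3:
      accesskey: PLACEHOLDERACCESSKEY
      secretkey: PLACEHOLDERSECRETKEY0000
      regionendpoint: http://172.16.7.1
      secure: false
EOF
cat > "$CLEAN" <<'EOF'
harborAdminPassword: "Long-Unique-Passw0rd"
persistence:
  imageChartStorage:
    type: s3
    s3:
      regionendpoint: https://s3.storage.internal
      secure: true
EOF
lint_values "$WEAK"    # three warnings on stderr, then prints 3
```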
6. Install Harbor
# add the Helm repository
helm repo add harbor https://helm.goharbor.io
# deploy Harbor
helm install harbor harbor/harbor -f values.yaml -n harbor
[root@cce-master1 harbor]# kubectl get pod -n harbor
NAME READY STATUS RESTARTS AGE
harbor-chartmuseum-7cd988b687-4wtgq 1/1 Running 0 95m
harbor-core-c98769b5f-dvfd2 1/1 Running 7 95m
harbor-database-0 1/1 Running 0 95m
harbor-jobservice-64b4c7f78d-nq62c 1/1 Running 7 95m
harbor-nginx-68cc879c9-z4vbt 1/1 Running 0 95m
harbor-notary-server-755bcf666c-7mnsv 1/1 Running 7 95m
harbor-notary-signer-7fd848d99d-hkq4v 1/1 Running 7 95m
harbor-portal-c4fd99765-j2gz5 1/1 Running 0 95m
harbor-redis-0 1/1 Running 0 95m
harbor-registry-5cddfdb544-2gxwb 2/2 Running 0 95m
harbor-trivy-0 1/1 Running 0 95m
7. hosts: configure the domain name
vim harbor-ingress.yaml
-----------------------------------------------------------
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    meta.helm.sh/release-name: harbor-ingress
    meta.helm.sh/release-namespace: harbor
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 4096m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: harbor-ingress
  namespace: harbor
spec:
  rules:
  - host: harbor.example.net
    http:
      paths:
      - backend:
          serviceName: harbor
          servicePort: 443
        path: /
        pathType: ImplementationSpecific
  tls:
  - secretName: harbor-tls
-----------------------------------------------------------
kubectl apply -f harbor-ingress.yaml
[root@cce-master1 harbor]# kubectl get ing -n harbor
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME             CLASS    HOSTS                ADDRESS                                  PORTS     AGE
harbor-ingress   <none>   harbor.example.net   10.11.95.235,10.11.95.236,10.11.95.237   80, 443   60m
Note: if a DNS service is available, resolve the name through it; otherwise add an entry to the hosts file:
10.11.95.10 harbor.example.net
(VIP          domain name)
8. Access Harbor
9. Push an image to Harbor
[root@cce-master1 harbor]# docker login harbor.example.net
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@cce-master1 harbor]# docker push harbor.example.net/zhanghsn/nginx:1.0.0
The push refers to repository [harbor.example.net/zhanghsn/nginx]
72baebde5d18: Layer already exists
7cc1656e082b: Layer already exists
9603c7cd65a5: Layer already exists
1b1488e87f04: Layer already exists
ce340e24e009: Layer already exists
b68cf29a812f: Layer already exists
2d6e6cb0ca0f: Layer already exists
2cdad21de743: Pushed
d98115be1360: Layer already exists
9181274ddb85: Layer already exists
8a9c8d550d42: Layer already exists
b5108119e7b9: Pushed
ccf55224b076: Layer already exists
7ada66628583: Pushed
1.0.0: digest: sha256:7c847c07c1829b11d166a9fc78eef0649a81f134c5e12106066e814c4f9d393f size: 3250
Finally, check in the Harbor UI whether the image has been uploaded.