Deploying Harbor on Kubernetes with cloud-native YAML

1. Create a custom certificate

Harbor is installed with HTTPS by default, which requires a TLS certificate. If we do not supply our own certificate files, Harbor generates them automatically, but those certificates are only valid for one year. So here we generate a self-signed certificate and, to avoid replacing it frequently, give it a validity of 100 years.

1.1 Install cfssl

cfssl is an open-source PKI/TLS toolkit from CloudFlare, written in Go. It consists of a command-line tool and an HTTP API service for signing, verifying and bundling TLS certificates.

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*

mkdir /root/harbor-ca
cd /root/harbor-ca
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

vim ca-config.json
----------------------------------------------------
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "harbor": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      }
    }
  }
}
------------------------------------------------------
vim ca-csr.json
-----------------------------------------------------
{
  "CN": "CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "hangzhou",
      "L": "hangzhou",
      "O": "harbor",
      "OU": "System"
    }
  ]
}
------------------------------------------------------

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

tree
├── ca-config.json  # the signing config json written above
├── ca.csr
├── ca-csr.json     # the CA request json written above
├── ca-key.pem
└── ca.pem

vim harbor-csr.json
-----------------------------------------------------
{
  "CN": "harbor",
  "hosts": [
    "example.net",
    "*.example.net"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "ST": "CA",
      "L": "San Francisco",
      "O": "harbor",
      "OU": "System"
    }
  ]
}
---------------------------------------------------
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=harbor harbor-csr.json | cfssljson -bare harbor

tree
.
├── ca-config.json
├── ca.csr
├── ca-csr.json
├── ca-key.pem
├── ca.pem
├── harbor.csr
├── harbor-csr.json
├── harbor-key.pem
└── harbor.pem

2. Create the Secret resource

kubectl -n harbor create secret generic harbor-tls --from-file=tls.crt=harbor.pem --from-file=tls.key=harbor-key.pem --from-file=ca.crt=ca.pem

kubectl get secret -n harbor
NAME                           TYPE                                  DATA   AGE
default-token-wm5gq            kubernetes.io/service-account-token   3      101m
harbor-tls                     Opaque                                3      101m

3. Storage

3.1 Using NFS storage

Note: CCE is used for testing here. CCE ships an NFS add-on, so installing that add-on is all that is needed.

kubectl get sc
NAME                 PROVISIONER               RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
copaddon-nfs         copaddon-nfs              Delete          Immediate              false                  5h10m
csi-local            everest-csi-provisioner   Delete          Immediate              false                  28d
csi-local-topology   everest-csi-provisioner   Delete          WaitForFirstConsumer   false                  28d

3.2 Using Ceph storage

https://cloud.tencent.com/developer/article/1771617

3.3 Using local storage

If you use local storage, the PV must be created in advance so that the PVC and PV can be bound. This was not tested here.

4. Install Helm

https://www.cnblogs.com/bigberg/p/13925981.html

wget https://get.helm.sh/helm-v3.3.4-linux-amd64.tar.gz
tar -zxvf helm-v3.3.4-linux-amd64.tar.gz
mv linux-amd64/helm /usr/local/bin/helm
helm version

vim ~/.bashrc
source <(helm completion bash)
source ~/.bashrc

# add commonly used helm repos
helm repo add stable https://kubernetes-charts.storage.googleapis.com/
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add incubator https://kubernetes-charts-incubator.storage.googleapis.com/
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update # Make sure we get the latest list of charts
helm repo add ali-stable    https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts
helm repo add harbor https://helm.goharbor.io

5. Harbor configuration manifest

values.yaml
---------------------------------------------------
expose:
  type: clusterIP
  tls:
    ### whether to enable HTTPS
    enabled: true
    certSource: secret
    auto:
      commonName: "harbor.example.net"
    secret:
      secretName: "harbor-tls"
      notarySecretName: ""
## If Harbor is deployed behind a proxy, set this to the proxy's URL
externalURL: https://harbor.example.net
### Persistence configuration for each Harbor component; set storageClass to the cluster's default storageClass
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      storageClass: "copaddon-nfs" # replace with your own storageClass
      subPath: ""
      accessMode: ReadWriteOnce
      size: 100Gi
    chartmuseum:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    database:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    redis:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    trivy:
      existingClaim: ""
      storageClass: "copaddon-nfs"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
### Password of the default admin user. Note: the password must contain upper- and lower-case letters and digits
### (this value is the chart default; change it before the registry is reachable by others)
harborAdminPassword: "Harbor12345"
### log level
logLevel: info
# CPU & memory resource settings for each component
nginx:
  resources:
    requests:
      memory: 256Mi
      cpu: 500m
portal:
  resources:
    requests:
      memory: 256Mi
      cpu: 500m
core:
  resources:
    requests:
      memory: 256Mi
      cpu: 1000m
jobservice:
  resources:
    requests:
      memory: 256Mi
      cpu: 500m
registry:
  registry:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
  controller:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
clair:
  clair:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
  adapter:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
notary:
  server:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
  signer:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
database:
  internal:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
redis:
  internal:
    resources:
      requests:
        memory: 256Mi
        cpu: 500m
trivy:
  enabled: true
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1024Mi
# enable chartmuseum so that Harbor can store Helm charts
chartmuseum:
  enabled: true
  resources:
    requests:
      memory: 256Mi
      cpu: 500m
# S3 backend for image and chart storage. In the goharbor chart this block is read from
# persistence.imageChartStorage, so place it under persistence for it to take effect.
imageChartStorage:
  disableredirect: false
  type: s3
  s3:
    region: cn-hangzhou-1
    bucket: harbor
    accesskey: VGZQY32LMFQOQPVNTDSJ
    secretkey: YZMMYqoy1ypHaqGOUfwLvdAj9A731iDYDjYqwkU5
    # an http endpoint with secure: false sends these credentials in clear text; use https where the endpoint supports it
    regionendpoint: http://172.16.7.1
    secure: false
---------------------------------------------------

6. Install Harbor

# add the helm repo
helm repo add harbor https://helm.goharbor.io

# deploy harbor
helm install harbor harbor/harbor -f values.yaml -n harbor

[root@cce-master1 harbor]# kubectl get pod -n harbor
NAME                                    READY   STATUS    RESTARTS   AGE
harbor-chartmuseum-7cd988b687-4wtgq     1/1     Running   0          95m
harbor-core-c98769b5f-dvfd2             1/1     Running   7          95m
harbor-database-0                       1/1     Running   0          95m
harbor-jobservice-64b4c7f78d-nq62c      1/1     Running   7          95m
harbor-nginx-68cc879c9-z4vbt            1/1     Running   0          95m
harbor-notary-server-755bcf666c-7mnsv   1/1     Running   7          95m
harbor-notary-signer-7fd848d99d-hkq4v   1/1     Running   7          95m
harbor-portal-c4fd99765-j2gz5           1/1     Running   0          95m
harbor-redis-0                          1/1     Running   0          95m
harbor-registry-5cddfdb544-2gxwb        2/2     Running   0          95m
harbor-trivy-0                          1/1     Running   0          95m

7. Configure the domain name in hosts

vim harbor-ingress.yaml
-----------------------------------------------------------
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    meta.helm.sh/release-name: harbor-ingress
    meta.helm.sh/release-namespace: harbor
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 4096m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: harbor-ingress
  namespace: harbor
spec:
  rules:
  - host: harbor.example.net
    http:
      paths:
      - backend:
          serviceName: harbor
          servicePort: 443
        path: /
        pathType: ImplementationSpecific
  tls:
  - secretName: harbor-tls
----------------------------------------------
kubectl apply -f harbor-ingress.yaml
[root@cce-master1 harbor]# kubectl get ing -n harbor
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME             CLASS    HOSTS                ADDRESS                                  PORTS     AGE
harbor-ingress   <none>   harbor.example.net   10.11.95.235,10.11.95.236,10.11.95.237   80, 443   60m

Note: if a DNS service is available, resolve the name there; otherwise add it to the hosts file:
10.11.95.10 harbor.example.net
VIP         domain name
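The hostname, the SANs of the cfssl request (section 1), the TLS secret named in values.yaml (section 5) and the host and secret in the Ingress (section 7) all have to agree, otherwise clients are handed a certificate they cannot validate. The script below is an added example, not part of the original guide: it checks that agreement before the secret is created. The dicts are constructed copies of the guide's cfssl JSON and of the relevant keys of values.yaml and harbor-ingress.yaml; the function names are mine.

```python
from urllib.parse import urlparse

# constructed copies of the guide's ca-config.json and harbor-csr.json
CA_CONFIG = {"signing": {"default": {"expiry": "876000h"},
                         "profiles": {"harbor": {"expiry": "876000h",
                                                 "usages": ["signing", "key encipherment", "server auth"]}}}}
HARBOR_CSR = {"CN": "harbor", "hosts": ["example.net", "*.example.net"],
              "key": {"algo": "rsa", "size": 2048}}
# relevant keys of values.yaml and harbor-ingress.yaml (constructed subset)
VALUES = {"externalURL": "https://harbor.example.net",
          "expose": {"tls": {"enabled": True, "certSource": "secret",
                             "secret": {"secretName": "harbor-tls"}}}}
INGRESS = {"host": "harbor.example.net", "tls_secret": "harbor-tls"}


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # "*.example.net" -> ".example.net"
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False                          # bare "example.net" is not covered
    return "." not in host[: -len(suffix)]    # "a.b.example.net" is not covered


def check(ca_config, csr, values, ingress, profile="harbor"):
    """Return the list of mismatches found; an empty list means the artifacts agree."""
    problems = []
    host = urlparse(values["externalURL"]).hostname
    if not any(san_matches(p, host) for p in csr.get("hosts", [])):
        problems.append(f"no SAN in CSR covers {host}")
    usages = ca_config["signing"]["profiles"][profile]["usages"]
    if "server auth" not in usages:
        problems.append(f"profile {profile} lacks 'server auth' usage")
    if csr["key"]["algo"] == "rsa" and csr["key"]["size"] < 2048:
        problems.append("RSA key shorter than 2048 bits")
    tls = values["expose"]["tls"]
    if tls["enabled"] and tls["certSource"] == "secret" \
            and tls["secret"]["secretName"] != ingress["tls_secret"]:
        problems.append("Ingress tls secret differs from expose.tls.secret.secretName")
    if ingress["host"] != host:
        problems.append("Ingress host differs from externalURL host")
    return problems


if __name__ == "__main__":
    print(check(CA_CONFIG, HARBOR_CSR, VALUES, INGRESS) or "artifacts are consistent")
```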

8. Access Harbor

9. Push an image to Harbor

[root@cce-master1 harbor]# docker login  harbor.example.net
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@cce-master1 harbor]# docker push harbor.example.net/zhanghsn/nginx:1.0.0
The push refers to repository [harbor.example.net/zhanghsn/nginx]
72baebde5d18: Layer already exists
7cc1656e082b: Layer already exists
9603c7cd65a5: Layer already exists
1b1488e87f04: Layer already exists
ce340e24e009: Layer already exists
b68cf29a812f: Layer already exists
2d6e6cb0ca0f: Layer already exists
2cdad21de743: Pushed
d98115be1360: Layer already exists
9181274ddb85: Layer already exists
8a9c8d550d42: Layer already exists
b5108119e7b9: Pushed
ccf55224b076: Layer already exists
7ada66628583: Pushed
1.0.0: digest: sha256:7c847c07c1829b11d166a9fc78eef0649a81f134c5e12106066e814c4f9d393f size: 3250

Finally, check in the Harbor UI that the image has been uploaded.
