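Table of contents

  • 1. Configuring HTTPS for Harbor with a self-signed certificate
  • 2. Connecting containerd to Harbor (run on all nodes)
  • 3. Configuring k8s to pull images automatically when applying YAML
  • 4. Testing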

1. Configuring HTTPS for Harbor with a self-signed certificate

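It is best to configure HTTPS for Harbor; without HTTPS I tried many approaches and none of them ever worked 0.0
(The configuration here follows this expert's article.)

Certificate generation starts here; if my steps look messy, you can go straight to the original article.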
root@compute02_16:39:13_/data/server/harbor/certs $openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................................................................++
.......................................................................................++
e is 65537 (0x10001)
root@compute02_16:39:46_/data/server/harbor/certs $openssl req -x509 -new -nodes -sha512 -days 3650  -subj "/CN=harbor.yh.com" \
> -key ca.key  -out ca.crt
root@compute02_16:40:05_/data/server/harbor/certs $ll
总用量 8
-rw-r--r-- 1 root root 1797 8月  25 16:40 ca.crt
-rw-r--r-- 1 root root 3247 8月  25 16:39 ca.key
root@compute02_16:40:07_/data/server/harbor/certs $openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................++
...................................................................................++
e is 65537 (0x10001)
root@compute02_16:40:14_/data/server/harbor/certs $openssl req  -new -sha512  -subj "/CN=harbor.yh.com"  -key server.key  -out \
> server.csr
root@compute02_16:40:43_/data/server/harbor/certs $ll
总用量 16
-rw-r--r-- 1 root root 1797 8月  25 16:40 ca.crt
-rw-r--r-- 1 root root 3247 8月  25 16:39 ca.key
-rw-r--r-- 1 root root 1590 8月  25 16:40 server.csr
-rw-r--r-- 1 root root 3243 8月  25 16:40 server.key
root@compute02_17:25:33_/data/server/harbor $cat certs/v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.yh.com
root@compute02_16:41:33_/data/server/harbor/certs $openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/CN=harbor.yh.com
Getting CA Private Key
root@compute02_16:44:31_/data/server/harbor $vim harbor.yml
hostname: harbor.yh.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8080

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/server/harbor/certs/server.crt
  private_key: /data/server/harbor/certs/server.key
root@compute02_16:43:04_/data/server/harbor $./prepare
prepare base dir is set to /data/server/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
root@compute02_16:45:45_/data/server/harbor $docker-compose down
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping redis             ... done
Stopping registry          ... done
Stopping harbor-db         ... done
Stopping registryctl       ... done
Stopping harbor-portal     ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-core       ... done
Removing redis             ... done
Removing registry          ... done
Removing harbor-db         ... done
Removing registryctl       ... done
Removing harbor-portal     ... done
Removing harbor-log        ... done
Removing network harbor_harbor
root@compute02_16:45:45_/data/server/harbor $docker-compose up -d
root@compute02_17:21:13_/data/server/harbor $netstat -lntup|egrep '8080|443'
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      32071/docker-proxy
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      32057/docker-proxy
[root@k8s-node04 ~]# ctr -n k8s.io image pull harbor.yh.com:8080/test/nginx:v1
INFO[0000] trying next host                              error="failed to do request: Head \"https://harbor.yh.com:8080/v2/test/nginx/manifests/v1\": http: server gave HTTP response to HTTPS client" host="harbor.yh.com:8080"
ctr: failed to resolve reference "harbor.yh.com:8080/test/nginx:v1": failed to do request: Head "https://harbor.yh.com:8080/v2/test/nginx/manifests/v1": http: server gave HTTP response to HTTPS client
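
A check for the certificate produced by the steps in this section, as an added example that is not part of the original post. The function name check_registry_cert is hypothetical; it uses only openssl and ls, and takes the CA certificate, server certificate, server key and host name as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. check_registry_cert is a
# hypothetical helper name. Usage:
#   check_registry_cert ca.crt server.crt server.key harbor.yh.com
# Prints one line per failed check and returns non-zero if any check fails.
check_registry_cert() {
    ca=$1; crt=$2; key=$3; host=$4; rc=0

    # 1. The server certificate must chain to the CA created in the first step.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL chain: $crt is not signed by $ca"; rc=1
    fi

    # 2. Current Go-based clients (ctr, crictl, containerd) match the host name
    #    against subjectAltName only and ignore CN, so the DNS entry from
    #    v3.ext has to be in the issued certificate.
    if ! openssl x509 -in "$crt" -noout -text | tr ',' '\n' |
            sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$host"; then
        echo "FAIL san: $crt has no subjectAltName DNS:$host"; rc=1
    fi

    # 3. The private key must be the one the certificate was issued for.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL key: $key does not match $crt"; rc=1
    fi

    # 4. The key must not be readable by group or others; the listing above
    #    shows the keys as -rw-r--r--.
    perms=$(ls -lL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL perms: $key is accessible to group/others"; rc=1
    fi
    return $rc
}
```

With the files from this section, the permissions check is the one that reports a failure until the keys are restricted with chmod 600.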

2. Connecting containerd to Harbor (run on all nodes)

 [root@k8s-master ~]#  ctr -n k8s.io image pull harbor.yh.com/test/nginx:v1
INFO[0000] trying next host                              error="failed to do request: Head \"https://harbor.yh.com/v2/test/nginx/manifests/v1\": x509: certificate signed by unknown authority" host=harbor.yh.com
ctr: failed to resolve reference "harbor.yh.com/test/nginx:v1": failed to do request: Head "https://harbor.yh.com/v2/test/nginx/manifests/v1": x509: certificate signed by unknown authority
[root@k8s-master ~]# yum install -y ca-certificates
[root@k8s-master ~]# cp -a server.crt /etc/pki/ca-trust/source/anchors/
[root@k8s-master ~]# ln -s /etc/pki/ca-trust/source/anchors/server.crt /etc/ssl/certs/
[root@k8s-master ~]# update-ca-trust
[root@k8s-master ~]# nerdctl login -u admin harbor.yh.com
Enter Password: Login Succeeded
[root@k8s-master ~]#  ctr -n k8s.io image pull harbor.yh.com/test/nginx:v1
harbor.yh.com/test/nginx:v1:                                                      resolved       |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:48d56bae87c65ca642b0a1d13c3dc97c4430994991e5531ff123f77cdf975fae: done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:6f28985ad1843afd6fd4fe0b42a30bfab63c27d302362e7341e3316e8ba25ced:    done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:6084105296a952523c36eea261af38885f41e9d1d0001b4916fa426e45377ffe:   exists         |++++++++++++++++++++++++++++++++++++++|
layer-sha256:29f7ebf60efda2064ed8f3ca5f748b757c9eb4194e8db766ee370067d2c72210:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:158aac73782cb5bf2f03cc3b3f9afa49ce582c26a546f6dba65994d1c7ddd43d:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:879a7c160ac652fea0b56d0d28a9fe5a4dfb9716fe0147c5d163a841c8d83fae:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:de58cd48a671f1121ff5cc9f04cb93916d1a71f25c378f3048975421d87f5a05:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:be704f37b5f442aeb0ee33e0a86d08263d23e7343321b4fc96b68d71e869e3b4:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.7 s                                                                    total:  51.2 M (30.1 MiB/s)
unpacking linux/amd64 sha256:48d56bae87c65ca642b0a1d13c3dc97c4430994991e5531ff123f77cdf975fae...
done: 11.646226ms

3. Configuring k8s to pull images automatically when applying YAML

This is the command k8s uses when applying YAML; at this point the pull still fails
[root@k8s-node02 ~]# crictl pull harbor.yh.cn/yw/centos:v7
FATA[0000] pulling image: rpc error: code = Unknown desc = failed to pull and
unpack image "harbor.yh.cn/yw/centos:v7": failed to resolve reference
"harbor.yh.cn/yw/centos:v7": failed to do request: Head
"https://harbor.yh.cn/v2/yw/centos/manifests/v7": x509: certificate signed by
unknown authority
Add (lines 150-154; lines 159-160):
cat -n /etc/containerd/config.toml
   144      [plugins."io.containerd.grpc.v1.cri".registry]
   145        config_path = ""
   146
   147        [plugins."io.containerd.grpc.v1.cri".registry.auths]
   148
   149        [plugins."io.containerd.grpc.v1.cri".registry.configs]
   150          [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".tls]
   151            ca_file = "/etc/ssl/certs/server.crt"
   152          [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".auth]
   153            username = "admin"
   154            password = "Harbor12345"
   155
   156        [plugins."io.containerd.grpc.v1.cri".registry.headers]
   157
   158        [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
   159          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.yh.cn"]
   160            endpoint = ["https://harbor.yh.cn"]
   161
   162      [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
   163        tls_cert_file = ""
   164        tls_key_file = ""
Restart and test
[root@k8s-node02 ~]# systemctl restart containerd
[root@k8s-node02 ~]# crictl pull harbor.yh.cn/yw/centos:v7
Image is up to date for
sha256:eeb6ee3f44bd0b5103bb561b4c16bcb82328cfe5809ab675bb17ab3a16c517c9
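
A check for the registry stanza added to /etc/containerd/config.toml above, as an added example that is not part of the original post. The function name audit_registry_config is hypothetical; insecure_skip_verify does not appear on the page and is containerd's option for turning off TLS verification for a registry.

```shell
#!/bin/sh
# Added example, not from the original post. audit_registry_config is a
# hypothetical helper name. Usage: audit_registry_config /etc/containerd/config.toml
# Prints one WARN line per finding and returns non-zero if there is any.
audit_registry_config() {
    cfg=$1; rc=0

    # The file carries a registry password, so only its owner should read it.
    perms=$(ls -lL "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "WARN $cfg: readable by group/others"; rc=1
    fi

    findings=$(awk '
        # Table header: remember host and subsection of registry.configs."HOST".tls/.auth
        /^[ \t]*\[/ {
            host = ""; sect = ""
            if (match($0, /registry\.configs\."[^"]+"\.(tls|auth)\]/)) {
                s = substr($0, RSTART, RLENGTH)
                split(s, p, "\"")                 # p[2] is the registry host
                host = p[2]
                sect = (s ~ /tls\]$/) ? "tls" : "auth"
            }
            next
        }
        host == "" { next }                       # key outside a registry table
        {   # Normalise key = "value" to key and value without quotes or spaces.
            line = $0; sub(/[ \t]#.*/, "", line); gsub(/[ \t"]/, "", line)
            split(line, kv, "=")
        }
        sect == "tls" && kv[1] == "insecure_skip_verify" && kv[2] == "true" {
            print "WARN " host ": TLS verification is disabled" }
        sect == "auth" && kv[1] == "password" && kv[2] != "" {
            print "WARN " host ": plaintext password stored in config" }
        sect == "auth" && kv[1] == "username" && kv[2] == "admin" {
            print "WARN " host ": pulls with the admin account" }
    ' "$cfg")
    if [ -n "$findings" ]; then
        echo "$findings"; rc=1
    fi
    return $rc
}
```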

4. Testing

Delete the images that were just pulled for testing on all nodes
ctr -n k8s.io image rm harbor.yh.com/test/nginx:v1
Test pulling through YAML
[root@k8s-master ~]# cat nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: sa
spec:
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      nodeSelector:
        kubernetes.io/hostname: k8s-node02
      containers:
      - image: harbor.yh.com/test/nginx:v1
        imagePullPolicy: IfNotPresent
        name: nginx
        ports:
        - containerPort: 80
          protocol: TCP
I currently have just one master and two node machines; I test each of them to check that the image is pulled successfully after applying the YAML
[root@k8s-master ~]# kubectl apply -f nginx.yaml
[root@k8s-master ~]# kubectl -n sa get pod -o wide
NAME                    READY   STATUS        RESTARTS   AGE     IP
NODE         NOMINATED NODE   READINESS GATES
demo-56768bf96f-l7fl7   1/1     Running       0          3s      10.16.0.131
k8s-node02   <none>           <none>
jenkins-0               1/1     Running       0          2d16h   10.16.0.140
k8s-master   <none>           <none>
Test node1
[root@k8s-master ~]# egrep 'nodeSelector|hostname' nginx.yaml
      nodeSelector:
        kubernetes.io/hostname: k8s-node01
[root@k8s-master ~]# kubectl apply -f nginx.yaml
deployment.apps/demo configured
[root@k8s-master ~]# kubectl -n sa get pod -o wide
NAME                    READY   STATUS        RESTARTS   AGE     IP
NODE         NOMINATED NODE   READINESS GATES
demo-56768bf96f-9ptq2   0/1     Terminating   0          7m1s    10.16.0.16
k8s-node02   <none>           <none>
demo-56768bf96f-l7fl7   1/1     Running       0          3s      10.16.0.131
k8s-node01   <none>           <none>
jenkins-0               1/1     Running       0          2d16h   10.16.0.140
k8s-master   <none>           <none>
Test master
[root@k8s-master ~]# kubectl -n sa get pod -o wide
NAME                    READY   STATUS    RESTARTS   AGE     IP
NODE         NOMINATED NODE   READINESS GATES
demo-5dfdfc7bbc-dnr2c   1/1     Running   0          3s      10.16.0.150
k8s-master   <none>           <none>
jenkins-0               1/1     Running   0          2d16h   10.16.0.140
k8s-master   <none>           <none>
