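Connecting k8s containerd to a Harbor private registry
Table of contents
- 1. Configuring HTTPS for Harbor with a self-signed certificate
- 2. Connecting containerd to Harbor (run on all nodes)
- 3. Configuring k8s to pull images automatically when applying YAML
- 4. Testing
1. Configuring HTTPS for Harbor with a self-signed certificate
It is recommended to configure HTTPS for Harbor. Without HTTPS I tested many approaches and none of them ever worked.
(The configuration here follows this expert's article.)
Certificate generation starts here. If my steps seem disorganized, you can go straight to the expert's original article.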
root@compute02_16:39:13_/data/server/harbor/certs $openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................................................................++
.......................................................................................++
e is 65537 (0x10001)
root@compute02_16:39:46_/data/server/harbor/certs $openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=harbor.yh.com" \
> -key ca.key -out ca.crt
root@compute02_16:40:05_/data/server/harbor/certs $ll
总用量 8
-rw-r--r-- 1 root root 1797 8月 25 16:40 ca.crt
-rw-r--r-- 1 root root 3247 8月 25 16:39 ca.key
root@compute02_16:40:07_/data/server/harbor/certs $openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................++
...................................................................................++
e is 65537 (0x10001)
root@compute02_16:40:14_/data/server/harbor/certs $openssl req -new -sha512 -subj "/CN=harbor.yh.com" -key server.key -out \
> server.csr
root@compute02_16:40:43_/data/server/harbor/certs $ll
总用量 16
-rw-r--r-- 1 root root 1797 8月 25 16:40 ca.crt
-rw-r--r-- 1 root root 3247 8月 25 16:39 ca.key
-rw-r--r-- 1 root root 1590 8月 25 16:40 server.csr
-rw-r--r-- 1 root root 3243 8月 25 16:40 server.key
root@compute02_17:25:33_/data/server/harbor $cat certs/v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.yh.com
root@compute02_16:41:33_/data/server/harbor/certs $openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/CN=harbor.yh.com
Getting CA Private Key
root@compute02_16:44:31_/data/server/harbor $vim harbor.yml
hostname: harbor.yh.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8080

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/server/harbor/certs/server.crt
  private_key: /data/server/harbor/certs/server.key
root@compute02_16:43:04_/data/server/harbor $./prepare
prepare base dir is set to /data/server/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
root@compute02_16:45:45_/data/server/harbor $docker-compose down
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping registryctl ... done
Stopping harbor-portal ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-core ... done
Removing redis ... done
Removing registry ... done
Removing harbor-db ... done
Removing registryctl ... done
Removing harbor-portal ... done
Removing harbor-log ... done
Removing network harbor_harbor
root@compute02_16:45:45_/data/server/harbor $docker-compose up -d
root@compute02_17:21:13_/data/server/harbor $netstat -lntup|egrep '8080|443'
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 32071/docker-proxy
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 32057/docker-proxy
[root@k8s-node04 ~]# ctr -n k8s.io image pull harbor.yh.com:8080/test/nginx:v1
INFO[0000] trying next host error="failed to do request: Head \"https://harbor.yh.com:8080/v2/test/nginx/manifests/v1\": http: server gave HTTP response to HTTPS client" host="harbor.yh.com:8080"
ctr: failed to resolve reference "harbor.yh.com:8080/test/nginx:v1": failed to do request: Head "https://harbor.yh.com:8080/v2/test/nginx/manifests/v1": http: server gave HTTP response to HTTPS client
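The certificate steps from this section collected into one script, followed by a chain and host-name check. This is an added example, not the original author's commands. The CA subject `Example Harbor Root CA` is a constructed name, and the keys are created under `umask 077` because the listing above shows `ca.key` and `server.key` readable by every local user.

```shell
#!/bin/sh
# Added example: CA + server certificate for a registry host, plus the checks
# a TLS client effectively performs. CA subject name and paths are constructed.

# make_certs DIR HOST [BITS]: create ca.key/ca.crt and server.key/server.crt in DIR.
make_certs() {
    dir=$1 host=$2 bits=${3:-4096}
    (
        set -e
        umask 077                     # private keys are created owner-only (0600)
        cd "$dir"
        openssl genrsa -out ca.key "$bits" 2>/dev/null
        openssl req -x509 -new -nodes -sha512 -days 3650 \
            -subj "/CN=Example Harbor Root CA" -key ca.key -out ca.crt
        openssl genrsa -out server.key "$bits" 2>/dev/null
        openssl req -new -sha512 -subj "/CN=$host" -key server.key -out server.csr
        cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$host
EOF
        openssl x509 -req -sha512 -days 3650 -extfile v3.ext \
            -CA ca.crt -CAkey ca.key -CAcreateserial \
            -in server.csr -out server.crt 2>/dev/null
        chmod 644 ca.crt server.crt   # certificates are public; keys stay 0600
    )
}

# check_cert DIR HOST: succeed only if server.crt chains to ca.crt AND names HOST.
check_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server.crt" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# key_mode FILE: print the octal permission bits of FILE (GNU stat).
key_mode() { stat -c '%a' "$1"; }
```

Call `check_cert` with the exact host name used in image references: a certificate whose subjectAltName is `harbor.yh.com` does not validate for any other name.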
2. Connecting containerd to Harbor (run on all nodes)
[root@k8s-master ~]# ctr -n k8s.io image pull harbor.yh.com/test/nginx:v1
INFO[0000] trying next host error="failed to do request: Head \"https://harbor.yh.com/v2/test/nginx/manifests/v1\": x509: certificate signed by unknown authority" host=harbor.yh.com
ctr: failed to resolve reference "harbor.yh.com/test/nginx:v1": failed to do request: Head "https://harbor.yh.com/v2/test/nginx/manifests/v1": x509: certificate signed by unknown authority
[root@k8s-master ~]# yum install -y ca-certificates
[root@k8s-master ~]# cp -a server.crt /etc/pki/ca-trust/source/anchors/
[root@k8s-master ~]# ln -s /etc/pki/ca-trust/source/anchors/server.crt /etc/ssl/certs/
[root@k8s-master ~]# update-ca-trust
[root@k8s-master ~]# nerdctl login -u admin harbor.yh.com
Enter Password: Login Succeeded
[root@k8s-master ~]# ctr -n k8s.io image pull harbor.yh.com/test/nginx:v1
harbor.yh.com/test/nginx:v1: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:48d56bae87c65ca642b0a1d13c3dc97c4430994991e5531ff123f77cdf975fae: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:6f28985ad1843afd6fd4fe0b42a30bfab63c27d302362e7341e3316e8ba25ced: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:6084105296a952523c36eea261af38885f41e9d1d0001b4916fa426e45377ffe: exists |++++++++++++++++++++++++++++++++++++++|
layer-sha256:29f7ebf60efda2064ed8f3ca5f748b757c9eb4194e8db766ee370067d2c72210: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:158aac73782cb5bf2f03cc3b3f9afa49ce582c26a546f6dba65994d1c7ddd43d: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:879a7c160ac652fea0b56d0d28a9fe5a4dfb9716fe0147c5d163a841c8d83fae: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:de58cd48a671f1121ff5cc9f04cb93916d1a71f25c378f3048975421d87f5a05: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:be704f37b5f442aeb0ee33e0a86d08263d23e7343321b4fc96b68d71e869e3b4: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.7 s total: 51.2 M (30.1 MiB/s)
unpacking linux/amd64 sha256:48d56bae87c65ca642b0a1d13c3dc97c4430994991e5531ff123f77cdf975fae...
done: 11.646226ms
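3. Configuring k8s to pull images automatically when applying YAML
This is the command k8s uses when it applies a YAML manifest; at this point the pull still fails.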
[root@k8s-node02 ~]# crictl pull harbor.yh.cn/yw/centos:v7
FATA[0000] pulling image: rpc error: code = Unknown desc = failed to pull and
unpack image "harbor.yh.cn/yw/centos:v7": failed to resolve reference
"harbor.yh.cn/yw/centos:v7": failed to do request: Head
"https://harbor.yh.cn/v2/yw/centos/manifests/v7": x509: certificate signed by
unknown authority
Add lines 150-154 and 159-160:
cat -n /etc/containerd/config.toml
   144      [plugins."io.containerd.grpc.v1.cri".registry]
   145        config_path = ""
   146
   147        [plugins."io.containerd.grpc.v1.cri".registry.auths]
   148
   149        [plugins."io.containerd.grpc.v1.cri".registry.configs]
   150          [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".tls]
   151            ca_file = "/etc/ssl/certs/server.crt"
   152          [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".auth]
   153            username = "admin"
   154            password = "Harbor12345"
   155
   156        [plugins."io.containerd.grpc.v1.cri".registry.headers]
   157
   158        [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
   159          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.yh.cn"]
   160            endpoint = ["https://harbor.yh.cn"]
   161
   162      [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
   163        tls_cert_file = ""
   164        tls_key_file = ""
Restart and test:
[root@k8s-node02 ~]# systemctl restart containerd
[root@k8s-node02 ~]# crictl pull harbor.yh.cn/yw/centos:v7
Image is up to date for
sha256:eeb6ee3f44bd0b5103bb561b4c16bcb82328cfe5809ab675bb17ab3a16c517c9
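The configuration above stores the registry password in `/etc/containerd/config.toml` in plain text, so the file's permissions and TLS settings are worth checking on every node. The following audit is an added example, not part of the original article; the function names, finding labels and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky registry settings in a containerd CRI config.

# audit_registry_cfg FILE: print one finding per line; prints nothing if clean.
audit_registry_cfg() {
    mode=$(stat -c '%a' "$1")          # octal permission bits, e.g. 644 (GNU stat)
    awk -v mode="$mode" '
        /^[[:space:]]*\[/ {            # a TOML table header: remember it
            section = $0
            sub(/^[[:space:]]+/, "", section)
            next
        }
        section ~ /registry\.configs\..*\.auth\][[:space:]]*$/ &&
        /^[[:space:]]*(password|auth|identitytoken)[[:space:]]*=/ {
            secret = 1
            print "plaintext-credential " section
        }
        section ~ /registry\.configs\..*\.tls\][[:space:]]*$/ &&
        /^[[:space:]]*insecure_skip_verify[[:space:]]*=[[:space:]]*true/ {
            print "tls-verification-disabled " section
        }
        END {
            # group/other bits set on a file that stores a registry secret
            if (secret && mode % 100 != 0)
                print "readable-beyond-owner mode=" mode
        }
    ' "$1"
}

# write_sample_cfg FILE: constructed sample shaped like the config above.
write_sample_cfg() {
    cat > "$1" <<'EOF'
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".tls]
    ca_file = "/etc/ssl/certs/server.crt"
  [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".auth]
    username = "admin"
    password = "CONSTRUCTED-PLACEHOLDER"
EOF
    chmod 644 "$1"
}
```

On a node, run `audit_registry_cfg /etc/containerd/config.toml`; after `chmod 600` on the file only the plaintext-credential finding remains.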
4. Testing
Delete the image that was just pulled for testing on all nodes:
ctr -n k8s.io image rm harbor.yh.com/test/nginx:v1
Test the pull through a YAML manifest:
[root@k8s-master ~]# cat nginx.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: sa
spec:
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      nodeSelector:
        kubernetes.io/hostname: k8s-node02
      containers:
      - image: harbor.yh.com/test/nginx:v1
        imagePullPolicy: IfNotPresent
        name: nginx
        ports:
        - containerPort: 80
          protocol: TCP
I currently have just one master and two worker nodes; test each of them in turn to confirm that the image is pulled successfully after applying the YAML.
[root@k8s-master ~]# kubectl apply -f nginx.yaml
[root@k8s-master ~]# kubectl -n sa get pod -o wide
NAME                    READY   STATUS    RESTARTS   AGE     IP            NODE         NOMINATED NODE   READINESS GATES
demo-56768bf96f-l7fl7   1/1     Running   0          3s      10.16.0.131   k8s-node02   <none>           <none>
jenkins-0               1/1     Running   0          2d16h   10.16.0.140   k8s-master   <none>           <none>
Test node1
[root@k8s-master ~]# egrep 'nodeSelector|hostname' nginx.yaml
      nodeSelector:
        kubernetes.io/hostname: k8s-node01
[root@k8s-master ~]# kubectl apply -f nginx.yaml
deployment.apps/demo configured
[root@k8s-master ~]# kubectl -n sa get pod -o wide
NAME                    READY   STATUS        RESTARTS   AGE     IP            NODE         NOMINATED NODE   READINESS GATES
demo-56768bf96f-9ptq2   0/1     Terminating   0          7m1s    10.16.0.16    k8s-node02   <none>           <none>
demo-56768bf96f-l7fl7   1/1     Running       0          3s      10.16.0.131   k8s-node01   <none>           <none>
jenkins-0               1/1     Running       0          2d16h   10.16.0.140   k8s-master   <none>           <none>
Test master
[root@k8s-master ~]# kubectl -n sa get pod -o wide
NAME                    READY   STATUS    RESTARTS   AGE     IP            NODE         NOMINATED NODE   READINESS GATES
demo-5dfdfc7bbc-dnr2c   1/1     Running   0          3s      10.16.0.150   k8s-master   <none>           <none>
jenkins-0               1/1     Running   0          2d16h   10.16.0.140   k8s-master   <none>           <none>