Harbor image registry: certificate configuration for HTTPS access (configuring Harbor HTTPS certificates for Docker)
Generate the CA certificate
Pick any directory to hold the generated certificates.
Create the key file:
root@eb7023:/data/certs>openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
............++
.........................++
e is 65537 (0x10001)
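Generate the certificate
**http://harbor23.com** here is the domain name of my Harbor registry, i.e. the value of hostname in the Harbor configuration file; an IP address can be used instead.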
root@eb7023:/data/certs>openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=harbor23.com" -key ca.key -out ca.crt
root@eb7023:/data/certs>ll
total 8
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
Generate the server certificate
Create the private key
root@eb7023:/data/certs>openssl genrsa -out server.key 4096Generating RSA private key, 4096 bit long modulus........................................................................................................................................................++.............................................................................++e is 65537 (0x10001)
Generate the certificate signing request
root@eb7023:/data/certs>openssl req -new -sha512 -subj "/CN=harbor23.com" -key server.key -out server.csr
root@eb7023:/data/certs>ll
total 16
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
Generate the certificate for the Harbor registry host
First create a v3.ext file
root@eb7023:/data/certs>cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor23.com
EOF
root@eb7023:/data/certs>
root@eb7023:/data/certs>ll
total 20
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
-rw-r--r-- 1 root root 231 Sep 11 14:48 v3.ext
Generate the certificate for the Harbor registry host
root@eb7023:/data/certs>openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/CN=harbor23.com
Getting CA Private Key
root@eb7023:/data/certs>ll
total 28
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 17 Sep 11 14:48 ca.srl
-rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
-rw-r--r-- 1 root root 231 Sep 11 14:48 v3.ext
At this point all the required certificate files have been generated; next comes some configuration.
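The files produced by the steps above can be checked before they are wired into harbor.yml. The script below is an added example, not part of the original post: `check_harbor_certs` and `make_demo_certs` are hypothetical helper names, and the demo certificates are constructed sample input (2048-bit keys, CA subject `Demo Harbor CA`).

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Helper names are hypothetical.

# check_harbor_certs DIR HOST: returns 0 only if every check passes.
check_harbor_certs() {
  local dir="$1" host="$2" rc=0 f pub
  # 1. server.crt must chain to ca.crt.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 ||
    { echo "FAIL: server.crt does not verify against ca.crt"; rc=1; }
  # 2. The registry hostname must be a DNS entry in subjectAltName (v3.ext).
  openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null |
    tr ',' '\n' | tr -d ' \t' | grep -Fxq "DNS:$host" ||
    { echo "FAIL: $host is not in subjectAltName"; rc=1; }
  # 3. server.key must be the private key belonging to server.crt.
  pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null) || true
  { [ -n "$pub" ] &&
    [ "$pub" = "$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)" ]; } ||
    { echo "FAIL: server.key does not match server.crt"; rc=1; }
  # 4. Private keys must not be readable by group or other.
  for f in ca.key server.key; do
    [ "$(ls -l "$dir/$f" 2>/dev/null | cut -c5-10)" = "------" ] ||
      { echo "FAIL: $f is missing or readable by group/other"; rc=1; }
  done
  return "$rc"
}

# make_demo_certs DIR HOST: constructed sample input mirroring the page's
# openssl steps (2048-bit keys for speed, CA subject "Demo Harbor CA").
make_demo_certs() {
  ( cd "$1" && umask 077 &&
    openssl genrsa -out ca.key 2048 &&
    openssl req -x509 -new -nodes -sha512 -days 3650 \
      -subj "/CN=Demo Harbor CA" -key ca.key -out ca.crt &&
    openssl genrsa -out server.key 2048 &&
    openssl req -new -sha512 -subj "/CN=$2" -key server.key -out server.csr &&
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > v3.ext &&
    openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt \
      -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
  ) >/dev/null 2>&1
}
# Usage on the page's files: check_harbor_certs /data/certs harbor23.com
```

The `ll` listings above show `ca.key` and `server.key` as `-rw-r--r--`, which check 4 reports. Some OpenSSL versions make `openssl verify` treat a certificate whose subject equals its issuer name as self-signed, which applies here because the CA and the server certificate both use `/CN=harbor23.com`.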
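Configure and install the certificate
Copy the server.crt and server.key files into the directory /data/cert.
Since I have been working in this path all along, I skipped this step.
Next, edit the Harbor configuration file and change the following settings: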
root@eb7023:/data/certs>vim ~/harbor/harbor.yml
hostname: harbor23.com
https:
  port: 443
  certificate: /data/certs/server.crt
  private_key: /data/certs/server.key
Now Harbor can be restarted. Note that you need to cd into the directory where Harbor was extracted.
# Import the configuration
root@eb7023:/root/harbor>./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
## Stop the currently running harbor
root@eb7023:/root/harbor>docker-compose down -v
/usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  from cryptography.hazmat.backends import default_backend
Stopping harbor-jobservice ... done
Stopping harbor-portal ... done
Stopping registry ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-core ... done
Removing harbor-portal ... done
Removing registry ... done
Removing registryctl ... done
Removing redis ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
## Run harbor in the background
root@eb7023:/root/harbor>docker-compose up -d
/usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  from cryptography.hazmat.backends import default_backend
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
Configure Harbor authentication for Docker
Copy the server certificate into the fixed directory on the machine where Docker runs.
# In my case certs.d already exists; if it does not, create it with mkdir
root@eb7023:/root/harbor>cd /etc/docker/certs.d/
root@eb7023:/etc/docker/certs.d>ll
total 0
root@eb7023:/etc/docker/certs.d>mkdir -p /etc/docker/certs.d/harbor23.com
root@eb7023:/etc/docker/certs.d>cd /data/certs/
root@eb7023:/data/certs>ll
total 28
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 17 Sep 11 14:48 ca.srl
-rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
-rw-r--r-- 1 root root 231 Sep 11 14:48 v3.ext
root@eb7023:/data/certs>cp server.crt /etc/docker/certs.d/harbor23.com/server.crt
Then simply run docker login.
root@eb7023:/data/certs>docker login harbor23.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Here my Docker and Harbor are on the same machine; for any other machine, just copy the crt file over as well.
root@eb7023:/data/certs>scp server.crt root@eb7045:/etc/docker/certs.d/harbor23.com/server.crt
root@eb7045's password:
server.crt 100% 1830 2.1MB/s 00:00
You can log in on eb7045 to verify:
root@eb7045:/etc/docker/certs.d/harbor23.com>docker login harbor23.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
The configuration is complete at this point.
Reference: https://zhuanlan.zhihu.com/p/234918875