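Harbor image registry: certificate configuration for HTTPS access

Generate the CA certificate

Pick any directory to hold the generated certificates.

Create the key file: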

    root@eb7023:/data/certs>openssl genrsa -out ca.key 4096
    Generating RSA private key, 4096 bit long modulus
    ............++
    .........................++
    e is 65537 (0x10001)

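Generate the certificate

**harbor23.com** here is the domain name of my Harbor registry, that is, the value of hostname in the Harbor configuration file; an IP address can be used instead.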

    root@eb7023:/data/certs>openssl req -x509 -new -nodes -sha512 -days 3650  -subj "/CN=harbor23.com"  -key ca.key  -out ca.crt
    root@eb7023:/data/certs>ll
    total 8
    -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
    -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key

Generate the server certificate

Create the private key

    root@eb7023:/data/certs>openssl genrsa -out server.key 4096
    Generating RSA private key, 4096 bit long modulus
    ........................................................................................................................................................++
    .............................................................................++
    e is 65537 (0x10001)

Generate the certificate signing request

    root@eb7023:/data/certs>openssl req  -new -sha512  -subj "/CN=harbor23.com"  -key server.key  -out server.csr
    root@eb7023:/data/certs>ll
    total 16
    -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
    -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
    -rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
    -rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key

Generate the certificate for the Harbor registry host

First create a v3.ext file

    root@eb7023:/data/certs>cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1=harbor23.com
    EOF
    root@eb7023:/data/certs>
    root@eb7023:/data/certs>ll
    total 20
    -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
    -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
    -rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
    -rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
    -rw-r--r-- 1 root root  231 Sep 11 14:48 v3.ext

Generate the certificate for the Harbor registry host

    root@eb7023:/data/certs>openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
    Signature ok
    subject=/CN=harbor23.com
    Getting CA Private Key
    root@eb7023:/data/certs>ll
    total 28
    -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
    -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
    -rw-r--r-- 1 root root   17 Sep 11 14:48 ca.srl
    -rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
    -rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
    -rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
    -rw-r--r-- 1 root root  231 Sep 11 14:48 v3.ext

At this point all the required certificate files have been generated; next comes some configuration.
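A verification pass over the files generated above, as an added example that is not part of the original post: it checks that server.crt chains to ca.crt, that the hostname is present as a DNS subjectAltName (which current Docker clients match instead of the CN), that server.key belongs to server.crt, and that the private keys are not readable by group or others (the listings above show them as -rw-r--r--). The function names, the throwaway 2048-bit keys and the demo CA's own CN are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-generation checks for the files produced above.
# check_harbor_certs DIR HOST returns 0 only if every check passes.
check_harbor_certs() {
    dir=$1; host=$2; rc=0
    # 1. server.crt must chain to ca.crt.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "FAIL: server.crt is not signed by ca.crt"; rc=1; }
    # 2. HOST must appear as a DNS subjectAltName (CN alone is not enough).
    openssl x509 -in "$dir/server.crt" -noout -text | tr ',' '\n' \
        | sed 's/^ *//' | grep -Fxq "DNS:$host" \
        || { echo "FAIL: no subjectAltName DNS:$host"; rc=1; }
    # 3. server.key must be the private key for server.crt.
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "FAIL: server.key does not match server.crt"; rc=1; }
    # 4. Private keys must not be readable by group or others.
    for k in "$dir"/*.key; do
        [ "$(ls -l "$k" | cut -c5-10)" = "------" ] \
            || { echo "FAIL: $k is accessible to group/other"; rc=1; }
    done
    return $rc
}

# Constructed sample input: throwaway 2048-bit keys, same steps as the page,
# except that the demo CA gets its own CN (an assumption of this example).
make_demo_certs() {
    dir=$1; host=$2
    ( cd "$dir" && {
        openssl genrsa -out ca.key 2048
        openssl req -x509 -new -nodes -sha512 -days 1 \
            -subj "/CN=Demo Harbor CA" -key ca.key -out ca.crt
        openssl genrsa -out server.key 2048
        openssl req -new -sha512 -subj "/CN=$host" \
            -key server.key -out server.csr
        printf '%s\n' 'basicConstraints=CA:FALSE' \
            'extendedKeyUsage=serverAuth' 'subjectAltName=@alt_names' \
            '[alt_names]' "DNS.1=$host" > v3.ext
        openssl x509 -req -sha512 -days 1 -extfile v3.ext -CA ca.crt \
            -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
        chmod 600 ca.key server.key
    } ) >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_certs "$demo" harbor23.com
check_harbor_certs "$demo" harbor23.com && echo "all checks passed"
rm -rf "$demo"
```

Against the real files, call `check_harbor_certs /data/certs harbor23.com`; the permission check passes once the keys are set to mode 600.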

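Configure and install the certificates

Copy server.crt and server.key to the directory /data/cert

I skipped this step because I had been working in this path all along.

Next, edit the Harbor configuration file and change the following settings: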

    root@eb7023:/data/certs>vim ~/harbor/harbor.yml
    hostname: harbor23.com
    https:
      port: 443
      certificate: /data/certs/server.crt
      private_key: /data/certs/server.key

Now Harbor can be restarted; note that you need to cd into the directory where Harbor was unpacked.

    # Apply the configuration
    root@eb7023:/root/harbor>./prepare
    prepare base dir is set to /root/harbor
    Clearing the configuration file: /config/log/logrotate.conf
    Clearing the configuration file: /config/log/rsyslog_docker.conf
    Clearing the configuration file: /config/nginx/nginx.conf
    Clearing the configuration file: /config/core/env
    Clearing the configuration file: /config/core/app.conf
    Clearing the configuration file: /config/registry/config.yml
    Clearing the configuration file: /config/registry/root.crt
    Clearing the configuration file: /config/registryctl/env
    Clearing the configuration file: /config/registryctl/config.yml
    Clearing the configuration file: /config/db/env
    Clearing the configuration file: /config/jobservice/env
    Clearing the configuration file: /config/jobservice/config.yml
    Generated configuration file: /config/log/logrotate.conf
    Generated configuration file: /config/log/rsyslog_docker.conf
    Generated configuration file: /config/nginx/nginx.conf
    Generated configuration file: /config/core/env
    Generated configuration file: /config/core/app.conf
    Generated configuration file: /config/registry/config.yml
    Generated configuration file: /config/registryctl/env
    Generated configuration file: /config/db/env
    Generated configuration file: /config/jobservice/env
    Generated configuration file: /config/jobservice/config.yml
    loaded secret from file: /secret/keys/secretkey
    Generated configuration file: /compose_location/docker-compose.yml
    Clean up the input dir
    ## Stop the currently running Harbor
    root@eb7023:/root/harbor>docker-compose down -v
    /usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
      from cryptography.hazmat.backends import default_backend
    Stopping harbor-jobservice ... done
    Stopping harbor-portal     ... done
    Stopping registry          ... done
    Stopping registryctl       ... done
    Stopping redis             ... done
    Stopping harbor-db         ... done
    Stopping harbor-log        ... done
    Removing nginx             ... done
    Removing harbor-jobservice ... done
    Removing harbor-core       ... done
    Removing harbor-portal     ... done
    Removing registry          ... done
    Removing registryctl       ... done
    Removing redis             ... done
    Removing harbor-db         ... done
    Removing harbor-log        ... done
    Removing network harbor_harbor
    ## Run Harbor in the background
    root@eb7023:/root/harbor>docker-compose up -d
    /usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
      from cryptography.hazmat.backends import default_backend
    Creating network "harbor_harbor" with the default driver
    Creating harbor-log ... done
    Creating registry      ... done
    Creating harbor-db     ... done
    Creating registryctl   ... done
    Creating harbor-portal ... done
    Creating redis         ... done
    Creating harbor-core   ... done
    Creating harbor-jobservice ... done
    Creating nginx             ... done

Configure Harbor authentication for Docker

Copy the server certificate into the fixed directory on the machine where Docker runs

    # In the author's case certs.d already exists; if it does not, create it with mkdir
    root@eb7023:/root/harbor>cd /etc/docker/certs.d/
    root@eb7023:/etc/docker/certs.d>ll
    total 0
    root@eb7023:/etc/docker/certs.d>mkdir -p /etc/docker/certs.d/harbor23.com
    root@eb7023:/etc/docker/certs.d>cd /data/certs/
    root@eb7023:/data/certs>ll
    total 28
    -rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
    -rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
    -rw-r--r-- 1 root root   17 Sep 11 14:48 ca.srl
    -rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
    -rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
    -rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
    -rw-r--r-- 1 root root  231 Sep 11 14:48 v3.ext
    root@eb7023:/data/certs>cp server.crt  /etc/docker/certs.d/harbor23.com/server.crt

Then simply run docker login

    root@eb7023:/data/certs>docker login harbor23.com
    Username: admin
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    Login Succeeded

Here my Docker and Harbor are on the same machine; for another machine, just copy the crt file over as well.

    root@eb7023:/data/certs>scp server.crt root@eb7045:/etc/docker/certs.d/harbor23.com/server.crt
    root@eb7045's password:
    server.crt                                    100% 1830     2.1MB/s   00:00

You can log in on eb7045 to verify:

    root@eb7045:/etc/docker/certs.d/harbor23.com>docker login harbor23.com
    Username: admin
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    Login Succeeded

The configuration is now complete.

Reference: https://zhuanlan.zhihu.com/p/234918875
