Deploying Harbor with a self-signed certificate

Harbor is a private Docker registry and a basic piece of infrastructure for learning K8S.

1. Planning

Host
  Operating system: CentOS 9 (centos9)
  IP address: 192.168.10.249
  Domain name: harbor.bravexist.cn
  Spec: 2 CPU / 2 GB RAM / 100 GB disk (2c2g100g)
  Version: harbor-offline-installer-v2.14.1.tgz
  Hostname: Harbor-Server

CentOS 9 Stream basic configuration

Docker basics

Github Release

Download the installer package in advance, install Docker beforehand, and configure a registry mirror (image accelerator).

2. Installation

2.1 Extract the package

  1. Create the working directory
mkdir -p /opt/softwares
  2. Extract
tar -xf harbor-offline-installer-v2.14.1.tgz -C /opt/softwares
  3. Enter the directory
cd /opt/softwares/harbor

2.2 Self-signed certificate

  1. Create the certificate working directories
mkdir -pv /opt/softwares/harbor/certs/{ca,server,client}
  2. Enter the certificate working directory
cd /opt/softwares/harbor/certs

2.2.1 Generate the CA private key and certificate

  1. Generate the CA private key (keep ca.key off every client; only ca.crt is distributed)
openssl genrsa -out ca/ca.key 4096
  2. Generate the CA's self-signed certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=bravexist.cn" \
-key ca/ca.key \
-out ca/ca.crt

2.2.2 Generate the Harbor server certificate and the client certificate file

  1. Generate the harbor host's private key
openssl genrsa -out server/harbor.bravexist.cn.key 4096
  2. Generate the certificate signing request for the harbor host
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.bravexist.cn" \
-key server/harbor.bravexist.cn.key \
-out server/harbor.bravexist.cn.csr
  3. Create the x509 v3 extension file. The subjectAltName entries are what clients match the hostname against; Go-based clients such as Docker ignore the CN, so harbor.bravexist.cn must appear here.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=bravexist.cn
DNS.2=bravexist
DNS.3=harbor.bravexist.cn
EOF
  4. Sign the harbor host certificate with the CA, using "v3.ext"
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
-in server/harbor.bravexist.cn.csr \
-out server/harbor.bravexist.cn.crt
  5. Convert the .crt file into a .cert client certificate file. Docker treats a .crt under /etc/docker/certs.d/<registry>/ as a CA certificate and a .cert as a client certificate for mutual TLS; Harbor is not configured to require client certificates here, so this file is produced but not used in the next step.
openssl x509 -inform PEM -in server/harbor.bravexist.cn.crt -out server/harbor.bravexist.cn.cert

2.2.3 Prepare the Docker client certificate

Only the CA certificate is needed on the client side; the server certificate and key stay on the server. The commented-out line would only be needed for mutual TLS.

# cp server/harbor.bravexist.cn.{cert,key} client/
cp ca/ca.crt client/
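Before handing these files to Harbor and Docker it is worth verifying them the way a client will. The script below is an added example, not code from the original post: it repeats the CA and server-certificate steps above in a temporary directory (placeholder subject fields, hostname passed as an argument) and then checks the chain, the SAN, the key/certificate match and basicConstraints. The check function can be run as-is against the files generated above.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: reproduce the CA + server
# certificate steps in a temporary directory and then run the checks a TLS
# client (browser, Docker) effectively performs. Subject fields and the
# hostname are placeholders.
set -e

# gen_harbor_certs DIR HOST: same openssl sequence as the post, with 2048-bit
# keys to keep it quick. Writes DIR/ca/ca.crt and DIR/server/HOST.{key,crt}.
gen_harbor_certs() {
    local dir="$1" host="$2"
    mkdir -p "$dir/ca" "$dir/server" "$dir/client"
    openssl genrsa -out "$dir/ca/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "/C=CN/O=example/CN=example-ca" \
        -key "$dir/ca/ca.key" -out "$dir/ca/ca.crt"
    openssl genrsa -out "$dir/server/$host.key" 2048 2>/dev/null
    openssl req -sha512 -new -subj "/C=CN/O=example/CN=$host" \
        -key "$dir/server/$host.key" -out "$dir/server/$host.csr"
    # Same v3 extensions as the post; SAN is what clients match the name on.
    printf '%s\n' \
        'authorityKeyIdentifier=keyid,issuer' \
        'basicConstraints=CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host" > "$dir/v3.ext"
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
        -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
        -in "$dir/server/$host.csr" -out "$dir/server/$host.crt" 2>/dev/null
    cp "$dir/ca/ca.crt" "$dir/client/"
}

# check_harbor_certs CA_CRT SERVER_CRT SERVER_KEY HOST
# Prints "ok", or the name of the first failing check (and returns 1).
check_harbor_certs() {
    local ca="$1" crt="$2" key="$3" host="$4"
    # 1. the leaf chains to the CA we are about to distribute to clients
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo chain; return 1; }
    # 2. the registry hostname is in subjectAltName; Go (hence Docker) ignores CN
    openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$host(,|$)" || { echo san; return 1; }
    # 3. the private key Harbor will load matches the certificate it presents
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo keymatch; return 1; }
    # 4. the leaf must not itself be a CA
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE' || { echo basic; return 1; }
    echo ok
}

# Usage against the post's layout (run from /opt/softwares/harbor/certs):
#   check_harbor_certs ca/ca.crt server/harbor.bravexist.cn.crt \
#       server/harbor.bravexist.cn.key harbor.bravexist.cn
```

Once Harbor is running, the same CA file can be handed to a real client with curl --cacert ca/ca.crt https://harbor.bravexist.cn/api/v2.0/health, which exercises the certificate end to end without touching Docker.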

2.3 Edit the Harbor configuration file

cd /opt/softwares/harbor
cp harbor.yml.tmpl harbor.yml
vim harbor.yml
### main changes
hostname: harbor.bravexist.cn
certificate: /opt/softwares/harbor/certs/server/harbor.bravexist.cn.crt
private_key: /opt/softwares/harbor/certs/server/harbor.bravexist.cn.key

The hostname must be one of the names in the certificate's subjectAltName. The template also ships with harbor_admin_password: Harbor12345 and a database password of root123; both are well-known defaults and should be changed before the registry is reachable from anything but this host.

View the file without comments (note that the pattern '^.*#' also drops any line whose value happens to contain a '#', such as a password):

egrep -v '^.*#|^$' harbor.yml
[root@Harbor-Server /opt/softwares/harbor]# egrep -v '^.*#|^$' harbor.yml
hostname: harbor.bravexist.cn
http:
  port: 80
https:
  port: 443
  certificate: /opt/softwares/harbor/certs/server/harbor.bravexist.cn.crt
  private_key: /opt/softwares/harbor/certs/server/harbor.bravexist.cn.key
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
  conn_max_lifetime: 5m
  conn_max_idle_time: 0
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  skip_java_db_update: false
  offline_scan: false
  security_check: vuln
  insecure: false
  timeout: 5m0s
jobservice:
  max_job_workers: 10
  max_job_duration_hours: 24
  job_loggers:
    - STD_OUTPUT
    - FILE
notification:
  webhook_job_max_retry: 3
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.14.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false
cache:
  enabled: false
  expire_hours: 24
[root@Harbor-Server /opt/softwares/harbor]#
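The listing above still carries two template defaults (harbor_admin_password: Harbor12345 and the database password root123), and the hostname, https, certificate and private_key fields are what the whole TLS setup depends on. The following is an added example, not part of Harbor or the original post: a small pre-install lint that reads a harbor.yml path and flags those settings before ./install.sh bakes them in. The finding names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of Harbor or the original post: flag harbor.yml
# settings that should not survive into a reachable registry.
set -e

# lint_harbor_yml FILE
# Prints space-separated finding names, or "clean".
lint_harbor_yml() {
    local f="$1" findings="" cfg
    # Drop only full-line comments and blank lines. The post's '^.*#' would
    # also discard a value that contains a '#', e.g. a strong password.
    cfg=$(grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$f" || true)

    # The template warns against localhost/127.0.0.1: remote clients would
    # resolve it to themselves and the certificate SAN would never match.
    printf '%s\n' "$cfg" | grep -Eq '^hostname:[[:space:]]*(localhost|127\.0\.0\.1)' \
        && findings="$findings hostname_loopback"
    # Template default admin password (the one the post logs in with).
    printf '%s\n' "$cfg" | grep -Eq '^harbor_admin_password:[[:space:]]*Harbor12345[[:space:]]*$' \
        && findings="$findings admin_default_password"
    # Template default password of the bundled PostgreSQL (database: / password:).
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]+password:[[:space:]]*root123[[:space:]]*$' \
        && findings="$findings db_default_password"
    # TLS must be configured: https block plus certificate and private_key paths.
    printf '%s\n' "$cfg" | grep -Eq '^https:' \
        || findings="$findings https_missing"
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]+certificate:[[:space:]]*/' \
        || findings="$findings certificate_missing"
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]+private_key:[[:space:]]*/' \
        || findings="$findings private_key_missing"

    if [ -z "$findings" ]; then
        echo clean
    else
        echo "${findings# }"
    fi
}

# Usage: lint_harbor_yml /opt/softwares/harbor/harbor.yml
```

Run it before ./install.sh and again after any edit; a "clean" result means the registry at least does not start with the published defaults and does serve TLS.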

2.4 Install

cd /opt/softwares/harbor
./install.sh

2.5 Open the firewall and test access

Harbor serves the registry on 443; port 80 only carries the redirect to HTTPS, so both ports need to be opened:

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

Add a hosts entry for name resolution

### C:\Windows\System32\drivers\etc\hosts
### Docker
192.168.10.249 harbor.bravexist.cn

Visit https://harbor.bravexist.cn

Importing the root certificate (certs/ca/ca.crt) into the browser's trust store clears the "not secure" warning; import only the CA certificate, never the server key.

Log in with the default credentials, and change the admin password right after the first login:

admin
Harbor12345

2.6 Verification from the Docker client

cat >> /etc/hosts << EOF
192.168.10.249 harbor.bravexist.cn
EOF
docker login -uadmin -p'Harbor12345' https://harbor.bravexist.cn
[root@Harbor-Server ~]# docker login -uadmin -p'Harbor12345' https://harbor.bravexist.cn
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://harbor.bravexist.cn/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
[root@Harbor-Server ~]#

Error; fix:

mkdir -p /etc/docker/certs.d/harbor.bravexist.cn
cp /opt/softwares/harbor/certs/client/* /etc/docker/certs.d/harbor.bravexist.cn/

Idea

Put the root certificate in this directory so that Docker trusts it. Docker reads every .crt file under /etc/docker/certs.d/<registry>/ as a CA certificate for that registry only, so there is no need to add the CA to the system-wide trust store or to mark the registry as insecure.

Note

Log out promptly; otherwise the plaintext password can be recovered, because docker login stores user:password base64-encoded (not encrypted) in ~/.docker/config.json unless a credential helper is configured.

more ~/.docker/config.json
[root@Harbor-Server ~]# more .docker/config.json
{
  "auths": {
    "harbor.bravexist.cn": {
      "auth": "YWRtaW46SGFyYm9yMTIzNDU="
    }
  }
}
[root@Harbor-Server ~]#
[root@Harbor-Server ~]# echo YWRtaW46SGFyYm9yMTIzNDU= |base64 -d |more
admin:Harbor12345
[root@Harbor-Server ~]#
docker logout https://harbor.bravexist.cn
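The warning from docker login and the config.json dump above come down to the same thing: the password is passed on the command line and then stored base64-encoded. The block below is an added example, not from the original post or from Docker: a login wrapper that feeds the password through --password-stdin from a file, and a function that reports what a given config.json actually holds for a registry (the decoded credential, the name of a configured credential store, or nothing). The registry name and the sample config.json used to exercise it are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or Docker: log in without the
# password on argv, and audit what ~/.docker/config.json really stores.
set -e

# harbor_login REGISTRY USER SECRET_FILE
# docker login with --password-stdin: the secret never appears in `ps`
# output or shell history. Requires a docker CLI; not exercised offline.
harbor_login() {
    local registry="$1" user="$2" secret_file="$3"
    docker login -u "$user" --password-stdin "$registry" < "$secret_file"
}

# docker_stored_credential CONFIG_JSON REGISTRY
# Prints "credstore:<helper>" if a credential helper is configured (secrets
# then live in the helper, not in the file), the decoded user:password for
# REGISTRY if one is stored inline, or "none".
docker_stored_credential() {
    local cfg="$1" registry="$2" store b64
    store=$(sed -n 's/.*"credsStore"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -n "$store" ]; then
        echo "credstore:$store"
        return 0
    fi
    # Walk the pretty-printed JSON: remember when we are inside the block for
    # REGISTRY and pull the first "auth" value that follows it.
    b64=$(awk -v reg="\"$registry\"" '
        index($0, reg)      { inblock = 1; next }
        inblock && /"auth"/ { sub(/.*"auth"[ \t]*:[ \t]*"/, ""); sub(/".*/, ""); print; exit }
        inblock && /}/      { inblock = 0 }
    ' "$cfg")
    if [ -z "$b64" ]; then
        echo none
        return 0
    fi
    # base64 is an encoding, not encryption: this is the plaintext credential.
    printf '%s' "$b64" | base64 -d
}

# Usage: docker_stored_credential ~/.docker/config.json harbor.bravexist.cn
```

If the audit prints a user:password pair, the fix is either docker logout (as above) or configuring a credential helper (credsStore), after which the file only records that the helper is in use.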