Preface
This article follows the official Harbor documentation for a highly available Harbor deployment. The main approach is as follows; choose what to build according to your own situation.
- Deploy a highly available PostgreSQL cluster. (This article uses Stolon to manage it; see the article "Deploying highly available PostgreSQL with Stolon on Kubernetes".)
- Deploy a highly available Redis cluster. (This article uses Helm to deploy Redis in HA mode; see the article "Deploying highly available Redis on Kubernetes", which includes ready-to-use Redis manifests.)
- Deploy a highly available Harbor cluster. (This article focuses on the HA deployment of Harbor and supplements "Building Harbor on Kubernetes without pitfalls, and Harbor repository replication"; please read that one first.)
I. Preparation before deploying Harbor
This article only covers the high-availability configuration; for the rest of the deployment see "Building Harbor on Kubernetes without pitfalls, and Harbor repository replication".
Installation methods
- Install with Helm
- Install directly from the manifests the author prepared (generated with Helm)
1. Install with Helm
For installing Helm, see "Building Harbor on Kubernetes without pitfalls, and Harbor repository replication", which covers the Helm installation.
1.1. Download harbor-helm
git clone https://github.com/goharbor/harbor-helm.git
cd XXX/harbor-helm
1.2. Modify values.yaml
PostgreSQL settings in the database section
database:
  # if external database is used, set "type" to "external"
  # and fill the connection information in "external" section
  type: external
  internal:
    image:
      repository: goharbor/harbor-db
      tag: v1.8.2-dev
    # The initial superuser password for internal database
    password: "changeit"
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "stolon-proxy-service" # Service of the Stolon proxy that fronts PostgreSQL; reachable by name because everything runs in Pods of the same cluster
    port: "5432"
    username: "postgres"
    password: "password1"
    coreDatabase: "registry"
    clairDatabase: "clair"
    notaryServerDatabase: "notaryserver"
    notarySignerDatabase: "notarysigner"
    sslmode: "disable"
  ## Additional deployment annotations
  podAnnotations: {}
Redis settings
redis:
  # if external Redis is used, set "type" to "external"
  # and fill the connection information in "external" section
  type: external
  internal:
    image:
      repository: goharbor/redis-photon
      tag: v1.8.2-dev
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "10.8.4.133" # address of the HAProxy instance that fronts the Redis cluster
    port: "6379"
    # The "coreDatabaseIndex" must be "0" as the library Harbor
    # used doesn't support configuring it
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    password: ""
Change the replicas (replica count) of the other Harbor components
# for example, changing the replica count of nginx
nginx:
  image:
    repository: goharbor/nginx-photon
    tag: v1.8.2-dev
  replicas: 3
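The settings edited in this step are easy to get subtly wrong, so here is a small checker for them. It is an added example, not code from the original post or from the harbor-helm project: it takes the parsed values mapping and reports what must hold for the layout described here (external database and Redis with a host set, coreDatabaseIndex "0", distinct Redis indexes, more than one replica) and flags the settings a security reviewer would question (sslmode disable, an empty Redis password). The sample mapping is constructed from the fragments above; the component keys in REPLICATED are assumed to carry a top-level "replicas" field as in the v1.8 chart; reading a real values.yaml needs PyYAML and is done only in the __main__ block.

```python
"""Sanity-check the HA-relevant settings edited in harbor-helm's values.yaml.

Added example (not from the original post or harbor-helm). Works on the parsed
mapping; see SAMPLE_VALUES for the constructed input.
"""
from typing import Any, Dict, List

# Assumed: these chart keys carry a top-level "replicas" field (v1.8 chart).
REPLICATED = ("nginx", "portal", "core", "jobservice", "registry", "chartmuseum", "clair")
REDIS_INDEX_KEYS = ("coreDatabaseIndex", "jobserviceDatabaseIndex",
                    "registryDatabaseIndex", "chartmuseumDatabaseIndex")

# Constructed from the values.yaml fragments in step 1.2.
SAMPLE_VALUES: Dict[str, Any] = {
    "database": {"type": "external",
                 "external": {"host": "stolon-proxy-service", "port": "5432",
                              "username": "postgres", "password": "password1",
                              "sslmode": "disable"}},
    "redis": {"type": "external",
              "external": {"host": "10.8.4.133", "port": "6379",
                           "coreDatabaseIndex": "0", "jobserviceDatabaseIndex": "1",
                           "registryDatabaseIndex": "2", "chartmuseumDatabaseIndex": "3",
                           "password": ""}},
    "nginx": {"replicas": 3},
    "core": {"replicas": 1},
}


def check_values(values: Dict[str, Any], min_replicas: int = 2) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]}; errors break HA, warnings weaken it."""
    errors: List[str] = []
    warnings: List[str] = []
    for section in ("database", "redis"):
        cfg = values.get(section) or {}
        if cfg.get("type") != "external":
            errors.append(f"{section}.type must be 'external' (got {cfg.get('type')!r}); "
                          "the in-chart single pod is not highly available")
            continue
        if not (cfg.get("external") or {}).get("host"):
            errors.append(f"{section}.external.host is not set")

    db_ext = (values.get("database") or {}).get("external") or {}
    if db_ext.get("sslmode", "disable") == "disable":
        warnings.append("database.external.sslmode is 'disable': database credentials and "
                        "Harbor's metadata travel the pod network unencrypted")

    redis_ext = (values.get("redis") or {}).get("external") or {}
    if str(redis_ext.get("coreDatabaseIndex")) != "0":
        errors.append('redis.external.coreDatabaseIndex must be "0"; Harbor\'s Redis library '
                      "cannot select another index")
    indexes = [str(redis_ext.get(k)) for k in REDIS_INDEX_KEYS]
    if len(set(indexes)) != len(indexes):
        errors.append("Redis database indexes must be distinct per component: "
                      f"{dict(zip(REDIS_INDEX_KEYS, indexes))}")
    if not redis_ext.get("password"):
        warnings.append("redis.external.password is empty: anything that can reach the HAProxy "
                        "frontend gets unauthenticated access to Harbor's session and job state")

    for component in REPLICATED:
        replicas = (values.get(component) or {}).get("replicas")
        if replicas is not None and int(replicas) < min_replicas:
            warnings.append(f"{component}.replicas is {replicas}: one pod is a single point of failure")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    import sys
    values = SAMPLE_VALUES
    if len(sys.argv) > 1:
        import yaml  # PyYAML, only needed to read a real values.yaml
        with open(sys.argv[1]) as fh:
            values = yaml.safe_load(fh)
    report = check_values(values)
    for level in ("errors", "warnings"):
        for msg in report[level]:
            print(f"{level[:-1].upper()}: {msg}")
    sys.exit(1 if report["errors"] else 0)
```

Run it with the path to your edited values.yaml as the only argument; without an argument it evaluates the constructed sample, which passes with no errors but three warnings (sslmode disable, empty Redis password, core at one replica).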
1.3. Prepare the registry, notarysigner, notaryserver and clair databases that Harbor needs; Harbor creates the tables in them itself.
The script that runs the SQL, used by stolon-init-database-job.yaml
cat <<'EOF' > ./postgresql.sh  # quoted delimiter: keep $host, $(...) and ${args[@]} literal so they expand when the script runs, not while writing the file
#!/bin/bash
host="stolon-proxy-service"
user="postgres"
db="postgres"
export PGPASSWORD="password1"
args=(
    # force postgres to not use the local unix socket (test "external" connectivity)
    --host "$host"
    --username "$user"
    --dbname "$db"
    --quiet --no-align --tuples-only
)
# only run the SQL files once the Stolon proxy answers a trivial query
if select="$(echo 'SELECT 1' | psql "${args[@]}")" && [ "$select" = '1' ]; then
    echo "====notaryserver==database==creating===="
    psql -h stolon-proxy-service -p 5432 -U postgres -f "/docker-entrypoint-initdb.d/initial-notaryserver.sql"
    echo "====notarysigner==database==creating===="
    psql -h stolon-proxy-service -p 5432 -U postgres -f "/docker-entrypoint-initdb.d/initial-notarysigner.sql"
    echo "====registry==database==creating===="
    psql -h stolon-proxy-service -p 5432 -U postgres -f "/docker-entrypoint-initdb.d/initial-registry.sql"
    echo "====clair==database==creating===="
    psql -h stolon-proxy-service -p 5432 -U postgres -f "/docker-entrypoint-initdb.d/initial-clair.sql"
    exit 0
fi
exit 1
EOF
Create the registry database
cat <<EOF > ./initial-registry.sql
CREATE DATABASE registry ENCODING 'UTF8';
\c registry;
CREATE TABLE schema_migrations(version bigint not null primary key, dirty boolean not null);
EOF
Create the notaryserver database
cat <<EOF > ./initial-notaryserver.sql
CREATE DATABASE notaryserver;
CREATE USER server;
alter user server with encrypted password 'password';
GRANT ALL PRIVILEGES ON DATABASE notaryserver TO server;
EOF
Create the notarysigner database
cat <<EOF > ./initial-notarysigner.sql
CREATE DATABASE notarysigner;
CREATE USER signer;
alter user signer with encrypted password 'password';
GRANT ALL PRIVILEGES ON DATABASE notarysigner TO signer;
EOF
Create the clair database
cat <<EOF > ./initial-clair.sql
CREATE DATABASE clair;
EOF
Create a Job manifest (stolon-init-database-job.yaml) that creates the databases. Note: change the mount path of the scripts, and either copy the scripts to every node, or label one node, add a matching nodeSelector to the manifest, and copy the scripts only to that labeled node.
apiVersion: batch/v1
kind: Job
metadata:
  name: stolon-init-database-job
spec:
  template:
    spec:
      containers:
      - name: stolon-proxy
        image: sorintlab/stolon:master-pg10
        command:
        - "/bin/bash"
        - "/docker-entrypoint-initdb.d/postgresql.sh"
        volumeMounts:
        - mountPath: /docker-entrypoint-initdb.d
          name: database
      restartPolicy: OnFailure # restart the Pod on failure
      volumes:
      - name: database
        hostPath:
          path: /root/tmp/harbor/stolon/examples/kubernetes/sql
  activeDeadlineSeconds: 600 # if not complete after 10 minutes, stop restarting and remove the Pod
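The script and SQL files above are create-only: with restartPolicy: OnFailure, a first run that created some databases and then failed would retry forever on "database already exists" until activeDeadlineSeconds removes the Pod. The following is an added example, not code from the original post or from the Harbor or Stolon projects, of a re-runnable bootstrap that does the same work (the four databases, the schema_migrations table, the two Notary roles and their grants). SQL is executed through an injected runner so the logic can be exercised offline with the in-memory MemoryRunner; psql_runner shells out to psql and takes credentials from the PGHOST/PGUSER/PGPASSWORD environment, and the NOTARY_SERVER_DB_PASSWORD / NOTARY_SIGNER_DB_PASSWORD variable names are assumptions. Because the stolon image used by the Job has psql but no Python, running this for real assumes an image that has both (or a driver such as psycopg2 plugged in behind the same runner interface).

```python
"""Idempotent bootstrap of the Harbor databases on the Stolon cluster.

Added example (not from the original post, Harbor or Stolon). Safe to re-run:
every step checks the catalog first, and role passwords are re-applied so a
rotated secret takes effect on the next Job run.
"""
import subprocess
from typing import Callable, Dict, Optional

# (database to connect to, SQL) -> tuples-only stdout, e.g. "1" or ""
SqlRunner = Callable[[str, str], str]

# Table Harbor's migration library expects (taken from the upstream initial-registry.sql).
SCHEMA_MIGRATIONS = ("CREATE TABLE IF NOT EXISTS schema_migrations("
                     "version bigint not null primary key, dirty boolean not null)")


def psql_runner(dbname: str, sql: str) -> str:
    """Run one statement with psql; assumes psql on PATH and PGHOST/PGUSER/PGPASSWORD set."""
    out = subprocess.run(
        ["psql", "--dbname", dbname, "--quiet", "--no-align", "--tuples-only",
         "--command", sql], check=True, capture_output=True, text=True)
    return out.stdout.strip()


def quote_ident(name: str) -> str:
    """Quote an identifier; reject anything outside [A-Za-z0-9_] outright."""
    if not name or not name.replace("_", "").isalnum():
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


def quote_literal(value: str) -> str:
    """Quote a string literal by doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def ensure_database(run: SqlRunner, name: str, encoding: Optional[str] = None) -> str:
    """Create database NAME if it is missing; return 'created' or 'exists'."""
    if run("postgres", f"SELECT 1 FROM pg_database WHERE datname = {quote_literal(name)}") == "1":
        return "exists"
    sql = f"CREATE DATABASE {quote_ident(name)}"
    if encoding:
        sql += f" ENCODING {quote_literal(encoding)}"
    run("postgres", sql)
    return "created"


def ensure_role(run: SqlRunner, name: str, password: str) -> str:
    """Create login role NAME if missing and always (re)apply its password."""
    action = "exists"
    if run("postgres", f"SELECT 1 FROM pg_roles WHERE rolname = {quote_literal(name)}") != "1":
        run("postgres", f"CREATE ROLE {quote_ident(name)} LOGIN")
        action = "created"
    run("postgres", f"ALTER ROLE {quote_ident(name)} WITH ENCRYPTED PASSWORD {quote_literal(password)}")
    return action


def bootstrap(run: SqlRunner, passwords: Dict[str, str]) -> Dict[str, str]:
    """Create the four Harbor databases and the two Notary roles; return the action per object."""
    actions = {"registry": ensure_database(run, "registry", "UTF8")}
    run("registry", SCHEMA_MIGRATIONS)
    for db in ("notaryserver", "notarysigner", "clair"):
        actions[db] = ensure_database(run, db)
    for role, db in (("server", "notaryserver"), ("signer", "notarysigner")):
        actions[role] = ensure_role(run, role, passwords[role])
        run("postgres", f"GRANT ALL PRIVILEGES ON DATABASE {quote_ident(db)} TO {quote_ident(role)}")
    return actions


class MemoryRunner:
    """In-memory stand-in for psql that tracks catalog state, for offline checks."""

    def __init__(self) -> None:
        self.databases, self.roles, self.statements = set(), set(), []

    def __call__(self, dbname: str, sql: str) -> str:
        self.statements.append(sql)
        if sql.startswith("SELECT 1 FROM pg_database"):
            return "1" if sql.split("'")[1] in self.databases else ""
        if sql.startswith("SELECT 1 FROM pg_roles"):
            return "1" if sql.split("'")[1] in self.roles else ""
        if sql.startswith("CREATE DATABASE"):
            self.databases.add(sql.split('"')[1])
        elif sql.startswith("CREATE ROLE"):
            self.roles.add(sql.split('"')[1])
        return ""


if __name__ == "__main__":
    import os
    secrets = {"server": os.environ["NOTARY_SERVER_DB_PASSWORD"],   # assumed variable names
               "signer": os.environ["NOTARY_SIGNER_DB_PASSWORD"]}
    print(bootstrap(psql_runner, secrets))
```

Mounted in place of postgresql.sh and given the passwords through the Job's environment (ideally from a Secret), it can be retried by the Job as often as needed; a second run reports "exists" for every object and changes nothing but the role passwords.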
1.3. Deploy PostgreSQL and Redis
- Deploy PostgreSQL following "Deploying highly available PostgreSQL with Stolon on Kubernetes", remembering to add stolon-init-database-job.yaml.
- Deploy Redis following "Deploying highly available Redis on Kubernetes", then put the Redis cluster behind HAProxy (the Redis Service cannot be exposed directly: the Service also routes to slave nodes, Redis replicas are read-only, and Harbor then reports errors).
- Deploy HAProxy
- Install HAProxy
yum -y install haproxy
cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg-back
vim /etc/haproxy/haproxy.cfg
- Add the configuration
defaults REDIS
    mode tcp
    timeout connect 1m
    timeout server 6m
    timeout client 6m

frontend ft_redis
    bind 0.0.0.0:6379 name redis
    default_backend bk_redis

backend bk_redis
    option tcp-check
    tcp-check connect
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    tcp-check send info\ replication\r\n
    tcp-check expect string role:master
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    server R1 redis-0.redis-headless.default.svc.cluster.local:6379 check inter 1s
    server R2 redis-1.redis-headless.default.svc.cluster.local:6379 check inter 1s
    server R3 redis-2.redis-headless.default.svc.cluster.local:6379 check inter 1s

listen admin_stats
    stats enable
    bind *:9090
    mode http
    option httplog
    log global
    maxconn 10
    stats refresh 30s
    stats uri /admin
    stats realm haproxy
    stats auth admin:admin
    stats hide-version
    stats admin if TRUE
systemctl start haproxy && systemctl enable haproxy && systemctl status haproxy
Visit <Harbor node IP>:9090/admin
If it looks like the figure, the setup succeeded.
⚠️ For high availability of the k8s master nodes, see "Implementing master cluster HA with haproxy+keepalived".
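The reason HAProxy is needed in front of Redis is the tcp-check sequence above: a replica answers PING just like the master, so only the role:master line from INFO replication tells the writable node apart. The following probe, an added example that is not from the original post nor from the Redis or HAProxy projects, sends the same PING / INFO replication / QUIT exchange over a raw socket using the RESP wire protocol (no client library) and reports each pod's role, so you can confirm which backend HAProxy will keep in service before pointing Harbor at it. The pod names are the ones from the backend above; decode_reply exists so the reply parsing can be exercised offline on captured bytes.

```python
"""Probe Redis pods the way the HAProxy tcp-check above does.

Added example (not from the original post, Redis or HAProxy). Speaks RESP
directly: every command is an array of bulk strings, replies are +simple,
-error or $bulk.
"""
import io
import socket
from typing import List, Optional, Tuple

# Pod names from the HAProxy backend above (default namespace assumed).
REDIS_NODES: List[Tuple[str, int]] = [
    ("redis-0.redis-headless.default.svc.cluster.local", 6379),
    ("redis-1.redis-headless.default.svc.cluster.local", 6379),
    ("redis-2.redis-headless.default.svc.cluster.local", 6379),
]


def resp_command(*parts: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    out = [b"*%d\r\n" % len(parts)]
    for part in parts:
        data = part.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def read_reply(reader) -> str:
    """Read one reply from a binary file object: +simple, -error or $bulk."""
    line = reader.readline()
    if not line.endswith(b"\r\n"):
        raise ConnectionError("connection closed mid-reply")
    kind, body = line[:1], line[1:-2].decode()
    if kind == b"+":
        return body
    if kind == b"-":
        raise RuntimeError(f"redis error: {body}")
    if kind == b"$":
        length = int(body)
        if length < 0:
            return ""  # null bulk string
        payload = reader.read(length + 2)  # payload plus trailing CRLF
        if len(payload) != length + 2:
            raise ConnectionError("truncated bulk reply")
        return payload[:length].decode()
    raise ValueError(f"unexpected reply type: {line!r}")


def decode_reply(raw: bytes) -> str:
    """Decode a single captured reply; lets read_reply be checked offline."""
    return read_reply(io.BytesIO(raw))


def parse_role(info_replication: str) -> Optional[str]:
    """Pull 'master' or 'slave' out of an INFO replication section."""
    for line in info_replication.splitlines():
        if line.startswith("role:"):
            return line.split(":", 1)[1].strip()
    return None


def probe_role(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Return the node's role, or None if it is unreachable or fails the PING check."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            reader = sock.makefile("rb")
            sock.sendall(resp_command("PING"))
            if read_reply(reader) != "PONG":
                return None
            sock.sendall(resp_command("INFO", "replication"))
            role = parse_role(read_reply(reader))
            sock.sendall(resp_command("QUIT"))
            read_reply(reader)  # +OK
            return role
    except (OSError, RuntimeError, ValueError):
        return None


def writable_masters(nodes: List[Tuple[str, int]]) -> List[str]:
    """Hosts that currently report role:master; only these may receive Harbor's writes."""
    return [f"{host}:{port}" for host, port in nodes if probe_role(host, port) == "master"]


if __name__ == "__main__":
    for host, port in REDIS_NODES:
        print(host, probe_role(host, port))
    print("writable:", writable_masters(REDIS_NODES))
```

Run it from a Pod inside the cluster (the headless Service names only resolve there). Exactly one host should appear under "writable"; if the plain Redis Service were used instead, Harbor's connections would land on the other two as well, which is the read-only error the list above describes.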
1.4. Deploy Harbor
Install Harbor and write the log to a file; the file can be edited down to keep the .yaml manifests for later use
helm install . --debug --name hub |sed 'w harbor.yaml'
Or run the following command, which renders the chart without installing it; its purpose is to generate the manifests, from which you delete the extra parts before use
helm install . --debug --dry-run --name hub |sed 'w harbor.yaml'
2. Run the prepared manifests
Link: https://pan.baidu.com/s/1cr1fnWGHc-70HAxx1YH4kg  password: 21a8
Using these manifests directly may cause problems; it is better to take the trouble to go through Helm as above, which also avoids missed or wrong configuration changes. They are suitable for experiments; if you build a real deployment, be sure to adjust Pod settings such as volumes and resource requests.