Installing Harbor with Helm



docker(22): Harbor, an enterprise-grade private registry for Docker

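Harbor supports several installation methods. The source tree ships an installation script (make/install.sh) that runs the Harbor components with docker-compose. This article covers another simple method: Helm. The Harbor project provides an official Helm chart.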

1 Download

Download the Harbor chart onto the cluster where it will be installed and switch to the branch you want to install. Here we use the 1.0.0 branch.

git clone https://github.com/goharbor/harbor-helm
cd harbor-helm
git checkout 1.0.0

 

2 Create a StorageClass for persistence

#cat harbor-data-sc.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: harbor-data
provisioner: fuseim.pri/ifs

 

 

kubectl create -f harbor-data-sc.yaml
storageclass.storage.k8s.io "harbor-data" created

 

 

 

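3 Customize the installation file

Edit the values.yaml file in the Helm chart. Here I changed the ingress hostnames and the persistent volume storage settings.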

expose:
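  # How the service is exposed. Set the type to ingress, clusterIP or nodePort and fill in the matching section.
  type: ingress
  tls:
    # Whether to enable TLS. Note: if the type is ingress and TLS is disabled, the port must be included when pulling/pushing images. See https://github.com/goharbor/harbor/issues/5291 for details.
    enabled: true
    # To use your own TLS certificate and private key, fill in the name of the secret. The secret must contain the certificate and private key under the names tls.crt and tls.key. If it is not set, a certificate and private key are generated automatically.
    secretName: ""
    # By default the Notary service uses the same certificate and private key as above. Fill in the field below to use a separate one. Only needed when the type is ingress.
    notarySecretName: ""
    # The common name is used to generate the certificate. Only needed when the type is clusterIP or nodePort and secretName is empty.
    commonName: ""
  ingress:
    hosts:
      core: harbor.wangxu.com
      notary: notary.wangxu.com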
    annotations:
      ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
  clusterIP:
    # Name of the ClusterIP service
    name: harbor
    ports:
      httpPort: 80
      httpsPort: 443
      # Port the Notary service listens on. Only takes effect when notary.enabled is set to true
      notaryPort: 4443
  nodePort:
    # Name of the NodePort service
    name: harbor
    ports:
      http:
        port: 80
        nodePort: 30002
      https: 
        port: 443
        nodePort: 30003
      notary: 
        port: 4443
        nodePort: 30004

# External URL of the Harbor core service. It is mainly used to:
# 1) fill in the docker/helm commands shown on the portal page
# 2) fill in the token service URL returned to the docker/notary client

# Format: protocol://domain[:port].
# 1) If expose.type=ingress, "domain" is the value of expose.ingress.hosts.core
# 2) If expose.type=clusterIP, "domain" is the value of expose.clusterIP.name
# 3) If expose.type=nodePort, "domain" is the IP address of a k8s node

# If Harbor is deployed behind a proxy, set this to the URL of the proxy
externalURL: https://harbor.wangxu.com

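# Data persistence is enabled by default. Dynamically provisioning volumes in the k8s cluster requires a StorageClass object.
# If you already have persistent volumes to use, specify your storageClass in "storageClass" or set "existingClaim".
#
# To store docker images and Helm charts you can also use "azure", "gcs", "s3", "swift" or "oss"; set it directly in the "imageChartStorage" section
persistence:
  enabled: true
  # Set to "keep" to avoid removing PVCs during a helm delete operation. Leave empty to delete the PVCs after the chart is deleted
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      # Use an existing PVC (it must be created manually before binding)
      existingClaim: ""
      # Specify the "storageClass", or use the default StorageClass object. Set to "-" to disable dynamic provisioning
      storageClass: "harbor-data"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: ""
      storageClass: "harbor-data"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      # harbor-data is the StorageClass from step 2, not a PVC name, so it goes in storageClass
      # (the PVC list in step 4 shows this claim provisioned from it)
      existingClaim: ""
      storageClass: "harbor-data"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If an external database service is used, the settings below are ignored
    database:
      existingClaim: ""
      storageClass: "harbor-data"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If an external Redis service is used, the settings below are ignored
    redis:
      existingClaim: ""
      storageClass: "harbor-data"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
  # Defines which storage backend is used for images and charts. Documentation: https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
  imageChartStorage:
    # Whether to disable redirects for image and chart storage. For backends that do not support it (for example `s3` storage backed by minio), it must be disabled. To disable redirects, set `disableredirect=true`. Documentation: https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
    disableredirect: false
    # Storage type: "filesystem", "azure", "gcs", "s3", "swift", "oss". Fill in the information in the matching section.
    # To use a PV, the type must be set to "filesystem"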
    type: filesystem
    filesystem:
      rootdirectory: /storage
      #maxthreads: 100
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
      #realm: core.windows.net
    gcs:
      bucket: bucketname
      # The base64 encoded json file which contains the key
      encodedkey: base64-encoded-json-key-file
      #rootdirectory: /gcs/object/name/prefix
      #chunksize: "5242880"
    s3:
      region: us-west-1
      bucket: bucketname
      #accesskey: awsaccesskey
      #secretkey: awssecretkey
      #regionendpoint: http://myobjects.local
      #encrypt: false
      #keyid: mykeyid
      #secure: true
      #v4auth: true
      #chunksize: "5242880"
      #rootdirectory: /s3/object/name/prefix
      #storageclass: STANDARD
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
      #region: fr
      #tenant: tenantname
      #tenantid: tenantid
      #domain: domainname
      #domainid: domainid
      #trustid: trustid
      #insecureskipverify: false
      #chunksize: 5M
      #prefix:
      #secretkey: secretkey
      #accesskey: accesskey
      #authversion: 3
      #endpointtype: public
      #tempurlcontainerkey: false
      #tempurlmethods:
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname
      #endpoint: endpoint
      #internal: false
      #encrypt: false
      #secure: true
      #chunksize: 10M
      #rootdirectory: rootdirectory

imagePullPolicy: IfNotPresent

logLevel: debug
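# Initial password of the Harbor admin. Change it through the Portal after Harbor starts
harborAdminPassword: "Harbor12345"
# A secret key used for encryption. It must be a string of 16 characters
secretKey: "not-a-secure-key"

# If the service is exposed through "ingress", the Nginx below is not used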
nginx:
  image:
    repository: goharbor/nginx-photon
    tag: v1.7.0
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Extra annotations for the Deployment
  podAnnotations: {}

portal:
  image:
    repository: goharbor/harbor-portal
    tag: v1.7.0
  replicas: 1
# resources:
#  requests:
#    memory: 256Mi
#    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

core:
  image:
    repository: goharbor/harbor-core
    tag: v1.7.0
  replicas: 1
# resources:
#  requests:
#    memory: 256Mi
#    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

adminserver:
  image:
    repository: goharbor/harbor-adminserver
    tag: v1.7.0
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

jobservice:
  image:
    repository: goharbor/harbor-jobservice
    tag: v1.7.0
  replicas: 1
  maxJobWorkers: 10
  # Log collector for jobs: "file", "database" or "stdout"
  jobLogger: file
# resources:
#   requests:
#     memory: 256Mi
#     cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

registry:
  registry:
    image:
      repository: goharbor/registry-photon
      tag: v2.6.2-v1.7.0
  controller:
    image:
      repository: goharbor/harbor-registryctl
      tag: v1.7.0
  replicas: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

chartmuseum:
  enabled: true
  image:
    repository: goharbor/chartmuseum-photon
    tag: v0.7.1-v1.7.0
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

clair:
  enabled: true
  image:
    repository: goharbor/clair-photon
    tag: v2.0.7-v1.7.0
  replicas: 1
  # http(s) proxy used to update the vulnerability database from the Internet
  httpProxy:
  httpsProxy:
  # Interval of the clair updaters, in hours. Set to 0 to disable
  updatersInterval: 12
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

notary:
  enabled: true
  server:
    image:
      repository: goharbor/notary-server-photon
      tag: v0.6.1-v1.7.0
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  signer:
    image:
      repository: goharbor/notary-signer-photon
      tag: v0.6.1-v1.7.0
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

database:
  # To use an external database, set type=external and fill in the connection details in the external section
  type: internal
  internal:
    image:
      repository: goharbor/harbor-db
      tag: v1.7.0
    # Password of the initial superuser of the internal database
    password: "changeit"
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    clairDatabase: "clair"
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"
    sslmode: "disable"
  podAnnotations: {}

redis:
  # To use an external Redis service, set type=external and fill in the connection details in the external section.
  type: internal
  internal:
    image:
      repository: goharbor/redis-photon
      tag: v1.7.0
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "192.168.0.2"
    port: "6379"
    # coreDatabaseIndex must be set to 0
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    password: ""
  podAnnotations: {}
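
The values above still carry the chart's sample credentials (harborAdminPassword, secretKey and the internal database password). The following check is an added example, not part of the original article or the Harbor chart: it flags those sample values and writes an override file with random ones. The function names and the harbor-secrets.yaml file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or the Harbor chart).
# The three key/value pairs checked are the sample values in the values.yaml above.

# Print "line:text" for each sample credential still present in the file.
# Returns 1 if any is found, 0 if the file is clean.
check_sample_secrets() {
    local file="$1"
    local found=0
    local pattern
    for pattern in \
        'harborAdminPassword:[[:space:]]*"Harbor12345"' \
        'secretKey:[[:space:]]*"not-a-secure-key"' \
        'password:[[:space:]]*"changeit"'
    do
        if grep -nE "^[[:space:]]*${pattern}" "$file"; then
            found=1
        fi
    done
    return "$found"
}

# Random alphanumeric string of the given length (up to about 300 characters).
random_string() {
    head -c 256 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-"$1"
}

# Write an override file readable only by its owner. secretKey is 16
# characters, as the comment in values.yaml requires.
write_overrides() {
    local out="$1"
    (
        umask 077
        cat > "$out" <<EOF
harborAdminPassword: "$(random_string 24)"
secretKey: "$(random_string 16)"
database:
  internal:
    password: "$(random_string 24)"
EOF
    )
}

# Typical use, with the install command from step 4 (harbor-secrets.yaml is a
# hypothetical file name; a later -f file overrides an earlier one):
#   check_sample_secrets values.yaml || write_overrides harbor-secrets.yaml
#   helm install --name harbor -f values.yaml -f harbor-secrets.yaml . --namespace kube-ops
```

Keeping the generated values in a separate owner-only file also keeps them out of shell history and out of the shared values.yaml.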

 

4 Install

[root@k8s-master harbor-helm]# helm install --name harbor -f values.yaml . --namespace kube-ops
NAME:   harbor
LAST DEPLOYED: Mon Oct 21 14:53:15 2019
NAMESPACE: kube-ops
STATUS: DEPLOYED

RESOURCES:
==> v1/ConfigMap
NAME                         DATA  AGE
harbor-harbor-adminserver    39    3s
harbor-harbor-chartmuseum    24    3s
harbor-harbor-clair          1     3s
harbor-harbor-core           1     3s
harbor-harbor-jobservice     1     3s
harbor-harbor-notary-server  5     3s
harbor-harbor-registry       2     3s

==> v1/Deployment
NAME                         READY  UP-TO-DATE  AVAILABLE  AGE
harbor-harbor-adminserver    0/1    1           0          2s
harbor-harbor-chartmuseum    0/1    1           0          2s
harbor-harbor-clair          0/1    1           0          2s
harbor-harbor-core           0/1    1           0          2s
harbor-harbor-jobservice     0/1    1           0          2s
harbor-harbor-notary-server  0/1    1           0          2s
harbor-harbor-notary-signer  0/1    1           0          2s
harbor-harbor-portal         0/1    1           0          2s
harbor-harbor-registry       0/1    1           0          2s

==> v1/PersistentVolumeClaim
NAME                       STATUS  VOLUME                                                                       CAPACITY  ACCESS MODES  STORAGECLASS  AGE
harbor-harbor-chartmuseum  Bound   kube-ops-harbor-harbor-chartmuseum-pvc-425d2dd1-e90e-42cc-af4c-959cf5c8ae6b  5Gi       RWO           harbor-data   3s
harbor-harbor-jobservice   Bound   kube-ops-harbor-harbor-jobservice-pvc-fee241f4-cd1a-4576-9c7f-18feef3c9e71   1Gi       RWO           harbor-data   3s
harbor-harbor-registry     Bound   kube-ops-harbor-harbor-registry-pvc-951e42b5-8a83-402d-ba43-e41809af6827     5Gi       RWO           harbor-data   3s

==> v1/Pod(related)
NAME                                          READY  STATUS             RESTARTS  AGE
harbor-harbor-adminserver-66779c5c5d-n4852    0/1    ContainerCreating  0         2s
harbor-harbor-chartmuseum-94cc9cf7b-jzfms     0/1    Pending            0         2s
harbor-harbor-clair-7d6646c5df-4crst          0/1    ContainerCreating  0         2s
harbor-harbor-core-6c7c4445b-dzpcp            0/1    ContainerCreating  0         2s
harbor-harbor-database-0                      0/1    Pending            0         2s
harbor-harbor-jobservice-66dbb69cdf-m54h6     0/1    Pending            0         2s
harbor-harbor-notary-server-694b75767f-xlqhx  0/1    Pending            0         2s
harbor-harbor-notary-signer-b6f8b4564-dj8tc   0/1    Pending            0         2s
harbor-harbor-portal-8fd4f9ff9-d92m8          0/1    ContainerCreating  0         2s
harbor-harbor-redis-0                         0/1    Pending            0         2s
harbor-harbor-registry-946d7dffc-hdggn        0/2    Pending            0         2s

==> v1/Secret
NAME                       TYPE               DATA  AGE
harbor-harbor-adminserver  Opaque             4     3s
harbor-harbor-chartmuseum  Opaque             1     3s
harbor-harbor-core         Opaque             4     3s
harbor-harbor-database     Opaque             1     3s
harbor-harbor-ingress      kubernetes.io/tls  3     3s
harbor-harbor-jobservice   Opaque             1     3s
harbor-harbor-registry     Opaque             1     3s

==> v1/Service
NAME                         TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)            AGE
harbor-harbor-adminserver    ClusterIP  10.100.68.4     <none>       80/TCP             3s
harbor-harbor-chartmuseum    ClusterIP  10.101.178.155  <none>       80/TCP             2s
harbor-harbor-clair          ClusterIP  10.105.121.19   <none>       6060/TCP           2s
harbor-harbor-core           ClusterIP  10.103.3.101    <none>       80/TCP             2s
harbor-harbor-database       ClusterIP  10.98.103.6     <none>       5432/TCP           2s
harbor-harbor-jobservice     ClusterIP  10.108.173.14   <none>       80/TCP             2s
harbor-harbor-notary-server  ClusterIP  10.99.236.15    <none>       4443/TCP           2s
harbor-harbor-notary-signer  ClusterIP  10.110.155.9    <none>       7899/TCP           2s
harbor-harbor-portal         ClusterIP  10.96.129.206   <none>       80/TCP             2s
harbor-harbor-redis          ClusterIP  10.96.89.36     <none>       6379/TCP           2s
harbor-harbor-registry       ClusterIP  10.109.222.50   <none>       5000/TCP,8080/TCP  2s

==> v1/StatefulSet
NAME                    READY  AGE
harbor-harbor-database  0/1    2s
harbor-harbor-redis     0/1    2s

==> v1beta1/Ingress
NAME                   HOSTS                                ADDRESS  PORTS  AGE
harbor-harbor-ingress  harbor.wangxu.com,notary.wangxu.com  80, 443  2s


NOTES:
Please wait for several minutes for Harbor deployment to complete.
Then you should be able to visit the Harbor portal at https://core.harbor.domain.
For more details, please visit https://github.com/goharbor/harbor.
[root@k8s-master harbor-helm]#

 

 

 

Wait about 5 minutes and the installation completes. Check the status of the Pods:

[root@k8s-master harbor-helm]# kubectl get pods -n kube-ops
NAME                                           READY   STATUS    RESTARTS   AGE
harbor-harbor-adminserver-66779c5c5d-n4852     1/1     Running   1          15m
harbor-harbor-chartmuseum-94cc9cf7b-jzfms      1/1     Running   0          15m
harbor-harbor-clair-7d6646c5df-4crst           1/1     Running   0          15m
harbor-harbor-core-6c7c4445b-dzpcp             1/1     Running   3          15m
harbor-harbor-database-0                       1/1     Running   0          15m
harbor-harbor-jobservice-66dbb69cdf-m54h6      1/1     Running   8          15m
harbor-harbor-notary-server-694b75767f-xlqhx   1/1     Running   0          15m
harbor-harbor-notary-signer-b6f8b4564-dj8tc    1/1     Running   0          15m
harbor-harbor-portal-8fd4f9ff9-d92m8           1/1     Running   0          15m
harbor-harbor-redis-0                          1/1     Running   0          15m
harbor-harbor-registry-946d7dffc-hdggn         2/2     Running   0          15m
jenkins2-8b7f7bdb7-fzpp8                       1/1     Running   0          5h29m
[root@k8s-master harbor-helm]#

 

 

They are all in the Running state now, so everything started successfully. Check the corresponding Ingress object:

[root@k8s-master harbor-helm]# kubectl get ingress -n kube-ops
NAME                    HOSTS                                 ADDRESS   PORTS     AGE
harbor-harbor-ingress   harbor.wangxu.com,notary.wangxu.com             80, 443   14m

 

 

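5 Access

If you have a real domain of your own, resolve the two hostnames above to any node that runs an Ingress Controller Pod. For ease of demonstration, we add mappings for harbor.wangxu.com and notary.wangxu.com to the local /etc/hosts instead.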

10.6.76.23 harbor.wangxu.com notary.wangxu.com 
10.6.76.24 harbor.wangxu.com notary.wangxu.com

 

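The configured Ingress forces a redirect to https, so if your browser enforces any security restrictions you need to trust the certificate used by this Ingress. The certificate file can be obtained by viewing the Secret resource object: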

Then enter the username admin and the password Harbor12345 (we can of course override harborAdminPassword ourselves when installing with Helm) to log in to the Portal home page:

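By default there is a project named library, which is publicly accessible by default. Inside the project you can also see Helm chart management, where charts can be uploaded manually. You can also configure the images in this project, for example whether to enable automatic image scanning: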

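6 Access with the docker CLI

Use the docker CLI to pull/push images. Because the Harbor service was exposed through Ingress at install time and https is enforced, using this private registry from a terminal requires configuring the corresponding certificate: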

[root@k8s-master harbor-helm]# docker login harbor.wangxu.com
Username: admin
Password:
Error response from daemon: Get https://harbor.wangxu.com/v2/: x509: certificate signed by unknown authority
[root@k8s-master harbor-helm]#

 

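This is because we did not provide a certificate file. Copy the ca.crt file in use to the /etc/docker/certs.d/registry.qikqiak.com directory, creating the directory if it does not exist. The ca.crt certificate file is provided by the Secret resource object used by the Ingress: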

 

# kubectl get secret harbor-harbor-ingress -n kube-ops -o yaml
apiVersion: v1
data:
  ca.crt: <base64 data omitted>
  tls.crt: <base64 data omitted>
  tls.key: <base64 data omitted>
kind: Secret
metadata:
  creationTimestamp: "2019-10-21T06:53:21Z"
  labels:
    app: harbor
    chart: harbor
    heritage: Tiller
    release: harbor
  name: harbor-harbor-ingress
  namespace: kube-ops
  resourceVersion: "7297296"
  selfLink: /api/v1/namespaces/kube-ops/secrets/harbor-harbor-ingress
  uid: c35d0829-3a35-425c-ac45-fdd5db7d7694
type: kubernetes.io/tls
[root@k8s-master harbor-helm]#

 

 

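The value of ca.crt in the data section is the certificate we need. Note that it still has to be base64-decoded. Once the certificate is configured, access works normally.

Because the method above is rather tedious, when using the docker CLI we usually add an --insecure-registry parameter to the docker startup options to skip certificate verification. The startup options are changed in the docker startup configuration file /etc/docker/daemon.json: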

# cat /etc/docker/daemon.json
{
    "registry-mirrors": ["http://hub-mirror.c.163.com"],
    "exec-opts": ["native.cgroupdriver=systemd"],
    "insecure-registries": ["harbor.wangxu.com"]
}

 

 

 

 

Then save the file and restart docker. After that the docker CLI works without any problem:

 

[root@k8s-master harbor-helm]# docker login harbor.wangxu.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s-master harbor-helm]#
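
The certificate route described in this section, as an added example that is not part of the original article: it decodes the ca.crt value from the Secret, installs it where Docker looks for a registry CA (/etc/docker/certs.d/<registry host>/ca.crt, so harbor.wangxu.com for this registry), and reports whether daemon.json still lists the registry as insecure. The function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Docker trusts a registry CA
# placed at <certs_root>/<registry host>/ca.crt.

# Read the base64 ca.crt value on stdin and install it for the given registry.
# certs_root defaults to /etc/docker/certs.d; pass another directory to test.
install_registry_ca() {
    local registry="$1"
    local certs_root="${2:-/etc/docker/certs.d}"
    local pem
    pem="$(base64 -d)" || { echo "ca.crt is not valid base64" >&2; return 1; }
    # Accept only PEM certificates; an empty field or a private key is refused.
    case "$pem" in
        "-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----") ;;
        *) echo "decoded data is not a PEM certificate" >&2; return 1 ;;
    esac
    mkdir -p "$certs_root/$registry"
    printf '%s\n' "$pem" > "$certs_root/$registry/ca.crt"
}

# Return 0 if daemon.json still lists the registry under "insecure-registries".
registry_marked_insecure() {
    local file="$1"
    local host
    host="$(printf '%s' "$2" | sed 's/\./\\./g')"   # dots are literal in the regex
    local pattern='"insecure-registries"[[:space:]]*:[[:space:]]*\[[^]]*"'"$host"'"'
    # Join lines first so an array spread over several lines still matches.
    tr -d '\n' < "$file" | grep -E "$pattern" > /dev/null
}

# Typical use on the Docker host, with the names used on this page:
#   kubectl get secret harbor-harbor-ingress -n kube-ops \
#       -o jsonpath='{.data.ca\.crt}' | install_registry_ca harbor.wangxu.com
#   registry_marked_insecure /etc/docker/daemon.json harbor.wangxu.com \
#       && echo "remove harbor.wangxu.com from insecure-registries"
```

With the CA installed, docker login verifies the Harbor certificate, so the registry no longer needs an insecure-registries entry.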

 

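7 Push an image

There is a local image named busybox that we want to push to our private registry. How do we do that? First retag the image with the harbor.wangxu.com prefix, so that the push is directed to the image registry.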

 

[root@k8s-master harbor-helm]# docker images| grep busybox
busybox                                                          latest                     19485c79a9bb        6 weeks ago       1.22MB
[root@k8s-master harbor-helm]# docker tag busybox harbor.wangxu.com/library/busybox
[root@k8s-master harbor-helm]# docker push  harbor.wangxu.com/library/busybox
The push refers to repository [harbor.wangxu.com/library/busybox]
6c0ea40aef9d: Pushed
latest: digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808 size: 527
[root@k8s-master harbor-helm]#

 

 

 

The image was pushed successfully. We can test a pull in the same way:

[root@k8s-master ~]# docker rmi  harbor.wangxu.com/library/busybox:v1
Untagged: harbor.wangxu.com/library/busybox:v1
Untagged: harbor.wangxu.com/library/busybox@sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
[root@k8s-master ~]# docker images|grep busy
busybox                                                          latest                     19485c79a9bb        6 weeks ago       1.22MB
[root@k8s-master ~]# docker pull harbor.wangxu.com/library/busybox:v1
v1: Pulling from library/busybox
Digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
Status: Downloaded newer image for harbor.wangxu.com/library/busybox:v1
harbor.wangxu.com/library/busybox:v1
[root@k8s-master ~]# docker pull harbor.wangxu.com/library/busybox:latest
latest: Pulling from library/busybox
Digest: sha256:dd97a3fe6d721c5cf03abac0f50e2848dc583f7c4e41bf39102ceb42edfd1808
Status: Downloaded newer image for harbor.wangxu.com/library/busybox:latest
harbor.wangxu.com/library/busybox:latest
[root@k8s-master ~]# docker images|grep busy
busybox                                                          latest                     19485c79a9bb        6 weeks ago       1.22MB
harbor.wangxu.com/library/busybox                                latest                     19485c79a9bb        6 weeks ago       1.22MB
harbor.wangxu.com/library/busybox                                v1                         19485c79a9bb        6 weeks ago       1.22MB
[root@k8s-master ~]#

 

 

 

Image push error: do not enable the setting that blocks vulnerable images

Error response from daemon: unknown: Cannot get the image severity.

 

 

