Note: newer Docker versions (above 14) use HTTPS by default for `docker login`, and Harbor must be reached by domain name; accessing it by IP address alone does not work.
Assume the hostname is www.harbor.mobi and the local IP is 192.168.75.100.
Because this hostname is fictitious, add it to the local hosts file:
echo "192.168.75.100 www.harbor.mobi" >> /etc/hosts
- Edit the harbor.yml configuration file
Use HTTPS only and disable HTTP access:
# set hostname
hostname: www.harbor.mobi
#http:
#  port: 80
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/www.harbor.mobi.crt
  private_key: /data/cert/www.harbor.mobi.key
# Note the certificate paths: generate the certificates directly in that directory.
- One-shot certificate generation script
#!/bin/bash
# Work in this directory so the certificates land exactly where harbor.yml expects them
mkdir -p /data/cert
cd /data/cert
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key ca.key -out ca.crt
openssl genrsa -out www.harbor.mobi.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key www.harbor.mobi.key -out www.harbor.mobi.csr
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=www.harbor.mobi
DNS.2=harbor
DNS.3=ks-allinone
EOF
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.crt
openssl x509 -inform PEM -in www.harbor.mobi.crt -out www.harbor.mobi.cert
cp www.harbor.mobi.crt /etc/pki/ca-trust/source/anchors/www.harbor.mobi.crt
update-ca-trust
- Docker steps
# Copy these three certificate files into Docker's per-registry directory; the last path component must match the hostname used above
mkdir -p /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.cert /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.key /etc/docker/certs.d/www.harbor.mobi/
cp ca.crt /etc/docker/certs.d/www.harbor.mobi/
Final Docker directory layout:
/etc/docker/certs.d/
└── www.harbor.mobi
    ├── www.harbor.mobi.cert <-- Server certificate signed by CA
    ├── www.harbor.mobi.key  <-- Server private key matching that certificate
    └── ca.crt               <-- Certificate authority that signed the registry certificate
# Stop Harbor first
cd /usr/local/harbor
docker-compose down -v
# Restart Docker so it picks up the new certs.d entry
systemctl restart docker.service
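The certificate script and the Docker certs.d step above are the two halves of one procedure: mint a CA-signed server certificate with a SAN, then teach the Docker client to trust that CA. The script below is an added example, not code from the original post or from Harbor; it wraps both halves in functions that take the hostname and directories as parameters, and adds the verification step a practitioner wants before restarting anything. The CA name "Harbor Local CA", the function names and the optional `with-pair` argument are assumptions; the page itself writes to /data/cert and gives the CA the same CN as the server.

```shell
#!/bin/sh
# Added example (not from the original post or from Harbor): generate a private
# CA and a SAN-bearing server certificate for a Harbor hostname, verify the
# result the way Docker and Helm (Go TLS clients) will judge it, and lay out the
# /etc/docker/certs.d/<host>/ directory. Directories, subject fields and the CA
# name "Harbor Local CA" are assumptions.
set -e

SUBJ_BASE="/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal"

# gen_harbor_certs DIR HOST
# Writes ca.key, ca.crt, HOST.key, HOST.crt and HOST.cert (same PEM, the
# extension Docker expects) into DIR. The SAN is what Go clients match on;
# a certificate carrying only a CN is rejected by current Docker and Helm.
gen_harbor_certs() {
    dir=$1 host=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "$SUBJ_BASE/CN=Harbor Local CA" \
        -key "$dir/ca.key" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/$host.key" 4096 2>/dev/null
    openssl req -sha512 -new -subj "$SUBJ_BASE/CN=$host" \
        -key "$dir/$host.key" -out "$dir/$host.csr"
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
    cp "$dir/$host.crt" "$dir/$host.cert"
    chmod 600 "$dir/ca.key" "$dir/$host.key"
}

# verify_harbor_cert DIR HOST
# Succeeds only if HOST.crt chains to ca.crt, is usable as a TLS server
# certificate and carries HOST in its SAN. Run it before restarting Docker or
# Harbor: it surfaces the "x509: certificate signed by unknown authority" and
# hostname-mismatch failures that docker login and helm would report later.
verify_harbor_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/$2.crt" >/dev/null 2>&1
}

# install_docker_certs DIR HOST [CERTS_D] [with-pair]
# Docker trusts a private CA per registry through CERTS_D/HOST/ca.crt; that one
# file is all docker login needs. A .cert/.key pair in the same directory is
# read as a *client* certificate for mutual TLS, so it is copied only on request
# (the page copies the server pair there, following Harbor's documentation).
install_docker_certs() {
    dir=$1 host=$2 root=${3:-/etc/docker/certs.d}
    mkdir -p "$root/$host"
    cp "$dir/ca.crt" "$root/$host/ca.crt"
    if [ "${4:-}" = with-pair ]; then
        cp "$dir/$host.cert" "$root/$host/$host.cert"
        cp "$dir/$host.key" "$root/$host/$host.key"
        chmod 600 "$root/$host/$host.key"
    fi
}

# Typical use with the page's paths (root is needed for /etc/docker):
#   gen_harbor_certs /data/cert www.harbor.mobi
#   verify_harbor_cert /data/cert www.harbor.mobi && echo "certificate OK"
#   install_docker_certs /data/cert www.harbor.mobi
```

`verify_harbor_cert` is the check worth keeping around: a registry certificate that passes `openssl verify -purpose sslserver -verify_hostname` against its own CA is one that Docker and Helm will accept once that CA is installed, so a failure here means the certificate, not the client configuration, is the problem.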
- Harbor steps
# Regenerate the configuration, enabling the extra components such as chart support
./prepare --with-notary --with-clair --with-chartmuseum
# Start Harbor
docker-compose up -d
- Helm steps
# Add the repository. Because a self-signed certificate is in use, the certificate flags must be passed; without them the command fails with: Error: Looks like "https://www.harbor.mobi/chartrepo/myrepo" is not a valid chart repository or cannot be reached: Get https://www.harbor.mobi/chartrepo/myrepo/index.yaml: x509: certificate signed by unknown authority
helm repo add --ca-file /usr/local/harbor/cert/ca.crt --cert-file /usr/local/harbor/cert/www.harbor.mobi.cert --key-file /usr/local/harbor/cert/www.harbor.mobi.key myrepo https://www.harbor.mobi/chartrepo/myrepo
# Update the repository index
helm repo update
# Push a chart. The same self-signed certificate flags are required, plus a username and password
# Wrong usage 1: self-signed certificate not supplied
helm push --username=admin --password=Harbor12345 app myrepo
Pushing app-0.1.0.tgz to myrepo...
Error: Post https://www.harbor.mobi/api/chartrepo/myrepo/charts: x509: certificate signed by unknown authority
Error: plugin "push" exited with error
# Wrong usage 2: username and password not supplied
helm push --ca-file /usr/local/harbor/cert/ca.crt --cert-file /usr/local/harbor/cert/www.harbor.mobi.cert --key-file /usr/local/harbor/cert/www.harbor.mobi.key app myrepo
Pushing app-0.1.0.tgz to myrepo...
Error: 401: could not properly parse response JSON: {"code":401,"message":"UnAuthorized"}
Error: plugin "push" exited with error
# Correct usage 1: push a chart directory; app is the chart's directory
helm push --ca-file /usr/local/harbor/cert/ca.crt --cert-file /usr/local/harbor/cert/www.harbor.mobi.cert --key-file /usr/local/harbor/cert/www.harbor.mobi.key --username=admin --password=Harbor12345 app myrepo
# Correct usage 2: push a packaged .tgz file; redis.tgz is the chart archive
helm push --ca-file /usr/local/harbor/cert/ca.crt --cert-file /usr/local/harbor/cert/www.harbor.mobi.cert --key-file /usr/local/harbor/cert/www.harbor.mobi.key --username=admin --password=Harbor12345 redis.tgz myrepo
- helm push command usage
Note: the flags for the self-signed certificate each have an environment variable counterpart; I have not yet worked out how to use them.
The idea is this: set the relevant variables up front, then run helm push with just the variables in place, without passing the certificate paths on every command.
helm push --help
Helm plugin to push chart package to ChartMuseum
Examples:
$ helm push mychart-0.1.0.tgz chartmuseum # push .tgz from "helm package"
$ helm push . chartmuseum # package and push chart directory
$ helm push . --version="7c4d121" chartmuseum # override version in Chart.yaml
$ helm push . https://my.chart.repo.com # push directly to chart repo URL
Usage:
helm push [flags]
Flags:
--access-token string Send token in Authorization header [$HELM_REPO_ACCESS_TOKEN]
--auth-header string Alternative header to use for token auth [$HELM_REPO_AUTH_HEADER]
--ca-file string Verify certificates of HTTPS-enabled servers using this CA bundle [$HELM_REPO_CA_FILE]
--cert-file string Identify HTTPS client using this SSL certificate file [$HELM_REPO_CERT_FILE]
--context-path string ChartMuseum context path [$HELM_REPO_CONTEXT_PATH]
-f, --force Force upload even if chart version exists
-h, --help help for helm
--insecure Connect to server with an insecure way by skipping certificate verification [$HELM_REPO_INSECURE]
--key-file string Identify HTTPS client using this SSL key file [$HELM_REPO_KEY_FILE]
-p, --password string Override HTTP basic auth password [$HELM_REPO_PASSWORD]
-u, --username string Override HTTP basic auth username [$HELM_REPO_USERNAME]
-v, --version string Override chart version pre-push
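The help output lists a `$HELM_REPO_*` variable beside each certificate and credential flag, which is exactly what the open question above needs: the plugin reads those variables when the flag is absent. The wrapper below is an added example, not code from the original post or from the helm-push plugin. It loads the variables from a per-user settings file, refuses the file if anyone but its owner can read it, and runs `helm push` with nothing but the chart and repository on the command line, so the password never appears in shell history, `ps` output or CI logs. The settings file path and the `HELM` override (used so a stub can stand in for the binary) are assumptions; the variable names come from the help text.

```shell
#!/bin/sh
# Added example (not from the original post or the helm-push plugin): drive the
# plugin through the HELM_REPO_* variables shown in `helm push --help` instead of
# repeating --ca-file/--username/--password, and keep the password off argv.
# The settings file location is an assumption; override it with HARBOR_HELM_ENV.
set -e

HARBOR_HELM_ENV=${HARBOR_HELM_ENV:-$HOME/.config/harbor-helm.env}

# env_file_is_private FILE
# True only for a regular file with no group or other permission bits.
# `ls -l` prints the mode as e.g. -rw-------; columns 5-10 are the group and
# other bits, which is portable across GNU and BSD userlands.
env_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# helm_push_harbor CHART REPO
# Sources HELM_REPO_CA_FILE, HELM_REPO_USERNAME and HELM_REPO_PASSWORD from the
# settings file (shell syntax, e.g. HELM_REPO_CA_FILE=/usr/local/harbor/cert/ca.crt),
# exports them for the plugin and pushes CHART to REPO. The real binary is used
# unless HELM points elsewhere.
helm_push_harbor() {
    chart=$1 repo=$2
    env_file_is_private "$HARBOR_HELM_ENV" || {
        echo "refusing: $HARBOR_HELM_ENV is missing or readable by others" >&2
        return 1
    }
    # The file is owner-only by construction; it is sourced as shell code.
    # shellcheck disable=SC1090
    . "$HARBOR_HELM_ENV"
    for v in HELM_REPO_CA_FILE HELM_REPO_USERNAME HELM_REPO_PASSWORD; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || {
            echo "refusing: $v is not set in $HARBOR_HELM_ENV" >&2
            return 1
        }
    done
    [ -r "$HELM_REPO_CA_FILE" ] || {
        echo "refusing: CA file $HELM_REPO_CA_FILE is not readable" >&2
        return 1
    }
    export HELM_REPO_CA_FILE HELM_REPO_USERNAME HELM_REPO_PASSWORD
    "${HELM:-helm}" push "$chart" "$repo"
}

# Typical use, once ~/.config/harbor-helm.env exists with mode 600:
#   helm_push_harbor app myrepo
#   helm_push_harbor redis.tgz myrepo
```

Only `HELM_REPO_CA_FILE` is needed for trust; the `--cert-file`/`--key-file` flags used on the page configure a client certificate for mutual TLS, which Harbor does not require, so the wrapper leaves them out. Passing `--insecure` instead would silence the `x509` error by disabling verification entirely and is not a substitute for installing the CA.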
Troubleshooting summary:
1. Error: x509: certificate signed by unknown authority
Fix: supply the self-signed CA certificate, as in the Docker step above.
2. Error: Error: 401: could not properly parse response JSON: {"code":401,"message":"UnAuthorized"}
Fix: supply the username and password.
