![09-[信创]-麒麟系统部署Harbor仓库https并连接k8s_nginx](https://s2.51cto.com/images/blog/front/202504/7811eba420e502afdb7295d3f3da753273bc14.png?x-oss-process=image/watermark,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_30,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=,x-oss-process=image/resize,m_fixed,w_1184)
下载docker-compose
https://github.com/docker/compose/releases/tag/1.22.0
wget https://github.com/docker/compose/releases/download/1.22.0/docker-compose-Linux-x86_64
# Install docker-compose: the file fetched above is a single executable,
# i.e. the docker-compose command itself.
# NOTE(review): this binary ends up in /usr/bin and is run as root. If the
# release page publishes a SHA-256 value for it, compare it with the output of
# `sha256sum docker-compose-Linux-x86_64` before moving the file into place.
# Put it on the PATH under the name docker-compose.
mv -- docker-compose-Linux-x86_64 /usr/bin/docker-compose
# Next step: make it executable.
chmod +x /usr/bin/docker-compose
去下载harbor仓库
搜索harbor 找个老版本2.5.2的(注意:下文实际下载和配置的是 v2.5.0;旧版本不再接收安全修复,生产环境建议选用仍在维护的版本)
https://github.com/goharbor/harbor
#找个目录 
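# Download and unpack the Harbor offline installer under /data.
# The steps are chained with && so that a failed or partial download is never
# unpacked and the shell does not end up in a stale harbor/ directory.
# NOTE(review): install.sh from this archive is later run as root. Before
# unpacking, check the archive against the signature or checksum file published
# with the release, if one is available.
cd /data &&
  wget https://github.com/goharbor/harbor/releases/download/v2.5.0/harbor-offline-installer-v2.5.0.tgz &&
  tar xf harbor-offline-installer-v2.5.0.tgz &&
  cd harbor/
# The shell is now inside the unpacked harbor/ directory.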
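# Create a directory for the TLS material; -p makes the step safe to re-run.
mkdir -p certs && cd certs

# --- Private CA ---
# Generate the CA private key (4096-bit RSA, written without a passphrase).
openssl genrsa -out ca.key 4096
# Restrict the key to its owner explicitly instead of relying on the umask.
# Anyone who can read ca.key can issue certificates that every client trusting
# ca.crt will accept, so keep it off shared hosts once signing is done.
chmod 600 ca.key
# Create the self-signed CA certificate, valid for 3650 days.
# NOTE(review): the CA subject below is identical to the server certificate's
# subject further down (same CN=aqsc.com). Giving the CA its own distinct CN
# avoids the server certificate looking self-issued to chain builders - confirm
# and adjust before reuse.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=aqsc.com" \
  -key ca.key \
  -out ca.crt

# --- Server certificate ---
# Generate the server private key and restrict it in the same way.
openssl genrsa -out aqsc.com.key 4096
chmod 600 aqsc.com.key
# Create the certificate signing request. aqsc.com is the author's domain;
# replace it with your own.
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=aqsc.com" \
  -key aqsc.com.key \
  -out aqsc.com.csr
# Write the x509 v3 extension file used when signing. The subjectAltName
# entries must include every name clients use to reach the registry
# (harbor.yml on this page uses images.aqsc.com).
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=aqsc.com
DNS.2=aqsc
DNS.3=images.aqsc.com
EOF
# Sign the request with the CA to produce the server certificate.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in aqsc.com.csr \
  -out aqsc.com.crt

# Go back up to the harbor directory.
cd ..
# harbor.yml.tmpl is the shipped template; copy it to the name Harbor reads.
cp harbor.yml.tmpl harbor.yml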
#这是个模板 给他改个名字
[root@images ~]# egrep -v "#|^$" /data/harbor/harbor.yml
hostname: images.aqsc.com
http:
  port: 80
https:
  port: 443
  certificate: /data/harbor/certs/aqsc.com.crt
  private_key: /data/harbor/certs/aqsc.com.key
  # 证书目录
harbor_admin_password: Harbor@2025@Images
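# 注意:上面的 harbor_admin_password 只在首次安装时生效,部署时请换成自己的强密码,不要照抄文章里的值;
# 下面 database.password 的 root123 是模板自带的默认值,同样应当修改。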
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.5.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false
#保存退出
./install.sh
#执行这个命令
docker-compose ps
#查看下
[root@images harbor]# docker-compose ps
      Name                     Command                       State                              Ports
------------------------------------------------------------------------------------------------------------------------
# 内核 ↓
harbor-core         /harbor/entrypoint.sh            Up (health: starting)
# 数据库 ↓
harbor-db           /docker-entrypoint.sh 96 13      Up (health: starting)
# 任务管理 ↓
harbor-jobservice   /harbor/entrypoint.sh            Up (health: starting)
# 日志 ↓
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (health: starting)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (health: starting)
# nginx ↓
nginx               nginx -g daemon off;             Up (health: starting)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis               redis-server /etc/redis.conf     Up (health: starting)
registry            /home/harbor/entrypoint.sh       Up (health: starting)
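registryctl         /home/harbor/start.sh            Up (health: starting)
这个nginx做的是反向代理:宿主机的80/443端口映射到nginx容器的8080/8443,再由nginx转发到内核(core)等容器
如果说 我们需要修改一下harbor.yml文件 比如改个域名
这时候我们就要执行
[root@images harbor]# ./prepare
#也就是 /data/harbor/prepare,重新读取你的文件并生成配置
#然后再执行 
docker-compose restart
#重启
#然后再
./install.sh
#说明:docker-compose restart 不会应用 docker-compose.yml 的改动;Harbor 官方文档给出的重新配置流程是先 docker-compose down -v,改完 harbor.yml 后执行 ./prepare,再 docker-compose up -d
浏览器输入域名或者ip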
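如果输入域名需要修改下hosts文件
#位置在:
C:\Windows\System32\drivers\etc\hosts
10.1.19.57      images.aqsc.com
#加上这么一条内容,这样就能通过域名访问了
访问 账号admin 密码Harbor#2025@+++Images
#注意:这里写的密码和上面 harbor.yml 里 harbor_admin_password 的值不一致,实际以安装时 harbor.yml 中的值为准;首次登录后建议立即在界面上修改管理员密码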
浏览器打开
创建个项目
[root@images harbor]# mkdir -p /etc/docker/certs.d/images.aqsc.com
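[root@images harbor]# cp /data/harbor/certs/aqsc.com.crt /etc/docker/certs.d/images.aqsc.com/
#说明:Docker 会把这个目录下的 .crt 文件当作受信任的CA证书;这里放的是服务器证书本身,也可以改为分发 /data/harbor/certs/ca.crt,以后重签服务器证书时客户端就不用再换文件。私钥(.key)不要拷到客户端
[root@images harbor]# cat /etc/hosts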
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.1.19.57      images.aqsc.com
[root@images harbor]# docker login images.aqsc.com
在k8s上的操作
所有k8s节点(包括master和node)
#说明:/etc/docker/certs.d 只对使用 Docker 作为容器运行时的节点有效;如果节点用的是 containerd,需要按 containerd 的方式配置仓库证书
[root@images harbor]# for i in 51 52 53 54 55 56 ; do ssh 10.1.19.${i} mkdir -p /etc/docker/certs.d/images.aqsc.com/ ; done
[root@images harbor]# for i in 51 52 53 54 55 56 ; do scp /data/harbor/certs/aqsc.com.crt 10.1.19.${i}:/etc/docker/certs.d/images.aqsc.com/ ; done 
 
                     
            
        













 
                    

 
                 
                    