Harbor image registry: certificate configuration for HTTPS access

Generate the CA certificate

Pick any directory to hold the generated certificates; everything below is done in /data/certs.

Create the CA private key:

root@eb7023:/data/certs>openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
............++
.........................++
e is 65537 (0x10001)

Generate the CA certificate

**harbor23.com** is the domain name of my Harbor registry, i.e. the value of `hostname` in the Harbor configuration file (a bare host name, no `http://` prefix, since it goes into the certificate CN). An IP address can be used instead, but then the server certificate's subjectAltName has to carry it as an `IP.1=` entry rather than `DNS.1=`, and the Harbor `hostname` must be that IP. The CA certificate here reuses the same CN as the server; that works, but giving the CA its own name (for example /CN=harbor23-ca) keeps issuer and server distinguishable when inspecting certificates.

root@eb7023:/data/certs>openssl req -x509 -new -nodes -sha512 -days 3650  -subj "/CN=harbor23.com"  -key ca.key  -out ca.crt
root@eb7023:/data/certs>ll
total 8
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key

Generate the server certificate

Create the server private key

root@eb7023:/data/certs>openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
........................................................................................................................................................++
.............................................................................++
e is 65537 (0x10001)

Generate the certificate signing request

root@eb7023:/data/certs>openssl req  -new -sha512  -subj "/CN=harbor23.com"  -key server.key  -out server.csr
root@eb7023:/data/certs>ll
total 16
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key

Prepare the extensions for the Harbor host certificate

First create a v3.ext file. It marks the certificate as a non-CA server certificate and, most importantly, adds a subjectAltName: modern Docker and Go clients verify the host name against the SAN, not the CN.

root@eb7023:/data/certs>cat > v3.ext <<-EOF

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor23.com
EOF
root@eb7023:/data/certs>
root@eb7023:/data/certs>ll
total 20
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
-rw-r--r-- 1 root root 231 Sep 11 14:48 v3.ext

Sign the Harbor host certificate with the CA

root@eb7023:/data/certs>openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/CN=harbor23.com
Getting CA Private Key
root@eb7023:/data/certs>ll
total 28
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 17 Sep 11 14:48 ca.srl
-rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
-rw-r--r-- 1 root root 231 Sep 11 14:48 v3.ext

All the certificate files needed have now been generated; what remains is configuration. One thing to fix first: the listings above show ca.key and server.key created as -rw-r--r--, i.e. readable by every local user. Restrict both to the owner (mode 600), and keep ca.key somewhere other than the registry host if you can, since anyone holding it can mint certificates that every Docker client configured below will trust.
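
The whole procedure above, from CA key to signed server certificate, as one script with the checks a practitioner runs afterwards. This is an added example and not code from the page or from the Harbor project; it assumes the output directory, host name and optional IP are passed as parameters, names the CA "<host>-ca" (an assumption, the page reuses the host name) and, going beyond the page, also covers the IP-address case mentioned earlier by adding an `IP.1=` SAN when an IP is given.

```shell
#!/bin/sh
# Added example (not from the original page): generate a private CA and a
# Harbor server certificate with subjectAltName entries, then verify the
# result the way a client would. DIR, HOST and the optional IP are parameters;
# the CA name "<host>-ca" is an assumption.
set -eu

RSA_BITS=${RSA_BITS:-4096}
DAYS=${DAYS:-3650}

# gen_harbor_certs DIR HOST [IP]
gen_harbor_certs() {
  dir=$1; host=$2; ip=${3:-}
  mkdir -p "$dir"

  # private keys are created under umask 077 so they never exist world-readable
  (
    umask 077
    openssl genrsa -out "$dir/ca.key" "$RSA_BITS" 2>/dev/null
    openssl genrsa -out "$dir/server.key" "$RSA_BITS" 2>/dev/null
  )

  # self-signed CA; a distinct CN keeps issuer and server apart in inspection output
  openssl req -x509 -new -nodes -sha512 -days "$DAYS" \
    -subj "/CN=${host}-ca" -key "$dir/ca.key" -out "$dir/ca.crt"

  # CSR for the registry host
  openssl req -new -sha512 -subj "/CN=$host" -key "$dir/server.key" -out "$dir/server.csr"

  # v3 extensions: not a CA, server auth only, SAN carries the DNS name and,
  # if given, the IP that clients may use instead of the name
  {
    echo "authorityKeyIdentifier=keyid,issuer"
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage = digitalSignature, keyEncipherment"
    echo "extendedKeyUsage = serverAuth"
    echo "subjectAltName = @alt_names"
    echo "[alt_names]"
    echo "DNS.1=$host"
    if [ -n "$ip" ]; then echo "IP.1=$ip"; fi
  } > "$dir/v3.ext"

  openssl x509 -req -sha512 -days "$DAYS" -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
}

# verify_harbor_certs DIR HOST: returns 0 only if the chain validates against
# the CA, HOST matches the SAN, the leaf is not a CA and both private keys are
# readable by their owner only
verify_harbor_certs() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" | grep -q 'does match' || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'CA:FALSE' || return 1
  for k in ca.key server.key; do
    [ "$(ls -l "$dir/$k" | cut -c1-10)" = "-rw-------" ] || return 1
  done
}
```

Usage: `gen_harbor_certs /data/certs harbor23.com` followed by `verify_harbor_certs /data/certs harbor23.com && echo OK`. The verify step is the one worth keeping around: a certificate whose SAN does not match the name clients type, or a CA that was accidentally built as a leaf, fails here long before `docker login` reports an opaque x509 error.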

Configure and install the certificates

Copy server.crt and server.key to the directory Harbor will read them from. The Harbor documentation uses /data/cert; here the files were generated directly in /data/certs and harbor.yml below points there, so the copy step is skipped.

Next edit the Harbor configuration file and change the following settings (the three keys under `https:` must be indented, since the file is YAML):

root@eb7023:/data/certs>vim ~/harbor/harbor.yml
hostname: harbor23.com
https:
  port: 443
  certificate: /data/certs/server.crt
  private_key: /data/certs/server.key

Now Harbor can be restarted. Note that the following commands must be run from the directory where the Harbor installer was unpacked.

# regenerate the component configuration from harbor.yml
root@eb7023:/root/harbor>./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
## stop the currently running Harbor
root@eb7023:/root/harbor>docker-compose down -v
/usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
from cryptography.hazmat.backends import default_backend
Stopping harbor-jobservice ... done
Stopping harbor-portal ... done
Stopping registry ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-core ... done
Removing harbor-portal ... done
Removing registry ... done
Removing registryctl ... done
Removing redis ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
## start Harbor again in the background
root@eb7023:/root/harbor>docker-compose up -d
/usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
from cryptography.hazmat.backends import default_backend
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done

Configure Docker to trust the Harbor certificate

Copy the certificate into Docker's fixed per-registry trust directory on the machine running Docker, /etc/docker/certs.d/<registry name>/. Docker treats every *.crt file in that directory as a trusted CA certificate, and Harbor's own documentation puts ca.crt there. Copying server.crt, as done below, also works because Docker accepts a certificate that is itself in the trust directory, but it pins that exact certificate: every client has to be updated whenever the server certificate is rotated. Installing ca.crt instead avoids that.

# certs.d already exists on my machine; if it does not, create it with mkdir
root@eb7023:/root/harbor>cd /etc/docker/certs.d/
root@eb7023:/etc/docker/certs.d>ll
total 0
root@eb7023:/etc/docker/certs.d>mkdir -p /etc/docker/certs.d/harbor23.com
root@eb7023:/etc/docker/certs.d>cd /data/certs/
root@eb7023:/data/certs>ll
total 28
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 17 Sep 11 14:48 ca.srl
-rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
-rw-r--r-- 1 root root 231 Sep 11 14:48 v3.ext
root@eb7023:/data/certs>cp server.crt /etc/docker/certs.d/harbor23.com/server.crt

Then docker login works directly (no daemon restart is needed; Docker reads certs.d on each connection):

root@eb7023:/data/certs>docker login harbor23.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Here Docker and Harbor are on the same machine. For any other Docker host, copy the crt file into the same directory there:

root@eb7023:/data/certs>scp server.crt root@eb7045:/etc/docker/certs.d/harbor23.com/server.crt
root@eb7045's password:
server.crt 100% 1830 2.1MB/s 00:00

Verify by logging in on eb7045:

root@eb7045:/etc/docker/certs.d/harbor23.com>docker login harbor23.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
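
The client-side step above, done the way the Harbor documentation recommends (installing ca.crt rather than the leaf) and with the checks that catch the two common mistakes: putting a non-CA certificate in certs.d, and a directory name that does not match the registry name as typed. This is an added example, not code from the page or from Docker; `DOCKER_CERTS_ROOT` is an assumed override so the functions can be exercised in a scratch directory, Docker itself only reads /etc/docker/certs.d.

```shell
#!/bin/sh
# Added example (not from the original page): install a private CA into
# Docker's per-registry trust directory and inspect what was installed.
# DOCKER_CERTS_ROOT is an assumed override for testing; Docker itself only
# reads /etc/docker/certs.d.
set -eu

DOCKER_CERTS_ROOT=${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}

# is_ca_cert FILE: true if the certificate carries basicConstraints CA:TRUE
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# install_docker_ca CA_CRT REGISTRY
# REGISTRY must be the name exactly as typed in docker login / docker pull,
# including ":port" when a non-default port is used. Docker treats every
# *.crt in the directory as a trust anchor, so only a CA certificate belongs
# here: dropping the leaf server.crt in works but pins that one certificate
# and breaks every client the first time it is rotated.
install_docker_ca() {
  ca=$1; registry=$2
  if ! is_ca_cert "$ca"; then
    echo "refusing $ca: not a CA certificate (basicConstraints CA:TRUE missing)" >&2
    return 1
  fi
  dir="$DOCKER_CERTS_ROOT/$registry"
  mkdir -p "$dir"
  cp "$ca" "$dir/ca.crt"
  chmod 644 "$dir/ca.crt"
}

# docker_trust_fingerprints REGISTRY: print subject and SHA-256 fingerprint of
# every anchor Docker will trust for that registry, to compare against the
# CA held on the Harbor host
docker_trust_fingerprints() {
  dir="$DOCKER_CERTS_ROOT/$1"
  for f in "$dir"/*.crt; do
    [ -f "$f" ] || continue
    openssl x509 -in "$f" -noout -subject -fingerprint -sha256
  done
}
```

Usage on a client: `install_docker_ca ca.crt harbor23.com` (or `harbor23.com:8443` if Harbor listens on a non-default port), then `docker_trust_fingerprints harbor23.com` and compare the fingerprint with `openssl x509 -in /data/certs/ca.crt -noout -fingerprint -sha256` on the registry host before running `docker login`.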

The configuration is complete.