Linux: deploying Harbor with HTTPS certificates

Posted by 雪竹子 on 2024-10-30

I. Install Docker

1. Download the Docker rpm bundle

[root@harbor.yuanlinux.com ~]# ll
-rw-r--r-- 1 root root 101239922 Apr 12 15:29 docker-rpm-20_10_24.tar.gz

2. Unpack and install the packages

[root@harbor.yuanlinux.com ~]# tar xf docker-rpm-20_10_24.tar.gz
[root@harbor.yuanlinux.com ~]# cd docker-rpm-20.10/
[root@harbor.yuanlinux.com ~/docker-rpm-20.10]# yum -y localinstall *.rpm

3. Add bash completion

[root@harbor.yuanliunx.com ~]# yum -y install bash-completion
[root@harbor.yuanliunx.com ~]# source /usr/share/bash-completion/bash_completion

4. Configure a registry mirror

[root@harbor.yuanliunx.com ~/docker-rpm-20.10]# mkdir -p /etc/docker
[root@harbor.yuanliunx.com ~/docker-rpm-20.10]# tee /etc/docker/daemon.json <<-'EOF'
> {
> "registry-mirrors": ["自己的加速地址"]
> }
> EOF
[root@harbor.yuanliunx.com ~/docker-rpm-20.10]# systemctl daemon-reload
[root@harbor.yuanliunx.com ~/docker-rpm-20.10]# systemctl restart docker

5. Verify that the registry mirror is in effect

[root@harbor.yuanliunx.com ~]# docker info | grep "Registry Mirrors" -A 1
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Registry Mirrors:
https://tuv7rqqq.mirror.aliyuncs.com/

6. Enable Docker to start at boot

[root@harbor.yuanliunx.com ~]# systemctl enable --now docker

II. Install docker compose

1. Add the EPEL repository

[root@harbor.yuanliunx.com ~]# curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

2. Install docker-compose

[root@harbor.yuanliunx.com ~]# yum -y install docker-compose

3. Check the docker-compose version

[root@harbor.yuanliunx.com ~]# docker-compose version
docker-compose version 1.18.0, build 8dd22a9
docker-py version: 2.6.1
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017

III. Install Harbor

1. Download the Harbor package

[root@harbor.yuanlinux.com ~]# ll
-rw-r--r-- 1 root root 610192663 Apr 12 09:23 harbor-offline-installer-v1.10.10.tgz

2. Create the working directory

[root@harbor.yuanlinux.com ~]# mkdir -pv /data/softwares

3. Unpack the Harbor package

[root@harbor.yuanlinux.com ~]# tar xf harbor-offline-installer-v1.10.10.tgz -C /data/softwares/

4. Create the certificate working directories

[root@harbor.yuanlinux.com ~]# mkdir -pv /data/softwares/harbor/certs/{ca,server,client}

5. Generate a self-built CA certificate

5.1 Enter the certificate directory

[root@harbor.yuanlinux.com ~]# cd /data/softwares/harbor/certs/

5.2 Generate the CA private key

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl genrsa -out ca/ca.key 4096

5.3 Generate the CA's self-signed certificate

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yuanlinux.com" \
> -key ca/ca.key \
> -out ca/ca.crt

6. Generate the Harbor server certificate files and the client certificate

6.1 Generate the Harbor host's private key

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl genrsa -out server/harbor.yuanlinux.com.key 4096
Generating RSA private key, 4096 bit long modulus

6.2 Generate the Harbor host's certificate signing request

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.yuanlinux.com" \
-key server/harbor.yuanlinux.com.key \
-out server/harbor.yuanlinux.com.csr

6.3 Create the x509 v3 extensions file

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yuanlinux.com
DNS.2=yuanlinux
DNS.3=harbor.yuanlinux.com
EOF

6.4 Sign the Harbor host certificate using "v3.ext"

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
-in server/harbor.yuanlinux.com.csr \
-out server/harbor.yuanlinux.com.crt

6.5 Convert the crt file into the .cert client certificate file

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# openssl x509 -inform PEM -in server/harbor.yuanlinux.com.crt -out server/harbor.yuanlinux.com.cert

6.6 Prepare the Docker client certificates

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# cp server/harbor.yuanlinux.com.{cert,key} client/
[root@harbor.yuanlinux.cn /data/softwares/harbor/certs]# cp ca/ca.crt client/
[root@harbor.yuanlinux.cn /data/softwares/harbor/certs]# ll client/
total 12
-rw-r--r-- 1 root root 2029 Apr 12 20:21 ca.crt
-rw-r--r-- 1 root root 2118 Apr 12 20:21 harbor.yuanlinux.com.cert
-rw-r--r-- 1 root root 3243 Apr 12 20:21 harbor.yuanlinux.com.key

6.7 Review all generated certificate files

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# ll -R
.:
total 4
drwxr-xr-x 2 root root 48 Apr 12 20:20 ca
drwxr-xr-x 2 root root 83 Apr 12 20:21 client
drwxr-xr-x 2 root root 131 Apr 12 20:21 server
-rw-r--r-- 1 root root 272 Apr 12 20:19 v3.ext
./ca:
total 12
-rw-r--r-- 1 root root 2029 Apr 12 20:18 ca.crt
-rw-r--r-- 1 root root 3243 Apr 12 20:16 ca.key
-rw-r--r-- 1 root root 17 Apr 12 20:20 ca.srl
./client:
total 12
-rw-r--r-- 1 root root 2029 Apr 12 20:21 ca.crt
-rw-r--r-- 1 root root 2118 Apr 12 20:21 harbor.yuanlinux.com.cert
-rw-r--r-- 1 root root 3243 Apr 12 20:21 harbor.yuanlinux.com.key
./server:
total 16
-rw-r--r-- 1 root root 2118 Apr 12 20:21 harbor.yuanlinux.com.cert
-rw-r--r-- 1 root root 2118 Apr 12 20:20 harbor.yuanlinux.com.crt
-rw-r--r-- 1 root root 1716 Apr 12 20:19 harbor.yuanlinux.com.csr
-rw-r--r-- 1 root root 3243 Apr 12 20:18 harbor.yuanlinux.com.key
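Before copying the files above into Harbor and into the Docker client's certs.d directory, it is worth checking that the server certificate actually chains to ca.crt, carries the Harbor hostname in its SAN, is marked CA:FALSE with the serverAuth EKU, and matches its private key; a failure in any of these is what later shows up as an "x509" error on docker login. The script below is an added example, not part of the original post: it builds a throw-away CA and server certificate with the same openssl steps as the post (hostname and paths are constructed) and runs those checks in check_harbor_cert.

```shell
#!/bin/sh
# Added example: validate a Harbor server certificate set the way a Docker client
# with ca.crt in /etc/docker/certs.d/<host>/ will effectively validate it.

# check_harbor_cert CA_CRT SERVER_CRT SERVER_KEY HOSTNAME -> returns 0 if all checks pass
check_harbor_cert() {
    ca=$1; crt=$2; key=$3; host=$4
    # 1. chain to the CA and hostname match against the SAN (what the TLS client does)
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 || return 1
    # 2. the leaf must not itself be a CA and must be usable for TLS server auth
    txt=$(openssl x509 -in "$crt" -noout -text)
    echo "$txt" | grep -q 'CA:FALSE' || return 1
    echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1
    # 3. the private key handed to Harbor must be the one the certificate was issued for
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
}

# make_fixture DIR HOSTNAME -> writes ca.crt, server.crt, server.key into DIR (constructed test data)
make_fixture() {
    d=$1; host=$2; mkdir -p "$d"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 1 -subj "/CN=test-ca" \
        -key "$d/ca.key" -out "$d/ca.crt"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$host" -key "$d/server.key" -out "$d/server.csr"
    # same extensions as the post's v3.ext: leaf cert, serverAuth, SAN with the registry hostname
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$d/v3.ext"
    openssl x509 -req -sha256 -days 1 -extfile "$d/v3.ext" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -in "$d/server.csr" -out "$d/server.crt" 2>/dev/null
}

# usage on the real files: check_harbor_cert ca/ca.crt server/harbor.yuanlinux.com.crt \
#     server/harbor.yuanlinux.com.key harbor.yuanlinux.com && echo "certificate set OK"
```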

7. Configure the Harbor server to use the certificates

7.1 Change to the working directory

[root@harbor.yuanlinux.com /data/softwares/harbor/certs]# cd ..
[root@harbor.yuanlinux.com /data/softwares/harbor]#

7.2 Edit the configuration file

[root@harbor.yuanlinux.com /data/softwares/harbor]# cat -n harbor.yml
# modify these lines
5 hostname: harbor.yuanlinux.com
17 certificate: /data/softwares/harbor/certs/server/harbor.yuanlinux.com.crt
18 private_key: /data/softwares/harbor/certs/server/harbor.yuanlinux.com.key
27 harbor_admin_password: 1

8. Install the Harbor service

[root@harbor.yuanlinux.com /data/softwares/harbor]# ./install.sh

9. Verification

9.1 Verify Harbor's HTTPS from Windows

# C:\Windows\System32\drivers\etc\hosts
10.0.0.250 harbor.yuanlinux.com

https://harbor.yuanlinux.com/


9.2 Verify Harbor's HTTPS from Linux

9.2.1 Configure name resolution

[root@harbor.yuanlinux.com ~]# echo 10.0.0.250 harbor.yuanlinux.com >> /etc/hosts

9.2.2 On the Docker client node, create the per-hostname directory for the self-signed certificates

[root@harbor.yuanlinux.com ~]# mkdir -pv /etc/docker/certs.d/harbor.yuanlinux.com

9.2.3 Copy the certificate files from the server to the Docker client node; if this step is skipped, the client fails with "x509: certificate signed by unknown authority"

[root@harbor.yuanlinux.com ~]# cp /data/softwares/harbor/certs/client/* /etc/docker/certs.d/harbor.yuanlinux.com/
[root@harbor.yuanlinux.com ~]# ll /etc/docker/certs.d/harbor.yuanlinux.com/
total 12
-rw-r--r-- 1 root root 2029 Apr 12 20:35 ca.crt
-rw-r--r-- 1 root root 2118 Apr 12 20:35 harbor.linuxyuan.com.cert
-rw-r--r-- 1 root root 3243 Apr 12 20:35 harbor.linuxyuan.com.key

9.2.4 Log in to verify

[root@harbor.yuanliunx.com /data/softwares/harbor]# docker login -u admin -p 1 harbor.yuanlinux.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded

9.2.5 Log out

[root@harbor.yuanlinux.com ~]# more /root/.docker/config.json
{
"auths": {
"harbor.yuanlinux.com": {
"auth": "YWRtaW46MQ=="
}
}
}
# this file stores the Harbor password, so log out promptly
[root@harbor.yuanlinux.com ~]# docker logout harbor.yuanlinux.com
Removing login credentials for harbor.yuanlinux.com
[root@harbor.yuanlinux.com ~]# more /root/.docker/config.json
{
"auths": {}
}
# the "auth" value is only base64(username:password), not encryption
[root@harbor.yuanlinux.com ~]# echo YWRtaW46MQ== | base64 -d | more

Addendum

After a machine reboot, some Harbor services occasionally fail to come up, so check them:
# enter the harbor directory
[root@harbor.yuanliunx.com /data/softwares/harbor]# docker-compose ps
# if they are not running, tear the stack down first and then bring it back up
[root@harbor.yuanliunx.com /data/softwares/harbor]# docker-compose down -v -t 1
[root@harbor.yuanliunx.com /data/softwares/harbor]# docker-compose up -d
