配置docker和containerd,使用ca證書訪問harbor
目錄
- 配置docker和containerd,使用ca證書訪問harbor
- docker配置ca證書訪問harbor
- containerd配置ca證書訪問harbor
- 驗證證書有效性
- docker配置方法
- containerd配置方法
- 驗證證書有效性描述
harbor連結彙總
harbor部署
harbor部署 https docker 登入
瀏覽器不支援https登入harbor
配置docker和containerd,使用ca證書訪問harbor
docker配置ca證書訪問harbor
- 獲取ca證書,根據自己簽名的harbor伺服器上獲取,下載拿到
- 新增到docker所在例項,放在目錄
/etc/ssl/certs/或/usrl/local/share/ca-certificates/ - 例項更新證書,執行命令
update-ca-certificates(ubuntu)或update-ca-trust(redhat) - 重啟docker,
systemctl restart docker,登入harbor,docker login python.harbor.com -uad - 驗證拉取映象,
docker pull python.harbor.com/k8s-a/ingress-nginx:v1.2.1
containerd配置ca證書訪問harbor
- 獲取ca證書,根據自己簽名的harbor伺服器上獲取,下載拿到
- 新增到containerd所在例項,放在目錄
/etc/ssl/certs/或/usrl/local/share/ca-certificates/ - 例項更新證書,執行命令
update-ca-certificates(ubuntu)或update-ca-trust(redhat) - 修改contianerd對應配置檔案
/etc/containerd/config.toml,新增ca證書配置內容 - 重啟containerd使用配置生效,
systemctl restart cotnainerd - 驗證拉取映象,
ctr image pull python.harbor.com/k8s-a/ingress-nginx:v1.2.1 --user admin:12345
驗證證書有效性
openssl s_client -connect python.harbor.com:443 -CAfile /etc/ssl/certs/ca.crt
docker配置方法
-
略過
-
#複製 cp -pdr ca.crt /etc/ssl/certs/ -
#資訊證書 update-ca-trust -
#重啟docker systemctl restart docker #登入 docker login python.harbor.com -uadmin -p12345 WARNING! Using --password via the CLI is insecure. Use --password-stdin. WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded -
#拉取映象 docker pull python.harbor.com/k8s-a/ingress-nginx:v1.2.1 v1.2.1: Pulling from k8s-a/ingress-nginx 8663204ce13b: Pull complete 897a18b2d257: Pull complete 3cb02f360cf3: Pull complete 2b63816a7692: Pull complete d61ce16aa3b6: Pull complete 4391833fbf2c: Pull complete bb397308bcd5: Pull complete 803395581751: Pull complete 153d402a7263: Pull complete c815f058cf7b: Pull complete a872540e4aca: Pull complete 4972574251d0: Pull complete 30197fe775a6: Pull complete b059831ea274: Pull complete Digest: sha256:0ad5d9fd4e60446dd85b8a4c4cf3440e31241b7c90ab140123a2f4102ee2d7e8 Status: Downloaded newer image for python.harbor.com/k8s-a/ingress-nginx:v1.2.1 python.harbor.com/k8s-a/ingress-nginx:v1.2.1
containerd配置方法
-
略
-
#複製 cp -pdr ca.crt /etc/ssl/certs/ -
#資訊證書 update-ca-trust -
#修改contianerd對應配置檔案 [plugins."io.containerd.grpc.v1.cri".registry] #中間內容省略,以下是新增內容 #指定cri映象倉庫的配置,指定了使用python.harbor.io的域名,替換為實際域名 [plugins."io.containerd.grpc.v1.cri".registry.configs."python.harbor.com"] #指定使用python.harbor.com的域名的tls配置 [plugins."io.containerd.grpc.v1.cri".registry.configs."python.harbor.com".tls] #指定ca證書路徑 ca_file = "/etc/ssl/certs/ca.crt" #避免證書驗證錯誤 insecure = true -
systemctl restart containerd.service -
ctr image pull python.harbor.com/k8s-a/ingress-nginx:v1.2.1 --user admin:12345 python.harbor.com/k8s-a/ingress-nginx:v1.2.1: resolved |++++++++++++++++++++++++++++++++++++++| manifest-sha256:0ad5d9fd4e60446dd85b8a4c4cf3440e31241b7c90ab140123a2f4102ee2d7e8: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:b059831ea2745f6578cdc2ac758b8d21b8d65609042ff2670a18f69fd7a3a348: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:8663204ce13b2961da55026a2034abb9e5afaaccf6a9cfb44ad71406dcd07c7b: done |++++++++++++++++++++++++++++++++++++++| config-sha256:f3afbfa1117b9eef6f2c9e2db06025c0c2a46a7fd10ff6f6173583850a55a7d5: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:897a18b2d2576d82166f3c65a64987eb88304a7a70fa2da6d28c4cd1fbdd6813: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:8033955817515da4a66d743cb568f64474ae8cc410c362668713dcebe8a080aa: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:a872540e4aca4d86fdfab737ffd20e2d973a9d8bc49256ee66cc883687f6c448: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:4972574251d0bc39f77f63a772c3657e5ba8708e96a3e16750cec7b4cf5be177: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:3cb02f360cf34064c6d8ba5c89b4b1ceca1c10f40d58c56e8d9e375da252e3c0: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:153d402a7263107d2d244ebdd7ef11cd0dc747f91d1465e070a033a6fcc90741: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:30197fe775a6846f2f9cb8aa7a602a1c7a486a412c4c3566ea97c937a8eafac8: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:2b63816a7692990821767908dad8a176224461a736582c64284d2c9d6f49e2bb: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:c815f058cf7bd2ff2f47ed9d7526bb2f8070354952a9e32b1b4289af3517df1b: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:d61ce16aa3b66511cc4cb2bad26b9a150ab080c4d42a49865ffc1c30e2304e76: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:4391833fbf2c065a232ebfed436c3daf79f70512222488aec415e682f053df21: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:bb397308bcd5d5b0c04aa763f3b3acb1a4a67250bc4d77ef6132db18385c06fa: done |++++++++++++++++++++++++++++++++++++++| elapsed: 1.6 s total: 102.2 (63.9 MiB/s) unpacking linux/amd64 sha256:0ad5d9fd4e60446dd85b8a4c4cf3440e31241b7c90ab140123a2f4102ee2d7e8... done: 4.744578537s驗證證書有效性描述
Verification: OK 表示驗證了ca.crt的證書鏈
verify return:1 表示證書驗證成功
openssl s_client -connect python.harbor.com:443 -CAfile /etc/ssl/certs/ca.crt CONNECTED(00000003) depth=1 C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com verify return:1 depth=0 C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com verify return:1 --- Certificate chain 0 s:C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com i:C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com --- Server certificate -----BEGIN CERTIFICATE----- MIIF4DCCA8igAwIBAgIUCVuq5ExYqOi61Q2+C/l+vqJ+jgkwDQYJKoZIhvcNAQEN BQAwbjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMREwDwYDVQQHDAhT aGFuZ2hhaTEPMA0GA1UECgwGU21hcnRYMQwwCgYDVQQLDANMYWIxGjAYBgNVBAMM EXB5dGhvbi5oYXJib3IuY29tMB4XDTI0MTEwNDA2MzQ0OVoXDTM0MTEwMjA2MzQ0 OVowbjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMREwDwYDVQQHDAhT aGFuZ2hhaTEPMA0GA1UECgwGU21hcnRYMQwwCgYDVQQLDANMYWIxGjAYBgNVBAMM EXB5dGhvbi5oYXJib3IuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC AgEApxYGwb1rixCmRXm+cKQrRESzTq+/f5r6B71H23VPRzcEqQz8eDpuhQVRGZj3 TLdNh6u110QkF87RSP9r9mrpZxmt23EbtnvFEO22Kw13ZzTLbCEJzuAMzxRr9uJs 3i1FeEKryq3S7q/Eo71a0wFexgucDqJRHotlCa3OJULDEjWg6xzQC+dvCTNWexQU OqFj7UTiVyHQ6tU3bv31X1G5Ba2y97U1wjHjk6+gtnzoaDdAfQ31sIQMq1Cgcjg/ dE5g8zoulzB5Wl2jmsdA0dwpsY2RF0E4glSDab2uAmNifhK+U1qSxbOyK4Zjm29l 6o7fTXStHs6R/mL3jGgGUWJoIgQQajHSEVumC49vGiJbMGKmh7lXvlPryqxPy/OS kof+KSyqGZ8ptoDq/oZsI3/7oF24zbqhXczSALpxVjODBXGdDEJrfBkPbekZRJF/ Qw4qOSvniwpydYEXFjADj9e+ytHfGAh/wQlPF6gYZ1xbHGONH24kmbXcp+GeqJlA M5YUEa5is3ltD6L4oKma5p+J254g/xS1q7nlbx29hlUk6pfB2WuFB/4PmKHNLVOF WlZEEuUAWmPp6OaqcSLSsXARrkmrQ2CNlI4nVhFJUGqv48gPUuo3KLAa8w6WyDeV HtnuQ8W13/0JmalkeE+PzsccXNgconEZzCYB2N6IeN7DGPECAwEAAaN2MHQwHwYD VR0jBBgwFoAUzrJR+LKQdl9311H5gzfZvyQSRhcwCQYDVR0TBAIwADALBgNVHQ8E BAMCBPAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwJAYDVR0RBB0wG4IRcHl0aG9uLmhh cmJvci5jb22CBmhhcmJvcjANBgkqhkiG9w0BAQ0FAAOCAgEARznmfU7SxHty91zE rdlea45yn2mBcNC8JENFDYuRKlJ6MR+A+rWy7qvgrIix4uVYA4YSy2HguebG3Sij 0V7QjmufJ6rikFqqQ4Hxkn+x28h2jTlHvIRqwuChSYyeNqxVQMontW61v5mjr7oG E4JH8JiYBMig2xGziVgYJKlKafJNqoy6hifGIPqoce0aTGitLgT494XouCBGXXuD jeyfT/dq/TlZtzrXkUH8tctdtKuwDvFnqmGZMsLQKpTvKy7qDUZxntcNq5eJvlS2 JQCzK/a3bZh2bm+P/761dfzK2fJTaHe9f02txY6faDUieD+UZat2hmQbHIUiVqpr niGjHOgu1YPhlYjXbDX3ytLx5O9QF3PWtpQJ3/TPy0pPedfyzfLePWQ7wbuvCv9F jt9SIon3iAWm92pJs0ilrk+frKhK3rg2DOqBYH8yK0ELGGqC9l0KT99YsmmwW7dy 1ixU7E6DyKlbbLQ3diqbmXTgT6g0chR1fOM3PGdSBXbAII1x6La++QkDRad+/488 sZhuzJSCdyzxCyukUsfAOEHWXpaOo2znOwG0W2XbGhQ933Wq0CuUrQdoSoZYf8uK bC0sBy5UvVaMUgGoVW3yJ3UOov42v363ruORo0S6U7VLT7YMxwKEMJfnOg5mt11S WTDUGUH5y4M5vuar5EMHoIGs45Q= -----END CERTIFICATE----- subject=C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com issuer=C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = python.harbor.com --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 2441 bytes and written 414 bytes Verification: OK --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 833C51D93109EDB1B9D8E9A2A8C5367C9AC8C45E872B3053A2805BA671817842 Session-ID-ctx: Master-Key: 7E11E48D49B3E3B94B0FEDC7CDAF46F2A9FE2B34834B5DB724E2C9AA76C1623525DD7E7C4DDC7B713DF727A5AAFBAEF4 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 5e 9c eb 40 9c 16 3b 67-f8 21 e9 97 d6 02 54 7a ^..@..;g.!....Tz 0010 - c7 70 37 d2 e0 c0 70 bb-19 33 ed e9 c8 30 14 5a .p7...p..3...0.Z 0020 - 83 9a 13 61 9c d8 a9 09-ae 12 da 68 c3 50 31 e0 ...a.......h.P1. 0030 - 71 82 b5 2a 92 8e 82 e7-2b 23 c3 35 cf d9 63 14 q..*....+#.5..c. 0040 - b8 c1 35 5a 27 aa 6f 0c-19 5c ed f1 bf f2 b9 8a ..5Z'.o..\...... 0050 - a4 3d fb 9d 95 2e f6 83-3e e6 9d 99 3b 51 13 8e .=......>...;Q.. 0060 - 9b 03 c4 fc 1a d4 6b 6f-a2 b3 c1 e8 f4 e8 1b cf ......ko........ 0070 - fa 0b 81 a7 96 f9 f2 2d-1b 91 02 ca 4c 34 0a ee .......-....L4.. 0080 - 4f f5 29 dc 2b 4f 2f 00-3d 0e 71 1d 2e a1 b0 3c O.).+O/.=.q....< 0090 - 9e 2f 7f b2 d0 82 de cf-a7 8d f7 ba f6 f8 94 69 ./.............i 00a0 - 91 d4 91 7e a3 ae 7b 29-bb 3f 1a 9e b6 d4 29 21 ...~..{).?....)! 00b0 - e5 c9 61 5f 74 e3 7b c2-d0 fb 1d d0 8b 33 52 d7 ..a_t.{......3R. 00c0 - e0 9b da 02 28 b8 18 ee-74 c6 0c 83 07 a0 81 d7 ....(...t....... Start Time: 1731051695 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: yes ---