注:高版本(14以上)docker执行login命令,默认使用https,且harbor必须使用域名,只是用ip访问是不行的。
假设使用的网址是:www.harbor.mobi,本机ip是192.168.75.100
因为这个网址是虚拟的,所以需要在本机hosts文件中添加
echo "192.168.75.100 www.harbor.mobi" >> /etc/hosts
- 修改harbor.yml配置文件
只是用https访问,关闭http访问
#set hostname
hostname: www.harbor.mobi
#http:
# port: 80
https:
# https port for harbor, default is 443
port: 443
# The path of cert and key files for nginx
certificate: /data/cert/www.harbor.mobi.crt
private_key: /data/cert/www.harbor.mobi.key
# 注意证书路径,直接在该路径下操作生成证书
- 一键生成证书脚本
#!/bin/bash
# 在该目录下操作生成证书,正好供harbor.yml使用
mkdir -p /data/cert
cd /data/cert
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key ca.key -out ca.crt
openssl genrsa -out www.harbor.mobi.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key www.harbor.mobi.key -out www.harbor.mobi.csr
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=www.harbor.mobi
DNS.2=harbor
DNS.3=ks-allinone
EOF
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.crt
openssl x509 -inform PEM -in www.harbor.mobi.crt -out www.harbor.mobi.cert
cp www.harbor.mobi.crt /etc/pki/ca-trust/source/anchors/www.harbor.mobi.crt
update-ca-trust
- docker 操作
# 把这三个证书文件复制到docker相应的目录下,注意最后的路径名,要跟上面的保持一致
mkdir -p /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.cert /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.key /etc/docker/certs.d/ywww.harbor.mobi/
cp ca.crt /etc/docker/certs.d/www.harbor.mobi/
最终docker目录结构:
/etc/docker/certs.d/
└── www.harbor.mobi
├── www.harbor.mobi.cert <-- Server certificate signed by CA
├── www.harbor.mobi.key <-- Server key signed by CA
└── ca.crt <-- Certificate authority that signed the registry certificate
# 先停止harbor
cd /usr/local/harbor
docker-compose down -v
# 重启docker
systemctl restart docker.service
- harbor操作
# 重新生成配置文件,增加上其他chart功能等
./prepare --with-notary --with-clair --with-chartmuseum
# 启动
docker-compose up -d
- helm操作
# 增加仓库,因为使用的自签名证书,所以命令上需要加上,若不加上则会报错:Error: Looks like "https://www.harbor.mobi/chartrepo/myrepo" is not a valid chart repository or cannot be reached: Get https://www.harbor.mobi/chartrepo/myrepo/index.yaml: x509: certificate signed by unknown authority
helm repo add --ca-file /usr/local/harbor/cert/ca.crt --cert-file /usr/local/harbor/cert/www.harbor.mobi.cert --key-file /usr/local/harbor/cert/www.harbor.mobi.key myrepo https://www.harbor.mobi/chartrepo/myrepo
# 更新仓库
helm repo update
# 推送应用,同理也需要加上自签名证书,还需要加上用户名和密码
# 错误用法1:没有加自签名证书
helm push --username=admin --password=Harbor12345 app myrepo
Pushing app-0.1.0.tgz to myrepo...
Error: Post https://www.harbor.mobi/api/chartrepo/myrepo/charts: x509: certificate signed by unknown authority
Error: plugin "push" exited with error
# 错误用法2:没有加上用户名和密码
helm push --ca-file /usr/local/harbor/cert/ca.crt --cert-file /usr/local/harbor/cert/www.harbor.mobi.cert --key-file /usr/local/harbor/cert/www.harbor.mobi.key app myrepo
Pushing app-0.1.0.tgz to myrepo...
Error: 401: could not properly parse response JSON: {"code":401,"message":"UnAuthorized"}
Error: plugin "push" exited with error
# 正确用法1,推送chart目录,app是chart应用目录
helm push --ca-file /usr/local/harbor/cert/ca.crt --cert-file /usr/local/harbor/cert/www.harbor.mobi.cert --key-file /usr/local/harbor/cert/www.harbor.mobi.key --username=admin --password=Harbor12345 app myrepo
# 正确用法2,推送tgz文件,redis.tgz是chart应用文件
helm push --ca-file /usr/local/harbor/cert/ca.crt --cert-file /usr/local/harbor/cert/www.harbor.mobi.cert --key-file /usr/local/harbor/cert/www.harbor.mobi.key --username=admin --password=Harbor12345 redis.tgz myrepo
- helm push命令用法
注意:命令中关于使用自签名的部分有变量,暂不知道咋使用的
考虑如下:先配置好相关变量,使用helm push命令的时候加上变量就行,不用加具体的签名证书路径
helm push --help
Helm plugin to push chart package to ChartMuseum
Examples:
$ helm push mychart-0.1.0.tgz chartmuseum # push .tgz from "helm package"
$ helm push . chartmuseum # package and push chart directory
$ helm push . --version="7c4d121" chartmuseum # override version in Chart.yaml
$ helm push . https://my.chart.repo.com # push directly to chart repo URL
Usage:
helm push [flags]
Flags:
--access-token string Send token in Authorization header [$HELM_REPO_ACCESS_TOKEN]
--auth-header string Alternative header to use for token auth [$HELM_REPO_AUTH_HEADER]
--ca-file string Verify certificates of HTTPS-enabled servers using this CA bundle [$HELM_REPO_CA_FILE]
--cert-file string Identify HTTPS client using this SSL certificate file [$HELM_REPO_CERT_FILE]
--context-path string ChartMuseum context path [$HELM_REPO_CONTEXT_PATH]
-f, --force Force upload even if chart version exists
-h, --help help for helm
--insecure Connect to server with an insecure way by skipping certificate verification [$HELM_REPO_INSECURE]
--key-file string Identify HTTPS client using this SSL key file [$HELM_REPO_KEY_FILE]
-p, --password string Override HTTP basic auth password [$HELM_REPO_PASSWORD]
-u, --username string Override HTTP basic auth username [$HELM_REPO_USERNAME]
-v, --version string Override chart version pre-push
问题总结:
1.报错:x509: certificate signed by unknown authority
解决办法:加上自签名证书,可以参考docker的那个
2.报错:Error: 401: could not properly parse response JSON: {"code":401,"message":"UnAuthorized"}
解决办法:加上用户名和密码