Harbor (https) installation and configuration

This document uses cfssl 1.6.5 to generate the TLS certificates and installs Harbor 2.12.4 with docker compose.

Background

Name             IP
harbor server    192.168.4.11
docker client    192.168.4.6

Download the cfssl binaries

The releases are listed at https://github.com/cloudflare/cfssl/tags. Using 1.6.5 as the example, download these three files:

  1. cfssl_1.6.5_linux_amd64: https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_amd64
  2. cfssljson_1.6.5_linux_amd64: https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_amd64
  3. cfssl-certinfo_1.6.5_linux_amd64: https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl-certinfo_1.6.5_linux_amd64

Make them executable and move them into /usr/bin/ under their short names (cfssl version afterwards confirms the install):

chmod +x cfssl*
mv cfssl_1.6.5_linux_amd64 /usr/bin/cfssl
mv cfssljson_1.6.5_linux_amd64 /usr/bin/cfssljson
mv cfssl-certinfo_1.6.5_linux_amd64 /usr/bin/cfssl-certinfo

Generate the TLS certificates

Keep all certificate material under /data/harbor_ssl/:

mkdir /data/harbor_ssl/
cd /data/harbor_ssl/

Create the JSON files cfssl needs. ca-config.json defines the signing policy: a harbor profile whose certificates are valid for 87600h (10 years) and may be used for both server and client authentication. ca-csr.json describes the CA itself, and reg.harbor.com-csr.json describes the registry's server certificate, whose hosts list becomes the Subject Alternative Names:

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "harbor": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
  "CN": "Harbor",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF

cat > reg.harbor.com-csr.json <<EOF
{
  "CN": "reg.harbor.com",
  "hosts": [
    "192.168.4.11",
    "reg.harbor.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF

Generate the certificates. The first command creates the self-signed CA (ca.pem, ca-key.pem, ca.csr); the second has that CA sign the server certificate (reg.harbor.com.pem, reg.harbor.com-key.pem) using the harbor profile:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=harbor reg.harbor.com-csr.json | cfssljson -bare reg.harbor.com

Two things are worth checking before moving on. The hosts list in reg.harbor.com-csr.json becomes the certificate's Subject Alternative Names; Docker, like every Go client, matches the registry name against those and not against the CN, so the name you put in harbor.yml and in the clients' hosts files must appear there (cfssl-certinfo -cert reg.harbor.com.pem prints them under "sans"). And ca-csr.json sets no "ca": {"expiry": ...}, so the CA gets cfssl's initca default of 5 years (43800h) while the profile issues 10-year server certificates; either add "ca": {"expiry": "87600h"} to ca-csr.json before running the first command, or plan to re-issue before the CA expires. The -key.pem files are private keys: keep /data/harbor_ssl readable by root only.

Install Harbor

The offline installers are listed at https://github.com/goharbor/harbor/tags.

For 2.12.4: https://github.com/goharbor/harbor/releases/download/v2.12.4/harbor-offline-installer-v2.12.4.tgz

Put the downloaded archive under /data and extract it:

cd /data
tar xzf harbor-offline-installer-v2.12.4.tgz
cd harbor/
cp harbor.yml.tmpl harbor.yml

After extracting, edit harbor.yml:

  1. Set the hostname; it must be one of the names in the certificate's hosts list, because that is what clients verify against:
hostname: reg.harbor.com
  2. Point the https section at the certificate and key generated above:
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/harbor_ssl/reg.harbor.com.pem
  private_key: /data/harbor_ssl/reg.harbor.com-key.pem

Harbor's default admin account is admin / Harbor12345.

To start with a different password, set harbor_admin_password in harbor.yml before the first start: the value is only used when Harbor initialises its database, after which the password lives in the database and is changed from the web UI.

Run the preparation script (install.sh runs the same step before starting the containers; here the steps are run one at a time):

./prepare

This uses the goharbor/prepare:v2.12.4 image (pulling it if it is not loaded yet), renders the configuration under common/config, including a copy of the certificate and key for nginx, and writes docker-compose.yml.

List the images docker-compose.yml refers to:

# grep 'image:' docker-compose.yml 
    image: goharbor/harbor-log:v2.12.4
    image: goharbor/registry-photon:v2.12.4
    image: goharbor/harbor-registryctl:v2.12.4
    image: goharbor/harbor-db:v2.12.4
    image: goharbor/harbor-core:v2.12.4
    image: goharbor/harbor-portal:v2.12.4
    image: goharbor/harbor-jobservice:v2.12.4
    image: goharbor/redis-photon:v2.12.4
    image: goharbor/nginx-photon:v2.12.4

If Docker Hub is slow or unreachable, do not let docker-compose pull these: the offline package ships all of them in harbor.v2.12.4.tar.gz next to the installer scripts, and docker load -i harbor.v2.12.4.tar.gz imports them (install.sh does exactly this before starting the containers).

Start Harbor:

docker-compose down
docker-compose up -d

On the client (192.168.4.6), add a line for reg.harbor.com pointing at 192.168.4.11 to /etc/hosts, then open https://reg.harbor.com; a browser will warn about the unknown CA until ca.pem is imported into its trust store.

Note: after changing the certificate, the key or anything else in harbor.yml, stop Harbor with docker-compose down, run ./prepare again, then start it with docker-compose up -d. prepare copies the certificate into common/config/nginx/cert, which is what the nginx container mounts, so a plain restart keeps serving the old certificate.

Client login

Without the certificate configured on the client, docker login fails like this:

# docker login reg.harbor.com
Username: admin
Password: 
INFO[0008] Error logging in to endpoint, trying next endpoint  error="Get \"https://reg.harbor.com/v2/\": tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match reg.harbor.com"
Get "https://reg.harbor.com/v2/": tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match reg.harbor.com

The message comes from Go's hostname check, which runs before the chain is verified: the certificate the client received carries no DNS name in its Subject Alternative Name extension. A certificate issued from the reg.harbor.com-csr.json above carries both reg.harbor.com and 192.168.4.11, so a client that merely does not trust the CA reports "x509: certificate signed by unknown authority" instead. If you see the message above, check the served file with cfssl-certinfo -cert /data/harbor_ssl/reg.harbor.com.pem and re-run ./prepare so nginx picks up the current certificate. In either case the client has to be told how to treat the registry, and there are two ways:

  • Add the registry to insecure-registries in /etc/docker/daemon.json. Docker then ignores certificate errors for that registry and falls back to plain HTTP if HTTPS fails, so the login credentials and image content travel unauthenticated, and at worst unencrypted; use this only in a lab:
{
  "insecure-registries": ["192.168.4.11", "reg.harbor.com"]
}

Restart docker after changing daemon.json:

systemctl restart docker
  • Trust the CA in Docker's per-registry store. Docker reads /etc/docker/certs.d/<registry host>/ and treats every file ending in .crt there as a trusted root (.cert/.key pairs are client certificates), so the extension must be .crt whatever the file was called on the server. The file to copy is the CA certificate ca.pem. Copying the server certificate reg.harbor.com.pem as reg.harbor.com.crt also works, because Go accepts a certificate that is itself in the root pool, but then every rotation of the server certificate breaks every client. No daemon restart is needed: Docker reads the directory on each connection.

mkdir -p /etc/docker/certs.d/reg.harbor.com/
scp 192.168.4.11:/data/harbor_ssl/ca.pem /etc/docker/certs.d/reg.harbor.com/ca.crt

Logging in again now succeeds:

# docker login reg.harbor.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
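The failure above, and why dropping a .crt into certs.d fixes it, can be reproduced without a registry, because the docker client is a Go program and its certificate check is Go's crypto/x509 verifier. The program below is an added example, not code from this page, from Harbor or from Docker. It builds a CA and a server certificate in memory with the same fields the two cfssl commands on this page produce (cfssl itself is not called, the keys are throwaway, and the 43800h CA lifetime is an assumption: cfssl's initca default, since the page's ca-csr.json sets none), then runs the verifier against them for the situations met on this page: ca.pem installed as a .crt, nothing installed, the server certificate itself installed as a .crt, and a certificate whose hosts list lacked the DNS name. LeafOutlivesCA flags the 87600h server certificate outliving that CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Bundle is what cfssl leaves in /data/harbor_ssl (ca.pem, reg.harbor.com.pem), parsed and as PEM.
type Bundle struct {
	CA, Leaf       *x509.Certificate
	CAPEM, LeafPEM []byte
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// IssueLike builds a CA and a server certificate with the fields the page's two cfssl commands
// produce (cfssl is not called; keys are throwaway). dnsSANs/ipSANs stand in for the CSR "hosts" list.
func IssueLike(dnsSANs []string, ipSANs []net.IP) Bundle {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Harbor", Country: []string{"CN"}},
		NotBefore:             now.Add(-5 * time.Minute),
		NotAfter:              now.Add(43800 * time.Hour), // assumed: cfssl initca default, ca-csr.json sets no "ca.expiry"
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "reg.harbor.com", Country: []string{"CN"}},
		NotBefore:    now.Add(-5 * time.Minute),
		NotAfter:     now.Add(87600 * time.Hour),                                                  // "expiry": "87600h" in the harbor profile
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,                 // "signing", "key encipherment"
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, // "server auth", "client auth"
		DNSNames:     dnsSANs,
		IPAddresses:  ipSANs,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	check(err)
	leafCert, err := x509.ParseCertificate(leafDER)
	check(err)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return Bundle{CA: caCert, Leaf: leafCert, CAPEM: toPEM(caDER), LeafPEM: toPEM(leafDER)}
}

// VerifyAsDocker repeats the check the docker client (Go crypto/tls) applies to the certificate a
// registry presents. trustedCRTs are the *.crt files from /etc/docker/certs.d/<host>/; an empty
// list models a private CA that is in neither that directory nor the system store.
func VerifyAsDocker(leaf *x509.Certificate, trustedCRTs [][]byte, host string) error {
	roots := x509.NewCertPool()
	for _, crt := range trustedCRTs {
		if !roots.AppendCertsFromPEM(crt) {
			return errors.New("a .crt file contained no PEM certificate")
		}
	}
	// Go matches host against the SANs before building the chain, so a missing DNS SAN is reported ahead of an untrusted CA.
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// LeafOutlivesCA flags the expiry mismatch on this page: a 10-year server certificate under a CA
// that, lacking "ca.expiry", lasts 5 years. Accepted today, the chain fails once the CA expires.
func LeafOutlivesCA(b Bundle) bool {
	return b.Leaf.NotAfter.After(b.CA.NotAfter)
}

func main() {
	good := IssueLike([]string{"reg.harbor.com"}, []net.IP{net.ParseIP("192.168.4.11")})
	ipOnly := IssueLike(nil, []net.IP{net.ParseIP("192.168.4.11")}) // hosts list without the DNS name
	fmt.Println("ca.crt installed:     ", VerifyAsDocker(good.Leaf, [][]byte{good.CAPEM}, "reg.harbor.com"))
	fmt.Println("nothing installed:    ", VerifyAsDocker(good.Leaf, nil, "reg.harbor.com"))
	fmt.Println("IP-only SANs, by name:", VerifyAsDocker(ipOnly.Leaf, [][]byte{ipOnly.CAPEM}, "reg.harbor.com"))
	fmt.Println("leaf outlives CA:     ", LeafOutlivesCA(good))
}
```

Run it with go run. The IP-only case prints the same "x509: certificate is not valid for any names, but wanted to match reg.harbor.com" line as the log above, while the case with nothing installed prints "x509: certificate signed by unknown authority", which is what a client that simply lacks the CA reports for a certificate whose SANs are correct. Passing the server certificate's own PEM as the .crt also verifies, which is why copying reg.harbor.com.pem into certs.d appears to work.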

A successful login writes ~/.docker/config.json with the credentials for reg.harbor.com. The auth value is only base64("admin:Harbor12345"), not encrypted, which is what the warning above refers to; configure a credential helper (credsStore) if the secret must not sit in this file:

{
	"auths": {
		"reg.harbor.com": {
			"auth": "YWRtaW46SGFyYm9yMTIzNDU="
		}
	}