Harbor TLS deployment
Environment:
Ubuntu 20.04
Harbor version: harbor-offline-installer-v2.6.1.tgz
Download link: https://github.com/goharbor/harbor/releases/tag/v2.6.1
1. Prepare the environment: install docker-ce and docker-compose;
2. Install Harbor;
3. Edit the Harbor configuration file and issue the certificates; for the certificate issuance procedure see: https://goharbor.io/docs/2.6.0/install-config/configure-https/
Self-signed CA:
# mkdir /usr/local/src/Harbor/certs #directory that holds the certificates;
# cd /usr/local/src/Harbor/certs
# openssl genrsa -out ca.key 4096 #create ca.key;
# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=LiaoNing/L=ShenYang/O=example/OU=Personal/CN=guofei.com" \
> -key ca.key \
> -out ca.crt #self-sign the CA certificate;
Generate the server certificate:
# mkdir harbor_private_key
# openssl genrsa -out guofei.com.key 4096 #create the private key used by Harbor;
# openssl req -sha512 -new \
> -subj "/C=CN/ST=LiaoNing/L=ShenYang/O=example/OU=Personal/CN=guofei.com" \
> -key guofei.com.key \
> -out guofei.com.csr #generate the certificate signing request;
# cat > v3.ext <<-EOF #x509 v3 extension file; the SAN must list every hostname clients will connect with, since Docker ignores the CN;
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1=guofei.com
> DNS.2=guofei
> DNS.3=harbor.guofei.com
> EOF
Use the v3.ext file to issue the certificate for the Harbor host;
# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in guofei.com.csr \
> -out harbor.guofei.com.crt
Edit the harbor.yml configuration file: /usr/local/src/Harbor/harbor/harbor.yml
hostname: harbor.guofei.com
certificate: /usr/local/src/Harbor/certs/harbor.guofei.com.crt
private_key: /usr/local/src/Harbor/certs/guofei.com.key
harbor_admin_password: harbor@12345 #Harbor admin user password;
password: root@123 #database password;
data_volume: /data #data storage path, usually a dedicated image disk or shared storage;
4. Install Harbor:
# ./install.sh --with-trivy --with-chartmuseum #--with-trivy enables Trivy image vulnerability scanning in Harbor;
5. Client push test:
5.1 To log in to the HTTPS-enabled Harbor, the client must have the certificate (public key) file (xxx.crt);
Harbor server:
# scp -P 2200 ./harbor.guofei.com.crt test@192.168.1.20:/tmp #copy the certificate file to the client host;
Client:
# mkdir /etc/docker/certs.d/harbor.guofei.com/ #directory Docker reads trusted certificates from; its name must match the registry hostname;
# mv /tmp/harbor.guofei.com.crt /etc/docker/certs.d/harbor.guofei.com/ #make sure the directory name is correct;
# chown root:root /etc/docker/certs.d/harbor.guofei.com/harbor.guofei.com.crt
# vim /etc/hosts #configure name resolution on the client;
192.168.1.30 harbor.guofei.com
5.2 Test
# docker login harbor.guofei.com #log in with the domain name and enter the Harbor account and password;
Push an image to test; steps omitted;
6. Configure HAProxy load balancing and keepalived high availability
Environment: Harbor-LB-A 192.168.1.23 and Harbor-LB-B 192.168.1.24, two nodes; VIPs: 192.168.1.200-204;
# find / -name keepalived* #locate the keepalived configuration template;
# cp /usr/share/doc/keepalived/samples/keepalived.conf.vrrp /etc/keepalived/keepalived.conf
# vim /etc/keepalived/keepalived.conf #node B uses the same configuration, but with a lower priority and state BACKUP;
Harbor-LB-A:
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    garp_master_delay 10
    smtp_alert
    virtual_router_id 51
    priority 100 #the higher the value, the more preferred the node;
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.200 dev ens33 label ens33:0
        192.168.1.201 dev ens33 label ens33:1
        192.168.1.202 dev ens33 label ens33:2
        192.168.1.203 dev ens33 label ens33:3
        192.168.1.204 dev ens33 label ens33:4
    }
    # nopreempt #uncomment to disable preemption; keepalived only honours it when the initial state is BACKUP;
    preempt_delay 300 #seconds to wait before preempting when preemption is enabled;
}
Harbor-LB-B:
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    garp_master_delay 10
    smtp_alert
    virtual_router_id 51
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.200 dev ens33 label ens33:0
        192.168.1.201 dev ens33 label ens33:1
        192.168.1.202 dev ens33 label ens33:2
        192.168.1.203 dev ens33 label ens33:3
        192.168.1.204 dev ens33 label ens33:4
    }
    # nopreempt
    preempt_delay 300
}
Restart keepalived and enable it at boot;
7. Configure HAProxy
listen harbor-80
    bind 192.168.1.200:80 #VIP declared by keepalived;
    mode tcp
    balance source
    server 192.168.1.30 192.168.1.30:80 check inter 3s fall 3 rise 5
    server 192.168.1.31 192.168.1.31:80 check inter 3s fall 3 rise 5
listen harbor-443
    bind 192.168.1.200:443
    mode tcp
    balance source
    server 192.168.1.30 192.168.1.30:443 check inter 3s fall 3 rise 5
    server 192.168.1.31 192.168.1.31:443 check inter 3s fall 3 rise 5
If HAProxy fails to start because the VIP is not currently bound on this node, add net.ipv4.ip_nonlocal_bind = 1 to sysctl.conf;
8. Access test: https://192.168.1.200/ (since mode tcp passes TLS through unchanged, the browser will warn when the VIP is used directly, because the certificate's SAN lists only the guofei.com names; resolving harbor.guofei.com to the VIP on clients avoids this);