In the earlier post, Harbor: from getting started to practice, Harbor was brought up quickly with an HTTP listener only and no HTTPS. HTTP access is only acceptable in test or development environments, and every Docker client host must list the registry under insecure-registries; without that, docker cannot simply log in with a username and password.
To configure HTTPS you must create an SSL certificate; in production it is best to buy a CA-signed certificate from a trusted third party. This post uses a self-signed certificate.
1. Generate the certificate authority (CA) certificate
Generate the CA private key
# mkdir -p /root/harbor/ssl
# cd /root/harbor/ssl
# openssl genrsa -out ca.key 4096
# ll
total 4
-rw------- 1 root root 3243 Mar 26 10:54 ca.key
Generate the CA certificate
# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key ca.key \
-out ca.crt
Adjust the values in the -subj option to reflect your organization. If you connect to the Harbor host by FQDN, you must specify it as the Common Name (CN) attribute.
If you access by IP address, replace yourdomain.com with the IP address. Here the hostname harbor.local is mapped in /etc/hosts:
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.26.37.129 docker harbor.local
# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Fujian/L=Fuzhou/O=Luorf/OU=Personal/CN=harbor.local" \
-key ca.key \
-out ca.crt
# ll
total 8
-rw-r--r-- 1 root root 2041 Mar 26 12:41 ca.crt
-rw------- 1 root root 3243 Mar 26 10:54 ca.key
2. Generate the server certificate
A certificate usually consists of a .crt file and a .key file.
Generate the private key
# openssl genrsa -out yourdomain.com.key 4096
# openssl genrsa -out harbor.local.key 4096
# ll
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
Generate the certificate signing request (CSR)
# openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key yourdomain.com.key \
-out yourdomain.com.csr
Adjust the values in the -subj option to reflect your organization. If you connect to the Harbor host by FQDN, you must specify it as the Common Name (CN) attribute.
If you access by IP address, replace yourdomain.com with the IP address.
# openssl req -sha512 -new \
-subj "/C=CN/ST=Fujian/L=Fuzhou/O=Luorf/OU=Personal/CN=harbor.local" \
-key harbor.local.key \
-out harbor.local.csr
# ll
total 16
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw-r--r-- 1 root root 1700 Mar 26 14:36 harbor.local.csr
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
Generate an x509 v3 extension file
Whether you connect to the Harbor host by FQDN or by IP address, you must create this file so that a certificate meeting the Subject Alternative Name (SAN) and x509 v3 extension requirements can be generated for the Harbor host. Replace the DNS entry to reflect your domain.
# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.local
EOF
If you access by IP address:
# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:172.26.37.129
EOF
Use the v3.ext file to generate a certificate for the Harbor host
# openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in yourdomain.com.csr \
-out yourdomain.com.crt
If you access by IP address, replace harbor.od.com with the IP address.
# openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.local.csr \
-out harbor.local.crt
# ll
total 28
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw-r--r-- 1 root root 41 Mar 26 14:37 ca.srl
-rw-r--r-- 1 root root 2065 Mar 26 14:37 harbor.local.crt
-rw-r--r-- 1 root root 1700 Mar 26 14:36 harbor.local.csr
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
-rw-r--r-- 1 root root 231 Mar 26 14:37 v3.ext
3. Provide the certificates to Harbor and Docker
Once ca.crt, yourdomain.com.crt and yourdomain.com.key have been generated, you must provide them to Harbor and to Docker and reconfigure both.
Copy the server certificate and key into the certificates folder on the Harbor host (/data/cert, the path referenced later in harbor.yml; create it first if it does not exist).
# cp harbor.local.crt /data/cert/
# cp harbor.local.key /data/cert/
Convert yourdomain.com.crt to yourdomain.com.cert for use by Docker.
The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
# openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
# openssl x509 -inform PEM -in harbor.local.crt -out harbor.local.cert
# ll
total 32
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw-r--r-- 1 root root 41 Mar 26 14:37 ca.srl
-rw-r--r-- 1 root root 2065 Mar 26 14:38 harbor.local.cert
-rw-r--r-- 1 root root 2065 Mar 26 14:37 harbor.local.crt
-rw-r--r-- 1 root root 1700 Mar 26 14:36 harbor.local.csr
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
-rw-r--r-- 1 root root 231 Mar 26 14:37 v3.ext
Copy the server certificate, key and CA file into the Docker certificates folder on the Harbor host. The appropriate folder must be created first.
# cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
# cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
# cp ca.crt /etc/docker/certs.d/yourdomain.com/
# mkdir -p /etc/docker/certs.d/harbor.local/
# cp harbor.local.cert /etc/docker/certs.d/harbor.local/
# cp harbor.local.key /etc/docker/certs.d/harbor.local/
# cp ca.crt /etc/docker/certs.d/harbor.local/
# ll /etc/docker/certs.d/harbor.local/
total 12
-rw-r--r-- 1 root root 2037 Mar 26 14:40 ca.crt
-rw-r--r-- 1 root root 2065 Mar 26 14:39 harbor.local.cert
-rw------- 1 root root 3243 Mar 26 14:39 harbor.local.key
If you map the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port or /etc/docker/certs.d/harbor_IP:port instead. (Omitted here.)
Restart Docker Engine
# systemctl restart docker
The following example illustrates the layout with custom certificates.
/etc/docker/certs.d/
└── yourdomain.com:port
    ├── yourdomain.com.cert <-- Server certificate signed by CA
    ├── yourdomain.com.key <-- Server key signed by CA
    └── ca.crt <-- Certificate authority that signed the registry certificate
# tree /etc/docker/certs.d/
/etc/docker/certs.d/
└── harbor.local
    ├── ca.crt
    ├── harbor.local.cert
    └── harbor.local.key
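To show why the x509 v3 extension file matters, here is an added Go example (not code from the page or from the Harbor project) that issues an in-memory CA and server certificate carrying the same extensions as v3.ext, then verifies them the way a Go-based client such as the Docker daemon does with the ca.crt from /etc/docker/certs.d/<host>/. Go is used because Docker itself is written in Go and its crypto/x509 package is what enforces the SAN rule: a certificate that names the host only in CN is rejected. The function names, the ECDSA keys, the CA name harbor-ca and the withSAN switch are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// mustCert issues tmpl under parent (self-signed when parent == tmpl); demo code, so it panics on error.
func mustCert(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// issue builds a CA and a server cert carrying the page's v3.ext extensions (CA:FALSE, serverAuth, SAN); withSAN=false yields a CN-only cert.
func issue(host string, withSAN bool) (srv, ca *x509.Certificate) {
	now, exp := time.Now().Add(-time.Hour), time.Now().Add(3650*24*time.Hour) // -days 3650
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "harbor-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: exp}
	ca = mustCert(caTmpl, caTmpl, caKey, caKey)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, NotBefore: now, NotAfter: exp,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // CA:FALSE
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if ip := net.ParseIP(host); withSAN && ip != nil {
		srvTmpl.IPAddresses = []net.IP{ip} // subjectAltName = IP:<host>
	} else if withSAN {
		srvTmpl.DNSNames = []string{host} // subjectAltName = DNS.1=<host>
	}
	return mustCert(srvTmpl, ca, srvKey, caKey), ca
}

// verifyAsClient does what a Go-based client such as the Docker daemon does with the ca.crt in
// /etc/docker/certs.d/<host>/: chain the server cert to that CA and match host against its SAN.
func verifyAsClient(srv, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // serverAuth EKU is checked by default
	return err
}
```

With the SAN present, verification succeeds for harbor.local and for the IP form; the CN-only variant fails with a hostname error, which is the symptom you see from docker login when the v3.ext step is skipped.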
4. Reconfigure Harbor
# cd /root/harbor
# cp -p harbor.yml harbor.yml.bak20230326
# vi harbor.yml
Modify the following entries (harbor.yml is YAML, so keep the indentation):
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.local

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbor.local.crt
  private_key: /data/cert/harbor.local.key
Run the Harbor deployment (omitted here; it had already been deployed successfully)
# ./install.sh
Reconfigure for HTTPS support
Run the prepare script to enable HTTPS.
# ./prepare
Stop Harbor and remove the existing instance (image data stays on the filesystem, so no data is lost).
# docker-compose down -v
Restart Harbor
# docker-compose up -d
# docker ps |grep harbor
d4170f45b469 goharbor/harbor-jobservice:v2.3.2 "/harbor/entrypoint.…" 6 minutes ago Up 6 minutes (healthy) harbor-jobservice
9de01fdc84da goharbor/nginx-photon:v2.3.2 "nginx -g 'daemon of…" 6 minutes ago Up 6 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp nginx
839ad5e59519 goharbor/harbor-core:v2.3.2 "/harbor/entrypoint.…" 6 minutes ago Up 6 minutes (healthy) harbor-core
97e39e780d6d goharbor/harbor-portal:v2.3.2 "nginx -g 'daemon of…" 6 minutes ago Up 6 minutes (healthy) harbor-portal
2e965c47ddb9 goharbor/registry-photon:v2.3.2 "/home/harbor/entryp…" 6 minutes ago Up 6 minutes (healthy) registry
9d55cca88bf6 goharbor/harbor-db:v2.3.2 "/docker-entrypoint.…" 6 minutes ago Up 6 minutes (healthy) harbor-db
f1871916ace3 goharbor/redis-photon:v2.3.2 "redis-server /etc/r…" 6 minutes ago Up 6 minutes (healthy) redis
c0b9f1d592b1 goharbor/harbor-registryctl:v2.3.2 "/home/harbor/start.…" 6 minutes ago Up 6 minutes (healthy) registryctl
69e47f6ed041 goharbor/harbor-log:v2.3.2 "/bin/sh -c /usr/loc…" 6 minutes ago Up 6 minutes (healthy) 127.0.0.1:1514->10514/tcp
5. Verify the HTTPS connection
Open the HTTPS page: https://172.26.37.129
After adding a hosts entry, http://harbor.local can be opened directly.
Log in to Harbor from the Docker client
Fetch the certificate the Docker client needs to log in to Harbor
# mkdir /etc/docker/certs.d/harbor.local
# scp 172.26.37.129:/root/harbor/ssl/ca.crt /etc/docker/certs.d/harbor.local/
Log in to Harbor
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Reference URLs:
https://goharbor.io/docs/2.0.0/install-config/configure-https/
https://www.cnblogs.com/cjwnb/p/13441071.html
https://blog.csdn.net/networken/article/details/107502461