Exploring the Harbor deployment process

First, obtain a certificate. Here I use a script that automatically generates a self-signed certificate; I did not look into who wrote it, I saw it on the Rancher website.

The self-signed certificate script is as follows (smart quotes and the stripped heredoc markers have been restored so it runs as written):

#!/bin/bash -e

# * marks items that must be changed

# * Server FQDN or issuer name (replace with your own domain)
CN='demo.test.com'

# Additional trusted IPs or domain names
## An SSL certificate normally only trusts requests by domain name. If the server
## must also be reached by IP, add those IPs to the certificate, comma-separated.
SSL_IP='172.16.91.145,172.16.155.36'
SSL_DNS='demo.cnrancher.com,www.rancher.com'

# Country name (2-letter code)
C=CN

# Key size in bits
SSL_SIZE=4096

# Certificate validity (days)
DATE=${DATE:-3650}

# OpenSSL config file written by this script
SSL_CONFIG='openssl.cnf'

if [[ -z $SILENT ]]; then
echo "----------------------------"
echo "| SSL Cert Generator |"
echo "----------------------------"
echo
fi

export CA_KEY=${CA_KEY-"cakey.pem"}
export CA_CERT=${CA_CERT-"cacerts.pem"}
export CA_SUBJECT=ca-$CN
export CA_EXPIRE=${DATE}
export SSL_CONFIG=${SSL_CONFIG}
export SSL_KEY=$CN.key
export SSL_CSR=$CN.csr
export SSL_CERT=$CN.crt
export SSL_EXPIRE=${DATE}
export SSL_SUBJECT=${CN}
export SSL_DNS=${SSL_DNS}
export SSL_IP=${SSL_IP}
export K8S_SECRET_COMBINE_CA=${K8S_SECRET_COMBINE_CA:-'true'}

[[ -z $SILENT ]] && echo "--> Certificate Authority"

# Reuse an existing CA key/cert if present, otherwise create a new one
if [[ -e ./${CA_KEY} ]]; then
[[ -z $SILENT ]] && echo "====> Using existing CA Key ${CA_KEY}"
else
[[ -z $SILENT ]] && echo "====> Generating new CA key ${CA_KEY}"
openssl genrsa -out ${CA_KEY} ${SSL_SIZE} > /dev/null
fi

if [[ -e ./${CA_CERT} ]]; then
[[ -z $SILENT ]] && echo "====> Using existing CA Certificate ${CA_CERT}"
else
[[ -z $SILENT ]] && echo "====> Generating new CA Certificate ${CA_CERT}"
openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} -days ${CA_EXPIRE} -out ${CA_CERT} -subj "/CN=${CA_SUBJECT}" > /dev/null || exit 1
fi

echo "====> Generating new config file ${SSL_CONFIG}"
cat > ${SSL_CONFIG} <<EOM
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOM

# Add subjectAltName entries for every extra DNS name and IP
if [[ -n ${SSL_DNS} || -n ${SSL_IP} ]]; then
cat >> ${SSL_CONFIG} <<EOM
subjectAltName = @alt_names
[alt_names]
EOM
IFS=","
dns=(${SSL_DNS})
dns+=(${SSL_SUBJECT})
for i in "${!dns[@]}"; do
echo DNS.$((i+1)) = ${dns[$i]} >> ${SSL_CONFIG}
done
if [[ -n ${SSL_IP} ]]; then
ip=(${SSL_IP})
for i in "${!ip[@]}"; do
echo IP.$((i+1)) = ${ip[$i]} >> ${SSL_CONFIG}
done
fi
fi

[[ -z $SILENT ]] && echo "====> Generating new SSL KEY ${SSL_KEY}"
openssl genrsa -out ${SSL_KEY} ${SSL_SIZE} > /dev/null || exit 1

[[ -z $SILENT ]] && echo "====> Generating new SSL CSR ${SSL_CSR}"
openssl req -sha256 -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/CN=${SSL_SUBJECT}" -config ${SSL_CONFIG} > /dev/null || exit 1

[[ -z $SILENT ]] && echo "====> Generating new SSL CERT ${SSL_CERT}"
openssl x509 -sha256 -req -in ${SSL_CSR} -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
-days ${SSL_EXPIRE} -extensions v3_req -extfile ${SSL_CONFIG} > /dev/null || exit 1

if [[ -z $SILENT ]]; then
echo "====> Complete"
echo "keys can be found in volume mapped to $(pwd)"
echo
echo "====> Output results as YAML"
echo "---"
echo "ca_key: |"
cat $CA_KEY | sed 's/^/ /'
echo
echo "ca_cert: |"
cat $CA_CERT | sed 's/^/ /'
echo
echo "ssl_key: |"
cat $SSL_KEY | sed 's/^/ /'
echo
echo "ssl_csr: |"
cat $SSL_CSR | sed 's/^/ /'
echo
echo "ssl_cert: |"
cat $SSL_CERT | sed 's/^/ /'
echo
fi

# Optionally publish the result as a Kubernetes TLS secret
if [[ -n $K8S_SECRET_NAME ]]; then
if [[ -n $K8S_SECRET_COMBINE_CA ]]; then
[[ -z $SILENT ]] && echo "====> Adding CA to Cert file"
cat ${CA_CERT} >> ${SSL_CERT}
fi
[[ -z $SILENT ]] && echo "====> Creating Kubernetes secret: $K8S_SECRET_NAME"
kubectl --kubeconfig=kube_configxxx.yml delete secret $K8S_SECRET_NAME --ignore-not-found
if [[ -n $K8S_SECRET_SEPARATE_CA ]]; then
kubectl --kubeconfig=kube_configxxx.yml create secret generic \
$K8S_SECRET_NAME \
--from-file="tls.crt=${SSL_CERT}" \
--from-file="tls.key=${SSL_KEY}" \
--from-file="ca.crt=${CA_CERT}"
else
kubectl --kubeconfig=kube_configxxx.yml create secret tls \
$K8S_SECRET_NAME \
--cert=${SSL_CERT} \
--key=${SSL_KEY}
fi
if [[ -n $K8S_SECRET_LABELS ]]; then
[[ -z $SILENT ]] && echo "====> Labeling Kubernetes secret"
IFS=$' \n\t' # We have to reset IFS or label secret will misbehave on some systems
kubectl label secret \
$K8S_SECRET_NAME \
$K8S_SECRET_LABELS
fi
fi

echo "4. 重命名服务证书"
cp ${CN}.key tls.key
cp ${CN}.crt tls.crt


Edit the harbor.conf file:

hostname = xxx.com
ui_url_protocol = https
ssl_cert = /root/cert/demo.test.com.crt
ssl_cert_key = /root/cert/demo.test.com.key
db_password = 123456

Install Harbor:

./install.sh


Notes:

1. The hostname must not contain characters such as an underscore (_).

The hostname I originally requested was images_xxx.com; while configuring insecure-registries for Docker, Docker would not start. Changing it to xxx.com resolved the problem.

[root@images_kubernetes harbor]# cat /etc/docker/daemon.json
{
"insecure-registries": ["xxx.com"]
}

2. "#The password for the root user of Harbor DB. Change this before any production use." This password really must be changed.

During my first install I did not change the password. One of the containers kept restarting, and its logs said it could not connect to the database. I later found the cause: once I changed the password via the db_password = option, the problem was resolved.
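The two pitfalls in the notes above (an underscore in hostname, and the default database password) are easy to catch before running install.sh. The following pre-install check is an added example, not part of the original post or of Harbor itself; it assumes the key = value layout shown above and uses a small constructed list of weak passwords.

```shell
#!/bin/bash
# Added example: pre-install check for a harbor.cfg-style file.
# Not part of the original post or of the Harbor project.

# Print the value of one "key = value" setting (first match only).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 for a valid RFC 1123 hostname, 1 otherwise. Underscores are rejected:
# Docker would not start with images_xxx.com in insecure-registries.
valid_hostname() {
    local h=$1 rest=$1 label
    [ -n "$h" ] && [ ${#h} -le 253 ] || return 1
    case $h in *_*|*..*|.*|*.) return 1 ;; esac
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        case $label in ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;; esac
        [ ${#label} -le 63 ] || return 1
    done
    return 0
}

# Report problems on stdout; exit status is the number of problems found.
harbor_preflight() {
    local f=$1 problems=0 host proto pw k p
    host=$(cfg_get "$f" hostname); proto=$(cfg_get "$f" ui_url_protocol)
    pw=$(cfg_get "$f" db_password)
    valid_hostname "$host" || {
        echo "hostname '$host' is not a valid registry hostname (no '_')"
        problems=$((problems + 1)); }
    if [ "$proto" = https ]; then      # https needs both certificate paths
        for k in ssl_cert ssl_cert_key; do
            p=$(cfg_get "$f" "$k")
            [ -n "$p" ] || { echo "$k must be set for https"; problems=$((problems + 1)); }
        done
    fi
    # Constructed denylist of weak/default values; extend as needed.
    case $pw in ''|123456|root123|password)
        echo "db_password is empty or a known default; change it"
        problems=$((problems + 1)) ;;
    esac
    return $problems
}

# Demo on a constructed config reproducing both mistakes from the post.
SAMPLE_CFG=$(mktemp)
printf 'hostname = images_xxx.com\nui_url_protocol = https\nssl_cert = /root/cert/demo.test.com.crt\nssl_cert_key = /root/cert/demo.test.com.key\ndb_password = 123456\n' > "$SAMPLE_CFG"
harbor_preflight "$SAMPLE_CFG" || echo "found $? problem(s)"
```

Running it on the sample config lists both issues and exits with status 2; a config using xxx.com and a non-default password exits 0.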

Copyright notice

Article source: 生保博客
