
第14章 k8s使用Harbor私有镜像仓库

1.安装部署harbor

实施方案:

方案1:Harbor本身也是运行在k8s里的

方案2:Harbor独立运行在k8s之外的

注意:

1.新版本的harbor部署比较麻烦,需要在节点和系统上都拷贝证书

2.Docker还要信任harbor的地址

步骤:

#1.下载地址
https://github.com/goharbor/harbor/releases/download/v2.10.0/harbor-offline-installer-v2.10.0.tgz

#2.解压安装
# Unpack the offline installer downloaded in step 1 into the current directory.
tar -xzf harbor-offline-installer-v2.10.0.tgz

#3.生成证书
https://goharbor.io/docs/2.10.0/install-config/

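# Self-signed CA plus a server certificate for the registry hostname (luffy.com),
# following the Harbor HTTPS guide linked above. The same subject is used for the
# CA and the server, so it is declared once.
subj="/C=CN/ST=Beijing/L=Beijing/O=luffy/OU=Personal/CN=luffy.com"

# CA key and self-signed CA certificate (valid 10 years).
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "$subj" \
  -key ca.key \
  -out ca.crt

# Server key and certificate signing request.
openssl genrsa -out luffy.com.key 4096
openssl req -sha512 -new \
  -subj "$subj" \
  -key luffy.com.key \
  -out luffy.com.csr

# v3 extensions for the server cert: serverAuth only, with the hostnames in
# subjectAltName (clients match on SAN, not CN).
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=luffy.com
DNS.2=luffy
EOF

# Sign the server CSR with the CA (valid 10 years).
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in luffy.com.csr \
  -out luffy.com.crt

# openssl writes key files with the caller's umask (typically 0644); restrict
# both private keys to the owner.
chmod 600 ca.key luffy.com.key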

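#4.给harbor复制证书
# Paths referenced from harbor.yml (https.certificate / https.private_key) in step 7.
mkdir -p /data/cert/
cp luffy.com.crt /data/cert/
cp luffy.com.key /data/cert/
# cp does not preserve mode; keep the server key owner-only. Harbor's ./prepare
# runs as root and copies the key into its own config tree, so the restricted
# source permission should not affect it (NOTE(review): confirm on this version).
chmod 600 /data/cert/luffy.com.key

#5.给docker复制证书
# A Docker client only needs the CA certificate (ca.crt) in certs.d to trust the
# registry. A <name>.cert/<name>.key pair in that directory is loaded by Docker as a
# *client* certificate, which Harbor does not use, and it would later be copied to
# every node together with the registry's private key. So only ca.crt is installed.
mkdir -p /etc/docker/certs.d/luffy.com/
cp ca.crt /etc/docker/certs.d/luffy.com/
# Also trust the CA system-wide (used by tools other than docker, e.g. curl).
cp /etc/docker/certs.d/luffy.com/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

#6.重启docker
systemctl restart docker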

#7.配置harbor
vim /opt/harbor/harbor.yml
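# Fragment of /opt/harbor/harbor.yml: the keys below https must be indented under it.
hostname: luffy.com

https:
  port: 443
  # Files placed under /data/cert/ in step 4.
  certificate: /data/cert/luffy.com.crt
  private_key: /data/cert/luffy.com.key

# Harbor12345 is the value shipped in the template; set a unique password before
# running ./install.sh. This admin login is also what gets base64-encoded into
# the node's config.json and the Kubernetes Secret further down, so it should not
# stay at the default.
harbor_admin_password: Harbor12345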

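#8.安装harbor
# Run from the unpacked harbor/ directory (harbor.yml lives under /opt/harbor per
# step 7). The steps are chained so install.sh never runs after a failed prepare,
# and the final `compose ps` only reports a completed install.
./prepare \
  && ./install.sh \
  && docker compose ps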

#9.在harbor的web页面上创建仓库
base
app

#10.修改镜像标签
# Target reference is <registry>/<project>/<repo>:<tag>; project "base" was
# created in the Harbor UI in step 9.
image="luffy.com/base/openjdk:8"
docker tag openjdk:8 "$image"

#11.推送镜像
docker push "$image"

2.给节点分发harbor证书

1)拷贝harbor证书(所有node节点都要操作)

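# A node only needs the registry CA to trust it; copying the whole certs.d tree
# would also carry the registry's private key (placed there in step 5) onto
# every node, so fetch just ca.crt.
mkdir -p /etc/docker/certs.d/luffy.com/
scp 10.0.0.61:/etc/docker/certs.d/luffy.com/ca.crt /etc/docker/certs.d/luffy.com/
# Trust the CA system-wide on the node as well.
cp /etc/docker/certs.d/luffy.com/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust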

2)node节点重启docker

# This restarts only docker.socket, unlike step 6 on the Harbor host which
# restarts the docker service itself. NOTE(review): Docker appears to read
# /etc/docker/certs.d on each registry request, so a daemon restart may not be
# needed for the new CA at all — confirm on this node before relying on either.
systemctl restart docker.socket

3)配置hosts解析(所有Node节点)

vim /etc/hosts
10.0.0.61 luffy.com

4)登录Harbor(只要一台node查看即可)

[root@node-01 ~]# docker login luffy.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

5)获取Docker登录信息的base64编码(只要在一台node上查看即可)(PS: 改成你自己的密码)

[root@node-01 ~]# cat /root/.docker/config.json |base64
ewoJImF1dGhzIjogewoJCSJsdWZmeS5jb20iOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9Cn0=

6)创建secret资源

注意:secret资源是区分命名空间的

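# Secrets are namespaced: create this in the same namespace as the Deployment
# that references it (pass -n <namespace> to kubectl apply, or add
# metadata.namespace). The data value is the base64 of ~/.docker/config.json
# from step 5, i.e. the admin login used in step 4; a Harbor robot account
# limited to pull on the required projects is the better credential to embed.
# Keys under metadata/data must be indented for the manifest to parse as intended.
cat > harbor-secret.yaml << 'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: harbor-secret
data:
  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJsdWZmeS5jb20iOiB7CgkJCSJhdXRoIjogIllXUnRhVzQ2U0dGeVltOXlNVEl6TkRVPSIKCQl9Cgl9Cn0=
type: kubernetes.io/dockerconfigjson
EOF
kubectl apply -f harbor-secret.yaml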

7)编写资源配置清单

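# Deployment pulling from the private registry; indentation restored so the
# nested fields belong to their parents.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-dp
  labels:
    app: nginx-dp
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-dp
  template:
    metadata:
      name: nginx-dp
      labels:
        app: nginx-dp
    spec:
      # harbor-secret must exist in this Deployment's namespace (Secrets are namespaced).
      imagePullSecrets:
        - name: harbor-secret
      containers:
        - name: nginx
          # No tag means :latest; combined with IfNotPresent each node keeps whatever
          # "latest" it pulled first. Pin a tag (or digest) for reproducible rollouts.
          image: luffy.com/base/nginx
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80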

更新: 2024-09-09 15:56:12