k8s production deployment (10): setting up a private registry with Harbor
2021-03-27 17:09:31
By now the base applications the production environment needs are essentially all in place, but something still seems to be missing. Right: a registry for Docker images. Without a private registry we would have to push images to every node by hand, which is far too inconvenient.
We use Harbor to build one:
I. Installation
1. Make sure ports 30002, 30003 and 30004 are not already in use
2. helm repo add harbor https://helm.goharbor.io
3. helm search repo harbor
4. helm pull harbor/harbor --version=1.6.1
5. tar -xf harbor-1.6.1.tgz
6. In values, set storageClass to nfs-storage (it appears in 3 places)
7. Change the ingress section:
ingress:
  hosts:
    core: harbor.qhfinance.com
    notary: notary.qhfinance.com
8. Set harborAdminPassword: "xxxxx"  # the admin password
9. helm install harbor -f harbor-values.yaml --namespace qjy-public harbor/harbor --version 1.6.1
10. Configure hosts resolution, pointing the name at the IP of any node:
vim /etc/hosts
172.16.0.3 harbor.qhfinance.com
II. Access
Open http://harbor.qhfinance.com/; the default username/password is admin/xxxxx (the harborAdminPassword set above).
By default Harbor has only one project, library, and it is public: like Docker Hub, images in a public project can be pulled without authentication. We change it to private; alternatively, create a new private project.
III. Configuring the certificate
Because the Harbor we deployed comes with its own certificate (CA), that CA has to be added to each Docker client, otherwise the client has no way to access the private registry.
First, on the Kubernetes master, fetch the certificate with:
kubectl get secret/harbor-harbor-ingress -n qjy-cicd -o jsonpath="{.data.ca\.crt}" | base64 --decode
-----BEGIN CERTIFICATE-----
<certificate body omitted>
-----END CERTIFICATE-----
Once you have the certificate, add it on every Docker client:
mkdir -p /etc/docker/certs.d/harbor.qhfinance.com/
cat <<EOF > /etc/docker/certs.d/harbor.qhfinance.com/ca.crt
-----BEGIN CERTIFICATE-----
<certificate body omitted>
-----END CERTIFICATE-----
EOF
After the change, restart docker.service:
systemctl restart docker.service
Test:
docker login harbor.qhfinance.com
Username: admin
Password: xxxxx
Login Succeeded
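As an added example (not code from the original post), the following shell function performs the ca.crt installation described above with a sanity check on the PEM input before anything is written. CERTS_ROOT, is_pem_cert and install_registry_ca are this example's own names; CERTS_ROOT defaults to /etc/docker/certs.d and can be pointed at a scratch directory to dry-run the function.

```shell
#!/bin/sh
# Added example, not code from the original post: install a registry's CA
# certificate where dockerd expects it and sanity-check the PEM first.
# Names below (CERTS_ROOT, is_pem_cert, install_registry_ca) are this
# example's own. CERTS_ROOT defaults to /etc/docker/certs.d; point it at a
# scratch directory to dry-run.

# is_pem_cert <pem-text>: succeed only if the text is one PEM certificate
# block (first non-empty line BEGIN, last non-empty line END).
is_pem_cert() {
    pem="$1"
    first=$(printf '%s\n' "$pem" | grep -v '^$' | head -n 1)
    last=$(printf '%s\n' "$pem" | grep -v '^$' | tail -n 1)
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$last" = "-----END CERTIFICATE-----" ] || return 1
}

# install_registry_ca <registry-host[:port]> <pem-text>
# Writes the CA to $CERTS_ROOT/<host>/ca.crt. dockerd trusts that file for
# exactly that registry name, so the directory name must match the name
# used in `docker login` and in image references (port included if it is
# not 443). This per-registry trust anchor is what makes an
# insecure-registries entry unnecessary. Prints the path written.
install_registry_ca() {
    host="$1"
    pem="$2"
    root="${CERTS_ROOT:-/etc/docker/certs.d}"
    if ! is_pem_cert "$pem"; then
        echo "refusing: input is not a PEM certificate block" >&2
        return 1
    fi
    case "$host" in
        */*|"") echo "refusing: bad registry host '$host'" >&2; return 1 ;;
    esac
    dir="$root/$host"
    mkdir -p "$dir"
    # world-readable is fine: this is a public CA certificate, not a key
    printf '%s\n' "$pem" > "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"
    echo "$dir/ca.crt"
}

# Usage on a node (after fetching the PEM with the kubectl command above):
#   install_registry_ca harbor.qhfinance.com "$(cat harbor-ca.pem)"
#   systemctl restart docker.service
# To inspect what was written:
#   openssl x509 -in /etc/docker/certs.d/harbor.qhfinance.com/ca.crt -noout -subject -dates
```

The structural check only guards against pasting the wrong thing (a whole kubectl output, an empty file); the openssl line in the usage comment is the check that the bytes really are the CA you fetched from the harbor-harbor-ingress secret.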
IV. Configuring password-free login
# namespace qjy-cicd, because Harbor is installed in the qjy-cicd namespace
kubectl create secret docker-registry harbor-secret --docker-server=harbor.qhfinance.com --docker-username=admin --docker-password=xxxxx -n qjy-cicd
# namespace qjy-public, because the applications are installed in the qjy-public namespace and need to pull images
kubectl create secret docker-registry harbor-secret --docker-server=harbor.qhfinance.com --docker-username=admin --docker-password=xxxxx -n qjy-public
kubectl patch sa default --namespace=qjy-public -p '{"imagePullSecrets": [{"name": "harbor-secret"}]}'
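As an added example (not code from the original post or the Harbor project), the script below renders the same kubernetes.io/dockerconfigjson Secret that the two kubectl create secret docker-registry commands above produce, for both namespaces, taking the password from the environment instead of the command line (where it would land in shell history and in the process list). It also decodes a rendered manifest to show exactly what the secret holds. The function names, the HARBOR_PASS variable and the assumption that the password contains no double quotes or backslashes are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or the Harbor project.
# Renders the kubernetes.io/dockerconfigjson Secret that
# `kubectl create secret docker-registry` creates, so the same manifest can be
# applied to every namespace that pulls from Harbor with `kubectl apply -f -`.
# Assumption: the password contains no '"' or '\' (no JSON escaping is done).

# base64 without line wrapping (GNU `base64 -w0` is not available everywhere)
b64() { base64 | tr -d '\n'; }

# build_dockerconfigjson <registry> <user> <password>
# Prints the JSON that docker and the kubelet read as config.json.
# "auth" is just base64(user:password): an encoding, not encryption.
build_dockerconfigjson() {
    registry="$1"; user="$2"; pass="$3"
    auth=$(printf '%s:%s' "$user" "$pass" | b64)
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$registry" "$user" "$pass" "$auth"
}

# render_pull_secret <namespace> <secret-name> <registry> <user> <password>
# Prints a Secret manifest equivalent to the kubectl command in the post.
render_pull_secret() {
    ns="$1"; name="$2"; registry="$3"; user="$4"; pass="$5"
    data=$(build_dockerconfigjson "$registry" "$user" "$pass" | b64)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# decode_auth <manifest-text>
# Recovers user:password from a rendered manifest: this is what anyone with
# `get secret` rights in that namespace can read back.
decode_auth() {
    printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d \
        | sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d
}

# Usage (password from the environment, never on the command line):
#   HARBOR_PASS=... sh render-pull-secret.sh | kubectl apply -f -
if [ -n "$HARBOR_PASS" ]; then
    for ns in qjy-cicd qjy-public; do
        render_pull_secret "$ns" harbor-secret harbor.qhfinance.com admin "$HARBOR_PASS"
        echo '---'
    done
fi
```

decode_auth makes the practical point: the secret stores the registry password in recoverable form, and with the commands above that password is the Harbor admin's, so every workload in qjy-public carries full registry admin rights. A Harbor robot account limited to pull on the project is the better credential to put in harbor-secret; the manifest shape stays the same.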
V. Pushing and pulling images
docker tag zq-apigateway:1.0.0 harbor.qhfinance.com/library/zq-apigateway:1.0.0
docker push harbor.qhfinance.com/library/zq-apigateway:1.0.0
docker pull harbor.qhfinance.com/library/zq-apigateway:1.0.0