Harbor https 自签证书配置
假设 Harbor 部署在 ip 为 192.168.20.106 的内网机器上
Harbor 配置 https 自签证书
- 生成证书颁发机构证书
生成 CA 证书私钥
openssl genrsa -out ca.key 4096生成 CA 证书
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=192.168.20.106" \
-key ca.key \
-out ca.crt- 生成服务器证书
生成私钥
openssl genrsa -out 192.168.20.106.key 4096生成证书签名请求(CSR)
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key 192.168.20.106.key \
-out 192.168.20.106.csr生成一个 x509 v3 扩展文件
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF如果是需要填写 IP则不需要填写 DNS 列表,只需要如下配置:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.20.106
EOF使用 v3.ext 文件为 Harbor 主机生成证书
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in 192.168.20.106.csr \
-out 192.168.20.106.crt- 将
192.168.20.106.crt转换为192.168.20.106.cert
openssl x509 -inform PEM -in 192.168.20.106.crt -out 192.168.20.106.cert- 编辑 Harbor 配置文件
vi /harbor/harbor.yamlhttps:
port: 443
certificate: /ssl-file-dir/192.168.20.106.crt
private_key: /ssl-file-dir/192.168.20.106.key- 重新配置 Harbor(不会丢失数据)
/harbor-install-dir/prepare
docker compose -down -v
docker compose up -d为 Docker 配置内网镜像仓库
- 将 harbor 自签证书文件拷贝到本机中指定目录下
mkdir -p /etc/docker/certs.d/192.168.20.106
# 密码: harbor
scp harbor@192.168.20.106:/home/harbor/ssl/192.168.20.106.cert /etc/docker/certs.d/192.168.20.106/
scp harbor@192.168.20.106:/home/harbor/ssl/192.168.20.106.key /etc/docker/certs.d/192.168.20.106/
scp harbor@192.168.20.106:/home/harbor/ssl/ca.crt /etc/docker/certs.d/192.168.20.106/- 重启 Docker
systemctl restart docker- 使用内网镜像仓库 Harbor 账号登录 Docker(可以使用个人 ldap 账号登录)
docker login 192.168.20.106- 拉取镜像
# 格式:docker pull <镜像仓库地址>/<项目名>/xxx:xxx
docker pull 192.168.20.106/docker.io/mongo:6- 推送镜像到个人镜像仓库
docker tag xxx:xxx 192.168.20.106/<项目名>/xxx:xxx
docker push 192.168.20.106/<项目名>/xxx:xxx- 创建一个清单列表指定多平台镜像
# arm64 机器
docker tag xxx:xxx 192.168.20.106/<项目名>/xxx:xxx-arm64
docker push 192.168.20.106/<项目名>/xxx:xxx-arm64
# amd64 机器
docker tag xxx:xxx 192.168.20.106/<项目名>/xxx:xxx-amd64
docker push 192.168.20.106/<项目名>/xxx:xxx-amd64
# 任意机器,创建一个清单列表,并将两种平台的镜像加入其中
docker manifest create 192.168.20.106/<项目名>/xxx:xxx \
-a 192.168.20.106/<项目名>/xxx:xxx-arm64 \
-a 192.168.20.106/<项目名>/xxx:xxx-amd64
# 推送清单列表
docker manifest push 192.168.20.106/<项目名>/xxx:xxx为 k8s containerd 容器运行时配置内网镜像仓库
- 将 192.168.20.106 上的 harbor 自签证书文件拷贝到本机中指定目录下
mkdir -p /etc/certs/192.168.20.106
# 密码: harbor
scp harbor@192.168.20.106:/home/harbor/ssl/192.168.20.106.cert /etc/certs/192.168.20.106/
scp harbor@192.168.20.106:/home/harbor/ssl/192.168.20.106.key /etc/certs/192.168.20.106/
scp harbor@192.168.20.106:/home/harbor/ssl/ca.crt /etc/certs/192.168.20.106/- 修改
/etc/containerd/config.toml配置文件,设置 config_path
如果使用的 containerd 语法是版本 1,这将
"io.containerd.grpc.v1.cri"替换为 cri
vi /etc/containerd/config.toml写入
[plugin]
...
[plugin."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
# 注意删除这个层级下的其他无用配置,只保留 config_path- 重启 containerd
systemctl restart containerd- 配置证书目录
/etc/containerd/certs.d目录下的配置文件不需要重启 containerd,是实时生效的
mkdir -p /etc/containerd/certs.d/192.168.20.106/
vi /etc/containerd/certs.d/192.168.20.106/hosts.toml写入如下内容
server = "https://192.168.20.106"
[host."https://192.168.20.106"]
capabilities = ["pull", "resolve"]
ca = ["/etc/certs/192.168.20.106/ca.crt"]
client = [["/etc/certs/192.168.20.106/192.168.20.106.cert", "/etc/certs/192.168.20.106/192.168.20.106.key"]]- 拉取镜像
crictl pull 192.168.20.106/docker.io/mongo:6