harbor
Habor是由VMWare中国团队开源的容器镜像仓库。事实上,Habor是在Docker Registry上进行了相应的企业级扩展,从而获得了更加广泛的应用,这些新的企业级特性包括:管理用户界面,基于角色的访问控制 ,水平扩展,同步,AD/LDAP集成以及审计日志等
一. 手动部署
curl -L https://github.com/docker/compose/releases/download/1.23.1/docker-compose-`uname -s`-`uname -m` -o /usr/bin/docker-compose chmod +x /usr/local/bin/docker-compose
wget https://storage.googleapis.com/harbor-releases/release-1.6.0/harbor-offline-installer-v1.6.2.tgztar zxf harbor-offline-installer-v1.6.2.tgz
# mkdir /etc/pki/ca_test //创建CA更证书的目录# cd /etc/pki/ca_test# mkdir root server client newcerts //创建几个相关的目录# echo 01 > serial //定义序列号为01# echo 01 > crlnumber //定义crl号为01# touch index.txt //创建index.txt# cd ..# vi tls/openssl.cnf //改配置文件default_ca = CA_default 改为 default_ca = CA_test[ CA_default ] 改为 [ CA_test ]dir = /etc/pki/CA 改为 dir = /etc/pki/ca_testcertificate = $dir/cacert.pem 改为 certificate = $dir/root/ca.crtprivate_key = $dir/private/cakey.pe 改为 private_key = $dir/root/ca.key# openssl genrsa -out /etc/pki/ca_test/root/ca.key //生成私钥# openssl req -new -key /etc/pki/ca_test/root/ca.key -out /etc/pki/ca_test/root/ca.csr //生成请求文件,会让我们填写一些指标,这里要注意:如果在这一步填写了相应的指标,比如Country Name、State or Province Name、hostname。# openssl x509 -req -days 3650 -in /etc/pki/ca_test/root/ca.csr -signkey /etc/pki/ca_test/root/ca.key -out /etc/pki/ca_test/root/ca.crt //生成crt文件
# cd /etc/pki/ca_test/server# openssl genrsa -out server.key //生成私钥文件# openssl req -new -key server.key -out server.csr//生成证书请求文件,填写信息需要和ca.csr中的Organization Name保持一致# openssl ca -in server.csr -cert /etc/pki/ca_test/root/ca.crt -keyfile /etc/pki/ca_test/root/ca.key -out server.crt -days 3650 //用根证书签名server.csr,最后生成公钥文件server.crt,此步骤会有两个地方需要输入ySign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
如果做ssl的双向认证,还需要给客户端生成一个证书,步骤和上面的基本一致# cd /etc/pki/ca_test/client# openssl genrsa -out client.key //生成私钥文件# openssl req -new -key client.key -out client.csr //生成请求文件,填写信息需要和ca.csr中的Organization Name保持一致# openssl ca -in client.csr -cert /etc/pki/ca_test/root/ca.crt -keyfile /etc/pki/ca_test/root/ca.key -out client.crt -days 3650 //签名client.csr, 生成client.crt,此步如果出现failed to update databaseTXT_DB error number 2需执行:# sed -i ‘s/unique_subject = yes/unique_subject = no/‘ /etc/pki/ca_test/index.txt.attr执行完,再次重复执行签名client.csr那个操作
这两个网址和腾讯云都提供免费的ssl服务
https://freessl.org/
https://www.trustocean.com/
# cd harbor编辑配置文件 # vim harbor.cfg 1)定义hostname(如 harbor.yuankeedu.com) 2)定义ui_url_protocol为https3)定义ssl_cert/ssl_key 放置好ssl证书,修改路径4)定义harbor_admin_password安装 # sh install.sh //自动安装完成
修改后:
hostname = h.uedu.mlui_url_protocol = httpsmax_job_workers = 10 customize_crt = onssl_cert = /root/harbor/START-uedu-ml.pemssl_cert_key = /root/harbor/START-uedu-ml.keysecretkey_path = /dataadmiral_url = NAlog_rotate_count = 50log_rotate_size = 200Mhttp_proxy =https_proxy =no_proxy = 127.0.0.1,localhost,ui,registry
访问
https://h.uedu.ml/
admin 默认密码为 Harbor12345
拉取公共镜像
docker pull tomcat
docker tag tomcat h.uedu.ml/aikerlinux/tomcat:latest //打标签为上传做准备
把tomcat镜像推送到harbor
docker login https://h.uedu.ml
输入用户名和密码
docker push h.uedu.ml/aikerlinux/tomcat:latest
以下操作在master上执行:
1)创建secret
kubectl create secret docker-registry my-secret --docker-server=h.uedu.ml --docker-username=admin --docker-password=Harbor12345
创建完成后,可以用以下命令查看:
# kubectl get secret
2)定义一个pod 首先,需要在harbo私有仓库里推送一个httpd的镜像
,地址为h.uedu.ml/aikerlinux/httpd:latest
docker pull httpd docker tag httpd h.uedu.ml/aikerlinux/httpd:latest docker login https://h.uedu.mldocker push h.uedu.ml/aikerlinux/httpd:latest
然后再定义一个部署http pod的yaml文件
[root@master ~]# vim httpd.yaml apiVersion: v1kind: Podmetadata: name: httpd-podspec: containers: - image: h.uedu.ml/aikerlinux/httpd name: httpd-pod imagePullSecrets: - name: my-secret
# kubectl create -f httpd.yaml # kubectl describe pod httpd-pod //查看pod创建过程的信息,可能会存在的问题