Harbor是构建企业级私有docker镜像的仓库的开源解决方案,它是Docker Registry的更高级封装,它除了提供友好的Web UI界面,角色和用户权限管理,用户操作审计等功能外,它还整合了K8s的插件(Add-ons)仓库。

准备工作

详细配置参数,参考:https://github.com/goharbor/harbor-helm

创建存储池

这里使用storageClass,则需要先创建storageClass,请参考ceph。

  1. cmd.sh "sudo modprobe rbd"
  2. ceph osd pool create k8s 256

创建秘钥:

  1. cat << EOF | kubectl create -f -
  2. apiVersion: v1
  3. kind: Secret
  4. metadata:
  5.   name: ceph-admin-secret
  6. type: "kubernetes.io/rbd"
  7. data:
  8.   key: $(grep key /etc/ceph/ceph.client.admin.keyring |awk '{printf "%s", $NF}'|base64)
  9. EOF

创建存储类:

  1. cat << EOF | kubectl create -f -
  2. apiVersion: storage.k8s.io/v1
  3. kind: StorageClass
  4. metadata:
  5.   name: ceph-rbd
  6. provisioner: kubernetes.io/rbd
  7. parameters:
  8.    monitors: 192.168.56.111:6789
  9.    adminId: admin
  10.    adminSecretName: ceph-admin-secret
  11.    adminSecretNamespace: default
  12.    pool: k8s
  13.    userId: admin
  14.    userSecretName: ceph-admin-secret
  15.    userSecretNamespace: default
  16. # 设置回收策略默认为:Retain
  17. reclaimPolicy: Retain
  18. # 添加动态扩容
  19. allowVolumeExpansion: true
  20. EOF

将存储类设置为默认:

  1. kubectl patch storageclass ceph-rbd -p \
  2.     '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

创建命名空间

  1. kubectl create namespace harbor

添加仓库

  1. helm repo add harbor https://helm.goharbor.io

创建证书

使用letsencrypt生成证书文件

参考 使用Cert Manager配置Let’s Encrypt证书 ,先要创建一个ClusterIssuer:javachen-space-letsencrypt-prod。

  1. cat << EOF | kubectl create -f -
  2. apiVersion: cert-manager.io/v1alpha2
  3. kind: ClusterIssuer
  4. metadata:
  5.   name: javachen-space-letsencrypt-prod
  6. spec:
  7.   acme:
  8.     server: https://acme-v02.api.letsencrypt.org/directory
  9.     email: junecloud@163.com
  10.     privateKeySecretRef:
  11.       name: javachen-space-letsencrypt-prod
  12.     solvers:
  13.     - selector:
  14.         dnsNames:
  15.         - '*.javachen.space'
  16.       dns01:
  17.         webhook:
  18.           groupName: acme.javachen.space 
  19.           solverName: godaddy
  20.           config:
  21.             authApiKey: e4hN4QrFgzdo_RHXe1ef2qpBPmiJPD2ZUcW
  22.             authApiSecret: QsHuDdnnCbzp5DmEQzq4ts
  23.             production: true
  24.             ttl: 600
  25. EOF

因为证书是有命名空间的,所以需要在harbor命名空间创建证书:

  1. cat << EOF | kubectl create -f -   
  2. apiVersion: cert-manager.io/v1alpha2
  3. kind: Certificate
  4. metadata:
  5.   name: harbor-cert-prod
  6.   namespace: harbor
  7. spec:
  8.   secretName: harbor-javachen-space-cert
  9.   renewBefore: 240h
  10.   groupName: acme.javachen.space 
  11.   dnsNames:
  12.   - "*.javachen.space"
  13.   issuerRef:
  14.     name: javachen-space-letsencrypt-prod
  15.     kind: ClusterIssuer
  16. EOF

安装Harbor

不配置存储,使用默认的证书,禁用clair、notary、chartmuseum,通过helm3安装:

  1. helm install harbor harbor/harbor --namespace harbor --debug \
  2.   --set externalURL=https://harbor.javachen.space  \
  3.   --set expose.ingress.hosts.core=harbor.javachen.space \
  4.   --set expose.ingress.hosts.notary=harbor.javachen.space \
  5.   --set persistence.enabled=false \
  6.   --set clair.enabled=false \
  7.   --set notary.enabled=false \
  8.   --set chartmuseum.enabled=false \
  9.   --set harborAdminPassword=admin123

配置存储,使用默认的证书,通过helm3安装:

  1. helm install harbor harbor/harbor --namespace harbor --debug \
  2.   --set externalURL=https://harbor.javachen.space  \
  3.   --set expose.ingress.hosts.core=harbor.javachen.space \
  4.   --set expose.ingress.hosts.notary=harbor.javachen.space \
  5.   --set persistence.persistentVolumeClaim.registry.storageClass=ceph-rbd \
  6.   --set persistence.persistentVolumeClaim.registry.size=50Gi \
  7.   --set persistence.persistentVolumeClaim.chartmuseum.storageClass=ceph-rbd \
  8.   --set persistence.persistentVolumeClaim.jobservice.storageClass=ceph-rbd \
  9.   --set persistence.persistentVolumeClaim.database.storageClass=ceph-rbd \
  10.   --set persistence.persistentVolumeClaim.database.size=5Gi \
  11.   --set persistence.persistentVolumeClaim.redis.storageClass=ceph-rbd \
  12.   --set harborAdminPassword=admin123

配置存储,使用前面letsencrypt生成的harbor-javachen-space-cert证书,通过helm3安装:

  1. helm install harbor harbor/harbor --namespace harbor --debug \
  2.   --set externalURL=https://harbor.javachen.space  \
  3.   --set expose.tls.secretName="harbor-javachen-space-cert" \
  4.   --set expose.tls.notarySecretName="notary-javachen-space-cert" \
  5.   --set expose.ingress.hosts.core=harbor.javachen.space \
  6.   --set expose.ingress.hosts.notary=notary.javachen.space \
  7.   --set persistence.persistentVolumeClaim.registry.storageClass=ceph-rbd \
  8.   --set persistence.persistentVolumeClaim.registry.size=50Gi \
  9.   --set persistence.persistentVolumeClaim.chartmuseum.storageClass=ceph-rbd \
  10.   --set persistence.persistentVolumeClaim.jobservice.storageClass=ceph-rbd \
  11.   --set persistence.persistentVolumeClaim.database.storageClass=ceph-rbd \
  12.   --set persistence.persistentVolumeClaim.database.size=5Gi \
  13.   --set persistence.persistentVolumeClaim.redis.storageClass=ceph-rbd \
  14.   --set harborAdminPassword=admin123

配置存储,使用ingress自动生成证书(参考 结合Cert-Manager完成Harbor的Https证书自动签发),通过helm3安装:
创建harbor-values.yaml

  1. expose:
  2.   type: ingress
  3.   tls:
  4.     enabled: true
  5.    # 这里可以随意填写一个,cert-manager会自动创建并挂载
  6.     secretName: "harbor-javachen-space-cert"
  7.     notarySecretName: "notary-javachen-space-cert"
  8.     commonName: ""
  9.   ingress:
  10.     hosts:
  11.       core: harbor.javachen.space
  12.       notary: notary.javachen.space
  13.     annotations:
  14.       ingress.kubernetes.io/ssl-redirect: "true"
  15.       cert-manager.io/issuer: javachen-space-letsencrypt-prod
  16. externalURL: https://harbor.javachen.space
  17. harborAdminPassword: admin123
  18. persistence:
  19.   persistentVolumeClaim:
  20.     registry:
  21.       storageClass: ceph-rbd
  22.       size: 50Gi
  23.     chartmuseum:
  24.       storageClass: ceph-rbd
  25.     jobservice:
  26.       storageClass: ceph-rbd
  27.     database:
  28.       storageClass: ceph-rbd
  29.       size: 5Gi
  30.     redis:
  31.       storageClass: ceph-rbd

运行安装:

  1. helm install harbor harbor/harbor -n harbor -f harbor-values.yaml

查看状态

  1. kubectl get pod -o wide -n harbor
  3. #如果pod初始化很慢,可以查看具体日志:
  4. kubectl describe pod harbor-harbor-database-0 -n harbor
  6. kubectl get pod,pv,pvc,sc,ingress,deployment,ingress -n harbor

如果下载镜像慢,则手动下载:

  1. docker pull busybox:latest
  2. docker pull goharbor/harbor-db:v1.9.3

查看rbd上创建的块:

  1. $ rbd list k8s
  2. kubernetes-dynamic-pvc-44f0325a-ec2e-414c-bc93-34503050fa1d
  3. kubernetes-dynamic-pvc-76dedc13-a83d-485e-a4cb-41280cd0e7d0
  4. kubernetes-dynamic-pvc-99414704-8eac-4adc-aa65-9a458fe859ec
  5. kubernetes-dynamic-pvc-c8dd8c01-07b1-4d31-9b82-0aecf9f76f3c
  6. kubernetes-dynamic-pvc-f9b96d83-3859-4942-8c25-c72c515bb997

查看Rancher上创建的pvc:
image-20191101182137146
在ceph节点上查看挂载信息

  1. cmd.sh "mount |grep rbd|grep /var/lib/kubelet/pods"

image-20191101182311225

查看证书

  1. kubectl get secret -n harbor
  3. kubectl get secret -n harbor harbor-harbor-ingress \
  4.     -o jsonpath="{.data.ca\.crt}" | base64 --decode

可以将证书导入到docker证书目录下面,这样docker就会信任该镜像仓库

  1. kubectl get secret -n harbor harbor-harbor-ingress \
  2.     -o jsonpath="{.data.ca\.crt}" | base64 --decode | \
  3.     sudo tee /etc/docker/certs.d/harbor.javachen.space/ca.crt

可以查看harbor密码:

  1. kubectl get secret -n harbor harbor-harbor-core -o \
  2.     jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode

浏览器访问服务

浏览器访问harbor:https://harbor.javachen.space/ ,用户名和密码:admin/admin123,可以看到证书是被浏览器信任的。

docker 登陆验证

docker登陆:

  1. $ docker login harbor.javachen.space
  2. Username: admin
  3. Password:

在kubernetes中使用harbor,为了避免输入账号密码,需要创建secret。以下操作在master上执行:
创建secret

  1. kubectl create secret docker-registry harbor-registry-secret \
  2.     --docker-server=harbor.javachen.space -n harbor --docker-username=admin \
  3.     --docker-password=admin123

创建完成后,可以用以下命令查看:

  1. kubectl get secret  -n harbor

出现异常:

  1. x509: certificate is valid for ingress.local, not harbor.javachen.space

参考:解决harbor+cert-manager出现ingress-nginx x509: certificate is valid for ingress.local
原因:在于证书的CA签发组织不对,使用Helm生成的证书默认域名是ingress.local,不是harbor.javachen.space。
出现异常:

  1. Error response from daemon: Get https://harbor.javachen.space/v2/: x509: certificate signed by unknown authority

参考前面,将harbor证书导入到docker证书目录下面,这样docker就会信任该镜像仓库

  1. sudo mkdir -p /etc/docker/certs.d/harbor.javachen.space/
  3. kubectl get secret -n harbor harbor-harbor-ingress \
  4.     -o jsonpath="{.data.ca\.crt}" | base64 --decode | \
  5.     sudo tee /etc/docker/certs.d/harbor.javachen.space/ca.crt

上传下载测试

在harbor管理界面,创建一个soft项目
上传镜像:

  1. $ docker images
  2. rancher/pause     3.1       da86e6ba6ca1        21 months ago       742kB
  5. docker tag rancher/pause:3.1 harbor.javachen.space/soft/pause:3.2
  6. docker push harbor.javachen.space/soft/pause:3.2
  8. docker tag rancher/pause:3.1 harbor.javachen.space/soft/pause:latest
  9. docker push harbor.javachen.space/soft/pause:latest

然后,在harbor管理界面中查看上传的镜像。

升级

升级到harbor2.0对应的chart版本为1.4.0

  1. $ helm search repo harbor
  2. NAME             CHART VERSION    APP VERSION    DESCRIPTION
  3. harbor/harbor    1.4.0            2.0.0          An open source trusted cloud native registry th...

升级:

  1. helm upgrade harbor harbor/harbor -n harbor --version 1.4.0 -f harbor-values.yaml

卸载

  1. #删除release
  2. helm del --purge harbor
  4. #删除pvc
  5. kubectl delete pvc -n harbor data-harbor-harbor-redis-0 \
  6.     database-data-harbor-harbor-database-0 \
  7.   harbor-harbor-chartmuseum \
  8.   harbor-harbor-jobservice \
  9.   harbor-harbor-registry
  12. kubectl delete pod,service,deploy,statefulset,ingress,secret,pvc,replicaset,\
  13.     daemonset,ConfigMap --all -n harbor
  15. #删除证书
  16. kubectl delete Certificate,secret harbor-javachen-space-cert -n harbor
  18. #还要删除rbd上的块
  19. rbd list k8s