Kubernetes kubeadm cluster tuning: adding and renewing the SSL certificate on Harbor

Docker pushes and pulls images over HTTPS by default, so a registry needs a TLS certificate; without one the registry cannot be used from Docker. There are two ways to deal with this:

Edit the Docker daemon configuration and list the registry under "insecure-registries", which turns certificate verification off for that registry.
Configure an SSL certificate so that Harbor serves HTTPS.

Comparison:
  • Turning certificate verification off means the registry is no longer authenticated and Docker may fall back to plain HTTP, so the connection is not secure: image data can be intercepted, hijacked or tampered with in transit. Changing insecure-registries also means editing the daemon configuration and restarting the Docker service, which interrupts running containers, and this has to be repeated every time a registry address changes, a registry is added, or a subnet changes.
  • Configuring an SSL certificate encrypts the traffic and lets clients authenticate the registry. The official recommendation is to run Harbor over HTTPS; the rest of this article shows how to add an SSL certificate to Harbor.
Certificate types

SSL certificates come in two kinds: self-signed (private CA) certificates and public certificates.

A self-signed certificate is one issued by a CA you run yourself. It encrypts just as well, but it is normally used only internally. A public certificate is signed by a trusted certificate provider; because the root certificates of the public providers are already present in the trust stores of operating systems and browsers, a public certificate works without any client-side setup, whereas a private certificate only works after the self-signed CA root has been imported on every client. In short, public certificates are the more convenient option and are generally issued for a domain name; private certificates are for internal use, require the CA certificate to be imported (or pre-provisioned) on clients, and have the advantage of not depending on a third-party certificate vendor. For convenience, this article uses a free public CA certificate issued for a domain name, so that one certificate can be configured once and used in several places.
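The comparison above and the note that a private certificate needs its CA imported on clients both come down to how the Docker client host is configured. As an added example that is not part of the original article or of Docker or Harbor, the shell functions below put the daemon.json setting being argued against next to the per-registry CA directory Docker consults instead, so a private CA can be trusted for one registry without switching verification off. The registry name harbor.example.test, the configurable base directory (only so the functions can be exercised in a temporary directory) and the openssl-generated test CA are assumptions; the openssl CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Trusting a private registry CA on a Docker client host without insecure-registries.
# Added example; not code from the article, Docker or Harbor. Docker reads
# /etc/docker/certs.d/<registry-host[:port]>/ca.crt each time it connects to that
# registry, so the CA is trusted for that host only and TLS stays verified.
# The base directory is a parameter only to allow offline testing. Needs openssl.
set -u

# For comparison, the weak setting in /etc/docker/daemon.json the article argues
# against: verification off, plain-HTTP fallback allowed, daemon restart to change.
#   { "insecure-registries": ["harbor.peogoo.com"] }

# 0 if FILE is a PEM certificate whose basicConstraints say CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Directory Docker consults for REGISTRY, written exactly as it appears in image
# names (harbor.peogoo.com, or harbor.peogoo.com:8443 for a non-default port).
registry_cert_dir() {
  printf '%s/%s\n' "${2:-/etc/docker/certs.d}" "$1"
}

# Install CA_FILE as <base>/REGISTRY/ca.crt. Refuses anything that is not a CA
# certificate, so a leaf certificate or a private key cannot be dropped in by mistake.
trust_registry_ca() {
  local registry="$1" ca_file="$2" base="${3:-/etc/docker/certs.d}" dir
  if ! is_ca_cert "$ca_file"; then
    echo "refusing $ca_file: not a CA certificate" >&2
    return 1
  fi
  dir=$(registry_cert_dir "$registry" "$base")
  mkdir -p "$dir" || return 1
  cp "$ca_file" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt"
}

# 0 if REGISTRY already has a ca.crt installed that validates CERT_FILE (extra
# certificates in CERT_FILE are used as untrusted intermediates).
registry_trusts_cert() {
  local dir
  dir=$(registry_cert_dir "$1" "${3:-/etc/docker/certs.d}")
  [ -f "$dir/ca.crt" ] && openssl verify -CAfile "$dir/ca.crt" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Usage on a real client host (as root):
#   trust_registry_ca harbor.example.test /path/to/private-ca.pem
```

Because the directory name is the registry host, a CA installed this way is never consulted for any other registry, which is the property insecure-registries cannot give you.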

Applying for a public SSL certificate
  • There are many public SSL certificate providers, such as Symantec, GeoTrust and WoSign, and there are also many free single-subdomain certificates, for example from GeoTrust, Let's Encrypt and FreeSSL. Third-party platforms usually resell certificates from the various vendors. Here we use Alibaba Cloud's SSL certificate service to apply for a free certificate.
  • In the Alibaba Cloud certificate service, go to Purchase Certificate and choose the free certificate.
  • Click Apply, enter the domain name, address, contact details and so on, then complete the DNS configuration and domain validation as prompted.
  • Under Issued Certificates, click Download.

Because a public SSL certificate is only valid for one year at a time, the steps below also serve as the procedure for replacing the certificate when it comes up for renewal:

1. Edit the Harbor configuration file
# cd /opt/app/harbor
# ls
common  common.sh  docker-compose.yml  harbor.v2.0.0.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  LICENSE  prepare  ssl

Edit the https section of harbor.yml and point certificate and private_key at the new files. The certificate file is the PEM bundle that nginx will serve, so it should contain the server certificate followed by the intermediate CA certificates (the nginx bundle from the provider's download); the private key must be the one matching that certificate:

# vim harbor.yml
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  #  certificate: /your/certificate/path
  #  private_key: /your/private/key/path
  certificate: /opt/app/harbor/ssl/peogoo.com.pem
  private_key: /opt/app/harbor/ssl/peogoo.com.key
2. After changing harbor.yml, run ./prepare so that the container configuration files (the nginx configuration among them, as the output shows) are regenerated from it
# cd /opt/app/harbor
# ls
common  common.sh  docker-compose.yml  harbor.v2.0.0.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  LICENSE  prepare  ssl
# ./prepare
prepare base dir is set to /opt/app/harbor
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/passwd
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
3. Stop and start Harbor again. Note that docker-compose down removes the containers and the network (see the Removing lines below), so after it the stack has to be recreated with docker-compose up -d; docker-compose start only starts containers that still exist and were stopped with docker-compose stop.
# cd /opt/app/harbor
# docker-compose down
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping harbor-portal     ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-core       ... done
Removing harbor-db         ... done
Removing redis             ... done
Removing harbor-portal     ... done
Removing registryctl       ... done
Removing registry          ... done
Removing harbor-log        ... done
Removing network harbor_harbor

# docker-compose start
Starting log         ... done
Starting postgresql  ... done
Starting redis       ... done
Starting portal      ... done
Starting registry    ... done
Starting core        ... done
Starting jobservice  ... done
Starting proxy       ... done
Starting registryctl ... done

# docker ps
CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS                             PORTS                                         NAMES
2d680a4205f1        goharbor/nginx-photon:v2.0.0         "nginx -g 'daemon of..."   5 months ago        Up 27 seconds (health: starting)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp   nginx
65c3dc2e985a        goharbor/harbor-jobservice:v2.0.0    "/harbor/entrypoint...."   5 months ago        Up 27 seconds (health: starting)                                                 harbor-jobservice
6c5eebed24f9        goharbor/harbor-core:v2.0.0          "/harbor/entrypoint...."   5 months ago        Up 27 seconds (health: starting)                                                 harbor-core
2b6477408c44        goharbor/harbor-db:v2.0.0            "/docker-entrypoint...."   5 months ago        Up 28 seconds (health: starting)   5432/tcp                                      harbor-db
ebb763bea740        goharbor/redis-photon:v2.0.0         "redis-server /etc/r..."   5 months ago        Up 28 seconds (health: starting)   6379/tcp                                      redis
3c68c72a79c0        goharbor/harbor-portal:v2.0.0        "nginx -g 'daemon of..."   5 months ago        Up 29 seconds (health: starting)   8080/tcp                                      harbor-portal
2aa053eaa705        goharbor/harbor-registryctl:v2.0.0   "/home/harbor/start...."   5 months ago        Up 29 seconds (health: starting)                                                 registryctl
c3a6086e810e        goharbor/registry-photon:v2.0.0      "/home/harbor/entryp..."   5 months ago        Up 28 seconds (health: starting)   5000/tcp                                      registry
dec4b5284ff8        goharbor/harbor-log:v2.0.0           "/bin/sh -c /usr/loc..."   5 months ago        Up 30 seconds (health: starting)    127.0.0.1:1514->10514/tcp                     harbor-log
4. Log in to Harbor again
# docker login harbor.peogoo.com
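The four steps above swap the certificate, but nothing in them checks the new files before ./prepare renders them into nginx, or proves afterwards that nginx is serving the new certificate rather than the old one. As an added example that is not code from the article or from the Harbor project, the following shell functions do both: preflight runs before step 1 (key matches certificate, the name used in docker login is in the SANs, not about to expire, chain verifies, intermediates present) and the two fingerprint functions are compared after step 3. It assumes the openssl CLI; the article's hostname and paths appear only in the usage comment, and the make_test_pki helper produces constructed test data so the checks can be exercised offline.

```shell
#!/usr/bin/env bash
# Checks around a Harbor certificate rotation: preflight before step 1, and a
# fingerprint comparison after step 3. Added example, not from the article or
# Harbor; assumes the openssl CLI. Article hostname/paths appear only in comments.
set -u

# 0 if the certificate and the private key carry the same public key.
cert_key_match() {
  local cert="$1" key="$2" c k
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the name clients will use (docker login HOST) is covered by the SANs.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# 0 if the certificate is still valid DAYS days from now (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Number of PEM certificates in the file. nginx serves the file as-is, so 1 means
# the intermediate chain is missing and clients that do not fetch intermediates
# will fail with "certificate signed by unknown authority".
cert_chain_length() {
  grep -c "BEGIN CERTIFICATE" "$1"
}

# 0 if the first certificate in the file chains to a trusted root, using the other
# certificates in the same file as untrusted intermediates. CAFILE replaces the
# system trust store (needed when the issuer is a private CA).
cert_chain_ok() {
  local cert="$1" ca="${2:-}"
  if [ -n "$ca" ]; then
    openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1
  else
    openssl verify -untrusted "$cert" "$cert" >/dev/null 2>&1
  fi
}

# SHA-256 fingerprint of the certificate in a file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Fingerprint of the certificate actually served on HOST:PORT (needs network, so
# not exercised offline). After step 3 it must equal cert_fingerprint of the file
# named in harbor.yml; if it does not, nginx is still serving the old certificate.
live_fingerprint() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# All offline checks for CERT KEY HOST [CAFILE]; one line per check, returns 1 on any failure.
preflight() {
  local cert="$1" key="$2" host="$3" ca="${4:-}" rc=0
  if cert_key_match "$cert" "$key"; then echo "PASS: private key matches certificate"
  else echo "FAIL: private key does not match certificate"; rc=1; fi
  if cert_covers_host "$cert" "$host"; then echo "PASS: certificate covers $host"
  else echo "FAIL: certificate does not cover $host"; rc=1; fi
  if cert_valid_for_days "$cert" 30; then echo "PASS: valid for at least 30 more days"
  else echo "FAIL: expires within 30 days or already expired"; rc=1; fi
  if cert_chain_ok "$cert" "$ca"; then echo "PASS: chain verifies to a trusted root"
  else echo "FAIL: chain does not verify (missing intermediate or untrusted CA)"; rc=1; fi
  if [ "$(cert_chain_length "$cert")" -lt 2 ]; then
    echo "WARN: $cert holds a single certificate; nginx should get the full chain"
  fi
  return "$rc"
}

# Throwaway CA plus a 90-day leaf for HOST written into DIR: constructed test data
# for exercising the checks offline, never for a real registry.
make_test_pki() {
  local dir="$1" host="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Test Harbor CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$dir/san.cnf" \
    -out "$dir/$host.pem" >/dev/null 2>&1 || return 1
  cat "$dir/ca.pem" >> "$dir/$host.pem"   # append the issuer, like a full-chain bundle
}

# Usage on the article's host, before step 1:
#   preflight /opt/app/harbor/ssl/peogoo.com.pem /opt/app/harbor/ssl/peogoo.com.key harbor.peogoo.com
# and after step 3:
#   [ "$(live_fingerprint harbor.peogoo.com)" = "$(cert_fingerprint /opt/app/harbor/ssl/peogoo.com.pem)" ]
if [ "$#" -ge 3 ]; then
  preflight "$@"
fi
```

preflight deliberately stops short of anything that needs the registry to be up, so it can run on the new files in /opt/app/harbor/ssl before ./prepare copies them into the nginx configuration; the live fingerprint comparison is what tells you the docker-compose restart actually picked them up.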