Kubernetes之kubeadm集群优化篇—harbor添加更新SSL证书

杰哥的技术杂货铺2023-11-27 16:45

docker 从docker 仓库中推送或获取镜像都是默认走https协议的。需要配置ssl证书,否则将无法方面,为了解决这以问题,我们有2个方案:

修改docker配置文件,关闭证书 "insecure-registries"。关闭证书校验
配置ssl证书,配置harbor走https协议

对比:
  • 关闭证书校验,也就是不加密,不走https协议。带来的问题就是不安全,能都收到数据篡改和数据劫持等风险。且修改insecure-registries参数是需要重启docker服务的,是会终断容器业务的,并且每次修改仓库ip,或新增仓库,或修改网段都需要重启docker
  • 配置ssl证书,也是实现数据加密保障数据安全。官方建议采用https方式运行,下面我们介绍如何配置harbor添加ssl证书。
证书分类

ssl证书分为:自签名证书、公网证书

自签名证书就是通过自建CA的方面,创建签名证书,具有加密的功能,一般仅供内部使用。公网证书是受信任的证书提供商签名的证书,由于我们所有的系统、浏览器内置的受信任的根证书颁发机构中都默认有了公网证书提供商的CA证书,公网证书可以直接使用。内网证书需要导入自签名的CA跟证书才能使用。简单来说,公网证书相对方便,一般基于域名进行签名。私有证书供内部使用,一般需要导入自签名CA证书,或提前预制导入CA证书,私有证书的优势在于自签名,无需通过第三方证书供应商。为了方便起见,我们采用公网免费ca证书。使用域名的形式配置证书,这样就可以实现一次配置多处使用。

公网ssl证书申请
  • 公网ssl证书提供商有很多,如赛门铁克、geotrust 、沃通 等等。免费的单二级域名ssl证书也有很多,如geotrust、Let's Encrypt、Free ssl等。三方平台一般都会提供各个厂商的ssl证书申请。下面我们就用阿里云的SSL证书服务来申请免费的证书。、
  • 在阿里云的证书服务中找到购买证书,选择免费证书。
  • 点击申请,输入域名 地址 ,联系人等。按照提示进行dns配置,域名验证
  • 找到已颁发证书,点击下载证书

因为公网ssl证书每次使用期限仅有一年时间,所以更换ssl证书时,也可以使用以下方法:

1、修改harbor配置文件
复制代码 
# cd /opt/app/harbor
# ls
common  common.sh  docker-compose.yml  harbor.v2.0.0.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  LICENSE  prepare  ssl

修改Harbor相关https的配置,指定ssl证书的路径

复制代码 
# vim harbor.yml
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  #  certificate: /your/certificate/path
  #  private_key: /your/private/key/path
  certificate: /opt/app/harbor/ssl/peogoo.com.pem
  private_key: /opt/app/harbor/ssl/peogoo.com.key
2、修改harbor后需要预编译下harbor
复制代码 
# cd /opt/app/harbor
# ls
common  common.sh  docker-compose.yml  harbor.v2.0.0.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  LICENSE  prepare  ssl
# ./prepare
prepare base dir is set to /opt/app/harbor
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/passwd
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
3、重新关闭启动harbor
复制代码 
# cd /opt/app/harbor
# docker-compose down
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping harbor-portal     ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-core       ... done
Removing harbor-db         ... done
Removing redis             ... done
Removing harbor-portal     ... done
Removing registryctl       ... done
Removing registry          ... done
Removing harbor-log        ... done
Removing network harbor_harbor

# docker-compose start
Starting log         ... done
Starting postgresql  ... done
Starting redis       ... done
Starting portal      ... done
Starting registry    ... done
Starting core        ... done
Starting jobservice  ... done
Starting proxy       ... done
Starting registryctl ... done

# docker ps
CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS                             PORTS                                         NAMES
2d680a4205f1        goharbor/nginx-photon:v2.0.0         "nginx -g 'daemon of..."   5 months ago        Up 27 seconds (health: starting)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp   nginx
65c3dc2e985a        goharbor/harbor-jobservice:v2.0.0    "/harbor/entrypoint...."   5 months ago        Up 27 seconds (health: starting)                                                 harbor-jobservice
6c5eebed24f9        goharbor/harbor-core:v2.0.0          "/harbor/entrypoint...."   5 months ago        Up 27 seconds (health: starting)                                                 harbor-core
2b6477408c44        goharbor/harbor-db:v2.0.0            "/docker-entrypoint...."   5 months ago        Up 28 seconds (health: starting)   5432/tcp                                      harbor-db
ebb763bea740        goharbor/redis-photon:v2.0.0         "redis-server /etc/r..."   5 months ago        Up 28 seconds (health: starting)   6379/tcp                                      redis
3c68c72a79c0        goharbor/harbor-portal:v2.0.0        "nginx -g 'daemon of..."   5 months ago        Up 29 seconds (health: starting)   8080/tcp                                      harbor-portal
2aa053eaa705        goharbor/harbor-registryctl:v2.0.0   "/home/harbor/start...."   5 months ago        Up 29 seconds (health: starting)                                                 registryctl
c3a6086e810e        goharbor/registry-photon:v2.0.0      "/home/harbor/entryp..."   5 months ago        Up 28 seconds (health: starting)   5000/tcp                                      registry
dec4b5284ff8        goharbor/harbor-log:v2.0.0           "/bin/sh -c /usr/loc..."   5 months ago        Up 30 seconds (health: starting)    127.0.0.1:1514->10514/tcp                     harbor-log
4、重新登录harbor
复制代码 
# docker login harbor.peogoo.com
相关推荐
吠品4 小时前
免费SSL证书自动化申请:DNS代理验证
网络协议·自动化·ssl
间彧8 小时前
Kubernetes滚动发布详解
kubernetes
间彧8 小时前
在实际生产环境中,Kubernetes声明式API如何实现蓝绿部署、金丝雀发布等高级部署策略?
kubernetes
间彧8 小时前
Kubernetes声明式API相比传统命令式API在故障恢复场景下的具体优势有哪些?
kubernetes·github
间彧8 小时前
为什么说Kubernetes的API设计是其成功的关键因素之一?
kubernetes
间彧9 小时前
Kubernetes Deployment 配置简化实战:从复杂到高效
kubernetes
普普通通的南瓜12 小时前
IP证书在关键信息基础设施安全防护中的实践与挑战
网络·数据库·网络协议·tcp/ip·安全·ssl
可爱的小小小狼12 小时前
k8s:服务网格Service Mesh(服务网格)istio和envoy
kubernetes·istio·service_mesh
e***753921 小时前
在 Windows 上生成本地 SSL 证书并使用 HTTPS 访问本地 Nginx 服务器
windows·https·ssl
稚辉君.MCA_P8_Java1 天前
Gemini永久会员 containerd部署java项目 kubernetes集群
后端·spring cloud·云原生·容器·kubernetes
热门推荐
01GitHub 镜像站点02【保姆级教程】免费使用Gemini3的5种方法!免翻墙/国内直连03BongoCat - 跨平台键盘猫动画工具04UV安装并设置国内源05安娜的档案(Anna’s Archive) 镜像网站/国内最新可访问入口(持续更新)06Linux下V2Ray安装配置指南07Google Antigravity:无法登录?早期错误、登录修复和用户反馈指南08Labelme从安装到标注:零基础完整指南09全球最强模型Grok4,国内已可免费使用!(附教程)1046个Nano-banana 精选提示词,持续更新中