Kubernetes with kubeadm, cluster optimization: adding and updating Harbor's SSL certificate

Docker pushes and pulls images over HTTPS by default, so the registry has to present a valid certificate; without one, access fails. There are two ways to handle this:

Edit the docker daemon configuration and add the registry to "insecure-registries", which turns off certificate verification
Configure an SSL certificate so that Harbor serves HTTPS

Comparison:
  • Turning off certificate verification means the daemon will fall back to plain HTTP and will not validate the registry's certificate, so the traffic is exposed to tampering and hijacking (a substituted image is the obvious outcome). Changing insecure-registries also requires restarting the docker daemon, which interrupts running containers, and every change of registry IP, new registry or changed subnet means another restart.
  • Configuring an SSL certificate encrypts the traffic and protects its integrity. The Harbor documentation recommends running over HTTPS, so below we show how to add a certificate to Harbor.
Certificate types

SSL certificates fall into two kinds: self-signed certificates and public certificates.

A self-signed certificate is one you issue from a CA you run yourself. It encrypts the connection just as well, but it is normally used only internally, because clients do not trust your CA until its root certificate has been imported. A public certificate is signed by a trusted certificate vendor; every operating system and browser ships with those vendors' CA certificates in its trusted root store, so a public certificate works out of the box, while an internal certificate needs the self-signed CA root imported first. In short, public certificates are the more convenient option and are generally issued for a domain name; private certificates are for internal use, need the self-signed CA root imported (or pre-provisioned) on every client, and have the advantage of not depending on a third-party vendor. For convenience we use a free public CA certificate issued for a domain name, so that one certificate can be configured once and used from everywhere.
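For the self-signed path described above, the following added example (not code from the original post) builds a private CA, issues a server certificate for the registry from it, verifies the chain the way the docker daemon will, and installs the CA root under /etc/docker/certs.d, which is where the docker client looks for registry CAs. The hostname harbor.example.internal, the output directory and the file names are assumptions; requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post: private CA + server certificate
# for an internal Harbor, plus the docker-side trust installation.
# HARBOR_HOST and OUT are assumptions; substitute your registry hostname.
set -eu

HARBOR_HOST="${HARBOR_HOST:-harbor.example.internal}"   # assumed registry hostname
OUT="${OUT:-$(mktemp -d)}"                              # where keys and certs are written

# Private root CA: 4096-bit RSA key, self-signed for ten years.
make_ca() {
  openssl genrsa -out "$OUT/ca.key" 4096 2>/dev/null
  chmod 0600 "$OUT/ca.key"
  openssl req -x509 -new -key "$OUT/ca.key" -sha256 -days 3650 \
    -subj "/CN=Internal Harbor CA" -out "$OUT/ca.crt"
}

# Server certificate for the registry. The subjectAltName is mandatory:
# recent docker builds (Go x509) ignore the CN and match only SAN entries.
make_server_cert() {
  openssl genrsa -out "$OUT/$HARBOR_HOST.key" 2048 2>/dev/null
  chmod 0600 "$OUT/$HARBOR_HOST.key"
  openssl req -new -key "$OUT/$HARBOR_HOST.key" \
    -subj "/CN=$HARBOR_HOST" -out "$OUT/$HARBOR_HOST.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$HARBOR_HOST" > "$OUT/server.ext"
  openssl x509 -req -in "$OUT/$HARBOR_HOST.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$OUT/server.ext" \
    -out "$OUT/$HARBOR_HOST.crt" 2>/dev/null
}

# The check the docker daemon performs: does the leaf chain to a trusted CA?
verify_chain() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/$HARBOR_HOST.crt" >/dev/null 2>&1
}

# Trust the CA on each docker client by dropping it into
# /etc/docker/certs.d/<registry-host>/ca.crt. The daemon reads this per
# connection, so no restart is needed, unlike "insecure-registries" in
# daemon.json, the weak alternative the text compares against.
install_docker_trust() {  # $1 = certs.d root (default /etc/docker/certs.d)
  certs_d="${1:-/etc/docker/certs.d}"
  mkdir -p "$certs_d/$HARBOR_HOST"
  cp "$OUT/ca.crt" "$certs_d/$HARBOR_HOST/ca.crt"
  [ -s "$certs_d/$HARBOR_HOST/ca.crt" ]
}

# Usage: HARBOR_HOST=harbor.example.internal ./make-harbor-ca.sh issue [/etc/docker/certs.d]
if [ "${1:-}" = "issue" ]; then
  make_ca
  make_server_cert
  verify_chain
  install_docker_trust "${2:-/etc/docker/certs.d}"
  echo "CA and server certificate written to $OUT"
fi
```

Point harbor.yml's certificate and private_key at $OUT/$HARBOR_HOST.crt and $OUT/$HARBOR_HOST.key. If Harbor listens on a port other than 443, the certs.d directory name must be host:port. The ca.key stays on the CA machine only; clients need nothing but ca.crt.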

Applying for a public SSL certificate
  • There are many public SSL certificate vendors, such as Symantec, GeoTrust and WoSign, and several offer free single-subdomain certificates, such as GeoTrust, Let's Encrypt and FreeSSL. Third-party platforms generally resell certificates from several vendors. Below we use Alibaba Cloud's SSL certificate service to apply for a free certificate.
  • In the Alibaba Cloud certificate console, go to purchase certificates and choose the free certificate.
  • Click apply, enter the domain name and contact details, then complete DNS-based domain validation as prompted.
  • Under issued certificates, click download. Harbor's nginx needs the certificate as a PEM file and the unencrypted private key, which is what harbor.yml points at below.

Because a public SSL certificate is only valid for one year at a time, it has to be replaced regularly; the same steps below serve for the initial setup and for each renewal:

1. Edit the Harbor configuration file
# cd /opt/app/harbor
# ls
common  common.sh  docker-compose.yml  harbor.v2.0.0.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  LICENSE  prepare  ssl

Edit the https section of harbor.yml so that it points at the certificate and private key:

# vim harbor.yml
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  #  certificate: /your/certificate/path
  #  private_key: /your/private/key/path
  certificate: /opt/app/harbor/ssl/peogoo.com.pem
  private_key: /opt/app/harbor/ssl/peogoo.com.key
2. After editing harbor.yml, run prepare to regenerate the component configuration (this is what copies the certificate and key into the nginx config directory)
# cd /opt/app/harbor
# ls
common  common.sh  docker-compose.yml  harbor.v2.0.0.tar.gz  harbor.yml  harbor.yml.tmpl  install.sh  LICENSE  prepare  ssl
# ./prepare
prepare base dir is set to /opt/app/harbor
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/passwd
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
3. Stop and restart Harbor. Note that the two transcripts below are not one sequence: docker-compose down removes the containers and the network, after which docker-compose start has nothing to start. After down, bring the stack back with docker-compose up -d. Alternatively, since prepare copies the certificate and key into common/config/nginx/cert, which the nginx container bind-mounts, docker-compose stop followed by docker-compose start (or docker-compose restart proxy, the nginx service) is enough to pick up a new certificate.
# cd /opt/app/harbor
# docker-compose down
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping harbor-portal     ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-core       ... done
Removing harbor-db         ... done
Removing redis             ... done
Removing harbor-portal     ... done
Removing registryctl       ... done
Removing registry          ... done
Removing harbor-log        ... done
Removing network harbor_harbor

# docker-compose start
Starting log         ... done
Starting postgresql  ... done
Starting redis       ... done
Starting portal      ... done
Starting registry    ... done
Starting core        ... done
Starting jobservice  ... done
Starting proxy       ... done
Starting registryctl ... done

# docker ps
CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS                             PORTS                                         NAMES
2d680a4205f1        goharbor/nginx-photon:v2.0.0         "nginx -g 'daemon of..."   5 months ago        Up 27 seconds (health: starting)   0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp   nginx
65c3dc2e985a        goharbor/harbor-jobservice:v2.0.0    "/harbor/entrypoint...."   5 months ago        Up 27 seconds (health: starting)                                                 harbor-jobservice
6c5eebed24f9        goharbor/harbor-core:v2.0.0          "/harbor/entrypoint...."   5 months ago        Up 27 seconds (health: starting)                                                 harbor-core
2b6477408c44        goharbor/harbor-db:v2.0.0            "/docker-entrypoint...."   5 months ago        Up 28 seconds (health: starting)   5432/tcp                                      harbor-db
ebb763bea740        goharbor/redis-photon:v2.0.0         "redis-server /etc/r..."   5 months ago        Up 28 seconds (health: starting)   6379/tcp                                      redis
3c68c72a79c0        goharbor/harbor-portal:v2.0.0        "nginx -g 'daemon of..."   5 months ago        Up 29 seconds (health: starting)   8080/tcp                                      harbor-portal
2aa053eaa705        goharbor/harbor-registryctl:v2.0.0   "/home/harbor/start...."   5 months ago        Up 29 seconds (health: starting)                                                 registryctl
c3a6086e810e        goharbor/registry-photon:v2.0.0      "/home/harbor/entryp..."   5 months ago        Up 28 seconds (health: starting)   5000/tcp                                      registry
dec4b5284ff8        goharbor/harbor-log:v2.0.0           "/bin/sh -c /usr/loc..."   5 months ago        Up 30 seconds (health: starting)    127.0.0.1:1514->10514/tcp                     harbor-log
4. Log in to Harbor again; the docker client validates the new certificate on login, so a chain or hostname problem shows up here.
# docker login harbor.peogoo.com
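The four steps above as one script, with the checks a practitioner wants before touching nginx and after the restart. This is an added example, not code from the original post or from the Harbor project: it refuses a certificate whose key does not match, that expires within 30 days, or whose SAN does not cover the registry hostname, then installs the files under the paths the post's harbor.yml references, runs prepare, recreates the containers, and confirms that the certificate nginx actually serves has the fingerprint of the file just installed. HARBOR_DIR, HARBOR_HOST and the destination file names are assumptions taken from the post; requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post: certificate renewal for Harbor
# with pre-flight checks and a post-restart verification.
# HARBOR_DIR, HARBOR_HOST and the file names mirror the post's harbor.yml;
# all are assumptions to adjust.
set -eu

HARBOR_DIR="${HARBOR_DIR:-/opt/app/harbor}"
HARBOR_HOST="${HARBOR_HOST:-harbor.peogoo.com}"
CERT_DST="$HARBOR_DIR/ssl/peogoo.com.pem"   # the paths harbor.yml points at
KEY_DST="$HARBOR_DIR/ssl/peogoo.com.key"

# Pre-flight 1: certificate and key must belong together. Comparing the
# public keys works for RSA and EC keys alike.
cert_key_match() {  # $1=cert.pem $2=key.pem
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Pre-flight 2: the certificate must still be valid $2 days from now, so an
# expired or about-to-expire file is refused before it reaches nginx.
cert_valid_for_days() {  # $1=cert.pem $2=days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Pre-flight 3: the SAN must cover the registry hostname, exactly or through
# a wildcard for its parent domain (e.g. DNS:*.peogoo.com).
cert_covers_host() {  # $1=cert.pem $2=hostname
  h=$(printf '%s' "$2" | sed 's/\./\\./g')
  w=$(printf '%s' "${2#*.}" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:($h|\*\.$w)(,|$)"
}

# SHA-256 fingerprint of a certificate file, and of the leaf nginx presents.
file_cert_fingerprint() {  # $1=cert.pem
  openssl x509 -in "$1" -noout -fingerprint -sha256
}
served_cert_fingerprint() {  # $1=hostname
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Steps 1-4 of the post: install the files harbor.yml references, regenerate
# the component configs with prepare, recreate the containers, then confirm
# the proxy really serves the new certificate.
renew_harbor_cert() {  # $1=new cert.pem $2=new key.pem
  cert_key_match "$1" "$2"             || { echo "certificate and key do not match" >&2; return 1; }
  cert_valid_for_days "$1" 30          || { echo "certificate expires within 30 days" >&2; return 1; }
  cert_covers_host "$1" "$HARBOR_HOST" || { echo "certificate does not cover $HARBOR_HOST" >&2; return 1; }
  install -m 0644 "$1" "$CERT_DST"
  install -m 0600 "$2" "$KEY_DST"
  cd "$HARBOR_DIR"
  ./prepare              # copies the pair into common/config/nginx/cert/
  docker-compose down    # removes the containers, so 'start' would find nothing;
  docker-compose up -d   # recreate them instead
  want=$(file_cert_fingerprint "$CERT_DST")
  i=0
  until [ "$(served_cert_fingerprint "$HARBOR_HOST" 2>/dev/null || true)" = "$want" ]; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "nginx is not serving the new certificate" >&2; return 1; }
    sleep 2
  done
  echo "Harbor now serves $want"
}

# Usage: ./harbor-cert-renew.sh renew /path/to/new.pem /path/to/new.key
if [ "${1:-}" = "renew" ]; then renew_harbor_cert "$2" "$3"; fi
```

Run the three pre-flight functions by hand on the downloaded files before a renewal if you prefer to keep the manual steps; the served-versus-file fingerprint comparison is also the quickest way to tell whether a failing docker login is due to Harbor still presenting the old certificate.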