一、环境准备
主机名:harbor250.lyx.com IP:10.0.0.250
二、 准备Harbor安装包
root@harbor250:~# wget https://github.com/goharbor/harbor/releases/download/v2.12.2/harbor-offline-installer-v2.12.2.tgz
三、 安装docker,docker-compose并解压harbor安装包
root@harbor250:~# tar xf oldboyedu-autoinstall-docker-docker-compose.tar.gz
root@harbor250:~# ./install-docker.sh i
root@harbor250:~# tar xf harbor-offline-installer-v2.12.2.tgz -C /usr/local/
四、 配置CA证书
1、进入到harbor程序根目录
root@harbor250:/usr/local/harbor# ll
total 636508
drwxr-xr-x 2 root root 4096 Mar 25 10:30 ./
drwxr-xr-x 11 root root 4096 Mar 25 10:30 ../
-rw-r--r-- 1 root root 3646 Jan 16 22:10 common.sh
-rw-r--r-- 1 root root 651727378 Jan 16 22:11 harbor.v2.12.2.tar.gz
-rw-r--r-- 1 root root 14288 Jan 16 22:10 harbor.yml.tmpl
-rwxr-xr-x 1 root root 1975 Jan 16 22:10 install.sh*
-rw-r--r-- 1 root root 11347 Jan 16 22:10 LICENSE
-rwxr-xr-x 1 root root 2211 Jan 16 22:10 prepare*
2、创建存放证书的目录
root@harbor250:/usr/local/harbor# mkdir -pv certs/{ca,harbor-server,docker-client}
mkdir: created directory 'certs'
mkdir: created directory 'certs/ca'
mkdir: created directory 'certs/harbor-server'
mkdir: created directory 'certs/docker-client'
root@harbor250:/usr/local/harbor# tree certs
certs
├── ca
├── docker-client
└── harbor-server
3 directories, 0 files
3、 创建CA的私钥
root@harbor250:/usr/local/harbor# cd certs/
root@harbor250:/usr/local/harbor/certs# openssl genrsa -out ca/ca.key 4096
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│ └── ca.key
├── docker-client
└── harbor-server
3 directories, 1 file
4、 基于自建的CA私钥创建CA证书(注意,证书签发的域名范围)
root@harbor250:/usr/local/harbor/certs# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=oldboyedu.com" \
-key ca/ca.key \
-out ca/ca.crt
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│ ├── ca.crt
│ └── ca.key
├── docker-client
└── harbor-server
3 directories, 2 files
5、查看自建证书信息
root@harbor250:/usr/local/harbor/certs# openssl x509 -in ca/ca.crt -noout -text
五、 配置harbor服务端证书
1、生成harbor服务器私钥
root@harbor250:/usr/local/harbor/certs# openssl genrsa -out harbor-server/harbor250.oldboyedu.com.key 4096
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│ ├── ca.crt
│ └── ca.key
├── docker-client
└── harbor-server
└── harbor250.oldboyedu.com.key
3 directories, 3 files
2、 harbor服务器基于私钥生成证书签名请求(csr文件),交由自建CA签发
root@harbor250:/usr/local/harbor/certs# openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor250.oldboyedu.com" \
-key harbor-server/harbor250.oldboyedu.com.key \
-out harbor-server/harbor250.oldboyedu.com.csr
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│ ├── ca.crt
│ └── ca.key
├── docker-client
└── harbor-server
├── harbor250.oldboyedu.com.csr
└── harbor250.oldboyedu.com.key
3 directories, 4 files
3、 生成x509 v3 的扩展文件用于签发(subjectAltName 中的域名需与 harbor.yml 的 hostname 一致)
root@harbor250:/usr/local/harbor/certs# cat > harbor-server/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor250.oldboyedu.com
EOF
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│ ├── ca.crt
│ └── ca.key
├── docker-client
└── harbor-server
├── harbor250.oldboyedu.com.csr
├── harbor250.oldboyedu.com.key
└── v3.ext
3 directories, 5 files
4、基于 x509 v3 的扩展文件,用自建CA签发harbor server证书
root@harbor250:/usr/local/harbor/certs# openssl x509 -req -sha512 -days 3650 \
-extfile harbor-server/v3.ext \
-CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
-in harbor-server/harbor250.oldboyedu.com.csr \
-out harbor-server/harbor250.oldboyedu.com.crt
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│ ├── ca.crt
│ └── ca.key
├── docker-client
└── harbor-server
├── harbor250.oldboyedu.com.crt
├── harbor250.oldboyedu.com.csr
├── harbor250.oldboyedu.com.key
└── v3.ext
3 directories, 6 files
5、修改harbor的配置文件使用自建证书
root@harbor250:/usr/local/harbor/certs# cp ../harbor.yml{.tmpl,}
root@harbor250:/usr/local/harbor/certs# vim ../harbor.yml
...
hostname: harbor250.oldboyedu.com
https:
...
certificate: /usr/local/harbor/certs/harbor-server/harbor250.oldboyedu.com.crt
private_key: /usr/local/harbor/certs/harbor-server/harbor250.oldboyedu.com.key
...
harbor_admin_password: 1
...
data_volume: /var/lib/harbor
...
6、安装harbor服务
root@harbor250:/usr/local/harbor/certs# ../install.sh
六、访问harbor的webUI
#在windows上做hosts解析
10.0.0.250 harbor250.oldboyedu.com
#访问测试
https://harbor250.oldboyedu.com/harbor/projects/1/repositories
七、 配置docker客户端证书
1、准备docker客户端证书文件(复用CA证书与harbor服务端证书,并将服务端证书重命名为 .cert 后缀)
root@harbor250:/usr/local/harbor/certs# cp ca/ca.crt harbor-server/harbor250.oldboyedu.com.key docker-client/
root@harbor250:/usr/local/harbor/certs# cp harbor-server/harbor250.oldboyedu.com.crt docker-client/harbor250.oldboyedu.com.cert
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│ ├── ca.crt
│ └── ca.key
├── docker-client
│ ├── ca.crt
│ ├── harbor250.oldboyedu.com.cert
│ └── harbor250.oldboyedu.com.key
└── harbor-server
├── harbor250.oldboyedu.com.crt
├── harbor250.oldboyedu.com.csr
├── harbor250.oldboyedu.com.key
└── v3.ext
3 directories, 9 files
2、docker客户端创建自建证书的目录结构(注意域名的名称和目录要一致~)
root@elk91:~# mkdir -pv /etc/docker/certs.d/harbor250.oldboyedu.com/
3、 拷贝docker client证书文件到客户端(docker 校验服务端证书只需要 ca.crt;同名的 .cert/.key 成对用于客户端证书认证,此处的 .key 实际是服务端私钥,不需要客户端证书认证时可以不拷贝)
root@elk91:~# echo 10.0.0.250 harbor250.oldboyedu.com >> /etc/hosts
root@elk91:~# scp harbor250.oldboyedu.com:/usr/local/harbor/certs/docker-client/* /etc/docker/certs.d/harbor250.oldboyedu.com/
root@elk91:~# ll /etc/docker/certs.d/harbor250.oldboyedu.com/
total 20
drwxr-xr-x 2 root root 4096 Mar 25 12:10 ./
drwxr-xr-x 3 root root 4096 Mar 25 12:01 ../
-rw-r--r-- 1 root root 2049 Mar 25 12:10 ca.crt
-rw-r--r-- 1 root root 2155 Mar 25 12:10 harbor250.oldboyedu.com.cert
-rw------- 1 root root 3272 Mar 25 12:10 harbor250.oldboyedu.com.key
4、 客户端登录测试
root@elk91:~# docker login -u admin -p 1 harbor250.oldboyedu.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded