Harbor: HTTPS Access with a Self-Built CA Certificate

I. Environment preparation

Hostname: harbor250.lyx.com   IP: 10.0.0.250

II. Download the Harbor installer package

root@harbor250:~# wget https://github.com/goharbor/harbor/releases/download/v2.12.2/harbor-offline-installer-v2.12.2.tgz

III. Install docker and docker-compose, then unpack the Harbor installer package

root@harbor250:~# tar xf oldboyedu-autoinstall-docker-docker-compose.tar.gz
root@harbor250:~# ./install-docker.sh i
root@harbor250:~# tar xf harbor-offline-installer-v2.12.2.tgz -C /usr/local/

IV. Configure the CA certificate

1. Enter the Harbor program root directory

root@harbor250:/usr/local/harbor# ll
total 636508
drwxr-xr-x  2 root root      4096 Mar 25 10:30 ./
drwxr-xr-x 11 root root      4096 Mar 25 10:30 ../
-rw-r--r--  1 root root      3646 Jan 16 22:10 common.sh
-rw-r--r--  1 root root 651727378 Jan 16 22:11 harbor.v2.12.2.tar.gz
-rw-r--r--  1 root root     14288 Jan 16 22:10 harbor.yml.tmpl
-rwxr-xr-x  1 root root      1975 Jan 16 22:10 install.sh*
-rw-r--r--  1 root root     11347 Jan 16 22:10 LICENSE
-rwxr-xr-x  1 root root      2211 Jan 16 22:10 prepare*

2. Create the directories that will hold the certificates

root@harbor250:/usr/local/harbor# mkdir -pv certs/{ca,harbor-server,docker-client}
mkdir: created directory 'certs'
mkdir: created directory 'certs/ca'
mkdir: created directory 'certs/harbor-server'
mkdir: created directory 'certs/docker-client'
root@harbor250:/usr/local/harbor# tree certs
certs
├── ca
├── docker-client
└── harbor-server

3 directories, 0 files

3. Create the CA private key

root@harbor250:/usr/local/harbor# cd certs/
root@harbor250:/usr/local/harbor/certs# openssl genrsa -out ca/ca.key 4096
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   └── ca.key
├── docker-client
└── harbor-server

3 directories, 1 file

4. Create the CA certificate from the self-built CA private key (note the domain scope the certificate is issued for)

root@harbor250:/usr/local/harbor/certs# openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=oldboyedu.com" \
    -key ca/ca.key \
    -out ca/ca.crt
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server

3 directories, 2 files

5. Inspect the self-built CA certificate

root@harbor250:/usr/local/harbor/certs# openssl x509 -in ca/ca.crt -noout -text

V. Configure the Harbor server certificate

1. Generate the Harbor server private key

root@harbor250:/usr/local/harbor/certs# openssl genrsa -out harbor-server/harbor250.oldboyedu.com.key 4096
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    └── harbor250.oldboyedu.com.key

3 directories, 3 files

2. Create a certificate signing request (CSR) from the Harbor server private key, to be signed by the self-built CA

root@harbor250:/usr/local/harbor/certs# openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor250.oldboyedu.com" \
    -key harbor-server/harbor250.oldboyedu.com.key \
    -out harbor-server/harbor250.oldboyedu.com.csr
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── harbor250.oldboyedu.com.csr
    └── harbor250.oldboyedu.com.key

3 directories, 4 files

3. Create the x509 v3 extension file used when signing (the subjectAltName must list the registry hostname; @alt_names refers to the [alt_names] section that follows it)

root@harbor250:/usr/local/harbor/certs# cat > harbor-server/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor250.oldboyedu.com
EOF
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── harbor250.oldboyedu.com.csr
    ├── harbor250.oldboyedu.com.key
    └── v3.ext

3 directories, 5 files

4. Sign the Harbor server certificate with the self-built CA, applying the x509 v3 extension file

root@harbor250:/usr/local/harbor/certs# openssl x509 -req -sha512 -days 3650 \
    -extfile harbor-server/v3.ext \
    -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
    -in harbor-server/harbor250.oldboyedu.com.csr \
    -out harbor-server/harbor250.oldboyedu.com.crt
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── harbor250.oldboyedu.com.crt
    ├── harbor250.oldboyedu.com.csr
    ├── harbor250.oldboyedu.com.key
    └── v3.ext

3 directories, 6 files
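As an added example that is not part of the original post (the function names and the two check helpers are assumptions), the following script repeats steps IV.3 through V.4 for an arbitrary hostname in a scratch directory and then verifies the two properties the docker client depends on: the server certificate chains to ca.crt, and its subjectAltName names the registry host.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the page's CA -> CSR -> signed server
# certificate chain in a scratch directory, then check what the docker client relies on.
set -eu
# Build a private CA, a server key/CSR and a CA-signed x509 v3 certificate for host $2 under $1.
make_harbor_chain() {
    dir="$1"; host="$2"
    mkdir -p "$dir/ca" "$dir/harbor-server"
    # CA key and self-signed CA certificate (its CN is the CA name, not the server name)
    openssl genrsa -out "$dir/ca/ca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 3650 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=oldboyedu.com" \
        -key "$dir/ca/ca.key" -out "$dir/ca/ca.crt"
    # server key and CSR; the CN alone is not enough, clients match on the SAN
    openssl genrsa -out "$dir/harbor-server/$host.key" 4096 2>/dev/null
    openssl req -sha512 -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$host" \
        -key "$dir/harbor-server/$host.key" -out "$dir/harbor-server/$host.csr"
    # x509 v3 extension file; the [alt_names] section header is required for @alt_names
    cat > "$dir/harbor-server/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$host
EOF
    openssl x509 -req -sha512 -days 3650 -extfile "$dir/harbor-server/v3.ext" \
        -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
        -in "$dir/harbor-server/$host.csr" -out "$dir/harbor-server/$host.crt" 2>/dev/null
}

# Succeeds only if the server certificate chains to ca.crt (the file docker reads from certs.d/<host>/ca.crt).
verify_chain() {
    openssl verify -CAfile "$1/ca/ca.crt" "$1/harbor-server/$2.crt" >/dev/null 2>&1
}

# Succeeds only if the certificate's subjectAltName lists exactly DNS:<name>.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Demo run for the page's host in a constructed scratch directory.
work=$(mktemp -d)
make_harbor_chain "$work" harbor250.oldboyedu.com
verify_chain "$work" harbor250.oldboyedu.com && cert_has_san "$work/harbor-server/harbor250.oldboyedu.com.crt" harbor250.oldboyedu.com && echo "chain and SAN: OK"
```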

5. Edit the Harbor configuration file to use the self-built certificate

root@harbor250:/usr/local/harbor/certs# cp ../harbor.yml{.tmpl,}
root@harbor250:/usr/local/harbor/certs# vim ../harbor.yml
...
hostname: harbor250.oldboyedu.com
https:
  ...
  certificate: /usr/local/harbor/certs/harbor-server/harbor250.oldboyedu.com.crt
  private_key: /usr/local/harbor/certs/harbor-server/harbor250.oldboyedu.com.key
...
harbor_admin_password: 1
...
data_volume: /var/lib/harbor
...

6. Install the Harbor service

root@harbor250:/usr/local/harbor/certs# ../install.sh

VI. Access the Harbor web UI

# add a hosts entry on the Windows machine
10.0.0.250 harbor250.oldboyedu.com

# test access
https://harbor250.oldboyedu.com/harbor/projects/1/repositories

VII. Configure the docker client certificate

1. Generate the docker client certificate files

root@harbor250:/usr/local/harbor/certs# cp ca/ca.crt harbor-server/harbor250.oldboyedu.com.key docker-client/
root@harbor250:/usr/local/harbor/certs# cp harbor-server/harbor250.oldboyedu.com.crt docker-client/harbor250.oldboyedu.com.cert
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
│   ├── ca.crt
│   ├── harbor250.oldboyedu.com.cert
│   └── harbor250.oldboyedu.com.key
└── harbor-server
    ├── harbor250.oldboyedu.com.crt
    ├── harbor250.oldboyedu.com.csr
    ├── harbor250.oldboyedu.com.key
    └── v3.ext

3 directories, 9 files

2. On the docker client, create the directory for the self-built certificate (note: the directory name must match the registry domain name exactly)

root@elk91:~# mkdir -pv /etc/docker/certs.d/harbor250.oldboyedu.com/

3. Copy the docker client certificate files to the client

root@elk91:~# echo 10.0.0.250 harbor250.oldboyedu.com >> /etc/hosts
root@elk91:~# scp harbor250.oldboyedu.com:/usr/local/harbor/certs/docker-client/* /etc/docker/certs.d/harbor250.oldboyedu.com/
root@elk91:~# ll /etc/docker/certs.d/harbor250.oldboyedu.com/
total 20
drwxr-xr-x 2 root root 4096 Mar 25 12:10 ./
drwxr-xr-x 3 root root 4096 Mar 25 12:01 ../
-rw-r--r-- 1 root root 2049 Mar 25 12:10 ca.crt
-rw-r--r-- 1 root root 2155 Mar 25 12:10 harbor250.oldboyedu.com.cert
-rw------- 1 root root 3272 Mar 25 12:10 harbor250.oldboyedu.com.key

4. Client login test

root@elk91:~# docker login -u admin -p 1 harbor250.oldboyedu.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
