Harbor: HTTPS access with a self-built CA certificate

1. Environment

Hostname: harbor250.lyx.com   IP: 10.0.0.250

Note that the certificates below are issued for harbor250.oldboyedu.com, and that is also the name used in harbor.yml, in the clients' hosts entries and as the Docker certs.d directory name. The server's own hostname does not have to match, but those four places must agree with each other, otherwise clients will fail hostname verification.

2. Download the Harbor installer

root@harbor250:~# wget https://github.com/goharbor/harbor/releases/download/v2.12.2/harbor-offline-installer-v2.12.2.tgz

3. Install docker and docker-compose, then unpack the Harbor installer

The docker/docker-compose bundle below is a course-provided installer, not part of the Harbor release; any Docker Engine with Compose works.

root@harbor250:~# tar xf oldboyedu-autoinstall-docker-docker-compose.tar.gz
root@harbor250:~# ./install-docker.sh i
root@harbor250:~# tar xf harbor-offline-installer-v2.12.2.tgz -C /usr/local/

4. Set up the CA certificate

1) Change to the Harbor program directory

root@harbor250:/usr/local/harbor# ll
total 636508
drwxr-xr-x  2 root root      4096 Mar 25 10:30 ./
drwxr-xr-x 11 root root      4096 Mar 25 10:30 ../
-rw-r--r--  1 root root      3646 Jan 16 22:10 common.sh
-rw-r--r--  1 root root 651727378 Jan 16 22:11 harbor.v2.12.2.tar.gz
-rw-r--r--  1 root root     14288 Jan 16 22:10 harbor.yml.tmpl
-rwxr-xr-x  1 root root      1975 Jan 16 22:10 install.sh*
-rw-r--r--  1 root root     11347 Jan 16 22:10 LICENSE
-rwxr-xr-x  1 root root      2211 Jan 16 22:10 prepare*

2) Create the directories that will hold the certificates

root@harbor250:/usr/local/harbor# mkdir -pv certs/{ca,harbor-server,docker-client}
mkdir: created directory 'certs'
mkdir: created directory 'certs/ca'
mkdir: created directory 'certs/harbor-server'
mkdir: created directory 'certs/docker-client'

root@harbor250:/usr/local/harbor# tree certs
certs
├── ca
├── docker-client
└── harbor-server

3 directories, 0 files

3) Create the CA private key

root@harbor250:/usr/local/harbor# cd certs/
root@harbor250:/usr/local/harbor/certs# openssl genrsa -out ca/ca.key 4096
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   └── ca.key
├── docker-client
└── harbor-server

3 directories, 1 file

This key signs every server certificate; anyone holding it can mint certificates that all of your Docker clients will trust. Keep it mode 0600 and off the clients.

4) Create the CA certificate from the CA private key

The CN given here only names the CA. It does not limit which hostnames the CA can sign; what a client checks is the subjectAltName of the server certificate issued later (if you want to restrict the CA to a domain, that is what the nameConstraints extension is for).

root@harbor250:/usr/local/harbor/certs# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=oldboyedu.com" \
-key ca/ca.key \
-out ca/ca.crt

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server

3 directories, 2 files

5) Inspect the self-built CA certificate

root@harbor250:/usr/local/harbor/certs# openssl x509 -in ca/ca.crt -noout -text

Check that "X509v3 Basic Constraints" shows CA:TRUE and that a "X509v3 Subject Key Identifier" is present; the server certificate's authorityKeyIdentifier=keyid (below) refers to it.

5. Configure the Harbor server certificate

1) Generate the Harbor server private key

root@harbor250:/usr/local/harbor/certs# openssl genrsa -out harbor-server/harbor250.oldboyedu.com.key 4096
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    └── harbor250.oldboyedu.com.key

3 directories, 3 files

2) Create a certificate signing request (CSR) from the server key, to be signed by the self-built CA

root@harbor250:/usr/local/harbor/certs# openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor250.oldboyedu.com" \
-key harbor-server/harbor250.oldboyedu.com.key \
-out harbor-server/harbor250.oldboyedu.com.csr

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── harbor250.oldboyedu.com.csr
    └── harbor250.oldboyedu.com.key

3 directories, 4 files

3) Write the x509 v3 extension file used when signing

The subjectAltName is what Docker, browsers and other TLS clients match against the host in the URL; the CN alone no longer satisfies hostname verification. If the registry is also reached under other names or by IP, add DNS.2=... / IP.1=... entries to [alt_names]. The section header [alt_names] must be present, otherwise the @alt_names reference fails.

root@harbor250:/usr/local/harbor/certs# cat > harbor-server/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor250.oldboyedu.com
EOF

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── harbor250.oldboyedu.com.csr
    ├── harbor250.oldboyedu.com.key
    └── v3.ext

3 directories, 5 files

4) Sign the Harbor server certificate with the CA, applying the x509 v3 extension file

root@harbor250:/usr/local/harbor/certs# openssl x509 -req -sha512 -days 3650 \
-extfile harbor-server/v3.ext \
-CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
-in harbor-server/harbor250.oldboyedu.com.csr \
-out harbor-server/harbor250.oldboyedu.com.crt

root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── harbor250.oldboyedu.com.crt
    ├── harbor250.oldboyedu.com.csr
    ├── harbor250.oldboyedu.com.key
    └── v3.ext

3 directories, 6 files

(-CAcreateserial also writes ca/ca.srl, the serial counter, which is not shown by tree here because it lives next to ca.crt only after the first signing.)
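The CA and server-certificate steps above, collected into one re-runnable script together with the chain and hostname check a Docker client will perform. This is an added example, not code from the original post or from the Harbor project. The directory layout, subject fields and the name harbor250.oldboyedu.com follow the post; the output directory, hostname and key size are parameters so the script can also run in a scratch directory. The CA's extensions are pinned in a small config file (an assumption of this example, the post relies on the system openssl.cnf defaults) so that CA:TRUE and the subjectKeyIdentifier do not depend on the distribution.

```shell
#!/bin/sh
# Added example, not code from the original post or from Harbor: the CA plus
# server-certificate procedure as one script, with the verification a Docker
# client performs (chain to the CA and SAN match against the registry name).
set -eu

# make_harbor_certs OUT_DIR HOSTNAME [KEY_BITS]
# Produces OUT_DIR/ca/{ca.key,ca.crt} and OUT_DIR/harbor-server/HOSTNAME.{key,csr,crt}.
make_harbor_certs() {
    out=$1; host=$2; bits=${3:-4096}
    mkdir -p "$out/ca" "$out/harbor-server"

    # 1. CA key and self-signed CA certificate. The CA extensions are pinned in
    #    a small config (assumed here; the post uses the distro defaults) so that
    #    CA:TRUE and the subjectKeyIdentifier, which the leaf's
    #    authorityKeyIdentifier=keyid refers to, are always present.
    openssl genrsa -out "$out/ca/ca.key" "$bits" 2>/dev/null
    cat > "$out/ca/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = CN
ST = Beijing
L = Beijing
O = example
OU = Personal
CN = oldboyedu.com
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -sha512 -days 3650 \
        -config "$out/ca/ca.cnf" -key "$out/ca/ca.key" -out "$out/ca/ca.crt"

    # 2. Server key and CSR (the CN is informational; clients match the SAN).
    openssl genrsa -out "$out/harbor-server/$host.key" "$bits" 2>/dev/null
    openssl req -sha512 -new \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$host" \
        -key "$out/harbor-server/$host.key" -out "$out/harbor-server/$host.csr"

    # 3. x509v3 extensions for the leaf, including the [alt_names] section header.
    cat > "$out/harbor-server/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=$host
EOF

    # 4. Sign the CSR with the CA.
    openssl x509 -req -sha512 -days 3650 -extfile "$out/harbor-server/v3.ext" \
        -CA "$out/ca/ca.crt" -CAkey "$out/ca/ca.key" -CAcreateserial \
        -in "$out/harbor-server/$host.csr" -out "$out/harbor-server/$host.crt" 2>/dev/null

    chmod 600 "$out/ca/ca.key" "$out/harbor-server/$host.key"
}

# san_of CERT: print the subjectAltName value, e.g. "DNS:harbor250.oldboyedu.com".
san_of() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

# verify_server_cert OUT_DIR HOSTNAME
# Returns 0 only if the leaf chains to OUT_DIR/ca/ca.crt, is valid for HOSTNAME
# (the same SAN check dockerd and browsers do) and is not itself a CA.
verify_server_cert() {
    out=$1; host=$2; crt="$out/harbor-server/$host.crt"
    openssl verify -CAfile "$out/ca/ca.crt" -verify_hostname "$host" "$crt" >/dev/null 2>&1 || return 1
    san_of "$crt" | grep -q "DNS:$host" || return 1
    openssl x509 -in "$crt" -noout -ext basicConstraints | grep -q 'CA:FALSE'
}

# Usage: sh harbor-certs.sh /usr/local/harbor/certs harbor250.oldboyedu.com [4096]
if [ "$#" -ge 2 ]; then
    make_harbor_certs "$1" "$2" "${3:-4096}"
    verify_server_cert "$1" "$2" && echo "OK: $2 -> $(san_of "$1/harbor-server/$2.crt")"
fi
```

Running it against a name that is not in the SAN (for example the server's real hostname harbor250.lyx.com) makes verify_server_cert fail, which is exactly the error a client sees when harbor.yml's hostname and the certificate disagree.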

5) Point the Harbor configuration at the self-built certificate

root@harbor250:/usr/local/harbor/certs# cp ../harbor.yml{.tmpl,}
root@harbor250:/usr/local/harbor/certs# vim ../harbor.yml
...
hostname: harbor250.oldboyedu.com
https:
  ...
  certificate: /usr/local/harbor/certs/harbor-server/harbor250.oldboyedu.com.crt
  private_key: /usr/local/harbor/certs/harbor-server/harbor250.oldboyedu.com.key
...
harbor_admin_password: 1
...
data_volume: /var/lib/harbor
...

hostname must be the name in the certificate's subjectAltName. The admin password "1" is what this walkthrough uses; it is the initial password of the built-in admin account and should be set to a strong value (and changed after first login) on anything reachable by others.

6) Install Harbor

root@harbor250:/usr/local/harbor/certs# ../install.sh

install.sh runs prepare, which renders the nginx configuration with the certificate paths above, and then starts the containers. If you later replace the certificate or edit harbor.yml, run install.sh again so the change is applied.

6. Open the Harbor web UI

# Add a hosts entry on the Windows workstation
10.0.0.250 harbor250.oldboyedu.com

# Access test
https://harbor250.oldboyedu.com/harbor/projects/1/repositories

The browser will warn about the certificate until ca/ca.crt is imported into its trusted root store; the warning disappears once the CA is trusted and the URL host matches the SAN.

7. Configure the Docker client certificates

1) Assemble the Docker client certificate files

root@harbor250:/usr/local/harbor/certs# cp ca/ca.crt harbor-server/harbor250.oldboyedu.com.key docker-client/
root@harbor250:/usr/local/harbor/certs# cp harbor-server/harbor250.oldboyedu.com.crt docker-client/harbor250.oldboyedu.com.cert
root@harbor250:/usr/local/harbor/certs# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
│   ├── ca.crt
│   ├── harbor250.oldboyedu.com.cert
│   └── harbor250.oldboyedu.com.key
└── harbor-server
    ├── harbor250.oldboyedu.com.crt
    ├── harbor250.oldboyedu.com.csr
    ├── harbor250.oldboyedu.com.key
    └── v3.ext

3 directories, 9 files

Only ca.crt is actually needed on a client: dockerd treats every *.crt under /etc/docker/certs.d/<registry>/ as a CA certificate for that registry. The *.cert/*.key pair is a client certificate for mutual TLS, which Harbor's nginx front end does not request, so copying the server's private key to clients gains nothing and spreads a secret that should stay on the Harbor host. The step is shown as the author ran it; in practice distribute ca.crt alone.

2) On the Docker client, create the certificate directory (the directory name must be exactly the registry host name used in image references)

root@elk91:~# mkdir -pv /etc/docker/certs.d/harbor250.oldboyedu.com/

3) Copy the Docker client certificate files to the client

root@elk91:~# echo 10.0.0.250 harbor250.oldboyedu.com >> /etc/hosts
root@elk91:~# scp harbor250.oldboyedu.com:/usr/local/harbor/certs/docker-client/* /etc/docker/certs.d/harbor250.oldboyedu.com/
root@elk91:~# ll /etc/docker/certs.d/harbor250.oldboyedu.com/
total 20
drwxr-xr-x 2 root root 4096 Mar 25 12:10 ./
drwxr-xr-x 3 root root 4096 Mar 25 12:01 ../
-rw-r--r-- 1 root root 2049 Mar 25 12:10 ca.crt
-rw-r--r-- 1 root root 2155 Mar 25 12:10 harbor250.oldboyedu.com.cert
-rw------- 1 root root 3272 Mar 25 12:10 harbor250.oldboyedu.com.key
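Installing the CA on a client and auditing what ended up in the certs.d directory, as an added example (not code from the original post or from Docker/Harbor). The certs.d root is a parameter standing in for /etc/docker/certs.d so the functions can be exercised in a scratch directory; the audit performs the same chain-plus-hostname check dockerd makes and flags the two mistakes this section invites: a directory name that does not match the registry host, and a private key copied alongside the CA.

```shell
#!/bin/sh
# Added example, not code from the original post or from Docker/Harbor: install
# only the CA into Docker's registry trust directory and audit the result.
set -eu

# install_registry_ca CERTS_ROOT REGISTRY CA_CRT
# dockerd trusts every *.crt under CERTS_ROOT/REGISTRY/ as a CA for that
# registry; REGISTRY must be exactly the host[:port] used in image references.
install_registry_ca() {
    certs_root=$1; registry=$2; ca_crt=$3
    mkdir -p "$certs_root/$registry"
    cp "$ca_crt" "$certs_root/$registry/ca.crt"
    chmod 644 "$certs_root/$registry/ca.crt"
}

# audit_registry_dir CERTS_ROOT REGISTRY SERVER_CRT
# Returns 0 when the directory for REGISTRY exists, one of its *.crt files
# validates SERVER_CRT for that name (chain plus SAN, as dockerd checks), and no
# private key has been dropped there. Prints each problem it finds.
audit_registry_dir() {
    certs_root=$1; registry=$2; server_crt=$3
    dir="$certs_root/$registry"; status=0
    if [ ! -d "$dir" ]; then
        echo "missing $dir (the directory name must equal the registry host[:port])"
        return 1
    fi
    found=0
    for ca in "$dir"/*.crt; do
        [ -f "$ca" ] || continue
        if openssl verify -CAfile "$ca" -verify_hostname "$registry" "$server_crt" >/dev/null 2>&1; then
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no *.crt in $dir validates $server_crt for $registry"
        status=1
    fi
    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue
        echo "private key in trust dir: $key (a .cert/.key pair is a client certificate, not needed for server trust; a server key here is a leaked secret)"
        status=1
    done
    return "$status"
}

# Usage on a client: sh docker-trust.sh /etc/docker/certs.d harbor250.oldboyedu.com ./ca.crt
if [ "$#" -ge 3 ]; then
    install_registry_ca "$1" "$2" "$3"
fi
```

To audit the directory produced by the steps above, run audit_registry_dir /etc/docker/certs.d harbor250.oldboyedu.com against a copy of the server certificate; it will report the .key file copied in step 3 as a leaked secret.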

4) Log in from the client

root@elk91:~# docker login -u admin -p 1 harbor250.oldboyedu.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

A successful login confirms that dockerd accepted the certificate chain and that the name harbor250.oldboyedu.com matched the SAN. The two warnings are worth acting on: pass the password on stdin with --password-stdin so it does not land in shell history and process listings, and configure a credential helper so it is not stored in clear text in /root/.docker/config.json.
