zoukankan      html  css  js  c++  java
  • Harbor仓库配置https访问

    注:高版本(14以上)docker执行login命令,默认使用https,且harbor必须使用域名,只是用ip访问是不行的。

    假设使用的网址是:www.harbor.mobi,本机ip是192.168.75.100

    因为这个网址是虚拟的,所以需要在本机hosts文件中添加

    echo "192.168.75.100  www.harbor.mobi" >> /etc/hosts
    

    把yourdomain.com换成实际使用的域名或者ip或者ip:port,要跟harbor.yml文件中的配置信息保持一致

    #set hostname
    hostname: www.harbor.mobi
    
    #http:
    #  port: 80
    
    https:
      # https port for harbor, default is 443
      port: 443
      # The path of cert and key files for nginx
      certificate: /data/cert/www.harbor.mobi.crt
      private_key: /data/cert/www.harbor.mobi.key
    # 注意证书路径
    

    一键脚本文件:

    #!/bin/bash
    
    # 在该目录下操作生成证书,正好供harbor.yml使用
    mkdir -p /data/cert
    cd /data/cert
    
    openssl genrsa -out ca.key 4096
    openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key ca.key -out ca.crt
    openssl genrsa -out www.harbor.mobi.key 4096
    openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key www.harbor.mobi.key -out www.harbor.mobi.csr
    
    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1=www.harbor.mobi
    DNS.2=harbor
    DNS.3=ks-allinone
    EOF
    
    openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.crt
        
    openssl x509 -inform PEM -in www.harbor.mobi.crt -out www.harbor.mobi.cert
    
    cp www.harbor.mobi.crt /etc/pki/ca-trust/source/anchors/www.harbor.mobi.crt 
    update-ca-trust
    
    # 把这三个复制到docke下
    mkdir -p /etc/docker/certs.d/www.harbor.mobi/
    cp www.harbor.mobi.cert /etc/docker/certs.d/www.harbor.mobi/
    cp www.harbor.mobi.key /etc/docker/certs.d/ywww.harbor.mobi/
    cp ca.crt /etc/docker/certs.d/www.harbor.mobi/
    
    
    最终docker目录结构:
    /etc/docker/certs.d/
        └── www.harbor.mobi
           ├── www.harbor.mobi.cert  <-- Server certificate signed by CA
           ├── www.harbor.mobi.key   <-- Server key signed by CA
           └── ca.crt               <-- Certificate authority that signed the registry certificate
    # 重启docker
    systemctl restart docker.service
    
    # 停止
    docker-compose down -v
    
    # 重新生成配置文件
    ./prepare --with-notary --with-clair --with-chartmuseum
    
    # 启动
    docker-compose up -d
    

    官方步骤示例:

    #set hostname
    hostname: yourdomain.com
    
    http:
      port: 80
    
    https:
      # https port for harbor, default is 443
      port: 443
      # The path of cert and key files for nginx
      certificate: /data/cert/yourdomain.com.crt
      private_key: /data/cert/yourdomain.com.key
    
    # 生成使用的相关证书
    openssl genrsa -out ca.key 4096
    
    openssl req -x509 -new -nodes -sha512 -days 3650 
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" 
        -key ca.key 
        -out ca.crt
    
    openssl genrsa -out yourdomain.com.key 4096
    
    openssl req -sha512 -new 
        -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" 
        -key yourdomain.com.key 
        -out yourdomain.com.csr
    
    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1=yourdomain.com
    DNS.2=yourdomain
    DNS.3=hostname
    EOF
    
    openssl x509 -req -sha512 -days 3650 
        -extfile v3.ext 
        -CA ca.crt -CAkey ca.key -CAcreateserial 
        -in yourdomain.com.csr 
        -out yourdomain.com.crt
    
    openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
    
    # 把这三个复制到docke下
    cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
    cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
    cp ca.crt /etc/docker/certs.d/yourdomain.com/
    
    
    最终docker目录结构:
    /etc/docker/certs.d/
        └── yourdomain.com:port
           ├── yourdomain.com.cert  <-- Server certificate signed by CA
           ├── yourdomain.com.key   <-- Server key signed by CA
           └── ca.crt               <-- Certificate authority that signed the registry certificate
    # 重启docker
    systemctl restart docker.service
    
    cp 192.168.75.100.crt /etc/pki/ca-trust/source/anchors/192.168.75.100.crt 
    update-ca-trust
    
    # harbor证书配置
    cp yourdomain.com.crt /data/cert/
    cp yourdomain.com.key /data/cert/
    
    # 重新生成配置文件
    ./prepare --with-notary --with-clair --with-chartmuseum
    
    # 停止
    docker-compose down -v
    
    # 启动
    docker-compose up -d
    
    

    问题:
    使用docker login 命令登陆的话报错

    docker login https://192.168.75.100
    
    x509: cannot validate certificate for 192.168.75.100 because it doesn't contain any IP SANs
    
    排查步骤:
    检查harbor.yml文件中hostname变量的值是否跟生成证书使用的一致
    
    
  • 相关阅读:
    Unity核心对象模型
    自适应XAML布局经验总结 (四)区域布局设计模式
    自适应XAML布局经验总结 (三) 局部布局设计模式2
    自适应XAML布局经验总结 (二) 局部布局设计模式1
    自适应XAML布局经验总结 (一)原则和页面结构设计
    WPF核心对象模型-类图和解析
    谈谈XAML前端开发
    arpg网页游戏特效播放(一)
    arpg网页游戏之地图(四)
    arpg网页游戏之地图(三)
  • 原文地址:https://www.cnblogs.com/sanduzxcvbnm/p/11956347.html
Copyright © 2011-2022 走看看