1. Download and extract the Harbor installer package
Harbor ships two kinds of installer package: an online installer and an offline installer.
Here we use the offline installer, harbor-offline-installer-v2.10.3.tgz.
Upload the archive to the home directory on the harbor host and extract it:
```
[root@harbor ~]# tar -xzf harbor-offline-installer-v2.10.3.tgz
```
2. Create HTTPS certificates for Harbor and Docker
By default Harbor runs without any certificate, so clients reach it over plain HTTP. An HTTP-only registry is acceptable only for test or development environments with no exposure to an external network: credentials and image layers travel in cleartext, so anyone on the path can read or tamper with them, and the Docker client refuses to talk to an HTTP registry unless it is explicitly listed under insecure-registries. Any production deployment, and any Harbor reachable from an untrusted network, should use HTTPS.
HTTPS requires a TLS certificate. You can use a certificate issued by a third-party CA, or a self-signed one.
Here we create a self-signed certificate, issued by a private CA that we also generate.
1) Generate a self-signed certificate
Step 1: create the shell script that generates the certificates
```
[root@harbor ~]# mkdir ws && cd ws
[root@harbor ws]# mkdir -p config/certs
[root@harbor ws]# cd config/certs
[root@harbor certs]# touch generate.sh && chmod 700 generate.sh
```
The content of generate.sh follows. Replace the domain harbor.home.cloud with your own domain everywhere it appears (the CN, the subjectAltName list and the output file names), and make sure WORK_DIR points at the config/certs directory you just created:
```bash
#!/bin/bash
# Generates a private CA and a server certificate for the Harbor host.
# Replace harbor.home.cloud with your own domain before running.
set -euo pipefail

WORK_DIR=/root/ws/config/certs
NEW_DIR=$(date "+%Y%m%d%H%M%S")
SAVE_DIR=$WORK_DIR/$NEW_DIR

CA_KEY_PATH=$SAVE_DIR/ca.key
CA_CERT_PATH=$SAVE_DIR/ca.crt
SERVER_KEY_PATH=$SAVE_DIR/harbor.home.cloud.key
SERVER_CSR_PATH=$SAVE_DIR/harbor.home.cloud.csr
SERVER_CERT_PATH=$SAVE_DIR/harbor.home.cloud.crt
SERVER_CERT_CRT_PATH=$SAVE_DIR/harbor.home.cloud.cert

cd $WORK_DIR
mkdir $SAVE_DIR

echo -e "Generate CA Key"
openssl genrsa -out $CA_KEY_PATH 4096

echo -e "Generate CA Cert"
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Nanjing/L=Nanjing/O=Zhuoya Tech/OU=Personal/CN=Harbor Root CA" \
    -key $CA_KEY_PATH \
    -out $CA_CERT_PATH

echo -e "Generate Server Key"
openssl genrsa -out $SERVER_KEY_PATH 4096

echo -e "Generate Server Cert Signing Request"
openssl req -sha512 -new \
    -subj "/C=CN/ST=Nanjing/L=Nanjing/O=Zhuoya Tech/OU=Personal/CN=harbor.home.cloud" \
    -key $SERVER_KEY_PATH \
    -out $SERVER_CSR_PATH

echo -e "Generate x509 v3 extension file"
# The SAN list must contain every name clients will use to reach the registry:
# Docker and modern browsers validate the SAN and ignore the CN.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.home.cloud
DNS.2=harbor
EOF

echo -e "Generate Server Cert using v3.ext file"
openssl x509 -req -sha512 -days 365 \
    -extfile v3.ext \
    -CA $CA_CERT_PATH -CAkey $CA_KEY_PATH -CAcreateserial \
    -in $SERVER_CSR_PATH \
    -out $SERVER_CERT_PATH

echo -e "Transform Server Cert from pem to cert format"
# Same PEM bytes under the .cert name that the Docker client expects.
openssl x509 -inform PEM -in $SERVER_CERT_PATH -out $SERVER_CERT_CRT_PATH
```
Step 2: run the script to generate the certificates
```
[root@harbor certs]# ./generate.sh
Generate CA Key
Generate CA Cert
Generate Server Key
Generate Server Cert Signing Request
Generate x509 v3 extension file
Generate Server Cert using v3.ext file
Certificate request self-signature ok
subject=C=CN, ST=Nanjing, L=Nanjing, O=Zhuoya Tech, OU=Personal, CN=harbor.home.cloud
```
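The openssl commands above succeed even when the certificate they produce is unusable, for example when the subjectAltName carries a typo (habor.home.cloud instead of harbor.home.cloud): the CA signs whatever the CSR and v3.ext say, and only the Docker client or browser fails later. The following added check (example code, not part of the original post or of Harbor) generates a CA plus a SAN server certificate the same way generate.sh does, then verifies the three things a client will actually check: the chain to ca.crt, that the SAN covers the hostname, and that the certificate matches the private key. It uses a temporary directory, 2048-bit keys for speed, and the demo domain names as assumptions; the "bad" certificate reproduces the SAN typo on purpose.

```shell
#!/usr/bin/env bash
# Added example: generate a private CA + SAN server cert and verify what a
# TLS client will check. Temp dir, key sizes and domain names are assumptions.
set -u

# gen_certs DIR DOMAIN SAN_DOMAIN
# Creates ca.key/ca.crt and DOMAIN.key/DOMAIN.crt in DIR. SAN_DOMAIN is the
# name written into subjectAltName, so a mismatch can be reproduced.
gen_certs() {
    local dir=$1 domain=$2 san=$3
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha256 -days 3650 \
        -subj "/CN=Harbor Root CA" -key "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -sha256 -subj "/CN=$domain" \
        -key "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null
    # Same extension set as generate.sh, with the SAN supplied by the caller.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$san" > "$dir/v3.ext"
    openssl x509 -req -sha256 -days 365 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/$domain.csr" -out "$dir/$domain.crt" 2>/dev/null
}

# check_cert DIR DOMAIN
# Prints "ok" when DOMAIN.crt (1) chains to ca.crt, (2) is valid for DOMAIN
# according to its SAN, and (3) matches DOMAIN.key. Otherwise prints the name
# of the first failing check and returns 1.
check_cert() {
    local dir=$1 domain=$2
    local crt="$1/$2.crt" key="$1/$2.key"
    local crt_pub key_pub
    openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
        || { echo chain; return 1; }
    # Hostname matching is done against the SAN (the CN is ignored when a SAN is present).
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$domain" "$crt" >/dev/null 2>&1 \
        || { echo hostname; return 1; }
    # The public key embedded in the cert must equal the one derived from the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo keymatch; return 1; }
    echo ok
}

# Demo: a correct certificate, and one carrying the "habor" SAN typo.
demo() {
    local tmp
    tmp=$(mktemp -d)
    gen_certs "$tmp/good" harbor.home.cloud harbor.home.cloud
    gen_certs "$tmp/bad"  harbor.home.cloud habor.home.cloud
    printf 'good cert: %s\n' "$(check_cert "$tmp/good" harbor.home.cloud)"
    printf 'bad cert:  %s\n' "$(check_cert "$tmp/bad"  harbor.home.cloud)"
    rm -rf "$tmp"
}

demo
```

Run check_cert against the timestamped directory generate.sh created before copying anything to /data/cert or /etc/docker/certs.d; a "hostname" result means the SAN does not contain the name clients will dial, which is exactly the failure a Docker login against the registry would report as a certificate name mismatch.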
2) Provide the certificates to Harbor and Docker
Step 1: copy the server certificate and key into the directory Harbor will read them from. Use the timestamped directory that generate.sh created under its WORK_DIR (the path below must match your own layout):
```
[root@harbor ~]# mkdir -p /data/cert
[root@harbor ~]# cp /home/harbor/config/certs/20240727084326/harbor.home.cloud.cert /home/harbor/config/certs/20240727084326/harbor.home.cloud.key /data/cert
```
Step 2: copy the certificates into the Docker client's configuration directory so that docker login, push and pull trust the private CA
```
[root@harbor ~]# mkdir -p /etc/docker/certs.d/harbor.home.cloud
[root@harbor ~]# cp /home/harbor/config/certs/20240727084326/harbor.home.cloud.cert /home/harbor/config/certs/20240727084326/harbor.home.cloud.key /home/harbor/config/certs/20240727084326/ca.crt /etc/docker/certs.d/harbor.home.cloud
```
What Docker actually needs in /etc/docker/certs.d/<registry>/ is ca.crt, which it uses to verify the registry's server certificate; any *.cert file with a matching *.key in that directory is treated as a client certificate and presented to the registry. Copying the server's private key there is harmless on the Harbor host itself, but on other client machines copy only ca.crt: the server key should never leave the server.
Note: if you map nginx's default port 443 to a different port, name the directory harbor.home.cloud:port (or harbor_IP:port if clients use the IP) instead of harbor.home.cloud, because Docker looks up the directory by the exact host:port it connects to.
3. Install the Harbor CA certificate on Windows