kubernetes如何部署Harbor企業(yè)級私有倉庫�����?
一,部署環(huán)境:
| 主機(jī) | 操作系統(tǒng) | ip地址 |
|---|
| k8s01(master) | Centos 7.3 | 172.16.1.30 |
| k8s02(node01) | Centos 7.3 | 172.16.1.31 |
| k8s03(node02) | Centos 7.3 | 172.16.1.32 |
二�����,部署Harbor
可以選擇任意一臺服務(wù)器�����,這里選擇k8s集群中的master作為harboar私有倉庫�����。
1)安裝必要的系統(tǒng)工具
[root@master ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
2)安裝docker-compose
github下載地址:https://github.com/docker/compose/releases �����,可選擇下載對應(yīng)的版本�����,例如下載1.25.0版本:
[root@master ~]# curl -L https://github.com/docker/compose/releases/download/1.25.0-rc4/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
#添加可執(zhí)行的權(quán)限:
[root@master ~]# chmod +x /usr/local/bin/docker-compose
#查看compose版本:
[root@master ~]# docker-compose -v
docker-compose version 1.25.0-rc4, build 8f3c9c58
3)下載harbor安裝包并解壓:
下載地址:https://github.com/goharbor/harbor/releases
例如下載v1.7.4版本�����。
#選擇離線安裝模式(offline):
[root@master harbor]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.4.tgz
[root@master harbor]# tar xf harbor-offline-installer-v1.7.4.tgz
[root@master harbor]# cd harbor/
[root@master harbor]# ls
common docker-compose.notary.yml harbor.v1.7.4.tar.gz open_source_license
docker-compose.chartmuseum.yml docker-compose.yml install.sh prepare
docker-compose.clair.yml harbor.cfg LICENSE
4)配置harbor
#修改harbor配置文件:
[root@master harbor]# vim harbor.cfg
修改“hostname”為本機(jī)ip地址或域名�����,其他參數(shù)暫時保持默認(rèn)即可�����,如果實際需求時可再做修改�����,配置文件詳細(xì)參數(shù)如下:
# hostname設(shè)置訪問地址�����,可以使用ip�����、域名�����,不可以設(shè)置為127.0.0.1或localhost
hostname = 172.16.1.30
# 訪問協(xié)議�����,默認(rèn)是http�����,也可以設(shè)置https�����,如果設(shè)置https�����,則nginx ssl需要設(shè)置on
ui_url_protocol = http
# mysql數(shù)據(jù)庫root用戶默認(rèn)密碼root123�����,實際使用時修改下
db_password = root123
max_job_workers = 3
customize_crt = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
secretkey_path = /data
admiral_url = NA
# 郵件設(shè)置�����,發(fā)送重置密碼郵件時使用
email_identity =
email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false
# 啟動Harbor后�����,管理員UI登錄的密碼,默認(rèn)是Harbor12345
harbor_admin_password = Harbor12345
# 認(rèn)證方式�����,這里支持多種認(rèn)證方式�����,如LADP�����、本次存儲�����、數(shù)據(jù)庫認(rèn)證�����。默認(rèn)是db_auth�����,mysql數(shù)據(jù)庫認(rèn)證
auth_mode = db_auth
# LDAP認(rèn)證時配置項
ldap_url = ldaps://ldap.mydomain.com
ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
ldap_search_pwd = password
ldap_basedn = ou=people,dc=mydomain,dc=com
ldap_filter = (objectClass=person)
ldap_uid = uid
ldap_scope = 3
ldap_timeout = 5
# 是否開啟自注冊
self_registration = on
# Token有效時間�����,默認(rèn)30分鐘
token_expiration = 30
# 用戶創(chuàng)建項目權(quán)限控制�����,默認(rèn)是everyone(所有人)�����,也可以設(shè)置為adminonly(只能管理員)
project_creation_restriction = everyone
verify_remote_cert = on
5)安裝harbor
只需要執(zhí)行安裝腳本即可:
[root@master harbor]# ./install.sh #注意在harbor目錄下
6)登錄harbor web界面�����,訪問URL:http://172.16.1.30
#默認(rèn)用戶名:admin�����,密碼:Harbor12345
//以上信息可以在harbor配置文件中查看到:
//登陸界面如下:
#新建一個項目:
#新建的項目可作為一個倉庫�����,目前該倉庫中還沒有任何鏡像,可任意上傳鏡像:
7)Harbor的啟動與停止
//停止harbor:
[root@master harbor]# docker-compose stop
Stopping nginx ... done
Stopping harbor-portal ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping harbor-adminserver ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping registry ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
//啟動harbor:
[root@master harbor]# docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting adminserver ... done
Starting core ... done
Starting portal ... done
Starting redis ... done
Starting jobservice ... done
Starting proxy ... done
//重啟harbor
重啟harbor一般建議先stop停止�����,再start開啟�����,直接使用restart可能會有報錯�����。
8)修改Harbor的默認(rèn)登陸密碼
#使用默認(rèn)登陸的密碼�����,可能會考慮到安全性�����。所以在Harbor的web界面中�����,已經(jīng)為我們提供了修改密碼的菜單選項�����,操作如下:
//修改admin的密碼:
三,使用Harobr私有倉庫
#修改docker配置文件:
[root@master harbor]# vim /usr/lib/systemd/system/docker.service
#重新加載并重啟docker:
[root@master harbor]# systemctl daemon-reload
[root@master harbor]# systemctl restart docker
#重啟harbor:
[root@master harbor]# docker-compose stop
[root@master harbor]# docker-compose start
2) 客戶端登陸harbor:
[root@master harbor]# docker login -uadmin -p Harbor12345 172.16.1.30:80
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
#將需要上傳到harbor倉庫的鏡像進(jìn)行push�����,例如nginx鏡像
#注意:上傳至harbor中已存在的倉庫
[root@master harbor]# docker tag nginx:latest 172.16.1.30:80/harbor/nginx:v1.0
[root@master harbor]# docker push 172.16.1.30:80/harbor/nginx:v1.0
The push refers to repository [172.16.1.30:80/harbor/nginx]
12fdf55172df: Pushed
002a63507c1c: Pushed
1c95c77433e8: Pushed
v1.0: digest: sha256:099019968725f0fc12c4b69b289a347ae74cc56da0f0ef56e8eb8e0134fc7911 size: 948
#在harbor倉庫中可查看到上傳的鏡像
#如果需要刪除鏡像�����,可用在線進(jìn)行刪除:
3)其他用戶共享harbor倉庫
#將master上的docker配置文件拷貝至其他節(jié)點(node01�����,node02):
[root@master harbor]# scp /usr/lib/systemd/system/docker.service root@node01:/usr/lib/systemd/system/
docker.service 100% 1634 1.6KB/s 00:00
[root@master harbor]# scp /usr/lib/systemd/system/docker.service root@node02:/usr/lib/systemd/system/
docker.service 100% 1634 1.6KB/s 00:00
#重新加載docker:
[root@node01 ~]# systemctl daemon-reload
[root@node01 ~]# systemctl restart docker
[root@node02 ~]# systemctl daemon-reload
[root@node02 ~]# systemctl restart docker
2)登陸harbor私有倉庫(以node01為例):
[root@node01 ~]# docker login -u admin -p Harbor12345 172.16.1.30:80
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
3)從harbor倉庫中拉取鏡像:
[root@node01 ~]# docker pull 172.16.1.30:80/harbor/nginx:v1.0
v1.0: Pulling from harbor/nginx
1ab2bdfe9778: Pull complete
a17e64cfe253: Pull complete
e1288088c7a8: Pull complete
Digest: sha256:099019968725f0fc12c4b69b289a347ae74cc56da0f0ef56e8eb8e0134fc7911
Status: Downloaded newer image for 172.16.1.30:80/harbor/nginx:v1.0
[root@node01 ~]# docker images | grep nginx
172.16.1.30:80/harbor/nginx v1.0 5a3221f0137b 6 months ago 126MB
4)以harbor私有倉庫中的鏡像�����,簡單部署nginx服務(wù)
[root@master harbor]# cat nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx
spec:
template:
metadata:
labels:
app: web
spec:
containers:
- name: nginx
image: 172.16.1.30:80/harbor/nginx:v1.0 #下載鏡像指定harbor倉庫中的鏡像
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
spec:
type: NodePort
selector:
app: web
ports:
- protocol: TCP
port: 80
targetPort: 80
nodePort: 30000
//創(chuàng)建nginx服務(wù)�����,并訪問nginx網(wǎng)頁:
[root@master harbor]# kubectl create -f nginx.yaml
deployment.extensions/nginx created
service/nginx-svc created
[root@master harbor]# kubectl get pod,svc
NAME READY STATUS RESTARTS AGE
pod/nginx-7559d56464-tqc2g 1/1 Running 0 63s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 113d
service/nginx-svc NodePort 10.105.18.41 <none> 80:30000/TCP 63s
四�����,拉取Harbor倉庫中的私有鏡像
K8S在默認(rèn)情況下只能拉取Harbor倉庫中的公有鏡像�����,拉取私有鏡像會報錯:ErrImagePull 或 ImagePullBackOff�����,如下圖(node02上沒有pull鏡像到本地,所以會報錯)
為了解決這個問題�����,我們需要創(chuàng)建認(rèn)證登陸密鑰來拉取私有鏡像�����。
核心思路:拉取私有倉庫鏡像需要配置私有倉庫的登陸信息�����,用Secret存儲�����,并且定義Deployment或者Pod時�����,指定imagePullSecret為保存了私有倉庫登陸信息的Secret名�����。
注意:需要事先在客戶端登錄harbor,才能夠拉取harbor倉庫中的私有鏡像�����。
#有兩種創(chuàng)建Secret的方法:
1�����,docker credential創(chuàng)建Secret
1)先在服務(wù)器上登陸Harbor倉庫:
[root@master harbor]# docker login -uadmin -pHarbor12345 172.16.1.30:80
2)登陸成功后會在當(dāng)前用戶下生成~/.docker/config.json文件:
[root@master harbor]# cat ~/.docker/config.json
{
"auths": {
"172.16.1.30:80": {
"auth": "YWRtaW46SGFyYm9yMTIzNDU="
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.09.0 (linux)"
}
#將config.json文件進(jìn)行base64加密:
[root@master harbor]# cat ~/.docker/config.json | base64 -w 0
ewoJImF1dGhzIjogewoJCSIxNzIuMTYuMS4zMDo4MCI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOC4wOS4wIChsaW51eCkiCgl9Cn0=
3)創(chuàng)建secret
[root@master harbor]# vim login-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: login
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: ewoJImF1dGhzIjogewoJCSIxNzIuMTYuMS4zMDo4MCI6IHsKCQkJImF1dGgiOiAiWVdSdGFXNDZTR0Z5WW05eU1USXpORFU9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOC4wOS4wIChsaW51eCkiCgl9Cn0=
[root@master harbor]# kubectl create -f login-secret.yaml
secret/login created
[root@master harbor]# kubectl get secrets
NAME TYPE DATA AGE
default-token-wswg2 kubernetes.io/service-account-token 3 113d
login kubernetes.io/dockerconfigjson 1 36s
2�����,用戶名密碼創(chuàng)建Secret(一條命令解決�����,推薦使用)
#使用私有倉庫的用戶名密碼�����,直接創(chuàng)建Secret:
[root@master harbor]# kubectl create secret docker-registry login-new --docker-server=172.16.1.30:80 --docker-username=admin --docker-password=Harbor12345
secret/login-new created
[root@master harbor]# kubectl get secrets
NAME TYPE DATA AGE
default-token-wswg2 kubernetes.io/service-account-token 3 113d
login kubernetes.io/dockerconfigjson 1 38m
login-new kubernetes.io/dockerconfigjson 1 11m
##部署應(yīng)用�����,拉取私有鏡像(以上邊的nginx服務(wù)為例):
[root@master harbor]# cat nginx.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx
spec:
template:
metadata:
labels:
app: web
spec:
containers:
- name: nginx
image: 172.16.1.30:80/harbor/nginx:v1.0
ports:
- containerPort: 80
imagePullSecrets: #添加imagePullSecrets字段
- name: login
---
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
spec:
type: NodePort
selector:
app: web
ports:
- protocol: TCP
port: 80
targetPort: 80
nodePort: 30000
注:需要在創(chuàng)建容器時指定imagePullSecrets字段(指定剛才創(chuàng)建的密鑰)
#重新創(chuàng)建nginx服務(wù):
[root@master harbor]# kubectl delete -f nginx.yaml
[root@master harbor]# kubectl apply -f nginx.yaml
#再次查看pod�����,成功拉取harbor倉庫中的私有鏡像
##測試第二種方法創(chuàng)建的Secret�����,部署應(yīng)用:
#重新創(chuàng)建nginx服務(wù):
注:先將node節(jié)點上原有拉取在本地的鏡像給刪除掉
[root@master harbor]# kubectl apply -f nginx.yaml
deployment.extensions/nginx configured
service/nginx-svc unchanged
#查看pod�����,同樣能夠成功拉取Harbor倉庫中的私有鏡像:
