我们已经快速安装和启动了Harbor,接下来我们进一步探索一些定制化的配置:
- 安全上我们要启用https
- 默认安装的Harbor将数据Volume挂载到主机的/data目录,我们需要做一些定制,本篇我们将其挂载到主机的其他目录。后边为了实现Harbor的高可用,再继续探索将Registry的存储驱动切换为CephFS或S3。
- 将Harbor默认安装启动的mysql docker容器切换为外部的数据库, 我们的环境中已经有高可用的MySQL GR集群。后边我们再继续探索多个节点Harbor使用相同的外部高可用MySQL。
1.配置https访问
1.1 使用自签名证书
这里还是使用cfssl这个工具生成SSL证书和秘钥。
下载cfss工具:
mkdir /data/cert/
cd /data/cert/
curl -sSL -o cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"
curl -sSL -o cfssl "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64"
chmod +x cfssl cfssljson创建ca-config.json文件:
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"harbor": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}创建文件ca-csr.json:
{
"CN": "harbor",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "harbor",
"OU": "harbor",
"L": "the internet"
}
]
}生成CA证书和私钥:
export PATH="$PATH:/data/cert"
cfssl gencert -initca ca-csr.json | cfssljson -bare caharbor-csr.json
{
"CN": "harbor",
"hosts": [
"127.0.0.1",
"192.168.61.11"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "harbor",
"OU": "harbor",
"L": "the internet"
}
]
}cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=harbor harbor-csr.json | cfssljson -bare harbor1.2 在Harbor上启用https
我们的建议是不要在Harbor上启用https,而是在将Harbor放置到一个LB的后边,配置LB的SSL访问,并在LB上做SSL termination。 因此本节只是简单试验一下。
修改harbor.cfg:
ssl_cert = /data/cert/harbor.pem
ssl_cert_key = /data/cert/harbor-key.pem修改docker-compose.yml文件:
proxy:
image: vmware/nginx:1.11.5-patched
container_name: nginx
restart: always
volumes:
- ./common/config/nginx:/etc/nginx:z
networks:
- harbor
ports:
- 8090:443使用--with-notary参数安装Harbor:
./install.sh --with-notary
......
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at https://192.168.61.11:8090.因为我们配置使用的是自签名的证书,因此需要将前面生成的CA证书拷贝到需要访问Harbor仓库的每个docker主机的/etc/docker/certs.d/registry-hostname/下。
mkdir -p /etc/docker/certs.d/192.168.61.11:8090拷贝到ca.pem到 /etc/docker/certs.d/192.168.61.11:8090/ca.crt
测试:
docker login -u admin -p Harbor12345 192.168.61.11:8090
Login Succeeded1.3 在前置LB上做SSL termination
我们在Harbor前面再放置一个nginx作为接入层,在这个nginx上配置SSL,可以使用自签名证书,如果绑定了域名和固定IP,可以申请使用 Let’s Encrypt的免费HTTPS证书。
下面的是前置nginx上做负载均衡和SSL termination的nginx配置文件片段:
upstream harbor {
server 192.168.61.11:8090 weight=1 max_fails=2 fail_timeout=30s;
server 192.168.61.12:8090 weight=1 max_fails=2 fail_timeout=30s;
}
server {
listen 443 ssl;
server_name harbor.frognew.com;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/harbor.frognew.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/harbor.frognew.com/privkey.pem;
location / {
proxy_pass http://harbor;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
client_max_body_size 300M;
}
}
server {
listen 80;
server_name harbor.frognew.com;
rewrite ^(.*)$ https://$host$1 permanent;
}接下来还需要对Harbor中的配置模板做一些修改,修改common/templates/nginx/nginx.http.conf,找到location /, location /v2/ and location /service/这3个配置块,
将这三个配置块中的proxy_set_header X-Forwarded-Proto $scheme;配置移除。
修改common/templates/registry/config.yml,修改auth.token.realm的地址:
auth:
token:
issuer: harbor-token-issuer
realm: https://harbor.frognew.com/service/token
# realm: $ui_url/service/token
rootcertbundle: /etc/registry/root.crt
service: harbor-registrydocker-compose down -v
./prepare
docker-compose up -d2.挂载data Volume到其他目录
使用docker-compose安装的Harbor默认将数据Volume挂载到主机的/data目录下。 根据主机实际的分区我们可以将其挂载到其他目录下,如/home/harbor/data。
修改harbor.cfg:
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /home/harbor/data/cert/harbor.pem
ssl_cert_key = /home/harbor/data/cert/harbor-key.pem
#The path of secretkey storage
secretkey_path = /home/harbor/data再修改docker-compose.yml中相关volume中的对应路径到/home/harbor/data。
docker-compose down -v
./prepare
docker-compose up -d3.切换到外部的MySQL
首先在外部的MySQL中创建registry数据库和harbor用户:
create database registry;
grant all on registry.* to harbor@'%' identified by 'harbor';将组件harbor-db中的registry的表和数据导入到外部新建的这个数据库。
修改harbor/common/templates/adminserver/env,修改下面的内容:
DATABASE_TYPE=mysql
MYSQL_HOST=192.168.61.11
MYSQL_PORT=3306
MYSQL_USR=harbor
MYSQL_PWD=harbor
MYSQL_DATABASE=registry
RESET=true docker-compose down -v移除 docker-compose.yml中的mysql组件。
./prepare
docker-compose up -d最后使用浏览器打开Harbor的Web UI确认访问正常。