Harbor从http方式改为https方式-创新互联

Harbor 从http方式改为https方式

为扎赉特等地区用户提供了全套网页设计制作服务，及扎赉特网站建设行业解决方案。主营业务为成都网站设计、成都做网站、扎赉特网站设计，以传统方式定制建设网站，并提供域名空间备案等一条龙服务，秉承以专业、用心的态度为用户提供真诚的服务。我们深信只要达到每一位用户的要求，就会得到认可，从而选择与我们长期合作。这样，我们也可以走得更远！

上面左边是我的个人微信，如需进一步沟通，请加好友。右边是我的公众号“Openstack私有云”，如有兴趣，请关注。

第一次安装harbor的时候为了方便，安装成了http方式，但是后面时候的时候发现各种不方便，因为docker客户端登录镜像源的时候都是默认是https方式，所以每一个客户端都要特别的设置，很是麻烦。因此决定将http方式改为https方式。记录一下操作过程。

参考官网的安装文档进行操作，如下：

https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

创建CA密钥对： openssl genrsa -out ca.key 4096 openssl req -x509 -new -nodes -sha512 -days 36500 \ -subj "/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com" \ -key ca.key \ -out ca.crt openssl genrsa -out yuweibing.com.key 4096 创建web服务器端秘钥对： openssl req -sha512 -new \ -subj "/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com" \ -key yuweibing.com.key \ -out yuweibing.com.csr 使web服务器到CA进行签约： cat > v3.ext <<-EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1=yuweibing.com DNS.2=yuweibing DNS.3=harbor EOF openssl x509 -req -sha512 -days 3650 \ -extfile v3.ext \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in yuweibing.com.csr \ -out yuweibing.com.crt 执行结果显示如下： [root@harbor ssl]# openssl x509 -req -sha512 -days 3650 \ > -extfile v3.ext \ > -CA ca.crt -CAkey ca.key -CAcreateserial \ > -in yuweibing.com.csr \ > -out yuweibing.com.crt Signature ok subject=/C=SC/ST=CHENGDU/L=CHENGDU/O=example/OU=Personal/CN=yuweibnig.com Getting CA Private Key [root@harbor ssl]#

修改harbor.cfg配置文件中以下参数：

hostname = yuweibing.com

ui_url_protocol = https

ssl_cert = /software/harbor/ssl/yuweibing.com.crt

ssl_cert_key = /software/harbor/ssl/yuweibing.com.key

secretkey_path = /software/harbor/ssl

然后执行prepare：

./prepare

然后执行install:

./install.sh

以下是执行结果：

[root@harbor harbor]# ./prepare Clearing the configuration file: ./common/config/adminserver/env Clearing the configuration file: ./common/config/core/env Clearing the configuration file: ./common/config/core/app.conf Clearing the configuration file: ./common/config/core/private_key.pem Clearing the configuration file: ./common/config/db/env Clearing the configuration file: ./common/config/jobservice/env Clearing the configuration file: ./common/config/jobservice/config.yml Clearing the configuration file: ./common/config/registry/config.yml Clearing the configuration file: ./common/config/registry/root.crt Clearing the configuration file: ./common/config/registryctl/env Clearing the configuration file: ./common/config/registryctl/config.yml Clearing the configuration file: ./common/config/nginx/nginx.conf Clearing the configuration file: ./common/config/log/logrotate.conf Generated and saved secret to file: /software/harbor/ssl/secretkey Generated configuration file: ./common/config/nginx/nginx.conf Generated configuration file: ./common/config/adminserver/env Generated configuration file: ./common/config/core/env Generated configuration file: ./common/config/registry/config.yml Generated configuration file: ./common/config/db/env Generated configuration file: ./common/config/jobservice/env Generated configuration file: ./common/config/jobservice/config.yml Generated configuration file: ./common/config/log/logrotate.conf Generated configuration file: ./common/config/registryctl/env Generated configuration file: ./common/config/core/app.conf Generated certificate, key file: ./common/config/core/private_key.pem, cert fil The configuration files are ready, please use docker-compose to start the servi [root@harbor harbor]# ls common docker-compose.clair.yml docker-compose.yml docker-compose.chartmuseum.yml docker-compose.notary.yml harbor.cfg [root@harbor harbor]# ./install.sh [Step 0]: checking installation environment ... Note: docker version: 1.13.1 Note: docker-compose version: 1.18.0 [Step 1]: loading Harbor images ... Loaded image: goharbor/registry-photon:v2.6.2-v1.7.1 Loaded image: goharbor/harbor-migrator:v1.7.1 Loaded image: goharbor/harbor-adminserver:v1.7.1 Loaded image: goharbor/harbor-core:v1.7.1 Loaded image: goharbor/harbor-log:v1.7.1 Loaded image: goharbor/harbor-jobservice:v1.7.1 Loaded image: goharbor/notary-server-photon:v0.6.1-v1.7.1 Loaded image: goharbor/clair-photon:v2.0.7-v1.7.1 Loaded image: goharbor/harbor-portal:v1.7.1 Loaded image: goharbor/harbor-db:v1.7.1 Loaded image: goharbor/redis-photon:v1.7.1 Loaded image: goharbor/nginx-photon:v1.7.1 Loaded image: goharbor/harbor-registryctl:v1.7.1 Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.7.1 Loaded image: goharbor/chartmuseum-photon:v0.7.1-v1.7.1 [Step 2]: preparing environment ... Clearing the configuration file: ./common/config/adminserver/env Clearing the configuration file: ./common/config/core/env Clearing the configuration file: ./common/config/core/app.conf Clearing the configuration file: ./common/config/core/private_key.pem Clearing the configuration file: ./common/config/db/env Clearing the configuration file: ./common/config/jobservice/env Clearing the configuration file: ./common/config/jobservice/config.yml Clearing the configuration file: ./common/config/registry/config.yml Clearing the configuration file: ./common/config/registry/root.crt Clearing the configuration file: ./common/config/registryctl/env Clearing the configuration file: ./common/config/registryctl/config.yml Clearing the configuration file: ./common/config/nginx/cert/yuweibing.com.crt Clearing the configuration file: ./common/config/nginx/cert/yuweibing.com.key Clearing the configuration file: ./common/config/nginx/nginx.conf Clearing the configuration file: ./common/config/log/logrotate.conf loaded secret from file: /software/harbor/ssl/secretkey Generated configuration file: ./common/config/nginx/nginx.conf Generated configuration file: ./common/config/adminserver/env Generated configuration file: ./common/config/core/env Generated configuration file: ./common/config/registry/config.yml Generated configuration file: ./common/config/db/env Generated configuration file: ./common/config/jobservice/env Generated configuration file: ./common/config/jobservice/config.yml Generated configuration file: ./common/config/log/logrotate.conf Generated configuration file: ./common/config/registryctl/env Generated configuration file: ./common/config/core/app.conf Generated certificate, key file: ./common/config/core/private_key.pem, cert fil The configuration files are ready, please use docker-compose to start the servi [Step 3]: checking existing instance of Harbor ... Note: stopping existing Harbor instance ... Stopping nginx ... done Stopping harbor-jobservice ... done Stopping harbor-portal ... done Stopping harbor-core ... done Stopping registry ... done Stopping harbor-adminserver ... done Stopping registryctl ... done Stopping redis ... done Stopping harbor-db ... done Stopping harbor-log ... done Removing nginx ... done Removing harbor-jobservice ... done Removing harbor-portal ... done Removing harbor-core ... done Removing registry ... done Removing harbor-adminserver ... done Creating harbor-log ... done Removing redis ... done Removing harbor-db ... done Removing harbor-log ... done Removing network harbor_harbor Creating redis ... done Creating harbor-core ... done [Step 4]: starting Harbor ... Creating harbor-portal ... done Creating nginx ... done Creating registryctl ... Creating harbor-adminserver ... Creating redis ... Creating registry ... Creating harbor-db ... Creating harbor-core ... Creating harbor-portal ... Creating harbor-jobservice ... Creating nginx ... ✔ ----Harbor has been installed and started successfully.---- Now you should be able to visit the admin portal at https://reg.yuweibing.com. For more details, please visit https://github.com/goharbor/harbor . [root@harbor harbor]# ./install.sh

接下来修改windows本机客户端的hosts文件强制解析域名： reg.yuweibing.com

192.168.1.44reg.yuweibing.com

192.168.170.44reg.yuweibing.com

然后就可以在windows客户端上输入域名 reg.yuweibing.com进行访问harbor的web网页了，如下：

Harbor 从http方式改为https方式

登录进去后发现原来的用户信息和镜像数据都还在，还是不错。

接下来验证docker客户端是否能够正常从harbor拉取镜像：

[root@k8s1 ~]# docker login yuweibing.com Username: ywb Password: Error response from daemon: Get https://yuweibing.com/v2/: x509: certificate signed by unknown authority

发现认证失败。原因是还需要设置docker对于yuweibing.com这个域名的认证信息，将这个域名的公钥私钥和CA文件拷贝到docker的认证目录：/etc/docker/certs.d/yuweibing.com/ ，操作如下：

进入上面的秘钥文件所在的ssl目录，并执行如下命令： openssl x509 -inform PEM -in yuweibing.com.crt -out yuweibing.com.cert cp yuweibing.com.cert /etc/docker/certs.d/yuweibing.com/ cp yuweibing.com.key /etc/docker/certs.d/yuweibing.com/ cp ca.crt /etc/docker/certs.d/yuweibing.com/

将上面生成的3个文件同样scp拷贝到需要登录harbor的所有docker客户端的/etc/docker/certs.d/yuweibing.com/目录中，注意这个目录需要新建，同时需要在docker客户端中修改hosts文件解析yuweibing.com。

再次验证一下：

[root@k8s1 yuweibing.com]# docker login yuweibing.com Username: ywb Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store Login Succeeded [root@k8s1 yuweibing.com]#

验证成功！

总结：

如果为了在安装harbor的时候省事采用http的方式部署，使用的时候docker客户端默认使用register仓库的时候都是使用安全连接https，如果要改为http需要修改docker配置，很是麻烦。因此还是需要使用https方式。

从http方式改为https方式主要是需要重新生成CA证书（颁发机构），web服务器证书（harbor服务器），以及服务器向CA进行签发注册。之后修改harbor.cfg配置文件，将服务器证书文件配置到配置文件中，修改hostname从IP地址改为域名，重新prepare和install ，install程序会自己将原来的docker-compose中的容器删除重新生成。

重新安装后的用户信息和镜像数据都会保留。

最后不要忘记配置docker客户端harbor服务器的公钥私钥，并且做好域名解析，如果没有dns服务器解析，就直接修改docker客户端上的hosts文件解析harbor配置的域名。

另外有需要云服务器可以了解下创新互联cdcxhl.cn，海内外云服务器15元起步，三天无理由+7*72小时售后在线，公司持有idc许可证，提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案，具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势，专为企业上云打造定制，能够满足用户丰富、多元化的应用场景需求。

本文题目：Harbor从http方式改为https方式-创新互联
文章分享：https://www.cdcxhl.com/article6/cojjog.html

成都网站建设公司_创新互联，为您提供小程序开发、企业建站、移动网站建设、定制网站、动态网站、网站营销

声明：本网站发布的内容（图片、视频和文字）以用户投稿、用户转载内容为主，如果涉及侵权请尽快告知，我们将会在第一时间删除。文章观点不代表本网站立场，如需处理请联系客服。电话：028-86922220；邮箱：631063699@qq.com。内容未经允许不得转载，或转载时需注明来源：创新互联

猜你还喜欢下面的内容