2026-02-12
kubernetes

Deploying a Harbor private image registry

Install Docker

```shell
# Fetch the docker software repository definition with wget
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
# Install docker-ce
yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# Enable and start the docker service
systemctl enable docker && systemctl start docker

# The official repository enables the latest packages by default; other versions can be
# obtained by editing the repository file. For example, the test channel is not enabled
# by default and can be switched on as follows (the same applies to other test channels):
# vim /etc/yum.repos.d/docker-ce.repo
#   change enabled=0 under [docker-ce-test] to enabled=1
#
# Installing a specific version of Docker-CE:
# Step 1: list the available Docker-CE versions:
# yum list docker-ce.x86_64 --showduplicates | sort -r
#   Loading mirror speeds from cached hostfile
#   Loaded plugins: branch, fastestmirror, langpacks
#   docker-ce.x86_64  17.03.1.ce-1.el7.centos  docker-ce-stable
#   docker-ce.x86_64  17.03.1.ce-1.el7.centos  @docker-ce-stable
#   docker-ce.x86_64  17.03.0.ce-1.el7.centos  docker-ce-stable
#   Available Packages
# Step 2: install the chosen version (VERSION is e.g. 17.03.0.ce.1-1.el7.centos from the list above):
# sudo yum -y install docker-ce-[VERSION]
```

Download the Harbor offline installer

```shell
wget https://github.com/goharbor/harbor/releases/download/v2.13.1/harbor-offline-installer-v2.13.1.tgz
tar -xvf harbor-offline-installer-v2.13.1.tgz
```

HTTP mode

```shell
cp harbor.yml.tmpl harbor.yml
vim harbor.yml

# Set the hostname
hostname: harbor.local.com
# Comment out the https-related settings
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
#https:
  # https port for harbor, default is 443
  #port: 443
  # The path of cert and key files for nginx
  #certificate: /your/certificate/path
  #private_key: /your/private/key/path
```

HTTPS mode

Generate a self-signed certificate

```shell
# Clone the project
git clone https://github.com/Fishdrowned/ssl.git
# Generate the certificate in one step
cd ssl
./gen.cert.sh harbor.local.com   # generate a certificate for the harbor.local.com domain
Removing dir out
Creating output structure
Done
Generating a RSA private key
...................................+++++
....+++++
writing new private key to 'out/root.key.pem'
-----
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
....................................+++++
e is 65537 (0x010001)
Using configuration from ./ca.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'Guangdong'
localityName          :ASN.1 12:'Guangzhou'
organizationName      :ASN.1 12:'Fishdrowned'
organizationalUnitName:ASN.1 12:'harbor.local.com'
commonName            :ASN.1 12:'*.harbor.local.com'
Certificate is to be certified until Aug 12 10:49:02 2025 GMT (730 days)
Write out database with 1 new entries
Data Base Updated
Certificates are located in:
lrwxrwxrwx 1 root root 43 8月 13 18:49 /opt/ssl/out/harbor.local.com/harbor.local.com.bundle.crt -> ./20230813-1849/harbor.local.com.bundle.crt
lrwxrwxrwx 1 root root 36 8月 13 18:49 /opt/ssl/out/harbor.local.com/harbor.local.com.crt -> ./20230813-1849/harbor.local.com.crt
lrwxrwxrwx 1 root root 15 8月 13 18:49 /opt/ssl/out/harbor.local.com/harbor.local.com.key.pem -> ../cert.key.pem
lrwxrwxrwx 1 root root 11 8月 13 18:49 /opt/ssl/out/harbor.local.com/root.crt -> ../root.crt

# Copy the certificate and key into the harbor directory
cd out/harbor.local.com/
cp harbor.local.com.crt /opt/harbor/
cp harbor.local.com.key.pem /opt/harbor/
```
Edit the configuration file

```shell
cp harbor.yml.tmpl harbor.yml
vim harbor.yml

# Set the hostname
hostname: harbor.local.com
# Comment out the http-related settings
# http related config
# http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  # port: 80
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /opt/harbor/harbor.local.com.crt
  private_key: /opt/harbor/harbor.local.com.key.pem

data_volume: /data/harbor
```

Run install.sh


Access Harbor

```shell
[root@k8s-harbor harbor]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.5    harbor.local.com
```


  • Initial username: admin
  • Initial password: Harbor12345

Create a systemd service unit

```shell
cat << 'EOF' > /lib/systemd/system/harbor.service
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f /usr/local/harbor/docker-compose.yml up
ExecReload=/usr/local/bin/docker-compose -f /usr/local/harbor/docker-compose.yml restart
ExecStop=/usr/local/bin/docker-compose -f /usr/local/harbor/docker-compose.yml down

[Install]
WantedBy=multi-user.target
EOF
```

```shell
systemctl enable harbor --now
```
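The unit above hard-codes the compose binary and the compose file; the post itself refers to the Harbor directory as both /opt/harbor and /usr/local/harbor, so it is worth confirming that the paths named in ExecStart really exist before `systemctl enable harbor --now` (a bad path leaves the unit in an on-failure restart loop). The following pre-flight check is an added example and not part of the original post: it parses the ExecStart= line of a unit file and verifies the binary is executable and the `-f` file is present. The unit files, the stand-in docker-compose binary and the empty compose file it writes to a temp dir are constructed so the script runs offline; on a real host call `check_compose_unit /lib/systemd/system/harbor.service`.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for a docker-compose based
# systemd unit. Verifies that the compose binary and the -f compose file named in
# ExecStart= exist before the unit is enabled.

# Constructed offline fixture: a fake compose binary and an empty compose file.
WORK=$(mktemp -d)
mkdir -p "$WORK/bin" "$WORK/harbor"
printf '#!/bin/sh\nexit 0\n' > "$WORK/bin/docker-compose"   # stand-in binary, constructed
chmod +x "$WORK/bin/docker-compose"
: > "$WORK/harbor/docker-compose.yml"                          # empty compose file, constructed

# write_unit FILE BIN COMPOSE: write a unit shaped like harbor.service in the post
write_unit() {
    cat << EOF > "$1"
[Unit]
Description=Harbor
After=docker.service
Requires=docker.service

[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=$2 -f $3 up
ExecStop=$2 -f $3 down

[Install]
WantedBy=multi-user.target
EOF
}
write_unit "$WORK/good.service" "$WORK/bin/docker-compose"     "$WORK/harbor/docker-compose.yml"
write_unit "$WORK/bad.service"  "$WORK/missing/docker-compose" "$WORK/missing/docker-compose.yml"

# exec_start_field UNIT N: N-th whitespace-separated token of the ExecStart= value
exec_start_field() {
    sed -n 's/^ExecStart=//p' "$1" | awk -v n="$2" '{ print $n }'
}

# check_compose_unit UNIT: 0 if the compose binary is executable and the -f file exists
check_compose_unit() {
    bin=$(exec_start_field "$1" 1)
    [ "$(exec_start_field "$1" 2)" = "-f" ] || { echo "$1: unexpected ExecStart layout" >&2; return 1; }
    compose=$(exec_start_field "$1" 3)
    [ -x "$bin" ]     || { echo "$1: compose binary not executable: $bin" >&2; return 1; }
    [ -f "$compose" ] || { echo "$1: compose file missing: $compose" >&2; return 1; }
    echo "$1: ok ($bin -f $compose)"
}

check_compose_unit "$WORK/good.service"
check_compose_unit "$WORK/bad.service" || echo "bad.service rejected as expected"
```

If the check fails on a real host, either move the Harbor directory to the path the unit expects or edit ExecStart/ExecReload/ExecStop to point at the actual install location, then run `systemctl daemon-reload` before enabling the unit.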

Authorizing Docker access

Private registry settings in the Docker daemon configuration

```shell
cat /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://mirror.ccs.tencentyun.com",
    "https://o2j0mc5x.mirror.aliyuncs.com"
  ],
  "insecure-registries": [
    "https://harbor.local.com"
  ]
}
```

Restart Docker

```shell
systemctl daemon-reload && systemctl restart docker
```

Cluster hosts mapping

```shell
cat << EOF >> /etc/hosts
10.0.0.5 harbor.local.com
EOF
```

Allow port 443 through firewalld

```shell
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
```

Access test

```shell
curl -k https://harbor.local.com
```

Check the service status

```shell
systemctl status harbor.service
```

Login test

```shell
docker login harbor.local.com -u admin
```


Push images

Authorizing Kubernetes access

Create the registry credential Secret

```shell
kubectl create secret docker-registry registry-secret --namespace=default \
  --docker-server=harbor.local.com --docker-username=admin --docker-password=Harbor12345
```

```shell
[root@k8s-master ~]# cat harbor-registry-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: registry-secret
  namespace: default
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IubG9jYWwuY29tIjp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6IkhhcmJvcjEyMzQ1IiwiZW1haWwiOiJ5b3VAZXhhbXBsZS5jb20iLCJhdXRoIjoiWVdSdGFXNDZjR0Z6YzNkdmNtUT0ifX19
kubectl apply -f harbor-registry-secret.yaml
```

View the Secret

```shell
[root@k8s-master ~]# kubectl get secret registry-secret -n default
NAME              TYPE                             DATA   AGE
registry-secret   kubernetes.io/dockerconfigjson   1      11s
[root@k8s-master ~]# kubectl describe secret registry-secret -n default
Name:         registry-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  132 bytes
[root@k8s-master ~]# kubectl get secrets
NAME              TYPE                             DATA   AGE
registry-secret   kubernetes.io/dockerconfigjson   1      9s
```
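`kubectl describe` only reports the payload size, so it cannot tell whether the credentials inside a hand-written `.dockerconfigjson` are consistent. Docker-style clients, the kubelet included, take the username and password from the `auth` field when it is present, so `auth` must be exactly base64("username:password"). Decoding the YAML shown above reveals the classic hand-editing mistake: its `password` is Harbor12345 but its `auth` decodes to `admin:password`, so pulls with that Secret would fail. The following script is an added example (not part of the original post) that builds the payload the way `kubectl create secret docker-registry` does and checks an existing one for this mismatch; it needs only base64 and sed, and the POST_SECRET constant is the value copied from the YAML above.

```shell
#!/bin/sh
# Added example, not from the original post: build and sanity-check the base64
# .dockerconfigjson payload of a kubernetes.io/dockerconfigjson Secret.
# Clients prefer the "auth" field, so it must equal base64("username:password").

# make_dockerconfigjson SERVER USER PASSWORD: print the base64 value for data/.dockerconfigjson
make_dockerconfigjson() {
    auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$1" "$2" "$3" "$auth" | base64 | tr -d '\n'
}

# json_field JSON NAME: value of the string field "NAME":"value" in the flat JSON (no jq needed)
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# check_dockerconfigjson B64: 0 when "auth" decodes to "username:password", 1 otherwise
check_dockerconfigjson() {
    json=$(printf '%s' "$1" | base64 -d)
    user=$(json_field "$json" username)
    pass=$(json_field "$json" password)
    auth=$(json_field "$json" auth | base64 -d)
    if [ "$auth" = "$user:$pass" ]; then
        echo "ok: auth field matches user '$user'"
    else
        echo "MISMATCH: auth decodes to '$auth' but username/password say '$user:$pass'" >&2
        return 1
    fi
}

# Value copied from the harbor-registry-secret.yaml in the post.
POST_SECRET='eyJhdXRocyI6eyJoYXJib3IubG9jYWwuY29tIjp7InVzZXJuYW1lIjoiYWRtaW4iLCJwYXNzd29yZCI6IkhhcmJvcjEyMzQ1IiwiZW1haWwiOiJ5b3VAZXhhbXBsZS5jb20iLCJhdXRoIjoiWVdSdGFXNDZjR0Z6YzNkdmNtUT0ifX19'

# A freshly built payload passes; the one from the post is flagged.
GOOD=$(make_dockerconfigjson harbor.local.com admin Harbor12345)
check_dockerconfigjson "$GOOD"
check_dockerconfigjson "$POST_SECRET" || echo "fix the auth field or recreate the Secret with kubectl"
```

To check a Secret that is already in the cluster, feed it the live value: `check_dockerconfigjson "$(kubectl get secret registry-secret -n default -o jsonpath='{.data.\.dockerconfigjson}')"`. Creating the Secret with `kubectl create secret docker-registry`, as in the first command of this section, always produces a consistent `auth` field.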

A Pod definition that uses an image from this private registry can then reference the Secret through the imagePullSecrets field:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-imagepull-demo
  namespace: default
spec:
  imagePullSecrets:
  - name: registry-secret
  containers:
  - image: 192.168.10.14/k8s/nginx:v1
    name: myapp
```

Adding the CA certificate to the Docker daemon

Obtain the CA certificate from harbor.local.com: open https://harbor.local.com in a browser and export the certificate, or, if you have access to the Harbor server, take the CA certificate file from there.

Copy the CA certificate into the Docker daemon's certificate directory, usually /etc/docker/certs.d/harbor.local.com/, then restart the Docker service.

```shell
[root@k8s-harbor harbor]# scp /usr/local/harbor/harbor.local.com.crt [email protected]:/root
The authenticity of host '10.0.0.2 (10.0.0.2)' can't be established.
ECDSA key fingerprint is SHA256:BQCBv/PyzW2XHb2Ud77URNV029tFeitQou9hNMjsRQ0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.0.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
harbor.local.com.crt                          100% 1533   609.1KB/s   00:00
```

```shell
[root@k8s-worker-1 ~]# mkdir /etc/docker/certs.d/harbor.local.com -p
[root@k8s-worker-2 ~]# mkdir /etc/docker/certs.d/harbor.local.com -p
[root@k8s-master ~]# mkdir /etc/docker/certs.d/harbor.local.com/ -p
```

```shell
[root@k8s-master ~]# scp ../harbor.local.com.crt [email protected]:/etc/docker/certs.d/harbor.local.com/
[email protected]'s password:
harbor.local.com.crt                          100% 1533   801.7KB/s   00:00
[root@k8s-master ~]# scp ../harbor.local.com.crt [email protected]:/etc/docker/certs.d/harbor.local.com/
[email protected]'s password:
harbor.local.com.crt                          100% 1533   793.8KB/s   00:00
[root@k8s-master ~]# cp ../harbor.local.com.crt /etc/docker/certs.d/harbor.local.com/
```

```shell
[root@k8s-master kube-prometheus-0.15.0]# systemctl restart docker
[root@k8s-worker-1 ~]# systemctl restart docker
[root@k8s-worker-2 ~]# systemctl restart docker
```
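The per-node copy above is easy to get subtly wrong: Docker trusts every *.crt file under /etc/docker/certs.d/<registry-host>/, a node that received a truncated or different file fails with an x509 error, and the private key sitting next to the certificate (harbor.local.com.key.pem) must never be distributed to clients. The function below is an added example, not part of the original post: it installs a certificate under the directory layout Docker expects, refuses anything containing private-key material, and returns the SHA-256 of the installed file so each node can be compared against the source. The ROOT argument defaults to the real filesystem; the demo uses a temp dir and constructed placeholder PEM bodies so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: install a registry CA certificate into
# ROOT/etc/docker/certs.d/HOST/ca.crt, rejecting private keys, and report its SHA-256.

# install_registry_ca HOST CERT_FILE [ROOT]: copy the certificate and print its sha256
install_registry_ca() {
    host=$1; cert=$2; root=${3:-}
    grep -q 'PRIVATE KEY-----' "$cert" && { echo "$cert: contains a private key, refusing" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$cert" || { echo "$cert: not a PEM certificate" >&2; return 1; }
    dir="$root/etc/docker/certs.d/$host"
    mkdir -p "$dir"
    cp "$cert" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
    sha256sum "$dir/ca.crt" | awk '{ print $1 }'
}

# ca_fingerprint FILE: SHA-256 of a file, to compare every node against the source
ca_fingerprint() { sha256sum "$1" | awk '{ print $1 }'; }

# Constructed demo inputs: placeholder PEM bodies, not real key material.
WORK=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----' \
    > "$WORK/harbor.local.com.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEplaceholder' '-----END RSA PRIVATE KEY-----' \
    > "$WORK/harbor.local.com.key.pem"

installed=$(install_registry_ca harbor.local.com "$WORK/harbor.local.com.crt" "$WORK/node1")
if [ "$installed" = "$(ca_fingerprint "$WORK/harbor.local.com.crt")" ]; then
    echo "node1: ca.crt matches the source ($installed)"
fi
install_registry_ca harbor.local.com "$WORK/harbor.local.com.key.pem" "$WORK/node1" \
    || echo "key file rejected as expected"
```

On the cluster, run `install_registry_ca harbor.local.com /root/harbor.local.com.crt` on each node after copying the certificate over, and compare the printed hash with `sha256sum` of the file on the Harbor host; Docker picks up the new CA without a daemon restart, but restarting as the post does is harmless.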