• 1. Download Harbor
wget https://github.com/goharbor/harbor/releases/download/v2.12.2/harbor-offline-installer-v2.12.2.tgz
• 2. Extract Harbor
[root@elk93 ~]# tar xf harbor-offline-installer-v2.12.2.tgz  -C /usr/local/
• 3. Prepare the configuration file
[root@elk93 ~]# ll /usr/local/harbor/
total 636508
drwxr-xr-x  2 root root      4096 Mar 24 16:46 ./
drwxr-xr-x 19 root root      4096 Mar 24 16:46 ../
-rw-r--r--  1 root root      3646 Jan 16 22:10 common.sh
-rw-r--r--  1 root root 651727378 Jan 16 22:11 harbor.v2.12.2.tar.gz
-rw-r--r--  1 root root     14288 Jan 16 22:10 harbor.yml.tmpl
-rwxr-xr-x  1 root root      1975 Jan 16 22:10 install.sh*
-rw-r--r--  1 root root     11347 Jan 16 22:10 LICENSE
-rwxr-xr-x  1 root root      2211 Jan 16 22:10 prepare*
[root@elk93 ~]# 
[root@elk93 ~]# cp /usr/local/harbor/harbor.yml{.tmpl,}
[root@elk93 ~]# 
[root@elk93 ~]# ll /usr/local/harbor/harbor.yml*
-rw-r--r-- 1 root root 14288 Mar 24 16:46 /usr/local/harbor/harbor.yml
-rw-r--r-- 1 root root 14288 Jan 16 22:10 /usr/local/harbor/harbor.yml.tmpl
[root@elk93 ~]# 
[root@elk93 ~]# vim /usr/local/harbor/harbor.yml
...
hostname: 10.0.0.93
...
## https related config                               
#https:
#  # https port for harbor, default is 443
#  port: 443
#  # The path of cert and key files for nginx
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
#  # enable strong ssl ciphers (default: false)
#  # strong_ssl_ciphers: false

...
harbor_admin_password: 1   
...
data_volume: /oldboyedu/data/harbor       
...
• 4. Install Harbor
Note: make sure Docker is installed on the server and the Docker service is running.
[root@elk93 ~]# /usr/local/harbor/install.sh 

[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.24

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 2.23.0

[Step 2]: loading Harbor images ...
...

[Step 5]: starting Harbor ...
[+] Building 0.0s (0/0)                                                                                                 docker:default
[+] Running 10/10
 ✔ Network harbor_harbor        Created                                                                                           0.1s 
 ✔ Container harbor-log         Started                                                                                           0.0s 
 ✔ Container redis              Started                                                                                           0.0s 
 ✔ Container registryctl        Started                                                                                           0.0s 
 ✔ Container harbor-db          Started                                                                                           0.1s 
 ✔ Container harbor-portal      Started                                                                                           0.0s 
 ✔ Container registry           Started                                                                                           0.0s 
 ✔ Container harbor-core        Started                                                                                           0.0s 
 ✔ Container harbor-jobservice  Started                                                                                           0.0s 
 ✔ Container nginx              Started                                                                                           0.0s 
✔ ----Harbor has been installed and started successfully.----
[root@elk93 ~]# 
• 5. Access the Harbor web UI
http://10.0.0.93/harbor/projects


Username: admin
Password: 1

The HTTP Harbor registry is now set up!

Harbor over HTTPS with a self-signed certificate

• 1. Environment
www.vionletarchitect.com   10.0.0.250
• 2. Copy the Harbor installer to the target host
[root@elk93 ~]# scp harbor-offline-installer-v2.12.2.tgz oldboyedu-autoinstall-docker-docker-compose.tar.gz 10.0.0.250:~
• 3. Extract the Harbor installer
[root@harbor ~]# tar xf harbor-offline-installer-v2.12.2.tgz
• 4. Set up the CA certificate
4.1 Change to the Harbor root directory
[root@harbor ~]# cd /usr/local/harbor/
4.2 Create the certificate directories
[root@harbor ~]# apt -y install tree
[root@harbor ~]# mkdir -pv certs/{ca,harbor-server,docker-client}
mkdir: created directory 'certs'
mkdir: created directory 'certs/ca'
mkdir: created directory 'certs/harbor-server'
mkdir: created directory 'certs/docker-client'
[root@harbor ~]# tree certs
certs
├── ca
├── docker-client
└── harbor-server
3 directories, 0 files
4.3 Create the CA private key
[root@harbor ~]# cd certs/
[root@harbor ~]# openssl genrsa -out ca/ca.key 4096
[root@harbor ~]# tree 
.
├── ca
│   └── ca.key
├── docker-client
└── harbor-server

4.4 Create the CA certificate from the self-built CA private key (note the domain the certificate is issued for)
[root@harbor ~]# openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=amazon.com" \
 -key ca/ca.key \
 -out ca/ca.crt
[root@harbor ~]# tree 
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server

3 directories, 2 files
4.5 Inspect the self-signed CA certificate
[root@harbor ~]# openssl  x509 -in ca/ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:fb:57:45:7c:cc:15:d5:ce:04:a2:1d:80:0a:18:49:88:8d:cd:9a
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = CN, ST = Beijing, L = Beijing, O = example, OU = Personal, CN = oldboyedu.com
        Validity
            Not Before: Mar 25 02:33:25 2025 GMT
            Not After : Mar 23 02:33:25 2035 GMT
        Subject: C = CN, ST = Beijing, L = Beijing, O = example, OU = Personal, CN = oldboyedu.com
...
• 5. Configure the Harbor server certificate
5.1 Create the Harbor server private key
[root@harbor ~]# openssl genrsa -out harbor-server/harbor250.oldboyedu.com.key 4096
[root@harbor ~]#
[root@harbor ~]# tree 
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    └── www.vionletarchitect.top.key

5.2 Generate a certificate signing request (CSR) from the server private key, to be signed by the self-built CA
[root@harbor ~]# openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor250.oldboyedu.com" \
    -key harbor-server/www.vionletarchitect.top.key \
    -out harbor-server/www.vionletarchitect.top.csr
[root@harbor ~]# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── www.vionletarchitect.top.csr
    └── www.vionletarchitect.top.key
3 directories, 4 files

5.3 Generate the x509 v3 extension file used when signing
[root@harbor ~]#  cat > harbor-server/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=www.vionletarchitect.top
EOF
[root@harbor ~]# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── www.vionletarchitect.top.csr
    ├── www.vionletarchitect.top.key
    └── v3.ext

3 directories, 5 files

5.4 Sign the Harbor server certificate with the CA, applying the x509 v3 extension file
[root@harbor ~]# openssl x509 -req -sha512 -days 3650 \
    -extfile harbor-server/v3.ext \
    -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
    -in harbor-server/www.vionletarchitect.top.csr \
    -out harbor-server/www.vionletarchitect.top.crt
[root@harbor ~]# tree
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
└── harbor-server
    ├── www.vionletarchitect.top.crt
    ├── www.vionletarchitect.top.csr
    ├── www.vionletarchitect.top.key
    └── v3.ext

3 directories, 6 files

5.5 Edit the Harbor configuration file to use the self-signed certificate

[root@harbor ~]# cp ../harbor.yml{.tmpl,}
[root@harbor ~]#
[root@harbor ~]# vim ../harbor.yml
...
hostname: www.vionletarchitect.top
https:
  ...
  certificate: /usr/local/harbor/certs/harbor-server/www.vionletarchitect.top.crt
  private_key: /usr/local/harbor/certs/harbor-server/www.vionletarchitect.top.key
...
harbor_admin_password: 1
...
data_volume: /var/lib/harbor
... 
5.6 Install the Harbor service
[root@harbor ~]# /usr/local/harbor/install.sh 
[Step 0]: checking if docker is installed ...

Note: docker version: 20.10.24

[Step 1]: checking docker-compose is installed ...

Note: docker-compose version: 2.23.0

[Step 2]: loading Harbor images ...
...

[Step 5]: starting Harbor ...
[+] Building 0.0s (0/0)                                                                                                 docker:default
[+] Running 10/10
 ✔ Network harbor_harbor        Created                                                                                           0.0s 
 ✔ Container harbor-log         Started                                                                                           0.0s 
 ✔ Container harbor-db          Started                                                                                           0.0s 
 ✔ Container registryctl        Started                                                                                           0.1s 
 ✔ Container harbor-portal      Started                                                                                           0.1s 
 ✔ Container redis              Started                                                                                           0.1s 
 ✔ Container registry           Started                                                                                           0.1s 
 ✔ Container harbor-core        Started                                                                                           0.0s 
 ✔ Container nginx              Started                                                                                           0.0s 
 ✔ Container harbor-jobservice  Started                                                                                           0.0s 
✔ ----Harbor has been installed and started successfully.----
• 6. Access the Harbor web UI
6.1 Add the following entry to the Windows hosts file:
10.0.0.250 www.vionletarchitect.top

6.2 Access test:
https://www.vionletarchitect.top/harbor/projects/1/repositories

Hands-on: configuring the Docker client certificate

• 1. Generate the Docker client certificate files
[root@harbor certs]# cp ca/ca.crt harbor-server/www.vionletarchitect.top.key docker-client/
[root@harbor certs]# cp harbor-server/www.vionletarchitect.top.crt docker-client/www.vionletarchitect.top.cert
[root@harbor certs]# 
[root@harbor certs]# tree 
.
├── ca
│   ├── ca.crt
│   └── ca.key
├── docker-client
│   ├── ca.crt
│   ├── www.vionletarchitect.top.cert
│   └── www.vionletarchitect.top.key
└── harbor-server
    ├── www.vionletarchitect.top.crt
    ├── www.vionletarchitect.top.csr
    ├── www.vionletarchitect.top.key
    └── v3.ext

3 directories, 9 files
• 2. Create the certificate directory on the Docker client (the directory name must match the registry hostname exactly)
[root@elk91 ~]# mkdir -pv /etc/docker/certs.d/www.vionletarchitect.top/
mkdir: created directory '/etc/docker/certs.d'
mkdir: created directory '/etc/docker/certs.d/www.vionletarchitect.top/'
[root@elk91 ~]#
• 3. Copy the Docker client certificate files to the client
[root@elk91 ~]# ll /etc/docker/certs.d/www.vionletarchitect.top/
total 8
drwxr-xr-x 2 root root 4096 Mar 25 11:00 ./
drwxr-xr-x 3 root root 4096 Mar 25 11:00 ../
[root@elk91 ~]# 
[root@elk91 ~]# scp www.vionletarchitect.top:/usr/local/harbor/certs/docker-client/* /etc/docker/certs.d/www.vionletarchitect.top/
...
root@www.vionletarchitect.top's password: 
ca.crt                                                                                                         100% 2049     4.3MB/s   00:00    
www.vionletarchitect.top.cert                                                                                   100% 2155     1.6MB/s   00:00    
www.vionletarchitect.top.key                                                                                    100% 3268     7.6MB/s   00:00    
[root@elk91 ~]# 
[root@elk91 ~]# ll /etc/docker/certs.d/www.vionletarchitect.top/
total 20
drwxr-xr-x 2 root root 4096 Mar 25 11:01 ./
drwxr-xr-x 3 root root 4096 Mar 25 11:00 ../
-rw-r--r-- 1 root root 2049 Mar 25 11:01 ca.crt
-rw-r--r-- 1 root root 2155 Mar 25 11:01 www.vionletarchitect.top.cert
-rw------- 1 root root 3268 Mar 25 11:01 www.vionletarchitect.top.key
[root@elk91 ~]# 
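Before copying anything into /etc/docker/certs.d/, it is worth checking that the three files actually belong together. The script below is an added example (not from the original notes): it reproduces steps 4.3 to 5.4 non-interactively under a temp directory, stages the files in the certs.d layout from steps 1 to 3 above, and checks chain, SAN hostname and key/cert pairing. It assumes openssl is on PATH; the hostname and directory names are constructed to match the notes, and 2048-bit keys are used only for speed.

```shell
#!/bin/sh
# Added example (not from the original notes): reproduces steps 4.3-5.4 non-interactively
# (CA key/cert, server key, CSR, v3.ext with SAN, signed cert), stages the files in the
# layout /etc/docker/certs.d/<host>/ expects, then checks them before they are deployed.
# Assumes openssl on PATH; names are constructed to match the notes; 2048-bit keys for speed.
set -eu
HOST="www.vionletarchitect.top"
# make_certs DIR: build DIR/{ca,harbor-server,docker-client} as in the notes.
make_certs() {
  dir="$1"
  mkdir -p "$dir/ca" "$dir/harbor-server" "$dir/docker-client"
  openssl genrsa -out "$dir/ca/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/O=example/CN=example-ca" \
    -key "$dir/ca/ca.key" -out "$dir/ca/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/harbor-server/$HOST.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "/C=CN/O=example/CN=$HOST" \
    -key "$dir/harbor-server/$HOST.key" -out "$dir/harbor-server/$HOST.csr" 2>/dev/null
  # subjectAltName is what the Docker client (Go TLS) matches the hostname against;
  # a certificate whose CN matches but that carries no SAN is rejected.
  cat > "$dir/harbor-server/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/harbor-server/v3.ext" \
    -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
    -in "$dir/harbor-server/$HOST.csr" -out "$dir/harbor-server/$HOST.crt" 2>/dev/null
  # certs.d layout: ca.crt is the trust anchor used to verify the registry; the
  # <host>.cert/<host>.key pair is only consulted for client-certificate auth.
  cp "$dir/ca/ca.crt" "$dir/docker-client/ca.crt"
  cp "$dir/harbor-server/$HOST.crt" "$dir/docker-client/$HOST.cert"
  cp "$dir/harbor-server/$HOST.key" "$dir/docker-client/$HOST.key"
}
# cert_ok DIR NAME: does DIR/<host>.cert chain to DIR/ca.crt and match NAME via its SAN?
cert_ok() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/$HOST.cert" >/dev/null 2>&1
}
# key_matches DIR: does DIR/<host>.key belong to DIR/<host>.cert? (mismatch = handshake failure)
key_matches() {
  [ "$(openssl x509 -in "$1/$HOST.cert" -noout -pubkey)" = "$(openssl pkey -in "$1/$HOST.key" -pubout 2>/dev/null)" ]
}
WORK=$(mktemp -d)
make_certs "$WORK"
cert_ok "$WORK/docker-client" "$HOST" && key_matches "$WORK/docker-client" \
  && echo "OK: copy $WORK/docker-client/* to /etc/docker/certs.d/$HOST/"
```

Running the same checks against the files already on the client (`cert_ok /etc/docker/certs.d/$HOST $HOST`) tells you whether a later `docker login` TLS error is a trust-chain, hostname or key-mismatch problem.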
• 4. Client login test
[root@elk91 ~]# docker login -u admin -p 1 www.vionletarchitect.top
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@elk91 ~]# 
[root@elk91 ~]# cat /root/.docker/config.json
{
	"auths": {
		"10.0.0.91": {
			"auth": "bGludXg5NjpMaW51eDk2QDIwMjU="
		},
		"www.vionletarchitect.top": {
			"auth": "YWRtaW46MQ=="
		}
	}
}[root@elk91 ~]# 
[root@elk91 ~]# 
[root@elk91 ~]# echo YWRtaW46MQ== | base64 -d;echo
admin:1
[root@elk91 ~]# 

Hands-on: HTTPS with a certificate issued by a public CA

• 1. Download the certificate

Download your certificate bundle (zip) from Alibaba Cloud.

• 2. Extract the certificate
[root@elk93 ~]# unzip www.vionletarchitect.top_nginx.zip -d /usr/local/harbor/
• 3. Edit the Harbor configuration file
[root@elk93 ~]# cd /usr/local/harbor/
[root@elk93 harbor]# 
[root@elk93 harbor]# vim harbor.yml
...
hostname: www.vionletarchitect.top
...
https:
   ...
   certificate: /usr/local/harbor/www.vionletarchitect.top_nginx/www.vionletarchitect.top.crt
   private_key: /usr/local/harbor/www.vionletarchitect.top_nginx/www.vionletarchitect.top.key          
• 4. Reinstall
[root@elk93 harbor]# ./prepare 

...
[root@elk93 harbor]# 
[root@elk93 harbor]# ./install.sh 
...
[Step 5]: starting Harbor ...
[+] Building 0.0s (0/0)                                                                                                 docker:default
[+] Running 10/10
 ✔ Network harbor_harbor        Created                                                                                           0.1s 
 ✔ Container harbor-log         Started                                                                                           0.0s 
 ✔ Container harbor-portal      Started                                                                                           0.0s 
 ✔ Container registryctl        Started                                                                                           0.0s 
 ✔ Container redis              Started                                                                                           0.0s 
 ✔ Container harbor-db          Started                                                                                           0.0s 
 ✔ Container registry           Started                                                                                           0.0s 
 ✔ Container harbor-core        Started                                                                                           0.0s 
 ✔ Container nginx              Started                                                                                           0.0s 
 ✔ Container harbor-jobservice  Started                                                                                           0.0s 
✔ ----Harbor has been installed and started successfully.----
[root@elk93 harbor]# 
• 5. Access test from Windows
5.1 Add the hosts entry on Windows
10.0.0.93 www.vionletarchitect.top


5.2 Access test
https://harbor.yinzhengjie.com/harbor/projects