参考资料: https://mp.weixin.qq.com/s/TPt9Akf2OhK0y4stwa267g
本次部署k8s环境:
k8s版本:v1.23.1
helm版本:v3.9.4

1.安装helm

github地址: https://github.com/helm/helm/releases
wget https://get.helm.sh/helm-v3.9.4-linux-amd64.tar.gz
tar -xf helm-v3.9.4-linux-amd64.tar.gz
cd linux-amd64
mv helm /usr/bin/

# 查看版本
helm version
version.BuildInfo{Version:"v3.9.4", GitCommit:"dbc6d8e20fe1d58d50e6ed30f09a04a77e4c68db", GitTreeState:"clean", GoVersion:"go1.17.13"}

# 先添加常用的chart源
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add stable http://mirror.azure.cn/kubernetes/charts/

2.部署前准备

2.1添加持久化存储(NFS)

ubuntu下安装nfs

# 服务端192.168.0.167
apt-get install nfs-kernel-server

# 客户端启动rpcbind即可
systemctl start rpcbind.service

编辑/etc/exports

/data2/k8s-share 192.168.0.0/22(rw,sync,no_root_squash,no_all_squash)
/data2/k8s-share 192.168.200.0/22(rw,sync,no_root_squash,no_all_squash)

# 修改后服务端重启nfs服务
systemctl restart nfs-kernel-server
systemctl enable nfs-kernel-server

# 客户端重启rpcbind
systemctl restart rpcbinding

# 客户端检查是否能正常挂载
showmount -e 192.168.0.167
# 正常输出
Export list for 192.168.0.167:
/data2/k8s-share 192.168.0.223,192.168.0.224

2.2新建StorageClass

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: manage-167nfs
# 自定义provisioner名字
provisioner: nfswcwj.pri/ifs

新增SA和ClusterRole

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client167
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nfs-client167-runner
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: run-nfs-client167
subjects:
  - kind: ServiceAccount
    name: nfs-client167
    namespace: default
roleRef:
  kind: ClusterRole
  name: nfs-client167-runner
  apiGroup: rbac.authorization.k8s.io

添加provisioner

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nfs-client-167
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nfs-client-167
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: nfs-client-167
    spec:
      imagePullSecrets:
        - name: registry-pull-secret
      serviceAccount: nfs-client-provisioner
      containers:
        - name: nfs-client-provisioner
          image: easzlab/nfs-subdir-external-provisioner:v4.0.2
          volumeMounts:
            - name: nfs-client167-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: nfswcwj.pri/ifs
            - name: NFS_SERVER
              value: 192.168.0.167
            - name: NFS_PATH
              value: /data2/k8s-share
      volumes:
        - name: nfs-client167-root
          nfs:
            server: 192.168.0.167
            path: /data2/k8s-share

添加harbor的repo

 helm repo add harbor https://helm.goharbor.io

下载harbor安装包

# 获取对应chart
helm pull harbor/harbor
# 解压
tar xf harbor-1.11.0.tgz
cd harbor

3.开始部署

3.1生成tls证书

# 获得ca
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt

# 生成证书签名请求
openssl req -newkey rsa:4096 -nodes -sha256 -keyout tls.key -out tls.csr

# 生成证书
openssl x509 -req -days 3650 -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt
# 生成secret资源
kubectl -n harbor create secret tls qrharbor.local --key tls.key --cert tls.crt 

3.2解压harbor的chart后进入目录新增override.yaml

expose:  #web浏览器访问用的证书
  type: ingress
  tls:
    #enabled: true
    #certSource: "secret"
    secret:
      secretName: "qrharbor.local"
    #  notarySecretName: "qrharbor.local"
  ingress:
    hosts:
      core: qrharbor.local
      notary: notary-qrharbor.local
    #controller: default
    annotations:
      #ingress.kubernetes.io/ssl-redirect: "true"
      #ingress.kubernetes.io/proxy-body-size: "0"
      #### 如果是 traefik ingress,则按下面配置:
#      kubernetes.io/ingress.class: "traefik"
#      traefik.ingress.kubernetes.io/router.tls: 'true'
#      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      #### 如果是 nginx ingress,则按下面配置:
      #nginx.ingress.kubernetes.io/ssl-redirect: "true"
      #nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.org/client-max-body-size: "1024m"
externalURL: https://qrharbor.local
#internalTLS:  #harbor内部组件用的证书
#  enabled: true
#  certSource: "auto"
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:  # 存镜像的
      storageClass: "manage-167nfs"
      accessMode: ReadWriteOnce
      size: 20Gi
    chartmuseum: #存helm的chart
      storageClass: "manage-167nfs"
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice: # jobservice
      jobLog:
        storageClass: "manage-167nfs"
        accessMode: ReadWriteOnce
        size: 2Gi
      scanDataExports:
        storageClass: "manage-167nfs"
        accessMode: ReadWriteOnce
        size: 2Gi
    database: #数据库  pgsql
      storageClass: "manage-167nfs"
      accessMode: ReadWriteOnce
      size: 1Gi
    redis: # redis
      storageClass: "manage-167nfs"
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy: # 漏洞扫描
      storageClass: "manage-167nfs"
      accessMode: ReadWriteOnce
      size: 5Gi

3.3启动harbor

# 安装部署
helm install harbor ./ -f values.yaml -f override.yaml -n harbor

测试访问

默认登录用户:admin 密码:Harbor12345

完成!

3.4生成secret方便部署时推送和拉取镜像

# 在命名空间beta下创建harbor的secret
kubectl -n beta create secret docker-registry harborlogin  \
--docker-server=qrharbor.local \
--docker-username=admin \
--docker-password=Harbor123456 \

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐