Harbor 添加ssl证书


前言

docker 从docker 仓库中推送或获取镜像都是默认走https协议的。需要配置ssl证书,否则将无法方面,为了解决这以问题,我们有2个方案:

修改docker配置文件,关闭证书 “insecure-registries”。关闭证书校验
配置ssl证书,配置harbor走https协议

对比:

  1. 关闭证书校验,也就是不加密,不走https协议。带来的问题就是不安全,能都收到数据篡改和数据劫持等风险。且修改insecure-registries参数是需要重启docker服务的,是会终断容器业务的,并且每次修改仓库ip,或新增仓库,或修改网段都需要重启docker
  2. 配置ssl证书,也是实现数据加密保障数据安全。官方建议采用https方式运行,下面我们介绍如何配置harbor添加ssl证书。

一、证书分类

  • 自签名证书
  • 公网证书

自签名证书就是通过自建CA的方面,创建签名证书,具有加密的功能,一般仅供内部使用。公网证书是受信任的证书提供商签名的证书,由于我们所有的系统、浏览器内置的受信任的根证书颁发机构中都默认有了公网证书提供商的CA证书,公网证书可以直接使用。内网证书需要导入自签名的CA跟证书才能使用。
简单来说,公网证书相对方便,一般基于域名进行签名。私有证书供内部使用,一般需要导入自签名CA证书,或提前预制导入CA证书,私有证书的优势在于自签名,无需通过第三方证书供应商。
为了方便起见,我们采用公网免费ca证书。使用域名的形式配置证书,这样就可以实现一次配置多处使用。

二、公网ssl证书申请

公网ssl证书提供商有很多,如赛门铁克、geotrust 、沃通 等等。免费的单二级域名ssl证书也有很多,如geotrust、Let’s Encrypt、Free ssl等。三方平台一般都会提供各个厂商的ssl证书申请。下面我们就用阿里云的SSL证书服务来申请免费的证书。、

在阿里云的证书服务中找到购买证书,选择免费证书。

点击申请,输入域名 地址 ,联系人等。按照提示进行dns配置,域名验证

找到已颁发证书,点击下载证书

三、配置Harbor Docker仓库ssl

3.1 修改Harbor 配置文件

[root@local harbor]# ls
common  docker-compose.yml  harbor.yml  install.sh  LICENSE  prepare

# 修改Harbor相关https的配置,指定ssl证书的路径(在阿里云下载ssl证书的公钥私钥,上传到改目录)。
[root@local harbor]# vim harbor.yml 

https:
#   # https port for harbor, default is 443
  port: 443
#   # The path of cert and key files for nginx
  certificate: /etc/ssl/reg.local.cn/reg.local.cn.pem
  private_key: /etc/ssl/reg.local.cn/reg.local.cn.key


3.2 修改harbor后需要预编译下harbor

[root@local harbor]# ls
common  docker-compose.yml  harbor.yml  install.sh  LICENSE  prepare
[root@local harbor]# ./prepare 
prepare base dir is set to /usr/local/src/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

3.3 重新加载harbor配置文件

[root@local harbor]# docker-compose down 
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-portal     ... done
Stopping harbor-core       ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-portal     ... done
Removing harbor-core       ... done
Removing registryctl       ... done
Removing registry          ... done
Removing harbor-db         ... done
Removing redis             ... done
Removing harbor-log        ... done
Removing network harbor_harbor
[root@local harbor]# 
Message from syslogd@local at Sep  8 15:14:53 ...
 kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1

[root@local harbor]# docker-compose top
[root@local harbor]# 
[root@local harbor]# docker-compose ps
Name   Command   State   Ports
------------------------------



[root@local harbor]# docker-compose up -d
Starting harbor-log ... done
Starting redis ... 
Starting registry ... 
Starting harbor-db ... 
Starting registry ... done
Starting harbor-core ... done
Starting harbor-jobservice ... 
Starting harbor-portal ... done
Starting nginx ... done
[root@local harbor]# docker-compose ps
      Name                     Command               State                    Ports                  
-----------------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up                                              
harbor-db           /entrypoint.sh postgres          Up      5432/tcp                                
harbor-jobservice   /harbor/start.sh                 Up                                              
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp               
harbor-portal       nginx -g daemon off;             Up      80/tcp                                  
nginx               nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
redis               docker-entrypoint.sh redis ...   Up      6379/tcp                                
registry            /entrypoint.sh /etc/regist ...   Up      5000/tcp                                
registryctl         /harbor/start.sh                 Up 
[root@local harbor]# docker-compose down
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-portal     ... done
Stopping harbor-core       ... done
Stopping registryctl       ... done
Stopping registry          ... done
Stopping redis             ... done
Stopping harbor-db         ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-portal     ... done
Removing harbor-core       ... done
Removing registryctl       ... done
Removing registry          ... done
Removing redis             ... done
Removing harbor-db         ... done
Removing harbor-log        ... done
Removing network harbor_harbor
[root@local harbor]# 
Message from syslogd@local at Sep  8 15:41:46 ...
 kernel:unregister_netdevice: waiting for lo to become free. Usage count = 1

[root@local harbor]# ls
common  docker-compose.yml  harbor.yml  install.sh  LICENSE  prepare
[root@local harbor]# ./install.sh 

[Step 0]: checking installation environment ...

Note: docker version: 19.03.1

Note: docker-compose version: 1.18.0


[Step 1]: preparing environment ...
prepare base dir is set to /usr/local/src/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/cert/server.key
Clearing the configuration file: /config/cert/server.crt
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Creating harbor-log ... done
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

Creating registry ... done
Creating harbor-core ... done
[Step 2]: starting Harbor ...
Creating harbor-portal ... done
Creating nginx ... done
Creating registry ... 
Creating harbor-db ... 
Creating registryctl ... 
Creating redis ... 
Creating harbor-core ... 
Creating harbor-jobservice ... 
Creating harbor-portal ... 
Creating nginx ... 

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://10.40.11.193. 
For more details, please visit https://github.com/goharbor/harbor .

[root@local harbor]# docker-compose ps
      Name                     Command               State                    Ports                  
-----------------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up                                              
harbor-db           /entrypoint.sh postgres          Up      5432/tcp                                
harbor-jobservice   /harbor/start.sh                 Up                                              
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp               
harbor-portal       nginx -g daemon off;             Up      80/tcp                                  
nginx               nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
redis               docker-entrypoint.sh redis ...   Up      6379/tcp                                
registry            /entrypoint.sh /etc/regist ...   Up      5000/tcp                                
registryctl         /harbor/start.sh                 Up                                              
[root@local harbor]# docker-compose ps
^[[A      Name                     Command               State                    Ports                  
-----------------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up                                              
harbor-db           /entrypoint.sh postgres          Up      5432/tcp                                
harbor-jobservice   /harbor/start.sh                 Up                                              
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp               
harbor-portal       nginx -g daemon off;             Up      80/tcp                                  
nginx               nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
redis               docker-entrypoint.sh redis ...   Up      6379/tcp                                
registry            /entrypoint.sh /etc/regist ...   Up      5000/tcp                                
registryctl         /harbor/start.sh                 Up

四、测试harbor 仓库访问

4.1 web界面测试

4.2 docker命令行测试

[root@hw-paymenttest03-11-203 ~]# docker login 10.40.11.193
Username: admin
Password: 
Error response from daemon: Get https://10.40.11.193/v2/: x509: cannot validate certificate for 10.40.11.193 because it doesn't contain any IP SANs
[root@hw-paymenttest03-11-203 ~]# vim /etc/hosts
[root@hw-paymenttest03-11-203 ~]# ping reg.local.cn
PING reg.local.cn (10.40.11.193) 56(84) bytes of data.
64 bytes from reg.local.cn (10.40.11.193): icmp_seq=1 ttl=64 time=0.233 ms
64 bytes from reg.local.cn (10.40.11.193): icmp_seq=2 ttl=64 time=0.207 ms
^C
--- reg.local.cn ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.207/0.220/0.233/0.013 ms
[root@hw-paymenttest03-11-203 ~]# docker login reg.local.cn
Username: admin
Password: 

Logo

权威|前沿|技术|干货|国内首个API全生命周期开发者社区

更多推荐