Learning k8s together, 28: installing Harbor with Helm on a binary-deployed k8s cluster
Installing Harbor with Helm on a binary-deployed k8s cluster
Environment preparation
## /etc/hosts
192.168.48.101 master01
192.168.48.102 master02
192.168.48.103 master03
192.168.48.201 node01
192.168.48.202 node02
192.168.48.54 nfs
## keepalived VIP
192.168.48.66
IP | Hostname | CPU | Memory |
---|---|---|---|
192.168.48.101 | master01 | 2 | 4G |
192.168.48.102 | master02 | 2 | 4G |
192.168.48.103 | master03 | 2 | 4G |
192.168.48.201 | node01 | 2 | 4G |
192.168.48.202 | node02 | 2 | 4G |
192.168.48.54 | nfs | 2 | 4G |
Software | Version |
---|---|
kubernetes | 1.15.2 |
docker-ce | 19.03 |
calico | 3.8 |
etcd | 3.3.13 |
CNI | 0.8.1 |
coredns | 1.4.0 |
metrics-server | 0.3.3 |
ingress-controller | 0.25.0 |
dashboard | 1.10.1 |
Weave Scope | 1.11.4 |
nfs | v4 |
helm | 2.14.3 |
harbor | 1.1.1 |
Installation
Add the repo
[root@master01 harbor-helm]# helm repo add harbor https://helm.goharbor.io
"harbor" has been added to your repositories
Prepare the values file
[root@master01 ~]# cd /root/
[root@master01 ~]# vim tk8s-values.yaml
## Ingress configuration
expose:
  type: ingress
  tls:
    enabled: true
  ingress:
    hosts:
      core: registry.tk8s.com
      notary: notary.tk8s.com
    annotations:
      kubernetes.io/ingress.class: "nginx"
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
## External access URL
externalURL: https://registry.tk8s.com
### Dynamically provision PVs
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      storageClass: "k8s-nfs-storage"
    chartmuseum:
      storageClass: "k8s-nfs-storage"
    jobservice:
      storageClass: "k8s-nfs-storage"
    database:
      storageClass: "k8s-nfs-storage"
    redis:
      storageClass: "k8s-nfs-storage"
Image download
goharbor/chartmuseum-photon:v0.8.1-v1.8.1
goharbor/clair-photon:v2.0.8-v1.8.1
goharbor/harbor-core:v1.8.1
goharbor/harbor-db:v1.8.1
goharbor/harbor-jobservice:v1.8.1
goharbor/notary-server-photon:v0.6.1-v1.8.1
goharbor/notary-signer-photon:v0.6.1-v1.8.1
goharbor/harbor-portal:v1.8.1
goharbor/redis-photon:v1.8.1
goharbor/registry-photon:v2.7.1-patch-2819-v1.8.1
goharbor/harbor-registryctl:v1.8.1
Download link
Link: https://pan.baidu.com/s/17yml04xNhWweG8KgXK3MIw Extraction code: u3qs
docker load -i goharbor1.8.1.tar.gz
Install Harbor
[root@master01 ~]# helm search harbor
NAME CHART VERSION APP VERSION DESCRIPTION
harbor/harbor 1.1.1 1.8.1 An open source trusted cloud native registry that stores,...
[root@master01 ~]# helm install harbor/harbor -n kube-harbor -f tk8s-values.yaml --namespace kube-harbor
[root@master01 ~]# kubectl get pods -n kube-harbor -o wide -w
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kube-harbor-harbor-chartmuseum-5479d98c8-v5dzj 1/1 Running 0 93s 10.244.196.182 node01 <none> <none>
kube-harbor-harbor-clair-576d7fd7cd-qvmlt 1/1 Running 3 93s 10.244.140.67 node02 <none> <none>
kube-harbor-harbor-core-779947d6bc-zsc2h 1/1 Running 0 93s 10.244.140.65 node02 <none> <none>
kube-harbor-harbor-database-0 1/1 Running 0 93s 10.244.140.66 node02 <none> <none>
kube-harbor-harbor-jobservice-56bd7c66df-7wnpk 1/1 Running 0 93s 10.244.196.181 node01 <none> <none>
kube-harbor-harbor-notary-server-75fff645d9-nwtlm 1/1 Running 1 93s 10.244.196.180 node01 <none> <none>
kube-harbor-harbor-notary-signer-5d6b4f455b-9b4cv 1/1 Running 1 93s 10.244.196.179 node01 <none> <none>
kube-harbor-harbor-portal-6bfd6f7db-4c7tb 1/1 Running 0 93s 10.244.140.127 node02 <none> <none>
kube-harbor-harbor-redis-0 1/1 Running 0 93s 10.244.140.69 node02 <none> <none>
kube-harbor-harbor-registry-64499c6678-tjh5v 2/2 Running 0 93s 10.244.196.183 node01 <none> <none>
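Access
Login
Enter username: admin, password: Harbor12345
We can see that there are many features. By default there is a project named library, which is publicly accessible by default. Inside the project you can also see Helm Chart package management; charts can be uploaded manually here, and the images in this project can be configured, for example whether to enable automatic image scanning.
Test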
vim /etc/hosts
....
192.168.48.101 master01 registry.tk8s.com
[root@node01 ~]# docker login registry.tk8s.com
Username: admin
Password:
Error response from daemon: Get https://registry.tk8s.com/v2/: x509: certificate signed by unknown authority
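This is because we have not provided the certificate file. Copy the ca.crt file in use into the /etc/docker/certs.d/registry.tk8s.com directory, creating the directory if it does not exist. The ca.crt certificate file can be obtained from the Secret resource object used by the Ingress: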
mkdir /etc/docker/certs.d/registry.tk8s.com -p
[root@master01 ~]# kubectl get secret kube-harbor-harbor-ingress -n kube-harbor -o yaml
apiVersion: v1
data:
  ca.crt: <ca.crt>
  tls.crt: <tls.crt>
  tls.key: <tls.key>
kind: Secret
metadata:
  creationTimestamp: 2019-02-22T14:39:28Z
  labels:
    app: harbor
    chart: harbor
    heritage: Tiller
    release: harbor
  name: harbor-harbor-ingress
  namespace: kube-ops
  resourceVersion: "50400208"
  selfLink: /api/v1/namespaces/kube-ops/secrets/harbor-harbor-ingress
  uid: a899c57a-36af-11e9-bcd8-525400db4df7
type: kubernetes.io/tls
# <ca.crt> is the base64 value of data.ca.crt from the Secret above; decode it so that ca.crt contains PEM
[root@master01 ~]# echo "<ca.crt>" | base64 -d > ca.crt
# AllNode is assumed to be a bash associative array (node name -> address) already defined in this shell
for NODE in "${!AllNode[@]}"; do
    echo "--- $NODE ${AllNode[$NODE]} ---"
    ssh "${AllNode[$NODE]}" 'mkdir -p /etc/docker/certs.d/registry.tk8s.com'
    scp /root/ca.crt "${AllNode[$NODE]}":/etc/docker/certs.d/registry.tk8s.com/
    scp /root/ca.crt "${AllNode[$NODE]}":/etc/pki/ca-trust/source/anchors/
    ssh "${AllNode[$NODE]}" 'update-ca-trust'
done
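Add "insecure-registries": ["registry.tk8s.com"]. With this entry Docker no longer requires a verifiable certificate from registry.tk8s.com: it ignores certificate errors for that host and can fall back to plain HTTP.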
vim /etc/docker/daemon.json
{
    "log-driver": "json-file",
    "exec-opts": ["native.cgroupdriver=cgroupfs"],
    "log-opts": {
        "max-size": "100m",
        "max-file": "3"
    },
    "insecure-registries": ["registry.tk8s.com"],
    "live-restore": true,
    "max-concurrent-downloads": 10,
    "max-concurrent-uploads": 10,
    "registry-mirrors": ["https://2lefsjdg.mirror.aliyuncs.com"],
    "storage-driver": "overlay2",
    "storage-opts": [
        "overlay2.override_kernel_check=true"
    ]
}
systemctl daemon-reload
systemctl restart docker
docker login registry.tk8s.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
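The two checks below are an added example, not part of the original post: `decode_ca_crt` decodes the Secret's ca.crt value and refuses to write anything that is not PEM, and `registry_is_insecure` reports whether daemon.json exempts the registry from certificate verification. The function names and sample data are constructed for illustration; on a live cluster the base64 value would come from `kubectl get secret kube-harbor-harbor-ingress -n kube-harbor -o jsonpath='{.data.ca\.crt}'`.

```bash
#!/usr/bin/env bash
# Added example, not from the original post; function names are hypothetical.

# decode_ca_crt B64 OUTFILE: decode a Secret's data["ca.crt"] value and write
# it only if the result is a PEM certificate. Saving the still-encoded string
# as ca.crt leaves Docker with a file it cannot parse.
decode_ca_crt() {
  local b64=$1 out=$2 tmp
  tmp=$(mktemp) || return 1
  if ! printf '%s' "$b64" | base64 -d > "$tmp" 2>/dev/null; then
    rm -f "$tmp"; echo "ca.crt: value is not valid base64" >&2; return 2
  fi
  if [ "$(head -n 1 "$tmp")" != "-----BEGIN CERTIFICATE-----" ] ||
     ! grep -q '^-----END CERTIFICATE-----$' "$tmp"; then
    rm -f "$tmp"; echo "ca.crt: decoded data is not a PEM certificate" >&2; return 3
  fi
  cat "$tmp" > "$out" && rm -f "$tmp"
}

# registry_is_insecure DAEMON_JSON HOST: exit 0 when HOST is listed under
# "insecure-registries", i.e. Docker does not insist on a verifiable cert.
registry_is_insecure() {
  tr -d ' \t\n' < "$1" |
    grep -o '"insecure-registries":\[[^]]*]' |
    grep -qF "\"$2\""
}

# Constructed sample data (placeholder certificate body, not a real CA).
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE-----'
SAMPLE_B64=$(printf '%s\n' "$SAMPLE_PEM" | base64 | tr -d '\n')

demo() {
  local dir; dir=$(mktemp -d)
  decode_ca_crt "$SAMPLE_B64" "$dir/ca.crt" && echo "ca.crt written as PEM"
  decode_ca_crt "$SAMPLE_PEM" "$dir/raw.crt" || echo "rejected undecodable value"
  printf '{"insecure-registries": ["registry.tk8s.com"]}\n' > "$dir/daemon.json"
  registry_is_insecure "$dir/daemon.json" registry.tk8s.com &&
    echo "registry.tk8s.com bypasses certificate verification"
  rm -rf "$dir"
}
demo
```

The PEM check covers framing only; it does not confirm that the certificate served by the Ingress chains to this CA.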
push
[root@node01 ~]# docker pull alpine:3.6
3.6: Pulling from library/alpine
5a3ea8efae5d: Pull complete
Digest: sha256:66790a2b79e1ea3e1dabac43990c54aca5d1ddf268d9a5a0285e4167c8b24475
Status: Downloaded newer image for alpine:3.6
docker.io/library/alpine:3.6
[root@node01 ~]# docker tag alpine:3.6 registry.tk8s.com/library/alpine:3.6
[root@node01 ~]# docker push registry.tk8s.com/library/alpine:3.6
The push refers to repository [registry.tk8s.com/library/alpine]
721384ec99e5: Pushed
3.6: digest: sha256:36c3a913e62f77a82582eb7ce30d255f805c3d1e11d58e1f805e14d33c2bc5a5 size: 528
pull
[root@node02 ~]# docker pull registry.tk8s.com/library/alpine:3.6
3.6: Pulling from library/alpine
5a3ea8efae5d: Pull complete
Digest: sha256:36c3a913e62f77a82582eb7ce30d255f805c3d1e11d58e1f805e14d33c2bc5a5
Status: Downloaded newer image for registry.tk8s.com/library/alpine:3.6
registry.tk8s.com/library/alpine:3.6
Using the image in a Pod
Create the secret
[root@master01 ~]# kubectl create secret docker-registry registry-secret --docker-server=registry.tk8s.com --docker-username=admin --docker-password=Harbor12345
secret/registry-secret created
Create the Pod
vim test-alpine.yaml
apiVersion: v1
kind: Pod
metadata:
  name: alpine
spec:
  containers:
  - name: alpine
    image: registry.tk8s.com/library/alpine:3.6
    command:
    - "/bin/sh"
    - "-c"
    - "while true;do date;sleep 1;done"
  imagePullSecrets:
  - name: registry-secret
[root@master01 ~]# kubectl apply -f test-alpine.yaml
pod/alpine created
[root@master01 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
alpine 1/1 Running 0 5s
[root@master01 ~]# kubectl logs -f alpine
Thu Aug 15 00:38:07 UTC 2019
Thu Aug 15 00:38:08 UTC 2019
Thu Aug 15 00:38:09 UTC 2019
Thu Aug 15 00:38:10 UTC 2019
Thu Aug 15 00:38:11 UTC 2019
Thu Aug 15 00:38:12 UTC 2019
Thu Aug 15 00:38:13 UTC 2019
Thu Aug 15 00:38:14 UTC 2019
Thu Aug 15 00:38:15 UTC 2019
Thu Aug 15 00:38:16 UTC 2019
Thu Aug 15 00:38:17 UTC 2019
Thu Aug 15 00:38:18 UTC 2019
Thu Aug 15 00:38:19 UTC 2019
Thu Aug 15 00:38:20 UTC 2019