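# Setting Up a Private Image Registry Server with Harbor (CentOS 7)
## 1. Install Harbor
### docker install
> There are plenty of tutorials online for installing Harbor on Docker, so it is not covered here.
### kubernetes install
>
## 2. Configure HTTPS for Harbor
### Obtain the CA certificate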
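```
# Generate the CA private key (the next command reads it as ca.key)
openssl genrsa -out ca.key 4096
# Create the self-signed CA certificate
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Shanxi/L=XIan/O=webber/OU=Personal/CN=webber.harbor.com" \
-key ca.key \
-out ca.crt
```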
### Obtain the server certificate
- **Create your own private key:**
```
openssl genrsa -out yourdomain.com.key 4096
```
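- **Generate the certificate signing request:**
```
# yourdomain.com is a placeholder for the registry hostname (webber.harbor.com in this example)
openssl req -sha512 -new \
-subj "/C=CN/ST=Shanxi/L=XIan/O=webber/OU=Personal/CN=webber.harbor.com" \
-key yourdomain.com.key \
-out yourdomain.com.csr
```
- **Generate the certificate for the registry host:**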
```
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=webber.harbor.com
DNS.2=webber.harbor
DNS.3=k8s.harbor
EOF
```
```
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in yourdomain.com.csr \
-out yourdomain.com.crt
```
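Before installing the certificate in Harbor, it is worth checking that it chains to `ca.crt`, that the registry hostname appears in the SAN list, and that it pairs with the private key. The script below is an added example, not part of the original page or the Harbor project; `check_cert`, `make_sample` and `demo` are hypothetical helper names, and the sample CA and certificate are throwaway files built in a temporary directory.

```shell
#!/bin/sh
# Added example: checks a registry certificate the way a TLS client will.
# check_cert CA_CRT SERVER_CRT SERVER_KEY HOSTNAME -> returns 0 only if all pass.
check_cert() {
    ca=$1 crt=$2 key=$3 host=$4
    # 1. Chain and hostname: must verify against the CA and match a SAN entry.
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" 2>/dev/null \
        | grep -q ': OK$' || { echo "FAIL: chain or SAN ($host)"; return 1; }
    # 2. Key pairing: public key in the certificate must equal the key's.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "FAIL: key does not match certificate"; return 1; }
    echo "OK: $host"
}

# Constructed sample input: throwaway CA and server certificate built with
# the page's commands (2048-bit keys here only to keep the demo fast).
make_sample() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=Demo CA" \
        -key "$dir/ca.key" -out "$dir/ca.crt"
    openssl genrsa -out "$dir/srv.key" 2048 2>/dev/null
    openssl req -sha512 -new -subj "/CN=webber.harbor.com" \
        -key "$dir/srv.key" -out "$dir/srv.csr"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:webber.harbor.com,DNS:k8s.harbor' > "$dir/v3.ext"
    openssl x509 -req -sha512 -days 1 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/srv.csr" -out "$dir/srv.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_sample "$d" || return 1
    check_cert "$d/ca.crt" "$d/srv.crt" "$d/srv.key" webber.harbor.com
    check_cert "$d/ca.crt" "$d/srv.crt" "$d/srv.key" yourdomain.com    # not in SAN
    check_cert "$d/ca.crt" "$d/srv.crt" "$d/ca.key" webber.harbor.com  # wrong key
    rm -rf "$d"
}
demo
```

For the real files, call `check_cert ca.crt yourdomain.com.crt yourdomain.com.key <registry hostname>`; a hostname missing from `[alt_names]` in `v3.ext` fails the first check.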
### Harbor server configuration
- Edit `harbor.cfg`: update the hostname and protocol, and set the `ssl_cert` and `ssl_cert_key` properties:
```
#set hostname
hostname = yourdomain.com:port
#set ui_url_protocol
ui_url_protocol = https
......
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/yourdomain.com.crt
ssl_cert_key = /data/cert/yourdomain.com.key
```
- Generate the configuration files for Harbor:
~~~
./prepare
~~~
- If Harbor is already running, stop and remove the existing instance, then start it again:
~~~
docker-compose down -v
docker-compose up -d
~~~
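## 3. Docker client configuration
### Copy the certificates from the server to the client
```
# Docker treats .crt files as CA certificates and .cert files as client certificates,
# so convert the server certificate to .cert before copying it
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
mkdir -p /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
```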
```
cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/yourdomain.com.crt
update-ca-trust
systemctl restart docker
```
## References
1. [Official documentation](https://github.com/goharbor/harbor/blob/master/docs/configure_https.md#Troubleshooting)