1. Generate the certificate authority (CA) certificate

Generate the CA private key

mkdir -p /root/harbor/ssl
cd /root/harbor/ssl
openssl genrsa -out ca.key 4096

Generate the CA certificate

# openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
 -key ca.key \
 -out ca.crt
Adjust the values in the -subj option to reflect your organization. If you connect to the Harbor host by FQDN, you must specify that FQDN as the Common Name (CN) attribute.
If you access Harbor by IP address, change yourdomain.com to the IP address.

# cat /etc/hosts 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.26.37.129 docker harbor.local
# openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Fujian/L=Fuzhou/O=Luorf/OU=Personal/CN=harbor.local" \
 -key ca.key \
 -out ca.crt
# ll
total 8
-rw-r--r-- 1 root root 2041 Mar 26 12:41 ca.crt
-rw------- 1 root root 3243 Mar 26 10:54 ca.key
2. Generate the server certificate

A certificate usually consists of a .crt file and a .key file.
Generate the private key

# openssl genrsa -out yourdomain.com.key 4096
# openssl genrsa -out harbor.local.key 4096
# ll
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key

Generate a certificate signing request (CSR)

# openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
    -key yourdomain.com.key \
    -out yourdomain.com.csr
Adjust the values in the -subj option to reflect your organization. If you connect to the Harbor host by FQDN, you must specify that FQDN as the Common Name (CN) attribute.
If you access Harbor by IP address, change yourdomain.com to the IP address.

# openssl req -sha512 -new \
    -subj "/C=CN/ST=Fujian/L=Fuzhou/O=Luorf/OU=Personal/CN=harbor.local" \
    -key harbor.local.key \
    -out harbor.local.csr
# ll
total 16
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw-r--r-- 1 root root 1700 Mar 26 14:36 harbor.local.csr
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key

Generate an x509 v3 extension file
Whether you connect to the Harbor host by FQDN or by IP address, you must create this file so that the certificate generated for the Harbor host satisfies the Subject Alternative Name (SAN) and x509 v3 extension requirements. Replace the DNS entries to reflect your domain.

# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.local
EOF

If accessing by IP address:
# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:172.26.37.129
EOF

Use the v3.ext file to generate the certificate for the Harbor host

# openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in yourdomain.com.csr \
    -out yourdomain.com.crt
If accessing by IP address, change harbor.od.com to the IP address:
# openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.local.csr \
    -out harbor.local.crt
# ll
total 28
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw-r--r-- 1 root root   41 Mar 26 14:37 ca.srl
-rw-r--r-- 1 root root 2065 Mar 26 14:37 harbor.local.crt
-rw-r--r-- 1 root root 1700 Mar 26 14:36 harbor.local.csr
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
-rw-r--r-- 1 root root  231 Mar 26 14:37 v3.ext
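The following added script is not part of the original post: it repeats the CA, CSR, v3.ext and signing steps above in a scratch directory (2048-bit keys only to keep it fast), then checks what the Docker client will later rely on at login, namely that the server certificate chains to ca.crt and that its SAN actually lists the hostname or IP. The function names make_test_pki and check_harbor_cert are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: redo the CA -> CSR -> signed server
# certificate flow in a scratch directory, then verify what Docker checks at login.
set -e

# make_test_pki DIR NAME : NAME is a DNS name (harbor.local) or an IP (172.26.37.129)
make_test_pki() {
  dir=$1; name=$2
  mkdir -p "$dir"
  # CA key and self-signed CA certificate (2048-bit here only to keep the example fast)
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Fujian/L=Fuzhou/O=Luorf/OU=Personal/CN=$name" \
    -key "$dir/ca.key" -out "$dir/ca.crt"
  # server private key and certificate signing request
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -sha512 -new -subj "/CN=$name" -key "$dir/$name.key" -out "$dir/$name.csr"
  # x509 v3 extension file: a hostname needs a DNS: SAN, an address needs an IP: SAN
  case $name in
    *[!0-9.]*) san="DNS:$name" ;;
    *)         san="IP:$name" ;;
  esac
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  # sign the CSR with the CA, applying the extensions from v3.ext
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

# check_harbor_cert CA CRT NAME : returns 0 only if CRT chains to CA and its SAN covers NAME
# (a CN-only certificate fails here, which is why the v3.ext step cannot be skipped)
check_harbor_cert() {
  ca=$1; crt=$2; name=$3
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  san=", $(openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' \
          | tail -n1 | sed 's/^ *//'), "
  case $san in
    *", DNS:$name, "*|*", IP Address:$name, "*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Run check_harbor_cert against the real ca.crt and harbor.local.crt from the steps above before copying anything into /etc/docker/certs.d; a non-zero exit means the Docker login in section 5 will fail with a certificate error.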
3. Provide the certificates to Harbor and Docker

After generating ca.crt, yourdomain.com.crt and yourdomain.com.key, you must provide them to Harbor and to Docker, and reconfigure both.
Copy the server certificate and key into the certificates folder on the Harbor host.

# cp harbor.local.crt /data/cert/
# cp harbor.local.key /data/cert/

Convert yourdomain.com.crt to yourdomain.com.cert for Docker to use.
The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.

# openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
# openssl x509 -inform PEM -in harbor.local.crt -out harbor.local.cert
# ll
total 32
-rw-r--r-- 1 root root 2037 Mar 26 14:35 ca.crt
-rw------- 1 root root 3243 Mar 26 14:33 ca.key
-rw-r--r-- 1 root root   41 Mar 26 14:37 ca.srl
-rw-r--r-- 1 root root 2065 Mar 26 14:38 harbor.local.cert
-rw-r--r-- 1 root root 2065 Mar 26 14:37 harbor.local.crt
-rw-r--r-- 1 root root 1700 Mar 26 14:36 harbor.local.csr
-rw------- 1 root root 3243 Mar 26 14:35 harbor.local.key
-rw-r--r-- 1 root root  231 Mar 26 14:37 v3.ext

Copy the server certificate, key and CA file into the Docker certificates folder on the Harbor host. You must create the appropriate folder first.

# cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
# cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
# cp ca.crt /etc/docker/certs.d/yourdomain.com/

# mkdir -p /etc/docker/certs.d/harbor.local/
# cp harbor.local.cert /etc/docker/certs.d/harbor.local/
# cp harbor.local.key /etc/docker/certs.d/harbor.local/
# cp ca.crt /etc/docker/certs.d/harbor.local/
# ll /etc/docker/certs.d/harbor.local/
total 12
-rw-r--r-- 1 root root 2037 Mar 26 14:40 ca.crt
-rw-r--r-- 1 root root 2065 Mar 26 14:39 harbor.local.cert
-rw------- 1 root root 3243 Mar 26 14:39 harbor.local.key
If you map the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port or /etc/docker/certs.d/harbor_IP:port instead. (omitted here)

Restart the Docker Engine

# systemctl restart docker

The following example illustrates the resulting layout when custom certificates are used.

/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate
# tree /etc/docker/certs.d/
/etc/docker/certs.d/
└── harbor.local
    ├── ca.crt
    ├── harbor.local.cert
    └── harbor.local.key
4. Reconfigure Harbor
# cd /root/harbor
# cp -p harbor.yml harbor.yml.bak20230326
# vi harbor.yml
Modify the following settings:
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.local

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbor.local.crt
  private_key: /data/cert/harbor.local.key

Run the Harbor deployment (omitted here; it had already been deployed successfully)
# ./install.sh

Reconfigure Harbor to support HTTPS

Run the prepare script to enable HTTPS.
# ./prepare
Stop Harbor and remove the existing instances (image data stays on the filesystem; no data is lost).
# docker-compose down -v
Restart Harbor
# docker-compose up -d
# docker ps |grep harbor
d4170f45b469   goharbor/harbor-jobservice:v2.3.2    "/harbor/entrypoint.…"   6 minutes ago   Up 6 minutes (healthy)                                                                                    harbor-jobservice
9de01fdc84da   goharbor/nginx-photon:v2.3.2         "nginx -g 'daemon of…"   6 minutes ago   Up 6 minutes (healthy)   0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp   nginx
839ad5e59519   goharbor/harbor-core:v2.3.2          "/harbor/entrypoint.…"   6 minutes ago   Up 6 minutes (healthy)                                                                                    harbor-core
97e39e780d6d   goharbor/harbor-portal:v2.3.2        "nginx -g 'daemon of…"   6 minutes ago   Up 6 minutes (healthy)                                                                                    harbor-portal
2e965c47ddb9   goharbor/registry-photon:v2.3.2      "/home/harbor/entryp…"   6 minutes ago   Up 6 minutes (healthy)                                                                                    registry
9d55cca88bf6   goharbor/harbor-db:v2.3.2            "/docker-entrypoint.…"   6 minutes ago   Up 6 minutes (healthy)                                                                                    harbor-db
f1871916ace3   goharbor/redis-photon:v2.3.2         "redis-server /etc/r…"   6 minutes ago   Up 6 minutes (healthy)                                                                                    redis
c0b9f1d592b1   goharbor/harbor-registryctl:v2.3.2   "/home/harbor/start.…"   6 minutes ago   Up 6 minutes (healthy)                                                                                    registryctl
69e47f6ed041   goharbor/harbor-log:v2.3.2           "/bin/sh -c /usr/loc…"   6 minutes ago   Up 6 minutes (healthy)   127.0.0.1:1514->10514/tcp
5. Verify the HTTPS connection
Add a hosts entry so that http://harbor.local can be reached directly.

Log in to Harbor from a Docker client
Obtain the CA certificate the Docker client needs in order to log in to Harbor

# mkdir /etc/docker/certs.d/harbor.local
# scp 172.26.37.129:/root/harbor/ssl/ca.crt /etc/docker/certs.d/harbor.local/

Log in to Harbor

Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
