k8s上部署harbor私有仓库
一、下载helm
## 添加仓库源
# helm repo add harbor https://helm.goharbor.io
## 查找
# helm search repo harbor
## 下载
# helm pull harbor/harbor



二、修改values.yaml
# egrep -v "^#|^$|^ *#" values.yaml
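# How Harbor is exposed. Indentation restored: the flat listing is not valid
# YAML (sibling keys such as annotations/labels repeat at the same level).
expose:
  type: ingress
  tls:
    enabled: true
    # auto: the chart generates its own CA and server certificate and stores
    # them in the <release>-ingress secret; step 4 below exports ca.crt from it.
    certSource: auto
    auto:
      commonName: ""
    secret:
      secretName: ""
  ingress:
    hosts:
      core: harbor.test.com
      # NOTE(review): notary was removed from Harbor in 2.6 — confirm this key
      # is still consumed by the chart version in use, otherwise drop it.
      notary: notary.test.com
    controller: default
    kubeVersionOverride: ""
    className: "nginx"
    annotations:
      # NOTE(review): a cert-manager issuer annotation together with
      # certSource: auto lets cert-manager rewrite the chart-generated TLS
      # secret; an ACME-issued secret carries no usable ca.crt, so the export in
      # step 4 would then break. Pick one certificate source.
      cert-manager.io/cluster-issuer: letsencrypt-dns01
      # Force HTTPS; proxy-body-size "0" lifts the body limit so large image
      # layers can be pushed through the ingress.
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
    labels: {}
  # clusterIP / nodePort / loadBalancer are not used while type is ingress;
  # they are kept so the file stays a complete values.yaml.
  clusterIP:
    name: harbor
    staticClusterIP: ""
    ports:
      httpPort: 80
      httpsPort: 443
    annotations: {}
    labels: {}
  nodePort:
    name: harbor
    ports:
      http:
        port: 80
        nodePort: 30002
      https:
        port: 443
        nodePort: 31234
    annotations: {}
    labels: {}
  loadBalancer:
    name: harbor
    IP: ""
    ports:
      httpPort: 80
      httpsPort: 443
    annotations: {}
    labels: {}
    # Empty list = no source restriction when a LoadBalancer is used.
    sourceRanges: []

# Must match the scheme and host clients use (the ingress core host above).
externalURL: https://harbor.test.com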
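# Storage for the stateful components. Indentation restored; every PVC uses the
# "nfs-li" StorageClass, which must exist in the cluster before install.
persistence:
  enabled: true
  # keep: PVCs survive `helm uninstall`, so data is not lost with the release.
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      storageClass: "nfs-li"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 150Gi
      annotations: {}
    jobservice:
      jobLog:
        existingClaim: ""
        storageClass: "nfs-li"
        subPath: ""
        accessMode: ReadWriteOnce
        size: 50Gi
        annotations: {}
    database:
      existingClaim: ""
      storageClass: "nfs-li"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 100Gi
      annotations: {}
    redis:
      existingClaim: ""
      storageClass: "nfs-li"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 50Gi
      annotations: {}
    trivy:
      existingClaim: ""
      storageClass: "nfs-li"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 50Gi
      annotations: {}
  # Backend for image/chart blobs. Only the `filesystem` section is active
  # while type is filesystem; the cloud sections below are placeholders.
  imageChartStorage:
    disableredirect: false
    type: filesystem
    filesystem:
      rootdirectory: /storage
    # If a cloud backend is enabled, supply credentials through existingSecret
    # rather than inline keys, so they do not end up in the committed values file.
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
      existingSecret: ""
    gcs:
      bucket: bucketname
      encodedkey: base64-encoded-json-key-file
      existingSecret: ""
      useWorkloadIdentity: false
    s3:
      region: us-west-1
      bucket: bucketname
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
      existingSecret: ""
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname
      existingSecret: ""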
# Key inside an existing Secret that holds the admin password (used when the
# chart is pointed at such a Secret instead of the inline value below).
existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
# Initial password of the built-in `admin` user. "Harbor12345" is the chart's
# well-known default and is also pasted into the containerd config in step 4:
# replace it before the first install, or supply it via a Secret so the value
# is not stored in this file.
harborAdminPassword: "Harbor12345"
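# TLS between Harbor's own components. Disabled here, so pod-to-pod traffic
# inside the namespace is plaintext; the per-component blocks only matter once
# enabled is true and certSource is not auto.
internalTLS:
  enabled: false
  strong_ssl_ciphers: false
  certSource: "auto"
  trustCa: ""
  core:
    secretName: ""
    crt: ""
    key: ""
  jobservice:
    secretName: ""
    crt: ""
    key: ""
  registry:
    secretName: ""
    crt: ""
    key: ""
  portal:
    secretName: ""
    crt: ""
    key: ""
  trivy:
    secretName: ""
    crt: ""
    key: ""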
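# Address families the Services listen on.
ipFamily:
  ipv6:
    enabled: true
  ipv4:
    enabled: true

imagePullPolicy: IfNotPresent
# Bare key = null: no pull secrets, fine while images come from a public registry.
imagePullSecrets:
updateStrategy:
  type: RollingUpdate
logLevel: info
caSecretName: ""
# Key used to encrypt stored credentials; the chart default below is public
# knowledge. Replace it with a random 16-character string, or reference a
# Secret through existingSecretSecretKey, before the first install — changing
# it later makes already-encrypted values unreadable.
secretKey: "not-a-secure-key"
existingSecretSecretKey: ""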
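# Outbound proxy for the listed components. Bare httpProxy/httpsProxy keys are
# null, i.e. no proxy is configured.
proxy:
  httpProxy:
  httpsProxy:
  noProxy: 127.0.0.1,localhost,.local,.internal
  components:
    - core
    - jobservice
    - trivy

enableMigrateHelmHook: false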
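# Prometheus metrics endpoints; disabled here, so the ports below are unused.
metrics:
  enabled: false
  core:
    path: /metrics
    port: 8001
  registry:
    path: /metrics
    port: 8001
  jobservice:
    path: /metrics
    port: 8001
  exporter:
    path: /metrics
    port: 8001
  serviceMonitor:
    enabled: false
    additionalLabels: {}
    interval: ""
    metricRelabelings: []
    relabelings: []

# Distributed tracing; disabled. The otel endpoint is plaintext (insecure: true)
# and would need TLS if ever pointed at a collector outside the cluster.
trace:
  enabled: false
  provider: jaeger
  sample_rate: 1
  jaeger:
    endpoint: http://hostname:14268/api/traces
  otel:
    endpoint: hostname:4318
    url_path: /v1/traces
    compression: false
    insecure: true
    timeout: 10

cache:
  enabled: false
  expireHours: 24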
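# Hardened container settings applied to the Harbor pods: no privilege
# escalation, default seccomp profile, non-root, all capabilities dropped.
containerSecurityContext:
  privileged: false
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL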
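# Front-end nginx; only deployed for non-ingress exposure types, so it is idle
# with type: ingress above.
nginx:
  image:
    repository: goharbor/nginx-photon
    tag: v2.11.0
  serviceAccountName: ""
  # No projected SA token in the pod — nothing here talks to the API server.
  automountServiceAccountToken: false
  replicas: 1
  revisionHistoryLimit: 10
  extraEnvVars: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
  topologySpreadConstraints: []
  podAnnotations: {}
  podLabels: {}
  priorityClassName: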
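# Web UI.
portal:
  image:
    repository: goharbor/harbor-portal
    tag: v2.11.0
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  revisionHistoryLimit: 10
  extraEnvVars: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
  topologySpreadConstraints: []
  podAnnotations: {}
  podLabels: {}
  serviceAnnotations: {}
  priorityClassName:
  initContainers: []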
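# Core API service. Indentation restored; the secret-related keys are left at
# their empty defaults, which makes the chart generate random values.
core:
  image:
    repository: goharbor/harbor-core
    tag: v2.11.0
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  revisionHistoryLimit: 10
  startupProbe:
    enabled: true
    initialDelaySeconds: 10
  extraEnvVars: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
  topologySpreadConstraints: []
  podAnnotations: {}
  podLabels: {}
  serviceAnnotations: {}
  priorityClassName:
  initContainers: []
  # null: no user-settings JSON is injected.
  configureUserSettings:
  quotaUpdateProvider: db  # or redis
  # Empty secret/xsrfKey: generated by the chart; to pin them, use the
  # existing*Secret keys instead of writing values into this file.
  secret: ""
  existingSecret: ""
  secretName: ""
  # Empty block scalars: no token-signing key pair is supplied, so the chart
  # generates one.
  tokenKey: |
  tokenCert: |
  xsrfKey: ""
  existingXsrfSecret: ""
  existingXsrfSecretKey: CSRF_KEY
  artifactPullAsyncFlushDuration:
  gdpr:
    deleteUser: false
    auditLogsCompliant: false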
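# Job service (replication, GC, scans, webhooks).
jobservice:
  image:
    repository: goharbor/harbor-jobservice
    tag: v2.11.0
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  revisionHistoryLimit: 10
  extraEnvVars: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # Written as an explicit empty list, like the other components (the source
  # listing had a bare null here; both mean "no constraints").
  topologySpreadConstraints: []
  podAnnotations: {}
  podLabels: {}
  priorityClassName:
  initContainers: []
  maxJobWorkers: 10
  # Job logs go to the jobLog PVC defined under persistence.
  jobLoggers:
    - file
  loggerSweeperDuration: 14  # days
  notification:
    webhook_job_max_retry: 3
    webhook_job_http_client_timeout: 3  # seconds
  reaper:
    max_update_hours: 24
    max_dangling_hours: 168
  # Empty: generated by the chart; pin via existingSecret if it must be stable.
  secret: ""
  existingSecret: ""
  existingSecretKey: JOBSERVICE_SECRET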
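# OCI registry and its controller sidecar.
registry:
  registry:
    image:
      repository: goharbor/registry-photon
      tag: v2.11.0
    extraEnvVars: []
  controller:
    image:
      repository: goharbor/harbor-registryctl
      tag: v2.11.0
    extraEnvVars: []
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  revisionHistoryLimit: 10
  nodeSelector: {}
  tolerations: []
  affinity: {}
  topologySpreadConstraints: []
  podAnnotations: {}
  podLabels: {}
  priorityClassName:
  initContainers: []
  secret: ""
  existingSecret: ""
  existingSecretKey: REGISTRY_HTTP_SECRET
  relativeurls: false
  # Basic-auth pair core uses to reach the registry. These are the chart's
  # public defaults: change them, or point existingSecret at a Secret holding
  # the htpasswd entry, so the credentials never live in this file.
  credentials:
    username: "harbor_registry_user"
    password: "harbor_registry_password"
    existingSecret: ""
    htpasswdString: ""
  # CDN middleware; inactive while enabled is false.
  middleware:
    enabled: false
    type: cloudFront
    cloudFront:
      baseurl: example.cloudfront.net
      keypairid: KEYPAIRID
      duration: 3000s
      ipfilteredby: none
      privateKeySecret: "my-secret"
  # Removes incomplete uploads older than `age`, checked every `interval`.
  upload_purging:
    enabled: true
    age: 168h
    interval: 24h
    dryrun: false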
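# Trivy vulnerability scanner adapter.
trivy:
  enabled: true
  image:
    repository: goharbor/trivy-adapter-photon
    tag: v2.11.0
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1
      memory: 1Gi
  extraEnvVars: []
  nodeSelector: {}
  tolerations: []
  affinity: {}
  topologySpreadConstraints: []
  podAnnotations: {}
  podLabels: {}
  priorityClassName:
  initContainers: []
  debugMode: false
  vulnType: "os,library"
  # All severities reported; ignoreUnfixed false keeps findings without a fix.
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  ignoreUnfixed: false
  # insecure false: TLS of the DB download endpoints is verified.
  insecure: false
  # Leave empty in a committed file; if a token is needed for DB downloads,
  # inject it through extraEnvVars from a Secret instead.
  gitHubToken: ""
  skipUpdate: false
  skipJavaDBUpdate: false
  # offlineScan false and skipUpdate false: the pod needs egress to fetch the
  # vulnerability DB (via the proxy settings above if configured).
  offlineScan: false
  securityCheck: "vuln"
  timeout: 5m0s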
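# PostgreSQL. type internal: the chart runs its own single-instance database;
# the `external` section is ignored in that mode.
database:
  type: internal
  internal:
    image:
      repository: goharbor/harbor-db
      tag: v2.11.0
    serviceAccountName: ""
    automountServiceAccountToken: false
    livenessProbe:
      timeoutSeconds: 1
    readinessProbe:
      timeoutSeconds: 1
    extraEnvVars: []
    nodeSelector: {}
    tolerations: []
    affinity: {}
    priorityClassName:
    # Key name kept as it appears in the chart ("extrInitContainers").
    extrInitContainers: []
    # Chart default; replace before install — it is the only protection on the
    # database Service inside the namespace.
    password: "changeit"
    shmSizeLimit: 512Mi
    initContainer:
      migrator: {}
      permissions: {}
  # Only used with type: external. Placeholder host/credentials; sslmode
  # "disable" sends the DB connection in plaintext — use "require" or stricter
  # for a real external database.
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    existingSecret: ""
    sslmode: "disable"
  maxIdleConns: 100
  maxOpenConns: 900
  podAnnotations: {}
  podLabels: {}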
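# Redis. type internal: chart-managed instance; `external` is ignored.
redis:
  type: internal
  internal:
    image:
      repository: goharbor/redis-photon
      tag: v2.11.0
    serviceAccountName: ""
    automountServiceAccountToken: false
    extraEnvVars: []
    nodeSelector: {}
    tolerations: []
    affinity: {}
    priorityClassName:
    initContainers: []
    # Logical DB indexes (quoted: they are consumed as strings).
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    trivyAdapterIndex: "5"
  # Only used with type: external. No username/password set here, so an
  # external Redis would be reached unauthenticated unless existingSecret is
  # filled in.
  external:
    addr: "192.168.0.2:6379"
    sentinelMasterSet: ""
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    trivyAdapterIndex: "5"
    username: ""
    password: ""
    existingSecret: ""
  podAnnotations: {}
  podLabels: {}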
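# Metrics exporter; only deployed when metrics.enabled is true.
exporter:
  image:
    repository: goharbor/harbor-exporter
    tag: v2.11.0
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  revisionHistoryLimit: 10
  extraEnvVars: []
  podAnnotations: {}
  podLabels: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  topologySpreadConstraints: []
  priorityClassName:
  cacheDuration: 23
  cacheCleanInterval: 14400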

三、检验
## 运行
# kubectl create ns harbor2
# helm upgrade --install harbor -n harbor2 . -f values.yaml


四、客户端证书配置
## master导出证书
# kubectl -n harbor2 get secrets harbor-ingress -o jsonpath="{.data.ca\.crt}" | base64 -d >ca.crt
## 在node端配置证书
# mkdir -p /etc/docker/certs.d/harbor.test.com/
# ls /etc/docker/certs.d/harbor.test.com/ -lh
total 4.0K
-rw-r--r-- 1 root root 1.2K Aug 17 13:30 ca.crt
## 从master上拷贝证书到node节点
# scp ca.crt root@node_ip:/etc/docker/certs.d/harbor.test.com/
注:无需重启docker
## containerd配置
root@ubuntu:~# mkdir -p /etc/containerd/certs.d/harbor.test.com/
root@ubuntu:~# ls /etc/containerd/certs.d/harbor.test.com/
ca.crt
## 修改sudo vi /etc/containerd/config.toml
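# containerd CRI registry settings for the Harbor host. Keys and values are
# unchanged; nested tables are indented only for readability.
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://gt7m705s.mirror.aliyuncs.com"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.test.com"]
    endpoint = ["https://harbor.test.com"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.test.com".tls]
    # Keep TLS verification on; trust is anchored on the exported chart CA.
    insecure_skip_verify = false
    # Location of the ca.crt copied in the previous step.
    ca_file = "/etc/containerd/certs.d/harbor.test.com/ca.crt"
  [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.test.com".auth]
    # Stored in plaintext in config.toml: keep the file readable by root only,
    # keep the password in sync with harborAdminPassword in values.yaml, and
    # prefer a pull-only robot account over the admin user for nodes.
    username = "admin"
    password = "Harbor12345"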
## 重启containerd
# sudo systemctl restart containerd
#containerd的配置截图

五、参考
https://blog.csdn.net/codelearning/article/details/140552556