Harbor通过配置 HTTPS 协议,可以确保镜像传输的安全性,防止数据被窃取或篡改。本文将详细介绍如何基于 Harbor 配置 HTTPS 协议的私有镜像仓库。
1.生成自建ca证书
[root@docker01 ~]# mkdir -p /liux/softwares/harbor/certs/custom/{ca,server,client}
[root@docker01 ~]# cd /liux/softwares/harbor/certs/custom
#生成CA的私钥
[root@docker01 custom]# openssl genrsa -out ca/ca.key 4096
Generating RSA private key, 4096 bit long modulus
.........................................................++
e is 65537 (0x10001)
[root@docker01 custom]# ll ca/
total 4
-rw-r--r-- 1 root root 3243 May 19 09:27 ca.key
#生成ca的自签名证书 域名liux.com
[root@docker01 custom]# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=liux.com" \
-key ca/ca.key \
-out ca/ca.crt
[root@docker01 custom]# ll ca/
total 8
-rw-r--r-- 1 root root 2017 May 19 09:40 ca.crt
-rw-r--r-- 1 root root 3243 May 19 09:27 ca.key2.生成harbor主机证书
#1. 生成harbor主机私钥
[root@docker01 custom]# openssl genrsa -out server/harbor.liux.com.key 4096
Generating RSA private key, 4096 bit long modulus
.......................................................................................++
....++
e is 65537 (0x10001)
[root@docker01 custom]# ll server/
total 4
-rw-r--r-- 1 root root 3247 May 19 09:43 harbor.liux.com.key
#2. 生成harbor主机的证书申请
[root@docker01 custom]# openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.liux.com" \
-key server/harbor.liux.com.key \
-out server/harbor.liux.com.csr
[root@docker01 custom]# ll server/
total 8
-rw-r--r-- 1 root root 1708 May 19 09:45 harbor.liux.com.csr
-rw-r--r-- 1 root root 3247 May 19 09:43 harbor.liux.com.key
#3. 生成x509 v3扩展文件
[root@docker01 custom]# cat > server/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=liux.com
DNS.2=liux
DNS.3=harbor.liux.com
EOF
#4. 使用"v3.ext"给harbor主机签发证书
[root@docker01 custom]# openssl x509 -req -sha512 -days 3650 \
-extfile server/v3.ext \
-CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial \
-in server/harbor.liux.com.csr \
-out server/harbor.liux.com.crt
#5. 将crt文件转换为cert客户端证书文件
[root@docker01 custom]# openssl x509 -inform PEM -in server/harbor.liux.com.crt -out server/harbor.liux.com.cert
[root@docker01 custom]# ll server/
total 20
-rw-r--r-- 1 root root 2086 May 19 09:49 harbor.liux.com.cert
-rw-r--r-- 1 root root 2086 May 19 09:48 harbor.liux.com.crt
-rw-r--r-- 1 root root 1708 May 19 09:45 harbor.liux.com.csr
-rw-r--r-- 1 root root 3247 May 19 09:43 harbor.liux.com.key
-rw-r--r-- 1 root root 259 May 19 09:47 v3.ext注:docker程序认为"*.crt"文件是CA证书文件,"*.cert"客户端证书文件,于是上面第五步需要转换一下,其实使用cp一下也是可以的,内容并没有变化。
3.使用生成的证书在服务端配置https
#修改harbor的配置文件
[root@docker01 harbor]# vim /liux/softwares/harbor/harbor.yml
...
hostname: harbor.liux.com
...
https:
...
port: 443
certificate: /liux/softwares/harbor/certs/custom/server/harbor.liux.com.crt
private_key: /liux/softwares/harbor/certs/custom/server/harbor.liux.com.key
...
#重新安装harbor服务
[root@docker01 ]# cd /liux/softwares/harbor && ./install.sh
#或者prepare.sh搭配docker-compose down和docker-compose up -d
[root@docker01 ]# cd /liux/softwares/harbor && ./prepare.sh4.docker配置信任证书以及测试
[root@docker01 harbor]# cat /etc/docker/daemon.json
{
...
"data-root": "/liux/data/docker",
"insecure-registries": ["harbor.liux.com"]
}
[root@docker01 harbor]# systemctl restart docker
#启动harbor
[root@docker01 harbor]# docker-compose up -d
#登录验证
[root@docker01 harbor]# docker login https://harbor.liux.com -uadmin -pHarbor12345
...
Login Succeeded5.浏览器访问
通过浏览器访问需要配置hosts,路径C:\Windows\System32\drivers\etc/hosts
192.168.91.52 harbor.liux.com
https://harbor.liux.com/
6.客户端配置证书
将客户端证书拷贝到需要登录harbor服务器的节点上,然后配置docker信任,登录harbor
#推荐配置客户端、服务端、ca,便于后期维护,将证书拷贝到客户端文件夹
[root@docker01 custom]# cp ca/ca.crt server/harbor.liux.com.cert server/harbor.liux.com.key client/
[root@docker01 custom]# ll -R
.:
total 0
drwxr-xr-x 2 root root 48 May 19 10:04 ca
drwxr-xr-x 2 root root 75 May 19 10:43 client
drwxr-xr-x 2 root root 129 May 19 10:04 server
./ca:
total 12
-rw-r--r-- 1 root root 2017 May 19 10:04 ca.crt
-rw-r--r-- 1 root root 3243 May 19 10:04 ca.key
-rw-r--r-- 1 root root 17 May 19 10:04 ca.srl
./client:
total 12
-rw-r--r-- 1 root root 2017 May 19 10:43 ca.crt
-rw-r--r-- 1 root root 2086 May 19 10:43 harbor.liux.com.cert
-rw-r--r-- 1 root root 3243 May 19 10:43 harbor.liux.com.key
./server:
total 20
-rw-r--r-- 1 root root 2086 May 19 10:04 harbor.liux.com.cert
-rw-r--r-- 1 root root 2086 May 19 10:04 harbor.liux.com.crt
-rw-r--r-- 1 root root 1708 May 19 10:04 harbor.liux.com.csr
-rw-r--r-- 1 root root 3243 May 19 10:04 harbor.liux.com.key
-rw-r--r-- 1 root root 259 May 19 10:04 v3.ext
#将客户端证书拷贝到需要登录harbor的服务器
[root@docker02 ~]# mkdir -pv /etc/docker/certs.d/harbor.liux.com
mkdir: created directory ‘/etc/docker/certs.d’
mkdir: created directory ‘/etc/docker/certs.d/harbor.liux.com’
#拷贝证书文件
[root@docker01 custom]# scp client/* 192.168.91.51:/etc/docker/certs.d/harbor.liux.com/
#docker添加证书地址,自建证书不受信任需要添加
[root@docker02 custom]# cat /etc/docker/daemon.json
{
...
"insecure-registries": ["harbor.liux.com"]
}
#重启docker
[root@docker02 harbor]# systemctl restart docker
#重启harbor
[root@docker02 harbor]# docker-compose up -d
#登录harbor
[root@docker02 harbor]# docker login https://harbor.liux.com -uadmin -pHarbor12345
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded搞定 Harbor HTTPS 证书配置!下一期,我们将解锁 Harbor 高可用环境搭建,让你的镜像仓库稳如泰山!不见不散哦~