docker 镜像仓库Harbor https访问

Posted 2021-01-29

配置harbor的https

为什么要配置https?
因为后续你将镜像打包好放入到harbor仓库中，若是生产环境的镜像，会包含很多隐私的配置文件（db，redis等），需要用到https进行加密

参考文档：https://github.com/goharbor/harbor/blob/master/docs/configure_https.md

下载：https://github.com/goharbor/harbor/releases

下载：docker-compose
https://docs.docker.com/compose/install/#install-compose

配置如下
1、在harbor的目录中新建ssl目录，用来存放自签证书
[[email protected] harbor]# mkdir ssl

2、[[email protected] harbor]# cd ssl/
3、[[email protected] ssl]# openssl genrsa -out ca.key 4096
4、主要是这里的域名test.com 就是待会访问harbor的域名
[[email protected] ssl]# openssl req -x509 -new -nodes -sha512 -days 3650
-subj "/C=GZ/ST=Guangd/L=Taipei/O=example/OU=Personal/CN=test.com"
-key ca.key
-out ca.crt
5、[[email protected] ssl]# openssl genrsa -out test.com.key 4096
6、[[email protected] ssl]# openssl req -sha512 -new
-subj "/C=GZ/ST=Guangd/L=Taipei/O=example/OU=Personal/CN=test.com"
-key test.com.key
-out test.com.csr
7、[[email protected] ssl]# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=test.com
DNS.2=test
DNS.3=hostname
EOF

8、[[email protected] ssl]# openssl x509 -req -sha512 -days 3650
-extfile v3.ext
-CA ca.crt -CAkey ca.key -CAcreateserial
-in test.com.csr
-out test.com.crt

9、修改配置文件
[[email protected] harbor]# vi harbor.cfg
hostname = test.com #这个就是你访问的地址
ui_url_protocol = https
ssl_cert = ./ssl/test.com.crt
ssl_cert_key = ./ssl/test.com.key
harbor_admin_password = 123456

10、重载配置文件
[[email protected] harbor]# ./prepare

11、安装，这个过程需要等5分钟
[[email protected] harbor]# ./install.sh

12、结果正常

13、绑定hosts，访问

docker拉取镜像验证：
1、[[email protected] ~]# vi /etc/docker/daemon.json

{"registry-mirrors": ["http://f1361db2.m.daocloud.io"],"insecure-registries":["https://test.com","192.168.1.13"]}

2、绑定hosts

3、重启docker
[[email protected] ~]# systemctl restart docker

4、[[email protected] ~]# docker login https://test.com