centos7安装harbor带ssl

Posted hao-guo

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了centos7安装harbor带ssl相关的知识,希望对你有一定的参考价值。

1、安装依赖
yum install ebtables ethtool iproute iptables socat util-linux wget openssl-devel -y
2、安装 docker-compose

yum install epel-release -y
yum install python-pip -y
pip install --upgrade pip
curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

chmod a+x /usr/local/bin/docker-compose

docker-compose --version

修改hosts文件
笔者以下使用的域名hub.domain.com,并不是实际注册的域名,而是通过修改Hosts文件指向了这个Harbor服务器的地址,你可以修改为自己需要的域名。

[root@harbor ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.43 hub.domain.com
创建为Harbor使用Https的CA证书

创建证书存放目录

[root@harbor ~]# mkdir -p /data/cert
[root@harbor ~]# cd /data/cert/

获得证书授权

[root@harbor cert]# openssl genrsa -out ca.key 4096
[root@harbor cert]# openssl req -x509 -new -nodes -sha512 -days 3650     -subj "/C=CN/ST=Guangzhou/L=Guangzhou/O=example/CN=hub.domain.com"     -key ca.key     -out ca.crt

获得证书服务器

# 创建私钥
[root@harbor cert]# openssl genrsa -out hub.domain.com.key 4096
# 生成证书签名
[root@harbor cert]# openssl req -sha512 -new     -subj "/C=CN/ST=Guangzhou/L=Guangzhou/O=example/CN=hub.domain.com"     -key hub.domain.com.key     -out hub.domain.com.csr 
# 生成注册表主机的证书
[root@harbor cert]# cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names

[alt_names]
DNS.1=hub.domain.com
DNS.2=hub.domain
EOF
[root@harbor cert]# openssl x509 -req -sha512 -days 3650     -extfile v3.ext     -CA ca.crt -CAkey ca.key -CAcreateserial     -in hub.domain.com.csr     -out hub.domain.com.crt 
# 转换证书
[root@harbor cert]# openssl x509 -inform PEM -in hub.domain.com.crt -out hub.domain.com.cert



生成完之后的证书目录结构

[root@harbor cert]# tree .
.
├── ca.crt
├── ca.key
├── ca.srl
├── hub.domain.com.cert
├── hub.domain.com.crt
├── hub.domain.com.csr
├── hub.domain.com.key
└── v3.ext

0 directories, 8 files


安装及配置Harbor私有仓库
下载加解压离线安装版Harbor安装文件

[root@harbor cert]# cd ..
[root@harbor data]# wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-offline-installer-v1.7.1.tgz
[root@harbor data]# tar -xf harbor-offline-installer-v1.7.1.tgz
[root@harbor data]# ls
cert  harbor  harbor-offline-installer-v1.7.1.tgz


编辑harbor.cfg配置文件

[root@harbor data]# cd harbor.yml
Edit the file harbor.yml, update the hostname and uncomment the https block, and update the attributes certificate and private_key:
#set hostname
hostname: yourdomain.com

http:
  port: 80

https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/yourdomain.com.crt
  private_key: /data/cert/yourdomain.com.key


为Harbor生成配置文件

[root@harbor harbor]# ./prepare
1
为Docker配置服务器证书,密钥和CA

[root@harbor harbor]# mkdir -p /etc/docker/certs.d/hub.demian.com
[root@harbor harbor]# cp hub.domain.com.cert /etc/docker/certs.d/hub.domain.com/
[root@harbor harbor]# cp hub.domain.com.key /etc/docker/certs.d/hub.domain.com/
[root@harbor harbor]# cp ca.crt /etc/docker/certs.d/hub.domain.com/



Edit the file harbor.yml, update the hostname and uncomment the https block, and update the attributes certificate and private_key:
#set hostname
hostname: yourdomain.com

http:
  port: 80

https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/yourdomain.com.crt
  private_key: /data/cert/yourdomain.com.key

以上是关于centos7安装harbor带ssl的主要内容,如果未能解决你的问题,请参考以下文章

Centos7搭建Harbor私有仓库

centos7 离线安装自签名harbor

centos7下安装harbor

centos7 使用非标准端口 离线安装自签名harbor

centos7 安装harbor docker镜像库

centos7 搭建Harbor(简单快速版)