By default, Harbor does not ship with certificates. It can be deployed without any transport security, so that you connect to it over plain HTTP. In production, always use HTTPS. If you enable Content Trust with Notary so that all images are properly signed, HTTPS is mandatory.
To configure HTTPS you must create SSL certificates. You can use certificates signed by a trusted third-party CA, or self-signed certificates.
The hostname of the Harbor registry used throughout this guide is harbor.smtx.top.
Generate a Certificate Authority Certificate
Generate the CA certificate private key.
openssl genrsa -out ca.key 4096
root@harbor:~# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................++++
..................................................................................++++
e is 65537 (0x010001)
Generate the CA certificate.
Adjust the values in the -subj option to reflect your organization. If you use an FQDN to connect to your Harbor host, you must specify it as the common name (CN) attribute.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Shanghai/L=Shanghai/O=SmartX/OU=Lab/CN=harbor.smtx.top" \
  -key ca.key \
  -out ca.crt
root@harbor:~# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=Shanghai/L=Shanghai/O=SmartX/OU=Lab/CN=harbor.smtx.top" \
> -key ca.key \
> -out ca.crt
CN=commonName        Common Name
OU=organizationUnit  Organizational Unit
O=organizationName   Organization Name
L=localityName       Locality (city)
ST=stateName         State or Province
C=country            Country
Generate a Server Certificate
The certificate usually consists of a .crt file and a .key file, for example harbor.smtx.top.crt and harbor.smtx.top.key.
Generate the private key.
openssl genrsa -out harbor.smtx.top.key 4096
root@harbor:~# openssl genrsa -out harbor.smtx.top.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
............................................................................++++
.....................................................................................................................................................................................++++
e is 65537 (0x010001)
Generate a certificate signing request (CSR).
Adjust the values in the -subj option to reflect your organization. If you use an FQDN to connect to your Harbor host, you must specify it as the common name (CN) attribute and use it in the key and CSR file names.
openssl req -sha512 -new \
  -subj "/C=CN/ST=Shanghai/L=Shanghai/O=SmartX/OU=Lab/CN=harbor.smtx.top" \
  -key harbor.smtx.top.key \
  -out harbor.smtx.top.csr
root@harbor:~# openssl req -sha512 -new \
> -subj "/C=CN/ST=Shanghai/L=Shanghai/O=SmartX/OU=Lab/CN=harbor.smtx.top" \
> -key harbor.smtx.top.key \
> -out harbor.smtx.top.csr
Generate an x509 v3 extension file.
Regardless of whether you use an FQDN or an IP address to connect to your Harbor host, you must create this file so that the certificate generated for your Harbor host complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements.
Replace the DNS entries to reflect the domain you use.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.smtx.top
DNS.2=smtx.top
DNS.3=harbor
EOF
Use the v3.ext file to generate the certificate for your Harbor host.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in harbor.smtx.top.csr \
  -out harbor.smtx.top.crt
root@harbor:~# openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.smtx.top.csr -out harbor.smtx.top.crt
Signature ok
subject=C = CN, ST = Shanghai, L = Shanghai, O = SmartX, OU = Lab, CN = harbor.smtx.top
Getting CA Private Key
Provide the Certificates to Harbor and Docker
After generating the ca.crt, harbor.smtx.top.crt and harbor.smtx.top.key files, you must provide them to Harbor and to Docker, and reconfigure Harbor to use them.
Copy the server certificate and key into the certificates folder on the Harbor host.
cp harbor.smtx.top.crt /data/cert/
cp harbor.smtx.top.key /data/cert/
Convert harbor.smtx.top.crt to harbor.smtx.top.cert for use by Docker. The Docker daemon interprets .crt files as CA certificates and .cert files as client certificates.
openssl x509 -inform PEM -in harbor.smtx.top.crt -out harbor.smtx.top.cert
Copy the server certificate, key and CA file into the Docker certificates folder on the Harbor host. You must create the appropriate folder first.
cp harbor.smtx.top.cert /etc/docker/certs.d/harbor.smtx.top/
cp harbor.smtx.top.key /etc/docker/certs.d/harbor.smtx.top/
cp ca.crt /etc/docker/certs.d/harbor.smtx.top/
If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/harbor.smtx.top:port or /etc/docker/certs.d/harbor_IP:port instead.
Restart the Docker engine.
systemctl restart docker
Configure the Harbor YML File
System-level parameters for Harbor are set in the harbor.yml file contained in the installer package. These parameters take effect when you run the install.sh script to install or reconfigure Harbor.
After the initial deployment and after starting Harbor, further configuration is done in the Harbor web portal.
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor.smtx.top  # change this to your Harbor address

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /etc/docker/certs.d/harbor.smtx.top/harbor.smtx.top.cert
  private_key: /etc/docker/certs.d/harbor.smtx.top/harbor.smtx.top.key
......
Installation
root@harbor:/home/zyi/harbor# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.21
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.25.0
[Step 2]: loading Harbor images ...
Loaded image: goharbor/harbor-portal:v2.7.0
Loaded image: goharbor/harbor-registryctl:v2.7.0
Loaded image: goharbor/redis-photon:v2.7.0
Loaded image: goharbor/notary-server-photon:v2.7.0
Loaded image: goharbor/notary-signer-photon:v2.7.0
Loaded image: goharbor/prepare:v2.7.0
Loaded image: goharbor/nginx-photon:v2.7.0
Loaded image: goharbor/trivy-adapter-photon:v2.7.0
Loaded image: goharbor/harbor-core:v2.7.0
Loaded image: goharbor/harbor-log:v2.7.0
Loaded image: goharbor/harbor-jobservice:v2.7.0
Loaded image: goharbor/harbor-exporter:v2.7.0
Loaded image: goharbor/registry-photon:v2.7.0
Loaded image: goharbor/harbor-db:v2.7.0
Loaded image: goharbor/chartmuseum-photon:v2.7.0
[Step 3]: preparing environment ...
[Step 4]: preparing harbor configs ...
prepare base dir is set to /home/zyi/harbor
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Note: stopping existing Harbor instance ...
Removing network harbor_harbor
WARNING: Network harbor_harbor not found.
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating redis ... done
Creating harbor-portal ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating registry ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
✔ ----Harbor has been installed and started successfully.----
Docker Client Login
- Edit the configuration file
#[root@fio-00 ~]# vim /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket containerd.service
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --insecure-registry harbor.smtx.top
......
- Copy the files under /etc/docker/certs.d/harbor.smtx.top/ on the server to the corresponding directory on the client
- Restart docker
[root@fio-00 ~]# systemctl restart docker
[root@fio-00 ~]# systemctl daemon-reload
- Log in to Harbor and pull an image
[root@fio-00 ~]# docker login harbor.smtx.top
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@fio-00 ~]# docker pull harbor.smtx.top/library/nginx@sha256:544ba2bfe312bf2b13278495347bb9381ec342e630bcc8929af124f1291784bb
harbor.smtx.top/library/nginx@sha256:544ba2bfe312bf2b13278495347bb9381ec342e630bcc8929af124f1291784bb: Pulling from library/nginx
59bf1c3509f3: Pull complete
f3322597df46: Pull complete
d09cf91cabdc: Pull complete
3a97535ac2ef: Pull complete
919ade35f869: Pull complete
40e5d2fe5bcd: Pull complete
Digest: sha256:544ba2bfe312bf2b13278495347bb9381ec342e630bcc8929af124f1291784bb
Status: Downloaded newer image for harbor.smtx.top/library/nginx@sha256:544ba2bfe312bf2b13278495347bb9381ec342e630bcc8929af124f1291784bb
harbor.smtx.top/library/nginx@sha256:544ba2bfe312bf2b13278495347bb9381ec342e630bcc8929af124f1291784bb
Containerd Client Login
- Copy the files under /etc/docker/certs.d/harbor.smtx.top/ on the server to the corresponding directory on the client
Edit the containerd configuration file /etc/containerd/config.toml.
If the file does not exist, create it with: containerd config default > /etc/containerd/config.toml
Pay attention to indentation and to duplicate sections.
    [plugins."io.containerd.grpc.v1.cri".image_decryption]
      key_model = "node"

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = ""

      [plugins."io.containerd.grpc.v1.cri".registry.auths]

      # [plugins."io.containerd.grpc.v1.cri".registry.configs]

      [plugins."io.containerd.grpc.v1.cri".registry.headers]

      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.smtx.top"]  # starting here; my Harbor domain is harbor.smtx.top
          endpoint = ["https://harbor.smtx.top"]

      [plugins."io.containerd.grpc.v1.cri".registry.configs]
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.smtx.top".tls]
          insecure_skip_verify = true  # skip certificate verification
          ca_file = "/etc/containerd/certs.d/harbor.smtx.top/ca.crt"  # CA certificate
          cert_file = "/etc/containerd/certs.d/harbor.smtx.top/harbor.smtx.top.cert"  # Harbor certificate
          key_file = "/etc/containerd/certs.d/harbor.smtx.top/harbor.smtx.top.key"  # private key
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.smtx.top".auth]
          username = "admin"  # Harbor username
          password = "VMware1!"  # Harbor password
    # the configuration ends here
- Restart containerd
crictl pull
root@cp:~# crictl pull harbor.smtx.top/library/network-multitool:v1.1
Image is up to date for sha256:1631e536ed7dd2e8b80119f4f54c7958da9ffc159323ae5ecfb15c76ebdab10a
root@cp:~# ls
calico.yaml  kubeadm-init.yaml  kubeconfig.yaml  snap
root@cp:~# crictl images
IMAGE                                                       TAG       IMAGE ID        SIZE
docker.io/calico/cni                                        v3.24.5   628dd70880410   87.5MB
docker.io/calico/node                                       v3.24.5   54637cb36d4a1   81.6MB
harbor.smtx.top/library/network-multitool                   1.1       293c239dd8558   16.8MB
registry.cn-hangzhou.aliyuncs.com/tanzu/network-multitool   1.1       293c239dd8558   16.8MB
harbor.smtx.top/library/network-multitool                   v1.1      1631e536ed7dd   17.4MB