
Harbor image registry: certificate configuration for HTTPS access (configuring the Harbor HTTPS certificate for Docker)

Published: 2025/1/21

Generate the CA certificate

Create a directory, anywhere you like, to hold the generated certificates.

Create the key file:

```
root@eb7023:/data/certs>openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
............++
.........................++
e is 65537 (0x10001)
```

Generate the certificate

**harbor23.com** is the domain name of my Harbor registry, that is, the value of hostname in the Harbor configuration file; an IP address can be used instead.

```
root@eb7023:/data/certs>openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=harbor23.com" -key ca.key -out ca.crt
root@eb7023:/data/certs>ll
total 8
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
```

Generate the server certificate

Create the private key

```
root@eb7023:/data/certs>openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
........................................................................................................................................................++
.............................................................................++
e is 65537 (0x10001)
```

Generate the certificate signing request

```
root@eb7023:/data/certs>openssl req -new -sha512 -subj "/CN=harbor23.com" -key server.key -out server.csr
root@eb7023:/data/certs>ll
total 16
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
```

Generate the certificate for the Harbor registry host

First create a v3.ext file

```
root@eb7023:/data/certs>cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor23.com
EOF
root@eb7023:/data/certs>
root@eb7023:/data/certs>ll
total 20
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
-rw-r--r-- 1 root root 231 Sep 11 14:48 v3.ext
```

Generate the Harbor registry host's certificate

```
root@eb7023:/data/certs>openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/CN=harbor23.com
Getting CA Private Key
root@eb7023:/data/certs>ll
total 28
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 17 Sep 11 14:48 ca.srl
-rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
-rw-r--r-- 1 root root 231 Sep 11 14:48 v3.ext
```

At this point all the required certificate files have been generated; some configuration is needed next.
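The generated files can be checked before Harbor and Docker are pointed at them. The script below is an added example, not part of the original article: check_harbor_cert and make_demo_pki are hypothetical helper names, and the demo certificate (2048-bit keys, one-day validity, a CA named demo-ca) is constructed so the script runs on its own.

```shell
#!/bin/sh
# Added example, not from the original article. check_harbor_cert returns 0
# when CA_CRT, SERVER_CRT and SERVER_KEY are consistent for HOSTNAME.
check_harbor_cert() {
    ca=$1 crt=$2 key=$3 host=$4
    # 1. server.crt must chain to ca.crt.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca"; return 1; }
    # 2. The registry name must be a DNS subjectAltName entry (exact match);
    #    current Go-based clients such as Docker do not fall back to the CN.
    openssl x509 -in "$crt" -noout -text | tr ',' '\n' | sed 's/^ *//' |
        grep -Fx "DNS:$host" >/dev/null ||
        { echo "FAIL: DNS:$host is not in subjectAltName"; return 1; }
    # 3. server.key must hold the private half of the certificate's key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $crt"; return 1; }
    # 4. Warning only: private key readable by everyone (mode like -rw-r--r--).
    [ -z "$(find "$key" -perm -004)" ] || echo "WARN: $key is world-readable"
    echo "OK: $crt is usable for $host"
}

# Constructed demo input: throwaway CA and server certificate for HOST, built
# with the article's commands (2048-bit keys, 1-day validity and a CA named
# "demo-ca" are assumptions of this example).
make_demo_pki() {
    dir=$1 host=$2
    ( cd "$dir" && umask 077 &&
      openssl genrsa -out ca.key 2048 2>/dev/null &&
      openssl req -x509 -new -nodes -sha512 -days 1 -subj "/CN=demo-ca" \
          -key ca.key -out ca.crt &&
      openssl genrsa -out server.key 2048 2>/dev/null &&
      openssl req -new -sha512 -subj "/CN=$host" -key server.key -out server.csr &&
      printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
          'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
          "subjectAltName=DNS:$host" > v3.ext &&
      openssl x509 -req -sha512 -days 1 -extfile v3.ext -CA ca.crt -CAkey ca.key \
          -CAcreateserial -in server.csr -out server.crt 2>/dev/null )
}

# Demo on the constructed files; on the Harbor host run instead:
#   check_harbor_cert ca.crt server.crt server.key harbor23.com
demo=$(mktemp -d) && make_demo_pki "$demo" harbor23.com &&
    check_harbor_cert "$demo/ca.crt" "$demo/server.crt" "$demo/server.key" harbor23.com
rm -rf "$demo"
```

A failed check prints which of the three conditions was violated; the world-readable key warning does not change the exit status.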

Configure and install the certificates

Copy the server.crt and server.key files to the directory /data/cert

Because I have been working in this path all along, I skipped this step.

Next, edit Harbor's configuration file and change the following settings

```
root@eb7023:/data/certs>vim ~/harbor/harbor.yml
hostname: harbor23.com
https:
  port: 443
  certificate: /data/certs/server.crt
  private_key: /data/certs/server.key
```

Harbor can now be restarted; note that you need to cd into the directory where Harbor was unpacked.

```
# Load the configuration
root@eb7023:/root/harbor>./prepare
prepare base dir is set to /root/harbor
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
## Stop the currently running Harbor
root@eb7023:/root/harbor>docker-compose down -v
/usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  from cryptography.hazmat.backends import default_backend
Stopping harbor-jobservice ... done
Stopping harbor-portal ... done
Stopping registry ... done
Stopping registryctl ... done
Stopping redis ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Removing nginx ... done
Removing harbor-jobservice ... done
Removing harbor-core ... done
Removing harbor-portal ... done
Removing registry ... done
Removing registryctl ... done
Removing redis ... done
Removing harbor-db ... done
Removing harbor-log ... done
Removing network harbor_harbor
## Run Harbor in the background
root@eb7023:/root/harbor>docker-compose up -d
/usr/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  from cryptography.hazmat.backends import default_backend
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating registry ... done
Creating harbor-db ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating redis ... done
Creating harbor-core ... done
Creating harbor-jobservice ... done
Creating nginx ... done
```

Configure Harbor authentication for Docker

Copy the server certificate into the fixed directory on the machine where Docker runs

```
# certs.d already exists on my machine; if it does not, create it with mkdir
root@eb7023:/root/harbor>cd /etc/docker/certs.d/
root@eb7023:/etc/docker/certs.d>ll
total 0
root@eb7023:/etc/docker/certs.d>mkdir -p /etc/docker/certs.d/harbor23.com
root@eb7023:/etc/docker/certs.d>cd /data/certs/
root@eb7023:/data/certs>ll
total 28
-rw-r--r-- 1 root root 1797 Sep 11 14:20 ca.crt
-rw-r--r-- 1 root root 3243 Sep 11 14:18 ca.key
-rw-r--r-- 1 root root 17 Sep 11 14:48 ca.srl
-rw-r--r-- 1 root root 1830 Sep 11 14:48 server.crt
-rw-r--r-- 1 root root 1590 Sep 11 14:24 server.csr
-rw-r--r-- 1 root root 3243 Sep 11 14:20 server.key
-rw-r--r-- 1 root root 231 Sep 11 14:48 v3.ext
root@eb7023:/data/certs>cp server.crt /etc/docker/certs.d/harbor23.com/server.crt
```

After that, docker login works directly

```
root@eb7023:/data/certs>docker login harbor23.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

Here my Docker and Harbor are on the same machine; for any other machine, copy the crt file to it in the same way.

```
root@eb7023:/data/certs>scp server.crt root@eb7045:/etc/docker/certs.d/harbor23.com/server.crt
root@eb7045's password: 
server.crt 100% 1830 2.1MB/s 00:00
```

On eb7045 you can log in to verify:

```
root@eb7045:/etc/docker/certs.d/harbor23.com>docker login harbor23.com
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
```

The configuration is now complete.

Reference link: https://zhuanlan.zhihu.com/p/234918875
