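Configuring a certificate for Harbor and enabling HTTPS
The previous article showed how to skip the registry's security verification. Besides that, we can also use HTTPS with a certificate we generate ourselves, or of course buy one from a recognized certificate authority. Below is how to configure a certificate for Harbor and enable HTTPS.
If you are already logged in, log out first and stop Harbor.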
[root@kube-node-1 harbor]# docker logout reg.harbor.com:80
Removing login credentials for reg.harbor.com:80
[root@kube-node-1 harbor]# docker-compose stop
Stopping nginx ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping registry ... done
Stopping harbor-portal ... done
Stopping redis ... done
Stopping registryctl ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
Create the certificate
[root@kube-node-1 harbor]# mkdir harbor-cert
[root@kube-node-1 harbor]# cd harbor-cert/
[root@kube-node-1 harbor-cert]# pwd
/opt/harbor/harbor-cert
[root@kube-node-1 harbor-cert]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout test-harbor.com.key -x509 -days 365 -out test-harbor.com.crt
Generating a 4096 bit RSA private key
................................................................................................................................................................................++
...........................................................................................................++
writing new private key to 'test-harbor.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:xx
Locality Name (eg, city) [Default City]:yy
Organization Name (eg, company) [Default Company Ltd]:SMART
Organizational Unit Name (eg, section) []:OPERATION
Common Name (eg, your name or your server's hostname) []:reg.harbor.com
Email Address []:123@qq.com
Modify the harbor.yml file
Re-run the scripts
[root@kube-node-1 harbor]# ./prepare
[root@kube-node-1 harbor]# ./install.sh
After Harbor starts successfully, opening it in Google Chrome brings up a risk warning
Log in again with docker
[root@kube-node-2 reg.test.com]# docker login reg.harbor.com
Username: admin
Password:
Error response from daemon: Get https://reg.harbor.com/v2/: x509: certificate signed by unknown authority
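The message says the certificate was not issued by a trusted authority
At this point we still need to modify Docker's startup parameters
Note: if you read my previous article, be careful not to use the = sign when configuring this
After restarting Docker, the login succeeds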
[root@kube-node-1 harbor]# systemctl daemon-reload
[root@kube-node-1 harbor]# systemctl restart docker
[root@kube-node-1 harbor]# docker login reg.harbor.com
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Tip: if Docker on other nodes needs to log in to Harbor, the same parameter must also be added to their startup options.
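The certificate step and the "certificate signed by unknown authority" error above, as an added example that is not part of the original post: the same openssl req call run non-interactively with a subjectAltName, a hostname check on the result, and installation of the certificate into Docker's per-registry trust directory so the daemon verifies it. The function names and the DOCKER_CERTS_ROOT override are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). File names and DN values follow
# the session above; DOCKER_CERTS_ROOT is Docker's default per-registry trust
# directory and is overridable here so the script can be tried in a scratch dir.
set -e
DOCKER_CERTS_ROOT="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"

# make_registry_cert HOST OUTDIR [BITS]
# Same openssl req call, answered via -subj, plus a subjectAltName entry:
# Go-based clients such as Docker match the host against SAN, not the CN.
make_registry_cert() {
  local host="$1" out="$2" bits="${3:-4096}"
  mkdir -p "$out"
  openssl req -newkey "rsa:${bits}" -nodes -sha256 -x509 -days 365 \
    -subj "/C=CN/ST=xx/L=yy/O=SMART/OU=OPERATION/CN=${host}" \
    -addext "subjectAltName=DNS:${host}" \
    -keyout "$out/test-harbor.com.key" -out "$out/test-harbor.com.crt"
  chmod 600 "$out/test-harbor.com.key"   # -nodes leaves the key unencrypted
}

# cert_matches_host CRT HOST
# Exit 0 only if the certificate covers HOST and is valid for 24 more hours.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate' &&
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

# trust_registry_cert CRT HOST
# Docker trusts ca.crt found in a directory named after the registry host
# (use "host:port" as the directory name when the registry is not on 443).
trust_registry_cert() {
  local dir="${DOCKER_CERTS_ROOT}/$2"
  mkdir -p "$dir"
  install -m 0644 "$1" "$dir/ca.crt"
}

main() {
  local host="$1" out="${2:-./harbor-cert}"
  make_registry_cert "$host" "$out"
  cert_matches_host "$out/test-harbor.com.crt" "$host" ||
    { echo "certificate does not cover $host" >&2; return 1; }
  trust_registry_cert "$out/test-harbor.com.crt" "$host"
}

# Run only when a host name is given, e.g.: ./harbor-cert.sh reg.harbor.com
[ "$#" -eq 0 ] || main "$@"
```

On other Docker nodes only the trust_registry_cert step is needed, with the .crt file copied over; the .key file stays on the Harbor host.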