Deploying Harbor on k8s with Domain-Name Access Through Nginx-Ingress

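Contents

1. k8s cluster environment, installed and deployed with KubeSphere

1.1 Basic cluster information

1.2 Cluster node information

2. Installing Harbor

2.1 Adding the Harbor repository with Helm

2.2 Generating a certificate with openssl

2.3 Creating the secret

2.4 Creating the NFS storage directories

2.5 Creating the PVs

2.6 Creating the PVCs

2.7 The values.yaml configuration file

2.8 Deployment command

2.9 Editing the ingress file (vim-style editing)

2.9.1 Deploying nginx-ingress-controller

2.9.2 Viewing the resulting Ingress configuration

3. Access

3.1 Configuring hosts on Windows

3.2 Access URL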

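1. k8s cluster environment, installed and deployed with KubeSphere

1.1 Basic cluster information

1.2 Cluster node information

2. Installing Harbor

2.1 Adding the Harbor repository with Helm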

helm repo add harbor https://helm.goharbor.io
helm pull harbor/harbor

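Running the commands above produces the file harbor-1.10.2.tgz. Extract it and rename the extracted directory to harbor.

For a newer chart version, you may need to upgrade your Helm version.

2.2 Generating a certificate with openssl

The harbor directory contains a cert directory. Run cp -r cert bak to back up the default cert files.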

cd cert

openssl genrsa -des3 -passout pass:over4chars -out tls.pass.key 2048
...
openssl rsa -passin pass:over4chars -in tls.pass.key -out tls.key
# Writing RSA key

rm -rf tls.pass.key

openssl req -new -key tls.key -out tls.csr
...
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:liebe
Organizational Unit Name (eg, section) []:liebe
Common Name (eg, your name or your server's hostname) []:harbor.liebe.com.cn
Email Address []:<your email address>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:talent
An optional company name []:liebe

Generate the SSL certificate
The self-signed SSL certificate is generated from the private key tls.key and the request file tls.csr.
openssl x509 -req -sha256 -days 365 -in tls.csr -signkey tls.key -out tls.crt
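
Added example (not from the original post): Go-based registry clients such as Docker and containerd validate host names only against the certificate's subjectAltName and ignore the Common Name, and the openssl x509 -req command above adds no SAN. The script below issues the self-signed certificate in one step with SANs for the two hosts in expose.ingress.hosts, then checks that key and certificate belong together and cover both hosts before the secret is created. It assumes OpenSSL 1.1.1 or later for -addext; the function names are illustrative.

```shell
#!/bin/sh
# Added example: self-signed certificate with SANs for the Harbor ingress hosts.
# Host names are taken from expose.ingress.hosts in values.yaml;
# the function names are hypothetical helpers, not part of Harbor or Helm.
CORE_HOST="harbor.liebe.com.cn"
NOTARY_HOST="notary-harbor.liebe.com.cn"

# make_cert DIR: write DIR/tls.key (unencrypted, mode 600) and DIR/tls.crt.
make_cert() {
    dir=$1
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=liebe/CN=$CORE_HOST" \
        -addext "subjectAltName=DNS:$CORE_HOST,DNS:$NOTARY_HOST" ) 2>/dev/null
}

# cert_matches_host CRT HOST: succeeds only if the certificate covers HOST.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 \
        | grep -q "does match certificate"
}

# key_matches_cert KEY CRT: succeeds only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# preflight DIR: run every check before `kubectl create secret tls ...`.
preflight() {
    key_matches_cert "$1/tls.key" "$1/tls.crt" \
        || { echo "key/cert mismatch"; return 1; }
    for h in "$CORE_HOST" "$NOTARY_HOST"; do
        cert_matches_host "$1/tls.crt" "$h" \
            || { echo "cert does not cover $h"; return 1; }
    done
    echo "ok"
}
```

Call make_cert on the cert directory and create the secret only when preflight on the same directory prints ok.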

2.3 Creating the secret

Run the command:

kubectl create secret tls harbor.liebe.com.cn --key tls.key --cert tls.crt -n pig-dev

Check the result:

kubectl get secret -n pig-dev

2.4 Creating the NFS storage directories

  mkdir -p /home/data/nfs-share/harbor/registry
  mkdir -p /home/data/nfs-share/harbor/chartmuseum
  mkdir -p /home/data/nfs-share/harbor/jobservice
  mkdir -p /home/data/nfs-share/harbor/database
  mkdir -p /home/data/nfs-share/harbor/redis
  mkdir -p /home/data/nfs-share/harbor/trivy  
  mkdir -p /home/data/nfs-share/harbor/jobservicedata
  mkdir -p /home/data/nfs-share/harbor/jobservicelog
  chmod 777 /home/data/nfs-share/harbor/*

2.5 Creating the PVs

# No. 1
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-registry
  namespace: pig-dev
  labels:
    app: harbor-registry
spec:
  capacity:
    storage: 150Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "managed-nfs-storage"
  mountOptions:
    - hard
  nfs:
    path: /home/data/nfs-share/harbor/registry
    server: 10.10.10.89
---
# No. 2
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-chartmuseum
  namespace: pig-dev
  labels:
    app: harbor-chartmuseum
spec:
  capacity:
    # must be at least the PVC request (10Gi); 10G would be too small to bind
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "managed-nfs-storage"
  mountOptions:
    - hard
  nfs:
    path: /home/data/nfs-share/harbor/chartmuseum
    server: 10.10.10.89
---
# No. 3
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-jobservicelog
  namespace: pig-dev
  labels:
    app: harbor-jobservicelog
spec:
  capacity:
    storage: 10G
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "managed-nfs-storage"
  mountOptions:
    - hard
  nfs:
    path: /home/data/nfs-share/harbor/jobservicelog
    server: 10.10.10.89
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-jobservicedata
  namespace: pig-dev
  labels:
    app: harbor-jobservicedata
spec:
  capacity:
    storage: 10G
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "managed-nfs-storage"
  mountOptions:
    - hard
  nfs:
    path: /home/data/nfs-share/harbor/jobservicedata
    server: 10.10.10.89
---
# No. 4
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-database
  namespace: pig-dev
  labels:
    app: harbor-database
spec:
  capacity:
    # must be at least the PVC request (10Gi); 10G would be too small to bind
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "managed-nfs-storage"
  mountOptions:
    - hard
  nfs:
    path: /home/data/nfs-share/harbor/database
    server: 10.10.10.89
---
# No. 5
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-redis
  namespace: pig-dev
  labels:
    app: harbor-redis
spec:
  capacity:
    # must be at least the PVC request (10Gi); 10G would be too small to bind
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "managed-nfs-storage"
  mountOptions:
    - hard
  nfs:
    path: /home/data/nfs-share/harbor/redis
    server: 10.10.10.89
---
# No. 6
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-trivy
  namespace: pig-dev
  labels:
    app: harbor-trivy
spec:
  capacity:
    # must be at least the PVC request (10Gi); 10G would be too small to bind
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "managed-nfs-storage"
  mountOptions:
    - hard
  nfs:
    path: /home/data/nfs-share/harbor/trivy
    server: 10.10.10.89

2.6 Creating the PVCs

# No. 1
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-registry
  namespace: pig-dev
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "managed-nfs-storage"
  resources:
    requests:
      storage: 150Gi
---
# No. 2
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-chartmuseum
  namespace: pig-dev
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "managed-nfs-storage"
  resources:
    requests:
      storage: 10Gi
---
# No. 3
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-jobservicelog
  namespace: pig-dev
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "managed-nfs-storage"
  resources:
    requests:
      storage: 5Gi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-jobservicedata
  namespace: pig-dev
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "managed-nfs-storage"
  resources:
    requests:
      storage: 5Gi
---
# No. 4
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-database
  namespace: pig-dev
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "managed-nfs-storage"
  resources:
    requests:
      storage: 10Gi
---
# No. 5
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-redis
  namespace: pig-dev
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "managed-nfs-storage"
  resources:
    requests:
      storage: 10Gi
---
# No. 6
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-trivy
  namespace: pig-dev
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: "managed-nfs-storage"
  resources:
    requests:
      storage: 10Gi

2.7 The values.yaml configuration file

expose:
  # Set how to expose the service. Set the type as "ingress", "clusterIP", "nodePort" or "loadBalancer"
  # and fill the information in the corresponding section
  type: ingress
  tls:
    # Enable TLS or not.
    # Delete the "ssl-redirect" annotations in "expose.ingress.annotations" when TLS is disabled and "expose.type" is "ingress"
    # Note: if the "expose.type" is "ingress" and TLS is disabled,
    # the port must be included in the command when pulling/pushing images.
    # Refer to https://github.com/goharbor/harbor/issues/5291 for details.
    enabled: true
    # The source of the tls certificate. Set as "auto", "secret"
    # or "none" and fill the information in the corresponding section
    # 1) auto: generate the tls certificate automatically
    # 2) secret: read the tls certificate from the specified secret.
    # The tls certificate can be generated manually or by cert manager
    # 3) none: configure no tls certificate for the ingress. If the default
    # tls certificate is configured in the ingress controller, choose this option
    certSource: "secret"
    auto:
      # The common name used to generate the certificate, it's necessary
      # when the type isn't "ingress"
      commonName: ""
    secret:
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      secretName: "harbor.liebe.com.cn"
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      # Only needed when the "expose.type" is "ingress".
      notarySecretName: "harbor.liebe.com.cn"
  ingress:
    hosts:
      core: harbor.liebe.com.cn
      notary: notary-harbor.liebe.com.cn
    # set to the type of ingress controller if it has specific requirements.
    # leave as `default` for most ingress controllers.
    # set to `gce` if using the GCE ingress controller
    # set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
    # set to `alb` if using the ALB ingress controller
    controller: default
    ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress
    kubeVersionOverride: ""
    className: ""
    annotations:
      # note different ingress controllers may require a different ssl-redirect annotation
      # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "1024m"
      #### For a traefik ingress, configure as follows:
      # kubernetes.io/ingress.class: "traefik"
      # traefik.ingress.kubernetes.io/router.tls: 'true'
      # traefik.ingress.kubernetes.io/router.entrypoints: websecure
      #### For an nginx ingress, configure as follows:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "1024m"
      nginx.org/client-max-body-size: "1024m"
    notary:
      # notary ingress-specific annotations
      annotations: {}
      # notary ingress-specific labels
      labels: {}
    harbor:
      # harbor ingress-specific annotations
      annotations: {}
      # harbor ingress-specific labels
      labels: {}
  clusterIP:
    # The name of ClusterIP service
    name: harbor
    # Annotations on the ClusterIP service
    annotations: {}
    ports:
      # The service port Harbor listens on when serving HTTP
      httpPort: 80
      # The service port Harbor listens on when serving HTTPS
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      notaryPort: 4443
  nodePort:
    # The name of NodePort service
    name: harbor
    ports:
      http:
        # The service port Harbor listens on when serving HTTP
        port: 80
        # The node port Harbor listens on when serving HTTP
        nodePort: 30102
      https:
        # The service port Harbor listens on when serving HTTPS
        port: 443
        # The node port Harbor listens on when serving HTTPS
        nodePort: 30103
      # Only needed when notary.enabled is set to true
      notary:
        # The service port Notary listens on
        port: 4443
        # The node port Notary listens on
        nodePort: 30104
  loadBalancer:
    # The name of LoadBalancer service
    name: harbor
    # Set the IP if the LoadBalancer supports assigning IP
    IP: ""
    ports:
      # The service port Harbor listens on when serving HTTP
      httpPort: 80
      # The service port Harbor listens on when serving HTTPS
      httpsPort: 443
    