References:
https://github.com/goharbor/harbor-helm
https://goharbor.io/docs/2.5.0/install-config/harbor-ha-helm/
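Most of Harbor's components are now stateless, so you can simply increase the number of Pod replicas, make sure the components are spread across multiple worker nodes, and rely on the Kubernetes Service mechanism for connectivity between Pods.
1. Add the Helm repository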
helm repo add harbor https://helm.goharbor.io
2. Deploy Harbor with Helm, exposing the service via nodePort; a self-signed certificate is enabled by default
export node_ip=192.168.72.50
helm upgrade --install harbor harbor/harbor --namespace harbor --create-namespace \
--set expose.type=nodePort \
--set expose.tls.auto.commonName=$node_ip \
--set externalURL="https://$node_ip:30003"
Note: 192.168.72.50 is the IP address of any node in the Kubernetes cluster.
3. Verify the installation
List the pods
root@node01:~# kubectl -n harbor get pods
NAME READY STATUS RESTARTS AGE
harbor-chartmuseum-cc96d7bd6-h6x5q 1/1 Running 0 17m
harbor-core-75c675ccbd-lk5w9 1/1 Running 0 17m
harbor-database-0 1/1 Running 0 17m
harbor-jobservice-847d4bc6cb-trpqp 1/1 Running 0 17m
harbor-nginx-7bfc589c8d-6clgx 1/1 Running 0 17m
harbor-notary-server-f584f495-jcvzl 1/1 Running 1 (16m ago) 17m
harbor-notary-signer-687bff6479-bzwqz 1/1 Running 1 (17m ago) 17m
harbor-portal-685498cc69-v5ppr 1/1 Running 0 17m
harbor-redis-0 1/1 Running 0 17m
harbor-registry-7945564768-g86tt 2/2 Running 0 17m
harbor-trivy-0 1/1 Running 0 17m
List the services
root@node01:/var/lib/sealos/data/default/rootfs# kubectl -n harbor get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
harbor NodePort 10.96.1.217 <none> 80:30002/TCP,443:30003/TCP,4443:30004/TCP 100s
harbor-chartmuseum ClusterIP 10.96.0.116 <none> 80/TCP 100s
harbor-core ClusterIP 10.96.0.125 <none> 80/TCP 100s
harbor-database ClusterIP 10.96.1.189 <none> 5432/TCP 100s
harbor-jobservice ClusterIP 10.96.1.99 <none> 80/TCP 100s
harbor-notary-server ClusterIP 10.96.0.5 <none> 4443/TCP 100s
harbor-notary-signer ClusterIP 10.96.0.164 <none> 7899/TCP 100s
harbor-portal ClusterIP 10.96.1.25 <none> 80/TCP 100s
harbor-redis ClusterIP 10.96.0.224 <none> 6379/TCP 100s
harbor-registry ClusterIP 10.96.3.233 <none> 5000/TCP,8080/TCP 100s
harbor-trivy ClusterIP 10.96.2.193 <none> 8080/TCP 100s
List the PVCs
root@node01:~# kubectl -n harbor get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
data-harbor-redis-0 Bound pvc-f9839aa4-89ed-4971-92ae-047b271e6205 1Gi RWO local-hostpath 17m
data-harbor-trivy-0 Bound pvc-4b25125b-0fb8-40ed-8d3b-80c70f90cc5a 5Gi RWO local-hostpath 17m
database-data-harbor-database-0 Bound pvc-7d826b47-066e-4da6-8fb8-734be3823667 1Gi RWO local-hostpath 17m
harbor-chartmuseum Bound pvc-432582f3-62f8-49da-96d0-37a01e015c57 5Gi RWO local-hostpath 17m
harbor-jobservice Bound pvc-080863a2-277d-4293-93ec-dea149b051ec 1Gi RWO local-hostpath 17m
harbor-registry Bound pvc-906d49c6-0fd8-435d-84f1-46b6e7132802 5Gi RWO local-hostpath 17m
Note: a default StorageClass must already be in place
root@node01:~# kubectl get sc
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
local-hostpath (default) openebs.io/local Delete WaitForFirstConsumer false 2d23h
4. Open Harbor in a browser using the node IP and nodePort, and log in with the default username and password admin/Harbor12345:
https://192.168.72.50:30003/
After logging in, the page looks like this:
5. Docker client configuration
First, export the ca.crt certificate
kubectl -n harbor get secrets harbor-nginx -o jsonpath="{.data.ca\.crt}" | base64 -d >ca.crt
Copy ca.crt to the machine where the Docker client runs
root@ubuntu:~# mkdir -p /etc/docker/certs.d/192.168.72.50:30003/
root@ubuntu:~# ls /etc/docker/certs.d/192.168.72.50:30003/
ca.crt
Log in to the Harbor registry
root@ubuntu:~# docker login -u admin -p Harbor12345 https://192.168.72.50:30003
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
Login Succeeded
Push an image to the Harbor registry
root@ubuntu:~# docker tag centos:latest 192.168.72.50:30003/library/centos:latest
root@ubuntu:~# docker push 192.168.72.50:30003/library/centos:latest
The push refers to repository [192.168.72.50:30003/library/centos]
74ddd0ec08fa: Pushed
latest: digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc size: 529
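The client-side part of step 5 as a reusable script, added here as an example and not taken from the original page or the Harbor project: it checks the exported ca.crt before placing it under the Docker certs directory, and logs in with --password-stdin as the docker warning above recommends. The function names, the DOCKER_CERTS_ROOT override and the password file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; install_registry_ca, harbor_login and DOCKER_CERTS_ROOT
# are hypothetical names, not part of Harbor or Docker.

# install_registry_ca <ca-file> <registry host:port>
# Places the CA where the Docker daemon looks for it:
#   <certs root>/<host:port>/ca.crt
install_registry_ca() {
    ca_file=$1
    registry=$2
    certs_root=${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}

    # A failed "kubectl ... | base64 -d >ca.crt" leaves an empty file behind.
    [ -s "$ca_file" ] || { echo "error: $ca_file is missing or empty" >&2; return 1; }

    # The secret that holds ca.crt can also hold the server's private key;
    # key material must never be copied to client machines.
    if grep -q -- 'PRIVATE KEY-----' "$ca_file"; then
        echo "error: $ca_file contains a private key" >&2; return 2
    fi

    # The file must contain at least one PEM certificate.
    grep -q -- '^-----BEGIN CERTIFICATE-----' "$ca_file" &&
        grep -q -- '^-----END CERTIFICATE-----' "$ca_file" ||
        { echo "error: $ca_file is not a PEM certificate" >&2; return 3; }

    # The directory name must equal the registry address used in image
    # references: host:port only, no scheme and no path.
    case $registry in
        ''|*/*) echo "error: expected host:port, got '$registry'" >&2; return 4 ;;
    esac

    dest="$certs_root/$registry"
    mkdir -p "$dest" && cp "$ca_file" "$dest/ca.crt" && chmod 0644 "$dest/ca.crt"
}

# harbor_login <registry host:port> <user> <password-file>
# The password is read from stdin, so it never appears in argv or shell history.
harbor_login() {
    docker login --username "$2" --password-stdin "https://$1" < "$3"
}
```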