# Deploying Harbor on k8s

## Environment preparation

1. An ingress controller is already installed
2. A CSI driver is already installed

```
$ kubectl get sc
NAME      PROVISIONER      RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
nfs-csi   nfs.csi.k8s.io   Retain          Immediate           false                  7s
$ kubectl get ingressclass
NAME    CONTROLLER             PARAMETERS   AGE
nginx   k8s.io/ingress-nginx   <none>       68m
```

## Add the helm chart

```
$ helm repo add harbor https://helm.goharbor.io
$ helm search repo harbor/harbor --versions
# pin the helm chart version
$ helm fetch harbor/harbor --version 1.17.1 --untar
```

## Generate a self-signed certificate

```
$ cd harbor/; mkdir ssl; cd ssl
$ wget https://raw.githubusercontent.com/cooloo9871/SelfSigned-RootCA/refs/heads/master/mk2
$ chmod +x mk2
$ ./mk2 create harbor.test.com
```

```
$ kubectl create ns harbor
$ kubectl create secret tls harbor-tls \
  --cert=cert.pem \
  --key=cert-key.pem \
  -n harbor
$ kubectl -n harbor get secret
NAME         TYPE                DATA   AGE
harbor-tls   kubernetes.io/tls   2      8s
```

## Edit values.yaml

* Configure Harbor's `values.yaml`
  - set the ingress domain
  - set the registry image storage space to 300g

```
$ cd ..
$ nano values.yaml
......
    certSource: secret
......
    secret:
      # The name of secret which contains keys named:
      # "tls.crt" - the certificate
      # "tls.key" - the private key
      secretName: "harbor-tls"
  ingress:
    hosts:
      core: harbor.test.com
......
externalURL: https://harbor.test.com
......
persistence:
  enabled: true
  # Setting it to "keep" to avoid removing PVCs during a helm delete
  # operation. Leaving it empty will delete PVCs after the chart deleted
  # (this does not apply for PVCs that are created for internal database
  # and redis components, i.e. they are never deleted automatically)
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      # Use the existing PVC which must be created manually before bound,
      # and specify the "subPath" if the PVC is shared with other components
      existingClaim: ""
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used(the default).
      # Set it to "-" to disable dynamic provisioning
      storageClass: "nfs-csi"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 300Gi
    chartmuseum:
      existingClaim: ""
      storageClass: "nfs-csi"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: "nfs-csi"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external database is used, the following settings for database will
    # be ignored
    database:
      existingClaim: ""
      storageClass: "nfs-csi"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external Redis is used, the following settings for Redis will
    # be ignored
    redis:
      existingClaim: ""
      storageClass: "nfs-csi"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: ""
      storageClass: "nfs-csi"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
```

## Deploy Harbor

```
$ cd ~
$ helm install harbor harbor/ -n harbor
```

## Check the environment

```
$ kubectl -n harbor get pod
NAME                                  READY   STATUS    RESTARTS   AGE
harbor-chartmuseum-6c675c5c5c-npv9k   1/1     Running   0          64s
harbor-core-697bc98c55-s4h6m          1/1     Running   0          64s
harbor-database-0                     1/1     Running   0          64s
harbor-jobservice-67f5997cd-lnfrt     1/1     Running   0          64s
harbor-portal-948c4b8fd-dzgx7         1/1     Running   0          64s
harbor-redis-0                        1/1     Running   0          64s
harbor-registry-6986446689-xnwnz      2/2     Running   0          64s
harbor-trivy-0                        1/1     Running   0          64s
```

```
$ kubectl -n harbor get ing
NAME             CLASS    HOSTS             ADDRESS                              PORTS     AGE
harbor-ingress   <none>   harbor.test.com   10.10.7.37,10.10.7.38,10.10.7.39   80, 443   76s
```

* Log in to Harbor

![image](https://hackmd.io/_uploads/B19H6tQUgg.png)

## Configure podman & docker to trust the certificate for login

* Import ca.pem into the client OS
* RHEL OS setup

```
# ssh into the client and copy ca.pem onto the OS
$ sudo cp ca.pem /usr/share/pki/ca-trust-source/anchors/
$ sudo update-ca-trust
```

* Ubuntu Server 24.04 OS setup

```
$ sudo cp ca.pem /usr/local/share/ca-certificates/ca.crt
$ sudo update-ca-certificates
```

### podman setup

```
# once the certificate is imported, podman can log in using the CA; a directory named after the registry must be created
$ sudo mkdir -p /etc/containers/certs.d/harbor.test.com
# the certificate file must be named ca.crt
$ sudo cp ca.pem /etc/containers/certs.d/harbor.test.com/ca.crt
$ sudo podman login harbor.test.com
```

### docker setup

```
# once the certificate is imported, docker can log in using the CA
$ sudo mkdir /etc/docker/certs.d
$ sudo cp ca.pem /etc/docker/certs.d/
$ sudo systemctl restart docker
$ sudo docker login harbor.test.com
```

## References

https://goharbor.io/docs/2.13.0/install-config/harbor-ha-helm/
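The podman and docker steps above depend on the certs.d layout being exact: the directory is named after the registry host and the file is named `ca.crt`. As an added example (not code from the original page or from the Harbor project), the POSIX shell script below installs a CA into that layout, refuses files that are not PEM certificates, and can probe the live ingress chain against the CA with `openssl s_client`; the registry host and the certs.d roots are parameters, and the `/etc/containers/certs.d` and `/etc/docker/certs.d` defaults, the `install` sub-command, and the constructed PEM used in testing are assumptions of this example. Docker reads the same per-registry `certs.d/<registry>/ca.crt` layout, independent of the OS trust store that the page's docker steps rely on.

```shell
#!/bin/sh
# Install a registry CA in the per-registry certs.d layout and check it.
# REGISTRY and CERTS_D_ROOT are parameters so one function serves podman
# and docker; the defaults below are assumptions, not taken from the page.
set -eu

# pem_is_cert FILE: succeed only if FILE holds at least one PEM certificate block
pem_is_cert() {
  grep -Fq -e '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -Fq -e '-----END CERTIFICATE-----' "$1"
}

# install_registry_ca REGISTRY CA_PEM CERTS_D_ROOT
# Creates CERTS_D_ROOT/REGISTRY/ca.crt. The directory name must equal the
# registry host (with :port if one is used) and the file must be named ca.crt.
install_registry_ca() {
  registry=$1; ca=$2; root=$3
  case $registry in
    ''|*/*) echo "install_registry_ca: bad registry name '$registry'" >&2; return 1 ;;
  esac
  if ! pem_is_cert "$ca"; then
    echo "install_registry_ca: $ca is not a PEM certificate" >&2
    return 1
  fi
  mkdir -p "$root/$registry"
  cp "$ca" "$root/$registry/ca.crt"
  chmod 0644 "$root/$registry/ca.crt"
}

# verify_registry_ca REGISTRY CERTS_D_ROOT: succeed if the expected file is in place
verify_registry_ca() {
  [ -f "$2/$1/ca.crt" ] && pem_is_cert "$2/$1/ca.crt"
}

# check_live_tls REGISTRY CA_PEM: succeed if the ingress for REGISTRY presents a
# chain that verifies against CA_PEM for that SNI name (needs openssl and network)
check_live_tls() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" \
    -CAfile "$2" -verify_hostname "$1" -verify_return_error >/dev/null 2>&1
}

# Stand-alone use: ./script install harbor.test.com ca.pem
if [ "${1:-}" = "install" ]; then
  install_registry_ca "$2" "$3" /etc/containers/certs.d
  install_registry_ca "$2" "$3" /etc/docker/certs.d
  if check_live_tls "$2" "$3"; then echo "TLS chain for $2 verifies against $3"
  else echo "TLS chain for $2 does NOT verify against $3" >&2; exit 1; fi
fi
```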