
About Kubernetes: Setting up Harbor on Kubernetes 1.21

Background:

I had always been using a personal repository on Tencent Cloud as my image registry. A while ago Tencent Cloud launched TCR, its container registry service:

A quick look at it felt a bit expensive. Personally I have fewer than 50 images; I just wanted to try out image security and vulnerability scanning, and I don't have a hard requirement for it. 600-odd yuan a month still felt pricey, so I decided to just set up Harbor myself.

Setting up Harbor on Kubernetes 1.21

Note: I first tried this on TKE with Kubernetes 1.20.6; the two versions differ very little, so ignore the difference. In the end it was done on my self-built Kubernetes 1.21 cluster on Tencent Cloud. I referred to an earlier post of mine: https://duiniwukenaihe.github.io/2019/10/29/k8s-helm-install-hrbor/

1. Download the harbor-helm repository

The git clone way

git clone https://github.com/goharbor/harbor-helm

helm is required

Of course helm 3 is already installed here; a working helm environment is a prerequisite.

wget https://get.helm.sh/helm-v3.6.3-linux-amd64.tar.gz
tar zxvf helm-v3.6.3-linux-amd64.tar.gz
cd linux-amd64
cp helm /usr/local/bin/

helm fetch

You can also add the chart repository directly with helm; treat it as a refresher on the helm commands. I used the git clone approach myself.

[root@k8s-master-01 harbor-helm]# helm repo add harbor https://helm.goharbor.io
"harbor" has been added to your repositories
[root@k8s-master-01 harbor-helm]# cd /data/
[root@k8s-master-01 data]# helm search repo harbor
NAME             CHART VERSION    APP VERSION    DESCRIPTION                                       
harbor/harbor    1.7.2            2.3.2          An open source trusted cloud native registry th...
[root@k8s-master-01 data]# helm fetch harbor/harbor --version 1.7.2

Edit the configuration file

Edit the values.yaml configuration file:
The cluster uses traefik as the proxy for external access, so the expose type is set to clusterIP; externalURL and the storageclass are set as well. As follows:

type:

externalURL:

storageclass:


Note: because the minimum CBS volume size is 10G and the step size is also 10G, all storage except the registry volume uses 10G. With other storage backends, size these as you see fit.
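As an added example (not code from the original post or from the harbor-helm project), the following renders a values override with the settings described above: clusterIP exposure with TLS left to traefik, an externalURL, one storage class for every volume, and the 10G sizing from the note. The keys are those of harbor-helm 1.x (expose.type, expose.tls.enabled, externalURL, harborAdminPassword, persistence.persistentVolumeClaim.*). The hostname harbor.xxx.com, the storage class name cbs-shanghai-2, the 100Gi registry size and the HARBOR_ADMIN_PASSWORD environment variable are assumptions; the function refuses to render with the chart's default admin password, which the post mentions further down.

```shell
#!/bin/sh
# Added example, not from the original post: render a harbor-helm values
# override. Assumed placeholders: harbor.xxx.com, cbs-shanghai-2, the 100Gi
# registry size, and the HARBOR_ADMIN_PASSWORD variable (not a chart key).

# Refuse to render with the chart default (Harbor12345) or an empty password,
# so the admin account is never deployed with the documented default.
render_harbor_override() {
  pw="${HARBOR_ADMIN_PASSWORD:-}"
  if [ -z "$pw" ] || [ "$pw" = "Harbor12345" ]; then
    echo "render_harbor_override: set HARBOR_ADMIN_PASSWORD to a non-default value" >&2
    return 1
  fi
  cat <<EOF
expose:
  type: clusterIP            # traefik IngressRoutes handle external exposure
  tls:
    enabled: false           # TLS is terminated at traefik (websecure entrypoint)
externalURL: https://harbor.xxx.com
harborAdminPassword: "$pw"
persistence:
  enabled: true
  persistentVolumeClaim:
    registry:                # image layers: the only volume that needs real space
      storageClass: cbs-shanghai-2
      size: 100Gi            # assumed value; the post does not give a size
    chartmuseum:
      storageClass: cbs-shanghai-2
      size: 10Gi             # CBS minimum is 10G, so everything else gets 10Gi
    jobservice:
      storageClass: cbs-shanghai-2
      size: 10Gi
    database:
      storageClass: cbs-shanghai-2
      size: 10Gi
    redis:
      storageClass: cbs-shanghai-2
      size: 10Gi
    trivy:
      storageClass: cbs-shanghai-2
      size: 10Gi
EOF
}

# Typical usage (not executed here): write the override, then install the
# chart version shown in the helm search output above.
#   HARBOR_ADMIN_PASSWORD='...' render_harbor_override > harbor-override.yaml
#   helm install harbor harbor/harbor --version 1.7.2 -n kube-ops -f harbor-override.yaml
```

The override is meant to be layered on top of the chart's own values.yaml with -f, so only the keys that differ from the defaults appear in it.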

helm install

helm install harbor -f values.yaml . --namespace kube-ops
kubectl get pods -n kube-ops -w  



Note: this screenshot was added afterwards.

helm upgrade

If values.yaml is changed later, upgrade the release with the following command:

helm upgrade harbor -f values.yaml . --namespace kube-ops

To remove the harbor release:

helm uninstall harbor -n kube-ops

Exposing harbor externally through traefik:

ingressroute:

cat ingress-harbor.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-http
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: harbor-portal
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-api
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/api`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-service
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/service`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-v2
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/v2`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-chartrepo
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/chartrepo`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-c
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/c`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80

kubectl apply -f ingress-harbor.yaml


The default login password is Harbor12345. It can of course be changed ahead of time in values.yaml.

traefik ingress

Trying the ingress approach

helm upgrade harbor -f values.yaml . --namespace kube-ops


Note: a different domain is bound here!
Web access works normally as well.

Other problems encountered:

Web access works and docker login works, but docker push fails with "unknown blob"?


The likely cause is that my SLB does an automatic HTTP to HTTPS redirect, and docker push breaks on it. I read through many fixes online without getting anywhere; most of them say roughly the same thing?

In the end I took the lazy way out:
Create a new SLB, move one of the servers off the main SLB onto the new one, and proxy TCP directly, without forcing HTTP to HTTPS.

 kubectl create secret tls all-xxxx-com --key=2_xxxx.com.key --cert=1_xxxx.com_bundle.crt -n kube-ops


ingress.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-http
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: harbor-portal
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-api
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/api/`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-service
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/service/`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-v2
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/v2`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-chartrepo
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/chartrepo/`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-c
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/c/`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80

kubectl apply -f ingress.yaml

Another interesting find:
I ultimately set up Harbor on my self-built cluster with CBS as the storage (see: Adding Tencent Cloud CBS as the default storage class for a Kubernetes cluster). But my worker nodes include hosts in both ap-shanghai-2 and ap-shanghai-3. Even though I had marked the zone 3 nodes as unschedulable, some block storage still got created in zone 3, and the result was that the pods could not be scheduled and reach Running, because a cloud disk cannot be mounted across zones. The fix was to create a new StorageClass pinned to ap-shanghai-2 and switch the storage class used by harbor to it.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: cbs-shanghai-2
provisioner: com.tencent.cloud.csi.cbs
parameters:
  diskZone: ap-shanghai-2
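The zone mismatch above is silent until a pod sits in Pending, so it is worth checking for directly: list every PV's zone (CSI drivers record it as node affinity on the volume) against the zones where a schedulable node exists. This is an added example, not from the original post. The kubectl commands in collect_nodes and collect_pvs assume the standard topology.kubernetes.io/zone node label, which TKE nodes may carry under a different key; the node and PV tables used for the check are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find persistent volumes pinned to
# a zone with no schedulable node, i.e. volumes that no pod can ever mount.
# The tables below are constructed; the node zone label key is an assumption.

# Node table: "<node> <zone> <unschedulable>" (third column is "true" when
# the node is cordoned, empty otherwise, as kubectl jsonpath prints it).
collect_nodes() {
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.metadata.labels.topology\.kubernetes\.io/zone} {.spec.unschedulable}{"\n"}{end}'
}

# PV table: "<pv> <zone>" taken from the node affinity the CSI driver writes
# on each provisioned volume (zone-locked disks cannot be mounted elsewhere).
collect_pvs() {
  kubectl get pv -o jsonpath='{range .items[*]}{.metadata.name} {.spec.nodeAffinity.required.nodeSelectorTerms[0].matchExpressions[0].values[0]}{"\n"}{end}'
}

# Print "<pv> <zone>" for every PV whose zone has no schedulable node.
find_stranded_pvs() {
  pvs="$1"
  nodes="$2"
  printf '%s\n' "__NODES__" "$nodes" "__PVS__" "$pvs" | awk '
    $1 == "__NODES__" { mode = "n"; next }
    $1 == "__PVS__"   { mode = "p"; next }
    NF == 0           { next }
    mode == "n" && $3 != "true" { ok[$2] = 1; next }
    mode == "p" && !($2 in ok)  { print $1, $2 }
  '
}

# Constructed sample: the zone 3 node is cordoned, but the redis volume was
# provisioned there anyway, exactly the situation described above.
SAMPLE_NODES='k8s-node-01 ap-shanghai-2
k8s-node-02 ap-shanghai-2
k8s-node-03 ap-shanghai-3 true'
SAMPLE_PVS='pvc-registry-0001 ap-shanghai-2
pvc-database-0001 ap-shanghai-2
pvc-redis-0001 ap-shanghai-3'

# On a real cluster: find_stranded_pvs "$(collect_pvs)" "$(collect_nodes)"
# Expected for the sample: pvc-redis-0001 ap-shanghai-3
```

Any volume the check reports has to be re-provisioned in a reachable zone (for example through a zone-pinned StorageClass like the one above); cordoning nodes after the fact does not move existing disks.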

In the end I switched to NFS anyway, because I didn't want to hand redis and the database a 10G disk each; that's a waste of resources. With NFS storage, pay particular attention to selfLink; see the selfLink configuration in "Upgrading Kubernetes 1.19.12 to 1.20.9 (a note on selfLink)".

Trying out the scanning service



Hmm, the dependencies need updating...

Afterword:

Really I just wanted to try Harbor's scanning service, but the page still feels immature. Once a scan finishes, could it give me a vulnerability distribution chart? The share of critical vulnerabilities? The vulnerability share per image? The vulnerability trend across different tags of the same image?
