环境信息
- Kubernetes:v1.20.6
- StorageClass:csi-udisk-rssd
- Helm:v3.5.2
- nginx-ingress: 0.47.0
Harbor 2.3.0 版本安装前检查工作
- 推荐至少预留 8vCPU 和 30GB Mem的资源
- 依赖 ingress
- 依赖 Redis 5.0 或者更高版本
- 依赖 PostgreSQL 12.x 或者更高版本
Harbor 2.3.0 版本安装前准备工作
1. 申请通证书,
可以使用 https://keymanager.org/ 来申请 Let’s Encrypt 提供的免费泛域名证书
2. 创建域名证书 secret
kubectl create ns harbor
kubectl create secret tls harbor-secret \
--cert=harbor.crt \
--key=harbor.key \
-n harbor
3. 准备一个 Redis 实例
K8S集群内部署参考链接 Helm部署Redis
4. 准备一个 PostgreSQL 实例
K8S集群内署参考链接 Helm部署postgresql ,数据部署完毕后,需要创建好harbor组件需要的database,参考命令:
export POSTGRES_PASSWORD=$(kubectl get secret --namespace harbor harbor-db-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
kubectl run harbor-db-postgresql-client --rm --tty -i --restart='Never' --namespace harbor --image uhub.service.ucloud.cn/ucloud_pts/postgresql:13.3.0-debian-10-r55 --env="PGPASSWORD=$POSTGRES_PASSWORD" --command -- psql --host harbor-db-postgresql -U postgres -d postgres -p 5432
CREATE DATABASE harbor_core;
CREATE DATABASE harbor_clair;
CREATE DATABASE harbor_notary_server;
CREATE DATABASE harbor_notary_signer;
5. 同步海外源镜像
在国内环境部署应用,经常因为获取国外源站容器镜像超时,导致部署失败,可以提前将容器镜像同步到本地镜像仓库中,以自有镜像仓库uhub.service.ucloud.cn/ucloud_pts 为例,login仓库,执行命令: docker login uhub.service.ucloud.cn/ucloud_pts
需要同步镜像列表如下:
docker.io/bitnami/chartmuseum:0.13.1-debian-10-r98
docker.io/bitnami/harbor-core:2.3.0-debian-10-r0
docker.io/bitnami/harbor-portal:2.3.0-debian-10-r0
docker.io/bitnami/harbor-registry:2.3.0-debian-10-r7
docker.io/bitnami/harbor-registryctl:2.3.0-debian-10-r7
docker.io/bitnami/harbor-jobservice:2.3.0-debian-10-r7
docker.io/bitnami/harbor-adapter-trivy:2.3.0-debian-10-r5
docker.io/bitnami/harbor-notary-server:2.3.0-debian-10-r7
docker.io/bitnami/harbor-notary-signer:2.3.0-debian-10-r7
关于docker pull tag push 操作可以参考:
- https://docs.docker.com/engine/reference/commandline/pull/
- https://docs.docker.com/engine/reference/commandline/tag/
- https://docs.docker.com/engine/reference/commandline/push/
6. 创建 imagePullSecrets
创建容器集群访问仓库地址 uhub.service.ucloud.cn/ucloud_pts,拉取镜像需要的 secret
kubectl create namespace harbor
kubectl create secret docker-registry registry-secret-name \
--namespace=harbor \
--docker-server=uhub.service.ucloud.cn/ucloud_pts \
--docker-username='xxxxxx' \
--docker-password='xxxxxx'
7. 添加 Helm仓库
这里选用BitNami提供的chart仓库
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
8. 定义gitlab 配置,完成gitlab部署
cat > harbor-config.yaml << EOF
global:
imageRegistry: uhub.service.ucloud.cn/ucloud_pts
secretName:
- "tls-harbor-core"
imagePullSecrets:
- "registry-secret-name"
storageClass: "csi-udisk-rssd"
internalTLS:
enabled: false
core:
secretName: "tls-harbor-core"
service:
type: LoadBalancer
tls:
enabled: true
existingSecret: 'tls-harbor-core'
notaryExistingSecret: 'tls-harbor-core'
ingress:
enabled: true
pathType: ImplementationSpecific
apiVersion:
certManager: false
hosts:
core: harbor.onwalk.net
notary: harbor-notary.onwalk.net
controller: nginx
annotations:
kubernetes.io/ingress.class: nginx
ingress.kubernetes.io/ssl-redirect: 'true'
ingress.kubernetes.io/proxy-body-size: '0'
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
nginx.ingress.kubernetes.io/proxy-body-size: '0'
externalURL: https://harbor.onwalk.net
postgresql:
enabled: false
redis:
enabled: false
externalDatabase:
host: harbor-db-postgresql
user: postgres
port: 5432
password: "passwdxxxx"
sslmode: disable
coreDatabase: harbor_core
clairDatabase: harbor_clair
clairUsername: "postgres"
clairPassword: "passwdxxxx"
notaryServerDatabase: harbor_notary_server
notaryServerUsername: "postgres"
notaryServerPassword: "passwdxxxx"
notarySignerDatabase: harbor_notary_signer
notarySignerUsername: "postgres"
notarySignerPassword: "passwdxxxx"
externalRedis:
host: harbor-cache-redis-master
port: 6379
password: "redispwxxxxx"
EOF
helm delete harbor -n harbor
helm upgrade --install harbor bitnami/harbor -f harbor-config.yaml -n harbor
参考文档:
- https://github.com/goharbor/harbor-helm
- https://github.com/goharbor/harbor-helm/blob/master/docs/High%20Availability.md
- https://docs.docker.com/engine/security/certificates/
- https://goharbor.io/docs/2.0.0/working-with-projects/working-with-images/managing-helm-charts/