Harbor仓库配置https访问_为什么harbor需要域名访问

注：高版本（14以上）docker执行login命令，默认使用https，且harbor必须使用域名，只是用ip访问是不行的。

假设使用的网址是：www.harbor.mobi，本机ip是172.16.5.45

因为这个网址是虚拟的，所以需要在本机hosts文件中添加

echo "172.16.5.45  www.harbor.mobi" >> /etc/hosts

把yourdomain.com换成实际使用的域名或者ip或者ip:port，要跟harbor.yml文件中的配置信息保持一致

#set hostname
hostname: www.harbor.mobi
 
#http:
#  port: 80
 
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/www.harbor.mobi.crt
  private_key: /data/cert/www.harbor.mobi.key
# 注意证书路径

一键脚本文件：

#!/bin/bash
 
# 在该目录下操作生成证书，正好供harbor.yml使用
mkdir -p /data/cert
cd /data/cert
 
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key ca.key -out ca.crt
openssl genrsa -out www.harbor.mobi.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key www.harbor.mobi.key -out www.harbor.mobi.csr
 
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
 
[alt_names]
DNS.1=www.harbor.mobi
DNS.2=harbor
DNS.3=ks-allinone
EOF
 
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.crt
    
openssl x509 -inform PEM -in www.harbor.mobi.crt -out www.harbor.mobi.cert
 
cp www.harbor.mobi.crt /etc/pki/ca-trust/source/anchors/www.harbor.mobi.crt 
update-ca-trust

# 把这三个复制到docke下
mkdir -p /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.cert /etc/docker/certs.d/www.harbor.mobi/
cp www.harbor.mobi.key /etc/docker/certs.d/ywww.harbor.mobi/
cp ca.crt /etc/docker/certs.d/www.harbor.mobi/
 
 
最终docker目录结构：
/etc/docker/certs.d/
    └── www.harbor.mobi
       ├── www.harbor.mobi.cert  <-- Server certificate signed by CA
       ├── www.harbor.mobi.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate
# 重启docker
systemctl restart docker.service
 
# 停止
docker-compose down -v
 
# 重新生成配置文件
./prepare --with-notary --with-clair --with-chartmuseum
 
# 启动
docker-compose up -d

官方步骤示例：

#set hostname
hostname: yourdomain.com
 
http:
  port: 80
 
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/yourdomain.com.crt
  private_key: /data/cert/yourdomain.com.key

# 生成使用的相关证书
openssl genrsa -out ca.key 4096
 
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
    -key ca.key \
    -out ca.crt
 
openssl genrsa -out yourdomain.com.key 4096
 
openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
    -key yourdomain.com.key \
    -out yourdomain.com.csr
 
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
 
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
 
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in yourdomain.com.csr \
    -out yourdomain.com.crt
 
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
 
# 把这三个复制到docke下
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
 
 
最终docker目录结构：
/etc/docker/certs.d/
    └── yourdomain.com:port
       ├── yourdomain.com.cert  <-- Server certificate signed by CA
       ├── yourdomain.com.key   <-- Server key signed by CA
       └── ca.crt               <-- Certificate authority that signed the registry certificate
# 重启docker
systemctl restart docker.service
 
cp 192.168.75.100.crt /etc/pki/ca-trust/source/anchors/192.168.75.100.crt 
update-ca-trust
 
# harbor证书配置
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/
 
# 重新生成配置文件
./prepare --with-notary --with-clair --with-chartmuseum
 
# 停止
docker-compose down -v
 
# 启动
docker-compose up -d
 

然后docker直接login即可

 root@eb7023:/data/certs>docker login www.harbor.mobi
 Username: admin
 Password: 
 WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
 Configure a credential helper to remove this warning. See
 https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 ​
 Login Succeeded

这里我的docker和harbor是在同一台机器上的，如果是其他机器也复制crt文件即可

 root@eb7023:/data/certs>scp www.harbor.mobi.crt root@eb7045:/etc/docker/certs.d/www.harbor.mobi/www.harbor.mobi.crt
 root@eb7045's password: 
www.harbor.mobi.crt                                    100% 1830     2.1MB/s   00:00    

在eb7045可以登录验证一下：

 root@eb7045:/etc/docker/certs.d/harbor23.com>docker login www.harbor.mobi
 Username: admin
 Password: 
 WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
 Configure a credential helper to remove this warning. See
 https://docs.docker.com/engine/reference/commandline/login/#credentials-store
 ​
 Login Succeeded

到这里配置完成 ！