Harbor 配置 TLS

零、 部署 harbor

• 1. 上传 harbor 离线安装包
• 2. 确保 docker 和 docker-compose版本正确
• 3. 复制配置文件
     cp harbor.yml.tmpl harbor.yml
• 4. 修改配置文件
     hostname: 192.168.100.100
• 5. 安装 harbor
     ./prepare.sh
./install.sh

一、 配置 TLS

• 创建 ssl 证书目录
  mkdir -p /usr/local/harbor/ssl

• 修改 harbor 配置文件 /usr/local/harbor/harbor.yml

  certificate: /usr/local/harbor/ssl/harbor.com.crt
private_key: /usr/local/harbor/ssl/harbor.com.key

• 创建 CA 私钥
  openssl genrsa -out ca.key 4096

• 创建 CA 证书

  openssl req -x509 -new -nodes -sha512 -days 3650 \
   -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=example/OU=Personal/CN=harbor.com" \
   -key ca.key \
   -out ca.crt

• 创建 harbor.com 私钥
  openssl genrsa -out harbor.com.key 4096

• 为 harbor.com 创建证书签名请求

  openssl req -sha512 -new \
     -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=example/OU=Personal/CN=*.harbor.com" \
     -key harbor.com.key \
     -out harbor.com.csr

• 生成 X509 V3 扩展文件

  cat > v3.ext <<-EOF
  authorityKeyIdentifier=keyid,issuer
  basicConstraints=CA:FALSE
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth
  subjectAltName = @alt_names
  
  [alt_names]
  IP.1=192.168.100.100
  DNS.1=harbor.com
  DNS.2=*.harbor.com
  DNS.3=debian
  EOF

• CA 为 harbor.com 签署证书

  openssl x509 -req -sha512 -days 3650 \
      -extfile v3.ext \
      -CA ca.crt -CAkey ca.key -CAcreateserial \
      -in harbor.com.csr \
      -out harbor.com.crt

• 为 docker 客户端生成证书
  openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert

二、 Dcoekr 使用证书访问 harbor

• 创建必要文件目录
  mkdir -p /etc/docker/certs.d/harbor.com

• 复制证书文件
  cp /usr/local/harbor/ssl/{ca.crt,harbor.com.cert,harbor.com.key} /etc/docker/certs.d/harbor.com

• 重启 docker
  systemctl daemon-reload && systemctl restart docker

• 验证 harbor 访问

  docker login harbor.com
  Username: admin
  Password: 
  WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
  Configure a credential helper to remove this warning. See
  https://docs.docker.com/engine/reference/commandline/login/#credentials-store
  
  Login Succeeded

三、 可能遇到的问题

• Error response from daemon: Get "https://harbor.com/v2/": x509: certificate signed by unknown authority
  一定要按照上述要求生成证书, 如果使用了错误的证书, 最好重新部署harbor, 只更新证书文件 harbor 并不会更新证书, 或者删除 harbor的数据目录

• 证书检查命令
  openssl x509 -in /etc/docker/certs.d/harbor.com/ca.crt -text -noout