Cloud native (36) | introduction and installation of harbor in kubernetes
2022-07-26 09:44:00 【Hua Weiyun】
Harbor: getting started and installation
I. Introduction
1、 Brief introduction
Harbor is an enterprise-grade Registry server for storing and distributing Docker images.
As an enterprise private Registry server, Harbor provides better performance and security, and it improves the efficiency of transferring images between build and run environments. Harbor supports replicating image resources across multiple Registry nodes, and all images are kept in the private Registry, so data and intellectual property stay under control within the company's internal network. In addition, Harbor provides advanced security features such as user management, access control and activity auditing.
- Role-based access control: users and Docker image repositories are organized through "projects"; a user can hold different permissions on images within the same namespace (project).
- Image replication: images can be replicated (synchronized) between multiple Registry instances, which is especially suitable for load balancing, high availability, hybrid-cloud and multi-cloud scenarios.
- Graphical user interface: users can browse and search the current Docker image repository and manage projects and namespaces from a browser.
- AD/LDAP support: Harbor can integrate with an existing AD/LDAP directory for authentication.
- Audit management: every operation on the image repository is traceable, for audit purposes.
- Internationalization: English, Chinese, German, Japanese and Russian localizations already exist; more languages will be added.
- RESTful API: a RESTful API gives administrators more control over Harbor and makes it easier to integrate with other management software.
- Simple deployment: online and offline installers are provided; Harbor can also be installed on the vSphere platform as a virtual appliance (OVA).
2、 Core components

- Nginx (Proxy): proxies Harbor's registry, UI, token service, etc.
- db: stores user permissions, audit logs, Docker image group information and other data.
- UI: provides the graphical interface that helps users manage the images on the registry, and authorizes users.
- jobservice: responsible for image replication; it communicates with the registry, pulls images from one registry and pushes them to another, and records the job_log.
- Adminserver: the system's configuration management center, which also checks storage consumption; the UI and jobservice load their configuration from adminserver at startup.
- Registry: the native docker image registry, responsible for storing image files.
- Log: helps monitor Harbor's operation; it collects the logs of the other components and records them in syslog.
3、 Installation
3.1、 Download the chart with helm
```bash
helm repo add harbor https://helm.goharbor.io
helm pull harbor/harbor
```
3.2、 Custom configuration
3.2.1、 TLS certificate
```bash
# generic form; the ${VAR:-default} expansions show the value used when the variable is unset
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE:-tls.key} -out ${CERT_FILE:-tls.crt} -subj "/CN=${HOST:-lanson.com}/O=${HOST:-lanson.com}"
kubectl create secret tls ${CERT_NAME:-lanson-tls} --key ${KEY_FILE:-tls.key} --cert ${CERT_FILE:-tls.crt}

## a concrete example
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=*.lanson.com/O=*.lanson.com"
kubectl create secret tls harbor.lanson.com --key tls.key --cert tls.crt -n devops
```
The original certificate was for the lanson.com domain name; now it is for the harbor.lanson.com domain name. Create a single
3.2.2、 values-overrides.yaml configuration
Old-version configuration: use your own certificate everywhere. Making your certificate compatible with Harbor's internal components is troublesome.
```yaml
expose:
  type: ingress
  tls:
    certSource: "secret"
    secret:
      secretName: "harbor.lanson.com"
      notarySecretName: "harbor.lanson.com"
  ingress:
    hosts:
      core: harbor.lanson.com
      notary: notary-harbor.lanson.com
externalURL: https://harbor.lanson.com
internalTLS:
  enabled: true
  certSource: "secret"
  core:
    secretName: "harbor.lanson.com"
  jobservice:
    secretName: "harbor.lanson.com"
  registry:
    secretName: "harbor.lanson.com"
  portal:
    secretName: "harbor.lanson.com"
  chartmuseum:
    secretName: "harbor.lanson.com"
  trivy:
    secretName: "harbor.lanson.com"
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:            # image layers
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:         # stored helm charts
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 1Gi
    database:            # PostgreSQL database
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 1Gi
    redis:
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:               # vulnerability scanning
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 5Gi
metrics:
  enabled: true
```
- New-version configuration: Harbor generates its own certificates for the internal components; only the ingress needs your own certificate.
- Create the same certificate secret in every namespace that needs it.
```yaml
expose:                  # certificate for browser (web UI) access
  type: ingress
  tls:
    certSource: "secret"
    secret:
      secretName: "harbor.lanson.com"
      notarySecretName: "harbor.lanson.com"
  ingress:
    hosts:
      core: harbor.lanson.com
      notary: notary-harbor.lanson.com
externalURL: https://harbor.lanson.com
internalTLS:             # certificates for Harbor's internal components
  enabled: true
  certSource: "auto"
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:            # image layers
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:         # stored helm charts
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 1Gi
    database:            # PostgreSQL database
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 1Gi
    redis:
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:               # vulnerability scanning
      storageClass: "rook-ceph-block"
      accessMode: ReadWriteOnce
      size: 5Gi
metrics:
  enabled: true
```
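Before running `helm install` it is worth checking the override for the settings that matter most to security: an https externalURL, TLS on the ingress with a named secret, internal TLS enabled, persistent storage that survives an uninstall, and an ingress host that matches the externalURL (Harbor hands that URL to docker clients as its token endpoint). The following checker is an added example, not code from the original post or from the Harbor chart; it works on the parsed override (a plain dict, for example the result of `yaml.safe_load()` on values-overrides.yaml) and the two sample mappings are constructed from the post's override file, with a deliberately weakened variant beside it.

```python
"""Sanity-check a Harbor helm override before `helm install`.

Added example; it is not part of the original post or of the Harbor chart.
It works on the parsed override (a plain dict such as yaml.safe_load() of
values-overrides.yaml) and reports settings a defender would reject. The two
sample mappings below are constructed from the post's override file.
"""
from urllib.parse import urlparse


def _get(values, *path, default=None):
    """Walk nested dicts along `path`; return `default` when any key is missing."""
    node = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_harbor_values(values):
    """Return a list of findings; an empty list means the override passes."""
    findings = []
    url = _get(values, "externalURL", default="") or ""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(f"externalURL {url!r} is not https; docker logins would send credentials in clear")

    if _get(values, "expose", "type") == "ingress":
        if _get(values, "expose", "tls", "enabled") is False:
            findings.append("expose.tls.enabled is false; the ingress serves plain http")
        cert_source = _get(values, "expose", "tls", "certSource")
        if cert_source not in ("secret", "auto"):
            findings.append(f"expose.tls.certSource={cert_source!r}; expected 'secret' or 'auto'")
        if cert_source == "secret" and not _get(values, "expose", "tls", "secret", "secretName"):
            findings.append("certSource is 'secret' but expose.tls.secret.secretName is empty; "
                            "create the TLS secret in the release namespace and name it here")
        core_host = _get(values, "expose", "ingress", "hosts", "core")
        if core_host and parsed.hostname and core_host != parsed.hostname:
            findings.append(f"ingress core host {core_host!r} differs from externalURL host "
                            f"{parsed.hostname!r}; the token URL given to docker clients "
                            "would point at a name the ingress does not serve")

    if _get(values, "internalTLS", "enabled") is not True:
        findings.append("internalTLS.enabled is not true; traffic between Harbor components is plaintext")

    if _get(values, "persistence", "enabled") is not True:
        findings.append("persistence.enabled is not true; images and the database are lost on pod restart")
    elif _get(values, "persistence", "resourcePolicy") != "keep":
        findings.append("persistence.resourcePolicy is not 'keep'; `helm uninstall` would delete the PVCs")
    return findings


# Constructed from the post's override: ingress with its own secret, auto internal TLS.
HARDENED = {
    "expose": {"type": "ingress",
               "tls": {"certSource": "secret",
                       "secret": {"secretName": "harbor.lanson.com",
                                  "notarySecretName": "harbor.lanson.com"}},
               "ingress": {"hosts": {"core": "harbor.lanson.com",
                                     "notary": "notary-harbor.lanson.com"}}},
    "externalURL": "https://harbor.lanson.com",
    "internalTLS": {"enabled": True, "certSource": "auto"},
    "persistence": {"enabled": True, "resourcePolicy": "keep"},
}

# Constructed weak variant: http URL, TLS switched off, no secret, ephemeral storage.
WEAK = {
    "expose": {"type": "ingress",
               "tls": {"enabled": False, "certSource": "secret", "secret": {"secretName": ""}},
               "ingress": {"hosts": {"core": "registry.lanson.com"}}},
    "externalURL": "http://harbor.lanson.com",
    "internalTLS": {"enabled": False},
    "persistence": {"enabled": False, "resourcePolicy": "delete"},
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        import yaml  # PyYAML; only needed when auditing a real override file
        with open(sys.argv[1]) as fh:
            target = yaml.safe_load(fh)
    else:
        target = WEAK
    for finding in audit_harbor_values(target) or ["no findings"]:
        print("-", finding)
```

Run it as `python audit.py values-overrides.yaml` against the real file (PyYAML required for that path only); with no argument it audits the constructed weak mapping. The checker cannot see the cluster, so the one thing it cannot confirm is that a secret with the configured name actually exists in the release namespace; that is exactly the failure the next section warns about.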
3.2.3、 Installation
```bash
# Note: the configuration file references a secret, so create it in this namespace in advance.
# The secret name must match expose.tls.secret.secretName in the override (harbor.lanson.com),
# and the certificate file must end in .crt.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=*.lanson.com/O=*.lanson.com"
kubectl create secret tls harbor.lanson.com --key tls.key --cert tls.crt -n devops
helm install itharbor ./ -f values.yaml -f values-overrides.yaml -n devops
```
3.2.4、 Uninstall
```bash
# uninstall
helm uninstall itharbor -n devops
```
II. Using docker
1、 Basic configuration
1.1、 Access over https
Because Harbor uses https, docker needs to trust its https certificate;
```bash
# copy the xx.cert file to /etc/docker/certs.d/harbor.lanson.com/tls.crt
```
For a custom domain name on the cloud, do the following:
1、 Configure the /etc/hosts file. The domain name can be mapped to the public IP, or to the IP of the node where the ingress runs.
2、 Under /etc/docker/certs.d/, create a folder named after the domain name (including the port number if it is not the default), copy the domain's cert/crt file into it, and rename the file to xxx.crt; it must not be a .cert file.
3、 Mapping to the ingress node's IP is recommended, so that the domain name resolves to the ingress node; nginx on the ingress node listens for this domain name and forwards the request to the designated service.
1.2、 Access without https
```
# modify the docker daemon configuration file (/etc/docker/daemon.json)
{"insecure-registries": ["https://test.com", "192.168.1.13", "..."]}
```
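The two client-side rules in 1.1 and 1.2 are easy to get wrong by hand: docker only loads `*.crt` files under `/etc/docker/certs.d/<host[:port]>/` as CA certificates (a `.cert` file is read as a client certificate), and every entry in `insecure-registries` makes docker skip certificate verification for that registry, which silently undoes a CA you may already have installed. The helper below is an added example, not code from the original post or from Docker; it derives the trust directory from an image reference, installs a certificate under a `.crt` name while refusing key material, and audits a daemon.json for insecure entries. `SAMPLE_PEM` and `SAMPLE_DAEMON_JSON` are constructed inputs, and `demo()` works in a temporary directory rather than `/etc`.

```python
"""Client-side trust for a private registry: where docker looks for the CA,
and which registries daemon.json tells it not to verify.

Added example; not from the original post or from Docker. It encodes the
rules the post describes: the trust directory is
/etc/docker/certs.d/<host[:port]>/ and only *.crt files there are loaded as
CA certificates (a .cert file is taken as a client certificate), while every
entry in "insecure-registries" in /etc/docker/daemon.json is contacted
without certificate verification. SAMPLE_PEM and SAMPLE_DAEMON_JSON are
constructed inputs, not real material.
"""
import json
import os
import tempfile

CERTS_ROOT = "/etc/docker/certs.d"   # docker's default; a different root is passed in tests


def registry_host(image_ref):
    """host[:port] of an image reference, or '' when it names no registry.
    Docker treats the first path component as a registry only when it contains
    a dot or a colon or is 'localhost'."""
    first = image_ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return ""


def ca_file_for(image_ref, certs_root=CERTS_ROOT):
    """Where the registry's CA certificate must live, e.g.
    /etc/docker/certs.d/harbor.lanson.com:8443/ca.crt (any *.crt name works)."""
    host = registry_host(image_ref)
    if not host:
        raise ValueError(f"{image_ref!r} has no private registry component")
    return os.path.join(certs_root, host, "ca.crt")


def install_ca(image_ref, cert_path, certs_root=CERTS_ROOT):
    """Copy a PEM certificate into the trust directory under a .crt name.
    Refuses input that is not a certificate or that also carries a private key:
    only the public certificate belongs in certs.d."""
    with open(cert_path, "rb") as fh:
        pem = fh.read()
    if b"-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError(f"{cert_path}: not a PEM certificate")
    if b"PRIVATE KEY-----" in pem:
        raise ValueError(f"{cert_path}: contains a private key; copy only the certificate")
    dest = ca_file_for(image_ref, certs_root)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(pem)
    return dest


def insecure_registries(daemon_json_text):
    """Registries listed in daemon.json that docker contacts without verifying TLS.
    A scheme prefix is stripped so entries compare with certs.d directory names."""
    cfg = json.loads(daemon_json_text)
    return [e.split("://", 1)[-1].rstrip("/") for e in cfg.get("insecure-registries", [])]


def audit_daemon_json(daemon_json_text, certs_root=CERTS_ROOT):
    """One finding per insecure registry; points out when a CA is already installed,
    because the insecure flag then silently disables the check that CA provides."""
    findings = []
    for host in insecure_registries(daemon_json_text):
        ca_dir = os.path.join(certs_root, host)
        if os.path.isdir(ca_dir):
            findings.append(f"{host}: listed as insecure although {ca_dir} holds its CA; remove the entry")
        else:
            findings.append(f"{host}: TLS not verified; install its CA under {ca_dir}/ instead")
    return findings


# Constructed sample material, not a real certificate or a real daemon.json.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"MIIBconstructedPlaceholderNotARealCertificate==\n"
              b"-----END CERTIFICATE-----\n")
SAMPLE_DAEMON_JSON = '{"insecure-registries": ["https://test.com", "192.168.1.13"]}'


def demo():
    """Run the flow in a temporary certs root (never touching /etc) and return
    (path written relative to that root, daemon.json findings)."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "tls.cert")   # the extension the post says docker will not load as a CA
    with open(src, "wb") as fh:
        fh.write(SAMPLE_PEM)
    dest = install_ca("harbor.lanson.com/harbor-hub/library/busybox:latest", src, root)
    return os.path.relpath(dest, root), audit_daemon_json(SAMPLE_DAEMON_JSON, root)


if __name__ == "__main__":
    rel, findings = demo()
    print("installed", rel)
    for finding in findings:
        print("-", finding)
```

On a real host, call `install_ca("harbor.lanson.com/harbor-hub/library/busybox:latest", "tls.cert")` with the default root to land the file in `/etc/docker/certs.d/harbor.lanson.com/ca.crt` (no daemon restart is needed for certs.d), and pass the contents of `/etc/docker/daemon.json` to `audit_daemon_json` to see which registries are being contacted unverified.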
2、 Image proxy

```bash
# Pull an official docker image through Harbor and cache it.
# Form: harbor.lanson.com/<your project name>/library/<image name>:<tag>
docker pull harbor.lanson.com/harbor-hub/library/busybox:latest
# Third-party image: use the third party's full name, harbor.lanson.com/objs/<third party>
docker pull harbor.lanson.com/objs/redislabs/redis
```