Kubernetes/Docker/Compose/Docs/Docker-compse部署Harbor.md
2024-08-07 18:54:39 +08:00

> Author: 丁辉
# Deploying Harbor with Docker Compose
[Official site](https://goharbor.io/) [Package downloads](https://github.com/goharbor/harbor/releases)
> Offline installer: harbor-offline-installer-v*.tgz
>
> Online installer: harbor-online-installer-v*.tgz
## Install Docker Compose
- CentOS
```bash
yum install docker-compose -y
```
- Ubuntu
```bash
apt install docker-compose -y
```
## Installation
1. Download the package
> This article uses the current latest version, v2.8.3, as the example
```bash
wget https://ghproxy.com/https://github.com/goharbor/harbor/releases/download/v2.8.3/harbor-offline-installer-v2.8.3.tgz
```
2. Extract the archive
```bash
tar -zxvf harbor-offline-installer-v*.tgz && cd harbor && cp harbor.yml.tmpl harbor.yml
```
3. Edit the harbor.yml file
> Configure access by TCP/IP (plain HTTP)
```bash
vi harbor.yml
```
Change the following content
```yml
hostname: harbor.store.com
http:
  port: 9000
# HTTPS (domain-certificate) access is commented out
#https:
#  port: 443
#  certificate: /your/certificate/path
#  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
data_volume: /data
```
4. Initialise the configuration
```bash
./prepare
```
5. Start Harbor
```bash
./install.sh
```
6. After installation, update the Docker configuration to allow the private registry
Edit the Docker configuration file
```bash
vi /etc/docker/daemon.json
```
Add the following content
```json
{
"insecure-registries": ["1.1.1.1:9000"]
}
```
7. Reload Docker
```bash
systemctl reload docker
```
8. Test the login
```bash
docker login 1.1.1.1:9000 -uadmin -pHarbor12345
```
## Configure an external database
Edit the harbor.yml file and change the following content
```yml
external_database:
  harbor:
    host: harbor_db_host
    port: harbor_db_port
    db_name: harbor_db_name
    username: harbor_db_username
    password: harbor_db_password
    ssl_mode: disable
    max_idle_conns: 2
    max_open_conns: 0
  notary_signer:
    host: notary_signer_db_host
    port: notary_signer_db_port
    db_name: notary_signer_db_name
    username: notary_signer_db_username
    password: notary_signer_db_password
    ssl_mode: disable
  notary_server:
    host: notary_server_db_host
    port: notary_server_db_port
    db_name: notary_server_db_name
    username: notary_server_db_username
    password: notary_server_db_password
    ssl_mode: disable
external_redis:
  host: redis:6379
  password:
  registry_db_index: 1
  jobservice_db_index: 2
  trivy_db_index: 5
  idle_timeout_seconds: 30
```
## Image vulnerability scanning with Trivy
1. Edit the harbor.yml file and change the following content
```yml
trivy:
  ignore_unfixed: false
  skip_update: true   # skip the database update
  offline_scan: true  # scan offline
  security_check: vuln
  insecure: false
```
2. When starting Harbor, add the Trivy start-up flag
```bash
./install.sh --with-trivy
```
## Importing the Trivy vulnerability database in an offline environment
Create the persistent directory (if Harbor is already running, stop it before replacing the directory contents)
```bash
mkdir -p /data/trivy-adapter/trivy/db/
```
### Method 1
[oras download page](https://github.com/oras-project/oras/releases)
1. Download the tool
```bash
wget https://ghproxy.com/https://github.com/oras-project/oras/releases/download/v1.0.1/oras_1.0.1_linux_amd64.tar.gz
```
2. Extract the archive
```bash
tar -zxvf oras_*_linux_amd64.tar.gz && mv oras-install/oras /usr/local/bin/
```
3. Pull the database
```bash
oras pull ghcr.io/aquasecurity/trivy-db:2
```
4. Extract the data into the target directory
```bash
tar -xzvf db.tar.gz -C /data/trivy-adapter/trivy/db/
```
### Method 2
> Set up Harbor on an internet-connected host, push Nginx and Tomcat images and scan them, then collect the resulting data directories java-db and db
1. Pack the database directory on the online host
```bash
cd /data/trivy-adapter/
tar -zcvf trivy-db-offline.tar.gz trivy
```
2. In the offline environment, extract the data into the target directory
```bash
# The archive already contains the top-level trivy/ directory (with db/ and java-db/),
# so it is extracted into /data/trivy-adapter/, not into trivy/db/
tar -xzvf trivy-db-offline.tar.gz -C /data/trivy-adapter/
```
3. Set directory ownership
```bash
# covers both trivy/db and trivy/java-db
chown -R 10000:10000 /data/trivy-adapter/trivy/
```
4. Restart Harbor to finish
## Configuring Harbor for HTTPS with a privately issued certificate
### Method 1 (cfssl)
1. First edit the harbor.yml file to configure the certificate
```yml
hostname: harbor.store.com
http:
  port: 80
https:
  port: 443
  certificate: /data/ssl/harbor/harbor.pem
  private_key: /data/ssl/harbor/harbor-key.pem
harbor_admin_password: Harbor12345
data_volume: /data
```
2. Download the certificate tooling
[cfssl download page](https://github.com/cloudflare/cfssl/releases/)
```bash
wget https://ghproxy.com/https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64 \
  -O /usr/local/bin/cfssl
wget https://ghproxy.com/https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64 \
  -O /usr/local/bin/cfssljson
wget https://ghproxy.com/https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl-certinfo_1.6.3_linux_amd64 \
  -O /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*
```
3. Generate the CA configuration file
```bash
#cfssl print-defaults config > ca-config.json
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "harbor": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
```
> `default.expiry`: default certificate validity; the unit is hours (h)
> `profiles.harbor`: the configuration module used when issuing certificates for the service with this config file
> `signing`: the certificate may be used to sign other certificates; the generated ca.pem has CA=TRUE
> `key encipherment`: key encipherment
> `profiles`: configuration for different roles; several profiles can be defined, each with its own expiry, usage scenario and other parameters, and one of them is selected when signing a certificate
> `server auth`: server authentication; a client can use this CA to verify the certificate presented by the server
> `client auth`: client authentication; a server can use this CA to verify the certificate presented by the client
4. Generate and edit the default CSR request file
```bash
#cfssl print-defaults csr > ca-csr.json
cat > ca-csr.json <<EOF
{
  "CN": "harbor",
  "hosts": [
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing"
    }
  ]
}
EOF
```
> `hosts`: the authorised scope; a node or service outside this range that uses the certificate gets a certificate-mismatch error, and if the certificate omits it, connections may fail (this is the CA here, so it can be empty)
> `key`: the algorithm to use, normally RSA asymmetric encryption: algo: rsa, size: 2048
> `CN` (Common Name): kube-apiserver extracts this field from the certificate as the requesting user name (User Name); browsers use it to check whether a site is legitimate
> `CN` is the domain name, i.e. write whatever domain you are actually using
> `O` (Organization): extracted from the certificate as the group (Group) the requesting user belongs to
5. Initialise the CA
```bash
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```
> You can see that three new files were generated in the current directory: `ca.csr`, `ca-key.pem` and `ca.pem`. ca-key.pem and ca.pem are the CA's key and certificate; this CA is used to sign the server certificate.
6. Create and edit the Harbor certificate request file
```bash
#cfssl print-defaults csr > harbor-csr.json
cat > harbor-csr.json <<EOF
{
  "CN": "1.1.1.1",
  "hosts": [
    "127.0.0.1",
    "1.1.1.1"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing"
    }
  ]
}
EOF
```
7. Issue the certificate from the request file using the CA configuration
```bash
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=harbor harbor-csr.json | cfssljson -bare harbor
```
8. Copy the certificate into the target directory
```bash
cp harbor.pem harbor-key.pem /data/ssl/harbor/
```
> `-config`: the CA's configuration file
> `-profile`: which module of the CA configuration file to use; here `harbor` corresponds to the harbor profile in the config
> `harbor.pem`: the Harbor service's certificate
> `harbor-key.pem`: the Harbor service's private key
### Method 2 (openssl)
1. First edit the harbor.yml file to configure the certificate
```yml
hostname: harbor.store.com
http:
  port: 80
https:
  port: 443
  certificate: /data/ssl/harbor/harbor.crt
  private_key: /data/ssl/harbor/harbor-key.key
harbor_admin_password: Harbor12345
data_volume: /data
```
2. Create ca.key
```bash
openssl genrsa -out ca.key 4096
```
3. Create ca.crt
```bash
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key ca.key -out ca.crt
```
4. Create harbor.key
```bash
openssl genrsa -out harbor.key 4096
```
5. Create harbor.csr
```bash
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbor.com" -key harbor.key -out harbor.csr
```
6. Create the x509 v3 extension file
```bash
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.com
EOF
```
7. Use the v3.ext file to issue the certificate for the Harbor server
```bash
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.csr -out harbor.crt
```
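The steps of Method 2 leave it to the reader to confirm that the result is something a Docker client will actually accept. The script below is an added example (not part of the original article): it re-runs the same openssl steps in a scratch directory and then checks the chain, the SAN and the CA:FALSE constraint for a given hostname; the same `verify_harbor_cert` check also applies to a certificate produced with cfssl in Method 1. It assumes openssl 1.1.1 or newer (for `-verify_hostname` and `-ext`); the subject fields and the `example-ca` name are constructed values.

```shell
#!/bin/sh
# Added example, not the article's own code. Assumes openssl 1.1.1+.
set -eu

# Issue a CA plus a Harbor server certificate for hostname $2 inside directory $1
# (runs in a subshell so the cd does not leak into the caller).
issue_harbor_cert() (
  dir=$1; host=$2
  mkdir -p "$dir" && cd "$dir"
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=example-ca" \
    -key ca.key -out ca.crt
  openssl genrsa -out harbor.key 2048 2>/dev/null
  openssl req -sha512 -new -subj "/C=CN/O=example/CN=$host" \
    -key harbor.key -out harbor.csr
  # Same v3.ext as the article, with the SAN taken from $host (constructed).
  cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key \
    -CAcreateserial -in harbor.csr -out harbor.crt 2>/dev/null
)

# Verify $1/harbor.crt for hostname $2; returns 0 only if every check passes.
verify_harbor_cert() {
  dir=$1; host=$2
  # Chain and hostname check: Docker/Go clients match SAN entries, not the CN alone.
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/harbor.crt" \
    >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/harbor.crt" -noout -ext subjectAltName \
    | grep -q "DNS:$host" || return 1
  openssl x509 -in "$dir/harbor.crt" -noout -ext basicConstraints \
    | grep -q "CA:FALSE" || return 1
}

# Demo: issue into a temp dir, then check the name Harbor is served on and a wrong name.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  issue_harbor_cert "$d" harbor.com
  verify_harbor_cert "$d" harbor.com && echo "harbor.com: certificate OK"
  verify_harbor_cert "$d" other.example || echo "other.example: rejected as expected"
fi
```

Run it as `sh check-harbor-cert.sh demo`; the hostname passed to `verify_harbor_cert` must be the `hostname` value from harbor.yml, since a certificate whose SAN names harbor.com will be rejected for harbor.store.com.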
### Configure Docker to verify the certificate
1. Create the directory
```bash
mkdir -p /etc/docker/certs.d/harbor.com
```
2. Convert the .crt file to a .cert file
```bash
openssl x509 -inform PEM -in harbor.crt -out harbor.cert
```
3. Place the cert and key files in the corresponding directory
```bash
cp harbor.cert harbor.key ca.crt /etc/docker/certs.d/harbor.com/
```
4. Restart Docker
```bash
systemctl restart docker
```