kubernetes 案例:基于 Helm 部署 Harbor

 

 

kubernetes 案例:基于 Helm 部署 Harbor

 

https://goharbor.cn/docs/2.13.0/install-config/harbor-ha-helm/
https://artifacthub.io/packages/helm/harbor/harbor

实现流程
使用helm将harbor部署到kubernetes集群
使用ingress发布到集群外部
使用 PVC 持久存储

 

范例:默认安装

#安装前准备
#ingress controller 基于nginx实现
#metallb
#SC名称为sc-nfs,并设为默认的SC

 

[root@master1 ~]# kubectl get sc
NAME               PROVISIONER                                   RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
sc-nfs (default)   k8s-sigs.io/nfs-subdir-external-provisioner   Delete          Immediate           false                  6d7h

 

[root@master1 ~]# kubectl get ingressclasses.networking.k8s.io  
NAME    CONTROLLER             PARAMETERS   AGE
nginx   k8s.io/ingress-nginx   <none>       4d19h

 

#添加仓库配置

helm repo add harbor https://helm.goharbor.io

helm repo list

#在repo中搜索

helm search repo harbor

#下载Chart,查看内容

helm pull harbor/harbor

[root@master1 helm]# ls -l harbor-1.19.1.tgz  
-rw-r--r-- 1 root root 54222 May 30 22:51 harbor-1.19.1.tgz

 

tar tf harbor-1.19.1.tgz 

#使用默认安装,第一个harbor表示repo仓库名,第二个harbor表示chart名,此方式如果没有配置默认的SC,会因为缺少持久化存储配置导致pending

helm install myharbor harbor/harbor

#修改ingressClass

kubectl edit ingress myharbor-ingress 

spec: #添加下面一行
 ingressClassName: nginx

 

[root@master1 helm]# kubectl get ingress    
NAME               CLASS   HOSTS                ADDRESS        PORTS     AGE
myharbor-ingress   nginx   core.harbor.domain   192.168.3.10   80, 443   94s

 

#域名解析core.harbor.domain --> 192.168.3.10

 

#默认的管理员用户名/密码为 admin/Harbor12345;这是公开的默认口令,首次登录后应立即修改,或在安装时通过 harborAdminPassword 指定强口令
#浏览器访问默认域名

https://core.harbor.domain/

 

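#卸载(helm uninstall 不会清理该 release 的 PVC/PV:后文 kubectl get pv 的输出中仍能看到 default 名称空间下 myharbor 的卷处于 Bound 状态,其中保留着仓库和数据库数据;确认不再需要后需手动删除对应 PVC)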

helm uninstall myharbor

 

范例:定制安装

#安装前准备
#ingress controller 基于nginx实现
#metallb
#SC名称为sc-nfs

 

#定制配置
#生成配置文件

helm show values harbor/harbor > harbor-values.yaml

#修改配置文件

vim harbor-values.yaml

 

expose:
 type: ingress
 tls:
   enabled: true  
   certSource: auto
 ingress:
   hosts:
     core: harbor.ming.org     #指定harbor访问的域名
     notary: notary.org   #公证人(Notary),用于 Docker 镜像的签名和验证:开发者发布镜像后使用 Notary 签名并发布签名信息,运维团队拉取镜像时用 Notary 验证签名,确保镜像没有被篡改。注意:Notary 已在 Harbor v2.9 中移除,新版 chart 中此项可能已不存在
   controller: default
   className: "nginx"                      #新版用法,添加此行,指定ingress
   annotations: 
     kubernetes.io/ingress.class: "nginx"  #添加此行,指定ingress,旧版使用
ipFamily:
 ipv4:
   enabled: true
 ipv6:
   enabled: false
externalURL: https://harbor.ming.org   #指定harbor访问的域名,和前面域名要一致
# 持久化存储配置部分,如果设置storageclass是默认值,下面可不修改
persistence:
 enabled: true 
 resourcePolicy: "keep"
 persistentVolumeClaim:                # 定义Harbor各个组件的PVC持久卷
   registry:                           # registry组件(持久卷)
     storageClass: "sc-nfs"            # 前面创建的StorageClass,其它组件同样配置,如果设置默认storageClass,可以不用配置
     accessMode: ReadWriteMany         # 卷的访问模式,需要修改为ReadWriteMany
     size: 5Gi
   chartmuseum:                        # chartmuseum组件(持久卷)
     storageClass: "sc-nfs"
     accessMode: ReadWriteMany
     size: 5Gi
   jobservice:
     jobLog:
       storageClass: "sc-nfs"         #如果设置默认storageClass,可以不用配置
       accessMode: ReadWriteOnce
       size: 1Gi
     scanDataExports:
       storageClass: "sc-nfs"
       accessMode: ReadWriteOnce
       size: 1Gi
   database:                            # PostgreSQL数据库组件
     storageClass: "sc-nfs"             #如果设置默认storageClass,可以不用配置
     accessMode: ReadWriteMany
     size: 2Gi
   redis:    # Redis缓存组件
     storageClass: "sc-nfs"           #如果设置默认storageClass,可以不用配置
     accessMode: ReadWriteMany
     size: 2Gi
   trivy:         # Trivy漏洞扫描
     storageClass: "sc-nfs"           #如果设置默认storageClass,可以不用配置
     accessMode: ReadWriteMany
     size: 1Gi
harborAdminPassword: "123456"   #演示用弱口令,实际环境请改为强口令;也可用 existingSecretAdminPassword 引用已有 Secret,避免口令明文写入 values 文件

 

#创建名称空间(可选)

kubectl create namespace harbor

 

#安装Harbor,指定release为myharbor,可以自动创建namespace

helm install myharbor -f harbor-values.yaml harbor/harbor -n harbor --create-namespace
#查看

helm list -n harbor

 

[root@master1 helm]# kubectl get svc -n harbor
NAME                  TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
myharbor-core         ClusterIP   10.101.229.163   <none>        80/TCP              3m2s
myharbor-database     ClusterIP   10.110.223.99    <none>        5432/TCP            3m2s
myharbor-jobservice   ClusterIP   10.99.18.34      <none>        80/TCP              3m2s
myharbor-portal       ClusterIP   10.98.188.235    <none>        80/TCP              3m2s
myharbor-redis        ClusterIP   10.98.78.247     <none>        6379/TCP            3m2s
myharbor-registry     ClusterIP   10.111.62.135    <none>        5000/TCP,8080/TCP   3m2s
myharbor-trivy        ClusterIP   10.98.6.183      <none>        8080/TCP            3m2s

 

[root@master1 helm]# kubectl get ingress   -n harbor                             
NAME               CLASS   HOSTS             ADDRESS        PORTS     AGE
myharbor-ingress   nginx   harbor.ming.org   192.168.3.10   80, 443   5m2s

 

[root@master1 helm]# kubectl get pod -n harbor -o wide                           
NAME                                   READY   STATUS    RESTARTS         AGE    IP             NODE        NOMINATED NODE   READINESS GATES
myharbor-core-5d7949f87-ldp95          1/1     Running   11 (8m37s ago)   48m    10.244.2.100   node2.org   <none>           <none>
myharbor-core-749dbf66c4-bmmj5         0/1     Running   0                4s     10.244.2.103   node2.org   <none>           <none>
myharbor-database-0                    1/1     Running   0                6m7s   10.244.2.102   node2.org   <none>           <none>
myharbor-jobservice-7cd9fc494d-z69w9   1/1     Running   3 (2m55s ago)    21m    10.244.1.110   node1.org   <none>           <none>
myharbor-portal-7d66b7896d-gqdmg       1/1     Running   0                48m    10.244.2.99    node2.org   <none>           <none>
myharbor-redis-0                       1/1     Running   0                76m    10.244.1.107   node1.org   <none>           <none>
myharbor-registry-746f87566c-fnr52     2/2     Running   0                48m    10.244.1.109   node1.org   <none>           <none>
myharbor-trivy-0                       1/1     Running   0                76m    10.244.1.106   node1.org   <none>           <none>

 

[root@master1 helm]# kubectl get pvc -n harbor 
NAME                                STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
data-myharbor-redis-0               Bound    pvc-a27b7cb0-7573-434c-aef6-f0854a9be208   1Gi        RWO            sc-nfs         <unset>                 77m
data-myharbor-trivy-0               Bound    pvc-724b3ecf-af2f-4d77-b1ef-311fe5c16df3   5Gi        RWO            sc-nfs         <unset>                 77m
database-data-myharbor-database-0   Bound    pvc-bbf96c51-1c43-46b8-b14b-e2f956672d19   1Gi        RWO            sc-nfs         <unset>                 77m
myharbor-jobservice                 Bound    pvc-e8c92c54-393d-4239-bbaa-0ace5e34e530   1Gi        RWO            sc-nfs         <unset>                 77m
myharbor-registry                   Bound    pvc-7c9331a0-bb5b-4cf1-911d-367d609fb42d   5Gi        RWO            sc-nfs         <unset>                 77m

 

[root@master1 helm]# kubectl get pv -n harbor 
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                                       STORAGECLASS   VOLUMEATTRIBUTESCLASS   REASON   AGE
pvc-293c769e-5435-4eab-ac98-82ed4a481378   5Gi        RWO            Delete           Bound    default/myharbor-registry                   sc-nfs         <unset>                          95m
pvc-2bb036fa-e565-4347-ab16-f56f61e90424   1Gi        RWO            Delete           Bound    default/database-data-myharbor-database-0   sc-nfs         <unset>                          95m
pvc-2e6411c2-39fd-4b31-a42c-074f28db0782   1Gi        RWO            Delete           Bound    default/myharbor-jobservice                 sc-nfs         <unset>                          95m
pvc-43a9bdcf-d837-4d0f-ac04-830dc0988136   5Gi        RWO            Delete           Bound    default/data-myharbor-trivy-0               sc-nfs         <unset>                          95m
pvc-724b3ecf-af2f-4d77-b1ef-311fe5c16df3   5Gi        RWO            Delete           Bound    harbor/data-myharbor-trivy-0                sc-nfs         <unset>                          77m
pvc-7c9331a0-bb5b-4cf1-911d-367d609fb42d   5Gi        RWO            Delete           Bound    harbor/myharbor-registry                    sc-nfs         <unset>                          77m
pvc-9a264bad-82c1-41fe-aa8a-a30b31e599b9   1Gi        RWO            Delete           Bound    default/data-myharbor-redis-0               sc-nfs         <unset>                          95m
pvc-a27b7cb0-7573-434c-aef6-f0854a9be208   1Gi        RWO            Delete           Bound    harbor/data-myharbor-redis-0                sc-nfs         <unset>                          77m
pvc-bbf96c51-1c43-46b8-b14b-e2f956672d19   1Gi        RWO            Delete           Bound    harbor/database-data-myharbor-database-0    sc-nfs         <unset>                          77m
pvc-e8c92c54-393d-4239-bbaa-0ace5e34e530   1Gi        RWO            Delete           Bound    harbor/myharbor-jobservice                  sc-nfs         <unset>                          77m

 

 

 

 

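#使用用户名密码:admin/123456登录验证(123456 即 harbor-values.yaml 中 harborAdminPassword 设置的值,仅用于演示)
#如果不改密码:默认是Harbor12345
#域名解析将harbor.ming.org--》IP
#浏览器访问(expose.tls.certSource 为 auto 时证书由 chart 自动生成,属于自签名证书,浏览器会提示证书不受信任;docker/containerd 等客户端需要先信任该 CA 才能正常 push/pull):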
http://harbor.ming.org

 

d75ab5044c8eb81d5caacad5c4491619

 

c4d689ac81d17f90dd428489d2200d78

 

 

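#删除(values 中 persistence.resourcePolicy 为 "keep",删除 release 后 PVC 及其中的镜像、数据库数据仍会保留;确认不再需要后需手动删除 harbor 名称空间下的 PVC)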

helm delete myharbor -n harbor

 

 

 

 
