Harbor 2.1.2 安装部署

环境

首先需要准备好 Docker + Docker-Compose 环境,Docker 在 CentOS 7.x 的安装教程请参考 这篇文章,后续文章假设你已经安装好了上述环境。

安装

标准安装

首先从 Harbor 的官方 GitHub Relase 下载最新的安装包,Harbor 本身的运行也是依赖于 Docker Compose ,整个压缩包本质上就是一系列离线镜像,执行安装脚本就是执行 docker load 命令将需要的镜像直接加载。

  1. 下载安装包,请访问 https://github.com/goharbor/harbor/releases/tag/v2.1.2 下载 tgz 压缩包。

  2. 将文件移动到安装文件夹,这里我建立了一个 /opt/harbor 文件夹。

  3. 运行 tar -xvf harbor-offline-installer-v1.10.1.tgz 解压文件包。

  4. 移动到解压完成的文件夹,编辑对应的 harbor.yml 文件,设置域名、SSL 证书等信息。

    注意⚠️:

    这一步的证书文件必须是全链证书(fullchain),否则后续 docker login 的时候会提示 X509 错误。

  5. 执行 ./install.sh --with-clair 开始安装 Harbor。

完成上述步骤以后 Harbor 就安装成功了。

不使用内置 NGINX

在我们的环境当中,NGINX 容器是单独存在的,并且使用的是 docker nework create 创建的外部网络。这个时候就不能够使用 Harbor 安装脚本内提供的 NGINX,需要变更 Harbor 的 Docker Compose 文件。

  1. 执行 docker-compose down 命令,停止所有 Harbor 容器。

  2. 编辑 Harbor 的 docker-compose.yml 文件,引入外部网络,这里我以 internal-network 为例,下面是变更好的 YAML 文件。

    version: '2.3'
    services:
      log:
        image: goharbor/harbor-log:v2.1.2
        container_name: harbor-log
        restart: always
        dns_search: .
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - DAC_OVERRIDE
          - SETGID
          - SETUID
        volumes:
          - /var/log/harbor/:/var/log/docker/:z
          - type: bind
            source: ./common/config/log/logrotate.conf
            target: /etc/logrotate.d/logrotate.conf
          - type: bind
            source: ./common/config/log/rsyslog_docker.conf
            target: /etc/rsyslog.d/rsyslog_docker.conf
        ports:
          - 127.0.0.1:1514:10514
        networks:
          - harbor
          - internal-network
      registry:
        image: goharbor/registry-photon:v2.1.2
        container_name: registry
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/registry:/storage:z
          - ./common/config/registry/:/etc/registry/:z
          - type: bind
            source: /data/secret/registry/root.crt
            target: /etc/registry/root.crt
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "registry"
      registryctl:
        image: goharbor/harbor-registryctl:v2.1.2
        container_name: registryctl
        env_file:
          - ./common/config/registryctl/env
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/registry:/storage:z
          - ./common/config/registry/:/etc/registry/:z
          - type: bind
            source: ./common/config/registryctl/config.yml
            target: /etc/registryctl/config.yml
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "registryctl"
      postgresql:
        image: goharbor/harbor-db:v2.1.2
        container_name: harbor-db
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - DAC_OVERRIDE
          - SETGID
          - SETUID
        volumes:
          - /data/database:/var/lib/postgresql/data:z
        networks:
          harbor:
        dns_search: .
        env_file:
          - ./common/config/db/env
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "postgresql"
      core:
        image: goharbor/harbor-core:v2.1.2
        container_name: harbor-core
        env_file:
          - ./common/config/core/env
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - SETGID
          - SETUID
        volumes:
          - /data/ca_download/:/etc/core/ca/:z
          - /data/:/data/:z
          - ./common/config/core/certificates/:/etc/core/certificates/:z
          - type: bind
            source: ./common/config/core/app.conf
            target: /etc/core/app.conf
          - type: bind
            source: /data/secret/core/private_key.pem
            target: /etc/core/private_key.pem
          - type: bind
            source: /data/secret/keys/secretkey
            target: /etc/core/key
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
          - registry
          - redis
          - postgresql
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "core"
      portal:
        image: goharbor/harbor-portal:v2.1.2
        container_name: harbor-portal
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
          - NET_BIND_SERVICE
        volumes:
          - type: bind
            source: ./common/config/portal/nginx.conf
            target: /etc/nginx/nginx.conf
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "portal"
    
      jobservice:
        image: goharbor/harbor-jobservice:v2.1.2
        container_name: harbor-jobservice
        env_file:
          - ./common/config/jobservice/env
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/job_logs:/var/log/jobs:z
          - type: bind
            source: ./common/config/jobservice/config.yml
            target: /etc/jobservice/config.yml
          - type: bind
            source: ./common/config/shared/trust-certificates
            target: /harbor_cust_cert
        networks:
          - harbor
          - internal-network
        dns_search: .
        depends_on:
          - core
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "jobservice"
      redis:
        image: goharbor/redis-photon:v2.1.2
        container_name: redis
        restart: always
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - /data/redis:/var/lib/redis
        networks:
          harbor:
        dns_search: .
        depends_on:
          - log
        logging:
          driver: "syslog"
          options:
            syslog-address: "tcp://127.0.0.1:1514"
            tag: "redis"
    
    networks:
      harbor:
        external: false
      internal-network:
        external: true
    
  3. 在独立的 NGINX 中创建对应的配置文件,在上一步的 YAML 文件内部,我为每个容器指定了 container_name,确保容器名字唯一不会因为外部原因而变动。这个配置文件我是从之前 Harbor 内部的 NGINX 拷贝出来的,直接拿去改吧改吧就能用。

    server{
        listen 80;
        server_name 你的域名;
        return 301 https://你的域名$request_uri;
    }
    
    server{
        listen 443 ssl;
        server_name 你的域名;
    
        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;
    
        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;
    
        # Add extra headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header Content-Security-Policy "frame-ancestors 'none'";
    
        ssl_certificate   /etc/nginx/ssl/你的域名/full.pem;      # SSL 证书文件的存放路径
        ssl_certificate_key  /etc/nginx/ssl/你的域名/key.pem;   # SSL 密钥文件的存放路径
    
        ssl_protocols TLSv1.2;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
    
        location / {
          proxy_pass http://harbor-portal:8080/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; HttpOnly; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /c/ {
          proxy_pass http://harbor-core:8080/c/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /api/ {
          proxy_pass http://harbor-core:8080/api/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /chartrepo/ {
          proxy_pass http://harbor-core:8080/chartrepo/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /v1/ {
          return 404;
        }
    
        location /v2/ {
          proxy_pass http://harbor-core:8080/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
          proxy_send_timeout 900;
          proxy_read_timeout 900;
        }
    
        location /service/ {
          proxy_pass http://harbor-core:8080/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
    
          proxy_cookie_path / "/; Secure";
    
          proxy_buffering off;
          proxy_request_buffering off;
        }
    
        location /service/notifications {
          return 404;
        }
    }
    

这里我使用的是 acme.sh 申请的泛解析 SSL 证书。

效果

posted @ 2021-01-04 14:20  MyZony  阅读(3217)  评论(0编辑  收藏  举报