环境依赖:
docker-ce
docker-compose
这些部分的安装这里就不再赘述
# 创建证书和私钥
mkdir /opt/harbor/ssl -p
# 生成CA证书私钥 ca.key
openssl genrsa -out ca.key 4096
# 根据上面生成的CA证书私钥,再来生成CA证书 ca.crt
openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \ -key ca.key \ -out ca.crt
设置 -subj 选项中的值来反映的组织,例如:省份、地市、域名等等信息。如果使用FQDN 【 「(Fully Qualified Domain Name)全限定域名:同时带有主机名和域名的名称。」】连接Harbor主机,则必须将其指定为通用名称(CN)属性,可以看到示例写的是yourdomain.com。
openssl req -x509 -new -nodes -sha512 -days 3650 \ -subj "/C=CN/ST=Beijing/L=Beijing/O=harbortrivy/OU=harbortrivy/CN=harbortrivy.com" \ -key ca.key \ -out ca.crt
# 根据ca.key密钥生成 ca.crt证书。
# 参数说明:
-new 指生成证书请求-x509 表示直接输出证书-key 指定私钥文件-days 指定证书过期时间为3650天-out 导出结束后证书文件-subj 输入证书拥有者信息
# 生成服务器证书
# 生成私钥 yourdomain.com.key
openssl genrsa -out harbortrivy.com.key 4096
# 生成证书签名请求(CSR)yourdomain.com.csr
openssl req -sha512 -new \ -subj "/C=CN/ST=Beijing/L=Beijing/O=harbortrivy/OU=harbortrivy/CN=harbortrivy.com" \ -key harbortrivy.com.key \ -out harbortrivy.com.csr
# 生成一个x509 v3扩展文件
cat > v3.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbortrivy.com
DNS.2=harbortrivy
EOF
# 使用该v3.ext文件为您的Harbor主机生成证书 yourdomain.com.crt
openssl x509 -req -sha512 -days 3650 \ -extfile v3.ext \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in yourdomain.com.csr \ -out yourdomain.com.crt
openssl x509 -req -sha512 -days 3650 \ -extfile v3.ext \ -CA ca.crt -CAkey ca.key -CAcreateserial \ -in harbortrivy.com.csr \ -out harbortrivy.com.crt
下载harbor离线包:
官方网站:https://github.com/goharbor/harbor/releases
版本2.3以上
tar -zxvf harbor-offline-installer-v2.5.3.tgz
# 拷贝配置模板修改
cp harbor.yml.tmpl harbor.yml
hostname: harbortrivy.com
certificate: /opt/harbor/ssl/harbortrivy.com.crt
private_key: /opt/harbor/ssl/harbortrivy.com.key
harbor_admin_password: harbortrivy
# 安装 指定trivy,notary等参数
./install.sh --with-notary --with-trivy --with-chartmuseum
安装成功后,https登录,admin/harbortrivy
# docker客户端配置
mkdir -p /etc/docker/certs.d/harbortrivy.com
将证书harbortrivy.com.crt 放到此目录
转换证书:
openssl x509 -inform PEM -in harbortrivy.com.crt -out harbortrivy.com.cert
cat /etc/hosts
192.168.47.131 harbortrivy.com
# 登陆
docker login --username=admin harbortrivy.com
# 测试
docker pull ghcr.io/christophetd/log4shell-vulnerable-app:latest
docker tag ghcr.io/christophetd/log4shell-vulnerable-app:latest harbortrivy.com/library/log4shell-vulnerable-app:latest
docker push harbortrivy.com/library/log4shell-vulnerable-app:latest
参考资料:
Harbor .v1.10.2 私有镜像仓库的自签CA证书、安装使用【超详细官方文档翻译说明】_11229407的技术博客_51CTO博客