Installing the Harbor registry on Kubernetes with a Helm chart and verifying access
Harbor basic introduction
Harbor is an open source, enterprise-level Docker and OCI (Open Container Initiative) image registry for storing, distributing, and managing container images. It provides a safe and reliable way to manage and share container images, and is suitable for building and deploying containerized application environments.
Harbor is currently the first choice for an enterprise-level image registry.
The main features and functions of the Harbor image registry:
- Image storage and management: Harbor allows users to upload Docker and OCI images to the registry for storage and management. It provides version control, tag management, and metadata storage for easy browsing, searching, and filtering of images.
- Security and access control: Harbor has powerful security and access control functions. It supports user authentication and authorization, and can restrict user access to and operations on images through roles and permissions. In addition, Harbor also provides security functions such as vulnerability scanning and static code analysis to help users discover and fix security vulnerabilities in container images in a timely manner.
- Registry replication and synchronization: Harbor supports registry replication and synchronization, which can copy images from one Harbor instance to another instance, or synchronize with other Docker registries. This enables users to share and deploy container images across multiple environments, improving the availability and reliability of images.
- Enterprise-level features: As an enterprise-level image registry, Harbor provides many features to meet enterprise needs. It supports LDAP/AD integration and can be integrated with existing user authentication systems. In addition, Harbor also provides functions such as audit logs, reports, and statistical information to help users track and analyze the usage of images.
- Scalability and flexibility: Harbor has good scalability and can achieve high availability and load balancing by adding additional Harbor nodes. It also provides a RESTful API and plug-in mechanism, which can be integrated and extended with other systems to meet the specific needs of users.
1. Harbor installation
1.1 Prerequisites
a. Kubernetes cluster version >= 1.20
b. Helm version >= v3.2.0. For the installation of Helm, please refer to: Helm Install
c. A default StorageClass is required. For the specific preparation process, please refer to: Install StorageClass on Kubernetes
d. A default IngressClass is required. For the specific preparation process, please refer to: Kubernetes installation IngressClass. Step 4 there, "Set as the default Ingress Class", is necessary, and the NodePort ports of the Ingress are preferably set to 80 and 443
1.2 Installation process
Perform the following operations on the master node of the cluster:
a. Add the Harbor chart repository
helm repo add harbor https://helm.goharbor.io
b. Create a namespace to install Harbor
kubectl create ns harbor
c. Run the chart installation command; the service is exposed through the default Ingress
Note: Because a default IngressClass and a default StorageClass exist, the installation does not need parameters that name an IngressClass or a StorageClass. The default TLS certificate is also generated automatically during installation (of course, it can also be set manually).
For the introduction of specific parameters, please refer to: harbor chart official website
You can also refer to related processes (note that the chart version in the video is v1.0.0, which is only of reference value):
reference video
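# externalURL: external access URL
# expose.ingress.hosts.core: ingress host for core; must match the domain in externalURL
# expose.ingress.hosts.notary: ingress host for Notary
# harborAdminPassword: initial password of the default admin user (sample value; set your own)
# -n: namespace to install into
helm install harbor harbor/harbor \
  --set externalURL=https://harbor.example.com \
  --set expose.ingress.hosts.core=harbor.example.com \
  --set expose.ingress.hosts.notary=notary.example.com \
  --set harborAdminPassword=Yiqi123 \
  -n harbor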
d. After it completes, check whether the installation succeeded with the following command:
kubectl get po,ing,svc -n harbor
NAME                                        READY   STATUS    RESTARTS       AGE
pod/harbor-core-84dccff85b-7qlkd            1/1     Running   0              120m
pod/harbor-database-0                       1/1     Running   0              120m
pod/harbor-jobservice-f4689d655-4tqrc       1/1     Running   4 (119m ago)   120m
pod/harbor-notary-server-7d4b6ff68-xpjb5    1/1     Running   1 (119m ago)   120m
pod/harbor-notary-signer-665bc967c8-7x79d   1/1     Running   1 (119m ago)   120m
pod/harbor-portal-7d5f8d86cf-2qxl2          1/1     Running   0              120m
pod/harbor-redis-0                          1/1     Running   0              120m
pod/harbor-registry-75fcfd8b8c-qz4vg        2/2     Running   0              120m
pod/harbor-trivy-0                          1/1     Running   0              120m

NAME                                              CLASS   HOSTS                ADDRESS        PORTS     AGE
ingress.networking.k8s.io/harbor-ingress          nginx   harbor.example.com   172.16.80.22   80, 443   120m
ingress.networking.k8s.io/harbor-ingress-notary   nginx   notary.example.com   172.16.80.22   80, 443   120m

NAME                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
service/harbor-core            ClusterIP   172.16.226.24    <none>        80/TCP              120m
service/harbor-database        ClusterIP   172.16.138.139   <none>        5432/TCP            120m
service/harbor-jobservice      ClusterIP   172.16.90.83     <none>        80/TCP              120m
service/harbor-notary-server   ClusterIP   172.16.51.31     <none>        4443/TCP            120m
service/harbor-notary-signer   ClusterIP   172.16.238.7     <none>        7899/TCP            120m
service/harbor-portal          ClusterIP   172.16.178.86    <none>        80/TCP              120m
service/harbor-redis           ClusterIP   172.16.125.72    <none>        6379/TCP            120m
service/harbor-registry        ClusterIP   172.16.155.145   <none>        5000/TCP,8080/TCP   120m
service/harbor-trivy           ClusterIP   172.16.201.86    <none>        8080/TCP            120m
2. Access verification
a. Add a hosts entry on the machine that needs to access Harbor
vi /etc/hosts
# Add the following entry
<IP address of any worker node in the cluster> harbor.example.com
b. Browser access
c. Settings for pushing images. Because the TLS certificate currently used by the registry is self-signed, Docker treats it as an untrusted registry. You need to add it as an insecure registry in the configuration file of the Docker daemon that accesses it
vi /etc/docker/daemon.json
# Add the following content:
{
  "insecure-registries": [
    "harbor.example.com"
  ]
}
# After writing the configuration file, run the following commands:
systemctl daemon-reload
systemctl restart docker
# Log in to the private registry with docker login
docker login harbor.example.com
# Tag the image
docker tag nginx:alpine harbor.example.com/library/nginx:alpine
# Push the image
docker push harbor.example.com/library/nginx:alpine
After the push is complete, you can see the pushed image in the graphical interface.
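Added example (not from the original post): listing harbor.example.com under insecure-registries makes Docker skip certificate verification for that host, so an alternative is to have the Docker client trust the CA that the chart generated. The sketch assumes the release name and namespace used above, that the generated TLS secret is named harbor-ingress and carries a ca.crt key, and the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: trust Harbor's self-signed CA in Docker instead of listing
# the registry under "insecure-registries".
# Assumptions: release "harbor" in namespace "harbor", so the chart's
# auto-generated TLS secret is named "harbor-ingress" and has a ca.crt key.

REGISTRY_HOST="${REGISTRY_HOST:-harbor.example.com}"
DOCKER_CERT_ROOT="${DOCKER_CERT_ROOT:-/etc/docker/certs.d}"

# Print the CA certificate (PEM) stored in the ingress TLS secret.
# Run this where kubectl can reach the cluster, e.g. the master node.
fetch_harbor_ca() {
    kubectl -n harbor get secret harbor-ingress \
        -o jsonpath='{.data.ca\.crt}' | base64 -d
}

# Succeed only if the file holds exactly one PEM certificate and no private key,
# so an empty download or the wrong secret key is never installed as a trust anchor.
is_single_pem_cert() {
    [ -s "$1" ] || return 1
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
    [ "$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1")" -eq 1 ] &&
    [ "$(grep -c '^-----END CERTIFICATE-----$' "$1")" -eq 1 ]
}

# Copy the CA to <cert root>/<registry host>/ca.crt, the per-registry
# location where the Docker daemon looks for additional trusted CAs.
install_registry_ca() {
    local ca_file="$1" host="${2:-$REGISTRY_HOST}" root="${3:-$DOCKER_CERT_ROOT}"
    if ! is_single_pem_cert "$ca_file"; then
        echo "refusing to install $ca_file: not a single PEM certificate" >&2
        return 1
    fi
    mkdir -p "$root/$host" && install -m 0644 "$ca_file" "$root/$host/ca.crt"
}

# Usage:
#   fetch_harbor_ca > harbor-ca.crt      # on the master node
#   install_registry_ca harbor-ca.crt    # on each Docker client, as root
#   docker login harbor.example.com      # the server certificate is now verified
```

With the CA installed this way, the harbor.example.com entry in insecure-registries is not needed on that client.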