k8s: connecting containerd to a Harbor private registry (皮卡丘QAQ's blog)


1. Configure HTTPS for Harbor with a self-signed certificate

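It is still advisable to configure HTTPS for Harbor; without HTTPS I tested many methods and none of them ever succeeded 0.0
(The configuration here follows this expert's article)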

Certificate generation starts here. If you find my steps messy, you can go straight to the expert's original article.
[email protected]_16:39:13_/data/server/harbor/certs $openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
............................................................................................................................................................................................................................................++
.......................................................................................++
e is 65537 (0x10001)


[email protected]_16:39:46_/data/server/harbor/certs $openssl req -x509 -new -nodes -sha512 -days 3650  -subj "/CN=harbor.yh.com" \
> -key ca.key  -out ca.crt
[email protected]_16:40:05_/data/server/harbor/certs $ll
总用量 8
-rw-r--r-- 1 root root 1797 825 16:40 ca.crt
-rw-r--r-- 1 root root 3247 825 16:39 ca.key
[email protected]_16:40:07_/data/server/harbor/certs $openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
...............................................++
...................................................................................++
e is 65537 (0x10001)


[email protected]_16:40:14_/data/server/harbor/certs $openssl req  -new -sha512  -subj "/CN=harbor.yh.com"  -key server.key  -out \
> server.csr


[email protected]_16:40:43_/data/server/harbor/certs $ll
总用量 16
-rw-r--r-- 1 root root 1797 825 16:40 ca.crt
-rw-r--r-- 1 root root 3247 825 16:39 ca.key
-rw-r--r-- 1 root root 1590 825 16:40 server.csr
-rw-r--r-- 1 root root 3243 825 16:40 server.key


[email protected]_17:25:33_/data/server/harbor $cat certs/v3.ext 
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.yh.com


[email protected]_16:41:33_/data/server/harbor/certs $openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt 
Signature ok
subject=/CN=harbor.yh.com
Getting CA Private Key


[email protected]_16:44:31_/data/server/harbor $vim harbor.yml 
hostname: harbor.yh.com

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8080

# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/server/harbor/certs/server.crt
  private_key: /data/server/harbor/certs/server.key
  
  

[email protected]_16:43:04_/data/server/harbor $./prepare 
prepare base dir is set to /data/server/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/root.crt
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/jobservice/config.yml
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir


[email protected]_16:45:45_/data/server/harbor $docker-compose down
Stopping nginx             ... done
Stopping harbor-jobservice ... done
Stopping harbor-core       ... done
Stopping redis             ... done
Stopping registry          ... done
Stopping harbor-db         ... done
Stopping registryctl       ... done
Stopping harbor-portal     ... done
Stopping harbor-log        ... done
Removing nginx             ... done
Removing harbor-jobservice ... done
Removing harbor-core       ... done
Removing redis             ... done
Removing registry          ... done
Removing harbor-db         ... done
Removing registryctl       ... done
Removing harbor-portal     ... done
Removing harbor-log        ... done
Removing network harbor_harbor


[email protected]_16:45:45_/data/server/harbor $docker-compose up -d
[email protected]_17:21:13_/data/server/harbor $netstat -lntup|egrep '8080|443'
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      32071/docker-proxy  
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      32057/docker-proxy 


[[email protected] ~]# ctr -n k8s.io image pull harbor.yh.com:8080/test/nginx:v1
INFO[0000] trying next host                              error="failed to do request: Head \"https://harbor.yh.com:8080/v2/test/nginx/manifests/v1\": http: server gave HTTP response to HTTPS client" host="harbor.yh.com:8080"
ctr: failed to resolve reference "harbor.yh.com:8080/test/nginx:v1": failed to do request: Head "https://harbor.yh.com:8080/v2/test/nginx/manifests/v1": http: server gave HTTP response to HTTPS client

2. Connect containerd to Harbor (run on all nodes)

 [[email protected] ~]#  ctr -n k8s.io image pull harbor.yh.com/test/nginx:v1     
INFO[0000] trying next host                              error="failed to do request: Head \"https://harbor.yh.com/v2/test/nginx/manifests/v1\": x509: certificate signed by unknown authority" host=harbor.yh.com
ctr: failed to resolve reference "harbor.yh.com/test/nginx:v1": failed to do request: Head "https://harbor.yh.com/v2/test/nginx/manifests/v1": x509: certificate signed by unknown authority
[[email protected] ~]# yum install -y ca-certificates
[[email protected] ~]# cp -a server.crt /etc/pki/ca-trust/source/anchors/
[[email protected] ~]# ln -s /etc/pki/ca-trust/source/anchors/server.crt /etc/ssl/certs/
[[email protected] ~]# update-ca-trust    
[[email protected] ~]# nerdctl login -u admin harbor.yh.com
Enter Password: Login Succeeded
[[email protected] ~]#  ctr -n k8s.io image pull harbor.yh.com/test/nginx:v1
harbor.yh.com/test/nginx:v1:                                                      resolved       |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:48d56bae87c65ca642b0a1d13c3dc97c4430994991e5531ff123f77cdf975fae: done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:6f28985ad1843afd6fd4fe0b42a30bfab63c27d302362e7341e3316e8ba25ced:    done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:6084105296a952523c36eea261af38885f41e9d1d0001b4916fa426e45377ffe:   exists         |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:29f7ebf60efda2064ed8f3ca5f748b757c9eb4194e8db766ee370067d2c72210:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:158aac73782cb5bf2f03cc3b3f9afa49ce582c26a546f6dba65994d1c7ddd43d:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:879a7c160ac652fea0b56d0d28a9fe5a4dfb9716fe0147c5d163a841c8d83fae:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:de58cd48a671f1121ff5cc9f04cb93916d1a71f25c378f3048975421d87f5a05:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:be704f37b5f442aeb0ee33e0a86d08263d23e7343321b4fc96b68d71e869e3b4:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 1.7 s                                                                    total:  51.2 M (30.1 MiB/s)                                      
unpacking linux/amd64 sha256:48d56bae87c65ca642b0a1d13c3dc97c4430994991e5531ff123f77cdf975fae...
done: 11.646226ms
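
As an added example (not part of the original post), the script below rebuilds a throwaway CA and server certificate with the same openssl steps and runs three checks before anything is installed on the nodes: the certificate chains to the CA, its SAN covers the registry host name, and the private key is not accessible by group or other (the `ll` listings above show `ca.key` and `server.key` as `-rw-r--r--`). The function names, 2048-bit keys, 30-day lifetime and the `Demo Harbor CA` subject are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a registry certificate before it is
# installed on the nodes. Every file it creates is a throwaway demo file.

# Build a constructed CA and server certificate with the same openssl steps as
# the walkthrough (2048-bit keys, 30 days and the CA subject are demo assumptions).
make_demo_pki() {            # $1 = work dir, $2 = registry host name for the SAN
  local d="$1" host="$2"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 30 -subj "/CN=Demo Harbor CA" \
    -key "$d/ca.key" -out "$d/ca.crt"
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  chmod 600 "$d/ca.key" "$d/server.key"   # private keys: owner-only
  openssl req -new -sha512 -subj "/CN=$host" -key "$d/server.key" -out "$d/server.csr"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=@alt_names' '[alt_names]' "DNS.1=$host" > "$d/v3.ext"
  openssl x509 -req -sha512 -days 30 -extfile "$d/v3.ext" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -in "$d/server.csr" -out "$d/server.crt" 2>/dev/null
}

# Return 0 only if the certificate chains to the CA, lists the registry host
# in its SAN, and the private key is not accessible by group or other.
check_registry_cert() {      # $1 = CA cert, $2 = server cert, $3 = server key, $4 = host
  local ca="$1" crt="$2" key="$3" host="$4" rc=0
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not chain to $ca"; rc=1; }
  openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
    | grep -q 'does match certificate' \
    || { echo "FAIL: $host is not covered by the certificate"; rc=1; }
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
    || { echo "FAIL: $key is accessible by group or other"; rc=1; }
  return "$rc"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" harbor.yh.com
check_registry_cert "$demo_dir/ca.crt" "$demo_dir/server.crt" \
  "$demo_dir/server.key" harbor.yh.com && echo "OK: certificate checks passed"
```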

3. Configure k8s to pull the image automatically when a YAML manifest is applied

This is the command k8s uses when it runs a YAML manifest; at this point the pull still fails
[[email protected] ~]# crictl pull harbor.yh.cn/yw/centos:v7
FATA[0000] pulling image: rpc error: code = Unknown desc = failed to pull and
unpack image "harbor.yh.cn/yw/centos:v7": failed to resolve reference
"harbor.yh.cn/yw/centos:v7": failed to do request: Head
"https://harbor.yh.cn/v2/yw/centos/manifests/v7": x509: certificate signed by
unknown authority 

Add the following (lines 150-154 and lines 159-160):
 cat -n /etc/containerd/config.toml  
   144      [plugins."io.containerd.grpc.v1.cri".registry]
   145        config_path = ""
   146
   147        [plugins."io.containerd.grpc.v1.cri".registry.auths]
   148
   149        [plugins."io.containerd.grpc.v1.cri".registry.configs]
   150          [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".tls]
   151            ca_file = "/etc/ssl/certs/server.crt"
   152          [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".auth]
   153            username = "admin"
   154            password = "Harbor12345"
   155
   156        [plugins."io.containerd.grpc.v1.cri".registry.headers]
   157
   158        [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
   159          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.yh.cn"]
   160            endpoint = ["https://harbor.yh.cn"]
   161
   162      [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
   163        tls_cert_file = ""
   164        tls_key_file = ""

Restart and test
[[email protected] ~]# systemctl restart containerd
[[email protected] ~]# crictl pull harbor.yh.cn/yw/centos:v7
Image is up to date for
sha256:eeb6ee3f44bd0b5103bb561b4c16bcb82328cfe5809ab675bb17ab3a16c517c9
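
An added example, not from the original post: a small audit of the registry tables in a containerd CRI config that reports credentials stored in plaintext, disabled TLS verification and plain-HTTP mirror endpoints. The sample input is constructed from the tables shown above, and the function name `audit_cri_registry` is an assumption.

```shell
#!/usr/bin/env bash
# Added example: audit the registry part of a containerd CRI config.
# Prints one finding per risky line and returns the number of findings.
audit_cri_registry() {       # $1 = path to config.toml
  awk '
    /^[ \t]*#/  { next }                                  # skip comments
    /^[ \t]*\[/ { section = $0; next }                    # remember the current table
    section ~ /registry\.configs\..*\.auth[]]/ &&
      /^[ \t]*(password|auth|identitytoken)[ \t]*=/ {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
        printf "line %d: %s stored in plaintext\n", NR, key; n++ }
    section ~ /registry\.configs\..*\.tls[]]/ &&
      /insecure_skip_verify[ \t]*=[ \t]*true/ {
        printf "line %d: TLS verification disabled\n", NR; n++ }
    section ~ /registry\.mirrors\./ && /endpoint/ && /"http:/ {
        printf "line %d: plain-HTTP endpoint\n", NR; n++ }
    END { exit n + 0 }
  ' "$1"
}

# Constructed sample: the registry tables from the walkthrough above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".tls]
    ca_file = "/etc/ssl/certs/server.crt"
  [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.yh.cn".auth]
    username = "admin"
    password = "Harbor12345"
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.yh.cn"]
    endpoint = ["https://harbor.yh.cn"]
EOF
audit_cri_registry "$sample" || echo "findings: $?"
```

Run against the sample it reports only the `password` line; keeping the registry credentials in a Kubernetes image pull secret (`imagePullSecrets`) instead leaves `config.toml` free of them.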

4. Test

Delete the image that was pulled during the earlier tests on all nodes
ctr -n k8s.io image rm harbor.yh.com/test/nginx:v1
Test the pull through a YAML manifest
[[email protected] ~]# cat nginx.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
  namespace: sa
spec:
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
    spec:
      nodeSelector:
        kubernetes.io/hostname: k8s-node02
      containers:
      - image: harbor.yh.com/test/nginx:v1
        imagePullPolicy: IfNotPresent
        name: nginx
        ports:
        - containerPort: 80
          protocol: TCP

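I currently have just one master and two worker nodes; test each of them to see whether the image is pulled successfully after the YAML is applied
[[email protected] ~]#  kubectl apply -f nginx.yaml
[[email protected] ~]# kubectl -n sa get pod -o wide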
NAME                    READY   STATUS        RESTARTS   AGE     IP
NODE         NOMINATED NODE   READINESS GATES
demo-56768bf96f-l7fl7   1/1     Running       0          3s      10.16.0.131
k8s-node02   <none>           <none>
jenkins-0               1/1     Running       0          2d16h   10.16.0.140
k8s-master   <none>           <none>

Test node1
[[email protected] ~]# egrep 'nodeSelector|hostname' nginx.yaml 
      nodeSelector:
        kubernetes.io/hostname: k8s-node01
[[email protected] ~]# kubectl apply -f nginx.yaml  
deployment.apps/demo configured
[[email protected] ~]# kubectl -n sa get pod -o wide                  
NAME                    READY   STATUS        RESTARTS   AGE     IP
NODE         NOMINATED NODE   READINESS GATES
demo-56768bf96f-9ptq2   0/1     Terminating   0          7m1s    10.16.0.16
k8s-node02   <none>           <none>
demo-56768bf96f-l7fl7   1/1     Running       0          3s      10.16.0.131
k8s-node01   <none>           <none>
jenkins-0               1/1     Running       0          2d16h   10.16.0.140
k8s-master   <none>           <none>
Test master
[[email protected] ~]# kubectl -n sa get pod -o wide
NAME                    READY   STATUS    RESTARTS   AGE     IP
NODE         NOMINATED NODE   READINESS GATES
demo-5dfdfc7bbc-dnr2c   1/1     Running   0          3s      10.16.0.150
k8s-master   <none>           <none>
jenkins-0               1/1     Running   0          2d16h   10.16.0.140
k8s-master   <none>           <none>

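Copyright notice: this is an original article by the blogger, licensed under CC 4.0 BY-SA. When reposting, include a link to the original source and this notice.
Article link: https://blog.csdn.net/liang_operations/article/details/126538237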
