
#1 2023-02-08 16:07:13

小天天
Moderator
Registered: 2019-09-29
Posts: 886

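k8s access to a Harbor registry with a self-signed certificate

1) Generate the Harbor certificates
# CA private key; the next command signs the CA certificate with it
openssl genrsa -out ca.key 4096

openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=*.xxxtoon.com" \
-key ca.key \
-out ca.crt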


openssl genrsa -out xxxtoon.com.key 4096

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=*.xxxtoon.com" \
    -key xxxtoon.com.key \
    -out xxxtoon.com.csr



cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=*.xxxtoon.com
DNS.2=xxxtoon.com
DNS.3=hdnewreg.xxxtoon.com
IP.1=127.0.0.1
# A SAN entry cannot hold a CIDR range such as 10.11.47.0/24; add one IP.n line per registry address
EOF


openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in xxxtoon.com.csr \
    -out xxxtoon.com.crt

openssl x509 -inform PEM -in xxxtoon.com.crt -out xxxtoon.com.cert


2)cp xxxtoon.com.crt xxxtoon.com.key  /data/harbor/secrert/certs

3)
systemctl start docker
docker-compose up -d

FAQ

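Problem: a k8s client fails to access the Harbor registry when the certificate is self-signed
1, For a self-signed certificate, the certificate file has to be copied to the client; otherwise logging in to the registry from the client fails with an error

The error log is as follows
Error response from daemon: Get https://xxxtoon.com/v2/: x509: certificate signed by unknown authority
1, Create the certificate directory on the client
mkdir /etc/docker/certs.d/xxxtoon.com -p
2, Copy the self-signed certificate file from the Harbor registry server to the client
First copy the certificate to /tmp on the client
mv /tmp/xxxtoon.com.crt /etc/docker/certs.d/xxxtoon.com/
3, Verify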
[root@localhost ~]# docker login https://xxxtoon.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/referenc … ials-store

Login Succeeded



##https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## The one from the official docs does not seem to have been used

kubectl create secret generic myreg \
    --from-file=.dockerconfigjson=/root/.docker/config.json \
    --type=kubernetes.io/dockerconfigjson
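
How the entries in [alt_names] from step 1 are matched, as an added example that is not part of the original post: it issues two throwaway certificates and runs OpenSSL's verifier to show that an address written as a DNS.n entry does not satisfy an IP check, while an IP.n entry does. The CA name "Demo CA", the host registry.example.test and the function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. Throwaway CA and leaf certificates are created in a temp dir;
# registry.example.test and "Demo CA" are constructed placeholder names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA, same pattern as step 1 (2048-bit, 1 day: demo only).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# make_leaf NAME SAN_LINE...: issue a server cert whose [alt_names] holds the given lines.
make_leaf() {
  name=$1; shift
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=registry.example.test" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n'
    printf 'subjectAltName=@alt_names\n[alt_names]\n'
    printf '%s\n' "$@"
  } > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 1 -extfile "$WORK/$name.ext" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -in "$WORK/$name.csr" -out "$WORK/$name.crt" 2>/dev/null
}

# check_host / check_ip NAME TARGET: exit 0 only if the leaf chains to the CA
# and its SAN covers TARGET as a DNS name / as an IP address.
check_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}
check_ip() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

make_leaf dns_only 'DNS.1=registry.example.test' 'DNS.2=127.0.0.1'
make_leaf with_ip  'DNS.1=registry.example.test' 'IP.1=127.0.0.1'

# Report which checks each certificate passes.
for cert in dns_only with_ip; do
  check_host "$cert" registry.example.test && h=ok || h=FAIL
  check_ip "$cert" 127.0.0.1 && i=ok || i=FAIL
  echo "$cert: hostname=$h ip=$i"
done
```

A client that reaches the registry by IP address needs that address in an IP.n entry; the hostname check is unaffected either way.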
