1)生成harbor证书
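# Generate a private CA and a Harbor server certificate signed by it.
# All files are written to the current directory.

# 1. CA private key. The CA request below reads ca.key, so it has to exist
#    first. The key is unencrypted: keep it owner-only and off the registry
#    host, since whoever holds it can mint certificates clients will trust.
openssl genrsa -out ca.key 4096
chmod 600 ca.key

# 2. Self-signed CA certificate, valid for 10 years.
# NOTE(review): the CA subject is identical to the server subject used below,
# so the issued certificate has issuer == subject and looks self-issued;
# consider giving the CA its own CN.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=*.xxxtoon.com" \
  -key ca.key \
  -out ca.crt

# 3. Server private key (owner-only) and certificate signing request.
openssl genrsa -out xxxtoon.com.key 4096
chmod 600 xxxtoon.com.key
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=*.xxxtoon.com" \
  -key xxxtoon.com.key \
  -out xxxtoon.com.csr

# 4. X.509 v3 extensions for the server certificate.
# IP addresses must be listed as IP.n entries: clients compare an IP they
# connect to against iPAddress SANs only, never against DNS entries.
# A SAN entry is a single address, so a CIDR range such as 10.11.47.0/24
# cannot be expressed; add one IP.n line per address clients really use.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=*.xxxtoon.com
DNS.2=xxxtoon.com
DNS.3=hdnewreg.xxxtoon.com
IP.1=127.0.0.1
# IP.2=<registry-host-ip>   (placeholder: one line per address in 10.11.47.0/24 that serves the registry)
EOF

# 5. Sign the CSR with the CA, applying the extensions above.
# The server certificate is also valid for 10 years, so there is no forced
# rotation; plan a manual renewal or use a shorter -days value.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in xxxtoon.com.csr \
  -out xxxtoon.com.crt

# 6. Same PEM content under a .cert name: Docker reads *.crt files in
#    certs.d as CA certificates and *.cert files as client certificates.
openssl x509 -inform PEM -in xxxtoon.com.crt -out xxxtoon.com.cert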
2)cp xxxtoon.com.crt xxxtoon.com.key /data/harbor/secrert/certs
3)
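# Start the Docker daemon, then bring up the Harbor containers in the
# background. The original spelled the second command "docker-compse",
# which fails with "command not found".
# Presumably run from the Harbor install directory that holds
# docker-compose.yml - confirm before running.
systemctl start docker
docker-compose up -d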
FAQ
自签证书,k8s客户端访问harbor仓库失败问题
1,对于自签证书,需要将证书文件拷贝到客户端,否则客户端登录仓库会触发错误问题
报错日志如下
Error response from daemon: Get https://xxxtoon.com/v2/: x509: certificate signed by unknown authority
1,在客户端创建证书位置目录
# Per-registry trust directory read by the Docker daemon; its name has to
# match the registry host used in "docker login" and in image references.
# Only Docker consults this path: Kubernetes nodes running containerd or
# CRI-O need the certificate in that runtime's own registry configuration
# or in the system trust store.
mkdir -p /etc/docker/certs.d/xxxtoon.com
2,将harbor仓库服务器自签的证书文件拷贝到客户端
事先把证书拷贝到客户端的/tmp目录
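# Install the certificate into Docker's trust directory as root:root 0644.
# A plain mv would keep whatever owner and mode the file had in /tmp, which
# could leave a trust anchor writable by an unprivileged account.
# /tmp is world-writable, so check the staged file before trusting it, e.g.
# compare `openssl x509 -noout -fingerprint -sha256 -in <file>` with the
# value taken on the Harbor host.
# NOTE(review): the usual practice is to distribute the CA certificate
# (ca.crt) to clients rather than the server certificate.
install -o root -g root -m 0644 /tmp/xxxtoon.com.crt /etc/docker/certs.d/xxxtoon.com/
rm -f -- /tmp/xxxtoon.com.crt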
3,验证测试
[root@localhost ~]# docker login https://xxxtoon.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
##https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##官网这个好像没用到
# Create an image-pull secret named "myreg" from the Docker client config
# written by "docker login".
# - /root/.docker/config.json holds base64-encoded, not encrypted,
#   credentials for every registry this user has logged in to; the whole
#   file becomes the secret payload.
# - The login shown on this page uses the Harbor "admin" account; a
#   dedicated pull-only account limits what a leaked secret can do.
# - If a credential helper is configured, config.json carries no auth entry
#   and the resulting secret cannot authenticate.
# - The secret lands in the current namespace; pods use it through
#   imagePullSecrets.
kubectl create secret generic myreg \
  --type=kubernetes.io/dockerconfigjson \
  --from-file=.dockerconfigjson=/root/.docker/config.json