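Previously, Harbor was installed with a one-click, Docker-based installer, and after installation all Harbor components ran on a single machine. This article walks through deploying Harbor in a Kubernetes environment.
According to Harbor's official requirements:
This article uses ingress-nginx to expose the Harbor service. Given the ingress-nginx version requirement, a Kubernetes version greater than 1.21.0-0 is recommended for following along. If you do not use ingress-nginx, meeting the version requirements above is sufficient.
For the latest requirements, see the official repository: https://github.com/goharbor/harbor-helm
The Kubernetes environment used in this article is as follows: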
# Kubernetes version and environment information
root@master1:~# kubectl get node -o wide
NAME      STATUS   ROLES           AGE   VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE           KERNEL-VERSION     CONTAINER-RUNTIME
master1   Ready    control-plane   25h   v1.28.2   192.168.0.61   <none>        Ubuntu 24.04 LTS   6.8.0-36-generic   containerd://1.7.12
node1     Ready    <none>          25h   v1.28.2   192.168.0.62   <none>        Ubuntu 24.04 LTS   6.8.0-36-generic   containerd://1.7.12
node2     Ready    <none>          25h   v1.28.2   192.168.0.63   <none>        Ubuntu 24.04 LTS   6.8.0-36-generic   containerd://1.7.12
# Operating system information
root@master1:~# cat /etc/issue
Ubuntu 24.04 LTS \n \l
root@master1:~# uname -a
Linux master1 6.8.0-36-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 10 10:49:14 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
# helm version
root@master1:~# helm version
version.BuildInfo{Version:"v3.15.2", GitCommit:"1a500d5625419a524fdae4b33de351cc4f58ec35", GitTreeState:"clean", GoVersion:"go1.22.4"}
To deploy OpenEBS, see my other article, "Kubernetes cloud-native storage solution OpenEBS deployment practice, version 3.10.0 (helm deployment)".
The OpenEBS deployment used in this article is as follows:
root@master1:~# helm ls -n openebs
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
openebs openebs 1 2024-07-02 14:38:40.928808834 +0800 CST deployed openebs-4.0.1 4.0.1
root@master1:~# kubectl get pod -n openebs
NAME READY STATUS RESTARTS AGE
openebs-localpv-provisioner-6b8bff68bd-vmwp7 1/1 Running 0 121m
openebs-lvm-localpv-controller-778b75449c-mmvw6 5/5 Running 0 121m
openebs-lvm-localpv-node-d2trc 2/2 Running 0 121m
openebs-lvm-localpv-node-md5wh 2/2 Running 0 121m
openebs-zfs-localpv-controller-6665568c7c-snw4q 5/5 Running 0 121m
openebs-zfs-localpv-node-mc8tv 2/2 Running 0 121m
openebs-zfs-localpv-node-w6nns 2/2 Running 0 121m
root@master1:~# kubectl get sc -n openebs
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
openebs-hostpath openebs.io/local Delete WaitForFirstConsumer false 121m
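To deploy ingress-nginx, see my other article, "ingress-nginx deployment (helm method)".
The Kubernetes version should not be too old. Below, deploying the latest ingress-nginx on 1.18.0 fails with a version incompatibility error.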
[root@k8s-master ~]# helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
> --namespace ingress-nginx --create-namespace \
> --set controller.service.type=NodePort
Release "ingress-nginx" does not exist. Installing it now.
Error: chart requires kubeVersion: >=1.21.0-0 which is incompatible with Kubernetes v1.18.0
The ingress-nginx deployment in this environment is as follows:
root@master1:~# helm ls -n ingress-nginx
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
ingress-nginx ingress-nginx 1 2024-07-01 18:20:48.811046861 +0800 CST deployed ingress-nginx-4.10.1 1.10.1
root@master1:~# kubectl get pod -n ingress-nginx
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-dddq8 1/1 Running 1 (126m ago) 22h
ingress-nginx-controller-p7gd9 1/1 Running 1 (126m ago) 22h
This section covers the overall deployment steps and records the deployment process used in this article.
helm repo add harbor https://helm.goharbor.io
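The following items can be set with the --set flag during installation, or configured by editing the values.yaml file directly (the chart must be downloaded first).
Harbor officially provides four ways to expose the Harbor service:
The external URL of the Harbor core service is used to:
Format: protocol://domain[:port]. Usually:
the value of expose.ingress.hosts.core
the value of expose.clusterIP.name
If Harbor is deployed behind a proxy, set it to the proxy's URL.
Disabled: data is not retained when the Pod terminates.
Persistent volume claim (default): a default StorageClass is required in the Kubernetes cluster to provision volumes dynamically. If you have existing persistent volumes available, you can specify another StorageClass in storageClass, or set existingClaim.
External storage (images and charts only): for images and charts, the following external storage backends are supported: Azure, GCS, S3, Swift and OSS.
See the configuration section for the other configuration items.
To install the Harbor chart with Helm under the release name my-release, use the following command: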
helm install my-release harbor/harbor
To uninstall or delete the chart with the release name my-release:
helm uninstall my-release
This article exposes the service through ingress. ingress-nginx itself is exposed through a NodePort, so its NodePort port number must be included in externalURL:
# the ingress-nginx NodePort HTTPS port is 30194
root@master1:~# kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.102.230.242   <none>        80:30974/TCP,443:30194/TCP   21h
ingress-nginx-controller-admission   ClusterIP   10.110.51.58     <none>        443/TCP                      21h
# after deploying OpenEBS, the StorageClass is openebs-hostpath
root@master1:~# kubectl get sc
NAME               PROVISIONER        RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
openebs-hostpath   openebs.io/local   Delete          WaitForFirstConsumer   false                  99m
# run the helm install: expose through ingress and set the domain names, externalURL, password and StorageClass
helm upgrade --install harbor harbor/harbor --namespace harbor --create-namespace \
--set expose.type=ingress \
--set expose.ingress.className=nginx \
--set expose.ingress.hosts.core=harbor.test.com \
--set expose.ingress.hosts.notary=notary.test.com \
--set externalURL=https://harbor.test.com:30194 \
--set harborAdminPassword="Harbor12345" \
--set persistence.persistentVolumeClaim.registry.storageClass="openebs-hostpath" \
--set persistence.persistentVolumeClaim.jobservice.jobLog.storageClass="openebs-hostpath" \
--set persistence.persistentVolumeClaim.database.storageClass="openebs-hostpath" \
--set persistence.persistentVolumeClaim.redis.storageClass="openebs-hostpath" \
--set persistence.persistentVolumeClaim.trivy.storageClass="openebs-hostpath"
Check the resources after deployment:
# Pods created
root@master1:~# kubectl get pod -n harbor -o wide
NAME                                 READY   STATUS    RESTARTS      AGE    IP              NODE    NOMINATED NODE   READINESS GATES
harbor-core-fb5ff9588-b8t6t          1/1     Running   2 (13m ago)   15m    10.244.154.33   node1   <none>           <none>
harbor-database-0                    1/1     Running   0             15m    10.244.154.43   node1   <none>           <none>
harbor-jobservice-85bf44bd57-5f2wg   1/1     Running   6 (12m ago)   15m    10.244.154.41   node1   <none>           <none>
harbor-portal-7c5d84cbb8-t6v22       1/1     Running   0             15m    10.244.154.34   node1   <none>           <none>
harbor-redis-0                       1/1     Running   0             15m    10.244.154.39   node1   <none>           <none>
harbor-registry-7f54fbf5f4-xdx       2/2     Running   0             15m    10.244.154.42   node1   <none>           <none>
harbor-trivy-0                       1/1     Running   0             6m1s   10.244.154.45   node1   <none>           <none>
# PVCs created
root@master1:~# kubectl get pvc -n harbor
NAME                              STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS       AGE
data-harbor-redis-0               Bound    pvc-83f38659-8ddb-43ec-9023-460d323c7d48   1Gi        RWO            openebs-hostpath   6m52s
data-harbor-trivy-0               Bound    pvc-50b8cd59-23c3-4d15-a0e3-31b7a62ed5d5   5Gi        RWO            openebs-hostpath   6m51s
database-data-harbor-database-0   Bound    pvc-8e8d04f2-21f7-4228-b0e7-331f352606e6   1Gi        RWO            openebs-hostpath   6m52s
harbor-jobservice                 Bound    pvc-beca09bd-d3b7-4d82-8e1e-785de4728f4e   1Gi        RWO            openebs-hostpath   6m52s
harbor-registry                   Bound    pvc-cd7048f3-2452-44e2-8c84-337b22ccb4ed   5Gi        RWO            openebs-hostpath   6m52s
# check the ingress
root@master1:~# kubectl get ingress -n harbor
NAME             CLASS   HOSTS             ADDRESS          PORTS     AGE
harbor-ingress   nginx   harbor.test.com   10.102.230.242   80, 443   7m9s
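Client access test: configure name resolution on the client so that harbor.test.com resolves to the IP of an ingress-nginx node, then open https://harbor.test.com:30194 to reach the Harbor login page.
The user name is admin and the password is Harbor12345.
Note:
If ingress-nginx-controller itself is exposed through a LoadBalancer, the externalURL domain does not need a port when deploying Harbor, and after deployment Harbor can be reached directly at https://harbor.test.com.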
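The ingress install above passes the chart's default admin password on the command line. As an added example (not from the original article or the Harbor project), the script below generates a random password, stores it in a Secret and points the chart at that Secret. It assumes a harbor-helm version that supports the `existingSecretAdminPassword` value; the Secret name `harbor-admin` is hypothetical.

```shell
#!/bin/sh
# Added example: keep the Harbor admin password off the helm command line.
# Assumes the chart supports existingSecretAdminPassword (default key
# HARBOR_ADMIN_PASSWORD); the Secret name "harbor-admin" is hypothetical.

# Print a random password: 24 alphanumerics from /dev/urandom plus "aZ9",
# so lower-case, upper-case and digit classes are always present.
gen_password() {
  rand=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
  printf '%saZ9\n' "$rand"
}

# render_admin_secret <namespace> <name> <password>: print a Secret manifest.
render_admin_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $1
type: Opaque
stringData:
  HARBOR_ADMIN_PASSWORD: "$3"
EOF
}

# Create the Secret once (Harbor only reads the initial password on first
# start, so an existing Secret is left alone), then install with the
# article's ingress and storage settings.
install_harbor() {
  ns=harbor; secret=harbor-admin; sc=persistence.persistentVolumeClaim
  kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$ns" get secret "$secret" >/dev/null 2>&1 ||
    render_admin_secret "$ns" "$secret" "$(gen_password)" | kubectl apply -f -
  helm upgrade --install harbor harbor/harbor --namespace "$ns" \
    --set expose.type=ingress \
    --set expose.ingress.className=nginx \
    --set expose.ingress.hosts.core=harbor.test.com \
    --set externalURL=https://harbor.test.com:30194 \
    --set existingSecretAdminPassword="$secret" \
    --set "$sc.registry.storageClass=openebs-hostpath" \
    --set "$sc.jobservice.jobLog.storageClass=openebs-hostpath" \
    --set "$sc.database.storageClass=openebs-hostpath" \
    --set "$sc.redis.storageClass=openebs-hostpath" \
    --set "$sc.trivy.storageClass=openebs-hostpath"
}

# Run the install only when called as: sh harbor-install.sh install
if [ "${1:-}" = "install" ]; then install_harbor; fi
```

The generated password can be read back with `kubectl -n harbor get secret harbor-admin -o jsonpath='{.data.HARBOR_ADMIN_PASSWORD}' | base64 -d`.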
The ingress deployment above depends on the ingress-nginx controller. To simplify deployment, the NodePort method can be used instead:
export node_ip=192.168.0.61
# externalURL is double-quoted so that $node_ip is expanded, and
# expose.nodePort.ports.https.nodePort pins the HTTPS NodePort to the port used in externalURL
helm upgrade --install harbor harbor/harbor --namespace harbor --create-namespace \
--set expose.type=nodePort \
--set expose.nodePort.ports.https.nodePort=31234 \
--set expose.tls.auto.commonName=$node_ip \
--set externalURL="https://$node_ip:31234" \
--set harborAdminPassword="Harbor12345" \
--set persistence.persistentVolumeClaim.registry.storageClass="openebs-hostpath" \
--set persistence.persistentVolumeClaim.jobservice.jobLog.storageClass="openebs-hostpath" \
--set persistence.persistentVolumeClaim.database.storageClass="openebs-hostpath" \
--set persistence.persistentVolumeClaim.redis.storageClass="openebs-hostpath" \
--set persistence.persistentVolumeClaim.trivy.storageClass="openebs-hostpath"
Harbor can then be reached directly at https://$node_ip:31234.
kubectl -n harbor get secrets harbor-ingress -o jsonpath="{.data.ca\.crt}" | base64 -d >ca.crt
Docker runtime and client:
root@ubuntu:~# mkdir -p /etc/docker/certs.d/harbor.test.com:30194/
root@ubuntu:~# ls /etc/docker/certs.d/harbor.test.com:30194/
ca.crt
If containerd is used, the configuration is similar:
root@ubuntu:~# mkdir -p /etc/containerd/certs.d/harbor.test.com:30194/
root@ubuntu:~# ls /etc/containerd/certs.d/harbor.test.com:30194/
ca.crt
echo "192.168.0.62 harbor.test.com" >>/etc/hosts
root@ubuntu:~# docker login -u admin -p Harbor12345 https://harbor.test.com:30194
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/test/.docker/config.json.
Configure a credential helper to remove this warning. See
...
Login Succeeded
root@ubuntu:~# docker push harbor.test.com:30194/library/kubemark:1.19.0
The push refers to repository [harbor.test.com:30194/library/kubemark]
c746c8a16e15: Pushed
f47163e8de57: Pushed
0d1435bd79e4: Pushed
1.19.0: digest: sha256:95effc616f84c0c3d3645ee489f57ec635002bcf5eec1f0892936f485110d529 size: 949
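The client-side steps above, as an added example that is not part of the original article: it installs the exported CA only if the file really contains a PEM certificate (the `kubectl ... | base64 -d` pipeline writes an empty `ca.crt` when the Secret has no `ca.crt` key), and it logs in with `--password-stdin`, as the Docker warning in the output recommends. `CERTS_ROOT` and `HARBOR_PASSWORD_FILE` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: install the Harbor CA for a registry client and log in
# without putting the password in argv. CERTS_ROOT and HARBOR_PASSWORD_FILE
# are hypothetical names introduced for this sketch.

# registry_certs_dir <docker|containerd> <host:port>: per-registry CA directory.
# containerd reads its directory only when the CRI registry config_path
# points at /etc/containerd/certs.d.
registry_certs_dir() {
  printf '%s/%s/certs.d/%s\n' "${CERTS_ROOT:-/etc}" "$1" "$2"
}

# Succeed only if the file is non-empty and contains a PEM certificate.
is_pem_cert() {
  [ -s "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# install_registry_ca <docker|containerd> <host:port> <ca-file>
install_registry_ca() {
  if ! is_pem_cert "$3"; then
    echo "refusing to install $3: empty or not a PEM certificate" >&2
    return 1
  fi
  dir=$(registry_certs_dir "$1" "$2")
  mkdir -p "$dir" && cp "$3" "$dir/ca.crt" && chmod 644 "$dir/ca.crt"
}

# harbor_login <host:port> <user>: the password is read from a file on stdin,
# so it never appears in the process list or shell history.
harbor_login() {
  docker login -u "$2" --password-stdin "https://$1" \
    <"${HARBOR_PASSWORD_FILE:?set HARBOR_PASSWORD_FILE}"
}

# Usage on the client from the article:
#   install_registry_ca docker harbor.test.com:30194 ca.crt
#   HARBOR_PASSWORD_FILE=./harbor.pass harbor_login harbor.test.com:30194 admin
```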
root@master1:~# kubectl get pvc -A
NAMESPACE NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
harbor data-harbor-redis-0 Lost pvc-83f38659-8ddb-43ec-9023-460d323c7d48 0 openebs-hostpath 5d22h
harbor data-harbor-trivy-0 Lost pvc-50b8cd59-23c3-4d15-a0e3-31b7a62ed5d5 0 openebs-hostpath 5d22h
harbor database-data-harbor-database-0 Lost pvc-8e8d04f2-21f7-4228-b0e7-331f352606e6 0 openebs-hostpath 5d22h
It is unclear whether this is an OpenEBS bug; it was resolved by recreating the PVs. Taking the PV used by database-data-harbor-database-0 as an example:
# database-data-harbor-database-0-pv.yaml
# metadata.resourceVersion is left out: the API server rejects it on objects being created
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: openebs.io/local
  creationTimestamp: "2024-07-02T08:17:54Z"
  finalizers:
  - kubernetes.io/pv-protection
  labels:
    openebs.io/cas-type: local-hostpath
  name: pvc-8e8d04f2-21f7-4228-b0e7-331f352606e6
spec:
  accessModes:
  - ReadWriteOnce
  capacity:
    storage: 1Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: database-data-harbor-database-0
    namespace: harbor
    resourceVersion: "83720"
    uid: 8e8d04f2-21f7-4228-b0e7-331f352606e6
  local:
    fsType: ""
    path: /var/openebs/local/pvc-8e8d04f2-21f7-4228-b0e7-331f352606e6
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - node1
  persistentVolumeReclaimPolicy: Delete
  storageClassName: openebs-hostpath
  volumeMode: Filesystem
Create it:
kubectl create -f database-data-harbor-database-0-pv.yaml