Deploying a Harbor Container Registry

Environment

Hostname    IP address
harbor01    192.168.2.21
harbor02    192.168.2.22

Add hosts entries: on each node, map the Harbor domain name to the peer node's address

#harbor01
192.168.2.22 harbor.acaiblog.top
#harbor02
192.168.2.21 harbor.acaiblog.top

Install Harbor

Download the installer package

https://github.com/goharbor/harbor/releases/download/v2.8.5/harbor-online-installer-v2.8.5.tgz

Extract the installer package

tar xf harbor-online-installer-v2.8.5.tgz
cd harbor

Create the SSL certificate

Note: if you do not need HTTPS access to Harbor, you can skip this step.

Create the key

openssl genrsa -out harbor.acaiblog.top.key 4096

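Create the certificate signing request

openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=acaiblog/OU=Personal/CN=harbor.acaiblog.top" \
    -key harbor.acaiblog.top.key \
    -out harbor.acaiblog.top.csr

Create the self-signed certificate

Start with the x509 v3 extension file: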

cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=harbor.acaiblog.top
EOF

Create the CA

openssl req -new -x509 -days 3650 -keyout ca.key -out ca.crt
Generating a RSA private key
....+++++
.........+++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:harbor.acaiblog.top
Organizational Unit Name (eg, section) []:Personal
Common Name (e.g. server FQDN or YOUR name) []:harbor.acaiblog.top
Email Address []:

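Create the certificate

openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in harbor.acaiblog.top.csr \
    -out harbor.acaiblog.top.crt

Convert the certificate to .cert for Docker (the Docker daemon treats .crt files as CA certificates and .cert files as client certificates)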

openssl x509 -inform PEM -in harbor.acaiblog.top.crt -out harbor.acaiblog.top.cert

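Copy the certificates to the data directory

The wildcard below also copies ca.key. Harbor only needs the server certificate and key, so the CA private key can be stored elsewhere.

mkdir -p /data/cert
cp *.crt *.key /data/cert/

Configure the Docker client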

mkdir -p /etc/docker/certs.d/harbor.acaiblog.top
cp harbor.acaiblog.top.cert /etc/docker/certs.d/harbor.acaiblog.top/
cp harbor.acaiblog.top.key /etc/docker/certs.d/harbor.acaiblog.top/
cp ca.crt /etc/docker/certs.d/harbor.acaiblog.top/
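
Before harbor.yml is pointed at these files, it is worth confirming that the server certificate chains to the CA, carries the registry hostname in subjectAltName, and matches its private key. The script below is an added example, not part of the original post; check_cert and make_demo_pki are hypothetical helper names, and the demo PKI it can generate is constructed (throwaway 2048-bit keys, 1-day validity).

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# check_cert CA_CRT SERVER_CRT SERVER_KEY HOSTNAME  -> returns 0 only if all checks pass
check_cert() {
  local ca="$1" crt="$2" key="$3" host="$4" rc=0 a b
  # 1. The server certificate must chain to the CA that clients will trust.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not verify against $ca"; rc=1; }
  # 2. The registry hostname must be a DNS entry in subjectAltName;
  #    Go-based clients such as Docker do not fall back to the CN.
  openssl x509 -in "$crt" -noout -text 2>/dev/null | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$host" \
    || { echo "FAIL: no subjectAltName entry DNS:$host"; rc=1; }
  # 3. The private key must belong to the certificate (same public key).
  a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$a" = "$b" ] || { echo "FAIL: $key does not match $crt"; rc=1; }
  # 4. The certificate must not be expired.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "FAIL: $crt has expired"; rc=1; }
  return "$rc"
}

# Constructed throwaway PKI for trying the checks (2048-bit keys, 1-day validity).
# make_demo_pki DIR CN SAN_HOST writes ca.crt, srv.crt and srv.key into DIR.
make_demo_pki() {
  local d="$1" cn="$2" san="$3"
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl genrsa -out "$d/srv.key" 2048 2>/dev/null
  openssl req -new -sha512 -subj "/CN=$cn" -key "$d/srv.key" -out "$d/srv.csr"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$san" > "$d/v3.ext"
  openssl x509 -req -sha512 -days 1 -extfile "$d/v3.ext" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -in "$d/srv.csr" -out "$d/srv.crt" 2>/dev/null
}

# With four arguments, check real files, e.g.:
#   ./check_cert.sh ca.crt harbor.acaiblog.top.crt harbor.acaiblog.top.key harbor.acaiblog.top
if [ "$#" -eq 4 ]; then check_cert "$@"; fi
```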

Configure Harbor

Create the Harbor configuration file

cp harbor.yml.tmpl harbor.yml

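Edit the following settings in harbor.yml. Harbor12345 is the template's default admin password; replace it with your own value, or change it in the UI right after the first login.

hostname: harbor.acaiblog.top
https:
  certificate: /tmp/docker/harbor/harbor.acaiblog.top.cert
  private_key: /tmp/docker/harbor/harbor.acaiblog.top.key
harbor_admin_password: Harbor12345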

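Edit docker-compose.yml: for the registry, registryctl, core, and jobservice services, add the following configuration to bind-mount the local /etc/hosts file into the containers

volumes:
  - type: bind
    source: /etc/hosts
    target: /etc/hosts

Deploy Harbor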

./prepare
docker-compose -f docker-compose.yml up -d

Add a hosts entry on the Docker client

192.168.2.21 harbor.acaiblog.top

Test logging in to Harbor from the Docker client

$ docker login harbor.acaiblog.top
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Author: 慕容峻才
Article link: https://www.acaiblog.top/Harbor容器仓库部署/
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit 阿才的博客 when reposting.