nfs 服务配置
master 节点
# Export /data/harbor read-write to the 192.168.96.0/24 subnet. The redirect replaces any
# existing content of /etc/exports.
# NOTE(review): no_root_squash lets root on any client in that subnet act as root on the
# exported tree; where possible, limit the export to the cluster node addresses.
printf '%s\n' "/data/harbor 192.168.96.0/24(rw,sync,no_root_squash)" > /etc/exports
# Create one sub-directory per Harbor component that gets its own volume.
for component in chartmuseum jobservice registry database redis trivy; do
  mkdir -p "/data/harbor/${component}"
done
# Run on the master.
# NOTE(review): mode 777 leaves registry and database files writable by every local account
# and every NFS client. Ownership limited to the UIDs the Harbor containers run as is tighter;
# confirm those UIDs in the chart before changing this.
chmod -R 777 /data/harbor
# Reload the export table so the new entry takes effect.
exportfs -r
# List the active exports to confirm the entry is present.
exportfs
# Enable both services at boot and start them now.
systemctl enable --now rpcbind
systemctl enable --now nfs
node 节点
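# List the exports offered by the NFS server to confirm the share is visible from this node.
showmount -e 192.168.96.237
mkdir -p /data/harbor
mount -t nfs 192.168.96.237:/data/harbor /data/harbor
# Make the mount persistent: open /etc/fstab and add the line shown below.
# The fstab keyword is "defaults" (plural); "_netdev" defers the mount until the network
# is up at boot.
vim /etc/fstab
192.168.96.237:/data/harbor /data/harbor nfs defaults,_netdev 0 0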
helm 配置源
# Register the upstream Harbor chart repository under the name "harbor".
helm repo add harbor https://helm.goharbor.io
# Pull a pinned chart release so the download is reproducible.
chart_version=1.7.4
helm pull harbor/harbor --version "${chart_version}"
# The downloaded archive is harbor-1.7.4.tgz; unpacking it creates ./harbor.
tar -xzvf "harbor-${chart_version}.tgz"
修改配置
harbor目录下的values.yaml文件
可直接复制
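# How Harbor is published outside the cluster. Nesting restored to the chart's values.yaml layout.
expose:
  # Only the block matching this type (nodePort) is used; ingress, clusterIP and
  # loadBalancer below are left at chart defaults.
  type: nodePort
  tls:
    # NOTE(review): with TLS off, portal and registry traffic, including login credentials,
    # crosses the network as plain HTTP on the node port.
    enabled: false
    certSource: auto
    auto:
      commonName: ""
    secret:
      secretName: ""
      notarySecretName: ""
  ingress:
    hosts:
      core: core.harbor.domain
      notary: notary.harbor.domain
    controller: default
    annotations:
      ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
    notary:
      annotations: {}
    harbor:
      annotations: {}
  clusterIP:
    name: harbor
    annotations: {}
    ports:
      httpPort: 80
      httpsPort: 443
      notaryPort: 4443
  nodePort:
    name: harbor
    ports:
      http:
        port: 80
        # Port opened on every node; it must match the port in externalURL.
        nodePort: 30002
      https:
        port: 443
        nodePort: 30003
      notary:
        port: 4443
        nodePort: 30004
  loadBalancer:
    name: harbor
    IP: ""
    ports:
      httpPort: 80
      httpsPort: 443
      notaryPort: 4443
    annotations: {}
    sourceRanges: []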
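# Address clients use to reach Harbor: node IP plus the HTTP nodePort. The scheme is http
# because expose.tls.enabled is false.
externalURL: http://192.168.96.237:30002
# TLS between Harbor's own components. Nesting restored to the chart's values.yaml layout.
internalTLS:
  # NOTE(review): disabled, so traffic between core, jobservice, registry, portal,
  # chartmuseum and trivy inside the cluster is unencrypted.
  enabled: false
  certSource: "auto"
  trustCa: ""
  core:
    secretName: ""
    crt: ""
    key: ""
  jobservice:
    secretName: ""
    crt: ""
    key: ""
  registry:
    secretName: ""
    crt: ""
    key: ""
  portal:
    secretName: ""
    crt: ""
    key: ""
  chartmuseum:
    secretName: ""
    crt: ""
    key: ""
  trivy:
    secretName: ""
    crt: ""
    key: ""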
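# Storage for Harbor components. Nesting restored to the chart's values.yaml layout.
persistence:
  enabled: true
  resourcePolicy: "keep"
  persistentVolumeClaim:
    # Each existingClaim names a PVC defined in harbor-pvc.yaml; create those claims
    # before installing the chart.
    registry:
      existingClaim: "harbor-registry"
      storageClass: "harbor-registry"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: "harbor-chartmuseum"
      storageClass: "harbor-chartmuseum"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: "harbor-jobservice"
      storageClass: "harbor-jobservice"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    database:
      existingClaim: "harbor-database"
      storageClass: "harbor-database"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    redis:
      existingClaim: "harbor-redis"
      storageClass: "harbor-redis"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: "harbor-trivy"
      storageClass: "harbor-trivy"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
  imageChartStorage:
    disableredirect: false
    # Images and charts are stored on the registry and chartmuseum volumes.
    type: filesystem
    filesystem:
      rootdirectory: /storage
    # The azure/gcs/s3/swift/oss entries below are placeholder values; they are not
    # selected while type is filesystem.
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
    gcs:
      bucket: bucketname
      encodedkey: base64-encoded-json-key-file
    s3:
      region: us-west-1
      bucket: bucketname
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname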
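# Settings shared by all components. Nesting restored to the chart's values.yaml layout.
imagePullPolicy: IfNotPresent
imagePullSecrets:
updateStrategy:
  type: RollingUpdate
logLevel: info
# NOTE(review): this is the chart's published default admin password. Set your own value
# before installing, or change it in the portal right after the first login.
harborAdminPassword: "Harbor12345"
caSecretName: ""
# NOTE(review): chart default encryption key. Replace it with your own 16-character
# value before the first install.
secretKey: "not-a-secure-key"
proxy:
  httpProxy:
  httpsProxy:
  noProxy: 127.0.0.1,localhost,.local,.internal
  components:
    - core
    - jobservice
    - trivy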
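# Per-component settings for nginx, portal, core and jobservice. Nesting restored to the
# chart's values.yaml layout. automountServiceAccountToken: false keeps the Kubernetes API
# token out of these pods.
nginx:
  image:
    repository: goharbor/nginx-photon
    tag: v2.3.4
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName:
portal:
  image:
    repository: goharbor/harbor-portal
    tag: v2.3.4
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName:
core:
  image:
    repository: goharbor/harbor-core
    tag: v2.3.4
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  startupProbe:
    enabled: true
    initialDelaySeconds: 10
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  # secret, secretName and xsrfKey are left empty here.
  secret: ""
  secretName: ""
  xsrfKey: ""
  priorityClassName:
jobservice:
  image:
    repository: goharbor/harbor-jobservice
    tag: v2.3.4
  replicas: 1
  serviceAccountName: ""
  automountServiceAccountToken: false
  maxJobWorkers: 10
  jobLoggers:
    - file
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  secret: ""
  priorityClassName: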
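# Per-component settings for registry, chartmuseum and trivy. Nesting restored to the
# chart's values.yaml layout.
registry:
  serviceAccountName: ""
  automountServiceAccountToken: false
  registry:
    image:
      repository: goharbor/registry-photon
      tag: v2.3.4
  controller:
    image:
      repository: goharbor/harbor-registryctl
      tag: v2.3.4
  replicas: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName:
  secret: ""
  relativeurls: false
  credentials:
    # NOTE(review): chart default credentials for the internal registry account. If you
    # change username or password, regenerate the bcrypt htpasswd entry so all three match.
    username: "harbor_registry_user"
    password: "harbor_registry_password"
    htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m"
  middleware:
    enabled: false
    type: cloudFront
    cloudFront:
      baseurl: example.cloudfront.net
      keypairid: KEYPAIRID
      duration: 3000s
      ipfilteredby: none
      privateKeySecret: "my-secret"
chartmuseum:
  enabled: true
  serviceAccountName: ""
  automountServiceAccountToken: false
  absoluteUrl: false
  image:
    repository: goharbor/chartmuseum-photon
    tag: v2.3.4
  replicas: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName:
trivy:
  enabled: true
  image:
    repository: goharbor/trivy-adapter-photon
    tag: v2.3.4
  serviceAccountName: ""
  automountServiceAccountToken: false
  replicas: 1
  debugMode: false
  vulnType: "os,library"
  severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  ignoreUnfixed: false
  insecure: false
  gitHubToken: ""
  skipUpdate: false
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1
      memory: 1Gi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  priorityClassName: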
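# Settings for notary, database and redis. Nesting restored to the chart's values.yaml layout.
notary:
  enabled: true
  server:
    serviceAccountName: ""
    automountServiceAccountToken: false
    image:
      repository: goharbor/notary-server-photon
      tag: v2.3.4
    replicas: 1
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}
    priorityClassName:
  signer:
    serviceAccountName: ""
    automountServiceAccountToken: false
    image:
      repository: goharbor/notary-signer-photon
      tag: v2.3.4
    replicas: 1
    nodeSelector: {}
    tolerations: []
    affinity: {}
    podAnnotations: {}
    priorityClassName:
  secretName: ""
database:
  # The bundled PostgreSQL is used; the external block below is not selected while type
  # is internal.
  type: internal
  internal:
    serviceAccountName: ""
    automountServiceAccountToken: false
    image:
      repository: goharbor/harbor-db
      tag: v2.3.4
    # NOTE(review): chart default database password. Set your own value before the
    # first install.
    password: "changeit"
    shmSizeLimit: 512Mi
    nodeSelector: {}
    tolerations: []
    affinity: {}
    priorityClassName:
    initContainer:
      migrator: {}
      permissions: {}
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"
    sslmode: "disable"
  maxIdleConns: 100
  maxOpenConns: 900
  podAnnotations: {}
redis:
  # The bundled Redis is used; the external block below is not selected while type is internal.
  type: internal
  internal:
    serviceAccountName: ""
    automountServiceAccountToken: false
    image:
      repository: goharbor/redis-photon
      tag: v2.3.4
    nodeSelector: {}
    tolerations: []
    affinity: {}
    priorityClassName:
  external:
    addr: "192.168.0.2:6379"
    sentinelMasterSet: ""
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    trivyAdapterIndex: "5"
    password: ""
  podAnnotations: {}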
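# Metrics exporter and metrics endpoints. Nesting restored to the chart's values.yaml layout.
exporter:
  replicas: 1
  podAnnotations: {}
  serviceAccountName: ""
  automountServiceAccountToken: false
  image:
    repository: goharbor/harbor-exporter
    tag: v2.3.4
  nodeSelector: {}
  tolerations: []
  affinity: {}
  cacheDuration: 23
  cacheCleanInterval: 14400
  priorityClassName:
metrics:
  # Metrics are switched off; the paths and ports below are the values set for each component.
  enabled: false
  core:
    path: /metrics
    port: 8001
  registry:
    path: /metrics
    port: 8001
  jobservice:
    path: /metrics
    port: 8001
  exporter:
    path: /metrics
    port: 8001
  serviceMonitor:
    enabled: false
    additionalLabels: {}
    interval: ""
    metricRelabelings: []
    relabelings: []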
自建harbor-pv.yaml 文件
注意修改文件中的ip地址
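# harbor-pv.yaml: one NFS-backed PersistentVolume per Harbor component, with the standard
# manifest nesting restored. The app/component labels are what the claims in
# harbor-pvc.yaml select on.
# NOTE(review): Recycle is deprecated in Kubernetes and scrubs the directory once its claim
# is deleted. Retain keeps registry and database data until an administrator removes it.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-chartmuseum
  labels:
    app: harbor
    component: chartmuseum
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-chartmuseum
  persistentVolumeReclaimPolicy: Recycle
  nfs:
    server: 192.168.96.237
    path: /data/harbor/chartmuseum
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-jobservice
  labels:
    app: harbor
    component: jobservice
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: harbor-jobservice
  nfs:
    server: 192.168.96.237
    path: /data/harbor/jobservice
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-registry
  labels:
    app: harbor
    component: registry
spec:
  capacity:
    # Larger than the 5Gi the registry claim requests; a claim binds to a volume at least
    # as large as its request.
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-registry
  persistentVolumeReclaimPolicy: Recycle
  nfs:
    server: 192.168.96.237
    path: /data/harbor/registry
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-database
  labels:
    app: harbor
    component: database
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-database
  persistentVolumeReclaimPolicy: Recycle
  nfs:
    server: 192.168.96.237
    path: /data/harbor/database
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-redis
  labels:
    app: harbor
    component: redis
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-redis
  persistentVolumeReclaimPolicy: Recycle
  nfs:
    server: 192.168.96.237
    path: /data/harbor/redis
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: harbor-trivy
  labels:
    app: harbor
    component: trivy
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  storageClassName: harbor-trivy
  persistentVolumeReclaimPolicy: Recycle
  nfs:
    server: 192.168.96.237
    path: /data/harbor/trivy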
自建harbor-pvc.yaml文件
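# harbor-pvc.yaml: one claim per Harbor component, with the standard manifest nesting
# restored. Each claim selects its volume by storageClassName plus the app/component labels
# set in harbor-pv.yaml. The claim names are the existingClaim values used in values.yaml.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-chartmuseum
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: harbor-chartmuseum
  selector:
    matchLabels:
      app: "harbor"
      component: "chartmuseum"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-jobservice
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: harbor-jobservice
  selector:
    matchLabels:
      app: "harbor"
      component: "jobservice"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-registry
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: harbor-registry
  selector:
    matchLabels:
      app: "harbor"
      component: "registry"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-database
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: harbor-database
  selector:
    matchLabels:
      app: "harbor"
      component: "database"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-redis
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: harbor-redis
  selector:
    matchLabels:
      app: "harbor"
      component: "redis"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-trivy
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: harbor-trivy
  selector:
    matchLabels:
      app: "harbor"
      component: "trivy"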
执行并检查
# Create the volumes first, then the claims that bind to them; files are applied in the
# order given.
kubectl apply -f harbor-pv.yaml -f harbor-pvc.yaml
[root@master opt]# kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
harbor-chartmuseum 5Gi RWO Recycle Bound default/harbor-chartmuseum harbor-chartmuseum 78m
harbor-database 5Gi RWO Recycle Bound default/harbor-database harbor-database 78m
harbor-jobservice 1Gi RWO Recycle Bound default/harbor-jobservice harbor-jobservice 47m
harbor-redis 1Gi RWO Recycle Bound default/harbor-redis harbor-redis 78m
harbor-registry 10Gi RWO Recycle Bound default/harbor-registry harbor-registry 78m
harbor-trivy 5Gi RWO Recycle Bound default/harbor-trivy harbor-trivy 78m
# 确认状态STATUS Bound
安装harbor
[root@master opt]# helm install harbor ./harbor/
[root@master opt]# kubectl get pod
NAME READY STATUS RESTARTS AGE
myharbor-chartmuseum-79575d869d-k5rnb 1/1 Running 0 19m
myharbor-core-7c65b447f-dv2kg 1/1 Running 4 24m
myharbor-database-0 1/1 Running 0 18m
myharbor-jobservice-7c697cdfb7-wkl6s 1/1 Running 0 18m
myharbor-nginx-b4c5f5df-kj2m6 1/1 Running 0 18m
myharbor-notary-server-69bc6bfd76-6ch66 1/1 Running 1 18m
myharbor-notary-signer-56fb6d7cf8-p5r45 1/1 Running 1 18m
myharbor-portal-d68c657b-5nrfk 1/1 Running 0 18m
myharbor-redis-0 1/1 Running 0 18m
myharbor-registry-69f9fdfc9f-mncgz 2/2 Running 0 18m
myharbor-trivy-0 1/1 Running 0 18m
# 确保全部running
# 检查服务
[root@master opt]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
harbor NodePort 10.100.188.52 <none> 80:30002/TCP,4443:30004/TCP 25m
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 38h
myharbor-chartmuseum ClusterIP 10.100.104.33 <none> 80/TCP 25m
myharbor-core ClusterIP 10.107.32.110 <none> 80/TCP 25m
myharbor-database ClusterIP 10.107.51.47 <none> 5432/TCP 25m
myharbor-jobservice ClusterIP 10.109.209.98 <none> 80/TCP 25m
myharbor-notary-server ClusterIP 10.108.118.98 <none> 4443/TCP 25m
myharbor-notary-signer ClusterIP 10.99.78.247 <none> 7899/TCP 25m
myharbor-portal ClusterIP 10.111.86.216 <none> 80/TCP 25m
myharbor-redis ClusterIP 10.99.72.84 <none> 6379/TCP 25m
myharbor-registry ClusterIP 10.102.93.194 <none> 5000/TCP,8080/TCP 25m
myharbor-trivy ClusterIP 10.102.55.41 <none> 8080/TCP 25m
web页面访问
http://192.168.96.237:30002 # 没有配置https,否则可以访问30004
# 默认账号 admin 密码 Harbor12345(即 values.yaml 中的 harborAdminPassword,首次登录后请立即修改)
配置node节点登录
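# On each node that pushes to or pulls from this Harbor instance, edit the Docker daemon
# configuration and add the line shown below:
# vim /etc/docker/daemon.json
# Registry entries are written as host:port without a URL scheme.
# NOTE(review): listing the registry here makes Docker use plain HTTP for it, so login
# credentials and image data are sent unencrypted. Enabling expose.tls in values.yaml
# removes the need for this entry.
{"insecure-registries": ["192.168.96.237:30002"]}
# Restart Docker so the new daemon.json is loaded:
# systemctl restart docker
docker login http://192.168.96.237:30002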