Install Harbor Image Registry on Kubernetes / OpenShift with a Helm Chart




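Harbor is an open source cloud-native registry that stores, signs, and scans container images for vulnerabilities. This guide explains how to install the Harbor Image Registry on Kubernetes / OpenShift with a Helm chart. Some of the notable features of the Harbor Image Registry are:

Harbor registry features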

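  • Multi-tenant support
  • Security and vulnerability analysis support
  • Extensible API and web UI
  • Content signing and validation
  • Image replication across multiple Harbor instances
  • Identity integration and role-based access control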

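Helm is a command-line interface (CLI) tool built to make it easy to deploy applications and services to Kubernetes / OpenShift Container Platform clusters. Helm uses a packaging format called charts. A Helm chart is a collection of files that describe Kubernetes resources.

Step 1: Install Helm 3 on Linux / macOS

Helm is distributed as a binary application, so installing it on a Linux / macOS machine requires no dependencies.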

--- Linux ---
sudo curl -L https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/helm-linux-amd64 -o /usr/local/bin/helm
sudo chmod +x /usr/local/bin/helm

--- macOS ---
sudo curl -L https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/helm-darwin-amd64 -o /usr/local/bin/helm
sudo chmod +x /usr/local/bin/helm

Check the installed version.

$ helm version
version.BuildInfo{Version:"v3.1+unreleased", GitCommit:"7ebdbb86fca32c77f2fce166f7f9e58ebf7e9946", GitTreeState:"clean", GoVersion:"go1.13.4"}

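Step 2: Install the Harbor Helm chart in the Kubernetes / OpenShift cluster

A chart is a Helm package. It contains all the resource definitions needed to run an application, tool, or service inside a Kubernetes cluster.

Add the Harbor Helm repository.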

$ helm repo add harbor https://helm.goharbor.io
"harbor" has been added to your repositories

Update the repository.

$ helm repo update

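Configure the chart

Configuration items can be set with the --set flag during installation, or by editing values.yaml directly.

Harbor Helm configuration page

You can download the default values.yaml file.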

wget https://raw.githubusercontent.com/goharbor/harbor-helm/master/values.yaml
vim values.yaml
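
Helm merges the file passed with -f over the chart defaults, so a default such as the Harbor12345 admin password listed in Step 3 reaches the cluster unless values.yaml overrides it. The pre-install check below is an added example, not part of the original guide or the Harbor project; the key names harborAdminPassword and secretKey and the default values not-a-secure-key and changeit are assumed from the chart's default values.yaml and are not shown on this page.

```shell
#!/bin/sh
# Added example: flag chart-default secrets in a values file before `helm install`.
# "Harbor12345" is the default shown in this guide; the other key names and
# default values are assumptions taken from the chart's stock values.yaml.

check_harbor_values() {
  file=$1
  rc=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

  # Any key that still carries one of the known default secret values.
  hits=$(grep -nE '^[[:space:]]*[A-Za-z]+:[[:space:]]*"?(Harbor12345|not-a-secure-key|changeit)"?[[:space:]]*(#.*)?$' "$file" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed 's/^/default secret, line /'
    rc=1
  fi

  # A key missing from the -f file falls back to the chart default.
  if ! grep -qE '^harborAdminPassword:[[:space:]]*[^[:space:]#]' "$file"; then
    echo "harborAdminPassword not set: chart default applies"
    rc=1
  fi
  return "$rc"
}

# Constructed sample input: one untouched default, one changed value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
harborAdminPassword: "Harbor12345"
secretKey: "Xk29fLq0ZpT7vB3m"
EOF
check_harbor_values "$sample" || echo "fix values.yaml before installing"
rm -f "$sample"
```

The function returns 0 only when no default is found, so it can gate the install step in a script.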

Once your changes are complete, install the Harbor Helm chart with the custom configuration.

$ helm install harbor harbor/harbor -f values.yaml -n harbor
NAME: harbor
LAST DEPLOYED: Wed Apr  1 19:20:07 2020
NAMESPACE: harbor
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Please wait for several minutes for Harbor deployment to complete.
Then you should be able to visit the Harbor portal at https://hbr.apps.hqocp.safaricom.net.
For more details, please visit https://github.com/goharbor/harbor.

Check the status to confirm it is deployed.

$ helm status harbor

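Fix Init:CrashLoopBackOff on harbor-harbor-database-0 in OpenShift

Some container images, such as Postgres and Redis, require root access and have certain expectations about how volumes are owned. You need to relax the security in your cluster so that images are not forced to run as a pre-allocated UID, without granting everyone access to the privileged SCC:

Grant all authenticated users access to the anyuid SCC: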

$ oc adm policy add-scc-to-group anyuid system:authenticated
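
The grant above applies to every authenticated user and service account in every project. As an added example (not from the original guide), the script below takes an inventory of which service accounts in the harbor namespace run pods admitted under anyuid and prints a grant scoped to those accounts, followed by the removal of the group-wide one; the `default` service account and the SCC column in the sample rows are assumptions.

```shell
#!/bin/sh
# Added example: plan a namespace-scoped replacement for the group-wide anyuid grant.
# Input rows are "pod<TAB>serviceaccount<TAB>scc". On a live cluster they come from
# (openshift.io/scc is the annotation OpenShift writes on each admitted pod):
#   kubectl get pods -n harbor -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.serviceAccountName}{"\t"}{.metadata.annotations.openshift\.io/scc}{"\n"}{end}'

# Unique service accounts whose pods were admitted under anyuid.
anyuid_service_accounts() {
  awk -F '\t' '$3 == "anyuid" && $2 != "" { print $2 }' | sort -u
}

# Print scoped grants for namespace $1, then the removal of the broad grant.
scoped_scc_plan() {
  ns=$1
  sas=$(anyuid_service_accounts)
  if [ -z "$sas" ]; then
    echo "# no pod in $ns was admitted under anyuid"
    return 0
  fi
  for sa in $sas; do
    # The output is meant to be run, so refuse names with unexpected characters.
    case $ns$sa in
      *[!a-z0-9.-]*) echo "# skipped unexpected name: $sa"; continue ;;
    esac
    echo "oc adm policy add-scc-to-user anyuid -z $sa -n $ns"
  done
  echo "oc adm policy remove-scc-from-group anyuid system:authenticated"
}

# Constructed sample rows: pod names from this guide's listing; the service
# account and SCC columns are assumed for illustration.
sample_rows() {
  printf 'harbor-harbor-database-0\tdefault\tanyuid\n'
  printf 'harbor-harbor-redis-0\tdefault\tanyuid\n'
  printf 'harbor-harbor-portal-5cbc6d5897-r5wzh\tdefault\trestricted\n'
}
sample_rows | scoped_scc_plan harbor
```

Review the printed commands before running them: other projects on the cluster may also depend on the group-wide grant.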

Check the deployment status.

$ kubectl get deployments
NAME                          READY   UP-TO-DATE   AVAILABLE   AGE
harbor-harbor-chartmuseum     1/1     1            1           24m
harbor-harbor-clair           1/1     1            1           24m
harbor-harbor-core            1/1     1            1           24m
harbor-harbor-jobservice      1/1     1            1           24m
harbor-harbor-notary-server   1/1     1            1           24m
harbor-harbor-notary-signer   1/1     1            1           24m
harbor-harbor-portal          1/1     1            1           24m
harbor-harbor-registry        1/1     1            1           24m

Check the status of the pods.

$ kubectl get pods
NAME                                           READY   STATUS    RESTARTS   AGE
harbor-harbor-chartmuseum-58f8647f95-mtmmf     1/1     Running   0          5m16s
harbor-harbor-clair-654dcfd8bf-77qs6           2/2     Running   0          5m16s
harbor-harbor-core-5cb85989d6-r7s84            1/1     Running   0          5m16s
harbor-harbor-database-0                       1/1     Running   0          5m33s
harbor-harbor-jobservice-fc54cf784-lv864       1/1     Running   0          5m16s
harbor-harbor-notary-server-65d8fb7c77-xgxvg   1/1     Running   0          5m16s
harbor-harbor-notary-signer-66c9db4cf4-5bwvh   1/1     Running   0          5m16s
harbor-harbor-portal-5cbc6d5897-r5wzh          1/1     Running   0          25m
harbor-harbor-redis-0                          1/1     Running   0          5m16s
harbor-harbor-registry-7ff65976f4-sgnnd        2/2     Running   0          5m16s

Finally, verify that the services and ingress have been created.

$ kubectl get svc
NAME                          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
harbor-harbor-chartmuseum     ClusterIP   172.30.161.108   <none>        80/TCP              26m
harbor-harbor-clair           ClusterIP   172.30.133.154   <none>        8080/TCP            26m
harbor-harbor-core            ClusterIP   172.30.29.180    <none>        80/TCP              26m
harbor-harbor-database        ClusterIP   172.30.199.219   <none>        5432/TCP            26m
harbor-harbor-jobservice      ClusterIP   172.30.86.18     <none>        80/TCP              26m
harbor-harbor-notary-server   ClusterIP   172.30.188.135   <none>        4443/TCP            26m
harbor-harbor-notary-signer   ClusterIP   172.30.165.7     <none>        7899/TCP            26m
harbor-harbor-portal          ClusterIP   172.30.41.233    <none>        80/TCP              26m
harbor-harbor-redis           ClusterIP   172.30.101.107   <none>        6379/TCP            26m
harbor-harbor-registry        ClusterIP   172.30.112.213   <none>        5000/TCP,8080/TCP   26m

$ kubectl get ing
NAME                    HOSTS                                     ADDRESS   PORTS     AGE
harbor-harbor-ingress   core.harbor.domain,notary.harbor.domain             80, 443   26m

I actually did this on OpenShift, so I created a route.

$ kubectl get route
NAME                          HOST/PORT              PATH          SERVICES                      PORT   TERMINATION     WILDCARD
harbor-harbor-ingress-7f9vg   notary.harbor.domain   /             harbor-harbor-notary-server   4443   edge/Redirect   None
harbor-harbor-ingress-9pvvz   core.harbor.domain     /             harbor-harbor-portal          8080   edge/Redirect   None
harbor-harbor-ingress-d7mcn   core.harbor.domain     /c/           harbor-harbor-core            8080   edge/Redirect   None
harbor-harbor-ingress-gn5w6   core.harbor.domain     /chartrepo/   harbor-harbor-core            8080   edge/Redirect   None
harbor-harbor-ingress-jf48l   core.harbor.domain     /service/     harbor-harbor-core            8080   edge/Redirect   None
harbor-harbor-ingress-lhbx4   core.harbor.domain     /api/         harbor-harbor-core            8080   edge/Redirect   None
harbor-harbor-ingress-vtt8v   core.harbor.domain     /v2/          harbor-harbor-core            8080   edge/Redirect   None

A number of persistent volume claims are also created, matching the size values you specified.

$ kubectl  get pvc
NAME                                     STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                AGE
data-harbor-harbor-redis-0               Bound    pvc-1de4a5b2-d55a-48cc-b8b6-1b258214260c   1Gi        RWO            ocs-storagecluster-cephfs   29m
database-data-harbor-harbor-database-0   Bound    pvc-9754adde-e2bd-40ee-b18b-d72eacfdfc12   1Gi        RWO            ocs-storagecluster-cephfs   29m
harbor-harbor-chartmuseum                Bound    pvc-3944fce8-ecee-4bec-b0f6-cc5da3b30572   5Gi        RWO            ocs-storagecluster-cephfs   29m
harbor-harbor-jobservice                 Bound    pvc-5ecf0be4-002c-4628-8dcc-283e996175bc   1Gi        RWO            ocs-storagecluster-cephfs   29m
harbor-harbor-registry                   Bound    pvc-072358e9-06f2-4384-b7d6-88e97eb29499   5Gi        RWO            ocs-storagecluster-cephfs   29m

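Step 3: Access the Harbor administration dashboard

Use the external domain configured during installation to access the Harbor container registry dashboard.

If you did not change the password, the default login is: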

Username: admin
Password: Harbor12345

Remember to change the password after the first login.
