Installing the Harbor Image Registry on Kubernetes/OpenShift with a Helm Chart

Date: 2020-02-23 14:31:42  Source: igfitidea

Harbor is an open-source cloud-native registry that stores, signs, and scans container images for vulnerabilities.
This tutorial walks through installing the Harbor image registry on Kubernetes/OpenShift with a Helm chart.
Some of the notable features of the Harbor image registry are:

Harbor Registry features

- Multi-tenancy support
- Security and vulnerability analysis
- Extensible API and web UI
- Content signing and validation
- Image replication across multiple Harbor instances
- Identity integration and role-based access control

Helm is a command-line interface (CLI) tool created to simplify deploying applications and services to a Kubernetes/OpenShift Container Platform cluster.
Helm uses a packaging format called charts.
A Helm chart is a collection of files that describe Kubernetes resources.

Step 1: Install Helm 3 on Linux/macOS

Helm is distributed as a single binary, so it can be installed on a Linux/macOS machine without any dependencies:

# Linux
sudo curl -L https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/helm-linux-amd64 -o /usr/local/bin/helm
sudo chmod +x /usr/local/bin/helm
# macOS
sudo curl -L https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/helm-darwin-amd64 -o /usr/local/bin/helm
sudo chmod +x /usr/local/bin/helm

Check the installed version:

$helm version
version.BuildInfo{Version:"v3.1+unreleased", GitCommit:"7ebdbb86fca32c77f2fce166f7f9e58ebf7e9946", GitTreeState:"clean", GoVersion:"go1.13.4"}

Step 2: Install the Harbor Helm Chart on the Kubernetes/OpenShift cluster

A chart is a Helm package.
It contains all of the resource definitions needed to run an application, tool, or service inside a Kubernetes cluster.
Add the Harbor Helm repository:

$helm repo add harbor https://helm.goharbor.io
"harbor" has been added to your repositories

Update the repositories:

$helm repo update

Configure the chart

Configuration items can be set during installation with the --set flag, or by editing values.yaml directly.
See the Harbor Helm configuration page.
We can download the default values.yaml file:

wget https://raw.githubusercontent.com/goharbor/harbor-helm/master/values.yaml
vim values.yaml

Customize the file to set the values you need, then install the Harbor Helm chart with your custom configuration once the edits are done:

$helm install harbor harbor/harbor -f values.yaml -n harbor
NAME: harbor
LAST DEPLOYED: Wed Apr  1 19:20:07 2017
NAMESPACE: harbor
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Please wait for several minutes for Harbor deployment to complete.
Then you should be able to visit the Harbor portal at https://ocr.example.com
For more details, please visit https://github.com/goharbor/harbor.

Values can also be passed on the command line during the Helm install.
See the Harbor Helm configuration page.
Here is an example passing a few parameters with the --set flag:

# Same install, with PVC sizes/access mode, the external URL and the ingress hosts passed as --set values
helm install harbor harbor/harbor \
--set persistence.persistentVolumeClaim.registry.accessMode=ReadWriteMany \
--set persistence.persistentVolumeClaim.registry.size=50Gi \
--set persistence.persistentVolumeClaim.chartmuseum.size=5Gi \
--set persistence.persistentVolumeClaim.database.size=5Gi \
--set externalURL=https://ocr.example.com \
--set expose.ingress.hosts.core=ocr.example.com \
--set expose.ingress.hosts.notary=notary.example.com \
-n harbor
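As an added example (not part of the original article and not code from the Harbor chart), the script below renders the same settings the --set flags above express into an equivalent values.yaml, and checks that externalURL agrees with expose.ingress.hosts.core before you run helm. The hostnames, sizes and password are placeholders supplied by the caller; harborAdminPassword is a key from the chart's own values.yaml that the article does not show, included so the install does not go live with the default password.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article or the Harbor chart: render the
# values the article passes with --set into an equivalent values.yaml, and check
# that externalURL agrees with expose.ingress.hosts.core before running helm.
# Hostnames, sizes and the password are placeholders supplied by the caller.

# Render a values.yaml with the keys the article sets on the command line.
# harborAdminPassword is a chart key not shown in the article; setting it here
# avoids going live with the default "Harbor12345".
render_values() {
  local core_host="$1" notary_host="$2" registry_size="$3" admin_password="$4"
  cat <<EOF
externalURL: https://${core_host}
harborAdminPassword: "${admin_password}"
expose:
  ingress:
    hosts:
      core: ${core_host}
      notary: ${notary_host}
persistence:
  persistentVolumeClaim:
    registry:
      accessMode: ReadWriteMany
      size: ${registry_size}
    chartmuseum:
      size: 5Gi
    database:
      size: 5Gi
EOF
}

# Return 0 when the host in externalURL equals expose.ingress.hosts.core.
# Harbor builds the token-service URL it hands to docker clients from externalURL,
# so a mismatch breaks docker login/push even when every pod is healthy.
check_external_url() {
  local file="$1" url_host core_host
  url_host=$(sed -n 's#^externalURL: *https\{0,1\}://##p' "$file" | sed 's#[:/].*##')
  core_host=$(sed -n 's/^ *core: *//p' "$file")
  [ -n "$url_host" ] && [ "$url_host" = "$core_host" ]
}

# Demonstration with constructed placeholder values.
values_file=$(mktemp)
render_values ocr.example.com notary.example.com 50Gi 'change-me-placeholder' > "$values_file"
if check_external_url "$values_file"; then
  echo "values.yaml is consistent; install with:"
  echo "  helm install harbor harbor/harbor -f $values_file -n harbor"
else
  echo "externalURL does not match expose.ingress.hosts.core; fix values.yaml first"
fi
```

One caveat for either install form: helm install does not create the target namespace. Create it first (kubectl create namespace harbor, or oc new-project harbor on OpenShift); Helm 3.2 and later also accept --create-namespace.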

Check the status to confirm it has been deployed:

$helm status harbor

Updating the Harbor deployment

If you change parameters in values.yaml or add new ones, upgrade the Helm release with:

$helm upgrade harbor harbor/harbor -f values.yaml -n harbor
Release "harbor" has been upgraded. Happy Helming!
NAME: harbor
LAST DEPLOYED: Thu Apr 30 11:30:06 2017
NAMESPACE: harbor
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
Please wait for several minutes for Harbor deployment to complete.
Then you should be able to visit the Harbor portal at https://ocr.example.com
For more details, please visit https://github.com/goharbor/harbor.

To delete the deployment, run:

$helm uninstall harbor -n harbor

Fixing Init:CrashLoopBackOff on harbor-harbor-database-0 on OpenShift

Some container images (for example postgres and redis) need root access and have expectations about how their volumes are owned.
We need to relax security in the cluster so that images are not forced to run as a pre-allocated UID, without granting everyone access to the privileged SCC: grant all authenticated users access to the anyuid SCC:

# Cluster-wide: every authenticated user may now run pods as any UID, not only the Harbor namespace
$oc adm policy add-scc-to-group anyuid system:authenticated

Check the deployment status:

$kubectl get deployments
NAME                          READY   UP-TO-DATE   AVAILABLE   AGE
harbor-harbor-chartmuseum     1/1     1            1           24m
harbor-harbor-clair           1/1     1            1           24m
harbor-harbor-core            1/1     1            1           24m
harbor-harbor-jobservice      1/1     1            1           24m
harbor-harbor-notary-server   1/1     1            1           24m
harbor-harbor-notary-signer   1/1     1            1           24m
harbor-harbor-portal          1/1     1            1           24m
harbor-harbor-registry        1/1     1            1           24m

Check the pod status:

$kubectl get pods
NAME                                           READY   STATUS    RESTARTS   AGE
harbor-harbor-chartmuseum-58f8647f95-mtmmf     1/1     Running   0          5m16s
harbor-harbor-clair-654dcfd8bf-77qs6           2/2     Running   0          5m16s
harbor-harbor-core-5cb85989d6-r7s84            1/1     Running   0          5m16s
harbor-harbor-database-0                       1/1     Running   0          5m33s
harbor-harbor-jobservice-fc54cf784-lv864       1/1     Running   0          5m16s
harbor-harbor-notary-server-65d8fb7c77-xgxvg   1/1     Running   0          5m16s
harbor-harbor-notary-signer-66c9db4cf4-5bwvh   1/1     Running   0          5m16s
harbor-harbor-portal-5cbc6d5897-r5wzh          1/1     Running   0          25m
harbor-harbor-redis-0                          1/1     Running   0          5m16s
harbor-harbor-registry-7ff65976f4-sgnnd        2/2     Running   0          5m16s
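Reading a pod table by eye is how the database pod's Init:CrashLoopBackOff above gets noticed; the following added example (mine, not from the article or the Harbor project) turns that check into a script that flags any pod which is not Running with all of its containers ready. The pod table it runs on is a constructed sample, so it runs offline; against a cluster you would pipe kubectl get pods -n harbor into it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: a readiness check over
# `kubectl get pods` output. It flags any pod that is not Running with all
# containers ready, which is how the database pod's Init:CrashLoopBackOff shows up.
# A constructed sample of that output is embedded so the script runs offline.

SAMPLE_PODS='NAME                                           READY   STATUS                  RESTARTS   AGE
harbor-harbor-core-5cb85989d6-r7s84            1/1     Running                 0          5m16s
harbor-harbor-database-0                       0/1     Init:CrashLoopBackOff   6          5m33s
harbor-harbor-registry-7ff65976f4-sgnnd        1/2     Running                 0          5m16s
harbor-harbor-redis-0                          1/1     Running                 0          5m16s'

# Read a pods table on stdin; print "NAME STATUS READY" for each pod that is
# either not Running or has fewer ready containers than it declares.
unhealthy_pods() {
  awk 'NR > 1 {
    split($2, r, "/")
    if ($3 != "Running" || r[1] != r[2]) print $1, $3, $2
  }'
}

# Return 0 when every pod in the table on stdin is healthy, 1 otherwise.
pods_healthy() {
  [ "$(unhealthy_pods | grep -c .)" -eq 0 ]
}

# Demonstration on the constructed sample.
# Usage against a cluster: kubectl get pods -n harbor | unhealthy_pods
echo "Pods needing attention:"
printf '%s\n' "$SAMPLE_PODS" | unhealthy_pods
```

The READY column is compared as well as STATUS because a pod can report Running while one of its containers (the registry pod has two) is still failing its readiness probe.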

Finally, confirm that the services and the ingress have been created.

$kubectl get svc
NAME                          TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
harbor-harbor-chartmuseum     ClusterIP   172.30.161.108   <none>        80/TCP              26m
harbor-harbor-clair           ClusterIP   172.30.133.154   <none>        8080/TCP            26m
harbor-harbor-core            ClusterIP   172.30.29.180    <none>        80/TCP              26m
harbor-harbor-database        ClusterIP   172.30.199.219   <none>        5432/TCP            26m
harbor-harbor-jobservice      ClusterIP   172.30.86.18     <none>        80/TCP              26m
harbor-harbor-notary-server   ClusterIP   172.30.188.135   <none>        4443/TCP            26m
harbor-harbor-notary-signer   ClusterIP   172.30.165.7     <none>        7899/TCP            26m
harbor-harbor-portal          ClusterIP   172.30.41.233    <none>        80/TCP              26m
harbor-harbor-redis           ClusterIP   172.30.101.107   <none>        6379/TCP            26m
harbor-harbor-registry        ClusterIP   172.30.112.213   <none>        5000/TCP,8080/TCP   26m
$kubectl get ing
NAME                    HOSTS                                     ADDRESS   PORTS     AGE
harbor-harbor-ingress   core.harbor.domain,notary.harbor.domain             80, 443   26m

Since I am actually doing this deployment on OpenShift, I also get routes created:

$kubectl get route
NAME                          HOST/PORT              PATH          SERVICES                      PORT   TERMINATION     WILDCARD
harbor-harbor-ingress-7f9vg   notary.harbor.domain  /           harbor-harbor-notary-server   4443   edge/Redirect   None
harbor-harbor-ingress-9pvvz   core.harbor.domain    /           harbor-harbor-portal          8080   edge/Redirect   None
harbor-harbor-ingress-d7mcn   core.harbor.domain     /c/          harbor-harbor-core            8080   edge/Redirect   None
harbor-harbor-ingress-gn5w6   core.harbor.domain     /chartrepo/  harbor-harbor-core            8080   edge/Redirect   None
harbor-harbor-ingress-jf48l   core.harbor.domain     /service/    harbor-harbor-core            8080   edge/Redirect   None
harbor-harbor-ingress-lhbx4   core.harbor.domain     /api/        harbor-harbor-core            8080   edge/Redirect   None
harbor-harbor-ingress-vtt8v   core.harbor.domain     /v2/         harbor-harbor-core            8080   edge/Redirect   None

A number of persistent volume claims are also created,
matching the size values we specified.

$kubectl get pvc
NAME                                     STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                AGE
data-harbor-harbor-redis-0               Bound    pvc-1de4a5b2-d55a-48cc-b8b6-1b258214260c   1Gi        RWO            ocs-storagecluster-cephfs   29m
database-data-harbor-harbor-database-0   Bound    pvc-9754adde-e2bd-40ee-b18b-d72eacfdfc12   1Gi        RWO            ocs-storagecluster-cephfs   29m
harbor-harbor-chartmuseum                Bound    pvc-3944fce8-ecee-4bec-b0f6-cc5da3b30572   5Gi        RWO            ocs-storagecluster-cephfs   29m
harbor-harbor-jobservice                 Bound    pvc-5ecf0be4-002c-4628-8dcc-283e996175bc   1Gi        RWO            ocs-storagecluster-cephfs   29m
harbor-harbor-registry                   Bound    pvc-072358e9-06f2-4384-b7d6-88e97eb29499   5Gi        RWO            ocs-storagecluster-cephfs   29m

Step 3: Access the Harbor admin dashboard

Use the external domain configured during installation to reach the Harbor container registry dashboard.

If you did not change the password, the default login is:

Username: admin
Password: Harbor12345

Do not forget to change the password after the first login.

Step 4: Add a pull secret to Kubernetes/OpenShift

Follow the steps in the tutorial below to add the pull secret to Kubernetes/OpenShift:
Add the Harbor image registry pull secret to Kubernetes/OpenShift