[root@elasticsearch01 rbd-provisioner]# ls clusterrolebinding.yaml deployment.yaml role.yaml clusterrole.yaml rolebinding.yaml serviceaccount.yaml [root@elasticsearch01 rbd-provisioner]# kubectl create -f ./ clusterrole.rbac.authorization.k8s.io/rbd-provisioner created clusterrolebinding.rbac.authorization.k8s.io/rbd-provisioner created deployment.extensions/rbd-provisioner created role.rbac.authorization.k8s.io/rbd-provisioner created rolebinding.rbac.authorization.k8s.io/rbd-provisioner created serviceaccount/rbd-provisioner created
3、验证rbd-provisioner
[root@elasticsearch01 rbd-provisioner]# kubectl get pods NAME READY STATUS RESTARTS AGE busybox 1/1 Running 600 25d ceph-rbd-pv-pod1 1/1 Running 10 6d23h jenkins-0 1/1 Running 0 6d1h rbd-provisioner-67b4857bcd-xxwx5 1/1 Running 0 9s
[root@elasticsearch01 harbor-helm]# cat values.yaml
# "expose" selects how Harbor is published. This file uses an Ingress with TLS
# enabled; the clusterIP and nodePort sections below are the alternatives.
expose:
  # Set the way how to expose the service. Set the type as "ingress",
  # "clusterIP" or "nodePort" and fill the information in the corresponding
  # section
  type: ingress
  tls:
    # Enable the tls or not. Note: if the type is "ingress" and the tls
    # is disabled, the port must be included in the command when pull/push
    # images. Refer to https://github.com/goharbor/harbor/issues/5291
    # for the detail.
    enabled: true
    # Fill the name of secret if you want to use your own TLS certificate
    # and private key. The secret must contain keys named tls.crt and
    # tls.key that contain the certificate and private key to use for TLS
    # The certificate and private key will be generated automatically if
    # it is not set
    # NOTE(review): a name is set here, so no certificate is auto-generated;
    # the Secret "ingress-secret" presumably has to exist in the release
    # namespace before install. Confirm it holds a certificate valid for both
    # ingress hosts below.
    secretName: "ingress-secret"
    # By default, the Notary service will use the same cert and key as
    # described above. Fill the name of secret if you want to use a
    # separated one. Only needed when the type is "ingress".
    notarySecretName: ""
    # The common name used to generate the certificate, it's necessary
    # when the type is "clusterIP" or "nodePort" and "secretName" is null
    commonName: ""
  ingress:
    hosts:
      core: core-harbor.minminmsn.com
      notary: notary-harbor.minminmsn.com
    annotations:
      # ssl-redirect sends plain-HTTP requests to HTTPS, so credentials and
      # image traffic are not served over port 80.
      ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # proxy-body-size "0" removes the ingress request-body size limit,
      # presumably so that large image layers can be pushed.
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
  clusterIP:
    # The name of ClusterIP service
    name: harbor
    ports:
      # The service port Harbor listens on when serving with HTTP
      httpPort: 80
      # The service port Harbor listens on when serving with HTTPS
      httpsPort: 443
      # The service port Notary listens on. Only needed when notary.enabled
      # is set to true
      notaryPort: 4443
  nodePort:
    # The name of NodePort service
    name: harbor
    ports:
      http:
        # The service port Harbor listens on when serving with HTTP
        port: 80
        # The node port Harbor listens on when serving with HTTP
        nodePort: 30002
      https:
        # The service port Harbor listens on when serving with HTTPS
        port: 443
        # The node port Harbor listens on when serving with HTTPS
        nodePort: 30003
      # Only needed when notary.enabled is set to true
      notary:
        # The service port Notary listens on
        port: 4443
        # The node port Notary listens on
        nodePort: 30004
# The external URL for Harbor core service. It is used to
# 1) populate the docker/helm commands showed on portal
# 2) populate the token service URL returned to docker/notary client
#
# Format: protocol://domain[:port]. Usually:
# 1) if "expose.type" is "ingress", the "domain" should be
#    the value of "expose.ingress.hosts.core"
# 2) if "expose.type" is "clusterIP", the "domain" should be
#    the value of "expose.clusterIP.name"
# 3) if "expose.type" is "nodePort", the "domain" should be
#    the IP address of k8s node
#
# If Harbor is deployed behind the proxy, set it as the URL of proxy
#
# Here the scheme is https and the host equals expose.ingress.hosts.core,
# which matches the TLS-enabled ingress configured in this file. Because this
# URL is handed to clients as the token service address, a scheme or host that
# differs from what clients actually reach would presumably break login.
externalURL: https://core-harbor.minminmsn.com
# The persistence is enabled by default and a default StorageClass
# is needed in the k8s cluster to provision volumes dynamically.
# Specify another StorageClass in the "storageClass" or set "existingClaim"
# if you have already existing persistent volumes to use
#
# For storing images and charts, you can also use "azure", "gcs", "s3",
# "swift" or "oss". Set it in the "imageChartStorage" section
persistence:
  enabled: true
  # Setting it to "keep" to avoid removing PVCs during a helm delete
  # operation. Leaving it empty will delete PVCs after the chart deleted
  # NOTE(review): with "keep", volumes and the data on them (images, charts,
  # job logs) outlive the release; remove the PVCs explicitly when that data
  # must not persist after an uninstall.
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      # Use the existing PVC which must be created manually before bound
      existingClaim: ""
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used(the default).
      # Set it to "-" to disable dynamic provisioning
      # "rbd" is presumably the StorageClass served by the rbd-provisioner
      # deployed earlier on this page; verify the class exists before install.
      storageClass: "rbd"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 50Gi
    chartmuseum:
      existingClaim: ""
      storageClass: "rbd"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: "rbd"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 2Gi
    # If external database is used, the following settings for database will
    # be ignored
    database:
      existingClaim: ""
      storageClass: "rbd"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 2Gi
    # If external Redis is used, the following settings for Redis will
    # be ignored
    redis:
      existingClaim: ""
      storageClass: "rbd"
      subPath: ""
      accessMode: ReadWriteOnce
      size: 2Gi
  # Define which storage backend is used for registry and chartmuseum to store
  # images and charts. Refer to
  # https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
  # for the detail.
  imageChartStorage:
    # Specify the type of storage: "filesystem", "azure", "gcs", "s3", "swift",
    # "oss" and fill the information needed in the corresponding section. The type
    # must be "filesystem" if you want to use persistent volumes for registry
    # and chartmuseum
    type: filesystem
    filesystem:
      rootdirectory: /storage
      #maxthreads: 100
    # NOTE(review): the azure/gcs/s3/swift/oss sections below carry sample
    # placeholder values and are presumably unused while type is "filesystem".
    # If one of them is enabled, its account key, password or access secret
    # would sit in plaintext in this file; keep real credentials out of
    # version control and out of pasted terminal output.
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
      #realm: core.windows.net
    gcs:
      bucket: bucketname
      # TODO: support the keyfile of gcs
      #keyfile: /path/to/keyfile
      #rootdirectory: /gcs/object/name/prefix
      #chunksize: "5242880"
    s3:
      region: us-west-1
      bucket: bucketname
      #accesskey: awsaccesskey
      #secretkey: awssecretkey
      #regionendpoint: http://myobjects.local
      #encrypt: false
      #keyid: mykeyid
      #secure: true
      #v4auth: true
      #chunksize: "5242880"
      #rootdirectory: /s3/object/name/prefix
      #storageclass: STANDARD
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
      #region: fr
      #tenant: tenantname
      #tenantid: tenantid
      #domain: domainname
      #domainid: domainid
      #trustid: trustid
      #insecureskipverify: false
      #chunksize: 5M
      #prefix:
      #secretkey: secretkey
      #accesskey: accesskey
      #authversion: 3
      #endpointtype: public
      #tempurlcontainerkey: false
      #tempurlmethods:
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname
      #endpoint: endpoint
      #internal: false
      #encrypt: false
      #secure: true
      #chunksize: 10M
      #rootdirectory: rootdirectory
# Pull an image only when the node does not already have that tag cached.
# NOTE(review): combined with tag-only image references, a node keeps running
# whatever it first cached under a tag, even if the tag is later re-pushed.
imagePullPolicy: IfNotPresent
# Log verbosity for the Harbor components (presumably applied chart-wide).
# NOTE(review): "debug" helps while bringing the stack up but is verbose;
# consider a less verbose level once the deployment works, and check what the
# debug logs contain before shipping them to shared log storage.
logLevel: debug
# The initial password of Harbor admin. Change it from portal after launching Harbor
# NOTE(review): this value is stored in plaintext in values.yaml and is visible
# in this terminal output. Treat it as a bootstrap value only: rotate it right
# after the first login and keep the real password out of version control.
harborAdminPassword: "newpassword"
# The secret key used for encryption. Must be a string of 16 chars.
# NOTE(review): "not-a-secure-key" reads as a sample value. Replace it with a
# unique, randomly generated 16-character string before installing; a key that
# is published in a tutorial protects nothing that is encrypted with it.
secretKey: "not-a-secure-key"
# If expose the service via "ingress", the Nginx will not be used
# (expose.type is "ingress" in this file, so this section is presumably inert.)
nginx:
  image:
    repository: goharbor/nginx-photon
    # Referenced by tag only; a digest reference would pin the exact image.
    tag: v1.7.0
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
# Clair settings. "enabled: true" turns the Clair component on; per the
# comments below it maintains a vulnerabilities database fetched from the
# internet.
clair:
  enabled: true
  image:
    repository: goharbor/clair-photon
    tag: v2.0.7-v1.7.0
  replicas: 1
  # The http(s) proxy used to update vulnerabilities database from internet
  # NOTE(review): both values are empty, so updates presumably go out directly.
  # In a cluster with restricted egress, set a proxy or the database will go
  # stale and scan results will miss newer vulnerabilities.
  httpProxy:
  httpsProxy:
  # The interval of clair updaters, the unit is hour, set to 0 to
  # disable the updaters
  updatersInterval: 12
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## Additional deployment annotations
  podAnnotations: {}
# Database settings. "type" selects between the bundled database ("internal")
# and one you operate yourself ("external").
database:
  # if external database is used, set "type" to "external"
  # and fill the connection information in "external" section
  type: internal
  internal:
    image:
      repository: goharbor/harbor-db
      tag: v1.7.0
    # The initial superuser password for internal database
    # NOTE(review): "changeit" is a placeholder-style value and is the database
    # superuser credential. Set a unique random password before the first
    # install and keep it out of version control.
    password: "changeit"
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  # The "external" values below look like samples and are presumably ignored
  # while type is "internal".
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    clairDatabase: "clair"
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"
    # NOTE(review): "disable" means the PostgreSQL connection is not protected
    # by TLS. If an external database is used over an untrusted network,
    # choose a mode that enforces TLS and verifies the server.
    sslmode: "disable"
  ## Additional deployment annotations
  podAnnotations: {}
# Redis settings. "type" selects between the bundled Redis ("internal") and an
# externally operated instance ("external").
redis:
  # if external Redis is used, set "type" to "external"
  # and fill the connection information in "external" section
  type: internal
  internal:
    image:
      repository: goharbor/redis-photon
      tag: v1.7.0
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  # Presumably ignored while type is "internal".
  external:
    host: "10.2.8.44"
    port: "6379"
    # The "coreDatabaseIndex" must be "0" as the library Harbor
    # used doesn't support configuring it
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    # NOTE(review): an empty password means Harbor would connect to the
    # external Redis without authentication. If "external" is ever used, put
    # that Redis behind authentication and network restrictions.
    password: ""
  ## Additional deployment annotations
  podAnnotations: {}
==> v1/Secret NAME TYPE DATA AGE min-harbor-adminserver Opaque 4 1s min-harbor-chartmuseum Opaque 1 1s min-harbor-core Opaque 4 1s min-harbor-database Opaque 1 1s min-harbor-ingress kubernetes.io/tls 3 1s min-harbor-jobservice Opaque 1 1s min-harbor-registry Opaque 1 1s
==> v1/ConfigMap NAME DATA AGE min-harbor-adminserver 39 1s min-harbor-chartmuseum 24 1s min-harbor-clair 1 1s min-harbor-core 1 1s min-harbor-jobservice 1 1s min-harbor-notary-server 5 1s min-harbor-registry 2 1s
NOTES: Please wait for several minutes for Harbor deployment to complete. Then you should be able to visit the Harbor portal at https://core-harbor.minminmsn.com. For more details, please visit https://github.com/goharbor/harbor.
[root@elasticsearch01 harbor-helm]# helm install . --name min helm delete --purge min These resources were kept due to the resource policy: [PersistentVolumeClaim] min-harbor-chartmuseum [PersistentVolumeClaim] min-harbor-jobservice [PersistentVolumeClaim] min-harbor-registry
release "min" deleted
四、访问harbor
1、获取harbor ingress 服务
[root@elasticsearch01 harbor-helm]# kubectl get ingress NAME HOSTS ADDRESS PORTS AGE jenkins jenkins.minminmsn.com 80, 443 6d2h min-harbor-ingress core-harbor.minminmsn.com,notary-harbor.minminmsn.com 80, 443 6m43s
[root@elasticsearch02 ~]# docker login core-harbor.minminmsn.com Username: admin Password: WARNING! Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning. See https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
上传下载测试
[root@elasticsearch02 ~]# docker tag registry.cn-beijing.aliyuncs.com/minminmsn/kubernetes-dashboard:v1.10.1 core-harbor.minminmsn.com/public/kubernetes-dashboard:v1.10.1 [root@elasticsearch02 ~]# docker push core-harbor.minminmsn.com/public/kubernetes-dashboard:v1.10.1 The push refers to repository [core-harbor.minminmsn.com/public/kubernetes-dashboard] fbdfe08b001c: Pushed v1.10.1: digest: sha256:54cc02a35d33a5ff9f8aa1a1b43f375728bcd85034cb311bdaf5c14f48340733 size: 529
[root@elasticsearch03 ~]# docker pull core-harbor.minminmsn.com/public/kubernetes-dashboard:v1.10.1 v1.10.1: Pulling from public/kubernetes-dashboard Digest: sha256:54cc02a35d33a5ff9f8aa1a1b43f375728bcd85034cb311bdaf5c14f48340733 Status: Downloaded newer image for core-harbor.minminmsn.com/public/kubernetes-dashboard:v1.10.1