Enabling TLS (HTTPS) on the Harbor Docker Registry

Keywords: Docker SSL OpenSSL github

Our company has run Harbor over plain HTTP for a long time. I recently upgraded it to version 1.1.2 and took the opportunity to enable HTTPS, so this post records the steps.

Get the installation package

Download either the offline or the online installer from the releases page of the project's GitHub repository; the offline package is the usual choice.

Unpack the offline installer with tar -zxf harbor-offline-installer-xxx.tgz.

Configure

Enter the unpacked directory (cd harbor) and edit harbor.cfg (vi harbor.cfg).

Set hostname to the IP address or domain name that clients will use to reach Harbor; do not use localhost or 127.0.0.1. This is also the name the TLS certificate must cover.

## Configuration file of Harbor

#The hostname clients use to reach Harbor: an IP address or a domain name.
#External clients must be able to resolve and connect to it, so never use 'localhost' or '127.0.0.1'.
hostname = harbor.example.com

#The default is http. Set https so that the UI, the registry API and docker login all run over TLS.
ui_url_protocol = https

#Root password of the MySQL database; change it if needed.
db_password = root123

#Maximum number of concurrent replication jobs; default 3. Raise it if the server has the resources (10 here).
max_job_workers = 10

#Whether the prepare script generates the private key and certificate used to sign and verify registry tokens.
#The default is on; keep it on for a first installation. Set it to off only when you supply that key and certificate yourself
#(for example when upgrading or changing settings while keeping the existing ones).
#Official guidance: https://github.com/vmware/harbor/blob/master/docs/customize_token_service.md
#Docker's token specification: https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md
customize_crt = off

#Required when ui_url_protocol is https: the server certificate and its private key (PEM).
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

#Directory in which the secret key is stored.
secretkey_path = /data

#Set to NA when a single Harbor instance is deployed (no Admiral).
admiral_url = NA

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email (SMTP) settings. These can be left as they are until Harbor is up and you have logged in; they can then be set and tested on the settings page.

#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =

email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
email_password = abc
email_from = admin <sample_admin@mydomain.com>
email_ssl = false

#Initial password of the built-in admin account. The value below is the well-known default; change it before the first boot.
harbor_admin_password = Harbor12345

#Where accounts are stored and authenticated: 'ldap_auth' or 'db_auth' (default 'db_auth').
auth_mode = db_auth

#LDAP settings (used only with ldap_auth).
#Server URL.
ldap_url = ldaps://ldap.mydomain.com

#A user with permission to search the LDAP/AD directory.
#If the directory does not allow anonymous search, uncomment ldap_searchdn and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
#ldap_search_pwd = password

#Base DN under which users are looked up.
ldap_basedn = ou=people,dc=mydomain,dc=com

#Optional search filter.
#ldap_filter = (objectClass=person)

#Attribute matched against the login name during the LDAP search: uid, cn, email or another attribute.
ldap_uid = uid

#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
ldap_scope = 3

#LDAP connection timeout in seconds (default 5).
ldap_timeout = 5

#Whether users may register themselves (default on). For an internal registry set it to off; it can be changed on the settings page after login.
self_registration = off

#Token lifetime in minutes (default 30); can be changed on the settings page after login.
token_expiration = 30

#Who may create projects: everyone (default) or adminonly; can be changed on the settings page after login.
project_creation_restriction = everyone

#Whether to verify the TLS certificate of remote registries during replication (default on). Leave it on; off disables certificate validation.
verify_remote_cert = on
#************************END INITIAL PROPERTIES************************
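It is easy to finish editing this file and still leave one of the settings above at its weak value: the protocol still http, the documented admin password, registration open, or remote certificate checks off. The following script is an added example, not part of Harbor or of the original post. It reads a harbor.cfg (Harbor 1.1 key names), prints each weak setting it finds, and returns the number of findings so a deployment script can refuse to run install.sh on a weak configuration. write_sample_cfg writes a constructed sample, the values from this post with HTTPS still off, so the linter can be tried without a real installation.

```shell
#!/bin/sh
# Added example, not Harbor's code: lint a harbor.cfg for settings that weaken
# an HTTPS deployment. Key names are those of Harbor 1.1's harbor.cfg.

# cfg_get FILE KEY: print the value of KEY ("key = value" line, first match),
# ignoring comment lines; the value may itself contain '=' (LDAP DNs do).
cfg_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# lint_harbor_cfg FILE: print one line per weak setting; return the number found.
lint_harbor_cfg() {
    cfg="$1"; n=0
    proto=$(cfg_get "$cfg" ui_url_protocol)
    if [ "$proto" != "https" ]; then
        echo "ui_url_protocol is '$proto': passwords and registry tokens travel in the clear"
        n=$((n + 1))
    fi
    host=$(cfg_get "$cfg" hostname)
    case "$host" in
        ""|localhost|127.0.0.1)
            echo "hostname is '$host': it must be the name or IP clients connect to, and the name the certificate covers"
            n=$((n + 1)) ;;
    esac
    if [ "$(cfg_get "$cfg" harbor_admin_password)" = "Harbor12345" ]; then
        echo "harbor_admin_password is the documented default"
        n=$((n + 1))
    fi
    if [ "$(cfg_get "$cfg" verify_remote_cert)" = "off" ]; then
        echo "verify_remote_cert is off: remote registries are not authenticated during replication"
        n=$((n + 1))
    fi
    if [ "$(cfg_get "$cfg" self_registration)" = "on" ] && [ "$(cfg_get "$cfg" auth_mode)" = "db_auth" ]; then
        echo "self_registration is on with db_auth: anyone who can reach the UI can create an account"
        n=$((n + 1))
    fi
    if [ "$proto" = "https" ]; then
        # With https on, the prepare script needs both PEM files to exist and be readable.
        for k in ssl_cert ssl_cert_key; do
            f=$(cfg_get "$cfg" "$k")
            if [ ! -r "$f" ]; then
                echo "$k points to '$f', which is missing or unreadable"
                n=$((n + 1))
            fi
        done
    fi
    return "$n"
}

# write_sample_cfg FILE: a constructed sample, the values from this post with
# HTTPS still off and the default admin password, for trying the linter.
write_sample_cfg() {
    cat > "$1" <<'EOF'
## Configuration file of Harbor (constructed sample)
hostname = harbor.example.com
ui_url_protocol = http
harbor_admin_password = Harbor12345
auth_mode = db_auth
ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com
self_registration = off
verify_remote_cert = on
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
EOF
}

# Usage: write_sample_cfg /tmp/harbor.cfg && lint_harbor_cfg /tmp/harbor.cfg; echo "findings: $?"
```

Run it against the real file (lint_harbor_cfg harbor/harbor.cfg) before install.sh; the exit status is the finding count, so a zero means every check passed. The certificate-file check only runs once ui_url_protocol is https, because that is when the prepare script actually reads the paths.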

Generate certificates

You can either generate your own certificate or use one issued by Let's Encrypt (or any other CA). Here I use a self-generated certificate.

For the full procedure, see the official guide.

Because I set hostname to a domain name, I use a shorter procedure than the official guide: one key signs its own certificate instead of a separate CA key and certificate. The original post then signed the CSR a second time with the freshly generated certificate as the CA, which produces the same self-signed certificate, so that step is folded into the single signing command below. Whatever the hostname is, it must appear in the certificate's subjectAltName: Docker's TLS stack (Go) matches the registry name against the SAN, and newer versions ignore the CN entirely.

mkdir -p /data/cert/ && cd /data/cert

localdomain=harbor.example.com

#Generate a 2048-bit RSA key and a certificate signing request. The CN is only descriptive; the name clients verify is the SAN added below.
openssl req -nodes -subj "/C=CN/ST=Guangdong/L=Shenzhen/CN=$localdomain" -newkey rsa:2048 -keyout $localdomain.key -out $localdomain.csr

#If hostname is a domain name, put it in the SAN as a DNS entry:
echo "subjectAltName = DNS:$localdomain" > extfile.cnf

#If hostname is an IP address, use this instead, replacing the address with the Harbor server's IP (the CN can then be any label, for example the server's name):
#echo "subjectAltName = IP:192.168.1.101" > extfile.cnf

#Self-sign the request with its own key, valid for ten years, carrying the SAN extension.
openssl x509 -req -days 3650 -in $localdomain.csr -signkey $localdomain.key -extfile extfile.cnf -out $localdomain.crt

#Rename $localdomain.crt and $localdomain.key to the server.crt and server.key referenced by harbor.cfg.
mv $localdomain.crt server.crt && mv $localdomain.key server.key

Place the resulting server.crt and server.key at the paths given by ssl_cert and ssl_cert_key in harbor.cfg; here that is /data/cert/.

Verify SSL

Two things need to be verified:

  • the web UI over https
  • docker login over TLS

https

Open the address you put in hostname; plain-http requests are now redirected to https. Log in with the administrator account (admin, default password Harbor12345 unless you changed harbor_admin_password).

docker login

Copy the generated server.crt to every host (virtual machine) that needs to log in, as /etc/docker/certs.d/$hostname/server.crt, where $hostname is the hostname value from harbor.cfg; dockerd trusts every .crt file in that directory as a CA for that registry, which is what makes a self-signed certificate acceptable. If Harbor listens on a non-default port, the directory is /etc/docker/certs.d/$hostname:port/ instead. Then run docker login $hostname and enter the username and password to complete the login.

If you hit an error, see the Troubleshooting section of the official guide.
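The certificate steps above and the docker login check can be tied together in one script. The following is an added example, not Harbor's code or the original post's, and it assumes the openssl CLI is installed. make_self_signed repeats the one-key, self-signed procedure with a subjectAltName chosen by whether the hostname is an IP address or a DNS name; check_server_cert performs the checks a Docker client effectively performs (validity period, hostname present in the SAN, key matching the certificate) so a mistake is caught before docker login fails with a certificate error; install_docker_ca copies the certificate into the certs.d directory for a given registry name. The ROOT parameter of install_docker_ca is an assumption of this example so the function can be tried in a temporary directory without root.

```shell
#!/bin/sh
# Added example, not Harbor's code or the original post's: generate the self-signed
# server certificate with a subjectAltName, verify it the way a Docker client
# will, and place it where dockerd looks for it. Requires the openssl CLI.

# san_for HOST: "IP:HOST" for a dotted IPv4 address, "DNS:HOST" otherwise.
san_for() {
    case "$1" in
        *[!0-9.]*) echo "DNS:$1" ;;
        *)         echo "IP:$1" ;;
    esac
}

# make_self_signed HOST OUTDIR: the one-key procedure from above, parameterised.
# Writes OUTDIR/server.key and OUTDIR/server.crt (10-year validity).
make_self_signed() {
    mkdir -p "$2"
    openssl req -nodes -subj "/CN=$1" -newkey rsa:2048 \
        -keyout "$2/server.key" -out "$2/server.csr" 2>/dev/null
    printf 'subjectAltName = %s\n' "$(san_for "$1")" > "$2/extfile.cnf"
    openssl x509 -req -days 3650 -in "$2/server.csr" -signkey "$2/server.key" \
        -extfile "$2/extfile.cnf" -out "$2/server.crt" 2>/dev/null
}

# check_server_cert HOST CRT KEY: return 0 only if CRT is not expired, lists HOST
# in its subjectAltName, and is the public half of KEY. Prints the first failure.
check_server_cert() {
    openssl x509 -noout -checkend 0 -in "$2" >/dev/null 2>&1 \
        || { echo "certificate has expired"; return 1; }
    # Docker (Go's TLS stack) matches the registry name against the SAN, not the CN.
    # openssl prints IP entries as "IP Address:x", so normalise before comparing.
    openssl x509 -noout -text -in "$2" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^IP Address:/IP:/' \
        | grep -qxF "$(san_for "$1")" \
        || { echo "subjectAltName does not contain $(san_for "$1")"; return 1; }
    # The certificate must belong to the key Harbor serves it with.
    [ "$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null)" = "$(openssl pkey -pubout -in "$3" 2>/dev/null)" ] \
        || { echo "private key does not match certificate"; return 1; }
    echo "certificate OK for $1"
}

# install_docker_ca REGISTRY CRT [ROOT]: copy CRT to ROOT/etc/docker/certs.d/REGISTRY/ca.crt.
# REGISTRY is the name docker login uses, "host" or "host:port"; dockerd trusts every
# .crt file in that directory for that registry, so the file name is free. ROOT is an
# assumption of this example (empty means the real filesystem) so the function can be
# tried without root.
install_docker_ca() {
    dir="${3:-}/etc/docker/certs.d/$1"
    mkdir -p "$dir" && cp "$2" "$dir/ca.crt" && echo "$dir/ca.crt"
}

# Usage: make_self_signed harbor.example.com /data/cert
#        check_server_cert harbor.example.com /data/cert/server.crt /data/cert/server.key
#        install_docker_ca harbor.example.com /data/cert/server.crt
```

The SAN check is the one that matters most in practice: a certificate whose CN is the hostname but whose SAN is empty or names something else passes openssl's own verification and still fails in Docker. The key check catches a server.crt and server.key taken from two different runs of the generation commands.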

Posted by scripterdx on Fri, 31 May 2019 18:05:39 -0700