Kubernetes基于helm安装 harbor

之前harbor的安装都是借助docker完成一键安装部署，安装完成之后harbor组件均运行到一台机器上面，本文实践harbor在k8s环境中的部署。

准备工作

根据harbor官方要求：

• Kubernetes cluster 1.20+
• Helm v3.2.0+

结合ingress-nginx版本要求，建议K8S版本大于1.21.0-0进行实践。

部署一套K8S环境

本文使用的k8s环境如下：

# k8s版本及环境信息
root@master1:~# kubectl get node -o wide
NAME      STATUS   ROLES           AGE   VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE           KERNEL-VERSION     CONTAINER-RUNTIME
master1   Ready    control-plane   25h   v1.28.2   192.168.0.61   <none>        Ubuntu 24.04 LTS   6.8.0-36-generic   containerd://1.7.12
node1     Ready    <none>          25h   v1.28.2   192.168.0.62   <none>        Ubuntu 24.04 LTS   6.8.0-36-generic   containerd://1.7.12
node2     Ready    <none>          25h   v1.28.2   192.168.0.63   <none>        Ubuntu 24.04 LTS   6.8.0-36-generic   containerd://1.7.12

# 操作系统信息
root@master1:~# cat /etc/issue
Ubuntu 24.04 LTS \n \l

root@master1:~# uname -a
Linux master1 6.8.0-36-generic #36-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 10 10:49:14 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

# helm版本
root@master1:~# helm version
version.BuildInfo{Version:"v3.15.2", GitCommit:"1a500d5625419a524fdae4b33de351cc4f58ec35", GitTreeState:"clean", GoVersion:"go1.22.4"}

部署openebs用于提供pv

参考我的另外一篇文章部署openebs，《Kubernetes云原生存储解决方案openebs部署实践-3.10.0版本（helm部署）》

本文部署的openebs信息如下：

root@master1:~# helm ls -n openebs
NAME    NAMESPACE       REVISION        UPDATED                                 STATUS          CHART           APP VERSION
openebs openebs         1               2024-07-02 14:38:40.928808834 +0800 CST deployed        openebs-4.0.1   4.0.1
root@master1:~# kubectl get pod -n openebs
NAME                                              READY   STATUS    RESTARTS   AGE
openebs-localpv-provisioner-6b8bff68bd-vmwp7      1/1     Running   0          121m
openebs-lvm-localpv-controller-778b75449c-mmvw6   5/5     Running   0          121m
openebs-lvm-localpv-node-d2trc                    2/2     Running   0          121m
openebs-lvm-localpv-node-md5wh                    2/2     Running   0          121m
openebs-zfs-localpv-controller-6665568c7c-snw4q   5/5     Running   0          121m
openebs-zfs-localpv-node-mc8tv                    2/2     Running   0          121m
openebs-zfs-localpv-node-w6nns                    2/2     Running   0          121m
root@master1:~# kubectl get sc -n openebs
NAME               PROVISIONER        RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
openebs-hostpath   openebs.io/local   Delete          WaitForFirstConsumer   false                  121m

部署ingress-nginx用于暴露服务

参考我的另外一篇文章部署ingress-nginx，《ingress-nginx部署(helm方式)》

建议k8s版本不要太老，以下是在1.18.0部署最新的ingress-nginx，提示版本不兼容。

[root@k8s-master ~]# helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
>   --namespace ingress-nginx --create-namespace \
>   --set controller.service.type=NodePort
Release "ingress-nginx" does not exist. Installing it now.
Error: chart requires kubeVersion: >=1.21.0-0 which is incompatible with Kubernetes v1.18.0

本次环境部署的ingress nginx如下：

root@master1:~# helm ls -n ingress-nginx
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
ingress-nginx   ingress-nginx   1               2024-07-01 18:20:48.811046861 +0800 CST deployed        ingress-nginx-4.10.1    1.10.1
root@master1:~# kubectl get pod -n ingress-nginx
NAME                             READY   STATUS    RESTARTS       AGE
ingress-nginx-controller-dddq8   1/1     Running   1 (126m ago)   22h
ingress-nginx-controller-p7gd9   1/1     Running   1 (126m ago)   22h

部署harbor–ingress方式暴露服务

添加harbor helm仓库：

helm repo add harbor https://helm.goharbor.io

官方提供四种方式暴露Harbor service：

• Ingress: 借助Ingress暴露服务，K8S集群中已经部署ingress nginx controller。
• ClusterIP: 使用ClusterIP暴露服务，只能在集群内部进行访问。
• NodePort: 使用NodePort暴露服务，通过NodeIP:NodePort进行访问。
• LoadBalancer: 使用云供应商提供的LB进行访问。

部署harbor仓库，使用ingress暴露服务。ingress-nginx使用的是NodePort方式暴露自身，需要在externalURL中配置其 NodePort 端口号:

# ingress-nginx NodePort https端口为30294
root@master1:~# kubectl get svc -n ingress-nginx
NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    10.102.230.242   <none>        80:30974/TCP,443:30194/TCP   21h
ingress-nginx-controller-admission   ClusterIP   10.110.51.58     <none>        443/TCP                      21h

# 查看部署openebs后storageclass为openebs-hostpath 
root@master1:~# kubectl get sc
NAME               PROVISIONER        RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
openebs-hostpath   openebs.io/local   Delete          WaitForFirstConsumer   false                  99m


# 执行helm安装，指定为ingress暴露，指定域名，externalURL，密码及StorageClaas
helm upgrade --install harbor harbor/harbor --namespace harbor --create-namespace \
  --set expose.type=ingress \
  --set expose.ingress.className=nginx \
  --set expose.ingress.hosts.core=harbor.test.com \
  --set expose.ingress.hosts.notary=notary.test.com \
  --set externalURL=https://harbor.test.com:30194 \
  --set harborAdminPassword="Harbor12345" \
  --set persistence.persistentVolumeClaim.registry.storageClass="openebs-hostpath" \
  --set persistence.persistentVolumeClaim.jobservice.jobLog.storageClass="openebs-hostpath" \
  --set persistence.persistentVolumeClaim.database.storageClass="openebs-hostpath" \
  --set persistence.persistentVolumeClaim.redis.storageClass="openebs-hostpath" \
  --set persistence.persistentVolumeClaim.trivy.storageClass="openebs-hostpath"

查看部署后的资源：

# 创建的pod
root@master1:~# kubectl get pod -n harbor -o wide
NAME                                 READY   STATUS    RESTARTS      AGE    IP              NODE    NOMINATED NODE   READINESS GATES
harbor-core-fb5ff9588-b8t6t          1/1     Running   2 (13m ago)   15m    10.244.154.33   node1   <none>           <none>
harbor-database-0                    1/1     Running   0             15m    10.244.154.43   node1   <none>           <none>
harbor-jobservice-85bf44bd57-5f2wg   1/1     Running   6 (12m ago)   15m    10.244.154.41   node1   <none>           <none>
harbor-portal-7c5d84cbb8-t6v22       1/1     Running   0             15m    10.244.154.34   node1   <none>           <none>
harbor-redis-0                       1/1     Running   0             15m    10.244.154.39   node1   <none>           <none>
harbor-registry-7f54fbf5f4-xdx4t     2/2     Running   0             15m    10.244.154.42   node1   <none>           <none>
harbor-trivy-0                       1/1     Running   0             6m1s   10.244.154.45   node1   <none>           <none>

# 创建的pvc
root@master1:~# kubectl get pvc -n harbor
NAME                              STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS       AGE
data-harbor-redis-0               Bound    pvc-83f38659-8ddb-43ec-9023-460d323c7d48   1Gi        RWO            openebs-hostpath   6m52s
data-harbor-trivy-0               Bound    pvc-50b8cd59-23c3-4d15-a0e3-31b7a62ed5d5   5Gi        RWO            openebs-hostpath   6m51s
database-data-harbor-database-0   Bound    pvc-8e8d04f2-21f7-4228-b0e7-331f352606e6   1Gi        RWO            openebs-hostpath   6m52s
harbor-jobservice                 Bound    pvc-beca09bd-d3b7-4d82-8e1e-785de4728f4e   1Gi        RWO            openebs-hostpath   6m52s
harbor-registry                   Bound    pvc-cd7048f3-2452-44e2-8c84-337b22ccb4ed   5Gi        RWO            openebs-hostpath   6m52s

# 查看ingress
root@master1:~# kubectl get ingress -n harbor
NAME             CLASS   HOSTS             ADDRESS          PORTS     AGE
harbor-ingress   nginx   harbor.test.com   10.102.230.242   80, 443   7m9s

客户端访问测试，在客户端配置域名解析，harbor.test.com解析到ingress-nginx节点IP，访问https://harbor.test.com:30194：

用户名admin，密码Harbor12345

部署harbor–NodePort方式暴露服务

上述使用ingress方式部署依赖nginx-ingress控制器，如果为了简化部署，可以使用NodePort方式：

export node_ip=192.168.0.61
helm upgrade --install harbor harbor/harbor --namespace harbor --create-namespace \
  --set expose.type=nodePort \
  --set expose.tls.auto.commonName=$node_ip \
  --set externalURL='https://$node_ip:31234'
  --set harborAdminPassword="Harbor12345" \
  --set persistence.persistentVolumeClaim.registry.storageClass="openebs-hostpath" \
  --set persistence.persistentVolumeClaim.jobservice.jobLog.storageClass="openebs-hostpath" \
  --set persistence.persistentVolumeClaim.database.storageClass="openebs-hostpath" \
  --set persistence.persistentVolumeClaim.redis.storageClass="openebs-hostpath" \
  --set persistence.persistentVolumeClaim.trivy.storageClass="openebs-hostpath"

通过https://$node_ip:31234直接访问harbor。

客户端上传镜像验证

1. 到处ca证书

kubectl -n harbor get secrets harbor-ingress -o jsonpath="{.data.ca\.crt}" | base64 -d >ca.crt

2. 复制ca.crt到docker客户端所在机器

docker运行时和客户端：

root@ubuntu:~# mkdir -p /etc/docker/certs.d/harbor.test.com:30194/

root@ubuntu:~# ls /etc/docker/certs.d/harbor.test.com:30194/
ca.crt

如果使用containerd，配置类似：

root@ubuntu:~# mkdir -p /etc/containerd/certs.d/harbor.test.com:30194/

root@ubuntu:~# ls /etc/containerd/certs.d/harbor.test.com:30194/
ca.crt

3. 配置解析

echo "192.168.0.62 harbor.test.com" >>/etc/hosts

4. 测试登录

root@ubuntu:~# docker login -u admin -p Harbor12345 https://harbor.test.com:30194
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/test/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

5. 推送镜像

root@ubuntu:~# docker push harbor.test.com:30194/library/kubemark:1.19.0
The push refers to repository [harbor.test.com:30194/library/kubemark]
c746c8a16e15: Pushed
f47163e8de57: Pushed
0d1435bd79e4: Pushed
1.19.0: digest: sha256:95effc616f84c0c3d3645ee489f57ec635002bcf5eec1f0892936f485110d529 size: 949

参考资料

1. https://github.com/goharbor/harbor-helm

2. https://goharbor.io/docs/2.5.0/install-config/harbor-ha-helm/

3. https://blog.csdn.net/networken/article/details/126295863