Background:

I had been using Tencent Cloud's personal image registry as my image repository. Tencent Cloud also offers the TCR container image service; I took a look and it felt a bit expensive. An individual has fewer than 50 images and only wants image security and vulnerability scanning; the requirements are not that demanding. More than 600 yuan a month still feels expensive! So, build a Harbor!

Building Harbor on Kubernetes 1.21

Note: I started with Kubernetes 1.20.6 on TKE, and ended up on my self-built Kubernetes 1.21 cluster on Tencent Cloud. See my earlier blog post: duiniwukenaihe.github.io/2019/10/29/…

1. Download the harbor-helm repository

Using git clone

git clone https://github.com/goharbor/harbor-helm

Helm is required

Helm 3 is already installed here; a working Helm environment is a must.

wget https://get.helm.sh/helm-v3.6.3-linux-amd64.tar.gz
tar zxvf helm-v3.6.3-linux-amd64.tar.gz
cd linux-amd64
cp helm /usr/local/bin/

helm fetch

The chart repository can also be added directly with the helm command; I used git clone instead.

[root@k8s-master-01 harbor-helm]# helm repo add harbor https://helm.goharbor.io
"harbor" has been added to your repositories
[root@k8s-master-01 harbor-helm]# cd /data/
[root@k8s-master-01 data]# helm search repo harbor
NAME            CHART VERSION   APP VERSION   DESCRIPTION
harbor/harbor   1.7.2           2.3.2         An Open Source Trusted Cloud Native Registry Th...
[root@k8s-master-01 data]# helm fetch harbor/harbor --version 1.7.2

Modify the configuration file

Edit the values.yaml configuration file. The cluster uses the Traefik proxy for external access, so the expose type is set to clusterIP; externalURL is set to the external address, and storageclass to the storage class in use. As follows:

type:

externalURL:

storageclass:

Note: since the smallest CBS disk allowed is 10 GB and the size step is 10 GB, 10 GB is used for every store except the registry. With other storage backends, size them as you see fit!

Install with helm install

helm install harbor -f values.yaml . --namespace kube-ops
kubectl get pods -n kube-ops -w

Note: this screenshot was added later.

helm upgrade

If values.yaml is changed later, upgrade the release with the following command:

helm upgrade harbor -f values.yaml . --namespace kube-ops

To delete the Harbor release:

helm uninstall harbor -n kube-ops

Exposing Harbor externally through the Traefik proxy:

IngressRoute:

cat ingress-harbor.yml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-http
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: harbor-portal
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-api
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/api`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-service
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/service`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-v2
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/v2`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-chartrepo
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/chartrepo`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-c
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`harbor.xxx.com`) && PathPrefix(`/c`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
kubectl apply -f ingress-harbor.yml

The default admin login password is Harbor12345. It can also be changed in values.yaml!

Traefik Ingress

Trying it the Ingress way instead:

helm upgrade harbor -f values.yaml . --namespace kube-ops

Note: this is bound to a different domain name! Web access works fine this way too!

Other issues that came up:

docker push: unknown blob?

The cause is probably that my SLB automatically redirected HTTP to HTTPS, so docker push hit an exception. I read a lot of solutions online and didn't know where to start; they all basically say something like this. In the end I took the lazy, simple route: create a new SLB, move one server off the main SLB onto the new one, and proxy TCP directly, without forcing HTTP over to HTTPS.
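A quick way to confirm this kind of proxy redirect before touching the load balancer is to request the registry's /v2/ endpoint with redirects disabled and look at what comes back. The probe below is an added example, not part of the original post; it uses only the Python standard library, and the registry URL in it is a placeholder you replace with your own. A healthy Harbor answers /v2/ with 401 and a Bearer challenge; a 301/302 to an https:// Location is the scheme rewrite described above.

```python
"""Probe a registry's /v2/ endpoint without following redirects.

Added example, not part of the original post. It assumes only the Python
standard library and a registry URL that you supply; the URL at the bottom is
a placeholder. A scheme-changing redirect on /v2/ is reported instead of being
silently followed, because that redirect is what breaks docker push.
"""
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_v2_response(status, headers):
    """Turn the status and headers of a GET /v2/ into a human-readable verdict.

    headers: mapping of header names (any letter case) to values.
    """
    h = {k.lower(): v for k, v in headers.items()}
    location = h.get("location", "")
    if status in (301, 302, 307, 308):
        if location.startswith("https://"):
            return "FAIL: HTTP->HTTPS redirect at the proxy; docker push will break"
        return f"FAIL: unexpected redirect to {location or '<none>'}"
    if status == 401 and "bearer" in h.get("www-authenticate", "").lower():
        return "OK: registry reachable, token auth challenge returned"
    if status == 200:
        return "OK: registry reachable, anonymous access"
    return f"WARN: unexpected status {status} from /v2/"


def probe(registry_url, timeout=5):
    """GET <registry_url>/v2/ with redirects disabled and classify the answer."""
    url = registry_url.rstrip("/") + "/v2/"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_v2_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # 3xx and 4xx responses land here
        return classify_v2_response(err.code, dict(err.headers))
    except urllib.error.URLError as err:
        return f"FAIL: could not connect: {err.reason}"


if __name__ == "__main__":
    # Placeholder hostname taken from the post; substitute your registry.
    print(probe("http://harbor.xxxx.com"))
```

Run it against the plain-HTTP address the Docker client uses; if the verdict is the HTTP->HTTPS FAIL, the load balancer is rewriting the scheme and needs the TCP passthrough described above.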

kubectl create secret tls all-xxxx-com --key=2_xxxx.com.key --cert=1_xxxx.com_bundle.crt -n kube-ops

ingress.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-http
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: harbor-portal
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-api
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/api/`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-service
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/service/`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-v2
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/v2`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-chartrepo
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/chartrepo/`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: kube-ops
  name: harbor-c
spec:
  entryPoints:
    - websecure
  tls:
    secretName: all-xxxx-com
  routes:
    - match: Host(`harbor.xxxx.com`) && PathPrefix(`/c/`)
      kind: Rule
      services:
        - name: harbor-core
          port: 80
kubectl apply -f ingress.yaml
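Both manifests above (the plain-HTTP one and the TLS one) route six path prefixes to two backends, and a missing or misrouted prefix only shows up later as a failed login or push. The script below is an added example, not part of the original post or of the Harbor or Traefik projects: it audits a set of IngressRoute objects for plaintext entryPoints, missing tls.secretName, and any Harbor prefix not routed to harbor-core. It assumes the documents have already been loaded into Python dicts (for instance with yaml.safe_load_all over ingress.yaml); here they are constructed inline to mirror the post's manifests, with the post's placeholder hostname and secret name.

```python
"""Static audit of the Traefik IngressRoutes that front Harbor.

Added example, not part of the original post or of the Harbor/Traefik projects.
It assumes the IngressRoute documents have already been loaded into Python
dicts (e.g. with yaml.safe_load_all over ingress.yaml); here they are
constructed inline to mirror the two manifests in the post.
"""
import re

HOST = "harbor.xxxx.com"      # placeholder hostname, as in the post
TLS_SECRET = "all-xxxx-com"   # placeholder secret name, as in the post

# Every prefix Harbor needs routed to harbor-core; "/" alone goes to harbor-portal.
REQUIRED_CORE_PREFIXES = ("/api", "/service", "/v2", "/chartrepo", "/c")

# (name, PathPrefix, backend service) for the six routes in the post.
ROUTE_TABLE = [
    ("harbor-http", "/", "harbor-portal"),
    ("harbor-api", "/api/", "harbor-core"),
    ("harbor-service", "/service/", "harbor-core"),
    ("harbor-v2", "/v2", "harbor-core"),
    ("harbor-chartrepo", "/chartrepo/", "harbor-core"),
    ("harbor-c", "/c/", "harbor-core"),
]

PREFIX_RE = re.compile(r"PathPrefix\(`([^`]+)`\)")


def make_route(name, prefix, service, entry_point, secret=None):
    """Build one IngressRoute dict in the shape of the post's manifests (constructed)."""
    doc = {
        "apiVersion": "traefik.containo.us/v1alpha1",
        "kind": "IngressRoute",
        "metadata": {"namespace": "kube-ops", "name": name},
        "spec": {
            "entryPoints": [entry_point],
            "routes": [{
                "match": f"Host(`{HOST}`) && PathPrefix(`{prefix}`)",
                "kind": "Rule",
                "services": [{"name": service, "port": 80}],
            }],
        },
    }
    if secret:
        doc["spec"]["tls"] = {"secretName": secret}
    return doc


# The first manifest in the post: plain HTTP on the "web" entryPoint.
HTTP_DOCS = [make_route(n, p, s, "web") for n, p, s in ROUTE_TABLE]
# The second manifest: "websecure" entryPoint with the TLS secret.
TLS_DOCS = [make_route(n, p, s, "websecure", TLS_SECRET) for n, p, s in ROUTE_TABLE]


def _norm(prefix):
    """Treat PathPrefix(`/api`) and PathPrefix(`/api/`) as the same route."""
    return prefix.rstrip("/") or "/"


def audit_routes(docs):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    core_prefixes = set()
    for doc in docs:
        if doc.get("kind") != "IngressRoute":
            continue
        name = doc["metadata"]["name"]
        spec = doc["spec"]
        entry_points = spec.get("entryPoints", [])
        if "web" in entry_points:
            findings.append(f"{name}: served on plaintext entryPoint 'web'")
        if "websecure" in entry_points and not spec.get("tls", {}).get("secretName"):
            findings.append(f"{name}: websecure entryPoint without tls.secretName")
        for route in spec.get("routes", []):
            m = PREFIX_RE.search(route.get("match", ""))
            if not m:
                findings.append(f"{name}: route has no PathPrefix matcher")
                continue
            prefix = _norm(m.group(1))
            services = {s["name"] for s in route.get("services", [])}
            if "harbor-core" in services:
                core_prefixes.add(prefix)
            if prefix != "/" and "harbor-portal" in services:
                findings.append(f"{name}: {prefix} routed to harbor-portal instead of harbor-core")
    for prefix in REQUIRED_CORE_PREFIXES:
        if prefix not in core_prefixes:
            findings.append(f"no route sends {prefix} to harbor-core")
    return findings


if __name__ == "__main__":
    for label, docs in (("plain HTTP manifest", HTTP_DOCS), ("TLS manifest", TLS_DOCS)):
        print(label, "->", audit_routes(docs) or "OK")
```

Against the post's first manifest the audit flags all six routes as plaintext; against the TLS manifest it returns nothing, and dropping the harbor-v2 route produces a single finding that /v2 (the Docker registry API) has no backend.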

I also ran into something interesting. I ended up building Harbor in my own cluster, with CBS as storage (see also: Kubernetes cluster adds Tencent Cloud CBS as default storage). But my worker nodes include hosts in both ap-shanghai-2 and ap-shanghai-3. Although I had set the zone-3 nodes to unschedulable, some cloud disks still got created in zone 3, and the result was that the pods could not run properly, since cloud disks cannot be mounted across zones. So create a StorageClass pinned to ap-shanghai-2 and change the storageclass in Harbor's values!

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: cbs-shanghai-2
provisioner: com.tencent.cloud.csi.cbs
parameters:
  diskZone: ap-shanghai-2

Eventually, of course, I switched to NFS anyway, because I didn't want to waste resources by allocating 10 GB disks to Redis and the database. With NFS storage, pay more attention to selfLink: for example, when Kubernetes 1.19.12 was upgraded to 1.20.9 the selfLink behaviour changed (1.20 disables selfLink by default, which the older NFS client provisioner depends on).

Check out the vulnerability scanning service

Well, whether to update depends on…

Postscript:

I just wanted to look at Harbor's vulnerability scanning service, but the page still feels immature. Could it give me a vulnerability map once the scan is done? The proportion of high-risk vulnerabilities? The percentage of vulnerabilities per image? Vulnerability trends across different tags of the same image?