0

第一次尝试 VMWare 的 Harbor 注册服务器,并将其作为新 Kubernetes 集群上的部署进行尝试。

遵循Harbor on Kubernetes指南后,所有 Harbor 资源都已应用到 k8s 集群上,并且可以看到运行良好。但是,我目前无法从网络浏览器访问 Harbour ui(我只是得到“无法连接”)。我的猜测是安全性设置不正确,缺少某些东西或放在错误的地方?

make/harbor.cfg文件配置为:

hostname = k8s-dp-2# 这是运行 Harbor 的工作节点..

ui_url_protocol = https

ssl_cert = /path/to/cert/on/host/harbor.crt

ssl_cert_key = /path/to/cert/on/host/harbor.key

secretkey_path = /data

我假设上面证书的路径是主机上的路径,python 脚本将从该路径获取文件然后进行 YAML 构建?

- - 更新 - -

在评论中给出建议后,我现在已经在 k8s 集群中配置了一个 nginx 入口控制器。添加这个入口控制器后,我更新了 Harbor 配置以使用 http 而不再使用 https,因为 https 部分现在应该由 nginx 入口控制器处理。然而,随着这些配置更改到位,我仍然无法通过 https 访问 Harbor 服务,但我现在可以通过 kubernetes 集群的 http 端口调用 Harbor 服务。请参阅下面的测试

# kubectl get svc -n=nginx-ingress NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nginx-ingress NodePort 10.103.165.23 <none> 80:31819/TCP,443:30435/TCP 20h

测试调用 1:

$ curl https://k8s-dp-2/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to k8s-dp-2 port 443: Connection refused

测试呼叫 2:

$ curl https://k8s-dp-2:30435/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

测试电话 3:

$ curl http://k8s-dp-2/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to k8s-dp-2 port 80: Connection refused

测试呼叫 4:

$ curl http://k8s-dp-2:31819/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   810  100   810    0     0  12857      0 --:--:-- --:--:-- --:--:-- 12857<!doctype html>
<html>

<head>
    <meta charset="utf-8">
    <title>Harbor</title>
    <base href="/">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="icon" type="image/x-icon" href="favicon.ico?v=2">
</head>

<body style="overflow-y: hidden;">
...
4

1 回答 1

0

在尝试了各种不同的配置之后,下面发布的 YAML 配置对我有用:

入口控制器 YAML:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-nginx
  template:
    metadata:
      labels:
        app: ingress-nginx
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.11.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --default-ssl-certificate=$(POD_NAMESPACE)/default-tls-secret
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --annotations-prefix=nginx.ingress.kubernetes.io
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
          - name: http
            containerPort: 80
          - name: https
            containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1

入口 YAML:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: harbor
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - k8s-dp-2
  rules:
  - host: k8s-dp-2
    http:
      paths:
      - path: /
        backend:
          serviceName: ui
          servicePort: 80
      - path: /v2
        backend:
          serviceName: registry
          servicePort: repo
      - path: /service
        backend:
          serviceName: ui
          servicePort: 80

服务 YAML:

apiVersion: v1
kind: Service
metadata:
  name: ui
spec:
  ports:
    - port: 80
  selector:
    name: ui-apps

然而,找到一个可行的解决方案并不简单。必须学习很多关于入口控制器、入口等的知识。此外,我最初混合了来自两个不同的 nginx 入口控制器图像的配置,它们的工作方式不同(下面的配置与 quay.io 的 nginx 入口控制器一起使用)。此外,由于我仍然无法正确理解的原因,最终配置仅在所涉及的 k8s 节点完全重启后才开始工作。

于 2018-03-14T11:08:06.067 回答