使用helm安装harbor

环境信息:

k8s集群安装helm3

Helm,Kubernetes的包管理工具。

  1. 下载安装 Helm 客户端

    github地址:https://github.com/helm/helm/releases/tag/v3.5.4

    #下载Helm客户端
    $ wget https://get.helm.sh/helm-v3.5.4-linux-amd64.tar.gz
    
    #解压 Helm
    $ tar -zxvf helm-v3.5.4-linux-amd64.tar.gz
    
    #复制客户端执行文件到 bin 目录下,方便在系统下能执行 helm 命令
    $ cp linux-amd64/helm /usr/local/bin/
    

    helm 客户端需要下载到安装了 kubectl 并且能执行能正常通过 kubectl 操作 kubernetes 的服务器上,否则 helm 将不可用。

数据包准备

  1. 下载 harbor-helm 1.5.5

    https://github.com/goharbor/harbor-helm/tree/v1.5.5

  2. 下载 harbor 离线镜像

    harbor-helm的values.yaml里面对应的harbor镜像为 2.1.5,因此选择2.1.5的harbor离线包下载

    https://github.com/goharbor/harbor/releases/tag/v2.1.5

  3. 解压后在所有节点load镜像

    docker load -i harbor.v2.1.5.tar.gz
    

创建 nfs StorageClass

apiVerson: v1
kind: Namespace
metadata:
  name: harbor

---

kind: Deployment
apiVersion: apps/v1
metadata:
  name: nfs-client-provisioner
  namespace: harbor
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nfs-client-provisioner
  template:
    metadata:
      labels:
        app: nfs-client-provisioner
    spec:
      serviceAccountName: nfs-client-provisioner
      containers:
        - name: nfs-client-provisioner
          image: quay.io/external_storage/nfs-client-provisioner:latest
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: fuseim.pri/ifs
            - name: NFS_SERVER
              value: 192.168.10.170
            - name: NFS_PATH
              value: /data/nfs/harbor
      volumes:
        - name: nfs-client-root
          nfs:
            server: 10.151.30.57
            path: /data/nfs/harbor
            
---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner
  namespace: harbor

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nfs-client-provisioner-runner
  namespace: harbor
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: run-nfs-client-provisioner
  namespace: harbor
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    namespace: harbor
roleRef:
  kind: ClusterRole
  name: nfs-client-provisioner-runner
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: course-nfs-storage
provisioner: fuseim.pri/ifs # or choose another name, must match deployment's env PROVISIONER_NAME'

values.yaml文件修改

配置说明

expose:
  # 设置暴露服务的方式。将类型设置为 ingress、clusterIP或nodePort并补充对应部分的信息。
  type: ingress
  tls:
    # 是否开启 tls,注意:如果类型是 ingress 并且tls被禁用,则在pull/push镜像时,则必须包含端口。详细查看文档:https://github.com/goharbor/harbor/issues/5291。
    enabled: true
    # 如果你想使用自己的 TLS 证书和私钥,请填写这个 secret 的名称,这个 secret 必须包含名为 tls.crt 和 tls.key 的证书和私钥文件,如果没有设置则会自动生成证书和私钥文件。
    secretName: ""
    # 默认 Notary 服务会使用上面相同的证书和私钥文件,如果你想用一个独立的则填充下面的字段,注意只有类型是 ingress 的时候才需要。
    notarySecretName: ""
    # common name 是用于生成证书的,当类型是 clusterIP 或者 nodePort 并且 secretName 为空的时候才需要
    commonName: ""
  ingress:
    hosts:
      core: core.harbor.domain
      notary: notary.harbor.domain
    annotations:
      ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
  clusterIP:
    # ClusterIP 服务的名称
    name: harbor
    ports:
      httpPort: 80
      httpsPort: 443
      # Notary 服务监听端口,只有当 notary.enabled 设置为 true 的时候有效
      notaryPort: 4443
  nodePort:
    # NodePort 服务名称
    name: harbor
    ports:
      http:
        port: 80
        nodePort: 30002
      https:
        port: 443
        nodePort: 30003
      notary:
        port: 4443
        nodePort: 30004

# Harbor 核心服务外部访问 URL。主要用于:
# 1) 补全 portal 页面上面显示的 docker/helm 命令
# 2) 补全返回给 docker/notary 客户端的 token 服务 URL

# 格式:protocol://domain[:port]。
# 1) 如果 expose.type=ingress,"domain"的值就是 expose.ingress.hosts.core 的值
# 2) 如果 expose.type=clusterIP,"domain"的值就是 expose.clusterIP.name 的值
# 3) 如果 expose.type=nodePort,"domain"的值就是 k8s 节点的 IP 地址

# 如果在代理后面部署 Harbor,请将其设置为代理的 URL
externalURL: https://core.harbor.domain

# 默认情况下开启数据持久化,在k8s集群中需要动态的挂载卷默认需要一个StorageClass对象。
# 如果你有已经存在可以使用的持久卷,需要在"storageClass"中指定你的 storageClass 或者设置 "existingClaim"。
#
# 对于存储 docker 镜像和 Helm charts 包,你也可以用 "azure"、"gcs"、"s3"、"swift" 或者 "oss",直接在 "imageChartStorage" 区域设置即可
persistence:
  enabled: true
  # 设置成"keep"避免在执行 helm 删除操作期间移除 PVC,留空则在 chart 被删除后删除 PVC
  resourcePolicy: "keep"
  persistentVolumeClaim:
    registry:
      # 使用一个存在的 PVC(必须在绑定前先手动创建)
      existingClaim: ""
      # 指定"storageClass",或者使用默认的 StorageClass 对象,设置成"-"禁用动态分配挂载卷
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # 如果使用外部的数据库服务,下面的设置将会被忽略
    database:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
    # 如果使用外部的 Redis 服务,下面的设置将会被忽略
    redis:
      existingClaim: ""
      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
  # 定义使用什么存储后端来存储镜像和 charts 包,详细文档地址:https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
  imageChartStorage:
    # 正对镜像和chart存储是否禁用跳转,对于一些不支持的后端(例如对于使用minio的`s3`存储),需要禁用它。为了禁止跳转,只需要设置`disableredirect=true`即可,详细文档地址:https://github.com/docker/distribution/blob/master/docs/configuration.md#redirect
    disableredirect: false
    # 指定存储类型:"filesystem", "azure", "gcs", "s3", "swift", "oss",在相应的区域填上对应的信息。
    # 如果你想使用 pv 则必须设置成"filesystem"类型
    type: filesystem
    filesystem:
      rootdirectory: /storage
      #maxthreads: 100
    azure:
      accountname: accountname
      accountkey: base64encodedaccountkey
      container: containername
      #realm: core.windows.net
    gcs:
      bucket: bucketname
      # The base64 encoded json file which contains the key
      encodedkey: base64-encoded-json-key-file
      #rootdirectory: /gcs/object/name/prefix
      #chunksize: "5242880"
    s3:
      region: us-west-1
      bucket: bucketname
      #accesskey: awsaccesskey
      #secretkey: awssecretkey
      #regionendpoint: http://myobjects.local
      #encrypt: false
      #keyid: mykeyid
      #secure: true
      #v4auth: true
      #chunksize: "5242880"
      #rootdirectory: /s3/object/name/prefix
      #storageclass: STANDARD
    swift:
      authurl: https://storage.myprovider.com/v3/auth
      username: username
      password: password
      container: containername
      #region: fr
      #tenant: tenantname
      #tenantid: tenantid
      #domain: domainname
      #domainid: domainid
      #trustid: trustid
      #insecureskipverify: false
      #chunksize: 5M
      #prefix:
      #secretkey: secretkey
      #accesskey: accesskey
      #authversion: 3
      #endpointtype: public
      #tempurlcontainerkey: false
      #tempurlmethods:
    oss:
      accesskeyid: accesskeyid
      accesskeysecret: accesskeysecret
      region: regionname
      bucket: bucketname
      #endpoint: endpoint
      #internal: false
      #encrypt: false
      #secure: true
      #chunksize: 10M
      #rootdirectory: rootdirectory

imagePullPolicy: IfNotPresent

logLevel: debug
# Harbor admin 初始密码,Harbor 启动后通过 Portal 修改该密码
harborAdminPassword: "Harbor12345"
# 用于加密的一个 secret key,必须是一个16位的字符串
secretKey: "not-a-secure-key"

# 如果你通过"ingress"保留服务,则下面的Nginx不会被使用
nginx:
  image:
    repository: goharbor/nginx-photon
    tag: v1.7.0
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  ## 额外的 Deployment 的一些 annotations
  podAnnotations: {}

portal:
  image:
    repository: goharbor/harbor-portal
    tag: v1.7.0
  replicas: 1
# resources:
#  requests:
#    memory: 256Mi
#    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

core:
  image:
    repository: goharbor/harbor-core
    tag: v1.7.0
  replicas: 1
# resources:
#  requests:
#    memory: 256Mi
#    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

adminserver:
  image:
    repository: goharbor/harbor-adminserver
    tag: v1.7.0
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

jobservice:
  image:
    repository: goharbor/harbor-jobservice
    tag: v1.7.0
  replicas: 1
  maxJobWorkers: 10
  # jobs 的日志收集器:"file", "database" or "stdout"
  jobLogger: file
# resources:
#   requests:
#     memory: 256Mi
#     cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

registry:
  registry:
    image:
      repository: goharbor/registry-photon
      tag: v2.6.2-v1.7.0
  controller:
    image:
      repository: goharbor/harbor-registryctl
      tag: v1.7.0
  replicas: 1
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

chartmuseum:
  enabled: true
  image:
    repository: goharbor/chartmuseum-photon
    tag: v0.7.1-v1.7.0
  replicas: 1
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

clair:
  enabled: true
  image:
    repository: goharbor/clair-photon
    tag: v2.0.7-v1.7.0
  replicas: 1
  # 用于从 Internet 更新漏洞数据库的http(s)代理
  httpProxy:
  httpsProxy:
  # clair 更新程序的间隔,单位为小时,设置为0来禁用
  updatersInterval: 12
  # resources:
  #  requests:
  #    memory: 256Mi
  #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

notary:
  enabled: true
  server:
    image:
      repository: goharbor/notary-server-photon
      tag: v0.6.1-v1.7.0
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  signer:
    image:
      repository: goharbor/notary-signer-photon
      tag: v0.6.1-v1.7.0
    replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}

database:
  # 如果使用外部的数据库,则设置 type=external,然后填写 external 区域的一些连接信息
  type: internal
  internal:
    image:
      repository: goharbor/harbor-db
      tag: v1.7.0
    # 内部的数据库的初始化超级用户的密码
    password: "changeit"
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    clairDatabase: "clair"
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"
    sslmode: "disable"
  podAnnotations: {}

redis:
  # 如果使用外部的 Redis 服务,设置 type=external,然后补充 external 部分的连接信息。
  type: internal
  internal:
    image:
      repository: goharbor/redis-photon
      tag: v1.7.0
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
    nodeSelector: {}
    tolerations: []
    affinity: {}
  external:
    host: "192.168.0.2"
    port: "6379"
    # coreDatabaseIndex 必须设置为0
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    chartmuseumDatabaseIndex: "3"
    password: ""
  podAnnotations: {}

在内网使用NodePort

  1. expose.type 使用 nodePort

    expose:
      type: nodePort
      tls:
        enabled: false
        secretName: ""
        notarySecretName: ""
        commonName: ""
      ingress:
        hosts:
          core: core.harbor.domain
          notary: notary.harbor.domain
        annotations:
          ingress.kubernetes.io/ssl-redirect: "true"
          nginx.ingress.kubernetes.io/ssl-redirect: "true"
          ingress.kubernetes.io/proxy-body-size: "0"
          nginx.ingress.kubernetes.io/proxy-body-size: "0"
      clusterIP:
        name: harbor
        ports:
          httpPort: 80
          httpsPort: 443
          notaryPort: 4443
      nodePort:
        name: harbor
        ports:
          http:
            port: 80
            nodePort: 31104
          https:
            port: 443
            nodePort: 31104
          notary:
            port: 4443
            nodePort: 30004
    externalURL: http://192.168.10.170:31104
    persistence:
      enabled: true
      resourcePolicy: "keep"
      persistentVolumeClaim:
        registry:
          storageClass: "course-nfs-storage"
          accessMode: ReadWriteOnce
          size: 5Gi
        chartmuseum:
          storageClass: "course-nfs-storage"
          accessMode: ReadWriteOnce
          size: 5Gi
        jobservice:
          storageClass: "course-nfs-storage"
          accessMode: ReadWriteOnce
          size: 1Gi
        # 如果使用外部的数据库服务,下面的设置将会被忽略
        database:
          storageClass: "course-nfs-storage"
          accessMode: ReadWriteOnce
          size: 1Gi
        # 如果使用外部的 Redis 服务,下面的设置将会被忽略
        redis:
          storageClass: "course-nfs-storage"
          accessMode: ReadWriteOnce
          size: 1Gi
      imageChartStorage:
        disableredirect: false
        # 如果你想使用 pv 则必须设置成"filesystem"类型
        type: filesystem
        filesystem:
          rootdirectory: /storage
        azure:
          accountname: accountname
          accountkey: base64encodedaccountkey
          container: containername
        gcs:
          bucket: bucketname
          encodedkey: base64-encoded-json-key-file
        s3:
          region: us-west-1
          bucket: bucketname
        swift:
          authurl: https://storage.myprovider.com/v3/auth
          username: username
          password: password
          container: containername
        oss:
          accesskeyid: accesskeyid
          accesskeysecret: accesskeysecret
          region: regionname
          bucket: bucketname
    imagePullPolicy: IfNotPresent
    logLevel: debug
    harborAdminPassword: "Harbor12345"
    secretKey: "not-a-secure-key"
    nginx:
      image:
        repository: goharbor/nginx-photon
        tag: v1.7.0
      replicas: 1
      nodeSelector: {}
      tolerations: []
      affinity: {}
      ## 额外的 Deployment 的一些 annotations
      podAnnotations: {}
    portal:
      image:
        repository: goharbor/harbor-portal
        tag: v1.7.0
      replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
      nodeSelector: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    
    core:
      image:
        repository: goharbor/harbor-core
        tag: v1.7.0
      replicas: 1
    # resources:
    #  requests:
    #    memory: 256Mi
    #    cpu: 100m
      nodeSelector: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    
    adminserver:
      image:
        repository: goharbor/harbor-adminserver
        tag: v1.7.0
      replicas: 1
      # resources:
      #  requests:
      #    memory: 256Mi
      #    cpu: 100m
      nodeSelector: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    
    jobservice:
      image:
        repository: goharbor/harbor-jobservice
        tag: v1.7.0
      replicas: 1
      maxJobWorkers: 10
      # jobs 的日志收集器:"file", "database" or "stdout"
      jobLogger: file
    # resources:
    #   requests:
    #     memory: 256Mi
    #     cpu: 100m
      nodeSelector: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    
    registry:
      registry:
        image:
          repository: goharbor/registry-photon
          tag: v2.6.2-v1.7.0
      controller:
        image:
          repository: goharbor/harbor-registryctl
          tag: v1.7.0
      replicas: 1
      nodeSelector: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    
    chartmuseum:
      enabled: true
      image:
        repository: goharbor/chartmuseum-photon
        tag: v0.7.1-v1.7.0
      replicas: 1
      # resources:
      #  requests:
      #    memory: 256Mi
      #    cpu: 100m
      nodeSelector: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    # 不需要
    clair:
      enabled: false
      image:
        repository: goharbor/clair-photon
        tag: v2.0.7-v1.7.0
      replicas: 1
      # 用于从 Internet 更新漏洞数据库的http(s)代理
      httpProxy:
      httpsProxy:
      # clair 更新程序的间隔,单位为小时,设置为0来禁用
      updatersInterval: 12
      # resources:
      #  requests:
      #    memory: 256Mi
      #    cpu: 100m
      nodeSelector: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    # 不需要
    notary:
      enabled: false
      server:
        image:
          repository: goharbor/notary-server-photon
          tag: v0.6.1-v1.7.0
        replicas: 1
        # resources:
        #  requests:
        #    memory: 256Mi
        #    cpu: 100m
      signer:
        image:
          repository: goharbor/notary-signer-photon
          tag: v0.6.1-v1.7.0
        replicas: 1
        # resources:
        #  requests:
        #    memory: 256Mi
        #    cpu: 100m
      nodeSelector: {}
      tolerations: []
      affinity: {}
      podAnnotations: {}
    
    database:
      # 如果使用外部的数据库,则设置 type=external,然后填写 external 区域的一些连接信息
      type: internal
      internal:
        image:
          repository: goharbor/harbor-db
          tag: v1.7.0
        # 内部的数据库的初始化超级用户的密码
        password: "changeit"
        # resources:
        #  requests:
        #    memory: 256Mi
        #    cpu: 100m
        nodeSelector: {}
        tolerations: []
        affinity: {}
      external:
        host: "192.168.0.1"
        port: "5432"
        username: "user"
        password: "password"
        coreDatabase: "registry"
        clairDatabase: "clair"
        notaryServerDatabase: "notary_server"
        notarySignerDatabase: "notary_signer"
        sslmode: "disable"
      podAnnotations: {}
    
    redis:
      # 如果使用外部的 Redis 服务,设置 type=external,然后补充 external 部分的连接信息。
      type: internal
      internal:
        image:
          repository: goharbor/redis-photon
          tag: v1.7.0
        # resources:
        #  requests:
        #    memory: 256Mi
        #    cpu: 100m
        nodeSelector: {}
        tolerations: []
        affinity: {}
      external:
        host: "192.168.0.2"
        port: "6379"
        # coreDatabaseIndex 必须设置为0
        coreDatabaseIndex: "0"
        jobserviceDatabaseIndex: "1"
        registryDatabaseIndex: "2"
        chartmuseumDatabaseIndex: "3"
        password: ""
      podAnnotations: {}
    
  2. 安装harbor

    helm install harbor ./harbor/ -nharbor
    
    # 卸载
    helm uninstall harbor -nharbor