一、配置https

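# 1. Create a private CA: key plus self-signed certificate.
# NOTE(review): genrsa without -aes256 writes ca.key unencrypted. Whoever can
# read this file can issue certificates that every host trusting ca.crt will
# accept, so keep it off the registry host if at all possible.
openssl genrsa -out ca.key 4096
chmod 600 ca.key

# -x509 self-signs the request. With no explicit extensions the default
# openssl.cnf (v3_ca) marks it as a CA -- check with
# "openssl x509 -in ca.crt -noout -text" if your distribution's config differs.
# 3650 days follows the upstream Harbor example; shorten to taste.
openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=Henan/L=Zhengzhou/O=Inspur/OU=Inspur/CN=10.151.11.52" \
    -key ca.key \
    -out ca.crt

# 2. Private key for the registry host.
openssl genrsa -out 10.151.11.52.key 4096
chmod 600 10.151.11.52.key

# 3. Certificate signing request for that key.
openssl req -sha512 -new \
    -subj "/C=CN/ST=Henan/L=Zhengzhou/O=Inspur/OU=Inspur/CN=10.151.11.52" \
    -key 10.151.11.52.key \
    -out 10.151.11.52.csr

# 4. Sign the CSR with the CA, attaching the v3 extensions.
# Docker's (Go) TLS stack matches the host against subjectAltName only, so
# every name or address used to reach the registry must appear below. An IP
# address is an IP.N entry, not a DNS.N entry (the original listed
# 10.151.11.52 under DNS.1 together with a placeholder in parentheses, which is
# not valid config syntax). Replace yourdomain.com / hostname with the real
# names, or drop those lines if the registry is reached by IP only.
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=yourdomain.com
DNS.2=hostname
IP.1=10.151.11.52
EOF

# -CAcreateserial writes ca.srl next to ca.crt on first use.
openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in 10.151.11.52.csr \
    -out 10.151.11.52.crt

# 5. Copy the PEM certificate to a .cert file for Docker, which reads *.crt in
# /etc/docker/certs.d as CA certificates and *.cert as client certificates.
openssl x509 -inform PEM -in 10.151.11.52.crt -out 10.151.11.52.cert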

#证书生成结果

 


二、配置和安装harbor和notary

2.1 配置harbor

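# Server certificate and key for Harbor's nginx; the certificate/private_key
# entries in harbor.yml (section 3.1) point at these paths.
mkdir -p /data/certs
cp 10.151.11.52.crt /data/certs/
cp 10.151.11.52.key /data/certs/
# The private key must stay readable by root only.
chmod 600 /data/certs/10.151.11.52.key

# Make the Docker client on this host trust the registry's CA.
# Docker names the per-registry directory after the registry exactly as it is
# written in the image reference, i.e. host:port when the port is not 443.
# Harbor's HTTPS port is 5000 here and images are pushed to 10.151.11.52:5000,
# so /etc/docker/certs.d/10.151.11.52:5000 is the directory Docker actually
# consults. The port-less directory is kept as well because the notary alias in
# section 2.3 loads ca.crt from there.
# Only the CA certificate belongs here: *.crt files are read as CA roots and a
# *.cert/*.key pair as a client identity, so the server's private key has no
# business in a client trust directory and is no longer copied.
mkdir -p /etc/docker/certs.d/10.151.11.52:5000 /etc/docker/certs.d/10.151.11.52
cp ca.crt /etc/docker/certs.d/10.151.11.52:5000/
cp ca.crt /etc/docker/certs.d/10.151.11.52/

# OS-level trust store, used by curl, the notary CLI and anything else that is
# not Docker. Install the CA certificate rather than the server's leaf
# certificate: the leaf is issued with CA:FALSE and is replaced on every
# renewal, whereas the CA anchor keeps validating whatever it issues. That also
# means ca.key must be protected as tightly as any host that trusts it.
# (1) Ubuntu/Debian -- the file needs a .crt suffix to be picked up.
cp ca.crt /usr/local/share/ca-certificates/harbor-ca.crt
update-ca-certificates

# (2) CentOS/RHEL
cp ca.crt /etc/pki/ca-trust/source/anchors/harbor-ca.crt
update-ca-trust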

2.2 安装notary

1、下载notary二进制文件notary-Linux-amd64;下载后先核对发布页给出的校验和或签名(如有),再用 chmod +x 赋予执行权限

https://github.com/theupdateframework/notary/releases/tag/v0.6.1

2、mv notary-Linux-amd64 notary

3、安装go(可选)。notary 发布的是已编译好的 Go 二进制文件,直接运行即可,并不需要本机安装 Go;只有需要从源码构建 notary 时才需要本步骤

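# NOTE(review): the notary release asset is a pre-built Go binary and runs
# without a Go toolchain; this section is only needed to build notary from
# source. It is kept as written, with the typo and the non-persistent PATH
# change fixed.

# Install wget (the original read "yun install", which is not a command).
yum install -y wget

# Download the toolchain. HTTPS protects the transfer but not the artifact;
# compare the digest with the SHA-256 published on the Go downloads page
# before unpacking.
wget https://dl.google.com/go/go1.14.6.linux-amd64.tar.gz
sha256sum go1.14.6.linux-amd64.tar.gz   # compare with the published value

# Unpack into /usr/local/golang, dropping the leading "go/" directory.
mkdir -p /usr/local/golang
tar -C /usr/local/golang -xzf go1.14.6.linux-amd64.tar.gz --strip-components 1

# Persist the PATH change in /etc/profile. The original only exported it in
# the current shell, so the following "source /etc/profile" had nothing new to
# read and other sessions never saw the directory.
grep -qs '/usr/local/golang/bin' /etc/profile \
  || echo 'export PATH=$PATH:/usr/local/golang/bin' >> /etc/profile
export PATH=$PATH:/usr/local/golang/bin

# Re-read the environment.
source /etc/profile

# Check the version; expected output: go version go1.14.6 linux/amd64
go version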

4、将notary复制到 PATH 中的某个目录(例如 /usr/local/bin,或上一步加入 PATH 的 /usr/local/golang/bin)下,之后即可在 linux 终端直接使用 notary 命令

  


2.3 配置notary

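# With content trust enabled the Docker client looks for the Notary server's
# CA under ~/.docker/tls/<notary-host:port>/ca.crt.
mkdir -p ~/.docker/tls/10.151.11.52:4443
cp ca.crt ~/.docker/tls/10.151.11.52:4443/

# Alias so that -s, -d and --tlscacert need not be typed every time. The CA
# path is the copy made just above, so this block stands on its own and does
# not depend on /etc/docker/certs.d. An alias only applies to interactive
# shells; in scripts pass the flags explicitly or wrap them in a function.
alias notary="notary -s https://10.151.11.52:4443 -d ~/.docker/trust --tlscacert ~/.docker/tls/10.151.11.52:4443/ca.crt"

# Turn on content trust for docker push/pull in this shell: pushes get signed
# through the server below and pulls of unsigned tags are refused.
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://10.151.11.52:4443

# An image signed through notary cannot be deleted in Harbor until its
# signature is removed. Removing prompts for the Harbor login (admin) and its
# password, then for the repository-key passphrase; -p publishes the change to
# the server immediately.
notary remove -p 10.151.11.52:5000/notary/centos v4

# If the signature was made by a different (non-admin) user, delete that user's
# trust data first, then remove the signature as the Harbor admin.

# List the local keys and find the one belonging to that user.
notary key list

# Delete that user's key. The ID below is an example -- use the one printed by
# "notary key list". This is irreversible unless ~/.docker/trust/private has
# been backed up.
notary key remove 1091060d7bfd938dfa5be703fa057974f9322a4faef6f580334f3d6df44c02d1

# Delete all trust data for the collection. --remote also wipes the data held
# by the Notary server, not just the local cache, so check the GUN first.
# (The original named an unrelated GUN, registry.example.com/admin/demo; the
# collection now matches the one used above.)
notary delete 10.151.11.52:5000/notary/centos --remote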

notary其它使用方式参考如下链接

https://docs.docker.com/notary/getting_started/

三、安装harbor

3.1 配置harbor.yml文件

## Configuration file of Harbor
## NOTE(review): this file holds two default secrets in clear text
## (harbor_admin_password and database.password). Change both before running
## install.sh and keep the file readable by root only.

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
# Must be covered by a subjectAltName of the certificate configured below.
hostname: 10.151.11.52


# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  # The redirect is all this port is for once https is enabled; it can be
  # firewalled if clients are expected to use HTTPS directly.
  port: 5001 

# https related config
https:
#   # https port for harbor, default is 443
  # Not 443, so Docker clients address the registry as 10.151.11.52:5000 and
  # Docker's per-registry CA directory under /etc/docker/certs.d is named
  # after that host:port as well.
  port: 5000
#   # The path of cert and key files for nginx
  # Host paths; keep the key readable by root only. Presumably the same pair
  # also serves the Notary endpoint on 4443 used in section 2.3 -- confirm.
  certificate: /data/certs/10.151.11.52.crt
  private_key: /data/certs/10.151.11.52.key

# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
# external_url: https://reg.mydomain.com:8433

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
# NOTE(review): Harbor12345 is the publicly documented default. It is only
# consulted on the first install, so replace it here before that, not after.
harbor_admin_password: Harbor12345

## Harbor DB configuration
database:
  #The password for the root user of Harbor DB. Change this before any production use.
  # NOTE(review): weak, guessable default; replace before install.
  password: root123

# The default data volume
data_volume: /data

# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
#   ca_bundle:

#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
#   filesystem:
#     maxthreads: 100
#   # set disable to true when you want to disable registry redirect
#   redirect:
#     disabled: false

# Clair configuration
clair: 
  # The interval of clair updaters, the unit is hour, set to 0 to disable the updaters.
  updaters_interval: 12

  # Config http proxy for Clair, e.g. http://my.proxy.com:3128
  # Clair doesn't need to connect to harbor internal components via http proxy.
  http_proxy:
  https_proxy:
  no_proxy: 127.0.0.1,localhost,core,registry

jobservice:
  # Maximum number of job workers in job service  
  max_job_workers: 10

# Log configurations
log:
  # options are debug, info, warn, error
  level: info
  # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
  rotate_count: 50
  # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes. 
  # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G 
  # are all valid.
  rotate_size: 200M
  # The directory on your host that store log
  location: /var/log/harbor

#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 1.8.0

# Uncomment external_database if using external database. Currently only support POSTGRES. 
# Four databases are needed to be create first by users for Harbor core, Clair, Notary server 
# and Notary signer. And the tables will be generated automatically when Harbor starting up.
# NOTE: external_database is unable to custom attributes individually, you must do them in block.
# NOTE(review): the ssl_mode: disable examples below send credentials and data
# to an external database in clear text; prefer require or verify-full.
# external_database:
#   harbor:
#     host: harbor_db_host
#     port: harbor_db_port
#     db_name: harbor_db_name
#     username: harbor_db_username
#     password: harbor_db_password
#     ssl_mode: disable
#   clair:
#     host: clair_db_host
#     port: clair_db_port
#     db_name: clair_db_name
#     username: clair_db_username
#     password: clair_db_password
#     ssl_mode: disable
#   notary_signer:
#     host: notary_signer_db_host
#     port: notary_signer_db_port
#     db_name: notary_signer_db_name
#     username: notary_signer_db_username
#     password: notary_signer_db_password
#     ssl_mode: disable
#   notary_server:
#     host: notary_server_db_host
#     port: notary_server_db_port
#     db_name: notary_server_db_name
#     username: notary_server_db_username
#     password: notary_server_db_password
#     ssl_mode: disable

# Uncomment external_redis if using external Redis server
# NOTE(review): the example leaves password empty; an unauthenticated Redis
# must only be reachable from Harbor's own network.
# external_redis:
#   host: redis
#   port: 6379
#   password:
#   # db_index 0 is for core, it's unchangeable
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3

# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
#   ca_file: /path/to/ca

3.2 在解压的harbor目录下,执行安装命令

# Run from the unpacked Harbor directory (it reads harbor.yml from there).
# --with-notary additionally deploys the Notary server that section 2.3 and
# 3.3 talk to on port 4443.
./install.sh --with-notary

出现以下提示,表示安装成功

✔ ----Harbor has been installed and started successfully.----

 

Now you should be able to visit the admin portal at https://10.151.11.52.

For more details, please visit https://github.com/goharbor/harbor .

# Show the state of the Harbor containers. docker-compose reads
# docker-compose.yml from the current directory, so run these from the
# Harbor install directory.

# cd <harbor install directory>

docker-compose ps

# Stop the containers (containers and volumes are kept).

docker-compose stop

# Start the stack again in the background.

docker-compose up -d

访问页面

https://10.151.11.52:5000

使用默认的账号:admin,密码:Harbor12345(即 harbor.yml 中的 harbor_admin_password)登录验证;该默认密码是公开的,登录成功后应立即在页面中修改

 


登录成功之后,效果如下:

 


3.3 push签名镜像

# Enable Docker Content Trust for this shell session: pushes are signed through
# the Notary server on 10.151.11.52:4443 (the same values as in section 2.3).
export DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVER=https://10.151.11.52:4443

然后使用docker push镜像,输入签名密码,push完成后,可以在harbor仓库中查看镜像签名状态

# With content trust on, the push signs the tag after upload. The first push
# prompts for a new root-key passphrase and a repository-key passphrase; keep
# a backup of ~/.docker/trust/private, as a lost root key means new
# repositories can no longer be initialised for signing.
docker push 10.151.11.52:5000/library/centos:latest

3.4 删除签名镜像

# Removing the signature prompts for the Harbor login (admin) and password and
# then for the repository-key passphrase; -p publishes the change to the Notary
# server immediately. Harbor refuses to delete a tag while it is still signed.

notary remove -p 10.151.11.52:5000/notary/centos latest

#然后在harbor页面删除该镜像