Kubernetes in Practice (7): Configuring Kubernetes to Use a Private Image Registry Built on Harbor

For the complete table of contents of the Kubernetes in Practice series, see: Kubernetes in Practice - Table of Contents

I. Harbor image registry environment

| Hostname | IP address | Operating system | Role | Software versions | Notes |
|---|---|---|---|---|---|
| k8sproxy-hzbatst-1 | 10.120.67.25 | CentOS 7.5 | proxy, registry | haproxy; docker-ce 18.06.1; docker-compose 1.22.0; harbor 1.6.1 | |

For how the Harbor service was set up, see Kubernetes First Experience (1): Setting Up the Enterprise-Grade Image Registry Harbor

II. Integrating Harbor with Kubernetes

1. Configuring the self-signed certificate on the Kubernetes nodes [all nodes]

# On the Harbor node
cp /opt/app/harbor/certs/harbor.example.com.crt /etc/pki/ca-trust/source/anchors/ca.crt

# Run on each Kubernetes node (the Harbor clients); the directory name must equal the registry hostname
mkdir -p /etc/docker/certs.d/harbor.example.com

# Copy the self-signed root certificate to the Kubernetes nodes (the Harbor clients)
# Files under /etc/pki/ca-trust/source/anchors only take effect after `update-ca-trust extract` is run on that host
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.26:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.27:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.28:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.29:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.30:/etc/pki/ca-trust/source/anchors/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.31:/etc/pki/ca-trust/source/anchors/ca.crt

# Docker reads the per-registry CA from /etc/docker/certs.d/<registry hostname>/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.26:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.27:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.28:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.29:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.30:/etc/docker/certs.d/harbor.example.com/ca.crt
scp /opt/app/harbor/certs/harbor.example.com.crt 10.120.67.31:/etc/docker/certs.d/harbor.example.com/ca.crt

2. Creating a secret that holds the Harbor (registry) credentials

Make sure the relevant namespace has already been created

# cat ns_eju-test.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: eju-test

kubectl apply -f ns_eju-test.yaml
kubectl get ns 

Create a secret that stores the Harbor login credentials

kubectl create secret docker-registry harbor-test --namespace=eju-test \
        --docker-server=harbor.example.com --docker-username='eju_test_visitor' \
        --docker-password='EJU@test1234' \
        --docker-email='[email protected]'

kubectl get secret -n eju-test
		harbor-test           kubernetes.io/dockerconfigjson        1      73m

3. Testing the image pull (YAML)

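# Make sure the image already exists in Harbor
docker pull nginx:1.14
docker tag nginx:1.14  harbor.example.com/eju-test/nginx:1.14
# Log in with an account that is allowed to push to the eju-test project
docker login harbor.example.com
docker push harbor.example.com/eju-test/nginx:1.14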

# cat app_nginx.yaml
# apps/v1 is the stable Deployment API (extensions/v1beta1 was removed in Kubernetes 1.16)
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: nginx-app
  name: nginx-app
  namespace: eju-test
spec:
  replicas: 1
  selector:
    matchLabels:
      run: nginx-app
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        run: nginx-app
    spec:
      containers:
      - name: nginx-app
        # The registry host must match the --docker-server of the imagePullSecret
        image: harbor.example.com/eju-test/nginx:1.14
        ports:
        - containerPort: 80
          protocol: TCP
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      imagePullSecrets:
      - name: harbor-test

kubectl apply -f app_nginx.yaml 
kubectl get pod -n eju-test -o wide
	NAME                        READY   STATUS    RESTARTS   AGE   IP             NODE                NOMINATED NODE
	nginx-app-888548bb4-zhxwk   1/1     Running   0          18m   192.168.3.15   k8snode-hzbatst-1   <none>

curl 192.168.3.15
	... ..
	<h1>Welcome to nginx!</h1>
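
Added example (not part of the original post): a Python sketch of what the `harbor-test` secret contains and how to check that it covers the image a Deployment references. The payload layout follows what `kubectl create secret docker-registry` writes; the helper names, the sample credentials, and the exact-host matching (simpler than the kubelet's own matching) are assumptions of this example.

```python
import base64
import json


def build_dockerconfigjson(server, username, password, email=""):
    """Build the JSON that `kubectl create secret docker-registry` stores
    (base64-encoded) under the secret's `.dockerconfigjson` data key."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password,
             "email": email, "auth": auth}
    return json.dumps({"auths": {server: entry}})


def registry_host(image):
    """Return the registry host of an image reference. A first path
    component without '.', ':' or 'localhost' means Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def credentials_for(image, secret_b64):
    """Decode the secret and return (username, password) for the image's
    registry, or None when no `auths` key matches that host.
    Assumption: exact host match, simpler than the kubelet's matching."""
    config = json.loads(base64.b64decode(secret_b64))
    entry = config.get("auths", {}).get(registry_host(image))
    if entry is None:
        return None
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, password


# Constructed sample values, not the credentials from this post.
SECRET_B64 = base64.b64encode(
    build_dockerconfigjson("harbor.example.com", "demo-user", "demo-pass").encode()
).decode()

if __name__ == "__main__":
    # Base64 is an encoding, not encryption: this recovers the password.
    print(credentials_for("harbor.example.com/eju-test/nginx:1.14", SECRET_B64))
    # Constructed mismatching host: no entry, so the pull would be anonymous.
    print(credentials_for("harbor.internal.example/eju-test/nginx:1.14", SECRET_B64))
```

Because the value is only base64-encoded, any subject allowed to read secrets in the `eju-test` namespace can recover the registry password, so a read-only Harbor account and tight RBAC on secrets limit the exposure.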