Pitfalls encountered deploying Harbor with Helm

1. My environment

1. CentOS 7.9
2. k8s cluster 1
3. 19.03
4. All firewalls disabled

2. Install and configure Helm (on the k8s master node)

1. Install helm3

Download the Helm package:

    wget https://get.helm.sh/helm-v3.2.4-linux-amd64.tar.gz

Extract it:

    tar -zxf helm-v3.2.4-linux-amd64.tar.gz

Install the helm command:

    cp linux-amd64/helm /usr/local/bin/

2. Verify Helm

    $ helm version
    version.BuildInfo{Version:"v3.2.4", GitCommit:"0ad800ef43d3b826f31a5ad8dfbb4fe05d143688", GitTreeState:"clean", GoVersion:"go1.13.12"}

3. Command completion

    source <(helm completion bash)

3. Install and configure Harbor

1. Add the Harbor chart repository

    helm repo add harbor https://helm.goharbor.io
    helm repo ls

2. Search for the Harbor chart

    helm search repo harbor

3. Pull the chart

    helm pull harbor/harbor --version 1.4.1

4. Extract it

    tar zxf harbor-1.4.1.tgz

Note: if the repository cannot be added, use git clone instead:
    git clone https://github.com/goharbor/harbor-helm
    cd harbor-helm
    git checkout 1.4.1

or download the tarball directly from https://github.com/goharbor/harbor-helm/releases/tag/v1.4.1, copy it to the server and extract it:

    tar xf harbor-helm-1.4.1.tar.gz

I used the approach of downloading the tarball to the server.

5. Edit the configuration

    $ vim harbor-helm-1.4.1/values.yaml

Persistence section (the existingClaim and subPath entries are what I changed; all components share the one PVC created in step 6):

    persistence:
      enabled: true
      # Setting it to "keep" to avoid removing PVCs during a helm delete
      # operation. Leaving it empty will delete PVCs after the chart deleted
      resourcePolicy: "keep"
      persistentVolumeClaim:
        registry:
          # Use the existing PVC which must be created manually before bound,
          # and specify the "subPath" if the PVC is shared with other components
          existingClaim: "harbor-pvc"
          # Specify the "storageClass" used to provision the volume. Or the default
          # StorageClass will be used (the default).
          # Set it to "-" to disable dynamic provisioning
          storageClass: ""
          subPath: "registry"
          accessMode: ReadWriteOnce
          size: 20Gi
        chartmuseum:
          existingClaim: "harbor-pvc"
          storageClass: ""
          subPath:   # the value, and the accessMode and size lines after it, are cut off in the source
        jobservice:
          existingClaim: "harbor-pvc"
          # the chart only uses storageClass when it creates the PVC itself, so with
          # existingClaim set this value is ignored; an empty subPath mounts the root
          # of the shared PVC, i.e. the directory holding the other components' subPaths
          storageClass: "jobservice"
          subPath: ""
          accessMode: ReadWriteOnce
          size: 20Gi
        # If external database is used, the following settings for database will
        # be ignored
        database:
          existingClaim: "harbor-pvc"
          storageClass: ""
          subPath: "database"
          accessMode: ReadWriteOnce
          size: 20Gi
        # If external Redis is used, the following settings for Redis will
        # be ignored
        redis:
          existingClaim: "harbor-pvc"
          storageClass: ""
          subPath: "redis"
          accessMode: ReadWriteOnce
          size: 20Gi
        trivy:
          existingClaim: "harbor-pvc"
          storageClass: ""
          subPath: "trivy"
          accessMode: ReadWriteOnce
          size: 20Gi

Further down in the same file, disable Clair, Trivy and Notary:

    clair:
      enabled: false

    trivy:
      # enabled the flag to enable Trivy scanner
      enabled: false

    notary:
      enabled: false

6. Create the PV and PVC

1. Install the NFS server (on the k8s master node)

    yum -y install nfs-utils rpcbind
    mkdir -p /data/k8s && chmod 755 /data/k8s
    echo '/data/k8s *(insecure,rw,sync,no_root_squash)' >> /etc/exports
    systemctl enable rpcbind && systemctl start rpcbind
    # the nfs-server service itself also has to be enabled and started for the mount below to work

Note that this export is open to every client (`*`), accepts unprivileged source ports (`insecure`) and maps remote root to local root (`no_root_squash`). That last option is what lets the chart's chown initContainer, which runs as root inside the pod, change ownership on the share, but it also gives root on the export to any host that can reach the NFS server, so restrict the client list to the cluster nodes where possible.

On the clients (the k8s slave nodes):

    yum -y install nfs-utils rpcbind
    mkdir /nfsdata
    mount -t nfs 192.168.10.101:/data/k8s /nfsdata

2. Create the namespace (on k8s-master)

    kubectl create namespace harbor

3. Create the PVC

    cat > harbor-pvc.yaml <<EOF
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: harbor-pvc
      namespace: harbor
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 20Gi
    EOF
    kubectl create -f harbor-pvc.yaml

4. Create the PV

    cat > harbor-pv.yaml <<EOF
    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: harbor-pv
      namespace: harbor   # PersistentVolumes are cluster-scoped; this field is ignored
    spec:
      capacity:
        storage: 20Gi
      accessModes:
        - ReadWriteOnce
      persistentVolumeReclaimPolicy: Recycle
      nfs:
        path: /data/k8s
        server: 192.168.10.101
    EOF
    kubectl create -f harbor-pv.yaml

5. Install Harbor

    helm install harbor ./harbor-helm-1.4.1 -n harbor

6. Verify

Check the pods:

    kubectl -n harbor get pod

Check the ingress:

    kubectl -n harbor get ing

4. Install the ingress controller (on k8s-master)
Download the manifest:

    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.30.0/deploy/static/mandatory.yaml

Edit the configuration:

    $ grep -n5 nodeSelector mandatory.yaml
    212-    spec:
    213-      hostNetwork: true   # added: run in host network mode
    214-      # wait up to five minutes for the drain of connections
    215-      terminationGracePeriodSeconds: 300
    216-      serviceAccountName: nginx-ingress-serviceaccount
    217:      nodeSelector:
    218-        ingress: "true"   # change this to decide which machines the ingress runs on
    219-      containers:
    220-        - name: nginx-ingress-controller
    221-          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
    222-          args:

Add the label to the k8s-master node:

    kubectl label node k8s-master ingress=true

Install:

    kubectl create -f mandatory.yaml

Verify:

    kubectl get ns | grep ing
    kubectl -n ingress-nginx get pod

If the ingress pod cannot run on the master node and its status stays Pending, run:

    kubectl taint nodes --all node-role.kubernetes.io/master-

5. Configure hosts resolution and open the web UI

    192.168.10.101 core.harbor.domain

Web access: https://core.harbor.domain
6. Now for the important part!!! The important part!!! The important part!!!

1. Pitfall one: cannot log in, the error shown is 401

1. Reproducing the error: the login fails
I noticed that pods had restarted:

    $ kubectl -n harbor get pod
    NAME                                        READY   STATUS    RESTARTS   AGE
    harbor-harbor-chartmuseum-7f5d97c8d-k9tst   1/1     Running   0          51m
    harbor-harbor-core-59b76f46bb-shxqz         1/1     Running   3          51m
    harbor-harbor-database-0                    1/1     Running   0          51m
    harbor-harbor-jobservice-5bfb764464-625p6   1/1     Running   3          51m
    harbor-harbor-portal-59c779dd74-5ffg2       1/1     Running   0          51m
    harbor-harbor-redis-0                       1/1     Running   0          51m
    harbor-harbor-registry-6b4b74b7b8-vmlxm     2/2     Running   0          51m

2. How to troubleshoot: look at the logs

    $ kubectl -n harbor logs -f harbor-harbor-jobservice-5bfb764464-625p6
    # the log indicates a problem with redis
    2021-06-18T20:10:31Z
OK, the login succeeds.
2. Pitfall two: permissions on the registry component's image storage directory make image pushes fail

1. Reproducing the error

Configure the docker registry settings on a k8s-node:

    cat > /etc/docker/daemon.json <<EOF
    {
      "registry-mirrors": ["https://8xpk5wnt.mirror.aliyuncs.com"],
      "exec-opts": ["native.cgroupdriver=systemd"],
      "insecure-registries": ["192.168.10.101:5000", "core.harbor.domain"]
    }
    EOF

Restart docker:

    systemctl restart docker

Hosts resolution:

    echo '192.168.10.101 core.harbor.domain' >> /etc/hosts

Log in to the registry:

    $ docker login core.harbor.domain
    Username: admin
    Password: Harbor12345
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded

Harbor12345 is the chart's default admin password (harborAdminPassword in values.yaml); change it before the registry is reachable by anyone else.

Pull an image:

    docker pull nginx:alpine

Tag it:

    docker tag nginx:alpine core.harbor.domain/library/nginx:alpine

The push fails.
Fix: add an initContainer to the registry deployment template (lines 47 to 56):

    $ vim harbor-helm-1.4.1/templates/registry/registry-dpl.yaml
     45       {{- toYaml . | nindent 8 }}
     46       {{- end }}
     47       initContainers:
     48       - name: "change-permission-of-directory"
     49         image: {{ .Values.database.internal.initContainerImage.repository }}:{{ .Values.database.internal.initContainerImage.tag }}
     50         imagePullPolicy: {{ .Values.imagePullPolicy }}
     51         command: ["/bin/sh"]
     52         args: ["-c", "chown -R 10000:10000 {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}"]
     53         volumeMounts:
     54         - name: registry-data
     55           mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
     56           subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}
     57       containers:
     58       - name: registry

Update the release:

    helm upgrade harbor -n harbor ./harbor-helm-1.4.1

Pushing again succeeds:

    $ docker push core.harbor.domain/library/nginx:alpine
    The push refers to repository
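A quick way to confirm, on the NFS server, that the chown initContainer actually took effect (and to re-check after a chart upgrade) is to audit the ownership of the data directories on the export. This is an added example, not from the original post; it assumes the export path /data/k8s and the subPath names registry and chartmuseum used above, and that both containers run as uid/gid 10000, as the chown in the initContainer implies.

```shell
#!/bin/sh
# Audit ownership of Harbor's registry and chartmuseum data directories on the
# NFS export. Both containers run as uid/gid 10000 (the reason the page adds a
# chown initContainer); a mismatch is what reproduces the failed push.
# Added example, not from the original post. The export root and the subPath
# names are assumptions taken from the values.yaml shown above.

# check_owner DIR UID GID -> 0 if DIR exists and is owned by UID:GID, else 1
check_owner() {
    dir=$1; want_uid=$2; want_gid=$3
    [ -d "$dir" ] || { echo "MISSING  $dir"; return 1; }
    have=$(stat -c '%u:%g' "$dir") || return 1   # GNU stat (CentOS)
    if [ "$have" = "$want_uid:$want_gid" ]; then
        echo "OK       $dir owned by $have"
        return 0
    fi
    echo "MISMATCH $dir owned by $have, want $want_uid:$want_gid"
    return 1
}

# audit_export ROOT -> 0 only if every Harbor data directory under ROOT has
# the owner its container expects; keeps going so all problems are listed.
audit_export() {
    root=$1; rc=0
    for sub in registry chartmuseum; do
        check_owner "$root/$sub" 10000 10000 || rc=1
    done
    return $rc
}

# On the NFS server from the page:  audit_export /data/k8s
```

A MISMATCH after the upgrade usually means the initContainer's chown was refused; with root squashing enabled on the export, root in the pod is mapped to an unprivileged user and cannot change ownership.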
The same change for chartmuseum:

    $ vim harbor-helm-1.4.1/templates/chartmuseum/chartmuseum-dpl.yaml
     44       imagePullSecrets:
     45       {{- toYaml . | nindent 8 }}
     46       {{- end }}
     47       initContainers:
     48       - name: "change-permission-of-directory"
     49         image: {{ .Values.database.internal.initContainerImage.repository }}:{{ .Values.database.internal.initContainerImage.tag }}
     50         imagePullPolicy: {{ .Values.imagePullPolicy }}
     51         command: ["/bin/sh"]
     52         args: ["-c", "chown -R 10000:10000 /chart_storage"]
     53         volumeMounts:
     54         - name: chartmuseum-data
     55           mountPath: /chart_storage
     56           subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }}
     57       containers:
     58       - name: chartmuseum

Update the release:

    helm upgrade harbor -n harbor ./harbor-helm-1.4.1

7. Push charts to the Harbor repository

helm3 does not ship the helm push plugin by default; it has to be installed manually. Plugin: https://github.com/chartmuseum/helm-push

Install the plugin:

    $ helm plugin install https://github.com/chartmuseum/helm-push

Offline install (recommended):
8. Problem encountered when logging in to the registry

    Error response from daemon: Get https://core.harbor.domain/v2/: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "harbor-ca")

Solution:

    $ vim /usr/lib/systemd/system/docker.service
    ExecStart=/usr/bin/dockerd --insecure-registry core.harbor.domain
    #ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
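The error says the chart's self-signed CA ("harbor-ca") is not trusted; --insecure-registry silences it by turning certificate verification off for that host. The alternative is to hand dockerd just that CA via /etc/docker/certs.d/<registry>/ca.crt, which keeps TLS verification on. The following is an added example, not from the original post; it assumes the chart stored the generated CA under the key ca.crt in its ingress TLS secret (harbor-harbor-ingress for a release named harbor) and takes an optional certs.d root so it can be exercised outside /etc.

```shell
#!/bin/sh
# Trust the Harbor CA for one registry host instead of using --insecure-registry.
# Added example, not from the original post.

# fetch_harbor_ca NAMESPACE SECRET OUT_FILE
# Extracts the ca.crt entry of the chart's ingress TLS secret into OUT_FILE.
# The secret name harbor-harbor-ingress is an assumption for a release called
# "harbor" with expose.tls.certSource left at "auto".
fetch_harbor_ca() {
    ns=$1; secret=$2; out=$3
    kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.ca\.crt}' \
        | base64 -d > "$out" && [ -s "$out" ]
}

# install_registry_ca REGISTRY CA_FILE [CERTS_ROOT]
# Copies CA_FILE to CERTS_ROOT/REGISTRY/ca.crt. dockerd consults that directory
# when it talks to REGISTRY, so only this CA is trusted and only for this host;
# certificate verification stays enabled. CERTS_ROOT defaults to /etc/docker/certs.d.
install_registry_ca() {
    registry=$1; ca=$2; root=${3:-/etc/docker/certs.d}
    [ -s "$ca" ] || { echo "$ca is missing or empty" >&2; return 1; }
    # dockerd expects a PEM certificate here; refuse anything else up front
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" \
        || { echo "$ca is not a PEM certificate" >&2; return 1; }
    mkdir -p "$root/$registry" || return 1
    cp "$ca" "$root/$registry/ca.crt" && chmod 0644 "$root/$registry/ca.crt"
}

# Typical use on a docker node (root is needed to write under /etc/docker):
#   fetch_harbor_ca harbor harbor-harbor-ingress /tmp/harbor-ca.crt
#   install_registry_ca core.harbor.domain /tmp/harbor-ca.crt
#   docker login core.harbor.domain
```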