1. Harbor introduction:
Harbor private registry
- Developing and running Docker container applications depends on reliable image management. Docker does provide a public image registry, but for security and efficiency reasons it is also very necessary to deploy a Registry inside our own private environment.
- Harbor is an enterprise-grade Docker Registry management project open-sourced by VMware. It includes role-based access control (RBAC), LDAP integration, audit logging, a management UI, self-registration, image replication and Chinese-language support.
- Using Harbor requires docker and docker-compose.
Harbor registry structure
2. Harbor host environment
server8: 172.25.7.8 # registry host
[Download Harbor](https://github.com/goharbor/harbor/releases)
The docker and docker-compose packages and their dependencies are best downloaded from the Aliyun mirror.
[root@server8 ~]# ls
containerd.io-1.2.13-3.2.el7.x86_64.rpm # dependency of docker-ce
docker-ce-cli-19.03.12-3.el7.x86_64.rpm # dependency of docker-ce
container-selinux-2.77-1.el7.noarch.rpm # dependency of containerd.io and docker-ce
docker-compose-Linux-x86_64-1.27.0 # the docker-compose binary
docker-ce-19.03.12-3.el7.x86_64.rpm # harbor needs docker and docker-compose
harbor-offline-installer-v1.10.1.tgz # harbor tarball
3. Install docker and docker-compose, and extract the Harbor offline installer
[root@server8 ~]# ls
containerd.io-1.2.13-3.2.el7.x86_64.rpm docker-ce-cli-19.03.12-3.el7.x86_64.rpm
container-selinux-2.77-1.el7.noarch.rpm docker-compose-Linux-x86_64-1.27.0
docker-ce-19.03.12-3.el7.x86_64.rpm harbor-offline-installer-v1.10.1.tgz
[root@server8 ~]# yum install -y *
[root@server8 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz
[root@server8 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@server8 ~]# systemctl start docker
[root@server8 ~]# systemctl enable --now docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@server8 ~]# cd /etc/sysctl.d
[root@server8 sysctl.d]# vi k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
[root@server8 sysctl.d]# sysctl --system
4. Create the data directory, and create the certificate and private key
[root@server8 harbor]# mkdir /data
[root@server8 harbor]# cd /data/
[root@server8 data]# ls
[root@server8 data]# mkdir certs
[root@server8 data]# cd certs/
[root@server8 certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout reg.westos.org.key -x509 -days 365 -out reg.westos.org.crt
Generating a 4096 bit RSA private key
[root@server8 certs]# ls
reg.westos.org.crt reg.westos.org.key
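The openssl command above puts the hostname only in the certificate's CN. Docker clients built with recent Go versions (1.15 and later) ignore the CN for hostname matching and require a subjectAltName, so a certificate without a SAN fails at `docker login`/`docker push` with an x509 hostname error. The following is an added example, not the page's own command: it wraps the same key size, hash and lifetime in a function that also adds a DNS SAN for the registry hostname, and a second function checks that the SAN is present. The certificate and key paths are what harbor.yml's `https.certificate` and `https.private_key` settings point at; the hostname `reg.example.test` used in the check is a constructed sample.

```shell
#!/bin/sh
# Generate a self-signed TLS certificate for a Harbor registry hostname with a
# DNS subjectAltName. Added example, not the page's own command; the output
# directory, hostname and lifetime are parameters.
gen_registry_cert() {
  dir="$1"; host="$2"; days="${3:-365}"
  mkdir -p "$dir"
  # A small openssl config instead of -addext, so it also works on OpenSSL 1.0.x
  cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
EOF
  openssl req -newkey rsa:4096 -nodes -sha256 \
    -keyout "$dir/$host.key" -x509 -days "$days" \
    -out "$dir/$host.crt" -config "$dir/$host.cnf" >/dev/null 2>&1 || return 1
  # The private key stays on the registry host only; keep it unreadable to others
  chmod 600 "$dir/$host.key"
}

# Check that a certificate carries the expected hostname in its SAN list,
# which is the property Docker's TLS client verifies.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage for the page's hostname:
#   gen_registry_cert /data/certs reg.westos.org 365
#   cert_has_san /data/certs/reg.westos.org.crt reg.westos.org && echo "SAN ok"
```

`basicConstraints = CA:TRUE` is set because the same file is later installed as `ca.crt` under `/etc/docker/certs.d/`, i.e. it acts as its own trust anchor.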
5. Run the install script in the harbor directory and make sure it completes successfully
[root@server8 ~]# cd harbor/
[root@server8 harbor]# ./install.sh --with-chartmuseum
6. Copy and rename the certificate
[root@server8 harbor]# cd /etc/docker/
[root@server8 docker]# mkdir certs.d
[root@server8 docker]# cd certs.d/
[root@server8 certs.d]# mkdir reg.westos.org
[root@server8 certs.d]# cd reg.westos.org/
[root@server8 reg.westos.org]# cp /data/certs/reg.westos.org.crt ca.crt
[root@server8 reg.westos.org]# ls
ca.crt
7. Pull an image, tag it, log in to the registry, and push the image to the private registry
[root@server8 reg.westos.org]# cd /etc/docker/
[root@server8 docker]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
bf5952930446: Pull complete
cb9a6de05e5a: Pull complete
9513ea0afb93: Pull complete
b49ea07d2e93: Pull complete
a5e4a503d449: Pull complete
Digest: sha256:b0ad43f7ee5edbc0effbc14645ae7055e21bc1973aee5150745632a24a752661
Status: Downloaded newer image for nginx:latest
docker.io/library/nginx:latest
[root@server8 docker]# docker tag nginx:latest reg.westos,org/library/nginx:latest
Error parsing reference: "reg.westos,org/library/nginx:latest" is not a valid repository/tag: invalid reference format
[root@server8 docker]# docker tag nginx:latest reg.westos.org/library/nginx:latest
[root@server8 docker]# docker login reg.westos.org
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@server8 docker]# docker push reg.westos.org/library/nginx
The push refers to repository [reg.westos.org/library/nginx]
550333325e31: Pushed
22ea89b1a816: Pushed
a4d893caa5c9: Pushed
0338db614b95: Pushed
d0f104dc0a1f: Pushed
latest: digest: sha256:179412c42fe3336e7cdc253ad4a2e03d32f50e3037a860cf5edbeb1aaddb915c size: 1362
Access server8's IP in a browser
8. Copy the certificate to the other node hosts
[root@server8 docker]# ls
certs.d daemon.json key.json
[root@server8 docker]# scp -r certs.d/ server4:/etc/docker/
[root@server5 docker]# ls
daemon.json key.json
[root@server5 docker]# vim daemon.json
[root@server5 docker]# systemctl daemon-reload
[root@server5 docker]# systemctl restart docker
[root@server5 docker]# scp -r certs.d/ server5:/etc/docker/
ca.crt 100% 2106 1.5MB/s 00:00
[root@server5 docker]# scp -r certs.d/ server6:/etc/docker/
ca.crt 100% 2106 1.5MB/s 00:00
### At this point all four hosts have the certificate; on server8, configure the Aliyun accelerator
[root@server5 docker]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://vo5twm71.mirror.aliyuncs.com"]
}
## On the other k8s nodes server5, server6 and server7, change the configuration so that images are pulled from the Harbor private registry first
{
"registry-mirrors": ["https://reg.westos.org"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
]
}
---------------------------------
Restart Docker on every host after editing the file:
systemctl daemon-reload
systemctl restart docker
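Steps 6 and 8 above are repeated by hand on each node: copy `ca.crt` into `/etc/docker/certs.d/<registry host>/`, write `daemon.json`, and restart Docker. The following is an added example (not the page's own commands) that performs the same node setup as functions, with two checks a rollout should include: it refuses to install a file that contains a private key (the nodes need only the certificate, never `reg.westos.org.key`), and it reads the mirror back from the written `daemon.json` before the daemon is restarted. The Docker config root is a parameter (default `/etc/docker`) so the functions can be exercised in a scratch directory; `reg.example.test` in the usage is a constructed hostname.

```shell
#!/bin/sh
# Install a registry's CA certificate on a Docker host and write the k8s-node
# daemon.json from the page with the mirror URL as a parameter.
# Added example, not the page's own commands.

# Copy the certificate to <root>/certs.d/<host>/ca.crt. Docker trusts this file
# only for that hostname, which is why the directory is named after it.
install_registry_ca() {
  host="$1"; src="$2"; root="${3:-/etc/docker}"
  if grep -q "PRIVATE KEY" "$src"; then
    echo "refusing $src: it contains a private key, nodes need only the certificate" >&2
    return 1
  fi
  if ! grep -q "BEGIN CERTIFICATE" "$src"; then
    echo "refusing $src: not a PEM certificate" >&2
    return 1
  fi
  mkdir -p "$root/certs.d/$host"
  cp "$src" "$root/certs.d/$host/ca.crt"
  chmod 644 "$root/certs.d/$host/ca.crt"
}

# registry-mirrors only applies to Docker Hub names, so an unqualified "nginx"
# is looked up as <mirror>/library/nginx, the repository pushed to Harbor.
write_daemon_json() {
  root="${1:-/etc/docker}"; mirror="$2"
  mkdir -p "$root"
  cat > "$root/daemon.json" <<EOF
{
  "registry-mirrors": ["$mirror"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
EOF
}

# Read the configured mirror back, to confirm the file before restarting docker.
daemon_json_mirror() {
  sed -n 's/.*"registry-mirrors": \["\([^"]*\)"].*/\1/p' "${1:-/etc/docker}/daemon.json"
}

# Full node setup: install the CA, write the config, verify what was written.
configure_node() {
  host="$1"; crt="$2"; root="${3:-/etc/docker}"
  install_registry_ca "$host" "$crt" "$root" || return 1
  write_daemon_json "$root" "https://$host"
  [ "$(daemon_json_mirror "$root")" = "https://$host" ] || return 1
}

# Usage on a k8s node, after scp'ing only the .crt file from the registry host:
#   configure_node reg.westos.org /tmp/reg.westos.org.crt && \
#     systemctl daemon-reload && systemctl restart docker
```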
9. Create a pod application from the private registry image
Because the nodes list reg.westos.org as a registry mirror, the unqualified image name nginx is resolved as reg.westos.org/library/nginx, the repository pushed in step 7.
[root@server5 docker]# su - k8s
[k8s@server5 ~]$ kubectl create deployment nginx --image=nginx -r 2
deployment.apps/nginx created
[k8s@server5 ~]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-6799fc88d8-mm2w6 0/1 ContainerCreating 0 3s
nginx-6799fc88d8-vrp59 1/1 Running 0 3s
[k8s@server5 ~]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-6799fc88d8-mm2w6 1/1 Running 0 9s
nginx-6799fc88d8-vrp59 1/1 Running 0 9s
Copyright notice: this article is an original work by Horizon_carry and is licensed under CC 4.0 BY-SA; when reposting, please include a link to the original source and this notice.