Binary deployment of a K8s cluster, part 27: pitfalls when deploying Harbor with Helm

1. Create the PVC

NFS must be deployed first:
https://blog.51cto.com/yht1990/2630775 "Dynamic StorageClass provisioning backed by NFS storage"

kubectl create ns harbor
cat > harbor-pvc.yaml <<'eof'
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: harbor-pvc
  namespace: harbor
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: storage-nfs
  resources:
    requests:
      storage: 20Gi
eof
kubectl apply -f harbor-pvc.yaml

2. Pull the Harbor chart to the local machine

[root@k8s-master harbor]# helm repo add harbor https://helm.goharbor.io
[root@k8s-master harbor]# helm repo update
[root@k8s-master harbor]# helm search repo harbor
NAME            CHART VERSION   APP VERSION     DESCRIPTION
harbor/harbor   1.5.1           2.1.1           An open source trusted cloud native registry th...
[root@k8s-master harbor]# helm repo ls
NAME    URL
stable  http://mirror.azure.cn/kubernetes/charts/
harbor  https://helm.goharbor.io
[root@k8s-master harbor]# helm pull harbor/harbor --version 1.5.1

3. Chart parameter settings

For production, the size values must be increased.

[root@k8s-master harbor]# tar xf harbor-1.5.1.tgz
[root@k8s-master harbor]# cd harbor
[root@k8s-master harbor]# cp values.yaml values.yaml.bak
[root@k8s-master harbor]# vim values.yaml
...
      core: harbor.od.com
...
externalURL: https://harbor.od.com  # set the access domain
...
  persistentVolumeClaim:
    registry:
      # Use the existing PVC which must be created manually before bound,
      # and specify the "subPath" if the PVC is shared with other components
      existingClaim: "harbor-pvc"
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used(the default).
      # Set it to "-" to disable dynamic provisioning
      storageClass: ""
      subPath: "registry"
      accessMode: ReadWriteOnce
      size: 5Gi
    chartmuseum:
      existingClaim: "harbor-pvc"
      storageClass: ""
      subPath: "chartmuseum"
      accessMode: ReadWriteOnce
      size: 5Gi
    jobservice:
      existingClaim: "harbor-pvc"
      storageClass: ""
      subPath: "jobservice"
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external database is used, the following settings for database will
    # be ignored
    database:
      existingClaim: "harbor-pvc"
      storageClass: ""
      subPath: "database"
      accessMode: ReadWriteOnce
      size: 1Gi
    # If external Redis is used, the following settings for Redis will
    # be ignored
    redis:
      existingClaim: "harbor-pvc"
      storageClass: ""
      subPath: "redis"
      accessMode: ReadWriteOnce
      size: 1Gi
    trivy:
      existingClaim: "harbor-pvc"
      storageClass: ""
      subPath: "trivy"
      accessMode: ReadWriteOnce
      size: 5Gi
...
clair:
  enabled: false
...
trivy:
  # enabled the flag to enable Trivy scanner
  enabled: false
...
notary:
  enabled: false
...

4. Pitfall one

Permissions on the Redis persistent data directory prevent login.
The Redis data directory, /var/lib/redis, must be owned by the redis user and group.

/root/harbor/templates/redis/statefulset.yaml
      initContainers:
      # Runs as root before the redis container starts and fixes ownership of the mounted subPath
      - name: "change-permission-of-directory"
        securityContext:
          runAsUser: 0
        image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
        imagePullPolicy: {{ .Values.imagePullPolicy }}
        command: ["/bin/sh"]
        args: ["-c", "chown -R 999:999 /var/lib/redis"]
        volumeMounts:
        - name: data
          mountPath: /var/lib/redis
          subPath: {{ $redis.subPath }}

5. Pitfall two

Permissions on the registry component's image storage directory cause image pushes to fail.
The registry's image storage directory must be owned by the registry user and group; otherwise image pushes fail.

/root/harbor/templates/registry/registry-dpl.yaml
      initContainers:
      # Runs as root before the registry container starts and fixes ownership of the image storage directory
      - name: "change-permission-of-directory"
        securityContext:
          runAsUser: 0
        image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
        imagePullPolicy: {{ .Values.imagePullPolicy }}
        command: ["/bin/sh"]
        args: ["-c", "chown -R 10000:10000 {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}"]
        volumeMounts:
        - name: registry-data
          mountPath: {{ .Values.persistence.imageChartStorage.filesystem.rootdirectory }}
          subPath: {{ .Values.persistence.persistentVolumeClaim.registry.subPath }}

6. Pitfall three

Permissions on the chartmuseum storage directory cause chart pushes to fail.

/root/harbor/templates/chartmuseum/chartmuseum-dpl.yaml
      initContainers:
      # Runs as root before the chartmuseum container starts and fixes ownership of /chart_storage
      - name: "change-permission-of-directory"
        securityContext:
          runAsUser: 0
        image: {{ .Values.database.internal.image.repository }}:{{ .Values.database.internal.image.tag }}
        imagePullPolicy: {{ .Values.imagePullPolicy }}
        command: ["/bin/sh"]
        args: ["-c", "chown -R 10000:10000 /chart_storage"]
        volumeMounts:
        - name: chartmuseum-data
          mountPath: /chart_storage
          subPath: {{ .Values.persistence.persistentVolumeClaim.chartmuseum.subPath }}
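
All three pitfalls come down to the owner of a subPath directory on the shared PVC. The script below is an added example, not part of the original post: it checks each subPath tree against the uid:gid used in the chown commands above. The function name `check_harbor_owners` and the directory argument (wherever the NFS directory backing harbor-pvc is reachable) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post).
# Owners below are the uid:gid values used by the chown init containers.
EXPECTED_OWNERS="redis=999:999 registry=10000:10000 chartmuseum=10000:10000"

# check_harbor_owners ROOT [EXPECTED]
#   ROOT     directory backing harbor-pvc (assumption: the NFS export is
#            readable from where the script runs)
#   EXPECTED optional "subPath=uid:gid ..." list, defaults to EXPECTED_OWNERS
# Prints one line per subPath and returns the number of subPaths with problems.
check_harbor_owners() {
    local root expected bad entry sub uid gid wrong
    root=$1
    expected=${2:-$EXPECTED_OWNERS}
    bad=0
    for entry in $expected; do
        sub=${entry%%=*}
        uid=${entry#*=}
        gid=${uid#*:}
        uid=${uid%%:*}
        if [ ! -d "$root/$sub" ]; then
            echo "MISSING  $sub (expected $uid:$gid)"
            bad=$((bad + 1))
            continue
        fi
        # chown -R covers the whole tree, so count every entry that is off.
        wrong=$(find "$root/$sub" \( ! -user "$uid" -o ! -group "$gid" \) | wc -l)
        if [ "$wrong" -eq 0 ]; then
            echo "OK       $sub $uid:$gid"
        else
            echo "MISMATCH $sub: $wrong entries not owned by $uid:$gid"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage (the path is a placeholder):
#   check_harbor_owners /path/to/nfs/directory/of/harbor-pvc
```

A non-zero return value is the number of subPaths that are missing or contain entries with a different owner.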

7. Install Harbor

cd
helm install harbor ./harbor -n harbor
helm -n harbor ls
kubectl -n harbor get po

8. Configure access and pushing

8.1 Domain name configuration

Configure this on the DNS server or in the hosts file:

ip harbor.od.com

8.2 Configure the Docker daemon

cat /etc/docker/daemon.json
  "insecure-registries": [
    "harbor.od.com"
  ],
systemctl restart docker

8.3 Push a chart

Log in with the account and password admin/Harbor12345

docker login harbor.od.com
helm plugin install https://github.com/chartmuseum/helm-push
helm plugin ls
kubectl get secret harbor-harbor-ingress -n harbor -o jsonpath="{.data.ca.crt}" | base64 -d >harbor.ca.crt
cp harbor.ca.crt /etc/pki/ca-trust/source/anchors
update-ca-trust enable; update-ca-trust extract
helm repo add myharbor https://harbor.od.com/chartrepo/library --ca-file=harbor.ca.crt
helm repo ls
helm push harbor myharbor --ca-file=harbor.ca.crt -u admin -p Harbor12345