Harbor public certificate configuration
1. Register a public (CA-issued) certificate in Harbor
1. Edit the hosts file
vi /etc/hosts
[IP] <certificate domain>
2. Locate Harbor's docker-compose.yml
$ sudo find / -name 'docker-compose.yml'
cocktail@priv-registry:~$ sudo find / -name 'docker-compose.yml'
/var/lib/cubectl/harbor/docker-compose.yml
cocktail@priv-registry:~$
3. Update the domain used for the Harbor certificate
$ cd /var/lib/cubectl/harbor/common/config/core
$ vi env
# AS-IS
EXT_ENDPOINT=https://10.1.1.50
# TO-BE (the address clients will connect to, for example:)
EXT_ENDPOINT=https://harbor.cocktailcloud.io
4. Locate the Harbor certificate
# Search in the directory containing the docker-compose.yml found above
grep -A 20 'nginx-photon' docker-compose.yml
# The cert directory can be seen under volumes below
volumes:
  - ./common/config/nginx:/etc/nginx:z
  - /data/harbor/secret/cert:/etc/cert:z
  - type: bind
    source: ./common/config/shared/trust-certificates
    target: /harbor_cust_cert
5. Replace the certificate with the public certificate
$ cd /app/data/harbor/secret/cert
$ ls -lrt
-rw------- 1 10000 10000 5055 Apr 11 11:10 server.crt
-rw------- 1 10000 10000 1679 Apr 11 11:11 server.key
# Back up the existing certificate files
$ sudo cp server.crt old_server.crt
$ sudo cp server.key old_server.key
# Replace these files with the issued certificate
# (The certificate actually in use must be owned by 10000:10000)
# (PEM-format file for nginx) e.g. Wildcard.k-paas.io_pem.pem
$ sudo tee /app/data/harbor/secret/cert/server.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIGSDCCBTCgAwIBAgIMD/LYBjs
... (omitted)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIET
... (omitted)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (omitted)
-----END CERTIFICATE-----
EOF
$ sudo tee /app/data/harbor/secret/cert/server.key <<EOF
-----BEGIN RSA PRIVATE KEY-----
MIIEpAI... (omitted)
-----END RSA PRIVATE KEY-----
EOF
6. Verify that the certificate has been applied to nginx correctly
$ docker exec -it nginx nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
$ sudo docker exec -it redis redis-cli FLUSHALL
OK
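Before restarting Harbor, it is worth checking that the files copied in step 5 actually belong together and cover the domain set in EXT_ENDPOINT in step 3. The following checker is added here and is not part of the original guide; it assumes openssl and GNU stat are available, and its default paths and the example domain harbor.cocktailcloud.io are the ones used above. It also accepts a wildcard certificate (e.g. *.cocktailcloud.io) for the parent domain.

```shell
#!/bin/sh
# Added verification helper (not part of the original guide). It checks that the
# files placed in Harbor's cert directory in step 5 belong together, that the leaf
# certificate covers the domain set in EXT_ENDPOINT in step 3, and that the files
# carry the 10000:10000 ownership the guide requires.
# Assumptions: openssl and GNU stat are available; the default paths and the
# example domain harbor.cocktailcloud.io are the ones used in the guide.

check_harbor_cert() {
  cert="${1:-/app/data/harbor/secret/cert/server.crt}"
  key="${2:-/app/data/harbor/secret/cert/server.key}"
  domain="${3:-harbor.cocktailcloud.io}"
  rc=0
  # 1. The leaf (first PEM block in the bundle) must carry the same public key as server.key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: server.key does not match the first certificate in server.crt"; rc=1
  fi
  # 2. subjectAltName must list the domain itself or a wildcard for its parent domain.
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n' || true)
  if ! printf '%s\n' "$sans" | grep -qFx -e "DNS:$domain" -e "DNS:*.${domain#*.}"; then
    echo "FAIL: $domain is not covered by the certificate's subjectAltName"; rc=1
  fi
  # 3. The certificate must be valid right now (-checkend 0 fails once it has expired).
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate has expired"; rc=1
  fi
  return "$rc"
}

# Harbor's nginx container runs as uid/gid 10000, so it cannot read files owned by anyone else.
check_harbor_cert_owner() {
  rc=0
  for f in "$@"; do
    owner=$(stat -c '%u:%g' "$f" 2>/dev/null || echo missing)
    if [ "$owner" != "10000:10000" ]; then
      echo "FAIL: $f is owned by $owner, expected 10000:10000"; rc=1
    fi
  done
  return "$rc"
}

# Run directly as: sudo sh check_harbor_cert.sh CERT KEY DOMAIN (reading server.key needs root)
if [ "$#" -eq 3 ]; then
  check_harbor_cert "$@" && check_harbor_cert_owner "$1" "$2"
fi
```

A non-zero exit from either function means the files should be corrected before the restart in step 7; otherwise nginx comes up with a certificate that browsers and containerd will reject.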
7. Restart Harbor
# Use the docker-compose.yml path found above
# Stop Harbor
sudo docker compose -f /var/lib/cubectl/harbor/docker-compose.yml down -v
# Start Harbor
sudo docker compose -f /var/lib/cubectl/harbor/docker-compose.yml up -d
or (cube 5.2.5)
sudo systemctl restart cube-harbor
8. Verify access
9. On every node, create a directory named after the domain under /etc/containerd/certs.d
$ cd /etc/containerd/certs.d
$ cp -r 172.25.1.172 paas-regi.cocktailcloud.io
10. In the hosts.toml file of every directory under /etc/containerd/certs.d/, replace the IP address with the domain
$ cd /etc/containerd/certs.d/docker.io
$ vi hosts.toml
## Before
server = "https://docker.io"

[host."https://172.25.1.172/v2/docker.io/"]
  capabilities = ["pull", "resolve"]
  ca = "/etc/docker/certs.d/172.25.1.172/ca.crt"
  override_path = true
----------------------------------------------------------
## After
server = "https://docker.io"

[host."https://paas-regi.cocktailcloud.io/v2/docker.io/"]
  capabilities = ["pull", "resolve"]
  ca = "/etc/docker/certs.d/paas-regi.cocktailcloud.io/ca.crt"
  override_path = true
11. Copy the IP-named directory under /etc/docker/certs.d to a directory named after the domain
$ cd /etc/docker/certs.d
$ cp -r 172.25.1.172 paas-regi.cocktailcloud.io