Harbor 공인 인증서 구성

1. Harbor 공인 인증서 등록

1. hosts 파일 변경

vi /etc/hosts

[IP] 인증서 domain
[IP] 인증서 domain

2. harbor docker-compose.yml 위치 확인

$ sudo find / -name 'docker-compose.yml'
cocktail@priv-registry:~$ sudo find / -name 'docker-compose.yml'/var/lib/cubectl/harbor/docker-compose.yml
cocktail@priv-registry:~$

3. harbor 인증서의 domain 수정

$ cd /var/lib/cubectl/harbor/common/config/core
$ vi env

# AS-IS
EXT_ENDPOINT=https://10.1.1.50
# TO-BE (접속될 접속주소, 예시:)
EXT_ENDPOINT=https://harbor.cocktailcloud.io

4. harbor 인증서 위치 확인

# 위에서 확인한 docker-compose.yml이 위치한 디렉토리에서 검색
grep -A 20 'nginx-photon' docker-compose.yml
# 아래 volumes에서 cert 디렉토리 확인 가능
volumes:
    - ./common/config/nginx:/etc/nginx:z
    - /data/harbor/secret/cert:/etc/cert:z
    - type: bind
    source: ./common/config/shared/trust-certificates
    target: /harbor_cust_cert

5. 공인 인증서로 인증서 교체

$ cd /app/data/harbor/secret/cert
$ ls -lrt
-rw------- 1 10000 10000 5055 Apr 11 11:10 server.crt
-rw------- 1 10000 10000 1679 Apr 11 11:11 server.key

# 해당 인증서들 백업
$ sudo cp server.crt old_server.crt
$ sudo cp server.key old_server.key

# 할당받은 인증서로 해당 파일 교체
#(실제 사용될 인증서의 권한은 10000:10000으로 설정이 되어있어야 함)
#(nginx용 PEM형식 파일) -ex) Wildcard.k-paas.io_pem.pem
$ sudo tee /app/data/harbor/secret/cert/server.crt <<EOF
-----BEGIN CERTIFICATE-----
MIIGSDCCBTCgAwIBAgIMD/LYBjs
... (생략)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIET
... (생략)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
EOF

sudo tee /app/data/harbor/secret/cert/server.key  <<EOF 
-----BEGIN RSA PRIVATE KEY-----
MIIEpAI....(생략)
-----END RSA PRIVATE KEY-----
EOF

6. 정상적으로 인증서가 nginx에 설정되었는지 확인

$ docker exec -it nginx nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

$ sudo docker exec -it redis redis-cli FLUSHALL
OK

7. harbor 재시작

# docker-compose.yml 파일은 위에서 확인된 경로로 작성

# harbor 중지
sudo docker compose -f /var/lib/cubectl/harbor/docker-compose.yml down -v

# harbor 기동
sudo docker compose -f /var/lib/cubectl/harbor/docker-compose.yml up -d
또는 (cube 5.2.5)
sudo systemctl restart cube-harbor

8. 접속 확인

9. 모든 노드의 /etc/containerd/certs.d 디렉토리에 domain으로 디렉토리 생성

$ cd /etc/containerd/certs.d
$ cp -r 172.25.1.172 pass-regi.cocktailcloud.io

10. /etc/containerd/certs.d/ 에 있는 모든 디렉토리의 hosts.toml 파일에 IP로 되어있는 부분을 domain으로 변경

$ cd /etc/containerd/certs.d/docker.io
$ vi hosts.toml

## 변경 전
server = "https://docker.io"

[host."https://172.25.1.172/v2/docker.io/"]
  capabilities = ["pull", "resolve"]
  ca = "/etc/docker/certs.d/172.25.1.172/ca.crt"
  override_path = true
----------------------------------------------------------

## 변경 후
server = "https://docker.io"

[host."https://paas-regi.cocktailcloud.io/v2/docker.io/"]
  capabilities = ["pull", "resolve"]
  ca = "/etc/docker/certs.d/paas-regi.cocktailcloud.io/ca.crt"
  override_path = true

11. /etc/docker/certs.d 디렉토리의 IP 로 되어있는 디렉토리를 도메인으로 복사

$ cd /etc/docker/certs.d
$ cp -r 172.25.1.172 pass-regi.cocktailcloud.io

PreviousRegistry VM이 아닌 다른 서버에서 Harbor 접근 방법 NextPod 기동 불가

Last updated 1 year ago

$ cd /app/data/harbor/secret/cert $ ls -lrt -rw------- 1 10000 10000 5055 Apr 11 11:10 server.crt -rw------- 1 10000 10000 1679 Apr 11 11:11 server.key # 해당 인증서들 백업 $ sudo cp server.crt old_server.crt $ sudo cp server.key old_server.key # 할당받은 인증서로 해당 파일 교체 #(실제 사용될 인증서의 권한은 10000:10000으로 설정이 되어있어야 함) #(nginx용 PEM형식 파일) -ex) Wildcard.k-paas.io_pem.pem $ sudo tee /app/data/harbor/secret/cert/server.crt <<EOF -----BEGIN CERTIFICATE----- MIIGSDCCBTCgAwIBAgIMD/LYBjs ... (생략) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIET ... (생략) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp 1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE 38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== -----END CERTIFICATE----- EOF sudo tee /app/data/harbor/secret/cert/server.key <<EOF -----BEGIN RSA PRIVATE KEY----- MIIEpAI....(생략) -----END RSA PRIVATE KEY----- EOF