Rancher + Harbor + private CA

  • Harbor Info:
  • Login Harbor:

    localadmin@iiidevops1:~$ sudo docker login https://10.20.0.71:5443/
    [sudo] password for localadmin:
    Username: tryweb
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded

  • Example image built: devops-db:v1

    sudo docker build ~/deploy-devops-develop/devops-db --tag devops-db:v1

  • List the local images

    localadmin@iiidevops1:~$ sudo docker images
    REPOSITORY                      TAG             IMAGE ID       CREATED        SIZE
    devops-db                       v1              25269cfee615   4 hours ago    314MB
    postgres                        12              386fd8c60839   3 weeks ago    314MB
    iiiorg/devops-db                latest          ec09d7015ce5   2 months ago   314MB

  • Use tag to set the image's Harbor address; project: tryweb

    sudo docker tag devops-db:v1 10.20.0.71:5443/tryweb/devops-db:v1
    
    localadmin@iiidevops1:~$ sudo docker images
    REPOSITORY                      TAG             IMAGE ID       CREATED        SIZE
    devops-db                       v1              25269cfee615   4 hours ago    314MB
    postgres                        12              386fd8c60839   3 weeks ago    314MB
    iiiorg/devops-db                latest          ec09d7015ce5   2 months ago   314MB
    10.20.0.71:5443/devops-db       v1              25269cfee615   5 hours ago    314MB

  • Push to Harbor

    localadmin@iiidevops1:~$ sudo docker push --disable-content-trust 10.20.0.71:5443/tryweb/devops-db:v1
    The push refers to repository [10.20.0.71:5443/tryweb/devops-db]
    dad28bba27f8: Pushed
    21086d1e867a: Pushed
    5f7e00914c15: Pushed
    af0b57c72d50: Pushed
    e0cf62a99bcd: Pushed
    b1096cae6203: Pushed
    e076f7b31275: Pushed
    9cd7c4e12078: Pushed
    73cf3adf6112: Pushed
    065d45f80eac: Pushed
    3aac10e9b066: Pushed
    117725f5c702: Pushed
    a01778662164: Pushed
    883d24bc9ae1: Pushed
    f5600c6330da: Pushed
    v1: digest: sha256:7aec874faa639f6b73b7438f0f7bc6aa3e7fece8ea575bcd6421fc44e00161ea size: 3453

  • Example: deploy-devops-develop/devops-db/devopsdb-deployment.yaml

    apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
    kind: Deployment
    metadata:
      name: devopsdb
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: devopsdb
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            app: devopsdb
        spec:
          containers:
          - name: devopsdb
            image: 10.20.0.71:5443/tryweb/devops-db:v1
            env:
            - name: POSTGRES_PASSWORD
              value: xxxxxxxx
            - name: POSTGRES_DB
              value: devopsdb
            ports:
            - containerPort: 5432
            volumeMounts:
            - name: db-data
              mountPath: /var/lib/postgresql/data
          volumes:
          - name: db-data
            nfs:
              server: 10.20.0.71
              path: /iiidevopsNFS/devopsdb

  • The full error message is roughly as follows:

    ErrImagePull: rpc error: code = Unknown desc = Error response from daemon: Get ... v2/: x509: certificate signed by unknown authority

  • Solution 1: Copy the self-signed certificate used by Rancher (e.g. 10.20.0.71.crt) to every k8s host in the Rancher cluster, configure the hosts to trust it, then restart the docker service
    • [email protected]

      sudo cp 10.20.0.71.crt /usr/local/share/ca-certificates/
      sudo update-ca-certificates
      sudo systemctl restart docker.service
      ls /etc/ssl/certs | awk /10.20.0.71/

  • Solution 2: Configure Docker on every k8s host to trust Harbor's IP:Port 10.20.0.71:5443 or domain name, then restart the docker service
    • [email protected]

      sudo vi /etc/docker/daemon.json
      {
          "insecure-registries":["10.20.0.71:5443", "harbor.iiidevops.org"]
      }

  • tech/harbor_rancher_ca.txt
  • Last modified: 2021/04/20 09:12
  • jonathan