December 31, 2019
Install Cert Manager

2.1. Installation

https://cert-manager.io/docs/installation/kubernetes/

2.2. Create a ClusterIssuer

A single issuer shared by all namespaces in the cluster.

    apiVersion: cert-manager.io/v1alpha2
    kind: ClusterIssuer
    metadata:
      name: cluster-letsencrypt-prod
    spec:
      acme:
        email: hnbcao@qq.com
        privateKeySecretRef:
          name: cluster-letsencrypt-prod
        server: https://acme-v02.api.letsencrypt.org/directory
        solvers:
        - http01:
            ingress:
              class: traefik

2.3. Apply the ClusterIssuer to an Ingress

    kind: Ingress
    apiVersion: extensions/v1beta1
    metadata:
      name: harbor-ingress
      namespace: ns-harbor
      labels:
        app: harbor
        chart: harbor
        heritage: Helm
        release: harbor
      annotations:
        cert-manager.io/cluster-issuer: cluster-letsencrypt-prod
    spec:
      tls:
      - hosts:
        - harbor.domian.io
        secretName: harbor-letsencrypt-tls
      rules:
      - host: harbor.
...
December 31, 2019
Deploy Traefik Ingress

3.1. Create the certificate

Use OpenSSL to create a TLS certificate (skip this step if you already have a certificate).

Set the certificate information:

    cd ~ && mkdir tls
    echo """
    [req]
    distinguished_name = req_distinguished_name
    prompt = yes
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_value = CN
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_value = Chongqing
    localityName = Locality Name (eg, city)
    localityName_value = Yubei
    organizationName = Organization Name (eg, company)
    organizationName_value = HNBCAO
    organizationalUnitName = Organizational Unit Name (eg, section)
    organizationalUnitName_value = R & D Department
    commonName = Common Name (eg, your name or your server\'s hostname)
    commonName_value = *.
...
December 31, 2019
Create a Cluster User

4.1. Create the user

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: kube-system
    ---
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
      name: admin-user
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: admin-user
      namespace: kube-system

4.2. Get the token

Get the administrator user's token by running the following command, which prints the system token information:

    kubectl describe secret admin-user --namespace=kube-system

4.3. Export the configuration

    DASH_TOCKEN=$(kubectl get secret -n kube-system admin-user-token-4j272 -o jsonpath='{.data.token}' | base64 -d)
    kubectl config set-cluster kubernetes --server=https://172.16.0.9:8443 --kubeconfig=/root/kube-admin.
...
December 31, 2019
Create an ImagePullSecret

5.1. Log in to the registry

Log in to the image registry. On success, the following /root/.docker/config.json file is generated:

    {
      "auths": {
        "harbor.hnbcao.tech": {
          "auth": "YWRtaW4******lRlY2g="
        }
      },
      "HttpHeaders": {
        "User-Agent": "Docker-Client/***"
      }
    }

5.2. Create the ImagePullSecret

Run the following command to create the ImagePullSecret:

    kubectl create secret generic harbor-admin-secret --from-file=.dockerconfigjson=/root/.docker/config.json --type=kubernetes.io/dockerconfigjson --namespace hnbcao-mixing-ore

Notes:

harbor-admin-secret: the name of the ImagePullSecret
type: sets the secret type to kubernetes.io/dockerconfigjson
namespace: the namespace of the secret

5.3. Add the ImagePullSecret

For a Deployment, add the secret harbor-admin-secret under spec.template.spec.imagePullSecrets in its configuration. For example, a Deployment is configured as follows:

    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: app-test
    spec:
      replicas: 1
      selector:
        matchLabels:
          app.kubernetes.io/instance: app-test
          app.kubernetes.io/name: hnbcao
      template:
        metadata:
          labels:
            app.
...