核心配置原则
关键是把 Harbor 内部通讯都设置为 http，expose.type 设置为 clusterIP，外部用 HTTPRoute 实现 https，externalURL 设置为其中一个 HTTPRoute 的域名
本次测试使用了 CloudNativePG 和 Redis，Redis 为主从模式，所以不用安装 Harbor 自带的 Redis 和 PostgreSQL
1. Helm 仓库准备 & 安装
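# Add the Harbor chart repository and refresh the local index
helm repo add harbor https://helm.goharbor.io
helm repo update
# Download and unpack the chart locally (useful to read its values.yaml).
# `helm pull` is the Helm 3 name; `fetch` is only kept as a deprecated alias.
# NOTE(review): pin a chart version with --version so re-runs are reproducible
# and a repository index update cannot silently change what gets deployed.
helm pull harbor/harbor --untar
# Install or upgrade directly from the remote repository, using the values file
# that sets expose.type=clusterIP, internal http and externalURL (file not shown here)
helm upgrade --install harbor harbor/harbor -n harbor --create-namespace -f harbor-values.yaml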
2. 创建 Harbor 专用 PostgreSQL 数据库
# Open a psql session on the PostgreSQL primary pod.
# The primary is selected by the role=primary label; NOTE(review): newer
# CloudNativePG releases prefer cnpg.io/instanceRole=primary — confirm against
# the installed operator version.
primary_pod="$(kubectl get pods -n postgresql -l role=primary -o name | sed 's#^pod/##')"
kubectl exec -it -n postgresql "$primary_pod" -- psql -U postgres
-- psql session on the primary: provision the database and role Harbor uses.
-- Drop any existing registry database. WITH (FORCE) terminates active
-- connections first — destructive; make sure nothing else uses this database.
DROP DATABASE IF EXISTS registry WITH (FORCE);
-- Create the registry database
CREATE DATABASE registry;
-- List databases to confirm
\l
-- Create the harbor role.
-- NOTE(review): the password is stored in clear text in this runbook; rotate it
-- and keep the real value in a secret / env var that harbor-values.yaml references.
CREATE USER harbor WITH PASSWORD 'Rg3lub2dtE';
-- Make harbor the owner of the registry database
ALTER DATABASE registry OWNER TO harbor;
-- Grant all database-level privileges to harbor
-- (presumably largely redundant with ownership — verify if trimming privileges)
GRANT ALL PRIVILEGES ON DATABASE registry TO harbor;
-- PG 15+ no longer grants CREATE on the public schema to every role,
-- so switch into the database and grant it to harbor explicitly
\c registry
GRANT ALL ON SCHEMA public TO harbor;
3. 双域名 HTTPRoute 配置
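# First hostname: harbor.infraserviceonline.com
# Routes traffic from the shared gateway to the Harbor ClusterIP service on
# plain HTTP port 80; TLS is terminated on the gateway listener, matching the
# chart's expose.type=clusterIP / internal-http setup.
# The heredoc delimiter is quoted so nothing in the manifest is shell-expanded.
# NOTE(review): the route references a Gateway in another namespace, so that
# listener's allowedRoutes must admit routes from the harbor namespace — confirm.
kubectl apply -f - <<'EOF'
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: harbor
  namespace: harbor
spec:
  parentRefs:
    - name: gateway
      namespace: istio-ingress
  hostnames: ["harbor.infraserviceonline.com"]
  rules:
    - backendRefs:
        - name: harbor
          port: 80
EOF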
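# Second hostname: harbor-2.infraserviceonline.com
# Same backend as the first route; external-dns annotations publish the
# hostname pointing at the fixed gateway address given below. The first route
# carries no such annotations, so its DNS record is presumably managed
# elsewhere — confirm.
# The heredoc delimiter is quoted so nothing in the manifest is shell-expanded.
kubectl apply -f - <<'EOF'
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: harbor-route
  namespace: harbor
  annotations:
    external-dns.alpha.kubernetes.io/hostname: "harbor-2.infraserviceonline.com"
    external-dns.alpha.kubernetes.io/target: "192.168.0.254"
spec:
  parentRefs:
    - name: gateway
      namespace: istio-ingress
  hostnames: ["harbor-2.infraserviceonline.com"]
  rules:
    - backendRefs:
        - name: harbor
          port: 80
EOF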
4. 测试验证
浏览器登录测试
用两个不同的浏览器分别登录：
- harbor.infraserviceonline.com
- harbor-2.infraserviceonline.com
Podman 登录测试
# Podman login against the second hostname. podman verifies TLS by default, so
# the client must trust the certificate chain served by the gateway.
podman login harbor-2.infraserviceonline.com