[TOC]
Harbor 支持多种安装方式,源码目录下面默认有一个安装脚本(make/install.sh),采用 docker-compose 的形式运行 Harbor 各个组件,以前写的一个使用docker-compose部署的, 这次使用helm部署. 并实现https访问.
安装harbor
首先下载 Harbor Chart 包到要安装的集群上:
$ git clone https://github.com/goharbor/harbor-helm
$ cd harbor-helm
$ git checkout 1.4.2
配置文件解析
安装 Helm Chart 包最重要的当然是values.yaml文件了,我们可以通过覆盖该文件中的属性来改变配置:
expose:
# 设置暴露服务的方式。将类型设置为 ingress、clusterIP或nodePort并补充对应部分的信息。
type: ingress
tls:
# 是否开启 tls,注意:如果类型是 ingress 并且tls被禁用,则在pull/push镜像时,则必须包含端口。详细查看文档:https://github.com/goharbor/harbor/issues/5291。
enabled: true
# 如果你想使用自己的 TLS 证书和私钥,请填写这个 secret 的名称,这个 secret 必须包含名为 tls.crt 和 tls.key 的证书和私钥文件,如果没有设置则会自动生成证书和私钥文件。
secretName: "fenghong"
# 默认 Notary 服务会使用上面相同的证书和私钥文件,如果你想用一个独立的则填充下面的字段,注意只有类型是 ingress 的时候才需要。
notarySecretName: ""
# common name 是用于生成证书的,当类型是 clusterIP 或者 nodePort 并且 secretName 为空的时候才需要
commonName: ""
ingress:
hosts:
core: harbor.fenghong.cn
notary: notary.fenghong.tech
# set to the type of ingress controller if it has specific requirements.
# leave as `default` for most ingress controllers.
# set to `gce` if using the GCE ingress controller
# set to `ncp` if using the NCP (NSX-T Container Plugin) ingress controller
controller: default
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
# Harbor 核心服务外部访问 URL。主要用于:
# 1) 补全 portal 页面上面显示的 docker/helm 命令
# 2) 补全返回给 docker/notary 客户端的 token 服务 URL
# 格式:protocol://domain[:port]。
# 1) 如果 expose.type=ingress,"domain"的值就是 expose.ingress.hosts.core 的值
# 2) 如果 expose.type=clusterIP,"domain"的值就是 expose.clusterIP.name 的值
# 3) 如果 expose.type=nodePort,"domain"的值就是 k8s 节点的 IP 地址
# 如果在代理后面部署 Harbor,请将其设置为代理的 URL
externalURL: https://harbor.fenghong.cn
# harbor各组件之间的TLS. 基本可以不用的.
internalTLS:
enabled: false
certSource: "auto"
# The content of trust ca, only available when `certSource` is "manual"
trustCa: ""
# core related cert configuration
core:
# secret name for core's tls certs
secretName: ""
# Content of core's TLS cert file, only available when `certSource` is "manual"
crt: ""
# Content of core's TLS key file, only available when `certSource` is "manual"
key: ""
# jobservice related cert configuration
jobservice:
# secret name for jobservice's tls certs
secretName: ""
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of jobservice's TLS key file, only available when `certSource` is "manual"
key: ""
# registry related cert configuration
registry:
# secret name for registry's tls certs
secretName: ""
# Content of registry's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of registry's TLS key file, only available when `certSource` is "manual"
key: ""
# portal related cert configuration
portal:
# secret name for portal's tls certs
secretName: ""
# Content of portal's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of portal's TLS key file, only available when `certSource` is "manual"
key: ""
# chartmuseum related cert configuration
chartmuseum:
# secret name for chartmuseum's tls certs
secretName: ""
# Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of chartmuseum's TLS key file, only available when `certSource` is "manual"
key: ""
# clair related cert configuration
clair:
# secret name for clair's tls certs
secretName: ""
# Content of clair's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of clair's TLS key file, only available when `certSource` is "manual"
key: ""
# trivy related cert configuration
trivy:
# secret name for trivy's tls certs
secretName: ""
# Content of trivy's TLS key file, only available when `certSource` is "manual"
crt: ""
# Content of trivy's TLS key file, only available when `certSource` is "manual"
key: ""
# 默认情况下开启数据持久化,在k8s集群中需要动态的挂载卷默认需要一个StorageClass对象。
# 如果你有已经存在可以使用的持久卷,需要在"storageClass"中指定你的 storageClass 或者设置 "existingClaim"。
#
# 对于存储 docker 镜像和 Helm charts 包,你也可以用 "azure"、"gcs"、"s3"、"swift" 或者 "oss",直接在 "imageChartStorage" 区域设置即可
persistence:
enabled: true
# Setting it to "keep" to avoid removing PVCs during a helm delete
# operation. Leaving it empty will delete PVCs after the chart deleted
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
# 使用一个存在的 PVC(必须在绑定前先手动创建)
existingClaim: ""
# 指定"storageClass",或者使用默认的 StorageClass 对象,设置成"-"禁用动态分配挂载卷
storageClass: "nfs"
subPath: ""
accessMode: ReadWriteOnce
size: 2Gi
chartmuseum:
existingClaim: ""
storageClass: "nfs"
subPath: ""
accessMode: ReadWriteOnce
size: 2Gi
jobservice:
existingClaim: ""
storageClass: "nfs"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
# 如果使用外部的数据库服务,下面的设置将会被忽略
database:
existingClaim: ""
storageClass: ""
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
# 如果使用外部的 Redis 服务,下面的设置将会被忽略
redis:
existingClaim: ""
storageClass: "nfs"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
trivy:
existingClaim: ""
storageClass: "nfs"
subPath: ""
accessMode: ReadWriteOnce
size: 2Gi
# 定义使用什么存储后端来存储镜像和 charts 包,详细文档地址:https://github.com/docker/distribution/blob/master/docs/configuration.md#storage
imageChartStorage:
# 指定存储类型:"filesystem", "azure", "gcs", "s3", "swift", "oss",在相应的区域填上对应的信息。
# 如果你想使用 pv 则必须设置成"filesystem"类型
type: filesystem
filesystem:
rootdirectory: /storage
#maxthreads: 100
imagePullPolicy: IfNotPresent
# Use this set to assign a list of default pullSecrets
imagePullSecrets:
# - name: docker-registry-secret
# - name: internal-registry-secret
updateStrategy:
type: RollingUpdate
# debug, info, warning, error or fatal
logLevel: info
# Harbor admin 初始密码,Harbor 启动后通过 Portal 修改该密码
harborAdminPassword: "Harbor12345"
# 用于加密的一个 secret key,必须是一个16位的字符串
secretKey: "not-a-secure-key"
# The proxy settings for updating clair vulnerabilities from the Internet and replicating
# artifacts from/to the registries that cannot be reached directly
proxy:
httpProxy:
httpsProxy:
noProxy: 127.0.0.1,localhost,.local,.internal
components:
- core
- jobservice
- clair
- trivy
# The custom ca bundle secret, the secret must contain key named "ca.crt"
# which will be injected into the trust store for chartmuseum, clair, core, jobservice, registry, trivy components
# caBundleSecretName: ""
## UAA Authentication Options
# If you're using UAA for authentication behind a self-signed
# certificate you will need to provide the CA Cert.
# Set uaaSecretName below to provide a pre-created secret that
# contains a base64 encoded CA Certificate named `ca.crt`.
# uaaSecretName:
# 如果你通过"ingress"保留服务,则下面的Nginx不会被使用
nginx:
image:
repository: goharbor/nginx-photon
tag: v2.0.2
# set the service account to be used, default if left empty
serviceAccountName: ""
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
portal:
image:
repository: goharbor/harbor-portal
tag: v2.0.2
# set the service account to be used, default if left empty
serviceAccountName: ""
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
core:
image:
repository: goharbor/harbor-core
tag: v2.0.2
# set the service account to be used, default if left empty
serviceAccountName: ""
replicas: 1
## Liveness probe values
livenessProbe:
initialDelaySeconds: 300
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Secret is used when core server communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate and private key for token encryption/decryption.
# The secret must contain keys named:
# "tls.crt" - the certificate
# "tls.key" - the private key
# The default key pair will be used if it isn't set
secretName: ""
# The XSRF key. Will be generated automatically if it isn't specified
xsrfKey: ""
jobservice:
image:
repository: goharbor/harbor-jobservice
tag: v2.0.2
replicas: 1
# set the service account to be used, default if left empty
serviceAccountName: ""
maxJobWorkers: 10
# The logger for jobs: "file", "database" or "stdout"
jobLogger: file
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Secret is used when job service communicates with other components.
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
registry:
# set the service account to be used, default if left empty
serviceAccountName: ""
registry:
image:
repository: goharbor/registry-photon
tag: v2.0.2
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
controller:
image:
repository: goharbor/harbor-registryctl
tag: v2.0.2
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
# set the service account to be used, default if left empty
serviceAccountName: ""
replicas: 1
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Secret is used to secure the upload state from client
# and registry storage backend.
# See: https://github.com/docker/distribution/blob/master/docs/configuration.md#http
# If a secret key is not specified, Helm will generate one.
# Must be a string of 16 chars.
secret: ""
# If true, the registry returns relative URLs in Location headers. The client is responsible for resolving the correct URL.
relativeurls: false
credentials:
username: "harbor_registry_user"
password: "harbor_registry_password"
# If you update the username or password of registry, make sure use cli tool htpasswd to generate the bcrypt hash
# e.g. "htpasswd -nbBC10 $username $password"
htpasswd: "harbor_registry_user:$2y$10$9L4Tc0DJbFFMB6RdSCunrOpTHdwhid4ktBJmLD00bYgqkkGOvll3m"
middleware:
enabled: false
type: cloudFront
cloudFront:
baseurl: example.cloudfront.net
keypairid: KEYPAIRID
duration: 3000s
ipfilteredby: none
# The secret key that should be present is CLOUDFRONT_KEY_DATA, which should be the encoded private key
# that allows access to CloudFront
privateKeySecret: "my-secret"
chartmuseum:
enabled: true
# set the service account to be used, default if left empty
serviceAccountName: ""
# Harbor defaults ChartMuseum to returning relative urls, if you want using absolute url you should enable it by change the following value to 'true'
absoluteUrl: false
image:
repository: goharbor/chartmuseum-photon
tag: v2.0.2
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
clair:
enabled: true
# set the service account to be used, default if left empty
serviceAccountName: ""
clair:
image:
repository: goharbor/clair-photon
tag: v2.0.2
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
adapter:
image:
repository: goharbor/clair-adapter-photon
tag: v2.0.2
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
replicas: 1
# The interval of clair updaters, the unit is hour, set to 0 to
# disable the updaters
updatersInterval: 12
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
trivy:
# enabled the flag to enable Trivy scanner
enabled: true
image:
# repository the repository for Trivy adapter image
repository: goharbor/trivy-adapter-photon
# tag the tag for Trivy adapter image
tag: v2.0.2
# set the service account to be used, default if left empty
serviceAccountName: ""
# replicas the number of Pod replicas
replicas: 1
# debugMode the flag to enable Trivy debug mode with more verbose scanning log
debugMode: false
# vulnType a comma-separated list of vulnerability types. Possible values are `os` and `library`.
vulnType: "os,library"
# severity a comma-separated list of severities to be checked
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
# ignoreUnfixed the flag to display only fixed vulnerabilities
ignoreUnfixed: false
# insecure the flag to skip verifying registry certificate
insecure: false
# gitHubToken the GitHub access token to download Trivy DB
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system (`/home/scanner/.cache/trivy/db/trivy.db`). In addition, the database contains the update
# timestamp so Trivy can detect whether it should download a newer version from the Internet or use the cached one.
# Currently, the database is updated every 12 hours and published as a new release to GitHub.
#
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
# https://developer.github.com/v3/#rate-limiting
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
gitHubToken: ""
# skipUpdate the flag to disable Trivy DB downloads from GitHub
#
# You might want to set the value of this flag to `true` in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the value is set to `true` you have to manually download the `trivy.db` file and mount it in the
# `/home/scanner/.cache/trivy/db/trivy.db` path.
skipUpdate: false
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1
memory: 1Gi
## Additional deployment annotations
podAnnotations: {}
notary:
enabled: true
server:
# set the service account to be used, default if left empty
serviceAccountName: ""
image:
repository: goharbor/notary-server-photon
tag: v2.0.2
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
signer:
# set the service account to be used, default if left empty
serviceAccountName: ""
image:
repository: goharbor/notary-signer-photon
tag: v2.0.2
replicas: 1
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
## Additional deployment annotations
podAnnotations: {}
# Fill the name of a kubernetes secret if you want to use your own
# TLS certificate authority, certificate and private key for notary
# communications.
# The secret must contain keys named ca.crt, tls.crt and tls.key that
# contain the CA, certificate and private key.
# They will be generated if not set.
secretName: ""
database:
# if external database is used, set "type" to "external"
# and fill the connection informations in "external" section
type: internal
internal:
# set the service account to be used, default if left empty
serviceAccountName: ""
image:
repository: goharbor/harbor-db
tag: v2.0.2
# The initial superuser password for internal database
password: "changeit"
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
external:
host: "192.168.0.1"
port: "5432"
username: "user"
password: "password"
coreDatabase: "registry"
clairDatabase: "clair"
notaryServerDatabase: "notary_server"
notarySignerDatabase: "notary_signer"
# "disable" - No SSL
# "require" - Always SSL (skip verification)
# "verify-ca" - Always SSL (verify that the certificate presented by the
# server was signed by a trusted CA)
# "verify-full" - Always SSL (verify that the certification presented by the
# server was signed by a trusted CA and the server host name matches the one
# in the certificate)
sslmode: "disable"
# The maximum number of connections in the idle connection pool.
# If it <=0, no idle connections are retained.
maxIdleConns: 50
# The maximum number of open connections to the database.
# If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgre of harbor.
maxOpenConns: 1000
## Additional deployment annotations
podAnnotations: {}
redis:
# if external Redis is used, set "type" to "external"
# and fill the connection informations in "external" section
type: internal
internal:
# set the service account to be used, default if left empty
serviceAccountName: ""
image:
repository: goharbor/redis-photon
tag: v2.0.2
# resources:
# requests:
# memory: 256Mi
# cpu: 100m
nodeSelector: {}
tolerations: []
affinity: {}
external:
host: "192.168.0.2"
port: "6379"
# The "coreDatabaseIndex" must be "0" as the library Harbor
# used doesn't support configuring it
coreDatabaseIndex: "0"
jobserviceDatabaseIndex: "1"
registryDatabaseIndex: "2"
chartmuseumDatabaseIndex: "3"
clairAdapterIndex: "4"
trivyAdapterIndex: "5"
password: ""
## Additional deployment annotations
podAnnotations: {}
简化后harbor.yaml
expose:
type: ingress
tls:
enabled: true
secretName: "youpenglai"
ingress:
hosts:
core: harbor.fenghong.tech
notary: notary.fenghong.tech
controller: default
annotations:
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
externalURL: https://harbor.fenghong.tech
persistence:
enabled: true
resourcePolicy: "keep"
persistentVolumeClaim:
registry:
storageClass: "nfs"
accessMode: ReadWriteOnce
size: 2Gi
chartmuseum:
storageClass: "nfs"
accessMode: ReadWriteOnce
size: 2Gi
jobservice:
existingClaim: ""
storageClass: "nfs"
subPath: ""
accessMode: ReadWriteOnce
size: 1Gi
database:
storageClass: "nfs"
accessMode: ReadWriteOnce
size: 1Gi
redis:
storageClass: "nfs"
accessMode: ReadWriteOnce
size: 1Gi
trivy:
storageClass: "nfs"
accessMode: ReadWriteOnce
size: 2Gi
imagePullPolicy: IfNotPresent
部署
其中需要我们定制的部分很少,我们将域名替换成我们自己的,使用默认的 Ingress 方式暴露服务,其他需要我们手动配置的部分就是数据持久化的部分,我们需要提前为上面的这些服务创建好可用的 PVC 或者 StorageClass 对象,比如我们这里使用一个名为 harbor-data 的 StorageClass 资源对象,当然也可以根据我们实际的需求修改 accessMode 或者存储容量.这里,我已经预先创建了基于nfs的动态pvc了以及域名证书tls. 不熟悉的可以找一下之前的文章.
$ kubectl create ns kube-ops
# 使用指定的key创建名为fenghong的TLS secret
$ kubectl create secret tls fenghong --cert=path/to/tls.cert --key=path/to/tls.key -n kube-ops
# 创建nginx-ingress
$ kubectl apply -f https://kuboard.cn/install-script/v1.18.x/nginx-ingress.yaml
## 指定values.yaml安装 harbor
$ helm repo add harbor https://helm.goharbor.io
$ helm install harbor harbor/harbor -f harbor.yaml --namespace kube-ops
查看部署结果
$ kubectl get all -n kube-ops
NAME READY STATUS RESTARTS AGE
pod/harbor-harbor-chartmuseum-9dbc86bf5-np6tm 1/1 Running 0 65m
pod/harbor-harbor-clair-75c79f8699-hh9z8 2/2 Running 0 30m
pod/harbor-harbor-core-c5f8b499d-n7jq5 1/1 Running 0 65m
pod/harbor-harbor-database-0 1/1 Running 0 65m
pod/harbor-harbor-jobservice-7bc6f94fc8-hrwqw 1/1 Running 1 65m
pod/harbor-harbor-notary-server-5fc79f89d8-2mfvn 1/1 Running 2 65m
pod/harbor-harbor-notary-signer-55fb874764-phg9c 1/1 Running 2 65m
pod/harbor-harbor-portal-87858859c-z5gpm 1/1 Running 0 65m
pod/harbor-harbor-redis-0 1/1 Running 0 65m
pod/harbor-harbor-registry-7ddd894946-txmfr 2/2 Running 0 21m
pod/harbor-harbor-trivy-0 1/1 Running 0 65m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/harbor-harbor-chartmuseum ClusterIP 10.102.191.179 <none> 80/TCP 65m
service/harbor-harbor-clair ClusterIP 10.97.102.76 <none> 8080/TCP 65m
service/harbor-harbor-core ClusterIP 10.104.232.106 <none> 80/TCP 65m
service/harbor-harbor-database ClusterIP 10.101.7.197 <none> 5432/TCP 65m
service/harbor-harbor-jobservice ClusterIP 10.111.236.111 <none> 80/TCP 65m
service/harbor-harbor-notary-server ClusterIP 10.99.122.140 <none> 4443/TCP 65m
service/harbor-harbor-notary-signer ClusterIP 10.110.255.184 <none> 7899/TCP 65m
service/harbor-harbor-portal ClusterIP 10.101.139.189 <none> 80/TCP 65m
service/harbor-harbor-redis ClusterIP 10.105.216.126 <none> 6379/TCP 65m
service/harbor-harbor-registry ClusterIP 10.98.71.16 <none> 5000/TCP,8080/TCP 65m
service/harbor-harbor-trivy ClusterIP 10.104.97.54 <none> 8080/TCP 65m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/harbor-harbor-chartmuseum 1/1 1 1 65m
deployment.apps/harbor-harbor-clair 1/1 1 1 65m
deployment.apps/harbor-harbor-core 1/1 1 1 65m
deployment.apps/harbor-harbor-jobservice 1/1 1 1 65m
deployment.apps/harbor-harbor-notary-server 1/1 1 1 65m
deployment.apps/harbor-harbor-notary-signer 1/1 1 1 65m
deployment.apps/harbor-harbor-portal 1/1 1 1 65m
deployment.apps/harbor-harbor-registry 1/1 1 1 65m
NAME DESIRED CURRENT READY AGE
replicaset.apps/harbor-harbor-chartmuseum-9dbc86bf5 1 1 1 65m
replicaset.apps/harbor-harbor-clair-75c79f8699 1 1 1 65m
replicaset.apps/harbor-harbor-core-c5f8b499d 1 1 1 65m
replicaset.apps/harbor-harbor-jobservice-7bc6f94fc8 1 1 1 65m
replicaset.apps/harbor-harbor-notary-server-5fc79f89d8 1 1 1 65m
replicaset.apps/harbor-harbor-notary-signer-55fb874764 1 1 1 65m
replicaset.apps/harbor-harbor-portal-87858859c 1 1 1 65m
replicaset.apps/harbor-harbor-registry-7ddd894946 1 1 1 65m
NAME READY AGE
statefulset.apps/harbor-harbor-database 1/1 65m
statefulset.apps/harbor-harbor-redis 1/1 65m
statefulset.apps/harbor-harbor-trivy 1/1 65m
## 查看ingress
$ kubectl get ing -n kube-ops
NAME CLASS HOSTS ADDRESS PORTS AGE
harbor-harbor-ingress <none> harbor.fenghong.tech 80, 443 140m
harbor-harbor-ingress-notary <none> notary.fenghong.tech 80, 443 140m
添加完成后,在浏览器中输入harbor.fenghong.tech 界面了,当然我们配置的 Ingress 中会强制跳转到 https,所以如果你的浏览器有什么安全限制的话,证书是阿里云的免费一年的帧数,证书文件可以通过查看 Secret 资源对象获取.
然后输入用户名:admin,密码:Harbor12345(当然我们也可以通过 Helm 安装的时候自己覆盖 harborAdminPassword)即可登录进入 Portal 首页 .
高可用参考官网.