The following are the configuration files for setting up Harbor on k3s:
- Create the file harbor.yaml
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: harbor
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: harbor-admin
  namespace: harbor
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable API.
# Binding to cluster-admin gives this ServiceAccount full control over the whole cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: harbor-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: harbor-admin
  namespace: harbor
---
# Configuration for Harbor
# ConfigMaps are not meant for confidential data: the db password and S3 keys below
# are readable by anyone with read access to ConfigMaps in this namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-config
  namespace: harbor
data:
  harbor.yml: |
    # Configuration file for Harbor
    hostname: <your harbor hostname>
    # The harbor-tls Secret is mounted at /harbor_cert, so its keys
    # (tls.crt, tls.key, ca.crt) are the file names available there.
    http:
      port: 80
      tls:
        certificate: /harbor_cert/tls.crt
        private_key: /harbor_cert/tls.key
        ca_certificate: /harbor_cert/ca.crt
    https:
      port: 443
      tls:
        certificate: /harbor_cert/tls.crt
        private_key: /harbor_cert/tls.key
        ca_certificate: /harbor_cert/ca.crt
    db:
      password: <your db password>
    external_url: https://<your harbor hostname>
    jobservice:
      max_job_workers: 10
    log:
      level: info
      rotate_size: 200M
    persistence:
      enabled: true
      size: 20Gi
    registry:
      url: https://<your harbor hostname>
      storage:
        s3:
          accesskey: <your s3 accesskey>
          secretkey: <your s3 secretkey>
          region: <your s3 region>
          bucket: <your s3 bucket>
    token_service:
      issuer: harbor-token-issuer
    trivy:
      enabled: true
      image_ref: docker.io/aquasec/trivy:0.20.1
      # true disables TLS certificate verification
      insecure_skip_tls_verify: true
---
# Harbor deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: harbor
  namespace: harbor
spec:
  selector:
    matchLabels:
      app: harbor
  replicas: 1
  template:
    metadata:
      labels:
        app: harbor
    spec:
      serviceAccountName: harbor-admin
      containers:
      - name: harbor
        image: harbor/harbor:v2.1.4
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        volumeMounts:
        - name: harbor-cert
          mountPath: /harbor_cert
        - name: harbor-config
          mountPath: /etc/core
          readOnly: true
      volumes:
      - name: harbor-cert
        secret:
          secretName: harbor-tls
      - name: harbor-config
        configMap:
          name: harbor-config
---
# Harbor service
apiVersion: v1
kind: Service
metadata:
  name: harbor
  namespace: harbor
spec:
  selector:
    app: harbor
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 443
---
# Ingress for Harbor
# networking.k8s.io/v1beta1 was removed in Kubernetes 1.22; the v1 schema
# requires pathType and the service/port form of the backend.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: harbor-ingress
  namespace: harbor
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  rules:
  - host: <your harbor hostname>
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: harbor
            port:
              name: https
```
- Create the file harbor-tls.yaml
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: harbor-tls
  namespace: harbor
type: kubernetes.io/tls
data:
  tls.crt: <base64 encoded TLS certificate>
  tls.key: <base64 encoded TLS private key>
  ca.crt: <base64 encoded CA certificate chain>
```
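Here, replace `<your harbor hostname>` with your Harbor hostname, `<your db password>` with your database password, `<your s3 accesskey>`, `<your s3 secretkey>` and `<your s3 region>` with the access key, secret key and region of your S3 storage, and `<your s3 bucket>` with the name of your S3 bucket.

In addition, replace `<base64 encoded TLS certificate>`, `<base64 encoded TLS private key>` and `<base64 encoded CA certificate chain>` with the base64-encoded TLS certificate, private key and CA certificate chain, respectively.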
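
The base64 placeholders in harbor-tls.yaml can be filled in from PEM files as follows. This is an added example, not part of the original page; the function names and the input file names are assumptions.

```shell
#!/bin/sh
# Added example: render harbor-tls.yaml from three PEM files.
# Function names and input file names are assumptions, not from the page.

# Base64-encode a file onto a single line. GNU base64 wraps its output at
# 76 columns by default, and a wrapped value breaks the Secret's data field.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Fail unless the file exists, is non-empty and contains the expected PEM
# block. This also catches a certificate and key passed in swapped order,
# which would otherwise put the private key into the tls.crt field.
require_pem() {
    file=$1 marker=$2
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    grep -q -- "-----BEGIN .*$marker" "$file" || {
        echo "$file: no PEM '$marker' block found" >&2; return 1; }
}

# Usage: render_harbor_tls <cert.pem> <key.pem> <ca-chain.pem>
# Prints the Secret manifest on stdout; the key names match harbor-tls.yaml.
render_harbor_tls() {
    cert=$1 key=$2 ca=$3
    require_pem "$cert" "CERTIFICATE" || return 1
    require_pem "$key"  "PRIVATE KEY" || return 1
    require_pem "$ca"   "CERTIFICATE" || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: harbor-tls
  namespace: harbor
type: kubernetes.io/tls
data:
  tls.crt: $(b64_oneline "$cert")
  tls.key: $(b64_oneline "$key")
  ca.crt: $(b64_oneline "$ca")
EOF
}
```

Run `umask 077` before redirecting the output to harbor-tls.yaml, since the file contains the private key (base64 is an encoding, not encryption).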