无法访问 Kubernetes 集群上的新 Harbor 部署

Unable to Access New Harbor Deployment on Kubernetes Cluster

第一次试用 VMWare 的 Harbor 注册表服务器并将其作为部署在新的 Kubernetes 集群上进行尝试。

按照Harbor on Kubernetesguide,所有Harbor资源都申请到了k8s集群上,可以看到运行ok了。但是,我目前无法从网络浏览器访问 Harbor ui(我刚返回 "Unable to connect")。我的猜测是安全设置不正确,某些东西丢失或在错误的地方?

make/harbor.cfg 文件配置为:

hostname = k8s-dp-2 # 这是Harbor所在的worker节点 运行..

ui_url_protocol = https

ssl_cert = /path/to/cert/on/host/harbor.crt

ssl_cert_key = /path/to/cert/on/host/harbor.key

secretkey_path = /data

我假设上述证书的路径是主机上的路径,python 脚本将从该路径获取文件,然后执行 YAML builds?

----更新---

经过评论中的建议,我现在已经在k8s集群中配置了一个nginx ingress controller。添加这个入口控制器后,我更新了 Harbor 配置以使用 http 而不再使用 https,因为 https 部分现在应该由 nginx 入口控制器处理。但是,现在有了这些配置更改,我仍然无法通过 https 访问 Harbor 服务,但我现在可以通过 kubernetes 集群的 http 端口调用它来访问 Harbor 服务。请参阅下面的测试

# kubectl get svc -n=nginx-ingress NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nginx-ingress NodePort 10.103.165.23 <none> 80:31819/TCP,443:30435/TCP 20h

测试调用 1:

$ curl https://k8s-dp-2/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to k8s-dp-2 port 443: Connection refused

测试调用 2:

$ curl https://k8s-dp-2:30435/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

测试调用 3:

$ curl http://k8s-dp-2/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed to connect to k8s-dp-2 port 80: Connection refused

测试调用 4:

$ curl http://k8s-dp-2:31819/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   810  100   810    0     0  12857      0 --:--:-- --:--:-- --:--:-- 12857<!doctype html>
<html>

<head>
    <meta charset="utf-8">
    <title>Harbor</title>
    <base href="/">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="icon" type="image/x-icon" href="favicon.ico?v=2">
</head>

<body style="overflow-y: hidden;">
...

尝试各种不同的配置后,下面发布的 YAML 配置对我有用:

入口控制器 YAML:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ingress-nginx
  template:
    metadata:
      labels:
        app: ingress-nginx
      annotations:
        prometheus.io/port: '10254'
        prometheus.io/scrape: 'true'
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.11.0
          args:
            - /nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
            - --default-ssl-certificate=$(POD_NAMESPACE)/default-tls-secret
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --annotations-prefix=nginx.ingress.kubernetes.io
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
          - name: http
            containerPort: 80
          - name: https
            containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1

入口 YAML:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: harbor
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - k8s-dp-2
  rules:
  - host: k8s-dp-2
    http:
      paths:
      - path: /
        backend:
          serviceName: ui
          servicePort: 80
      - path: /v2
        backend:
          serviceName: registry
          servicePort: repo
      - path: /service
        backend:
          serviceName: ui
          servicePort: 80

服务 YAML:

apiVersion: v1
kind: Service
metadata:
  name: ui
spec:
  ports:
    - port: 80
  selector:
    name: ui-apps

然而,找到一个可行的解决方案并不简单。必须学习很多关于入口控制器、入口等的知识。此外,我最初混合了来自两个不同工作方式不同的 nginx 入口控制器图像的配置(下面的配置适用于 quay.io 的 nginx 入口控制器)。另外,由于我仍然没有正确理解的原因,最终配置仅在完全重启所涉及的 k8s 节点后才开始工作。