0. tips
- 本文是在上一篇文章的基础上进行的,若有疑惑,可以先看上一篇文章
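1. harbor中生成docker客户端证书
- 注意:下面放进 docker-client/ 的 .cert 和 .key 并不是单独签发的客户端证书,而是 Harbor 服务端证书和服务端私钥的副本。docker 校验由自建 CA 签发的 Harbor 服务端证书时只需要 ca.crt;.cert/.key 只有在仓库要求客户端证书认证时才会用到。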
[root@harbor250]# cd /usr/local/harbor/certs
[root@harbor250 certs]# cp ca/ca.crt harbor-server/harbor250.geniusc.com.key docker-client/
[root@harbor250 certs]#
[root@harbor250 certs]# cp harbor-server/harbor250.geniusc.com.crt docker-client/harbor250.geniusc.com.cert
[root@harbor250 certs]#
[root@harbor250 certs]# tree
.
├── ca
│ ├── ca.crt
│ └── ca.key
├── docker-client
│ ├── ca.crt
│ ├── harbor250.geniusc.com.cert
│ └── harbor250.geniusc.com.key
└── harbor-server
├── harbor250.geniusc.com.crt
├── harbor250.geniusc.com.csr
├── harbor250.geniusc.com.key
└── v3.ext
3 directories, 9 files
[root@harbor250 certs]#
2. k8s所有节点部署docker环境
3. k8s所有节点创建自建证书的目录结构
mkdir -pv /etc/docker/certs.d/harbor250.geniusc.com/
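4. 拷贝docker client证书文件到k8s客户端
- 注意:docker-client/* 中包含 Harbor 服务端私钥(harbor250.geniusc.com.key),下面的 scp 会把它复制到每个 k8s 节点;任何一个节点失陷都等于泄露该私钥,持有者可以冒充 harbor250.geniusc.com。若只是为了让节点信任自建 CA,只拷贝 docker-client/ca.crt 即可。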
[root@harbor250 certs]# scp docker-client/* 10.0.0.51:/etc/docker/certs.d/harbor250.geniusc.com/
[root@harbor250 certs]# scp docker-client/* 10.0.0.52:/etc/docker/certs.d/harbor250.geniusc.com/
[root@harbor250 certs]# scp docker-client/* 10.0.0.53:/etc/docker/certs.d/harbor250.geniusc.com/
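5. k8s客户端登录测试
- 注意:用 -p 把密码直接写在命令行上,密码会留在 shell 历史里,也可能被同机其他用户从进程列表中看到;正如下面输出中的 WARNING 所提示,应改用 --password-stdin。登录成功后 /root/.docker/config.json 里的 auth 字段只是 base64 编码而不是加密(下文已演示解码),应限制该文件的访问权限或配置 credential helper。admin/1 这样的弱口令只适用于实验环境。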
[root@master51 ~]# echo 10.0.0.250 harbor250.geniusc.com >> /etc/hosts
[root@master51 ~]#
[root@master51 ~]# docker login -u admin -p 1 harbor250.geniusc.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https:
Login Succeeded
[root@master51 ~]#
[root@master51 ~]# cat /root/.docker/config.json;echo
{
"auths": {
"harbor250.geniusc.com": {
"auth": "YWRtaW46MQ=="
}
}
}
[root@master51 ~]#
[root@master51 ~]# echo YWRtaW46MQ== | base64 -d;echo
admin:1
[root@master51 ~]#
[root@worker52 ~]# echo 10.0.0.250 harbor250.geniusc.com >> /etc/hosts
[root@worker52 ~]#
[root@worker52 ~]# docker login -u admin -p 1 harbor250.geniusc.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https:
Login Succeeded
[root@worker52 ~]#
[root@worker53 ~]# echo 10.0.0.250 harbor250.geniusc.com >> /etc/hosts
[root@worker53 ~]#
[root@worker53 ~]# docker login -u admin -p 1 harbor250.geniusc.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https:
Login Succeeded
[root@worker53 ~]#
- 可能会出现的错误
[root@worker53 ~]# docker login -u admin -p 1 harbor250.geniusc.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://harbor250.geniusc.com/v2/": x509: certificate signed by unknown authority
[root@worker53 ~]#
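错误原因:
没有拷贝客户端自建证书。该节点的 /etc/docker/certs.d/harbor250.geniusc.com/ 目录下缺少自建 CA 证书(ca.crt),docker 无法验证 Harbor 服务端证书的签发者,因此报 "certificate signed by unknown authority"。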
解决方案:
参考步骤4即可。
[root@master51 ~]# docker login -u admin -p 1 harbor250.geniusc.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://harbor250.geniusc.com/v2/": dial tcp: lookup harbor250.geniusc.com on 127.0.0.53:53: no such host
[root@master51 ~]#
错误原因:
没有添加host解析。
解决方案:
添加即可,参考步骤5