[英]Unable to Access New Harbor Deployment on Kubernetes Cluster
Trying out VMWare's Harbour registry server for first time and trying it as a deployment on new Kubernetes cluster. 首次试用VMWare的Harbor注册表服务器,并将其作为新Kubernetes群集上的部署进行尝试。
Having followed the Harbor on Kubernetes guide, all Harbor resources get applied on the k8s cluster and can be seen running okay. 遵循Kubernetes上的Harbor指南之后,所有Harbor资源都已应用到k8s集群上,并且可以正常运行。 However, I am currently unable to access the Harbor ui from a web browser (I just get "Unable to connect" back).
但是,我目前无法通过Web浏览器访问Harbor ui(我刚刚得到“无法连接”)。 It is my guess that security was not setup properly and something is missing or in the wrong place?
我猜测安全性设置不正确,缺少某些东西或放置在错误的位置?
The make/harbor.cfg
file is configured with: make/harbor.cfg
文件配置有:
hostname = k8s-dp-2
# This is the worker node on which Harbor is running.. hostname = k8s-dp-2
#这是运行Harbor的工作程序节点。
ui_url_protocol = https
ssl_cert = /path/to/cert/on/host/harbor.crt
ssl_cert_key = /path/to/cert/on/host/harbor.key
secretkey_path = /data
I am assuming that the path to the certs above are the path on the host from which the python script will grab the files to then do the YAML builds? 我假设上述证书的路径是主机上的路径,Python脚本将从该主机上获取文件,然后进行YAML生成?
---- UPDATE --- ----更新-
After advice given in comments, I have now configured an nginx ingress controller in the k8s cluster. 经过评论中的建议后,我现在在k8s集群中配置了Nginx入口控制器。 After adding in this ingress controller, I have updated the Harbor config to use http and no longer https since the https part should now be taken care of by the nginx ingress controller.
添加了该入口控制器后,我将Harbour配置更新为使用http,不再使用https,因为nginx入口控制器现在应该处理https部分。 With these config changes now in place however, I am still unable to get to the Harbor service via https but I am now able to get to the Harbor service by calling it via the kubernetes cluster's http port.
但是,现在有了这些配置更改,我仍然无法通过https进入Harbor服务,但是现在我可以通过kubernetes集群的http端口调用它来进入Harbor服务。 See tests below
查看下面的测试
# kubectl get svc -n=nginx-ingress NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE nginx-ingress NodePort 10.103.165.23 <none> 80:31819/TCP,443:30435/TCP 20h
Test Call 1: 测试电话1:
$ curl https://k8s-dp-2/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (7) Failed to connect to k8s-dp-2 port 443: Connection refused
Test Call 2: 测试电话2:
$ curl https://k8s-dp-2:30435/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Test Call 3: 测试电话3:
$ curl http://k8s-dp-2/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (7) Failed to connect to k8s-dp-2 port 80: Connection refused
Test Call 4: 测试电话4:
$ curl http://k8s-dp-2:31819/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 810 100 810 0 0 12857 0 --:--:-- --:--:-- --:--:-- 12857<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Harbor</title>
<base href="/">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/x-icon" href="favicon.ico?v=2">
</head>
<body style="overflow-y: hidden;">
...
After trying various different configurations, the YAML configurations posted below are what worked for me: 在尝试了各种不同的配置之后,下面发布的YAML配置对我有用:
Ingress Conroller YAML: Ingress Conroller YAML:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
app: ingress-nginx
template:
metadata:
labels:
app: ingress-nginx
annotations:
prometheus.io/port: '10254'
prometheus.io/scrape: 'true'
spec:
serviceAccountName: nginx-ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.11.0
args:
- /nginx-ingress-controller
- --default-backend-service=$(POD_NAMESPACE)/default-http-backend
- --default-ssl-certificate=$(POD_NAMESPACE)/default-tls-secret
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --annotations-prefix=nginx.ingress.kubernetes.io
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
Ingress YAML: 入口YAML:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: harbor
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
tls:
- hosts:
- k8s-dp-2
rules:
- host: k8s-dp-2
http:
paths:
- path: /
backend:
serviceName: ui
servicePort: 80
- path: /v2
backend:
serviceName: registry
servicePort: repo
- path: /service
backend:
serviceName: ui
servicePort: 80
Service YAML: 服务YAML:
apiVersion: v1
kind: Service
metadata:
name: ui
spec:
ports:
- port: 80
selector:
name: ui-apps
Getting to a working solution was not straightforward however. 但是,要找到一个可行的解决方案并非易事。 Had to learn a lot about ingress controllers, ingresses, etc. Also I was initially mixing configurations from two different nginx ingress controller images that work differently (The configs below work with quay.io's nginx ingress controller).
不得不学习很多有关入口控制器,入口等的知识。另外,我最初也是从两个不同的nginx入口控制器映像混合配置,这些映像的工作方式不同(下面的配置与quay.io的nginx入口控制器一起使用)。 Also, for a reason which I still don't properly understand, the final configuration only started working after a full reboot of the k8s nodes involved.
另外,由于我仍然不了解的原因,最终配置仅在所涉及的k8s节点完全重新启动后才能开始工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.