====== Rancher + Harbor + private CA ======
  * Harbor Info:
    * URL - https://10.20.0.71:5443/
    * User - tryweb
    * Add Public Project - tryweb {{:tech:2020121101.png|}}
  * Login Harbor:
<code>
localadmin@iiidevops1:~$ sudo docker login https://10.20.0.71:5443/
[sudo] password for localadmin:
Username: tryweb
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
</code>
===== Push the built image to Harbor =====
  * Reference - https://ithelp.ithome.com.tw/articles/10191213
  * Example: the image built here is devops-db:v1
<code>
sudo docker build ~/deploy-devops-develop/devops-db --tag devops-db:v1
</code>
  * View the local image list
<code>
localadmin@iiidevops1:~$ sudo docker images
REPOSITORY          TAG       IMAGE ID       CREATED        SIZE
devops-db           v1        25269cfee615   4 hours ago    314MB
postgres            12        386fd8c60839   3 weeks ago    314MB
iiiorg/devops-db    latest    ec09d7015ce5   2 months ago   314MB
</code>
  * Use ''docker tag'' to give the image its Harbor address, project: tryweb
<code>
sudo docker tag devops-db:v1 10.20.0.71:5443/tryweb/devops-db:v1
localadmin@iiidevops1:~$ sudo docker images
REPOSITORY                   TAG       IMAGE ID       CREATED        SIZE
devops-db                    v1        25269cfee615   4 hours ago    314MB
postgres                     12        386fd8c60839   3 weeks ago    314MB
iiiorg/devops-db             latest    ec09d7015ce5   2 months ago   314MB
10.20.0.71:5443/devops-db    v1        25269cfee615   5 hours ago    314MB
</code>
  * Push to Harbor
<code>
localadmin@iiidevops1:~$ sudo docker push --disable-content-trust 10.20.0.71:5443/tryweb/devops-db:v1
The push refers to repository [10.20.0.71:5443/tryweb/devops-db]
dad28bba27f8: Pushed
21086d1e867a: Pushed
5f7e00914c15: Pushed
af0b57c72d50: Pushed
e0cf62a99bcd: Pushed
b1096cae6203: Pushed
e076f7b31275: Pushed
9cd7c4e12078: Pushed
73cf3adf6112: Pushed
065d45f80eac: Pushed
3aac10e9b066: Pushed
117725f5c702: Pushed
a01778662164: Pushed
883d24bc9ae1: Pushed
f5600c6330da: Pushed
v1: digest: sha256:7aec874faa639f6b73b7438f0f7bc6aa3e7fece8ea575bcd6421fc44e00161ea size: 3453
</code>
{{:tech:2020121102.png|}}
===== Referencing the image in Rancher YAML =====
  * Example: deploy-devops-develop/devops-db/devopsdb-deployment.yaml
<code yaml>
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: devopsdb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: devopsdb
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: devopsdb
    spec:
      containers:
      - name: devopsdb
        image: 10.20.0.71:5443/tryweb/devops-db:v1
        env:
        - name: POSTGRES_PASSWORD
          value: xxxxxxxx
        - name: POSTGRES_DB
          value: devopsdb
        ports:
        - containerPort: 5432
        volumeMounts:
        - name: db-data
          mountPath: /var/lib/postgresql/data
      volumes:
      - name: db-data
        nfs:
          server: 10.20.0.71
          path: /iiidevopsNFS/devopsdb
</code>
===== Harbor uses a private CA; Rancher shows ErrImagePull: rpc error ..... x509 =====
  * Reference - https://forums.rancher.com/t/rancher-2-private-docker-registry/12541
  * {{:tech:2020121103.png|}}
  * The full error message is roughly as follows:
<code>
ErrImagePull: rpc error: code = Unknown desc = Error response from daemon: Get ... v2/: x509: certificate signed by unknown authority
</code>
  * Solution 1: copy the self-signed certificate used by Rancher (e.g. 10.20.0.71.crt) to every k8s host in the Rancher cluster, configure the host to trust it, then restart the docker service
    * k8s@10.20.0.72
<code>
sudo cp 10.20.0.71.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo systemctl restart docker.service
ls /etc/ssl/certs | awk /10.20.0.71/
</code>
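  * Solution 2: make Docker on every k8s host treat Harbor's IP:Port 10.20.0.71:5443 or domain name as an insecure registry (Docker then skips certificate verification for these registries), then restart the docker service
    * k8s@10.20.0.72
<code>
sudo vi /etc/docker/daemon.json
{
  "insecure-registries":["10.20.0.71:5443", "harbor.iiidevops.org"]
}
</code>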
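A per-node check for which of the two solutions above is in effect, as an added example that is not part of the original page. The function names and the convention of passing file paths as arguments are assumptions; the demo at the end runs on constructed files in a temporary directory, not on real node state.

```shell
#!/bin/sh
# Added example: report how a node trusts a private registry.

# Print each "insecure-registries" entry of a daemon.json, one per line.
# Minimal text parse (no jq needed); assumes the array holds plain strings.
insecure_registries() {
    [ -f "$1" ] || return 0
    tr -d ' \t\r\n' < "$1" |
        sed -n 's/.*"insecure-registries":\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' | tr -d '"'
}

# registry_trust DAEMON_JSON CERT_DIR REGISTRY CA_NAME
# Prints one of: insecure | ca-trusted | untrusted
registry_trust() {
    daemon_json=$1 cert_dir=$2 registry=$3 ca_name=$4
    if insecure_registries "$daemon_json" | grep -Fxq "$registry"; then
        # Solution 2 is active. Reported first because the setting disables
        # certificate checks even when the CA is also installed.
        echo insecure
    elif ls "$cert_dir" 2>/dev/null | grep -Fq "$ca_name"; then
        echo ca-trusted    # Solution 1: CA present in the system store
    else
        echo untrusted     # pulls fail with "x509: ... unknown authority"
    fi
}

# On a real node:
#   registry_trust /etc/docker/daemon.json /etc/ssl/certs 10.20.0.71:5443 10.20.0.71

# Demo on constructed files.
demo=$(mktemp -d)
mkdir "$demo/certs"
: > "$demo/certs/10.20.0.71.pem"
printf '{\n "insecure-registries":["10.20.0.71:5443"]\n}\n' > "$demo/daemon.json"
registry_trust "$demo/daemon.json" "$demo/certs" 10.20.0.71:5443 10.20.0.71
registry_trust "$demo/absent.json" "$demo/certs" 10.20.0.71:5443 10.20.0.71
rm -rf "$demo"
```

A node that reports ''insecure'' after the CA has been installed still has the Solution 2 entry in daemon.json; removing it and restarting docker leaves only the CA-based trust.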
{{tag>rancher harbor k8s iiidevops}}