kubernetes1.24从构建到躺平「三」

OS: Ubuntu Server 22.04

一: 在srv4节点上配置带有SSL的私有仓库

1) 生成证书

root@srv4:~# cd /etc/ssl/private
root@srv4:/etc/ssl/private# openssl genrsa -aes128 2048 > server.key
Enter PEM pass phrase:     # 输入密码
Verifying - Enter PEM pass phrase:

root@srv4:/etc/ssl/private# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:     # 输入密码（此步会去除口令保护，写出的 server.key 为明文私钥，请限制其文件权限，仅 root 可读）
writing RSA key

root@srv4:/etc/ssl/private# openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BeiJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:1000y.cloud
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:srv4.1000y.cloud
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

root@srv4:/etc/ssl/private# vim san.txt
# 添加如下内容——用于生成包含 SAN(Subject Alternative Name)的证书；SAN 需覆盖客户端访问仓库时使用的主机名(srv4.1000y.cloud)及IP，否则客户端校验证书会失败
subjectAltName = DNS:*.1000y.cloud, IP:192.168.1.14

root@srv4:/etc/ssl/private# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365 -extfile san.txt
Certificate request self-signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = 1000y.cloud, OU = Tech, CN = srv4.1000y.cloud

root@srv4:/etc/ssl/private# cd

2) 创建一个访问帐户

root@srv4:~# apt install apache2-utils podman -y

root@srv4:~# htpasswd -Bc /etc/containers/.htpasswd snow
New password:     # 设定一个密码
Re-type new password: 
Adding password for user snow


二: 在srv4节点上创建一个仓库

root@srv4:~# podman pull registry:2
Resolved "registry" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/registry:2...
Getting image source signatures
Copying blob fc30d7061437 done  
Copying blob 2408cc74d12b done  
Copying blob e69d20d3dd20 done  
Copying blob c87369050336 done  
Copying blob ea60b727a1ce done  
Copying config 773dbf02e4 done  
Writing manifest to image destination
Storing signatures
773dbf02e42e2691c752b74e9b7745623c4279e4eeefe734804a32695e46e2f3

root@srv4:~# mkdir /var/lib/containers/registry

# 注: registry:2 以普通容器运行即可，通常不需要 --privileged；-v /etc/containers:/auth 会将整个目录挂入容器，若只需要 .htpasswd 可仅挂载该文件
root@srv4:~# podman run --privileged -d -p 5000:5000 \
-v /etc/containers:/auth \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/.htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/server.key \
-v /etc/ssl/private:/certs \
-v /var/lib/containers/registry:/var/lib/registry \
registry:2
4997aa1a7bb83b6bfb7abe92ba7d6bc8a0f689da21c0a4db3e022d4f73990edf


三: 测试

1) Registry[仓库]测试

root@srv4:~# vim /etc/containers/registries.conf
......
......
......
......
......
......

# 于文件最后添加如下内容（注: [registries.insecure] 会让 podman 对该仓库跳过 TLS 证书校验并允许回退到 HTTP；本仓库已启用 TLS，更稳妥的做法是把 server.crt 放到 /etc/containers/certs.d/srv4.1000y.cloud:5000/ca.crt，与下文 containerd 的配置方式一致）
[registries.search]
registries = ['docker.io']

[registries.insecure]
registries = ['srv4.1000y.cloud:5000']

root@srv4:~# podman pull nginx
Resolving "nginx" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/nginx:latest...
Getting image source signatures
Copying blob 62c70f376f6a done  
Copying blob 7b1fab684d70 done  
Copying blob 75a963e94de0 done  
Copying blob 42c077c10790 done  
Copying blob 915cc9bd79c2 done
Writing manifest to image destination
Storing signatures
0e901e68141fd02f237cf63eb842529f8a9500636a9419e3cf4fb986b8fe3d5d

root@srv4:~# podman images
REPOSITORY                  TAG         IMAGE ID      CREATED      SIZE
docker.io/library/nginx     latest      0e901e68141f  3 weeks ago  146 MB
docker.io/library/registry  2           773dbf02e42e  3 weeks ago  24.6 MB

root@srv4:~# podman tag docker.io/library/nginx:latest srv4.1000y.cloud:5000/nginx

root@srv4:~# podman login srv4.1000y.cloud:5000
Username: snow
Password: 
Login Succeeded!

root@srv4:~# podman push srv4.1000y.cloud:5000/nginx:latest
Getting image source signatures
Copying blob 33e3df466e11 done  
Copying blob 747b7a567071 done  
Copying blob 57d3fc88cb3f done  
Copying blob 53ae81198b64 done  
Copying blob 58354abe5f0e done  
Copying blob ad6562704f37 done  
Copying config 0e901e6814 done  
Writing manifest to image destination
Storing signatures

root@srv4:~# curl --user snow:123456 -XGET https://srv4.1000y.cloud:5000/v2/_catalog -k     # -k 会跳过服务端证书校验，仅用于测试；可改用 --cacert /etc/ssl/private/server.crt 进行校验。命令行中的密码会留在 shell 历史与 ps 输出中（下文同）
{"repositories":["nginx"]}

2) 客户端测试

(1) 修改相关的配置文件
root@srv1:~# vim /etc/containerd/config.toml
......
......
......
......
......
......

    [plugins."io.containerd.grpc.v1.cri".registry]
      # 于145行,进行修改。指定registry配置文件所在目录
      config_path = "/etc/containerd/certs.d"

      [plugins."io.containerd.grpc.v1.cri".registry.auths]
# 于148行,添加认证帐户的信息（此处为明文密码，注意限制 config.toml 的文件权限）
        [plugins."io.containerd.grpc.v1.cri".registry.configs."srv4.1000y.cloud:5000".auth]
          username = "snow"
          password = "123456"

......
......
......
......
......
......

root@srv1:~# mkdir -p /etc/containerd/certs.d/srv4.1000y.cloud:5000/
root@srv1:~# vim /etc/containerd/certs.d/srv4.1000y.cloud:5000/hosts.toml
[host."https://srv4.1000y.cloud:5000"]
  capabilities = ["pull", "resolve", "push"]
  ca = "/etc/containerd/certs.d/srv4.1000y.cloud:5000/ca.crt"

root@srv1:~# scp srv4.1000y.cloud:/etc/ssl/private/server.crt /etc/containerd/certs.d/srv4.1000y.cloud:5000/ca.crt
root@srv1:~# systemctl restart containerd.service

(2) 测试
root@srv1:~# crictl pull srv4.1000y.cloud:5000/nginx
Image is up to date for sha256:0e901e68141fd02f237cf63eb842529f8a9500636a9419e3cf4fb986b8fe3d5d

root@srv1:~# crictl images | grep nginx
srv4.1000y.cloud:5000/nginx                                       latest              0e901e68141fd       59.2MB

3) 其他
如果测试成功,请将其他的k8s节点的containerd服务的私有仓库配置完成（hosts.toml 与 ca.crt 均需复制到每个节点，因为镜像由 Pod 被调度到的节点上的 kubelet 拉取）


四: 将验证信息加入至Docker credentials中[K8S Master节点操作]

1) 创建Regcred

root@srv1:~# kubectl create secret docker-registry regcred \
--docker-server=srv4.1000y.cloud:5000 \
--docker-username=snow \
--docker-password=123456
secret/regcred created

root@srv1:~# kubectl get secrets
NAME      TYPE                                            DATA   AGE
regcred      kubernetes.io/dockerconfigjson   1           10s
regcred      kubernetes.io/dockerconfigjson   1           20s

2) 查看regcred详细信息

root@srv1:~# kubectl get secret regcred --output=yaml
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJzcnY0LjEwMDB5LmNsb3VkOjUwMDAiOnsidXNlcm5hbWUiOiJzbm93IiwicGFzc3dvcmQiOiIxMjM0NTYiLCJhdXRoIjoiYzI1dmR6b3hNak0wTlRZPSJ9fX0=
kind: Secret
metadata:
  creationTimestamp: "2022-06-21T08:14:19Z"
  name: regcred
  namespace: default
  resourceVersion: "7659"
  uid: 9e5152c0-b395-40dc-995f-f7163cd8aa7b
type: kubernetes.io/dockerconfigjson

3) 用Base64查看regcred中用户名及密码（Base64 仅是编码而非加密，任何能读取该 Secret 的用户都可直接得到明文密码，需用 RBAC 限制对 secrets 的读取权限）

root@srv1:~# kubectl get secret regcred --output="jsonpath={.data.\.dockerconfigjson}" | base64 -d
{"auths":{"srv4.1000y.cloud:5000":{"username":"snow","password":"123456","auth":"c25vdzoxMjM0NTY="}}}


五: 测试K8S与私有仓库的互动

1) 确认私有仓库是否存在nginx镜像

root@srv1:~# curl --user snow:123456 -XGET https://srv4.1000y.cloud:5000/v2/_catalog -k
{"repositories":["nginx"]}

2) 于私有仓库pull一个镜像并启动一个Pod

root@srv1:~# vim private-nginx.yml
# 于新文件内添加如下内容
apiVersion: v1
kind: Pod
metadata:
  name: private-nginx
spec:
  containers:
  - name: private-nginx
    # 设定私有仓库及镜像
    image: srv4.1000y.cloud:5000/nginx
  imagePullSecrets:
   # 添加认证名称
  - name: regcred

root@srv1:~# kubectl create -f private-nginx.yml
pod/private-nginx created

root@srv1:~# kubectl get pods
NAME            READY   STATUS    RESTARTS   AGE
private-nginx   1/1     Running   0          23s

root@srv1:~# kubectl describe pods private-nginx
Name:         private-nginx
Namespace:    default
Priority:     0
Node:         srv2.1000y.cloud/192.168.1.12
Start Time:   Tue, 21 Jun 2022 16:22:42 +0800
Labels:       
Annotations:  
Status:       Running
IP:           10.244.2.2
IPs:
  IP:  10.244.2.2
Containers:
  private-nginx:
    Container ID:   containerd://002bb89a7f0fc8ae3faf2e9dc9169e9df48f9a26ec626b16f27052e72f33986c
    Image:          srv4.1000y.cloud:5000/nginx
    Image ID:       srv4.1000y.cloud:5000/nginx@sha256:65b1ea5e1db59668e46e2a8e2090522358bead4124609f77f2509f482b631b4d
    Port:           
    Host Port:      
    State:          Running
      Started:      Tue, 21 Jun 2022 16:22:54 +0800
    Ready:          True
    Restart Count:  0
    Environment:    
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-7kjwz (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  kube-api-access-7kjwz:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  46s   default-scheduler  Successfully assigned default/private-nginx to srv2.1000y.cloud
  Normal  Pulling    45s   kubelet            Pulling image "srv4.1000y.cloud:5000/nginx"
  Normal  Pulled     35s   kubelet            Successfully pulled image "srv4.1000y.cloud:5000/nginx" in 10.095096643s
  Normal  Created    34s   kubelet            Created container private-nginx
  Normal  Started    34s   kubelet            Started container private-nginx