1. If you have a domain registered with Tencent Cloud, apply for a free SSL certificate there, enter the domain and set up its DNS resolution. I applied for a certificate for cs.xxjsjl.cn and pointed the IP at my private address 192.168.0.6.
2. Add the hosts entry on all k8s nodes
[root@k8s-master01 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.11 k8s-master01
192.168.0.12 k8s-master02
192.168.0.13 k8s-master03
192.168.0.14 k8s-node01
192.168.0.15 k8s-node02
192.168.0.16 k8s-node03
192.168.0.6 cs.xxjsjl.cn
3. Reconfigure registries.yaml on all k8s nodes, and upload the downloaded pem and key certificate files into the corresponding directory
[root@k8s-master01 ~]# ls /etc/rancher/rke2/ssl/
cs.xxjsjl.cn.key cs.xxjsjl.cn.pem
[root@k8s-master01 ~]# cat /etc/rancher/rke2/registries.yaml
mirrors:
  cs.xxjsjl.cn:
    endpoint:
      - "https://cs.xxjsjl.cn"
configs:
  "https://cs.xxjsjl.cn":
    auth:
      username: admin
      password: Ab660910../
    tls:
      cert_file: /etc/rancher/rke2/ssl/cs.xxjsjl.cn.pem
      key_file: /etc/rancher/rke2/ssl/cs.xxjsjl.cn.key
4. Restart the RKE2 service on all nodes
server nodes
systemctl restart rke2-server.service
agent nodes
systemctl restart rke2-agent.service
Check the generated containerd configuration
[root@k8s-master01 ~]# cat /var/lib/rancher/rke2/agent/etc/containerd/config.toml
# File generated by rke2. DO NOT EDIT. Use config.toml.tmpl instead.
version = 2
[plugins."io.containerd.internal.v1.opt"]
  path = "/var/lib/rancher/rke2/agent/containerd"
[plugins."io.containerd.grpc.v1.cri"]
  stream_server_address = "127.0.0.1"
  stream_server_port = "10010"
  enable_selinux = true
  enable_unprivileged_ports = true
  enable_unprivileged_icmp = true
  sandbox_image = "registry.cn-hangzhou.aliyuncs.com/rancher/pause:3.6"
[plugins."io.containerd.grpc.v1.cri".containerd]
  snapshotter = "overlayfs"
  disable_snapshot_annotations = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."cs.xxjsjl.cn"]
  endpoint = ["https://cs.xxjsjl.cn"]
[plugins."io.containerd.grpc.v1.cri".registry.configs."https://cs.xxjsjl.cn".auth]
  username = "admin"
  password = "Ab660910../"
[plugins."io.containerd.grpc.v1.cri".registry.configs."https://cs.xxjsjl.cn".tls]
  cert_file = "/etc/rancher/rke2/ssl/cs.xxjsjl.cn.pem"
  key_file = "/etc/rancher/rke2/ssl/cs.xxjsjl.cn.key"
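The preflight script below is an added example written for this walkthrough; it is not from the original post or from RKE2. Run as root on one node, it checks the pieces steps 2 to 4 depend on: the hosts entry, the presence of the cert and key, that the key and registries.yaml (which carries the registry password) are readable only by root, that registries.yaml points at those files, and that the rendered containerd config.toml actually contains the mirror table (its absence usually means the YAML did not parse or the service was not restarted). The domain, IP and paths default to the values used above and can be overridden through environment variables; the function names are the example's own. One point worth knowing when reading the tls section: in containerd's registry configuration, cert_file and key_file are a client certificate presented to the registry, while the registry's own certificate is verified against the node's system trust store (or a ca_file entry), so with a publicly trusted Tencent Cloud certificate the pull works without those two lines, and the domain's private key only needs to be on every node if Harbor is configured to require client certificates.

```shell
#!/bin/sh
# rke2-registry-preflight.sh (added example, not part of the original post)
# Run on every RKE2 node after steps 2-4 to confirm the private-registry
# wiring is consistent and that the secret-bearing files are root-only.
# Defaults are the values used in the post; override them with env vars.

REG_HOST="${REG_HOST:-cs.xxjsjl.cn}"
REG_IP="${REG_IP:-192.168.0.6}"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
REG_YAML="${REG_YAML:-/etc/rancher/rke2/registries.yaml}"
CERT_FILE="${CERT_FILE:-/etc/rancher/rke2/ssl/$REG_HOST.pem}"
KEY_FILE="${KEY_FILE:-/etc/rancher/rke2/ssl/$REG_HOST.key}"
CONTAINERD_TOML="${CONTAINERD_TOML:-/var/lib/rancher/rke2/agent/etc/containerd/config.toml}"

# hosts_maps FILE HOST IP: true if FILE has an uncommented line mapping HOST to IP.
hosts_maps() {
    awk -v host="$2" -v ip="$3" '
        /^[[:space:]]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == host) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# owner_only FILE: true if FILE is a regular file with mode rw------- (0600).
# Parses ls -ld so it behaves the same on GNU and BSD userlands.
owner_only() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# yaml_references FILE HOST: true if registries.yaml names HOST as a mirror
# and its tls section points at the cert and key paths configured above.
yaml_references() {
    grep -q "^[[:space:]]*$2:" "$1" &&
    grep -q "cert_file:[[:space:]]*$CERT_FILE" "$1" &&
    grep -q "key_file:[[:space:]]*$KEY_FILE" "$1"
}

# toml_has_mirror FILE HOST: true if the rendered containerd config carries
# the mirror table for HOST.
toml_has_mirror() {
    grep -q "registry.mirrors.\"$2\"" "$1"
}

# preflight: runs every check, prints PASS/FAIL per check and returns the
# number of failures so it can drive automation.
preflight() {
    fails=0
    check() {  # check LABEL CMD...
        label="$1"; shift
        if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
    }
    check "hosts maps $REG_HOST to $REG_IP"      hosts_maps "$HOSTS_FILE" "$REG_HOST" "$REG_IP"
    check "cert file present"                    test -f "$CERT_FILE"
    check "private key is root-only (0600)"      owner_only "$KEY_FILE"
    check "registries.yaml is root-only (0600)"  owner_only "$REG_YAML"
    check "registries.yaml references $REG_HOST" yaml_references "$REG_YAML" "$REG_HOST"
    check "containerd config has mirror table"   toml_has_mirror "$CONTAINERD_TOML" "$REG_HOST"
    return "$fails"
}

# Only run the checks when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Usage: sh rke2-registry-preflight.sh --run on each node; the exit status is the number of failing checks, so a non-zero result from any node points at exactly which of the four files above still needs attention.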
5. Change the configuration on the Harbor host
Configuration file changes
[root@cs harbor]# cat harbor.yml
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: cs.xxjsjl.cn
# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 80
# https related config
https:
  # https port for harbor, default is 443
  port: 443 # enable 443
  # The path of cert and key files for nginx
  certificate: /root/harbor/ssl/cs.xxjsjl.cn.pem # put the downloaded pem in this directory
  private_key: /root/harbor/ssl/cs.xxjsjl.cn.key # put the downloaded key in this directory
# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
#   # set enabled to true means internal tls is enabled
#   enabled: true
#   # put your cert and key files on dir
#   dir: /etc/harbor/tls/internal
#   # enable strong ssl ciphers (default: false)
#   strong_ssl_ciphers: false
...... (remaining settings omitted)
Delete the existing containers and data
docker rm -f $(docker ps -qa)
rm -rf /data
Regenerate the configuration and reinstall
./prepare
./install.sh
# If core services show as unavailable, start them with: docker restart $(docker ps -qa)
Change the Harbor host's hostname
hostnamectl set-hostname cs.xxjsjl.cn
Log in to the registry locally on the Harbor host
[root@my harbor]# docker login -u admin cs.xxjsjl.cn
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
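The warning in the docker login output above deserves attention: /root/.docker/config.json now holds the Harbor admin password as a base64-encoded username:password pair, which any process or backup able to read the file can decode. The audit script below is an added example, not part of the original post or of Docker. It lists which registries have such inline "auth" entries and whether a credsStore credential helper is configured. The function names and the sample config.json used in its test are constructed for the example; the script relies only on sh, tr, grep and sed.

```shell
#!/bin/sh
# docker-cred-audit.sh (added example, not part of the original post)
# docker login's "stored unencrypted" warning means config.json holds
# "auth": base64(username:password) entries. This audit reports which
# registries have such entries and whether a credential helper is in use.

DOCKER_CONFIG_FILE="${DOCKER_CONFIG_FILE:-$HOME/.docker/config.json}"

# plaintext_auth_registries FILE: prints, one per line, every registry under
# "auths" that carries an inline "auth" value. Works on the compact or the
# pretty-printed JSON docker writes; the JSON is flattened to one line and
# each  "<registry>":{ ... "auth":"..." }  object is matched as a unit.
plaintext_auth_registries() {
    tr -d '\n\t ' < "$1" |
    grep -o '"[^"]*":{[^{}]*"auth":"[^"]*"' |
    sed 's/^"\([^"]*\)":.*/\1/'
}

# credential_helper FILE: prints the configured credsStore name, or "none".
credential_helper() {
    helper=$(tr -d '\n\t ' < "$1" | sed -n 's/.*"credsStore":"\([^"]*\)".*/\1/p')
    echo "${helper:-none}"
}

# audit FILE: human-readable report; returns 1 when any plaintext entry
# exists, so it can be used as a host-hardening or CI check.
audit() {
    [ -f "$1" ] || { echo "no docker config at $1"; return 0; }
    helper=$(credential_helper "$1")
    regs=$(plaintext_auth_registries "$1")
    echo "credential helper: $helper"
    if [ -z "$regs" ]; then
        echo "no plaintext registry credentials"
        return 0
    fi
    echo "plaintext (base64-only) credentials stored for:"
    echo "$regs" | sed 's/^/  /'
    return 1
}

if [ "${1:-}" = "--run" ]; then audit "$DOCKER_CONFIG_FILE"; fi
```

Usage: sh docker-cred-audit.sh --run (set DOCKER_CONFIG_FILE to inspect another file). The remediation is the one the warning links to: configure a credential helper, then docker logout cs.xxjsjl.cn and log in again so the new entry is stored by the helper rather than inline.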
Push a test image
[root@cs harbor]# docker push cs.xxjsjl.cn/library/nginx:1.25.0
The push refers to repository [cs.xxjsjl.cn/library/nginx]
5f5ffeb5f485: Pushed
f096f2cad7ff: Pushed
89ad618cc7b9: Pushed
cc7def5d7708: Pushed
077db2bd2c24: Pushed
0cc1f0165626: Pushed
1.25.0: digest: sha256:e7058572cd3be00c224dc135c22b0e3cf21ed75d335df135ce0e56dd95a25a1b size: 1571
6. Test from the cluster
Write a yaml file
[root@k8s-master01 ~]# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: default
spec:
  containers:
  - name: nginx
    image: cs.xxjsjl.cn/library/nginx:1.25.0
Apply it
[root@k8s-master01 ~]# kubectl apply -f nginx.yaml
Check
[root@k8s-master01 ~]# kubectl describe pod nginx | tail -8
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 17m default-scheduler Successfully assigned default/nginx to k8s-node03
Normal Pulling 17m kubelet Pulling image "cs.xxjsjl.cn/library/nginx:1.25.0"
Normal Pulled 17m kubelet Successfully pulled image "cs.xxjsjl.cn/library/nginx:1.25.0" in 609.635814ms (609.646218ms including waiting)
Normal Created 17m kubelet Created container nginx
Normal Started 17m kubelet Started container nginx
[root@k8s-master01 ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 1/1 Running 0 17m 10.42.4.14 k8s-node03 <none> <none>
[root@k8s-master01 ~]# curl http://10.42.4.14
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
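The Events output shows the pull succeeded, but it does not by itself prove that the image the node runs is the same content that was pushed in step 5. The script below is an added example (not from the post, RKE2 or Harbor): it reads the first container's imageID from the pod status and compares both the registry host and the sha256 digest against the digest printed by docker push above. The function names and the --run flag are the example's own. For production workloads the same guarantee is available declaratively by referencing the image by digest in the Pod spec (image: cs.xxjsjl.cn/library/nginx@sha256:...), which makes the kubelet refuse any other content.

```shell
#!/bin/sh
# verify-image-source.sh (added example, not part of the original post)
# After the pod is Running, confirm the kubelet pulled the image from the
# private registry and that the content digest matches what docker push
# printed on the Harbor host. Pod status exposes this as
# .status.containerStatuses[*].imageID, usually <registry>/<repo>@sha256:<digest>.

REG_HOST="${REG_HOST:-cs.xxjsjl.cn}"
EXPECTED_DIGEST="${EXPECTED_DIGEST:-sha256:e7058572cd3be00c224dc135c22b0e3cf21ed75d335df135ce0e56dd95a25a1b}"

# digest_of IMAGE_ID: prints the sha256:... part of an imageID, empty if none.
digest_of() {
    case "$1" in
        *@sha256:*) echo "sha256:${1##*@sha256:}" ;;
        sha256:*)   echo "$1" ;;
        *)          echo "" ;;
    esac
}

# registry_of IMAGE_ID: prints the registry host (text before the first '/').
registry_of() {
    case "$1" in
        */*) echo "${1%%/*}" ;;
        *)   echo "" ;;
    esac
}

# image_verified IMAGE_ID HOST DIGEST: returns 0 when IMAGE_ID names both HOST
# and DIGEST; 1 when no digest can be read (pull not finished, or a runtime
# that reports no digest); 3 when the registry host cannot be confirmed as
# HOST; 2 when the host matches but the content digest differs.
image_verified() {
    d=$(digest_of "$1"); r=$(registry_of "$1")
    [ -n "$d" ] || return 1
    [ "$r" = "$2" ] || return 3
    [ "$d" = "$3" ] || return 2
    return 0
}

# verify_pod POD [NAMESPACE]: reads the first container's imageID with kubectl
# and reports the verdict; exit status is the image_verified code.
verify_pod() {
    id=$(kubectl get pod "$1" -n "${2:-default}" \
         -o jsonpath='{.status.containerStatuses[0].imageID}')
    if image_verified "$id" "$REG_HOST" "$EXPECTED_DIGEST"; then
        echo "OK: $1 runs $id"
    else
        rc=$?
        echo "MISMATCH (code $rc): $1 runs ${id:-<no imageID yet>}"
        return "$rc"
    fi
}

if [ "${1:-}" = "--run" ]; then verify_pod "${2:-nginx}" "${3:-default}"; fi
```

Usage: sh verify-image-source.sh --run nginx default on a node with kubectl access; set EXPECTED_DIGEST to the digest line of whichever push you want to confirm.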