Online Deployment Guide for a Kubernetes-based Harbor Image Registry
I. Environment preparation and prerequisites
Before deploying the Harbor image registry in a Kubernetes cluster, complete the following environment configuration:
- K8s cluster requirements: K8s 1.19+ is recommended, with at least 3 worker nodes, each with no less than 4 CPU cores, 8 GB of memory and 100 GB of storage. Verify the cluster state with `kubectl get nodes` and make sure every node is in the Ready state.
- StorageClass configuration: Harbor needs persistent storage; block storage from a cloud provider (such as AWS EBS or Alibaba Cloud disks) or distributed storage (such as Rook-Ceph) is recommended. Confirm the available storage classes with `kubectl get storageclass`, for example:

```yaml
# Example: create an NFS StorageClass (an NFS server must already be deployed)
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: nfs-storage
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner
parameters:
  archiveOnDelete: "false"
```

- Ingress controller deployment: Harbor exposes its services through an Ingress by default, so deploy Nginx Ingress or Traefik first. Taking Nginx as an example:

```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx
```

- Certificate management: if HTTPS is used, prepare a TLS certificate. It can be issued automatically via Let's Encrypt:

```bash
helm repo add jetstack https://charts.jetstack.io
# installCRDs is required, otherwise cert-manager's Certificate/Issuer resources cannot be created;
# a ClusterIssuer pointing at Let's Encrypt still has to be created afterwards
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true
```
II. Core Helm deployment workflow
1. Add the Harbor Helm repository

```bash
helm repo add harbor https://helm.goharbor.io
helm repo update
```

2. Create the namespace

```bash
kubectl create namespace harbor
```
3. Customize the values configuration
Create a harbor-values.yaml file; the key configuration items are as follows:

```yaml
# Must match the ingress host: clients are redirected to this URL after login and push
externalURL: https://harbor.example.com
expose:
  type: ingress
  tls:
    enabled: true
    certSource: secret
    secret:
      # TLS secret in the harbor namespace (for example issued by cert-manager)
      secretName: harbor-tls
  ingress:
    hosts:
      core: harbor.example.com
      notary: notary.example.com
    annotations:
      # Do not cap request bodies, so large image layers pass through the Nginx ingress
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
persistence:
  persistentVolumeClaim:
    registry:
      storageClass: "nfs-storage"
      accessMode: ReadWriteOnce
      size: 100Gi
    chartmuseum:
      storageClass: "nfs-storage"
      size: 10Gi
    jobservice:
      storageClass: "nfs-storage"
      size: 1Gi
    database:
      storageClass: "nfs-storage"
      size: 1Gi
    redis:
      storageClass: "nfs-storage"
      size: 1Gi
```
4. Run the deployment command

```bash
helm install harbor harbor/harbor -f harbor-values.yaml -n harbor
```

5. Verify the deployment status

```bash
kubectl get pods -n harbor
```

Expected output: all Pods are in the Running state.

```
NAME                              READY   STATUS    RESTARTS   AGE
harbor-core-xxxxxxxxx-xxxxx       1/1     Running   0          2m
harbor-database-0                 1/1     Running   0          2m
harbor-jobservice-xxxxxxxxx-xx    1/1     Running   0          2m
harbor-notary-server-xxxxxxxxx    1/1     Running   0          2m
harbor-portal-xxxxxxxxx-xxxxx     1/1     Running   0          2m
harbor-redis-0                    1/1     Running   0          2m
harbor-registry-xxxxxxxxx-xx      1/1     Running   0          2m
harbor-trivy-xxxxxxxxx-xxxxx      1/1     Running   0          2m
```
III. Key configuration optimizations
1. High-availability architecture
- Database high availability: edit the values file to enable an external database:

```yaml
# The Harbor chart's external database is PostgreSQL (the chart does not support MySQL);
# the host and credentials below are placeholders
database:
  type: external
  external:
    host: "postgres-master.example.com"
    port: "5432"
    username: "harbor"
    password: "Harbor12345"   # prefer existingSecret so the password stays out of the values file
    coreDatabase: "registry"
    notaryServerDatabase: "notaryserver"
    notarySignerDatabase: "notarysigner"
    sslmode: "require"        # the chart default is "disable", i.e. unencrypted DB traffic
```

- Redis cluster configuration:

```yaml
redis:
  type: external
  external:
    addr: "redis-cluster.example.com:6379"
    password: ""   # empty means an unauthenticated Redis; set a password or existingSecret
```
2. Performance tuning parameters
- Resource limits: adjust the jobservice requests and limits:

```yaml
jobservice:
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
    limits:
      cpu: 1000m
      memory: 2Gi
```

- Concurrent worker threads:

```yaml
jobservice:
  # The chart exposes the worker count as maxJobWorkers (default 10);
  # it has no separate backlog queue depth value
  maxJobWorkers: 10
```
3. Security hardening
- Network policy: restrict communication between Pods:

```yaml
# The Harbor chart has no networkPolicy value, so this is applied as a standalone
# NetworkPolicy in the harbor namespace: only Harbor's own Pods may reach Redis
# on TCP/6379. Labels follow those the chart sets on its Pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: harbor-redis-ingress
  namespace: harbor
spec:
  podSelector:
    matchLabels:
      app: harbor
      component: redis
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: harbor
    ports:
    - protocol: TCP
      port: 6379
```

- Audit logging:

```yaml
core:
  auditLog:
    enabled: true
    path: /var/log/harbor/audit.log
    maxSize: 1024
    maxBackups: 30
    maxAge: 30
```
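As an added check for the values file from section II and the hardening points above (example code written for this guide, not part of the original article or the Harbor chart), the following Python script lints a parsed harbor-values.yaml for the weak settings a reviewer would flag: TLS off, a non-HTTPS externalURL, the chart's default admin password, a plaintext or missing external database password, sslmode left at disable, and an unauthenticated external Redis. It assumes the chart keys existingSecretAdminPassword, database.external.existingSecret, database.external.sslmode and redis.external.existingSecret; the two sample values dicts are constructed.

```python
"""Lint Harbor Helm values for weak security settings (added example; not the
article's or the Harbor project's code). Sample values are constructed."""

DEFAULT_ADMIN_PASSWORD = "Harbor12345"  # chart default for harborAdminPassword


def _get(values, path, default=None):
    """Walk a dotted key path through nested dicts; default if a key is absent."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_harbor_values(values):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    if _get(values, "expose.tls.enabled") is not True:
        findings.append("expose.tls.enabled is not true: registry traffic is plaintext")
    if not str(_get(values, "externalURL", "")).startswith("https://"):
        findings.append("externalURL is not https://: clients are redirected to plaintext")
    if (_get(values, "existingSecretAdminPassword") is None
            and _get(values, "harborAdminPassword", DEFAULT_ADMIN_PASSWORD) == DEFAULT_ADMIN_PASSWORD):
        findings.append("admin password is the chart default; set existingSecretAdminPassword")
    if _get(values, "database.type") == "external":
        pw = _get(values, "database.external.password")
        if not pw and not _get(values, "database.external.existingSecret"):
            findings.append("database.external has neither password nor existingSecret")
        elif pw:
            findings.append("database.external.password is plaintext in values; use existingSecret")
        if _get(values, "database.external.sslmode", "disable") == "disable":
            findings.append("database.external.sslmode is disable: DB traffic is unencrypted")
    if _get(values, "redis.type") == "external" and not (
            _get(values, "redis.external.password") or _get(values, "redis.external.existingSecret")):
        findings.append("redis.external has no password: unauthenticated Redis")
    return findings


# Constructed samples: WEAK mirrors the settings shown in this guide, HARDENED fixes them.
WEAK_VALUES = {
    "expose": {"tls": {"enabled": True}}, "externalURL": "http://harbor.example.com",
    "database": {"type": "external", "external": {"password": "Harbor12345"}},
    "redis": {"type": "external", "external": {"addr": "redis.example.com:6379", "password": ""}},
}
HARDENED_VALUES = {
    "expose": {"tls": {"enabled": True}}, "externalURL": "https://harbor.example.com",
    "existingSecretAdminPassword": "harbor-admin",
    "database": {"type": "external", "external": {"existingSecret": "harbor-db", "sslmode": "require"}},
    "redis": {"type": "external", "external": {"existingSecret": "harbor-redis"}},
}
```

Feed it the result of `yaml.safe_load()` on the real values file; a non-empty finding list should block the `helm install` in a CI gate.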
IV. Operations and maintenance practices
1. Backup and restore strategy
- Regular backups: use Velero for cluster-level backups:

```bash
velero backup create harbor-backup --include-namespaces harbor
```

- Database backup:

```bash
# The bundled harbor-database Pod runs PostgreSQL, so dump it with pg_dump rather than mysqldump;
# if the container's pg_hba requires a password, pg_dump reads it from PGPASSWORD
kubectl exec -n harbor harbor-database-0 -- pg_dump -U postgres registry > registry_backup.sql
```
2. Monitoring and alerting
- Prometheus monitoring:

```yaml
metrics:
  enabled: true
  serviceMonitor:
    enabled: true
    interval: 30s
```

- Example alerting rule:

```yaml
groups:
- name: harbor.rules
  rules:
  - alert: HarborRegistryHighLatency
    expr: histogram_quantile(0.99, sum(rate(harbor_registry_request_duration_seconds_bucket[5m])) by (le)) > 1
    for: 10m
    labels:
      severity: warning
    annotations:
      summary: "Harbor registry experiencing high latency"
```
3. Upgrade and maintenance workflow
- Helm upgrade command:

```bash
helm upgrade harbor harbor/harbor -f harbor-values.yaml -n harbor
```

- Rollback strategy:

```bash
helm history harbor -n harbor
helm rollback harbor --revision 2 -n harbor
```
V. Common problems and solutions
- Ingress 502 errors: check whether the backend services are ready and inspect the Pod logs:

```bash
kubectl logs -n harbor harbor-core-xxxxxxxxx-xxxxx
```

- Volume mount failures: confirm the PVC status and check the StorageClass configuration:

```bash
kubectl get pvc -n harbor
kubectl describe sc nfs-storage
```

- Database connection timeouts: verify the network policy and test connectivity to the database (the host and port must match database.external in the values file):

```bash
kubectl exec -n harbor harbor-core-xxxxxxxxx-xxxxx -- nc -zv postgres-master.example.com 5432
```

With the complete deployment plan above, developers can quickly build an enterprise-grade Harbor image registry on Kubernetes, covering its core functions of image management, vulnerability scanning and signature verification. Regular performance testing (for example load testing with Locust) is recommended so that resource parameters can be tuned continuously.