I. Introduction
1. Why use Harbor when an official registry image is already available?
1) The registry lacks an image cleanup mechanism: images can be pushed but not deleted, which wastes storage space.
2) The registry lacks corresponding extension mechanisms.
3) Harbor features:
Cloud native registry: With support for both container images and Helm charts, Harbor serves as a registry for cloud native environments like container runtimes and orchestration platforms.
Role based access control (RBAC): Users and repositories are organized via 'projects', and a user can have different permissions for images or Helm charts under a project.
Policy based replication: Images and charts can be replicated (synchronized) between multiple registry instances based on policies with multiple filters (repository, tag and label). Harbor automatically retries a replication if it encounters any errors. Great for load balancing, high availability, multi-datacenter, hybrid and multi-cloud scenarios.
Vulnerability scanning: Harbor scans images regularly and warns users of vulnerabilities.
LDAP/AD support: Harbor integrates with existing enterprise LDAP/AD for user authentication and management, and supports importing LDAP groups into Harbor and assigning proper project roles to them.
OIDC support (identity verification): Harbor leverages OpenID Connect (OIDC) to verify the identity of users authenticated by an external authorization server or identity provider. Single sign-on can be enabled to log into the Harbor portal.
Image deletion & garbage collection: Images can be deleted and their space can be recycled.
Notary (image signing): Image authenticity can be ensured.
Graphical user portal: Users can easily browse and search repositories and manage projects.
Auditing: All operations on the repositories are tracked.
RESTful API: RESTful APIs for most administrative operations, easy to integrate with external systems. An embedded Swagger UI is available for exploring and testing the API.
Easy deployment: Provides both an online and an offline installer. In addition, a Helm Chart can be used to deploy Harbor on Kubernetes.
2. What is Harbor
Harbor is an enterprise-class registry project open-sourced by VMware and built on Docker Registry. It is an enterprise-grade registry server for storing and distributing Docker images. It extends the open-source Docker Distribution by adding the features enterprises need, such as security, identity authentication and management; it improves image transfer efficiency, supports image replication between registries, and provides advanced security features such as vulnerability analysis, user management, access control and activity auditing. The project has more than 4600 stars on GitHub.
Official website: https://goharbor.io/
GitHub installation guide: https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md
Download: https://github.com/goharbor/harbor/releases
Note: the online installer is used here.
3. Harbor logo
II. Harbor architecture
1. Architecture diagram
2. The seven main components
Proxy: Harbor's registry, UI, token server and other components sit behind a reverse proxy, which forwards requests from browsers and Docker clients to the various backend services.
Registry: responsible for storing Docker images and handling docker push/pull commands. Because Harbor must enforce access control on images, the registry directs clients to the token service so that every request carries a valid token.
Core services: Harbor's core services, which mainly provide the following:
UI: a graphical user interface that helps users manage the registry.
Webhook: a mechanism configured in the registry so that image status changes in the registry are pushed to Harbor's webhook endpoint. Harbor uses webhooks to update logs, trigger replication and some other functions.
Token service: issues a token for each docker push/pull command according to the user's role in the project. If a request sent from the Docker client carries no token, the registry redirects the request to the token service.
Database: stores the metadata of projects, users, roles, replication policies and images.
Job services: used for image replication; local images can be replicated (synchronized) to other Harbor instances.
Log collector: collects the logs of the other modules in one place.
Redis: used to store sessions.
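The token flow described under Registry and Token service above, as an added example that is not part of these notes or of Harbor's own code: a client that parses the registry's Bearer challenge, refuses to send credentials unless the realm is HTTPS on the Harbor host it was talking to, builds the token-service request, and forms the Authorization header for the retried push/pull. The host name, service name and scope in the sample challenge are constructed.

```python
import re
from urllib.parse import urlencode, urlsplit

# Constructed sample: the WWW-Authenticate header the registry answers with
# when a docker pull arrives without a token (host and values are assumed).
SAMPLE_CHALLENGE = (
    'Bearer realm="https://harbor.example.com/service/token",'
    'service="harbor-registry",scope="repository:library/nginx:pull"'
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_bearer_challenge(header):
    """Split a Bearer challenge into its realm/service/scope parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    fields = dict(_PARAM_RE.findall(params))
    if "realm" not in fields:
        raise ValueError("Bearer challenge without realm")
    return fields


def token_request_url(header, expected_host):
    """URL of the token service the client must call next.

    Credentials are only sent when the realm is HTTPS on the Harbor host the
    client was already talking to; a challenge pointing elsewhere is rejected.
    """
    fields = parse_bearer_challenge(header)
    realm = urlsplit(fields["realm"])
    if realm.scheme != "https" or realm.hostname != expected_host:
        raise ValueError("refusing to send credentials to %s" % fields["realm"])
    query = {k: fields[k] for k in ("service", "scope") if k in fields}
    return fields["realm"] + "?" + urlencode(query) if query else fields["realm"]


def parse_scope(scope):
    """'repository:library/nginx:pull,push' -> (type, name, [actions])."""
    kind, name, actions = scope.split(":", 2)
    return kind, name, actions.split(",")


def bearer_header(token_response):
    """Authorization header for retrying the registry request with the token
    the token service returned (JSON body with 'token' or 'access_token')."""
    token = token_response.get("token") or token_response.get("access_token")
    if not token:
        raise ValueError("token service response carries no token")
    return {"Authorization": "Bearer " + token}
```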
3. Lab architecture diagram