Harbor's domain certificate is replaced once a year. Upload the new certificate, change the certificate paths in /opt/harbor/harbor.yml directly, and restart the services:
cd /opt/harbor/
docker-compose down -v
docker-compose up -d
After this, the certificate served by Harbor has still not been updated.
Checking the docker-compose.yml file, in the nginx (proxy) section, shows that the certificate directory is persisted: it is bind-mounted from the host, so the container reads the certificate from that host path rather than from the file named in harbor.yml.
[root@harbor harbor]# vim docker-compose.yml
...
          syslog-address: "tcp://127.0.0.1:1514"
          tag: "redis"
  proxy:
    image: goharbor/nginx-photon:v2.1.0
    container_name: nginx
    restart: always
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
      - NET_BIND_SERVICE
    volumes:
      - ./common/config/nginx:/etc/nginx:z
      - /harbor_data/secret/cert:/etc/cert:z   # here: the cert directory is persisted on the host by default
      - /etc/hosts:/etc/hosts:z
      - type: bind
        source: ./common/config/shared/trust-certificates
        target: /harbor_cust_cert
    networks:
      - harbor
    dns_search: .
    ports:
      - 80:8080
...
So copy the new certificate files into this directory, overwriting the existing server.crt and server.key:
[root@harbor harbor]# cd /harbor_data/secret/cert/
[root@harbor cert]# ll
total 12
-rw-r--r-- 1 root root 5824 Apr 12 16:10 server.crt
-rw-r--r-- 1 root root 1675 Apr 12 15:10 server.key
There is no need to restart every service with docker-compose either; restarting only the nginx container is enough:
[root@harbor cert]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6e696e371d67 goharbor/harbor-jobservice:v2.1.0 "/harbor/entrypoint.…" 40 minutes ago Up 40 minutes (healthy) harbor-jobservice
ce540caa5355 goharbor/nginx-photon:v2.1.0 "nginx -g 'daemon of…" 40 minutes ago Up 9 minutes (healthy) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp nginx
c8c71e144c9e goharbor/harbor-core:v2.1.0 "/harbor/entrypoint.…" 40 minutes ago Up 40 minutes (healthy) harbor-core
e5a1c50932f7 goharbor/registry-photon:v2.1.0 "/home/harbor/entryp…" 40 minutes ago Up 40 minutes (healthy) registry
6c06ed2b2b20 goharbor/harbor-registryctl:v2.1.0 "/home/harbor/start.…" 40 minutes ago Up 40 minutes (healthy) registryctl
b68793f7fecb goharbor/redis-photon:v2.1.0 "redis-server /etc/r…" 40 minutes ago Up 40 minutes (healthy) redis
d570d32629da goharbor/harbor-portal:v2.1.0 "nginx -g 'daemon of…" 40 minutes ago Up 40 minutes (healthy) harbor-portal
99b8537023f9 goharbor/harbor-db:v2.1.0 "/docker-entrypoint.…" 40 minutes ago Up 40 minutes (healthy) harbor-db
b2d9a608c46c goharbor/harbor-log:v2.1.0 "/bin/sh -c /usr/loc…" 40 minutes ago Up 40 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
[root@harbor cert]# docker restart ce540caa5355
ce540caa5355 above is the container ID of the nginx container.
Once the restart finishes, verify that the certificate has been updated.
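To make that last verification step concrete, here is an added check script (not from the original post) that compares the SHA-256 fingerprint of server.crt in /harbor_data/secret/cert with the certificate nginx actually presents on the TLS port, and reports the days left until expiry; the script name, the hostname passed as an argument and the default paths are assumptions.

```shell
#!/bin/sh
# Usage: sh check_cert.sh <harbor-host> [port] [cert-file]
# Compares the SHA-256 fingerprint of the certificate file that the nginx
# container mounts from /harbor_data/secret/cert with the certificate it
# actually presents on the TLS port. Added example; host and paths are assumed.

# Reduce openssl's "sha256 Fingerprint=AB:CD:..." line to lowercase hex.
normalize_fingerprint() {
  printf '%s\n' "$1" | sed 's/^[^=]*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of a PEM certificate file on disk.
file_fingerprint() {
  normalize_fingerprint "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Fingerprint of the certificate served on host:port, with SNI set to host.
served_fingerprint() {
  normalize_fingerprint "$(openssl s_client -connect "$1:$2" -servername "$1" \
    </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
}

# Whole days from epoch $1 to epoch $2 (negative once $2 is in the past).
days_between() { echo $(( ($2 - $1) / 86400 )); }

# Days until notAfter of a PEM certificate file (needs GNU date -d).
days_until_expiry() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  days_between "$(date +%s)" "$(date -d "$end" +%s)"
}

# Exit 0 when the served cert is the file on disk, 1 on mismatch, 2 when no
# certificate could be fetched (port closed, handshake failed).
check_cert_rollout() {
  host=$1 port=${2:-443} cert=${3:-/harbor_data/secret/cert/server.crt}
  want=$(file_fingerprint "$cert")
  got=$(served_fingerprint "$host" "$port")
  if [ -z "$got" ]; then
    echo "no certificate received from $host:$port"; return 2
  elif [ "$want" = "$got" ]; then
    echo "OK: $host serves $cert ($(days_until_expiry "$cert") days left)"
  else
    echo "MISMATCH: file $want, served $got (old cert still loaded?)"; return 1
  fi
}

if [ $# -ge 1 ]; then check_cert_rollout "$@"; fi
```

A mismatch after `docker restart` means nginx is still holding the old key pair, which is exactly the symptom the post started from; run it from the host right after the restart and again from a client outside the box.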