容器鏡像倉庫harbor+cosign的安裝使用

harbor2.5版本開始支持cosign做鏡像簽名，本周實踐了一下，

ubuntu20.04.4，安裝docker，sudo apt install docker.io，

sudo systemctl enable docker，

sudo gpasswd -a ubuntu docker，

newgrp docker，

安裝docker-compose，sudo apt install docker-compose，

給harbor起個本地域名，sudo vim /etc/hosts，

10.90.11.120 harbortrivy.com

給harbor創建私鑰和證書，

openssl genrsa -out ca.key 4096，

openssl req -x509 -new -nodes -sha512 -days 3650 \

 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbortrivy.com" \

 -key ca.key \

 -out ca.crt，

openssl genrsa -out harbortrivy.com.key 4096，

openssl req -sha512 -new \

   -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=harbortrivy.com" \

   -key harbortrivy.com.key \

   -out harbortrivy.com.csr，

cat > v3.ext <<-EOF

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[alt_names]

DNS.1=harbortrivy.com

DNS.2=harbortrivy

DNS.3=ubuntu

EOF

openssl x509 -req -sha512 -days 3650 \

   -extfile v3.ext \

   -CA ca.crt -CAkey ca.key -CAcreateserial \

   -in harbortrivy.com.csr \

   -out harbortrivy.com.crt，

下載harbor在線安裝版本，

wget https://github.com/goharbor/harbor/releases/download/v2.5.0/harbor-online-installer-v2.5.0.tgz，

tar -zxvf harbor-online-installer-v2.5.0.tgz，cd harbor，

修改配置，vim harbor.yml，

hostname: harbortrivy.com

certificate: /home/ubuntu/harbortrivy.com.crt

private_key: /home/ubuntu/harbortrivy.com.key

harbor_admin_password: harbortrivy

安裝，指定trivy，notary等參數，

sudo ./install.sh --with-notary --with-trivy --with-chartmuseum，

安裝成功后，https登錄，admin/harbortrivy，

在docker客戶端，需要把harbor的證書弄過來放到docker的目錄下，

sudo mkdir -p /etc/docker/certs.d/harbortrivy.com，

sudo cp ca.crt /etc/docker/certs.d/harbortrivy.com，

還需要更新系統的ca證書，

sudo cp ca.crt /usr/local/share/ca-certificates/，

sudo update-ca-certificate，

登錄一下，docker login --username=admin harbortrivy.com，

下載cosign程序，

sudo wget https://github.com/sigstore/cosign/releases/download/v1.7.2/cosign-linux-amd64 -O /usr/local/bin/cosign，

sudo chmod +x /usr/local/bin/cosign，

創建簽名的公私鑰，cosign generate-key-pair，

下載log4j的鏡像做實驗，

docker pull ghcr.io/christophetd/log4shell-vulnerable-app，

docker tag 248241e9f7fa harbortrivy.com/library/log4shell-vulnerable-app:latest，

docker push harbortrivy.com/library/log4shell-vulnerable-app:latest，

用cosign對log4j鏡像做簽名，

cosign sign --key cosign.key harbortrivy.com/library/log4shell-vulnerable-app:latest，

用cosign對log4j鏡像的簽名做驗證，

cosign verify --key cosign.pub harbortrivy.com/library/log4shell-vulnerable-app:latest，

同樣支持對未簽名的鏡像限制下載，