Harbor + Docker Private Registry Deployment and SpringBoot Application Guide for Kubernetes
2025.10.10 18:46 · Views: 1
Summary: This article walks through the complete process of setting up Docker and a Harbor private image registry for a Kubernetes cluster, and shows how to deploy a SpringBoot application into that environment. It covers environment preparation, Harbor installation, Docker image pushing, Kubernetes resource definitions, and operations and tuning.
1. Environment Preparation and Architecture Design
1.1 Infrastructure Requirements
The Kubernetes cluster must meet the following requirements:
- Node operating system: CentOS 7/8 or Ubuntu 20.04+
- Container runtime: Docker 20.10+ or containerd 1.6+
- Network plugin: Calico/Flannel for Pod-to-Pod connectivity
- Storage class: a dynamic volume provisioner (e.g. NFS/Ceph)
Typical architecture:
```text
[Dev workstation] → [Harbor registry] → [K8s master]
        ↑                                    ↓
[Docker image]   ←  [Worker node]   ←  [SpringBoot Pod]
```
1.2 Component Version Selection
| Component | Recommended version | Key features |
|---|---|---|
| Kubernetes | 1.24+ | Dockershim removed, CRI standard supported |
| Harbor | 2.6+ | Enhanced OAuth2 integration, image replication support |
| Docker | 20.10.17 | Improved BuildKit performance, better security scanning |
2. Building the Harbor Private Registry
2.1 Pre-installation Configuration
```bash
# Set the hostname (on all nodes)
hostnamectl set-hostname harbor-server
# Configure /etc/hosts
echo "192.168.1.10 harbor-server" >> /etc/hosts
# Install dependencies
yum install -y conntrack ntpdate ipset jq iptables curl sysstat wget socat
```
2.2 Harbor Deployment Procedure
Download the installer:
```bash
wget https://github.com/goharbor/harbor/releases/download/v2.6.2/harbor-online-installer-v2.6.2.tgz
tar xzf harbor-online-installer-v2.6.2.tgz
cd harbor
```
Edit the configuration (harbor.yml):
```yaml
hostname: harbor-server
http:
  port: 80
https:
  certificate: /data/cert/server.crt
  private_key: /data/cert/server.key
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 50
  max_open_conns: 100
```
Run the installation:
```bash
./prepare
./install.sh --with-trivy  # enable vulnerability scanning
```
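harbor.yml above points at /data/cert/server.crt and server.key but the article does not show where they come from, and the troubleshooting section later falls back to `insecure-registries`. The following script is an added example (not code from the article or the Harbor project) that issues a private CA plus a server certificate with a subjectAltName, following the self-signed flow in Harbor's own documentation, and then shows how each cluster node trusts that CA so that Docker and containerd can pull over HTTPS without marking the registry insecure. The CA name, validity period, output directory and environment variable names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): issue the certificate that
# harbor.yml references and make cluster nodes trust it. Docker and containerd
# reject a certificate whose subjectAltName does not match the registry host,
# so the [alt_names] block is the part that matters.
set -eu

HARBOR_HOST=${HARBOR_HOST:-harbor-server}   # assumed hostname from harbor.yml
HARBOR_IP=${HARBOR_IP:-192.168.1.10}        # assumed IP from /etc/hosts above
CERT_DIR=${CERT_DIR:-/data/cert}            # assumed output directory

# Render the x509 v3 extension file used when signing the server certificate.
v3_ext() {
    host=$1; ip=$2
    cat <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names

[alt_names]
DNS.1=$host
IP.1=$ip
EOF
}

# Issue a private CA and a server certificate signed by it into CERT_DIR.
issue_harbor_cert() {
    mkdir -p "$CERT_DIR"
    cd "$CERT_DIR"
    # Private CA; keep ca.key off the Harbor host once signing is done.
    openssl genrsa -out ca.key 4096
    openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/CN=harbor-ca" -key ca.key -out ca.crt
    # Server key and CSR, then sign with the SAN extensions.
    openssl genrsa -out server.key 4096
    openssl req -new -sha512 -subj "/CN=$HARBOR_HOST" -key server.key -out server.csr
    v3_ext "$HARBOR_HOST" "$HARBOR_IP" > v3.ext
    openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key \
        -CAcreateserial -in server.csr -out server.crt
    chmod 600 server.key ca.key
}

# Run on every Kubernetes node: trust the CA so pulls work without
# insecure-registries. Docker reads /etc/docker/certs.d/<host>/ca.crt;
# containerd uses the system trust store (update-ca-trust on CentOS,
# update-ca-certificates on Ubuntu) and must be restarted afterwards.
trust_ca_on_node() {
    ca=$1
    mkdir -p "/etc/docker/certs.d/$HARBOR_HOST"
    cp "$ca" "/etc/docker/certs.d/$HARBOR_HOST/ca.crt"
    if [ -d /etc/pki/ca-trust/source/anchors ]; then
        cp "$ca" /etc/pki/ca-trust/source/anchors/harbor-ca.crt && update-ca-trust
    else
        cp "$ca" /usr/local/share/ca-certificates/harbor-ca.crt && update-ca-certificates
    fi
    systemctl restart containerd 2>/dev/null || systemctl restart docker
}

# Nothing runs unless explicitly requested: ISSUE_CERT=1 ./harbor-cert.sh
if [ "${ISSUE_CERT:-0}" = "1" ]; then
    issue_harbor_cert
fi
```

Copy ca.crt (never ca.key) to each node and run `trust_ca_on_node ca.crt` there; the Harbor host itself only needs server.crt and server.key at the paths in harbor.yml.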
2.3 Advanced Configuration Tips
Image replication: configure multi-region registry synchronization
```yaml
# Add to harbor.yml
replication:
  - name: aliyun-mirror
    disabled: false
    filters:
      - project: "**"
        repository: "**"
        tag: "**"
    destinations:
      - url: https://registry-vpc.cn-hangzhou.aliyuncs.com
        password: "ALIYUN_PASSWORD"
```
Storage optimization: use object storage (e.g. MinIO)
```yaml
# Edit common/config/registry/config.yml
storage:
  cache:
    layerinfo: redis
  s3:
    accesskey: minioadmin
    secretkey: minioadmin
    region: us-east-1
    bucket: harbor-registry
    encrypt: false
```
3. Docker Image Build and Push
3.1 Dockerizing the SpringBoot Application
1. **Multi-stage build example** (Dockerfile):
```dockerfile
# Build stage
FROM maven:3.8.6-jdk11 AS build
WORKDIR /app
COPY pom.xml .
RUN mvn dependency:go-offline
COPY src ./src
RUN mvn package -DskipTests
# Runtime stage
FROM openjdk:11-jre-slim
WORKDIR /app
COPY --from=build /app/target/*.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]
```
2. **Build optimization tips**:
   - Use a `.dockerignore` file to exclude files that do not belong in the build context
   - Enable BuildKit to speed up builds:
```bash
export DOCKER_BUILDKIT=1
docker build --progress=plain -t myapp:1.0 .
```
3.2 Image Push Procedure
Log in to Harbor:
```bash
docker login harbor-server --username=admin --password=Harbor12345
```
Tag and push:
```bash
docker tag myapp:1.0 harbor-server/library/myapp:1.0
docker push harbor-server/library/myapp:1.0
```
Vulnerability scanning:
```bash
# Scan the local image with Trivy
trivy image --severity CRITICAL myapp:1.0
```
Automatic scanning in the Harbor UI: enable the automatic scan policy in the project settings.
4. Kubernetes Deployment
4.1 Resource Definition Examples
1. **Deployment** (myapp-deployment.yaml):
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: harbor-server/library/myapp:1.0
          ports:
            - containerPort: 8080
          resources:
            requests:
              cpu: "500m"
              memory: "512Mi"
            limits:
              cpu: "1000m"
              memory: "1Gi"
          livenessProbe:
            httpGet:
              path: /actuator/health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
```
2. **Service** (myapp-service.yaml):
```yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-service
spec:
  selector:
    app: myapp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  type: ClusterIP
```
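The Deployment above references a private Harbor project but carries no `imagePullSecrets`, so kubelet would pull anonymously and fail on any non-public project. The script below is an added example (not from the article) that builds the `kubernetes.io/dockerconfigjson` Secret kubelet expects and attaches it to the Deployment's pod template with a strategic-merge patch. The robot account variables, secret name and namespace are assumptions; the Secret payload format (`{"auths":{"<registry>":{"username","password","auth"}}}`, with `auth` = base64 of `user:pass`) is the one `docker login` writes.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): give the Deployment
# credentials for the private Harbor registry.
# Assumed (hypothetical): a Harbor robot account in HARBOR_ROBOT_USER /
# HARBOR_ROBOT_PASS, namespace "default", secret name "harbor-cred".
set -eu

REGISTRY=${REGISTRY:-harbor-server}
SECRET_NAME=${SECRET_NAME:-harbor-cred}

# Build the .dockerconfigjson payload a kubernetes.io/dockerconfigjson
# Secret carries. "auth" is base64("user:pass"), as written by `docker login`.
docker_config_json() {
    registry=$1; user=$2; pass=$3
    auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$registry" "$user" "$pass" "$auth"
}

# Render the Secret manifest without calling kubectl, so it can be reviewed
# or piped to `kubectl apply -f -`. Equivalent to:
#   kubectl create secret docker-registry harbor-cred --docker-server=... \
#       --docker-username=... --docker-password=... --dry-run=client -o yaml
pull_secret_manifest() {
    name=$1; registry=$2; user=$3; pass=$4
    cfg=$(docker_config_json "$registry" "$user" "$pass" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# Strategic-merge patch that attaches the secret to the pod template, so every
# replica pulls with it without editing myapp-deployment.yaml by hand.
deployment_pull_secret_patch() {
    printf '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"%s"}]}}}}' "$1"
}

# Touch the live cluster only when explicitly requested, so sourcing this
# file for review changes nothing.
if [ "${APPLY_PULL_SECRET:-0}" = "1" ]; then
    pull_secret_manifest "$SECRET_NAME" "$REGISTRY" "$HARBOR_ROBOT_USER" "$HARBOR_ROBOT_PASS" \
        | kubectl apply -n default -f -
    kubectl patch deployment myapp -n default -p "$(deployment_pull_secret_patch "$SECRET_NAME")"
fi
```

Use a Harbor robot account with pull-only permission on the project rather than the admin account from section 3.2: the Secret is readable by anyone who can read Secrets in the namespace, so the credential it holds should not be able to push or administer.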
4.2 Deployment Best Practices
Image pull policy:
```yaml
spec:
  containers:
    - image: harbor-server/library/myapp:1.0
      imagePullPolicy: IfNotPresent  # Always is recommended in production
```
Configuration management:
```yaml
# Store configuration in a ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  application.properties: |
    spring.datasource.url=jdbc:mysql://mysql-service:3306/db
```
HPA autoscaling:
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: myapp-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: myapp
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```
5. Operations and Optimization
5.1 Building the Monitoring Stack
Prometheus configuration:
```yaml
# Add a ServiceMonitor
# Note: the selector matches labels on the Service (not the Pods), and "web"
# must be the name of a port on that Service; the Service in 4.1 would need
# `name: web` on its port and an `app: myapp` label for this to select it.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: myapp-monitor
spec:
  selector:
    matchLabels:
      app: myapp
  endpoints:
    - port: web
      interval: 30s
      path: /actuator/prometheus
```
Grafana dashboard:
- Import the SpringBoot Actuator template (ID: 3151)
- Key metrics to watch:
  - JVM memory utilization
  - Request throughput (requests/sec)
  - Error rate (share of 5xx responses)
5.2 Continuous Integration Pipeline
- Jenkins pipeline example:
```groovy
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'mvn clean package'
                sh 'docker build -t myapp:${BUILD_NUMBER} .'
            }
        }
        stage('Scan') {
            steps {
                sh 'trivy image --severity CRITICAL myapp:${BUILD_NUMBER}'
            }
        }
        stage('Push') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'harbor-cred',
                        usernameVariable: 'USER', passwordVariable: 'PASS')]) {
                    sh 'docker login harbor-server -u $USER -p $PASS'
                    sh 'docker tag myapp:${BUILD_NUMBER} harbor-server/library/myapp:${BUILD_NUMBER}'
                    sh 'docker push harbor-server/library/myapp:${BUILD_NUMBER}'
                }
            }
        }
        stage('Deploy') {
            steps {
                sh 'kubectl set image deployment/myapp myapp=harbor-server/library/myapp:${BUILD_NUMBER}'
            }
        }
    }
}
```
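The build, scan, tag and push sequence of section 3.2 and the Build/Scan/Push stages of the Jenkins pipeline above, as an added shell example (not code from the article), with two changes a reviewer would ask for. First, the Harbor password is fed to `docker login --password-stdin` instead of being passed as `-p`/`--password` on the command line, where it ends up in shell history, `ps` output and CI console logs. Second, Trivy runs with `--exit-code 1`, so findings actually stop the push; a bare `trivy image` exits 0 no matter what it reports, which means the pipeline's Scan stage above can never fail a build. Assumed (hypothetical): `HARBOR_USER` and `HARBOR_PASS` in the environment (for example exported by `withCredentials`), and `docker` and `trivy` on the agent; the `validate_tag` rule that refuses `latest` is my addition.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): build -> scan gate -> push,
# with the credential kept off the command line.
# Assumed (hypothetical): HARBOR_USER / HARBOR_PASS in the environment.
set -eu

REGISTRY=${REGISTRY:-harbor-server}
PROJECT=${PROJECT:-library}

# Reject tags that make a deployment non-reproducible: empty, "latest", or
# containing characters that are not legal in an OCI tag.
validate_tag() {
    case "$1" in
        ""|latest) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Full registry reference for a local image name and tag.
image_ref() {
    printf '%s/%s/%s:%s' "$REGISTRY" "$PROJECT" "$1" "$2"
}

# Log in without exposing the password as a process argument.
harbor_login() {
    printf '%s' "$HARBOR_PASS" | docker login "$REGISTRY" --username "$HARBOR_USER" --password-stdin
}

# Scan gate: non-zero exit on HIGH/CRITICAL findings, so `set -e` aborts
# the run before anything is pushed.
scan_gate() {
    trivy image --exit-code 1 --severity HIGH,CRITICAL --no-progress "$1"
}

build_scan_push() {
    name=$1; tag=$2
    validate_tag "$tag" || { echo "refusing to push mutable or invalid tag '$tag'" >&2; return 1; }
    ref=$(image_ref "$name" "$tag")
    DOCKER_BUILDKIT=1 docker build -t "$name:$tag" .
    scan_gate "$name:$tag"
    harbor_login
    docker tag "$name:$tag" "$ref"
    docker push "$ref"
    docker logout "$REGISTRY"
    # Print the immutable digest so the deploy step can pin by digest
    # instead of by tag.
    docker image inspect --format '{{index .RepoDigests 0}}' "$ref"
}

# Only run the pipeline when invoked explicitly:
#   RUN_PIPELINE=1 ./build-scan-push.sh myapp 1.0
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
    build_scan_push "$1" "$2"
fi
```

In the Jenkinsfile the same effect is obtained by replacing the Scan and Push `sh` steps with a call to this script inside the `withCredentials` block, exporting `USER`/`PASS` as `HARBOR_USER`/`HARBOR_PASS`.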
5.3 Troubleshooting Guide
Image pull failures:
```bash
# Check the node's Docker logs
journalctl -u docker -n 100 --no-pager
# Verify the insecure-registries setting
cat /etc/docker/daemon.json
```
Pod startup problems:
```bash
# Get detailed events
kubectl describe pod <pod-name>
# View the container's logs (previous instance)
kubectl logs <pod-name> -c myapp --previous
```
Harbor performance tuning:
- Database tuning: edit `/harbor/common/config/database/core.env`:
```text
DB_CONNECTION_POOL_SIZE=100
DB_MAX_IDLE_CONNS=50
```
- Cache configuration: adjust the Redis memory policy
```bash
# Run in redis-cli on the Redis node
config set maxmemory 2gb
config set maxmemory-policy allkeys-lru
```
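`kubectl describe pod` puts the actual pull failure reason inside the Events table, and the reason decides which of the fixes above applies (credentials, CA trust, HTTP vs HTTPS, a missing tag, or plain connectivity). The script below is an added example (not from the article) that reads that output on stdin and classifies each `Failed to pull image` event. The event lines it ships with are constructed samples in the shape kubelet with containerd produces, used only for the built-in self-check.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): classify image-pull failures
# from `kubectl describe pod` output.
# Usage after sourcing:  kubectl describe pod <pod-name> | diagnose_pull_events

# Map one event message to a diagnosis keyword and the matching next step.
classify_pull_event() {
    msg=$1
    case "$msg" in
        *"401"*|*"unauthorized"*|*"Unauthorized"*|*"authentication required"*)
            echo "AUTH: registry rejected the credentials; check imagePullSecrets on the pod and that the account may pull from this Harbor project" ;;
        *"x509"*|*"certificate signed by unknown authority"*)
            echo "TLS: node does not trust the Harbor certificate; install the CA under /etc/docker/certs.d/harbor-server/ (Docker) or the system trust store (containerd)" ;;
        *"server gave HTTP response to HTTPS client"*)
            echo "SCHEME: Harbor is serving plain HTTP; either enable https in harbor.yml or list it under insecure-registries in /etc/docker/daemon.json" ;;
        *"404"*|*"manifest unknown"*|*"not found"*)
            echo "TAG: image or tag does not exist in the registry; compare with the tag that was actually pushed" ;;
        *"no such host"*|*"dial tcp"*|*"i/o timeout"*)
            echo "NETWORK: node cannot reach harbor-server; check DNS or /etc/hosts and firewall rules for ports 80/443" ;;
        *)
            echo "UNKNOWN: $msg" ;;
    esac
}

# Read describe output on stdin and classify every pull-failure event.
# Lines like "Error: ErrImagePull" and "Back-off pulling image" carry no
# reason of their own, so only the detailed "Failed to pull image" lines count.
diagnose_pull_events() {
    grep 'Failed to pull image' |
    while IFS= read -r line; do
        classify_pull_event "$line"
    done
}

# Constructed sample events (not captured from a real cluster) for a self-check.
SAMPLE_EVENTS='Warning  Failed   2m   kubelet  Failed to pull image "harbor-server/library/myapp:1.0": rpc error: code = Unknown desc = failed to pull and unpack image "harbor-server/library/myapp:1.0": failed to resolve reference "harbor-server/library/myapp:1.0": unexpected status from HEAD request to https://harbor-server/v2/library/myapp/manifests/1.0: 401 Unauthorized
Warning  Failed   2m   kubelet  Error: ErrImagePull
Normal   BackOff  1m   kubelet  Back-off pulling image "harbor-server/library/myapp:1.0"
Warning  Failed   30s  kubelet  Failed to pull image "harbor-server/library/myapp:1.0": rpc error: code = Unknown desc = failed to pull and unpack image "harbor-server/library/myapp:1.0": failed to resolve reference "harbor-server/library/myapp:1.0": failed to do request: Head "https://harbor-server/v2/library/myapp/manifests/1.0": x509: certificate signed by unknown authority'

# Demo on the constructed sample; prints one AUTH line and one TLS line.
printf '%s\n' "$SAMPLE_EVENTS" | diagnose_pull_events
```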
6. Security Hardening Recommendations
6.1 Network Policy
```yaml
# Note: a podSelector under `from` only matches pods in the same namespace;
# if ingress-nginx runs in its own namespace, add a namespaceSelector too.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-myapp
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```
6.2 Image Signature Verification
Generate a signing key pair:
```bash
cosign generate-key-pair
```
Sign the image:
```bash
cosign sign --key cosign.key harbor-server/library/myapp:1.0
```
Kubernetes verification configuration:
```yaml
# Add annotations to the Deployment's pod template
annotations:
  seccomp.security.alpha.kubernetes.io/pod: runtime/default
  container.apparmor.security.beta.kubernetes.io/myapp: runtime/default
  cosign.sigstore.dev/signature: "eyJhbGciOiJFUzI1NiIsImtpZCI6..."
```
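An annotation on the pod template is only a label; nothing in Kubernetes reads it to check a cosign signature, so on its own it does not stop an unsigned image from running. Enforcing "only images signed with cosign.key may run" takes a verification step outside the cluster (in CI, before deploy) and an admission controller inside it. The script below is an added example (not from the article or the cosign project) that shows both: `cosign verify` against the cosign.pub produced by `cosign generate-key-pair`, and a rendered Kyverno `ClusterPolicy` using its `verifyImages` rule. Kyverno being installed in the cluster, the policy name and the image pattern are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): verify cosign signatures
# before deploy and enforce them at admission with Kyverno (assumed installed).
set -eu

IMAGE_PATTERN=${IMAGE_PATTERN:-"harbor-server/library/*"}   # assumed scope

# (a) Pre-deploy check in CI: exits non-zero if the image is unsigned or was
# signed with a key other than cosign.pub.
verify_image() {
    cosign verify --key cosign.pub "$1"
}

# (b) Render a Kyverno ClusterPolicy that rejects Pods whose images match
# IMAGE_PATTERN unless they carry a signature by the given public key.
render_verify_policy() {
    pubkey_file=$1
    cat <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-harbor-image-signature
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "$IMAGE_PATTERN"
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
$(sed 's/^/                      /' "$pubkey_file")
EOF
}

# Apply only when explicitly requested:
#   APPLY_VERIFY_POLICY=1 ./verify-policy.sh
if [ "${APPLY_VERIFY_POLICY:-0}" = "1" ]; then
    verify_image "harbor-server/library/myapp:1.0"
    render_verify_policy cosign.pub | kubectl apply -f -
fi
```

With `validationFailureAction: Enforce`, a Pod whose image matches the pattern but has no valid signature is rejected at admission; switching it to `Audit` first lets you see which existing workloads would be blocked before turning enforcement on. Keep cosign.key in the CI credential store only; the cluster needs nothing but cosign.pub.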
Following the full procedure above, developers can build an enterprise-grade Docker image management system in a Kubernetes environment and deploy and operate SpringBoot applications efficiently. Parameters should be adjusted to the specific business scenario during implementation; validate the setup in a test environment before moving it to production.