1-Kubernetes安装极狐GitLab
一、前期准备
-
Kubernetes集群安装
- 1-Kubernetes基于Centos7构建基础环境(一)
- 2-Kubernetes基于Centos7构建基础环境(二)
- 3-Kubernetes基于Centos7构建基础环境(三)
-
Helm安装
- 0-kubernetes-helm安装
-
安装目录
# gitlab yaml执行存放位置
[root@master140 xincan]# pwd
/xincan/gitlab
[root@master140 jihu-15.9.3]# tree -L 1
├── gitlab-runner-values.yaml
└── gitlab-values.yaml
# 证书存放位置
[root@master140 cert]# pwd
/xincan/secrets/cert
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ ├── ca.crt
│ ├── ca.csr
│ ├── ca-csr.json
│ ├── ca-key.pem
│ └── ca.pem
├── client
│ ├── client.crt
│ ├── client.csr
│ ├── client-csr.json
│ ├── client-key.pem
│ └── client.pem
├── peer
│ ├── peer.crt
│ ├── peer.csr
│ ├── peer-csr.json
│ ├── peer-key.pem
│ └── peer.pem
└── server
├── server.crt
├── server.csr
├── server-csr.json
├── server-key.pem
└── server.pem
4 directories, 21 files
[root@master140 cert]#
二、组件安装
- helm添加charts
- 此处采用 gitlab chart 6.9.3 版本(对应应用版本 15.9.3)
- 此处采用 gitlab-runner chart 0.50.1 版本(对应应用版本 15.9.1)
# 添加极狐charts库
[root@master140 gitlab]# helm repo add gitlab https://charts.gitlab.cn
# 更新charts库
[root@master140 ~]# helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "gitlab" chart repository
Update Complete. ⎈Happy Helming!⎈
[root@master140 ~]#
# 查看charts
[root@master140 ~]# helm repo ls
NAME URL
gitlab https://charts.gitlab.cn
[root@master140 ~]#
# 查看极狐版本
[root@master140 ~]# helm search repo gitlab -l
NAME CHART VERSION APP VERSION DESCRIPTION
gitlab/ 6.10.0 15.10.0 The One DevOps Platform
gitlab/gitlab 6.9.3 15.9.3 The One DevOps Platform
gitlab/gitlab 6.9.2 15.9.2 The One DevOps Platform
gitlab/gitlab 6.9.1 15.9.1 The One DevOps Platform
...............................
gitlab/gitlab-runner 0.51.0 15.10.0 GitLab Runner
gitlab/gitlab-runner 0.50.1 15.9.1 GitLab Runner
[root@master140 ~]#
- 证书安装
-
安装cfssl
三、gitlab安装
- 创建命名空间
[root@master140 jihu-15.9.3]# kubectl create ns gitlab
[root@master140 jihu-15.9.3]# kubectl get ns
NAME STATUS AGE
calico-apiserver Active 19d
calico-system Active 19d
default Active 19d
gitlab Active 19d
ingress-nginx Active 16d
kube-node-lease Active 19d
kube-public Active 19d
kube-system Active 19d
tigera-operator Active 19d
[root@master140 jihu-15.9.3]#
- 在 gitlab 命名空间中创建TLS证书Secret(使用前面生成的server证书和私钥)
[root@master140 jihu-15.9.3]# kubectl -n gitlab create secret tls gitlab.xincan.com --cert=/xincan/secrets/cert/server/server.crt --key=/xincan/secrets/cert/server/server-key.pem
secret/gitlab.xincan.com created
NAME TYPE DATA AGE
default-token-zkpdw kubernetes.io/service-account-token 3 19d
gitlab.xincan.com kubernetes.io/tls 2 142m
[root@master140 cert]#
- 编写 gitlab-values.yaml
- 两种配置方式任选其一,各有好处:第一种为原生gitlab安装;第二种屏蔽gitlab自带的部分组件(如certmanager等),只安装其余组件
- 第一种:以下配置,通过gitlab生成 ingress controller、ingressClass、ingress
[root@master140 jihu-15.9.3]# cat gitlab-values.yaml
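# gitlab-values.yaml, option 1: the chart itself creates the Ingress objects.
# TLS is served from the pre-created secret "gitlab.xincan.com"; cert-manager is not used.
global:
  time_zone: "Asia/Shanghai" # GitLab time zone
  storageClass: xincan-nfs-storage # default storage class for all components
  hosts:
    domain: xincan.com # root domain; the chart derives gitlab.xincan.com, kas.xincan.com, registry.xincan.com and minio.xincan.com from it
    externalIP: 10.1.90.140 # externally reachable IP (here the Kubernetes master node); the chart reads "externalIP", so a misspelled key such as "exernalIP" is not picked up
    https: true # serve GitLab over https
  ingress:
    apiVersion: ""
    configureCertmanager: false # changed from true: certificates are not issued by cert-manager
    provider: nginx
    annotations: {}
    enabled: true
    tls:
      enabled: true # terminate TLS at the ingress
      # Name of the TLS secret created earlier with "kubectl create secret tls".
      # NOTE(review): the same secret is used for every generated hostname, so the
      # certificate's SANs should cover all of them - verify against server-csr.json.
      secretName: gitlab.xincan.com
    path: /
    pathType: Prefix
certmanager-issuer: # e-mail address used when requesting certificates
  email: jiangxincan@hatech.com.cn
certmanager:
  installCRDs: false
  nameOverride: certmanager
  install: false # do not install the bundled cert-manager
  rbac:
    create: false # do not create cert-manager RBAC objects
gitlab:
  gitaly:
    persistence:
      enabled: true
      storageClass: xincan-nfs-storage # NFS-backed storage for Git repository data
      size: 20Gi
postgresql:
  persistence:
    enabled: true
    storageClass: xincan-nfs-storage # NFS-backed storage for PostgreSQL (not recommended for production)
    size: 5Gi
redis:
  master:
    persistence:
      enabled: true
      storageClass: xincan-nfs-storage # NFS-backed storage for Redis (not recommended for production)
      size: 2Gi
minio:
  persistence:
    enabled: true
    storageClass: xincan-nfs-storage # NFS-backed storage for MinIO (not recommended for production)
    size: 10Gi
prometheus:
  install: false # do not install Prometheus
gitlab-runner:
  install: false # gitlab-runner is installed separately later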
[root@master140 jihu-15.9.3]#
- 安装gitlab
[root@master140 jihu-15.9.3]# helm install gitlab gitlab/gitlab -n gitlab --version 6.9.3 -f gitlab-values.yaml
## 也可以使用如下命令(helm upgrade --install 在首次安装和后续更新时都适用)
[root@master140 jihu-15.9.3]# helm upgrade --install gitlab gitlab/gitlab -n gitlab --version 6.9.3 -f gitlab-values.yaml
- 第二种:自己集群中有ingress的情况
- 修改配置文件如下
[root@master140 jihu-15.9.3]# cat gitlab-values.yaml
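# gitlab-values.yaml, option 2: the cluster already runs its own ingress controller.
# The chart creates no Ingress objects; the Ingress is written by hand and
# terminates TLS with the pre-created secret "gitlab.xincan.com".
global:
  time_zone: "Asia/Shanghai" # GitLab time zone
  storageClass: xincan-nfs-storage # default storage class for all components
  hosts:
    domain: xincan.com # root domain; the chart derives gitlab.xincan.com, kas.xincan.com, registry.xincan.com and minio.xincan.com from it
    externalIP: 10.1.90.140 # externally reachable IP (here the Kubernetes master node); the chart reads "externalIP", so a misspelled key such as "exernalIP" is not picked up
    https: true # https stays enabled here; the TLS setup itself is done by hand on the separately created Ingress
  ingress:
    apiVersion: ""
    configureCertmanager: false # changed from true: certificates are not issued by cert-manager
    provider: nginx
    annotations: {}
    enabled: false # the chart creates no Ingress; it is created manually afterwards
    tls:
      enabled: false # unused because ingress.enabled is false
      secretName: gitlab.xincan.com # TLS secret created earlier; unused here because ingress.enabled is false
    path: /
    pathType: Prefix
certmanager-issuer: # e-mail address used when requesting certificates
  email: jiangxincan@hatech.com.cn
certmanager:
  installCRDs: false
  nameOverride: certmanager
  install: false # do not install the bundled cert-manager
  rbac:
    create: false # do not create cert-manager RBAC objects
gitlab:
  gitaly:
    persistence:
      enabled: true
      storageClass: xincan-nfs-storage # NFS-backed storage for Git repository data
      size: 20Gi
postgresql:
  persistence:
    enabled: true
    storageClass: xincan-nfs-storage # NFS-backed storage for PostgreSQL (not recommended for production)
    size: 5Gi
redis:
  master:
    persistence:
      enabled: true
      storageClass: xincan-nfs-storage # NFS-backed storage for Redis (not recommended for production)
      size: 2Gi
minio:
  persistence:
    enabled: true
    storageClass: xincan-nfs-storage # NFS-backed storage for MinIO (not recommended for production)
    size: 10Gi
prometheus:
  install: false # do not install Prometheus
gitlab-runner:
  install: false # gitlab-runner is installed separately later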
[root@master140 jihu-15.9.3]#
- 查询已有的ingress信息
[root@master140 jihu-15.9.3]# kubectl -n ingress-nginx get pod,svc,ingressclass
NAME READY STATUS RESTARTS AGE
pod/ingress-nginx-admission-create-m27d5 0/1 Completed 0 17d
pod/ingress-nginx-admission-patch-sk2ng 0/1 Completed 1 17d
pod/ingress-nginx-controller-sfp9l 1/1 Running 0 17d
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/ingress-nginx-controller NodePort 10.96.1.156 <none> 80:30231/TCP,443:32246/TCP 17d
service/ingress-nginx-controller-admission ClusterIP 10.96.3.251 <none> 443/TCP 17d
NAME CONTROLLER PARAMETERS AGE
ingressclass.networking.k8s.io/nginx k8s.io/ingress-nginx <none> 17d
[root@master140 jihu-15.9.3]#
- 编排ingress,暴露gitlab,域名访问
[root@master140 jihu-15.9.3]#
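# Hand-written Ingress that exposes the GitLab webservice under gitlab.xincan.com
# through the ingress controller that already runs in the cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitlab-webservice-default
  namespace: gitlab
  labels:
    app: webservice
    chart: webservice-6.9.3
    release: gitlab
    heritage: Helm
    gitlab.com/webservice-name: default
  annotations:
    kubernetes.io/ingress.provider: "nginx"
    nginx.ingress.kubernetes.io/service-upstream: "true"
spec:
  # Must name an IngressClass that exists in the cluster. The
  # "kubectl -n ingress-nginx get ... ingressclass" output lists only "nginx",
  # and the resulting Ingress is shown with CLASS "nginx"; with a class that no
  # controller serves, the rule would not be picked up.
  ingressClassName: "nginx"
  rules:
    - host: gitlab.xincan.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gitlab-webservice-default
                port:
                  number: 8181 # the 8181/TCP port of service/gitlab-webservice-default
  tls:
    # TLS is terminated here with the secret created earlier in the gitlab namespace.
    - hosts:
        - gitlab.xincan.com
      secretName: gitlab.xincan.com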
[root@master140 jihu-15.9.3]#
- 安装gitlab
[root@master140 jihu-15.9.3]# helm install gitlab gitlab/gitlab -n gitlab --version 6.9.3 -f gitlab-values.yaml
## 也可以使用如下命令(helm upgrade --install 在首次安装和后续更新时都适用)
[root@master140 jihu-15.9.3]# helm upgrade --install gitlab gitlab/gitlab -n gitlab --version 6.9.3 -f gitlab-values.yaml
- 安装结果如下(主要部分):
[root@master140 jihu-15.9.3]# kubectl -n gitlab get secrets,pod,svc,ing,pvc,pv
NAME TYPE DATA AGE
secret/default-token-zkpdw kubernetes.io/service-account-token 3 20d
secret/gitlab-gitaly-secret Opaque 1 150m
secret/gitlab-gitlab-initial-root-password Opaque 1 150m
secret/gitlab-gitlab-kas-secret Opaque 1 150m
secret/gitlab-gitlab-runner-secret Opaque 2 150m
secret/gitlab-gitlab-shell-host-keys Opaque 8 150m
secret/gitlab-gitlab-shell-secret Opaque 1 150m
secret/gitlab-gitlab-suggested-reviewers Opaque 1 150m
secret/gitlab-gitlab-workhorse-secret Opaque 1 150m
secret/gitlab-kas-private-api Opaque 1 150m
secret/gitlab-minio-secret Opaque 2 150m
secret/gitlab-postgresql-password Opaque 2 150m
secret/gitlab-rails-secret Opaque 1 150m
secret/gitlab-redis-secret Opaque 1 150m
secret/gitlab-registry-httpsecret Opaque 1 150m
secret/gitlab-registry-notification Opaque 1 150m
secret/gitlab-registry-secret Opaque 2 150m
secret/gitlab.xincan.com kubernetes.io/tls 2 147m
secret/sh.helm.release.v1.gitlab.v1 helm.sh/release.v1 1 150m
NAME READY STATUS RESTARTS AGE
pod/gitlab-gitaly-0 1/1 Running 0 149m
pod/gitlab-gitlab-exporter-84dc494465-pnkpg 1/1 Running 0 149m
pod/gitlab-gitlab-shell-68df76c86c-bbf2p 1/1 Running 0 149m
pod/gitlab-gitlab-shell-68df76c86c-z44w4 1/1 Running 0 149m
pod/gitlab-kas-796dcfddf6-9dxlz 1/1 Running 0 149m
pod/gitlab-kas-796dcfddf6-dk7ms 1/1 Running 0 149m
pod/gitlab-migrations-1-v9zgh 0/1 Completed 0 149m
pod/gitlab-minio-67ccd59c56-nzhtq 1/1 Running 0 149m
pod/gitlab-minio-create-buckets-1-2h4jj 0/1 Completed 0 149m
pod/gitlab-postgresql-0 2/2 Running 0 149m
pod/gitlab-redis-master-0 2/2 Running 0 149m
pod/gitlab-registry-6c69c7b68f-rwnnx 1/1 Running 0 149m
pod/gitlab-registry-6c69c7b68f-rzhjg 1/1 Running 0 149m
pod/gitlab-runner-6794799cb7-vrtwt 1/1 Running 0 34m
pod/gitlab-sidekiq-all-in-1-v2-769f56758-b8rwn 1/1 Running 0 149m
pod/gitlab-toolbox-5fd59d8bf9-zf7wx 1/1 Running 0 149m
pod/gitlab-webservice-default-5fcc77db88-rbzxf 2/2 Running 0 149m
pod/gitlab-webservice-default-5fcc77db88-vrsgl 2/2 Running 0 149m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/gitlab-gitaly ClusterIP None <none> 8075/TCP,9236/TCP 149m
service/gitlab-gitlab-exporter ClusterIP 10.96.1.193 <none> 9168/TCP 149m
service/gitlab-gitlab-shell ClusterIP 10.96.2.115 <none> 22/TCP 149m
service/gitlab-kas ClusterIP 10.96.0.12 <none> 8150/TCP,8153/TCP,8154/TCP,8151/TCP 149m
service/gitlab-minio-svc ClusterIP 10.96.3.247 <none> 9000/TCP 149m
service/gitlab-postgresql ClusterIP 10.96.0.47 <none> 5432/TCP 149m
service/gitlab-postgresql-headless ClusterIP None <none> 5432/TCP 149m
service/gitlab-postgresql-metrics ClusterIP 10.96.2.237 <none> 9187/TCP 149m
service/gitlab-redis-headless ClusterIP None <none> 6379/TCP 149m
service/gitlab-redis-master ClusterIP 10.96.0.23 <none> 6379/TCP 149m
service/gitlab-redis-metrics ClusterIP 10.96.0.140 <none> 9121/TCP 149m
service/gitlab-registry ClusterIP 10.96.0.183 <none> 5000/TCP 149m
service/gitlab-webservice-default ClusterIP 10.96.1.222 <none> 8080:32491/TCP,8181/TCP,8083:32483/TCP 149m
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/gitlab-webservice-default nginx gitlab.xincan.com 10.1.90.140 80, 443 19h
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
persistentvolumeclaim/data-gitlab-postgresql-0 Bound pvc-b752b8d9-bef6-45cb-8a77-24e6698c9bb1 5Gi RWO xincan-nfs-storage 149m
persistentvolumeclaim/gitlab-minio Bound pvc-e473c473-0a78-44f1-b7ff-b918ff3c6a97 10Gi RWO xincan-nfs-storage 149m
persistentvolumeclaim/redis-data-gitlab-redis-master-0 Bound pvc-436395b1-c5b3-4bf2-922f-cc8e268c019b 2Gi RWO xincan-nfs-storage 149m
persistentvolumeclaim/repo-data-gitlab-gitaly-0 Bound pvc-6deed5dc-1a37-4e91-9026-95439fd0b56a 20Gi RWO xincan-nfs-storage 149m
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
persistentvolume/pvc-436395b1-c5b3-4bf2-922f-cc8e268c019b 2Gi RWO Delete Bound gitlab/redis-data-gitlab-redis-master-0 xincan-nfs-storage 149m
persistentvolume/pvc-6deed5dc-1a37-4e91-9026-95439fd0b56a 20Gi RWO Delete Bound gitlab/repo-data-gitlab-gitaly-0 xincan-nfs-storage 149m
persistentvolume/pvc-b752b8d9-bef6-45cb-8a77-24e6698c9bb1 5Gi RWO Delete Bound gitlab/data-gitlab-postgresql-0 xincan-nfs-storage 149m
persistentvolume/pvc-e473c473-0a78-44f1-b7ff-b918ff3c6a97 10Gi RWO Delete Bound gitlab/gitlab-minio xincan-nfs-storage 149m
[root@master140 jihu-15.9.3]#
-
证书处理
- 将证书复制到有浏览器的电脑上
- 以下是将centos证书复制到win10的D盘(浏览器只需要导入CA证书 ca/ca.crt;示例复制了整个cert目录,其中包含 ca-key.pem、server-key.pem 等私钥,实际操作时建议只复制 ca.crt)
xincan@LAPTOP-0IL6VNO0 D: [14:33] ❯ dir
Directory: D:\
❯ scp -r root@10.1.90.140:/xincan/secrets/cert .
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 2023/4/3 19:04 cert
d---- 2023/3/17 9:26 Program Files
d---- 2022/10/19 15:09 Program Files (x86)
xincan@LAPTOP-0IL6VNO0 D: [14:33]
- 浏览器导入ca证书
-
域名访问
-
配置本地hosts,将域名 gitlab.xincan.com 指向服务器ip地址
-
初始用户为 root
-
密码查询如下
-
[root@master140 jihu-15.9.3]# kubectl -n gitlab get secret gitlab-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo
xbAxGSSpXv5yCcgWcyfw2JKHf0qLDeDHDdb6lbI3Crn59hX8szi1SZ09K3i3Lde6
[root@master140 jihu-15.9.3]#
- 登录进去后请立即更改root密码(上面打印出的初始密码是明文,修改后即失效)
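四、卸载
- 清除secrets,pv,pvc
- 卸载时使用(注意:上文PV的回收策略为Delete,删除PVC后对应PV及其中的仓库、数据库等数据会被一并回收,执行前请确认已备份;第一条命令会删除名称中含gitlab的全部secret,包括TLS证书 gitlab.xincan.com)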
[root@master140 gitlab]# kubectl -n gitlab delete secrets `kubectl -n gitlab get secrets | grep gitlab | awk '{print $1}'`
[root@master140 gitlab]# kubectl -n gitlab delete pvc --all
[root@master140 gitlab]# kubectl -n gitlab delete ing --all