Deploying GitLab, GitLab Runner and Harbor with Helm
Reference documentation
- Runner: https://docs.gitlab.cn/runner/install/kubernetes.html
- GitLab: https://docs.gitlab.cn/charts/installation/
- Harbor: https://artifacthub.io/packages/helm/harbor/harbor
Installing GitLab
This walkthrough uses JiHu GitLab (极狐, the Chinese distribution); the official GitLab Helm chart works the same way:
https://charts.gitlab.io/
- Add the GitLab Helm repository
helm repo add gitlab-jh https://charts.gitlab.cn
- Update the repo
helm repo update gitlab-jh
- Pull the chart archive locally
helm pull gitlab-jh/gitlab
- Install. The commands below:
- set the PVC size of each component; adjust to your environment
- set the hostname of each component; adjust to your environment
- turn off the chart's cert-manager integration; the HTTPS variant supplies its own certificate Secret, and an HTTP variant is given first for reference
- use the cluster's existing default IngressClass (nginx-ingress.enabled=false, global.ingress.class=nginx) instead of creating a new one
- HTTP deployment (plain HTTP carries the root password, session cookies and runner tokens in cleartext; use it only on a trusted network or for testing):
helm upgrade --install gitlab gitlab-6.11.13.tgz --namespace gitlab-jh --create-namespace \
  --set global.hosts.domain=example.com \
  --set minio.persistence.size=100Gi \
  --set gitlab.gitaly.persistence.size=500Gi \
  --set prometheus.install=false \
  --set gitlab-runner.install=false \
  --set nginx-ingress.enabled=false \
  --set global.ingress.class=nginx \
  --set global.hosts.https=false \
  --set global.ingress.tls.enabled=false \
  --set global.ingress.configureCertmanager=false \
  --set global.hosts.gitlab.name=gitlab.example.com \
  --set global.hosts.kas.name=gitlab-kas.example.com \
  --set global.hosts.minio.name=gitlab-minio.example.com \
  --set global.hosts.registry.name=gitlab-registry.example.com \
  --set global.hosts.gitlab.https=false \
  --set global.hosts.registry.https=false \
  --set global.hosts.kas.https=false \
  --set global.hosts.minio.https=false
- HTTPS deployment (a single Secret is used for the gitlab, gitlab-kas, gitlab-minio and gitlab-registry ingresses, so the certificate must cover all four names, typically a *.example.com wildcard; the namespace must exist before the Secret is created):
kubectl create namespace gitlab-jh
kubectl -n gitlab-jh create secret tls gitlab-https --cert=/opt/ssl/example.com.pem --key=/opt/ssl/example.com.key
helm upgrade --install gitlab gitlab-6.11.13.tgz --namespace gitlab-jh \
  --set global.hosts.domain=example.com \
  --set minio.persistence.size=100Gi \
  --set gitlab.gitaly.persistence.size=500Gi \
  --set prometheus.install=false \
  --set gitlab-runner.install=false \
  --set nginx-ingress.enabled=false \
  --set global.ingress.class=nginx \
  --set global.hosts.https=true \
  --set global.ingress.tls.enabled=true \
  --set global.ingress.tls.secretName=gitlab-https \
  --set global.ingress.configureCertmanager=false \
  --set global.hosts.gitlab.name=gitlab.example.com \
  --set global.hosts.kas.name=gitlab-kas.example.com \
  --set global.hosts.minio.name=gitlab-minio.example.com \
  --set global.hosts.registry.name=gitlab-registry.example.com \
  --set global.hosts.gitlab.https=true \
  --set global.hosts.registry.https=true \
  --set global.hosts.kas.https=true \
  --set global.hosts.minio.https=true \
  --set certmanager.installCRDs=false \
  --set certmanager.install=false
- Wait for the pods to come up, then read the initial password. The default super-administrator user is root; change this password after first login, since anyone with read access to Secrets in the namespace can recover it the same way.
kubectl get secret -n gitlab-jh gitlab-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 -d; echo
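Before running the `kubectl create secret tls` commands above, it is worth checking that the certificate and key actually belong together and that the certificate covers every hostname the ingresses will serve: one Secret is shared by gitlab, gitlab-kas, gitlab-minio and gitlab-registry (and harbor below uses the same files), so in practice it has to be a *.example.com wildcard. The POSIX shell script below is an added example, not code from the original post or from the GitLab chart. It needs openssl 1.1.1 or later; the self-signed wildcard certificate it generates for example.com is constructed sample input standing in for /opt/ssl/example.com.pem and .key, and the function names are my own.

```sh
#!/bin/sh
# Added example (not part of the original post): sanity-check a TLS cert/key pair
# before `kubectl create secret tls`. Requires openssl >= 1.1.1 (-ext/-addext).

# Constructed sample input: a throwaway self-signed wildcard certificate for DOMAIN,
# standing in for /opt/ssl/example.com.pem and /opt/ssl/example.com.key.
gen_wildcard_cert() {  # crt-out key-out domain
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$3" \
    -addext "subjectAltName=DNS:*.$3,DNS:$3" \
    -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_dns_sans() {  # crt
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# 0 if the private key belongs to the certificate (same SubjectPublicKeyInfo).
tls_pair_matches() {  # crt key
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then return 0; fi
  return 1
}

# 0 if NAME is covered by the SAN entry PAT: exact match, or a wildcard that
# replaces exactly one leftmost label (*.example.com covers gitlab.example.com,
# but neither example.com nor a.b.example.com).
san_matches() {  # name pat
  case "$2" in
    \*.*)
      suffix=${2#\*}          # "*.example.com" -> ".example.com"
      label=${1%"$suffix"}    # "gitlab.example.com" -> "gitlab"
      if [ "$label" != "$1" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
        return 0
      fi
      return 1 ;;
    *)
      if [ "$1" = "$2" ]; then return 0; fi
      return 1 ;;
  esac
}

# 0 only if every hostname argument is covered by some SAN of the certificate.
cert_covers() {  # crt host...
  crt=$1; shift
  sans=$(cert_dns_sans "$crt")
  for host in "$@"; do
    found=1
    while IFS= read -r san; do
      if san_matches "$host" "$san"; then found=0; break; fi
    done <<EOF
$sans
EOF
    if [ "$found" -ne 0 ]; then echo "not covered by certificate: $host" >&2; return 1; fi
  done
  return 0
}

# 0 if the certificate is still valid DAYS from now (catches an expiring wildcard early).
cert_valid_for_days() {  # crt days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Everything the ingress Secret needs: matching key, not about to expire, covers all hosts.
check_tls_for_install() {  # crt key host...
  crt=$1; key=$2; shift 2
  if ! tls_pair_matches "$crt" "$key"; then echo "private key does not match certificate" >&2; return 1; fi
  if ! cert_valid_for_days "$crt" 30; then echo "certificate expires within 30 days" >&2; return 1; fi
  cert_covers "$crt" "$@"
}

# Demo on the constructed certificate, for the hostnames used in the installs above.
demo_dir=$(mktemp -d)
gen_wildcard_cert "$demo_dir/tls.crt" "$demo_dir/tls.key" example.com
if check_tls_for_install "$demo_dir/tls.crt" "$demo_dir/tls.key" \
     gitlab.example.com gitlab-kas.example.com gitlab-minio.example.com \
     gitlab-registry.example.com harbor.example.com; then
  echo "certificate covers all hosts; safe to create the tls Secret"
fi
```

Run `check_tls_for_install /opt/ssl/example.com.pem /opt/ssl/example.com.key gitlab.example.com gitlab-kas.example.com gitlab-minio.example.com gitlab-registry.example.com harbor.example.com` against the real files; a non-zero exit names the first problem on stderr. The wildcard rule deliberately follows RFC 6125 (one label only), which is also what browsers and Docker clients enforce.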
Installing the Harbor private image registry
- Add the Harbor Helm repository
helm repo add harbor https://helm.goharbor.io
- Update the repo
helm repo update harbor
- Pull the chart archive locally
helm pull harbor/harbor
- Install. The commands below:
- set the PVC size of each component
- set the hostname
- disable TLS and drop the ssl-redirect annotations the chart adds to the Ingress by default
- HTTP deployment (with an HTTP registry the Harbor credentials and image layers travel in cleartext, and every Docker/containerd client and kaniko must be configured to accept an insecure registry; use it only for testing):
helm upgrade --install harbor harbor-1.13.0.tgz --namespace harbor --create-namespace \
  --set expose.ingress.hosts.core=harbor.example.com \
  --set externalURL=http://harbor.example.com \
  --set persistence.persistentVolumeClaim.registry.size=200Gi \
  --set persistence.persistentVolumeClaim.jobservice.jobLog.size=10Gi \
  --set persistence.persistentVolumeClaim.database.size=10Gi \
  --set persistence.persistentVolumeClaim.redis.size=10Gi \
  --set persistence.persistentVolumeClaim.trivy.size=10Gi \
  --set expose.tls.enabled=false \
  --set expose.ingress.annotations."ingress\.kubernetes\.io\/ssl-redirect"=null \
  --set expose.ingress.annotations."nginx\.ingress\.kubernetes\.io\/ssl-redirect"=null
- HTTPS deployment (TLS is terminated at the Ingress; the certificate must cover harbor.example.com and be issued by a CA that your Docker hosts and kaniko trust, otherwise pushes fail with the certificate error covered in the FAQ):
kubectl create namespace harbor
kubectl -n harbor create secret tls harbor-https --cert=/opt/ssl/example.com.pem --key=/opt/ssl/example.com.key
helm upgrade --install harbor harbor-1.13.0.tgz --namespace harbor \
  --set expose.ingress.hosts.core=harbor.example.com \
  --set externalURL=https://harbor.example.com \
  --set persistence.persistentVolumeClaim.registry.size=500Gi \
  --set persistence.persistentVolumeClaim.jobservice.jobLog.size=10Gi \
  --set persistence.persistentVolumeClaim.database.size=10Gi \
  --set persistence.persistentVolumeClaim.redis.size=10Gi \
  --set persistence.persistentVolumeClaim.trivy.size=10Gi \
  --set expose.tls.enabled=true \
  --set expose.tls.certSource=secret \
  --set expose.tls.secret.secretName=harbor-https
Deploying GitLab Runner
This walkthrough registers a shared runner; for your own deployment you may prefer a project runner, which limits the runner (and the host-path volumes it mounts) to a single project.
- Log in to GitLab and open the Admin Area to read the shared runner registration token. Treat it as a secret: anyone holding it can register a runner that receives your jobs and their CI/CD variables.
- Add the Helm repo
helm repo add gitlab https://charts.gitlab.io
- Update the repo
helm repo update gitlab
- Pull the chart archive
helm pull gitlab/gitlab-runner
- Read the MinIO access key and secret key. They are only needed for the CI cache; if you pass files between jobs with artifacts instead, skip this step
kubectl -n gitlab-jh get secrets gitlab-minio-secret -ojsonpath='{.data.accesskey}' | base64 -d; echo
kubectl -n gitlab-jh get secrets gitlab-minio-secret -ojsonpath='{.data.secretkey}' | base64 -d; echo
- Configuration file runner-config.toml
[[runners]]
  [runners.kubernetes]
    namespace = "{{.Release.Namespace}}"
    image = "ubuntu:20.04"
  [[runners.kubernetes.host_aliases]]
    # All hostnames are private, so map them to the ingress controller's address inside job pods
    ip = "10.1.16.149"
    hostnames = ["gitlab.example.com", "harbor.example.com"]
  # Host-path Maven cache shared by every job pod scheduled on the node. Any project
  # that runs on this runner can read and write it, so one project can plant a
  # poisoned dependency for another; restrict the runner to trusted projects or use
  # the S3 cache below instead.
  [[runners.kubernetes.volumes.host_path]]
    name = "mvn-repo"
    mount_path = "/.m2"
    host_path = "/.m2"
  # Images are built with kaniko, so the container runtime socket is not needed
  # [[runners.kubernetes.volumes.host_path]]
  #   name = "containerd"
  #   mount_path = "/run/containerd/containerd.sock"
  #   read_only = false
  #   host_path = "/run/containerd/containerd.sock"
  # If you use artifacts instead of a cache, the section below is not needed
  [runners.cache]
    Type = "s3"
    Path = "gitlab_runner"
    Shared = true
    [runners.cache.s3]
      # In-cluster MinIO service, reached over plain HTTP inside the cluster (hence Insecure = true)
      ServerAddress = "gitlab-minio-svc:9000"
      # This bucket must be created manually, or point at an existing bucket
      BucketName = "runner-cache"
      Insecure = true
      AccessKey = "<access key printed in the previous step>"
      SecretKey = "<secret key printed in the previous step>"
- Install
helm install gitlab-runner gitlab-runner-0.52.0.tgz --namespace gitlab-jh \
  --set gitlabUrl=https://gitlab.example.com \
  --set runnerRegistrationToken=<registration token read from the GitLab Admin Area> \
  --set rbac.create=true \
  --set runners.url=https://gitlab.example.com \
  --set runners.executor=kubernetes \
  --set-file runners.config=runner-config.toml \
  --set runners.tags="k8s-runner" \
  --set-json hostAliases='[{"ip":"10.1.16.149","hostnames":["gitlab.example.com","harbor.example.com"]}]'
- A token passed with --set ends up in your shell history and in the Helm release Secret. The chart can instead read it from a Secret you create beforehand with the keys runner-registration-token and runner-token (--set runners.secret=<secret name> in place of runnerRegistrationToken).
- Installation note: if rbac.create is left unset, the install still succeeds but jobs fail, because the runner manager then runs as the namespace's default service account, which is not allowed to create the per-job pods and secrets. The job log shows:
ERROR: Job failed (system failure): prepare environment: setting up credential: secrets is forbidden: User "system:serviceaccount:gitlab-jh:default" cannot create resource "secrets" in API group "" in the namespace "gitlab-jh"
- Open the Admin Area in GitLab and check that the shared runner has registered.
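The "secrets is forbidden" failure above only shows up once a job runs. The script below, an added example that is not part of the original post or of the runner chart, asks the API server up front whether the runner's service account may perform each action a Kubernetes-executor job needs, using `kubectl auth can-i --as=system:serviceaccount:<ns>:<sa>`. The list of verb/resource pairs is my assumption, derived from the error message and from the rules granted in the FAQ below; the service account name gitlab-runner assumes the chart named it after the release (confirm with `kubectl get sa -n gitlab-jh`). KUBECTL can be pointed at another command so the logic can be exercised without a cluster.

```sh
#!/bin/sh
# Added example (not part of the original post): confirm that the runner's service
# account holds the permissions a Kubernetes-executor job needs, using
# `kubectl auth can-i --as=system:serviceaccount:<ns>:<sa>`. KUBECTL can be pointed
# at another command (the offline test uses a stub) so the logic runs without a cluster.
KUBECTL=${KUBECTL:-kubectl}

# "verb resource" pairs a job visibly exercises (assumed minimum, derived from the
# error message above and the rules in the FAQ below): per-job pod and credential
# Secret creation, exec/attach into the build container, log reads, configmaps.
RUNNER_RBAC_NEEDS='
create pods
get pods
list pods
watch pods
delete pods
create pods/exec
create pods/attach
get pods/log
create secrets
get secrets
delete secrets
create configmaps
get configmaps
delete configmaps
'

# 0 if service account SA in namespace NS is allowed to VERB RESOURCE in NS.
sa_can() {  # ns sa verb resource
  "$KUBECTL" auth can-i "$3" "$4" -n "$1" --as="system:serviceaccount:$1:$2" >/dev/null 2>&1
}

# Report every missing permission on stderr; 0 only if none is missing.
check_runner_rbac() {  # ns sa
  missing=0
  while read -r verb res; do
    [ -n "$verb" ] || continue
    if ! sa_can "$1" "$2" "$verb" "$res"; then
      echo "missing: $verb $res for system:serviceaccount:$1:$2" >&2
      missing=$((missing + 1))
    fi
  done <<EOF
$RUNNER_RBAC_NEEDS
EOF
  if [ "$missing" -eq 0 ]; then return 0; fi
  echo "$missing permission(s) missing; install with rbac.create=true (and rbac.rules if needed)" >&2
  return 1
}

# Usage: sh check-runner-rbac.sh gitlab-jh gitlab-runner
# (the chart names the service account after the release; confirm with `kubectl get sa -n gitlab-jh`)
if [ $# -eq 2 ]; then
  check_runner_rbac "$1" "$2" && echo "runner RBAC OK for $1/$2"
fi
```

Running it against the namespace's default service account reproduces the failure from the error message (`missing: create secrets ...`) without having to launch a job; running it against the chart's service account after an install with rbac.create=true should report nothing missing.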
FAQ
- Q: During a job the runner reports that it has no permission to fetch the code. What should I do?
- A: Set explicit RBAC rules at install time (each rule needs an apiGroups entry):
--set rbac.create=true \
--set-json rbac.rules='[{"apiGroups":[""],"resources":["configmaps","events","pods","pods/attach","pods/exec","secrets","services"],"verbs":["get","list","watch","create","patch","update","delete"]},{"apiGroups":[""],"resources":["pods/exec"],"verbs":["create","patch","delete"]},{"apiGroups":[""],"resources":["pods/log"],"verbs":["get"]}]'
- Q: The runner must push the built image to the private Harbor registry, but the push fails with an HTTPS certificate error. How do I fix it?
- A: kaniko verifies the registry certificate by default. The quick workaround is to add the following flags to the kaniko command in the CI file:
--insecure --skip-tls-verify
Both flags switch off transport security for the push (plain HTTP is allowed and the certificate is not checked), so anyone on the network path can read the Harbor credentials or substitute the image. The better fix is to make kaniko trust your CA: append the CA certificate to /kaniko/ssl/certs/additional-ca-cert-bundle.crt at the start of the job, or pass --registry-certificate harbor.example.com=/path/to/ca.crt to the executor.
- Q: Can you give a CI demo?
- A: This setup uses GitLab CI, so the demo is a .gitlab-ci.yml; see the official GitLab documentation for the details of each keyword. REGISTRY_HOST, REGISTRY_USER and REGISTRY_PASSWORD are not defined in the file; they are expected to be masked (and preferably protected) CI/CD variables set in the project or group settings.
variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=/.m2/repository -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
before_script:
  - export DEV_TEST_TAG="$CI_COMMIT_BRANCH-$(date +%m%d)-$CI_COMMIT_SHORT_SHA"
  # CI_COMMIT_TAG is only set in tag pipelines; fall back to the ref name so release-* branches still get a non-empty tag
  - export RELEASE_TAG="${CI_COMMIT_TAG:-$CI_COMMIT_REF_NAME}"
stages:
  - mvn-build
  - build-image
  - deploy-service
mvn_build:
  tags:
    - k8s-runner
  only:
    refs:
      - develop
      - test
      - /^release-.*$/
  image: maven:3.6.3-jdk-11
  stage: mvn-build
  script:
    - mvn $MAVEN_CLI_OPTS clean package -Dmaven.test.skip=true
    - cd target && ls -l
  artifacts:
    paths:
      - target/*.jar
    expire_in: 2 hours
build_image:
  image:
    # third-party mirror of gcr.io/kaniko-project/executor:debug; pin the image by digest for production use
    name: gcr.dockerproxy.com/kaniko-project/executor:debug
    entrypoint: [""]
  tags:
    - k8s-runner
  only:
    refs:
      - develop
      - test
      - /^release-.*$/
  stage: build-image
  script:
    - ls -la target
    # first jar in target/ from the mvn_build artifacts, without the .jar suffix
    - export JARNAME=$(basename "$(ls target/*.jar | head -n 1)" .jar)
    - |
      case "$CI_COMMIT_REF_NAME" in
      release-*)
        echo "Build image from release ref"
        export IMAGETAG=$RELEASE_TAG
        ;;
      test | develop)
        echo "Build image from test or develop branch"
        export IMAGETAG=$DEV_TEST_TAG
        ;;
      esac
      test -n "$IMAGETAG" || { echo "empty image tag for $CI_COMMIT_REF_NAME"; exit 1; }
      echo "$IMAGETAG $JARNAME"
    # registry credentials for kaniko; the base64 value contains no JSON-special characters
    - echo "{\"auths\":{\"${REGISTRY_HOST}\":{\"auth\":\"$(printf "%s:%s" "${REGISTRY_USER}" "${REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context "${CI_PROJECT_DIR}" --dockerfile "${CI_PROJECT_DIR}/docker/Dockerfile" --destination "$REGISTRY_HOST/library/java-demo:$IMAGETAG" --build-arg APP_NAME="${JARNAME}"
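The weak point of the build_image job is the image tag: the case statement silently leaves IMAGETAG empty for any ref it does not list, and a branch name such as release-1.0/hotfix matches /^release-.*$/ but is not a legal registry tag, so kaniko fails only at push time. The POSIX shell below is an added example, not part of the original pipeline; it reimplements the job's tag rules as functions that refuse empty or invalid tags (registry tags are 1 to 128 characters of [A-Za-z0-9_.-] and may not start with "." or "-") and shows how to make a ref name tag-safe. The function names are mine, and the arguments stand in for CI_COMMIT_REF_NAME, CI_COMMIT_TAG, CI_COMMIT_SHORT_SHA and the MMDD date stamp.

```sh
#!/bin/sh
# Added example (not from the original pipeline): derive the image tag the way the
# build_image job does, but refuse tags that are empty or invalid for a registry.
# Arguments mirror CI_COMMIT_REF_NAME, CI_COMMIT_TAG, CI_COMMIT_SHORT_SHA and the
# MMDD date stamp the pipeline puts in DEV_TEST_TAG.

# 0 if TAG is a valid OCI/Docker tag: 1-128 chars of [A-Za-z0-9_.-], not starting
# with '.' or '-'.
valid_image_tag() {  # tag
  case "$1" in
    '' | .* | -*) return 1 ;;
  esac
  [ ${#1} -le 128 ] || return 1
  case "$1" in
    *[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# Make an arbitrary git ref tag-safe: every character outside the allowed set
# becomes '-', and leading '.'/'-' are stripped ("release-1.0/hotfix" -> "release-1.0-hotfix").
sanitize_ref() {  # ref
  printf '%s' "$1" | tr -c 'A-Za-z0-9_.-' '-' | sed 's/^[.-]*//'
}

# Print the tag for a ref, following the pipeline's rules:
#   release-* refs  -> the git tag in a tag pipeline, otherwise the ref name
#   test / develop  -> <branch>-<MMDD>-<short sha>
# Any other ref is rejected, as is a tag the registry would not accept.
image_tag_for_ref() {  # ref commit_tag short_sha mmdd
  case "$1" in
    release-*) tag=${2:-$1} ;;
    test | develop)
      if [ -z "$3" ] || [ -z "$4" ]; then
        echo "short sha and date stamp are required for $1" >&2; return 1
      fi
      tag="$1-$4-$3" ;;
    *) echo "no image is built for ref '$1'" >&2; return 1 ;;
  esac
  if valid_image_tag "$tag"; then printf '%s\n' "$tag"; return 0; fi
  echo "invalid image tag '$tag' for ref '$1' (run the ref through sanitize_ref)" >&2
  return 1
}

# In the job (kaniko's busybox sh can source this file), replacing the case block:
#   IMAGETAG=$(image_tag_for_ref "$CI_COMMIT_REF_NAME" "$CI_COMMIT_TAG" \
#              "$CI_COMMIT_SHORT_SHA" "$(date +%m%d)") || exit 1
```

Rejecting the tag before `/kaniko/executor` runs keeps a mis-tagged image from ever reaching Harbor, and sanitizing the ref explicitly (rather than letting the registry reject it) makes the tag a project would get for a slash-containing branch predictable.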