1. Overview
GitLab depends on the images listed below; in an offline environment, import them yourself. GitLab also requires a Postgres database, which must be configured before GitLab is deployed.
docker.io/library/redis:6.2
docker.io/sameersbn/gitlab:15.4.2
docker.io/library/postgres:14
2. Notes
Because GitLab CE does not support assigning administrators through LDAP (this is a GitLab EE feature), administrator privileges must be granted to users manually after deployment. If that is unacceptable, deploy Gitea instead.
3. Pre-deployment preparation
GitLab depends on Postgres and Redis; configure these dependencies before deploying.
3.1. Create the LDAP user group
GitLab is configured so that only users belonging to cn=develop and administrators can log in, so a groupOfNames group named develop must be created in LDAP. (The cluster creates it automatically.)
cn=develop,ou=groups,dc=cluster,dc=local
4. Deployment
4.1. Create the GitLab configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: conf-gitlab
  namespace: core-app
  labels:
    app: gitlab
data:
  DB_NAME: 'gitlabhq_production'  # (1)
  DB_USER: 'gitlab'  # (2)
  HOST: gitlab.d7z.net  # (3)
  PAGES_HOST: pages.d7z.net  # (3)
  LDAP_USERS_FILTER: '(|(memberOf=cn=admin,ou=groups,dc=cluster,dc=local)(memberOf=cn=develop,ou=groups,dc=cluster,dc=local))'  # (4)
---
apiVersion: v1
kind: Secret
metadata:
  name: secret-gitlab
  namespace: core-app
  labels:
    app: gitlab
stringData:
  DB_PASS: 'password'  # (5)
  ADMIN_PASS: 'gitlab-root-password'  # (6)
  DB_KEY_SECRETS: 'long-and-random-alpha-numeric-string'  # (7)
  SESSION_KEY_SECRETS: 'long-and-random-alpha-numeric-string'  # (7)
  OTP_KEY_SECRETS: 'long-and-random-alpha-numeric-string'  # (7)
  PAGES_KEY_SECRETS: 'long-and-random-alpha-numeric-string'  # (7)
Where:
1 | If you changed the Postgres database name, change it here |
2 | If you changed the Postgres user, change it here |
3 | Change this to the domain name of your GitLab instance |
4 | The LDAP user filter |
5 | If you changed the Postgres password, change it here |
6 | Because GitLab CE cannot assign administrators dynamically, change the default administrator password and store it safely (do not use the default value). |
7 | Customize these secrets at deployment time; they can be generated with pwgen -Bsv1 64 (do not use the default values). |
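Before applying the Secret, a practitioner wants to confirm that none of the placeholder values from callouts (5)-(7) are still present. The following added example (not part of the original guide) scans the manifest text for those placeholders and replaces each with a fresh 64-character alphanumeric key, comparable to the pwgen -Bsv1 64 output recommended above; the sample manifest is constructed from section 4.1.

```python
# Added example (not part of the original guide): scans the secret-gitlab
# manifest for the placeholder values the guide ships and replaces each with a
# fresh 64-character alphanumeric key (the shape `pwgen -Bsv1 64` produces).
import re
import secrets
import string

# Placeholder values from the sample manifest; none of them may reach a cluster.
PLACEHOLDERS = {"password", "gitlab-root-password",
                "long-and-random-alpha-numeric-string"}
ALPHABET = string.ascii_letters + string.digits
# Matches `KEY: 'value'` lines such as the stringData entries in the Secret.
ENTRY = re.compile(r"^(?P<indent>[ \t]*)(?P<key>[A-Z_]+):[ \t]*'(?P<val>[^']*)'",
                   re.MULTILINE)

def random_key(length=64):
    """CSPRNG-backed alphanumeric key (secrets module, never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def placeholder_keys(manifest):
    """Names of entries whose value is still one of the shipped placeholders."""
    return [m["key"] for m in ENTRY.finditer(manifest) if m["val"] in PLACEHOLDERS]

def harden(manifest):
    """Return the manifest with every placeholder value replaced by a fresh key."""
    def replace(m):
        if m["val"] not in PLACEHOLDERS:
            return m.group(0)
        return f"{m['indent']}{m['key']}: '{random_key()}'"
    return ENTRY.sub(replace, manifest)

# Constructed sample: the Secret from section 4.1 with its default values.
SAMPLE_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: secret-gitlab
  namespace: core-app
stringData:
  DB_PASS: 'password'
  ADMIN_PASS: 'gitlab-root-password'
  DB_KEY_SECRETS: 'long-and-random-alpha-numeric-string'
  SESSION_KEY_SECRETS: 'long-and-random-alpha-numeric-string'
  OTP_KEY_SECRETS: 'long-and-random-alpha-numeric-string'
  PAGES_KEY_SECRETS: 'long-and-random-alpha-numeric-string'
"""
```

Run placeholder_keys() on the manifest text before kubectl apply; a non-empty list means shipped defaults are still in place, and the ADMIN_PASS produced by harden() must be recorded before the file is applied.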
4.2. Create the GitLab persistent volumes
Use the following configuration to create GitLab's persistent volumes, including the persistent volume for the Redis instance GitLab requires.
GitLab stores commits on its persistent volume; size it to your actual needs. Faster disks improve GitLab commit performance.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-gitlab-data
  namespace: core-app
  labels:
    app: gitlab
spec:
  storageClassName: 'sc-nfs-share'
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 300Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-gitlab-redis
  namespace: core-app
  labels:
    app: gitlab
spec:
  storageClassName: 'sc-nfs-share'
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-gitlab-postgres
  namespace: core-app
  labels:
    app: gitlab
spec:
  storageClassName: 'sc-nfs-share'
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
5. Create the GitLab server
Use the following configuration to create the GitLab server.
apiVersion: v1
kind: ConfigMap
metadata:
  name: conf-gitlab-pg-init
  namespace: core-app
  labels:
    app: gitlab
data:
  00-init-database.sh: |
    #!/usr/bin/env bash
    set -e
    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-END_SQL
      CREATE EXTENSION pg_trgm;
    END_SQL
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: sts-gitlab
  namespace: core-app
  labels:
    app: gitlab
spec:
  serviceName: svc-gitlab
  selector:
    matchLabels:
      app: gitlab
  replicas: 1
  template:
    metadata:
      labels:
        app: gitlab
    spec:
      containers:
        - name: gitlab-postgres
          image: docker.io/library/postgres:14
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
            - name: postgres-init
              mountPath: /docker-entrypoint-initdb.d/
          env:
            - name: POSTGRES_USER
              valueFrom:
                configMapKeyRef:
                  name: conf-gitlab
                  key: DB_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: secret-gitlab
                  key: DB_PASS
            - name: 'POSTGRES_DB'
              valueFrom:
                configMapKeyRef:
                  key: DB_NAME
                  name: conf-gitlab
            - name: 'PGDATA'
              value: "/var/lib/postgresql/data/pgdata"
        - name: gitlab-redis
          image: docker.io/library/redis:6.2
          volumeMounts:
            - name: gitlab-redis
              mountPath: /data
        - name: gitlab-server
          image: docker.io/sameersbn/gitlab:15.4.2
          volumeMounts:
            - name: gitlab-data
              mountPath: /home/git/data
          resources:
            requests:
              memory: 4Gi
          env:
            - name: GITLAB_SSH_PORT
              value: "22"
            - name: GITLAB_PORT
              value: "443"
            - name: GITLAB_HTTPS
              value: "true"
            - name: SSL_SELF_SIGNED
              value: "true"
            - name: GITLAB_HOST
              valueFrom:
                configMapKeyRef:
                  name: conf-gitlab
                  key: HOST
            - name: GITLAB_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: secret-gitlab
                  key: ADMIN_PASS
            - name: GITLAB_SECRETS_DB_KEY_BASE
              valueFrom:
                secretKeyRef:
                  name: secret-gitlab
                  key: DB_KEY_SECRETS
            - name: GITLAB_SECRETS_SECRET_KEY_BASE
              valueFrom:
                secretKeyRef:
                  name: secret-gitlab
                  key: SESSION_KEY_SECRETS
            - name: GITLAB_SECRETS_OTP_KEY_BASE
              valueFrom:
                secretKeyRef:
                  name: secret-gitlab
                  key: OTP_KEY_SECRETS
            - name: GITLAB_PAGES_ACCESS_SECRET
              valueFrom:
                secretKeyRef:
                  name: secret-gitlab
                  key: PAGES_KEY_SECRETS
            - name: GITLAB_PACKAGES_ENABLED
              value: 'false'
            - name: GITLAB_REGISTRY_ENABLED
              value: 'false'
            - name: GITLAB_PAGES_ENABLED
              value: 'true'
            - name: GITLAB_PAGES_DOMAIN
              valueFrom:
                configMapKeyRef:
                  name: conf-gitlab
                  key: PAGES_HOST
            - name: GITLAB_PAGES_HTTPS
              value: 'false'
            - name: GITLAB_PAGES_HTTP
              value: 'true'
            - name: DB_HOST
              value: "127.0.0.1"
            - name: DB_PORT
              value: "5432"
            - name: DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: conf-gitlab
                  key: DB_NAME
            - name: DB_USER
              valueFrom:
                configMapKeyRef:
                  name: conf-gitlab
                  key: DB_USER
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: secret-gitlab
                  key: DB_PASS
            - name: REDIS_HOST
              value: "127.0.0.1"
            - name: REDIS_PORT
              value: "6379"
            - name: LDAP_ENABLED
              value: "true"
            - name: LDAP_LABEL
              value: "LDAP"
            - name: "LDAP_HOST"
              valueFrom:
                configMapKeyRef:
                  key: LDAP_HOST
                  name: conf-ldap
            - name: LDAP_PORT
              value: "389"
            - name: LDAP_UID
              value: "uid"
            - name: LDAP_ACTIVE_DIRECTORY
              value: "false"
            - name: LDAP_METHOD
              value: "plain"
            - name: LDAP_BIND_DN
              valueFrom:
                configMapKeyRef:
                  name: conf-ldap
                  key: LDAP_BIND_DN
            - name: LDAP_PASS
              valueFrom:
                secretKeyRef:
                  key: LDAP_BIND_DN_PASSWORD
                  name: secret-ldap-service
            - name: LDAP_BASE
              valueFrom:
                configMapKeyRef:
                  key: LDAP_USERS_DN
                  name: conf-ldap
            - name: LDAP_USER_FILTER
              valueFrom:
                configMapKeyRef:
                  key: LDAP_USERS_FILTER
                  name: conf-gitlab
      volumes:
        - name: gitlab-data
          persistentVolumeClaim:
            claimName: pvc-gitlab-data
        - name: gitlab-redis
          persistentVolumeClaim:
            claimName: pvc-gitlab-redis
        - name: postgres-data
          persistentVolumeClaim:
            claimName: pvc-gitlab-postgres
        - name: postgres-init
          configMap:
            name: conf-gitlab-pg-init
After the configuration has been applied, monitor the startup result with the following command.
kubectl get pods -n core-app -l app=gitlab
5.1. Associate the Service
Once the server has been created and is working properly, use the following configuration to create the corresponding Service.
GitLab needs port 22 exposed so that commits can be pushed over SSH; configure this according to your LoadBalancer implementation. MetalLB is used here.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: gitlab
  name: svc-gitlab
  namespace: core-app
spec:
  ports:
    - name: gitlab-web
      protocol: TCP
      port: 80
    - name: gitlab-ssh
      protocol: TCP
      port: 22
  selector:
    app: gitlab
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: gitlab
  name: svc-gitlab-lb
  namespace: core-app
  annotations:
    metallb.universe.tf/allow-shared-ip: "public-ip-share"
spec:
  ports:
    - name: gitlab-ssh
      protocol: TCP
      port: 22
  selector:
    app: gitlab
  type: LoadBalancer
After creation, check the result with the following command.
kubectl get service -n core-app -l app=gitlab
5.2. Associate the Ingress
Use the following configuration to associate the Service with an Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-gitlab
  namespace: core-app
  labels:
    app: gitlab
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  ingressClassName: nginx-public
  tls:
    - hosts:
        - gitlab.d7z.net
      secretName: tls-pub-d7z
  rules:
    - host: gitlab.d7z.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: svc-gitlab
                port:
                  name: gitlab-web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-gitlab-pages
  namespace: core-app
  labels:
    app: gitlab
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  ingressClassName: nginx-public
  tls:
    - hosts:
        - pages.d7z.net
        - '*.pages.d7z.net'
      secretName: tls-pub-d7z
  rules:
    - host: pages.d7z.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: svc-gitlab
                port:
                  name: gitlab-web
    - host: '*.pages.d7z.net'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: svc-gitlab
                port:
                  name: gitlab-web
6. Testing
6.1. Check the deployment result
Use the following command to view the deployment result of each component.
kubectl get pods,pvc,service,ingress -n core-app -l app=gitlab
6.2. Test LDAP login
Create a test user and add a membership for that user under cn=develop, then test logging in to GitLab. After a successful login, log the user out, delete the user from LDAP, and test again; if login is no longer possible, the deployment is working correctly.
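The login test above exercises the LDAP_USERS_FILTER from section 4.1 (callout 4). The following added example (not part of the original guide) evaluates that same filter against directory entries offline, so the expected outcome of the test, including the case of a user removed from the group, can be predicted before touching GitLab. It assumes the directory exposes the memberOf attribute (OpenLDAP needs the memberof overlay) and uses a constructed sample directory.

```python
# Added example (not part of the original guide): evaluates the ConfigMap's
# LDAP_USERS_FILTER against directory entries offline, to predict which accounts
# GitLab will accept before the login test in section 6.2. Handles the RFC 4515
# subset the filter uses: (&...), (|...), (!...) and attr=value.

USERS_FILTER = ("(|(memberOf=cn=admin,ou=groups,dc=cluster,dc=local)"
                "(memberOf=cn=develop,ou=groups,dc=cluster,dc=local))")

def parse_filter(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, position after it)."""
    if text[pos] != "(": raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":                       # compound filter: op followed by sub-filters
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")": raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)            # simple attr=value; the DN values hold no ')'
    attr, value = text[pos:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """entry maps lower-case attribute names to lists of values (LDAP is multi-valued)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value in [v.lower() for v in entry.get(attr, [])]

def allowed_users(ldap_filter, entries):
    """Sorted uids from `entries` (uid -> attributes) that pass `ldap_filter`."""
    node, _ = parse_filter(ldap_filter)
    return sorted(uid for uid, attrs in entries.items() if matches(node, attrs))

# Constructed sample directory: alice is a developer, bob an admin, carol only in
# an unrelated group, and dave has no memberOf values at all (overlay missing).
SAMPLE_ENTRIES = {
    "alice": {"memberof": ["cn=develop,ou=groups,dc=cluster,dc=local"]},
    "bob":   {"memberof": ["cn=admin,ou=groups,dc=cluster,dc=local"]},
    "carol": {"memberof": ["cn=sales,ou=groups,dc=cluster,dc=local"]},
    "dave":  {},
}
```

allowed_users(USERS_FILTER, SAMPLE_ENTRIES) returns only alice and bob; removing alice's develop membership, as the test procedure does, drops her from the result.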