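Author: 徐晓伟
Deploying and managing JiHu GitLab (极狐 GitLab) quickly and easily with Helm
Prerequisites
- helm is already configured for the k8s cluster
- ingress is already configured for the k8s cluster
- Memory: at least 10G
  - The demo environment is a minimal install of Anolis 8.4 (龙蜥, i.e. CentOS 8.4)
  - k8s version 1.28.2
  - calico version 3.26.1
  - nginx ingress version 1.8.0
  - JiHu gitlab version v16.7.0, which corresponds to helm chart version 7.7.0
  - With no other software running, total memory usage is about 7.4G; allowing for failover, configuration updates, upgrades and similar factors, the estimated memory requirement is 10G
Notes
- This article uses the helm JiHu gitlab chart 7.7.0 (i.e. gitlab-jh v16.7.0) as the example
- The demo k8s cluster has two worker nodes, each with 4 cores and 8G; data is stored on local PVs
- The IP of the demo environment is 172.25.25.32
- The domain names used when installing / configuring gitlab with helm are listed below; unless stated otherwise, the values in this table are used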
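Domain name | Purpose | Notes |
---|---|---|
test.helm.xuxiaowei.cn | Base domain used for all externally exposed services | By default, the other domain names are formed by prepending a prefix to this domain |
gitlab.test.helm.xuxiaowei.cn | Domain name for accessing the gitlab instance | |
minio.test.helm.xuxiaowei.cn | Object storage domain name | |
registry.test.helm.xuxiaowei.cn | Container image registry domain name | |
kas.test.helm.xuxiaowei.cn | | |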
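Documentation
- TLS configuration
  - certmanager-issuer.email: email address of the Let's Encrypt account
  - global.ingress.configureCertmanager: configures cert-manager to obtain certificates from Let's Encrypt; default: true
- Basic configuration
  - global.hosts.domain: base domain used for all externally exposed services
  - global.edition: the edition to install; default: ee
  - global.time_zone: global time zone; default: UTC
- Deploy the Community Edition
  - global.edition: the edition to install; default: ee
- cert-manager Helm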
Add the helm gitlab repository
Chart | ArtifactHub URL | Repository URL | Edition |
---|---|---|---|
gitlab/gitlab | https://artifacthub.io/packages/helm/gitlab/gitlab | http://charts.gitlab.io | Community Edition, Enterprise Edition |
gitlab-jh/gitlab | https://artifacthub.io/packages/helm/gitlab-jh/gitlab | https://charts.gitlab.cn | Enterprise Edition (China-specific) |
Users in mainland China are recommended to use the gitlab-jh/gitlab repository
helm repo add gitlab-jh https://charts.gitlab.cn
Update the repository
helm repo update
List the versions available in the repository
helm search repo gitlab
helm search repo gitlab --versions
- Some of the versions available in the gitlab and gitlab-jh repositories:
CHART VERSION | APP VERSION |
---|---|
7.8.0 | v16.8.0 |
7.7.3 | v16.7.3 |
7.6.5 | v16.6.5 |
7.5.7 | v16.5.7 |
7.4.5 | v16.4.5 |
7.3.7 | v16.3.7 |
7.2.9 | v16.2.9 |
7.1.6 | v16.1.6 |
7.0.8 | v16.0.8 |
6.11.13 | v15.11.13 |
6.10.8 | v15.10.8 |
6.9.8 | v15.9.8 |
6.8.6 | v15.8.6 |
6.7.9 | v15.7.9 |
6.6.8 | v15.6.8 |
6.5.9 | v15.5.9 |
6.4.6 | v15.4.6 |
6.3.5 | v15.3.5 |
6.2.5 | v15.2.5 |
6.1.6 | v15.1.6 |
6.0.5 | v15.0.5 |
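Install gitlab with helm
Define environment variables (important: almost all of the later commands need them)
Variable name | Value | Meaning | Notes |
---|---|---|---|
GITLAB_HELM_NS | gitlab-test | Namespace GitLab is installed into | |
GITLAB_HELM_NAME | my-gitlab | Name of the GitLab installation | |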
echo "export GITLAB_HELM_NS=gitlab-test" >> /etc/profile
echo "export GITLAB_HELM_NAME=my-gitlab" >> /etc/profile
cat /etc/profile
source /etc/profile
echo $GITLAB_HELM_NS
echo $GITLAB_HELM_NAME
Create the namespace
kubectl create namespace $GITLAB_HELM_NS
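Notes on certificate generation
- global.ingress.configureCertmanager=true
  - global.ingress.configureCertmanager defaults to true
  - cert-manager requests the certificate from Let's Encrypt, and the default validation method is HTTP-01, so the certmanager-issuer.email parameter is required; without it the installation reports an error. If your k8s cluster has a public IP and the domain names can be resolved to it, this mode is recommended (if you use DNS01 instead, the DNS01 configuration requirements must be met)
  - Certificate information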
[root@k8s ~]# openssl x509 -in configureCertmanager-true.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            df:84:a6:b7:44:a6:98:a7:ec:88:8b:5d:d2:60:e1:13
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: CN = cert-manager.local
        Validity
            Not Before: Sep 12 10:32:20 2023 GMT
            Not After : Dec 11 10:32:20 2023 GMT
        Subject: serialNumber = 1234567890
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    (hex bytes omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:A1:D1:7D:26:55:D9:3E:63:A9:17:07:FC:0A:09:29:3E:8A:DE:76:DA
            X509v3 Subject Alternative Name:
                DNS:gitlab.test.helm.xuxiaowei.cn
    Signature Algorithm: ecdsa-with-SHA512
         (hex bytes omitted)
[root@k8s ~]#
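  - Once validation completes, the certificate issued by Let's Encrypt is used
- global.ingress.configureCertmanager=false
  - No certificate is requested from Let's Encrypt, and the certmanager-issuer.email parameter does not need to be set
  - Certificate information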
[root@k8s ~]# openssl x509 -in configureCertmanager-false.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            07:0a:fe:dd:4b:6e:86:2a:fa:ff:91:8d:1c:e0:e0:c1:9b:50:a5:d2
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O = gitlab-test, OU = my-gitlab, CN = GitLab Helm Chart
        Validity
            Not Before: Sep 12 14:45:00 2023 GMT
            Not After : Sep 11 14:45:00 2024 GMT
        Subject: CN = test.helm.xuxiaowei.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    (hex bytes omitted)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                BA:C4:D0:7E:F5:2A:47:E0:1D:94:58:12:23:2E:C0:89:5E:5E:98:5A
            X509v3 Authority Key Identifier:
                keyid:E3:5B:EE:60:6C:C2:1A:46:CB:8D:F7:7C:AF:CC:99:59:37:6F:74:B7
            X509v3 Subject Alternative Name:
                DNS:test.helm.xuxiaowei.cn, DNS:*.test.helm.xuxiaowei.cn
    Signature Algorithm: sha512WithRSAEncryption
         (hex bytes omitted)
[root@k8s ~]#
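To tell which of the certificates described above an ingress is actually serving, the issuer and SAN lines of the `openssl x509 -noout -text` output are enough. The script below is an added example, not part of the original article: the function names are illustrative, the two sample dumps are constructed from the fields shown above, and the hostname coverage check goes one step beyond the text.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Function names are illustrative.
# Input everywhere is the text printed by `openssl x509 -noout -text`.

# issuer_class: read a dump on stdin and print which issuer produced it.
issuer_class() {
  local issuer
  # Accept both the "CN = x" and the "CN=x" spelling of the issuer line.
  issuer=$(sed -n '/^ *Issuer:/{s/^ *Issuer: *//p;q;}' | sed 's/ *= */=/g')
  case $issuer in
    *CN=cert-manager.local*)  echo temporary ;;          # served until ACME validation completes
    *"CN=GitLab Helm Chart"*) echo chart-self-signed ;;  # configureCertmanager=false
    *"O=Let's Encrypt"*)      echo letsencrypt ;;        # issuer organisation of Let's Encrypt
    *)                        echo other ;;
  esac
}

# san_names: read a dump on stdin and print one DNS SAN per line.
san_names() {
  awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
    tr ',' '\n' | sed -n 's/^ *DNS: *//p'
}

# covers HOST: succeed if one of the SANs on stdin matches HOST. A wildcard
# stands for exactly one left-most label, so *.example.test matches
# a.example.test but not a.b.example.test.
covers() {
  local host=$1 san
  while IFS= read -r san; do
    [ "$san" = "$host" ] && return 0
    case $san in
      '*.'*) [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "${san#\*.}" ] && return 0 ;;
    esac
  done
  return 1
}

# report HOST: print "<issuer class> <host> <covered|not-covered>" for a dump on stdin.
report() {
  local host=$1 dump verdict=not-covered
  dump=$(cat)
  if printf '%s\n' "$dump" | san_names | covers "$host"; then verdict=covered; fi
  printf '%s %s %s\n' "$(printf '%s\n' "$dump" | issuer_class)" "$host" "$verdict"
}

# Constructed samples: only the Issuer and SAN lines of the two dumps above.
TEMP_DUMP='        Issuer: CN = cert-manager.local
            X509v3 Subject Alternative Name:
                DNS:gitlab.test.helm.xuxiaowei.cn'
CHART_DUMP='        Issuer: O = gitlab-test, OU = my-gitlab, CN = GitLab Helm Chart
            X509v3 Subject Alternative Name:
                DNS:test.helm.xuxiaowei.cn, DNS:*.test.helm.xuxiaowei.cn'

printf '%s\n' "$TEMP_DUMP"  | report gitlab.test.helm.xuxiaowei.cn
printf '%s\n' "$CHART_DUMP" | report gitlab.test.helm.xuxiaowei.cn
# The chart wildcard is one label deep, so a user Pages host is not covered.
printf '%s\n' "$CHART_DUMP" | report root.pages.test.helm.xuxiaowei.cn

# Against a real file: openssl x509 -in <file>.crt -noout -text | report <hostname>
```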
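Run the install command
# my-gitlab is the name under which helm gitlab is installed locally
# gitlab/gitlab is the chart to install; for gitlab-jh use gitlab-jh/gitlab
# gitlab/gitlab defaults to the Enterprise Edition; to use the Community Edition, add the parameter --set global.edition=ce
# 7.7.0 is the version of the gitlab helm chart; choose the one you need
# certmanager-issuer.email is the email address of the Let's Encrypt account; enter one of your own addresses, it is used for reminders before the certificate expires
# --timeout 600s sets the timeout to 600s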
# Helm v3
helm -n $GITLAB_HELM_NS install $GITLAB_HELM_NAME gitlab/gitlab --version 7.7.0 \
--set certmanager-issuer.email=your@email.com \
--set global.time_zone=Asia/Shanghai \
--set global.hosts.domain=test.helm.xuxiaowei.cn \
--timeout 600s
# Helm v2
#helm -n $GITLAB_HELM_NS install --name $GITLAB_HELM_NAME gitlab/gitlab --version 7.7.0 \
# --set certmanager-issuer.email=your@email.com \
# --set global.time_zone=Asia/Shanghai \
# --set global.hosts.domain=test.helm.xuxiaowei.cn \
# --timeout 600s
Export the helm gitlab configuration
# Export the configured values to a file
helm -n $GITLAB_HELM_NS get values $GITLAB_HELM_NAME > $GITLAB_HELM_NAME.yaml
[root@anolis-7-9 ~]# cat $GITLAB_HELM_NAME.yaml
USER-SUPPLIED VALUES:
certmanager-issuer:
  email: your@email.com
global:
  hosts:
    domain: test.helm.xuxiaowei.cn
  time_zone: Asia/Shanghai
[root@anolis-7-9 ~]#
Update the helm gitlab configuration
# To change the gitlab configuration, edit the values file and then run the following command to apply it
helm upgrade -n $GITLAB_HELM_NS --install $GITLAB_HELM_NAME gitlab/gitlab --timeout 600s -f $GITLAB_HELM_NAME.yaml --version 7.7.0
# Or set the new configuration directly with --set, and set a new version number with --version
# helm upgrade -n $GITLAB_HELM_NS --install $GITLAB_HELM_NAME gitlab/gitlab \
# --set <setting to change> \
# --version <new version number> \
# -f $GITLAB_HELM_NAME.yaml \
# --timeout 600s
Create PVs and bind PVCs
View the PVCs
[root@anolis-7-9 ~]# kubectl -n $GITLAB_HELM_NS get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
data-my-gitlab-postgresql-0 Pending 2m49s
my-gitlab-minio Pending 2m50s
my-gitlab-prometheus-server Pending 2m50s
redis-data-my-gitlab-redis-master-0 Pending 2m49s
repo-data-my-gitlab-gitaly-0 Pending 2m49s
[root@anolis-7-9 ~]#
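Create PVC
- The demo environment uses a single-machine k8s cluster for testing; data is stored on local PVs
- Because local PVs are used, and a local PV has to be scheduled to a specific node, the node must be given a label
- The operation below adds a label to node k8s; the label name is gitlab-test and the label value is local-pv
  - The demo environment uses a single-machine k8s cluster for testing with only one node, whose name is k8s
  - The label name and label value here correspond to the label name and label value in the PV configuration file below
  - The node that uses local PV storage is named anolis-7-9
# Demo environment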
[root@anolis-7-9 ~]# kubectl get node --show-labels
NAME STATUS ROLES AGE VERSION LABELS
anolis-7-7 Ready <none> 3h4m v1.28.2 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=anolis-7-7,kubernetes.io/os=linux
anolis-7-9 Ready control-plane 3h14m v1.28.2 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=anolis-7-9,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers=
[root@anolis-7-9 ~]# kubectl label nodes anolis-7-9 $GITLAB_HELM_NS=local-pv
node/anolis-7-9 labeled
[root@anolis-7-9 ~]# kubectl get node --show-labels
NAME STATUS ROLES AGE VERSION LABELS
anolis-7-7 Ready <none> 3h4m v1.28.2 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=anolis-7-7,kubernetes.io/os=linux
anolis-7-9 Ready control-plane 3h14m v1.28.2 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,gitlab-test=local-pv,kubernetes.io/arch=amd64,kubernetes.io/hostname=anolis-7-9,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node.kubernetes.io/exclude-from-external-load-balancers=
[root@anolis-7-9 ~]#
- Create the PV directories
# PV data is stored under the /gitlab-test directory
mkdir -p /$GITLAB_HELM_NS/data-$GITLAB_HELM_NAME-postgresql-0-pv
mkdir -p /$GITLAB_HELM_NS/$GITLAB_HELM_NAME-minio-pv
mkdir -p /$GITLAB_HELM_NS/$GITLAB_HELM_NAME-prometheus-server-pv
mkdir -p /$GITLAB_HELM_NS/redis-data-$GITLAB_HELM_NAME-redis-master-0-pv
mkdir -p /$GITLAB_HELM_NS/repo-data-$GITLAB_HELM_NAME-gitaly-0-pv
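If you need to wipe the data, run:
# ${VAR:?} aborts the command if the variable is unset or empty, so rm never runs on a truncated path
rm -rf -- "/${GITLAB_HELM_NS:?}/data-${GITLAB_HELM_NAME:?}-postgresql-0-pv"
rm -rf -- "/${GITLAB_HELM_NS:?}/${GITLAB_HELM_NAME:?}-minio-pv"
rm -rf -- "/${GITLAB_HELM_NS:?}/${GITLAB_HELM_NAME:?}-prometheus-server-pv"
rm -rf -- "/${GITLAB_HELM_NS:?}/redis-data-${GITLAB_HELM_NAME:?}-redis-master-0-pv"
rm -rf -- "/${GITLAB_HELM_NS:?}/repo-data-${GITLAB_HELM_NAME:?}-gitaly-0-pv"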
- Create the PVs and bind the PVCs
cat <<EOF > $GITLAB_HELM_NS-pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: data-$GITLAB_HELM_NAME-postgresql-0-pv
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 8Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: data-$GITLAB_HELM_NAME-postgresql-0
    namespace: $GITLAB_HELM_NS
  local:
    path: /$GITLAB_HELM_NS/data-$GITLAB_HELM_NAME-postgresql-0-pv
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: $GITLAB_HELM_NS
              operator: In
              values:
                - local-pv
  persistentVolumeReclaimPolicy: Retain
  volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: $GITLAB_HELM_NAME-minio-pv
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 10Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: $GITLAB_HELM_NAME-minio
    namespace: $GITLAB_HELM_NS
  local:
    path: /$GITLAB_HELM_NS/$GITLAB_HELM_NAME-minio-pv
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: $GITLAB_HELM_NS
              operator: In
              values:
                - local-pv
  persistentVolumeReclaimPolicy: Retain
  volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: $GITLAB_HELM_NAME-prometheus-server-pv
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 8Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: $GITLAB_HELM_NAME-prometheus-server
    namespace: $GITLAB_HELM_NS
  local:
    path: /$GITLAB_HELM_NS/$GITLAB_HELM_NAME-prometheus-server-pv
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: $GITLAB_HELM_NS
              operator: In
              values:
                - local-pv
  persistentVolumeReclaimPolicy: Retain
  volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: redis-data-$GITLAB_HELM_NAME-redis-master-0-pv
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 8Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: redis-data-$GITLAB_HELM_NAME-redis-master-0
    namespace: $GITLAB_HELM_NS
  local:
    path: /$GITLAB_HELM_NS/redis-data-$GITLAB_HELM_NAME-redis-master-0-pv
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: $GITLAB_HELM_NS
              operator: In
              values:
                - local-pv
  persistentVolumeReclaimPolicy: Retain
  volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: repo-data-$GITLAB_HELM_NAME-gitaly-0-pv
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 50Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: repo-data-$GITLAB_HELM_NAME-gitaly-0
    namespace: $GITLAB_HELM_NS
  local:
    path: /$GITLAB_HELM_NS/repo-data-$GITLAB_HELM_NAME-gitaly-0-pv
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: $GITLAB_HELM_NS
              operator: In
              values:
                - local-pv
  persistentVolumeReclaimPolicy: Retain
  volumeMode: Filesystem
EOF
# Inspect the file
cat $GITLAB_HELM_NS-pv.yaml
# Apply it
kubectl apply -f $GITLAB_HELM_NS-pv.yaml
# Check the result
[root@anolis-7-9 ~]# kubectl get pv
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
data-my-gitlab-postgresql-0-pv 8Gi RWO Retain Bound gitlab-test/data-my-gitlab-postgresql-0 33s
my-gitlab-minio-pv 10Gi RWO Retain Bound gitlab-test/my-gitlab-minio 33s
my-gitlab-prometheus-server-pv 8Gi RWO Retain Bound gitlab-test/my-gitlab-prometheus-server 33s
redis-data-my-gitlab-redis-master-0-pv 8Gi RWO Retain Bound gitlab-test/redis-data-my-gitlab-redis-master-0 33s
repo-data-my-gitlab-gitaly-0-pv 50Gi RWO Retain Bound gitlab-test/repo-data-my-gitlab-gitaly-0 33s
[root@anolis-7-9 ~]# kubectl -n $GITLAB_HELM_NS get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
data-my-gitlab-postgresql-0 Bound data-my-gitlab-postgresql-0-pv 8Gi RWO 11m
my-gitlab-minio Bound my-gitlab-minio-pv 10Gi RWO 11m
my-gitlab-prometheus-server Bound my-gitlab-prometheus-server-pv 8Gi RWO 11m
redis-data-my-gitlab-redis-master-0 Bound redis-data-my-gitlab-redis-master-0-pv 8Gi RWO 11m
repo-data-my-gitlab-gitaly-0 Bound repo-data-my-gitlab-gitaly-0-pv 50Gi RWO 11m
[root@anolis-7-9 ~]#
Check the status of the helm gitlab pods
[root@anolis-7-9 ~]# kubectl -n $GITLAB_HELM_NS get pod
NAME READY STATUS RESTARTS AGE
cm-acme-http-solver-2ldtp 1/1 Running 0 11m
cm-acme-http-solver-94dv5 1/1 Running 0 11m
cm-acme-http-solver-klkpz 1/1 Running 0 11m
cm-acme-http-solver-szbks 1/1 Running 0 11m
my-gitlab-certmanager-8457bfdc8-w858k 1/1 Running 0 12m
my-gitlab-certmanager-cainjector-74df787cf4-j7cfc 1/1 Running 0 12m
my-gitlab-certmanager-webhook-7b86db4c96-dhcxl 1/1 Running 0 12m
my-gitlab-gitaly-0 0/1 Pending 0 12m
my-gitlab-gitlab-exporter-55dcfcb595-gl6nm 1/1 Running 0 12m
my-gitlab-gitlab-runner-6fb4bf7468-nmnkp 1/1 Running 4 (99s ago) 12m
my-gitlab-gitlab-shell-55fdc9cb9f-cfhsh 1/1 Running 0 12m
my-gitlab-gitlab-shell-55fdc9cb9f-x9r5m 0/1 Init:0/2 0 12m
my-gitlab-issuer-1-wg4b9 0/1 Completed 0 12m
my-gitlab-kas-688dc97ddd-nvmnt 0/1 Init:0/1 0 12m
my-gitlab-kas-688dc97ddd-tvkvd 0/1 CrashLoopBackOff 7 (32s ago) 12m
my-gitlab-migrations-1-zctfx 0/1 Init:1/2 0 12m
my-gitlab-minio-66f584f746-wl85b 0/1 Pending 0 12m
my-gitlab-minio-create-buckets-1-hhwhq 0/1 Terminating 0 12m
my-gitlab-nginx-ingress-controller-6bdd56c45-ch57n 1/1 Running 0 12m
my-gitlab-nginx-ingress-controller-6bdd56c45-cm2lz 1/1 Running 0 12m
my-gitlab-postgresql-0 0/2 Pending 0 12m
my-gitlab-prometheus-server-646489c599-hhvb7 0/2 ContainerCreating 0 12m
my-gitlab-redis-master-0 0/2 ContainerCreating 0 12m
my-gitlab-registry-78fc549f8d-xbkvh 1/1 Running 0 12m
my-gitlab-registry-78fc549f8d-zktzn 0/1 Init:0/2 0 12m
my-gitlab-sidekiq-all-in-1-v2-7f45ccbddd-rcksr 0/1 Init:1/3 0 12m
my-gitlab-toolbox-795884b958-bvfx8 1/1 Running 0 12m
my-gitlab-webservice-default-689f5fcbd8-sv9g4 0/2 Pending 0 12m
my-gitlab-webservice-default-689f5fcbd8-t25nk 0/2 Init:2/3 1 (16s ago) 12m
[root@anolis-7-9 ~]#
Delete the pods that are not running normally; this actively triggers the next step of failure recovery and saves time
# Example deletion:
[root@anolis-7-9 ~]# kubectl -n $GITLAB_HELM_NS delete pod --field-selector 'status.phase!=Running'
pod "my-gitlab-gitaly-0" deleted
pod "my-gitlab-gitlab-shell-55fdc9cb9f-x9r5m" deleted
pod "my-gitlab-issuer-1-wg4b9" deleted
pod "my-gitlab-kas-688dc97ddd-nvmnt" deleted
pod "my-gitlab-migrations-1-zctfx" deleted
pod "my-gitlab-minio-66f584f746-wl85b" deleted
pod "my-gitlab-minio-create-buckets-1-hhwhq" deleted
pod "my-gitlab-postgresql-0" deleted
pod "my-gitlab-prometheus-server-646489c599-hhvb7" deleted
pod "my-gitlab-redis-master-0" deleted
pod "my-gitlab-registry-78fc549f8d-zktzn" deleted
pod "my-gitlab-sidekiq-all-in-1-v2-7f45ccbddd-rcksr" deleted
pod "my-gitlab-webservice-default-689f5fcbd8-sv9g4" deleted
pod "my-gitlab-webservice-default-689f5fcbd8-t25nk" deleted
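Wait until all pods are in the Running state
- Pods whose name contains gitlab-runner are the exception. The gitlab-runner pod registers with GitLab using the domain name and the https protocol; because neither DNS nor the certificate has been configured yet, gitlab-runner cannot work properly. This is expected. If you do not use GitLab Runner CI/CD pipelines you can ignore it, or set the GitLab Runner replica count to 0:
kubectl -n $GITLAB_HELM_NS scale deployment.apps/$GITLAB_HELM_NAME-gitlab-runner --replicas=0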
[root@anolis-7-9 ~]# kubectl -n $GITLAB_HELM_NS get pod
NAME READY STATUS RESTARTS AGE
cm-acme-http-solver-2ldtp 1/1 Running 2 (6m49s ago) 59m
cm-acme-http-solver-94dv5 1/1 Running 2 (6m49s ago) 59m
cm-acme-http-solver-klkpz 1/1 Running 2 (6m49s ago) 59m
cm-acme-http-solver-szbks 1/1 Running 2 (6m49s ago) 59m
my-gitlab-certmanager-8457bfdc8-w858k 1/1 Running 2 (7m46s ago) 61m
my-gitlab-certmanager-cainjector-74df787cf4-j7cfc 1/1 Running 2 (7m46s ago) 61m
my-gitlab-certmanager-webhook-7b86db4c96-dhcxl 1/1 Running 2 (7m46s ago) 61m
my-gitlab-gitaly-0 1/1 Running 2 (6m49s ago) 47m
my-gitlab-gitlab-exporter-55dcfcb595-gl6nm 1/1 Running 2 (6m49s ago) 61m
my-gitlab-gitlab-runner-6fb4bf7468-nmnkp 0/1 Error 17 (66s ago) 61m
my-gitlab-gitlab-shell-55fdc9cb9f-52gnr 1/1 Running 2 (7m46s ago) 47m
my-gitlab-gitlab-shell-55fdc9cb9f-cfhsh 1/1 Running 2 (6m49s ago) 61m
my-gitlab-kas-688dc97ddd-28gr7 1/1 Running 9 (5m44s ago) 47m
my-gitlab-kas-688dc97ddd-tvkvd 1/1 Running 18 (5m56s ago) 61m
my-gitlab-minio-66f584f746-md7rm 1/1 Running 1 (6m49s ago) 16m
my-gitlab-nginx-ingress-controller-6bdd56c45-ch57n 1/1 Running 2 (6m46s ago) 61m
my-gitlab-nginx-ingress-controller-6bdd56c45-cm2lz 1/1 Running 2 (6m49s ago) 61m
my-gitlab-postgresql-0 2/2 Running 4 (6m49s ago) 47m
my-gitlab-prometheus-server-646489c599-8mgc9 2/2 Running 4 (6m49s ago) 47m
my-gitlab-redis-master-0 2/2 Running 4 (6m49s ago) 21m
my-gitlab-registry-78fc549f8d-d2zjv 1/1 Running 2 (7m46s ago) 47m
my-gitlab-registry-78fc549f8d-xbkvh 1/1 Running 2 (6m49s ago) 61m
my-gitlab-sidekiq-all-in-1-v2-7f45ccbddd-spg9w 1/1 Running 2 (6m46s ago) 47m
my-gitlab-toolbox-795884b958-bvfx8 1/1 Running 2 (6m49s ago) 61m
my-gitlab-webservice-default-689f5fcbd8-5pqnh 2/2 Running 0 47m
my-gitlab-webservice-default-689f5fcbd8-qphjd 2/2 Running 0 87s
[root@anolis-7-9 ~]#
Modify DNS and access gitlab
- Demo environment: on Windows, edit C:\Windows\System32\drivers\etc\hosts
172.25.25.32 gitlab.test.helm.xuxiaowei.cn
172.25.25.32 minio.test.helm.xuxiaowei.cn
# If you do not use the image registry provided by GitLab, the registry domain can be ignored
172.25.25.32 registry.test.helm.xuxiaowei.cn
# Pages domain
# If you do not use the Pages feature, the Pages domains can be ignored
172.25.25.32 pages.test.helm.xuxiaowei.cn
# This demo only adds two pages subdomains; to use the Pages feature, use a wildcard to resolve *.pages.test.helm.xuxiaowei.cn to the server IP
# User Pages domain, where the user name is root
172.25.25.32 root.pages.test.helm.xuxiaowei.cn
# User Pages domain, where the user name is xuxiaowei
172.25.25.32 xuxiaowei.pages.test.helm.xuxiaowei.cn
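Log in to GitLab
Visit https://gitlab.test.helm.xuxiaowei.cn; the browser shows a warning:
Click "Continue to gitlab.test.helm.xuxiaowei.cn (unsafe)"; you can then choose Chinese (中文)
Get the initial password of the administrator user root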
kubectl -n $GITLAB_HELM_NS get secrets $GITLAB_HELM_NAME-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo
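Result after logging in
Turn off the new navigation bar (optional; newer versions only offer the new navigation bar and the old one cannot be used)
Go to Preferences and switch the menus to Chinese (optional)
- Preferences URL: https://gitlab.test.helm.xuxiaowei.cn/-/profile/preferences
- New navigation bar
- Old navigation bar
Localization settings (optional)
Set the default language for users who are not logged in to Chinese
- Go to the admin area
- Go to Preferences
- Set the default language for users who are not logged in to Chinese
Disable the sign-up feature (optional)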