Namespace
1
2
| [root@k8s-master1 ~]# kubectl create namespace devops
namespace/devops created
|
Secret
1
2
3
4
| [root@k8s-master1 ~]# kubectl create secret tls zhch.lan -n devops \
--cert=/home/zc/cert/zhch.lan.crt \
--key=/home/zc/cert/zhch.lan.key
secret/zhch.lan created
|
ConfigMap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| apiVersion: v1
kind: ConfigMap
metadata:
name: gitlab
namespace: devops
data:
gitlab.rb: |
external_url 'https://git.zhch.lan'
nginx['listen_port'] = 8180
nginx['listen_https'] = false
gitlab_rails['time_zone'] = 'Asia/Shanghai'
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.163.com"
gitlab_rails['smtp_port'] = 465
gitlab_rails['smtp_user_name'] = "nest0321@163.com"
gitlab_rails['smtp_password'] = "********"
gitlab_rails['smtp_domain'] = "163.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = false
gitlab_rails['smtp_tls'] = true
gitlab_rails['smtp_pool'] = false
gitlab_rails['gitlab_email_from'] = "nest0321@163.com"
user["git_user_email"] = "nest0321@163.com"
postgresql['shared_buffers'] = "128MB"
prometheus_monitoring['enable'] = false
|
PVC
1
2
3
4
5
6
7
8
9
10
11
12
13
| apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab
namespace: devops
spec:
accessModes:
- ReadWriteMany
volumeMode: Filesystem
resources:
requests:
storage: 2Gi
#storageClassName: "managed-nfs-storage"
|
Deployment
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
| apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab-ce
namespace: devops
spec:
replicas: 1
selector:
matchLabels:
app: gitlab-ce
template:
metadata:
labels:
app: gitlab-ce
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- gitlab-ce
topologyKey: kubernetes.io/hostname
containers:
- image: gitlab/gitlab-ce:16.7.0-ce.0
imagePullPolicy: IfNotPresent
name: gitlab-ce
ports:
- containerPort: 8180
name: web
protocol: TCP
- containerPort: 22
name: ssh
protocol: TCP
env:
- name: TZ
value: 'Asia/Shanghai'
resources:
requests:
memory: 1Gi
cpu: 10m
limits:
memory: 4Gi
cpu: 2000m
volumeMounts:
- name: gitlab
mountPath: /var/opt/gitlab
subPath: gitlab-data
- name: gitlab
mountPath: /etc/gitlab
subPath: gitlab-config
- name: gitlab-rb
mountPath: /etc/gitlab/gitlab.rb
subPath: gitlab.rb
restartPolicy: Always
volumes:
- name: gitlab-rb
configMap:
name: gitlab
items:
- key: gitlab.rb
path: gitlab.rb
- name: gitlab
persistentVolumeClaim:
claimName: gitlab
#dnsConfig:
# nameservers:
# - 192.168.3.157 # 自建 DNS 服务地址
#dnsPolicy: ClusterFirst
|
Service
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| apiVersion: v1
kind: Service
metadata:
name: gitlab
namespace: devops
spec:
selector:
app: gitlab-ce
type: ClusterIP
ports:
- port: 80
targetPort: web
protocol: TCP
name: web
- port: 22
targetPort: ssh
protocol: TCP
name: ssh
|
Ingress
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitlab
namespace: devops
spec:
ingressClassName: nginx
tls:
- hosts:
- git.zhch.lan
secretName: zhch.lan
rules:
- host: git.zhch.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitlab
port:
number: 80
|
初始密码
- 用户名
root
- 初始密码:进入容器内查看文件
/etc/gitlab/initial_root_password ,或者进入挂载的文件服务器上去查看
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| [root@k8s-master1 gitlab-config]# pwd
/root/nfs_data/rw/default/devops-gitlab-pvc-838f896d-24b6-4482-bf42-d38e016ca339/gitlab-config
[root@k8s-master1 gitlab-config]# ls
gitlab.rb gitlab-secrets.json initial_root_password ssh_host_ecdsa_key ssh_host_ecdsa_key.pub ssh_host_ed25519_key ssh_host_ed25519_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub trusted-certs
[root@k8s-master1 gitlab-config]# cat initial_root_password
# WARNING: This value is valid only in the following conditions
# 1. If provided manually (either via `GITLAB_ROOT_PASSWORD` environment variable or via `gitlab_rails['initial_root_password']` setting in `gitlab.rb`, it was provided before database was seeded for the first time (usually, the first reconfigure run).
# 2. Password hasn't been changed manually, either via UI or via command line.
#
# If the password shown here doesn't work, you must reset the admin password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.
Password: IbRbpNPvjHS+FwcENUcqEG/9ccqcZCavVGcGhVe1hbU=
# NOTE: This file will be automatically deleted in the first reconfigure run after 24 hours.
|
SSH 22
1
2
3
4
5
6
7
| apiVersion: v1
kind: ConfigMap
metadata:
name: ingress-tcp
namespace: ingress-nginx
data:
22: "devops/gitlab:22" # namespace/service:port ,key 与 port 可以不一样
|
kubectl edit service/ingress-nginx-controller -n ingress-nginx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| ports:
- appProtocol: http
name: http
nodePort: 31734
port: 80
protocol: TCP
targetPort: http
- appProtocol: https
name: https
nodePort: 32740
port: 443
protocol: TCP
targetPort: https
- name: gitlab-ssh # 新增
port: 22 # 外网访问的端口
protocol: TCP
targetPort: 22 # ConfigMap 中的 key
|
kubectl edit deploy/ingress-nginx-controller -n ingress-nginx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| template:
metadata:
creationTimestamp: null
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
- /nginx-ingress-controller
- --tcp-services-configmap=ingress-nginx/ingress-tcp # 新增
- --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
- --election-id=ingress-nginx-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
|
1
2
3
4
5
6
7
8
9
10
11
12
| # 推荐使用 ED25519、RSA;选择 RSA 时,推荐的 key size 是 3072 或更大
[zc@Test ~]$ ssh-keygen -t ed25519 -C "hczhch@ymail.com"
# 私钥 ~/.ssh/id_ed25519 公钥:~/.ssh/id_ed25519.pub
[zc@Test ~]$ ssh-keygen -t rsa -b 4096 -C "hczhch@ymail.com"
# 私钥 ~/.ssh/id_rsa 公钥:~/.ssh/id_rsa.pub
# 把公钥添加到 Gitlab 中
# 如果 ~/.ssh/known_hosts 文件中存在旧的 git.zhch.lan host 记录,则先删除
# git clone ...
|
# ssh-keygen -f 可以指定路径
C:\Users\zhch>ssh-keygen -t ed25519 -C "hczhch@ymail.com" -f "C:\Users\zhch\.ssh\jenkins\id_ed25519"
# 私钥 C:\Users\zhch\.ssh\jenkins\id_ed25519
# 公钥 C:\Users\zhch\.ssh\jenkins\id_ed25519.pub
自签证书问题
git config --global http.sslVerify false
D:\workspace\Jenkins_gitee\tensquare_parent>git push --set-upstream origin main
fatal: unable to access 'https://git.zhch.lan/test/tensquare_parent.git/': SSL certificate problem: self signed certificate
D:\workspace\Jenkins_gitee\tensquare_parent>git config --global http.sslVerify false
gitlab 角色
Guest:可以创建issue、发表评论,不能读写版本库Reporter:可以克隆代码,不能提交,QA、PM 可以赋予这个权限Developer:可以克隆代码、开发、提交、push,普通开发可以赋予这个权限Maintainer:可以创建项目、添加tag、保护分支、添加项目成员、编辑项目,核心开发可以赋予这个权限Owner:可以设置项目访问权限 - Visibility Level、删除项目、迁移项目、管理组成员,开发组组长可以赋予这个权限
