Environment
- Kubernetes version: v1.27.15
- Docker version: 27.0.3
- Helm version: v3.15.2
- GitLab version: v17.4.1
Quick start
Add the GitLab Helm chart repository:
helm repo add gitlab https://charts.gitlab.io
helm repo update
Run the following command to deploy quickly:
helm upgrade --install gitlab gitlab/gitlab \
--version 8.4.1 \
--timeout 6000s \
--set global.hosts.domain=example.com \
--set certmanager-issuer.email=mail@example.com \
--namespace=gitlab \
--create-namespace
This brings up a GitLab instance quickly; a few configuration items are customised here:
- --version 8.4.1: chart version 8.4.1, which corresponds to GitLab v17.4.1
- --timeout 6000s: deployment timeout of 6000s
- global.hosts.domain=example.com: the base domain. The hostnames that are actually generated are derived from it: with example.com configured, the GitLab service becomes gitlab.example.com and the MinIO service minio.example.com. A separate hostname can also be set per component; see values.yaml or the official documentation.
- certmanager-issuer.email: an e-mail address is required when using certificates issued by cert-manager
Everything else stays at the defaults. After a short wait, once the Jobs have completed and the Pods are running, GitLab can be opened in a browser using the domain. The default username is root, and the password can be retrieved with:
kubectl get secret -n gitlab gitlab-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo
Custom deployment
In many cases not every component in the chart is needed. For example, if cert-manager is already deployed in the cluster, or an existing certificate is going to be used, cert-manager does not need to be installed again: set certmanager.install to false and set global.ingress.tls.secretName to supply the certificate. Likewise, if the runner service is not needed, set gitlab-runner.install to false to skip installing it.
Configure a private image registry
Configure a private image registry to speed up image pulls:
global:
  enterpriseImages:
    # Default repositories used to pull Gitlab Enterprise Edition images.
    # See the image.repository and workhorse.repository template helpers.
    migrations:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-toolbox-ee
    sidekiq:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-sidekiq-ee
    toolbox:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-toolbox-ee
    webservice:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-webservice-ee
    workhorse:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-workhorse-ee
    geo-logcursor:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-geo-logcursor
  certificates:
    image:
      repository: docker.example.com/gitlab-org/build/cng/certificates
  kubectl:
    image:
      repository: docker.example.com/gitlab-org/build/cng/kubectl
  gitlabBase:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-base
gitlab:
  gitlab-shell:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-shell
    service:
      name: gitlab-shell
      type: NodePort
      nodePort: 32022
  kas:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-kas
  gitlab-exporter:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-exporter
  gitaly:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitaly
    cgroups:
      initContainer:
        image:
          repository: docker.example.com/gitlab-org/build/cng/gitaly-init-cgroups
  praefect:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitaly
registry:
  image:
    repository: docker.example.com/gitlab-org/build/cng/gitlab-container-registry
Custom IngressClass
GitLab installs nginx-ingress by default. If nginx-ingress is already installed in the cluster, the bundled one must be disabled:
- nginx-ingress.enabled=false: do not install the nginx-ingress bundled with GitLab
- global.ingress.class=traefik-ingress: set ingressClassName to the existing traefik-ingress
Edit values.yaml to disable the built-in Ingress class and point at the existing one:
global:
  ingress:
    class: traefik-ingress
nginx-ingress: &nginx-ingress
  enabled: false
Custom SSL certificate
When using a custom SSL certificate, cert-manager does not need to be installed; the following settings change:
- --set certmanager.install=false: do not deploy cert-manager
- --set global.ingress.tls.secretName=example-com-tls: use the custom certificate
Create the Secret holding the custom certificate:
kubectl create secret tls -n gitlab example-com-tls --key privkey.pem --cert fullchain.pem
Edit values.yaml to reference the Secret created above:
global:
  ingress:
    tls:
      secretName: example-com-tls
Configure LDAP
Create the Secret gitlab-ldap-main-password that holds the LDAP bind password:
kubectl create secret generic -n gitlab gitlab-ldap-main-password --from-literal=password=changeme
Edit values.yaml and update the LDAP settings:
appConfig:
  ldap:
    preventSignin: false
    servers:
      main:
        base: ou=Gitlab用户组,dc=example,dc=com
        bind_dn: uid=admin,ou=system
        encryption: plain
        host: 192.168.1.100
        label: LDAP
        password:
          secret: gitlab-ldap-main-password
        port: 30389
        uid: uid
        user_filter: (objectclass=*)
Configure SMTP
Create the Secret gitlab-outgoing-mail that holds the mailbox password:
kubectl create secret generic -n gitlab gitlab-outgoing-mail --from-literal=password=changeme
Edit values.yaml and update the SMTP settings:
smtp:
  enabled: true
  address: smtp.ym.163.com
  port: 994
  user_name: no-reply@example.com
  password:
    secret: gitlab-outgoing-mail
  authentication: "plain"
  tls: true
email:
  from: "no-reply@example.com"
Change the gitlab-shell Service type
So that code can be pulled over SSH, the gitlab-shell Service type is changed to NodePort, with nodePort 32022:
global:
  shell:
    port: 32022
gitlab:
  gitlab-shell:
    service:
      name: gitlab-shell
      type: NodePort
      nodePort: 32022
Complete values.yaml
Putting the customisations above together, a fairly complete values.yaml:
global:
  enterpriseImages:
    # Default repositories used to pull Gitlab Enterprise Edition images.
    # See the image.repository and workhorse.repository template helpers.
    migrations:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-toolbox-ee
    sidekiq:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-sidekiq-ee
    toolbox:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-toolbox-ee
    webservice:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-webservice-ee
    workhorse:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-workhorse-ee
    geo-logcursor:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-geo-logcursor
  certificates:
    image:
      repository: docker.example.com/gitlab-org/build/cng/certificates
  kubectl:
    image:
      repository: docker.example.com/gitlab-org/build/cng/kubectl
  gitlabBase:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-base
  ## https://docs.gitlab.com/charts/charts/globals#configure-host-settings
  hosts:
    domain: example.com
  ## https://docs.gitlab.com/charts/charts/globals#configure-ingress-settings
  ingress:
    class: traefik-ingress
    tls:
      secretName: example-com-tls
  appConfig:
    ## https://docs.gitlab.com/charts/charts/globals#ldap
    ldap:
      preventSignin: false
      servers:
        main:
          base: ou=Gitlab用户组,dc=example,dc=com
          bind_dn: uid=admin,ou=system
          encryption: plain
          host: 192.168.200.12
          label: LDAP
          password:
            secret: gitlab-ldap-main-password
          port: 30389
          uid: uid
          user_filter: (objectclass=*)
  ## https://docs.gitlab.com/charts/charts/globals#outgoing-email
  ## Outgoing email server settings
  smtp:
    enabled: true
    address: smtp.ym.163.com
    port: 994
    user_name: no-reply@example.com
    ## https://docs.gitlab.com/charts/installation/secrets#smtp-password
    password:
      secret: gitlab-outgoing-mail
    # domain:
    authentication: "plain"
    tls: true
  ## https://docs.gitlab.com/charts/charts/globals#outgoing-email
  ## Email persona used in email sent by GitLab
  email:
    from: "no-reply@example.com"
  ## Timezone for containers.
  time_zone: Asia/Shanghai
  ## https://docs.gitlab.com/charts/charts/globals#configure-gitlab-shell
  shell:
    port: 32022
## Settings for individual sub-charts under GitLab
## Note: Many of these settings are configurable via globals
gitlab:
  gitlab-shell:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-shell
    service:
      name: gitlab-shell
      type: NodePort
      nodePort: 32022
  kas:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-kas
  gitlab-exporter:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitlab-exporter
  gitaly:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitaly
    cgroups:
      initContainer:
        image:
          repository: docker.example.com/gitlab-org/build/cng/gitaly-init-cgroups
  praefect:
    image:
      repository: docker.example.com/gitlab-org/build/cng/gitaly
registry:
  image:
    repository: docker.example.com/gitlab-org/build/cng/gitlab-container-registry
## Settings for the Let's Encrypt ACME Issuer
certmanager-issuer:
  # The email address to register certificates requested from Let's Encrypt.
  # Required if using Let's Encrypt.
  email: mail@example.com
## Installation & configuration of jetstack/cert-manager
## See requirements.yaml for current version
certmanager:
  installCRDs: false
  # Install cert-manager chart. Set to false if you already have cert-manager
  # installed or if you are not using cert-manager.
  install: false
nginx-ingress: &nginx-ingress
  enabled: false
## Installation & configuration of gitlab/gitlab-runner
## See requirements.yaml for current version
gitlab-runner:
  install: false
minio:
  persistence:
    size: 100Gi
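The custom deployment, IngressClass, SSL certificate, LDAP and SMTP sections above each change a setting that only works if a second one is set alongside it (cert-manager off needs global.ingress.tls.secretName; the bundled nginx-ingress off needs global.ingress.class), and two of them decide whether credentials cross the network in cleartext (LDAP encryption: plain sends the bind password and every user login unencrypted; SMTP without tls does the same for the mailbox password). The script below is an added example, not part of the original post or of the GitLab chart: it lints a values.yaml for exactly those points. It assumes the chart key paths used on this page (certmanager.install, nginx-ingress.enabled, global.ingress.class, global.ingress.tls.secretName, global.appConfig.ldap.servers.*.encryption, global.smtp.tls) plus global.smtp.starttls_auto, and the sample inputs embedded in it are constructed. Its minimal parser is also an assumption made for the example: it covers only the nested-map YAML the excerpts use, so a real values file containing lists should be loaded with PyYAML instead and passed to lint_values as a dict-producing parse.

```python
# Added example (not from the original post or the GitLab chart): lint a values.yaml
# for the pairs of settings and the transport-security choices discussed above.
import re

# Constructed sample mirroring the page's choices: cert-manager off, external ingress
# class, LDAP bind over plain, SMTP over TLS. Trimmed to the keys the checks look at.
SAMPLE_VALUES = """\
global:
  ingress:
    class: traefik-ingress
    tls:
      secretName: example-com-tls
  appConfig:
    ldap:
      servers:
        main:
          encryption: plain
          password:
            secret: gitlab-ldap-main-password
  smtp:
    enabled: true
    tls: true
certmanager:
  install: false
nginx-ingress: &nginx-ingress
  enabled: false
"""
# Constructed variant with the LDAP bind switched to LDAPS (GitLab's simple_tls mode).
SAMPLE_HARDENED = SAMPLE_VALUES.replace("encryption: plain", "encryption: simple_tls")


def parse_simple_yaml(text):
    """Indentation-based parser for nested maps of scalars (assumption for this example):
    '#' comments and '&anchor' tags are dropped; lists, aliases and block scalars are not
    supported, which is enough for the excerpts on this page."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping) for each open level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # values on this page never contain '#'
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = re.sub(r"^&\S+\s*", "", value.strip()).strip("\"'")
        while stack[-1][0] >= indent:         # close deeper and sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value == "":                       # 'key:' opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def lookup(tree, path, default=None):
    """Walk a dotted path such as 'global.ingress.tls.secretName'."""
    node = tree
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_false(value):
    return str(value).lower() in ("false", "no", "off")


def lint_values(text):
    """Return (level, message) findings; an empty list means every check passed."""
    tree = parse_simple_yaml(text)
    findings = []
    # cert-manager off without a named TLS Secret leaves the Ingress with no certificate source.
    if is_false(lookup(tree, "certmanager.install", "true")) and not lookup(tree, "global.ingress.tls.secretName"):
        findings.append(("error", "certmanager.install=false but global.ingress.tls.secretName is not set"))
    # Bundled nginx-ingress off requires naming the cluster's existing ingress class.
    if is_false(lookup(tree, "nginx-ingress.enabled", "true")) and not lookup(tree, "global.ingress.class"):
        findings.append(("error", "nginx-ingress.enabled=false but global.ingress.class is not set"))
    # LDAP 'plain' sends the bind password and every user's login in cleartext; an inline
    # password (instead of a Secret reference) ends up stored in the Helm release history.
    servers = lookup(tree, "global.appConfig.ldap.servers", {})
    for name, server in (servers or {}).items():
        if not isinstance(server, dict):
            continue
        if str(server.get("encryption", "plain")).lower() == "plain":
            findings.append(("warn", f"ldap server '{name}': encryption=plain; use simple_tls or start_tls"))
        if isinstance(server.get("password"), str):
            findings.append(("warn", f"ldap server '{name}': inline password; reference a Secret instead"))
    # SMTP credentials should not cross the network unencrypted either.
    if (not is_false(lookup(tree, "global.smtp.enabled", "false"))
            and is_false(lookup(tree, "global.smtp.tls", "false"))
            and is_false(lookup(tree, "global.smtp.starttls_auto", "false"))):
        findings.append(("warn", "smtp.enabled=true without tls or starttls_auto"))
    return findings


if __name__ == "__main__":
    for level, msg in lint_values(SAMPLE_VALUES):
        print(f"[{level}] {msg}")
```

Run as-is it reports the one finding the page's own configuration has (the LDAP bind over plain); to check a real file, call lint_values(open("values.yaml").read()) before running helm upgrade, and treat any "error" line as a reason not to deploy.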
Deploy
helm upgrade --install gitlab gitlab/gitlab \
--version 8.4.1 \
--timeout 6000s \
-f values.yaml \
--namespace=gitlab \
--create-namespace
After the deployment completes, retrieve the password of the root super administrator:
kubectl get secret -n gitlab gitlab-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo