官方文档:Deploy the GitLab Helm chart | GitLab

官方文档(推荐,国内镜像):部署极狐GitLab Helm chart | 极狐GitLab

前提条件

  • cert-manager

  • nginx-ingress

添加代码仓库

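# Register the official GitLab chart repository.
# Use HTTPS so the repository index and chart archives are fetched over an
# authenticated, integrity-protected channel; over plain HTTP a party on the
# network path could alter what Helm downloads.
helm repo add gitlab https://charts.gitlab.io/
# China-region edition (JiHu GitLab)
helm repo add gitlab-jh https://charts.gitlab.cn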
# Download the chart and unpack it into ./gitlab so values.yaml can be edited.
# No --version is given, so the newest chart in the repository is pulled; pin
# one (--version <CHART_VERSION>) to keep the install reproducible and matched
# to the gitlabVersion used in values.yaml.
helm pull gitlab/gitlab --untar
# China-region edition (JiHu GitLab)
helm pull gitlab-jh/gitlab --untar

修改values.yaml

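# Global settings shared by the GitLab chart and its sub-charts.
# Entries the page changes are marked "Changed"; nesting is restored here
# because the flattened listing would otherwise parse as one flat mapping
# with duplicate keys.
global:
  common:
    labels: {}

  image: {}

  pod:
    labels: {}

  # Changed: "ce" selects the Community Edition.
  # The China-region (JiHu) chart needs no change here; its default is "jh".
  edition: ce

  gitlabVersion: "17.2.0"

  ## https://docs.gitlab.com/charts/charts/globals#application-resource
  application:
    create: false
    links: []
    # NOTE(review): presumably permits cluster-scoped roles for the release;
    # confirm this matches the cluster's least-privilege policy.
    allowClusterRoles: true
  hosts:
    # Changed: set to your own domain. Only the base domain is needed;
    # the per-service host names are derived from it.
    domain: sreok.cn
    hostSuffix:
    https: true
    externalIP:
    ssh:
    gitlab: {}
    minio: {}
    registry: {}
    tls: {}
    smartcard: {}
    kas: {}
    pages: {}
  ingress:
    apiVersion: ""
    # Changed to false: cert-manager is already installed, so the chart
    # does not need to set it up. Certificates then come from the secret
    # named under "tls" below instead of being issued by the chart.
    configureCertmanager: false
    useNewIngressForCerts: false
    provider: nginx
    # Changed: name of the IngressClass served by the existing controller.
    class: nginx
    annotations: {}
    enabled: true
    tls:
      # Existing secret that holds the self-signed certificate.
      # NOTE(review): an Ingress can only reference a TLS secret in its own
      # namespace, and the certificate has to cover every service host name
      # under the domain above. Clients must be given the CA certificate
      # rather than turning certificate verification off.
      enabled: true
      secretName: devops-tls
    path: /
    pathType: Prefix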

...
...
...

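# Bundled cert-manager sub-chart: switched off because cert-manager is
# already installed in the cluster.
certmanager:
  # Changed: do not install the cert-manager CRDs (already installed).
  installCRDs: false
  nameOverride: certmanager
  # Changed: do not install the bundled cert-manager (already installed).
  install: false
  rbac:
    create: true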

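# Bundled ingress-nginx sub-chart.
# NOTE(review): with "enabled: false" this sub-chart is presumably not
# rendered, so the controller settings below (TLS protocols and ciphers,
# HSTS, server-tokens, the annotation blocklist) do not reach the ingress
# controller that is already running in the cluster. Apply equivalent
# hardening to that controller's own configuration.
nginx-ingress: &nginx-ingress
  # Changed: do not install the bundled nginx-ingress.
  enabled: false
  tcpExternalConfig: "true"
  controller: &nginx-ingress-controller
    addHeaders:
      Referrer-Policy: strict-origin-when-cross-origin
    config: &nginx-ingress-controller-config
      # Words rejected in Ingress annotation values.
      annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""
      hsts: "true"
      hsts-include-subdomains: "false"
      hsts-max-age: "63072000"
      server-name-hash-bucket-size: "256"
      use-http2: "true"
      # AEAD suites with forward secrecy only; null, export, DES, MD5, PSK
      # and RC4 suites are excluded explicitly.
      ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
      ssl-protocols: "TLSv1.3 TLSv1.2"
      # Do not advertise the nginx version in responses.
      server-tokens: "false"
      # Configure smaller defaults for upstream-keepalive-*, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration
      upstream-keepalive-connections: 100 # Limit of 100 held-open connections
      upstream-keepalive-time: 30s # 30 second limit for connection reuse
      upstream-keepalive-timeout: 5 # 5 second timeout to hold open idle connections
      upstream-keepalive-requests: 1000 # 1000 requests per connection, before recycling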

...
...
...
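# Bundled Prometheus sub-chart: switched off; the remaining keys are the
# values it would use if it were installed.
prometheus:
  # Changed: do not install the bundled Prometheus.
  install: false
  rbac:
    create: true
  alertmanager:
    enabled: false
  alertmanagerFiles:
    alertmanager.yml: {}
  kubeStateMetrics:
    enabled: false
  nodeExporter:
    enabled: false
  pushgateway:
    enabled: false
  server:
    retention: 15d
    strategy:
      type: Recreate
    image:
      tag: v2.38.0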

...
...
...
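# Bundled GitLab Runner sub-chart.
gitlab-runner:
  # With a self-signed certificate the gitlab-runner chart does not work
  # properly. Reference: https://docs.gitlab.com/charts/installation/tls.html#option-4-use-auto-generated-self-signed-wildcard-certificate
  # Changed: do not install the bundled gitlab-runner.
  install: false
  rbac:
    create: true
  runners:
    locked: false
    # NOTE(review): "nonempty" looks like a placeholder that only has to be
    # a non-empty string, not a credential — confirm against the chart.
    secret: "nonempty"
    # Runner config.toml template; the lines inside the block scalar are
    # content, so no comments are added there.
    config: |
      [[runners]]
        [runners.kubernetes]
        image = "ubuntu:22.04"
        {{- if .Values.global.minio.enabled }}
        [runners.cache]
          Type = "s3"
          Path = "gitlab-runner"
          Shared = true
          [runners.cache.s3]
            ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }}
            BucketName = "runner-cache"
            BucketLocation = "us-east-1"
            Insecure = false
        {{ end }}
  podAnnotations:
    gitlab.com/prometheus_scrape: "true"
    gitlab.com/prometheus_port: 9252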
...
...
...

只需修改注释中写明要改动的配置项。

安装

# Run from the unpacked chart directory so "." is the edited chart.
cd gitlab/
# Install (or upgrade) the release "gitlab" in namespace "devops".
# The TLS secret named in global.ingress.tls.secretName is read from this
# namespace, so it has to exist there before the ingresses can serve HTTPS.
helm upgrade --install -n devops gitlab .

获取密码

# Print the initial root password.
# Secret data is only base64-encoded, not encrypted: anyone allowed to read
# secrets in this namespace can recover it, so restrict that permission and
# change the root password after the first sign-in. The value also stays in
# the terminal scrollback.
kubectl get secret  -n devops gitlab-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo

# Alternative: dump the whole secret as YAML
kubectl get secrets -n devops gitlab-gitlab-initial-root-password -o yaml
# then decode the "password" field with base64 -d (decoding, not decryption)

客户端导入自签证书

# Make Git trust the self-signed CA instead of disabling certificate
# verification. --global applies this to every repository of the user, and
# the file may replace the default CA bundle for other HTTPS remotes too;
# a per-host setting (http.<url>.sslCAInfo) limits it to this server.
git config --global http.sslCAInfo /path/to/ca.crt