官方文档:Deploy the GitLab Helm chart | GitLab
官方文档(推荐,国内镜像):部署极狐GitLab Helm chart | 极狐GitLab
前提条件
cert-manager
nginx-ingress
添加代码仓库
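# Upstream chart repository. Use https so the repo index and chart archives are
# fetched over an authenticated channel (the original used plain http).
helm repo add gitlab https://charts.gitlab.io/
# JiHu (China) mirror
helm repo add gitlab-jh https://charts.gitlab.cn
# Download and unpack the chart into ./gitlab. For a reproducible install, pin the
# chart with --version <CHART_VERSION> (the chart release matching the GitLab
# version set in values.yaml) instead of taking whatever is newest.
helm pull gitlab/gitlab --untar
# JiHu (China) mirror
helm pull gitlab-jh/gitlab --untar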
修改values.yaml
global:
  common:
    labels: {}
  image: {}
  pod:
    labels: {}
  # Community Edition. The JiHu (China) chart keeps its default of "jh" here.
  edition: ce
  # Quoted so the version is kept as a string and never parsed as a number.
  gitlabVersion: '17.2.0'
  ## https://docs.gitlab.com/charts/charts/globals#application-resource
  application:
    create: false
    links: []
    allowClusterRoles: true
  hosts:
    # Base domain only; the chart derives the gitlab/registry/minio hostnames from it.
    domain: sreok.cn
    hostSuffix: null
    https: true
    externalIP: null
    ssh: null
    gitlab: {}
    minio: {}
    registry: {}
    tls: {}
    smartcard: {}
    kas: {}
    pages: {}
  ingress:
    apiVersion: ''
    # cert-manager is already installed in the cluster, so the chart must not
    # try to configure (or rely on) its own instance.
    configureCertmanager: false
    useNewIngressForCerts: false
    provider: nginx
    # Must equal the IngressClass name of the externally installed nginx controller.
    class: nginx
    annotations: {}
    enabled: true
    tls:
      # Pre-existing Secret holding the self-signed certificate. It must live in the
      # release namespace and cover every hostname derived from hosts.domain
      # (a wildcard for the domain is the usual choice).
      enabled: true
      secretName: devops-tls
    path: /
    pathType: Prefix
...
...
...
certmanager:
  # cert-manager is already present in the cluster: ship neither its CRDs nor
  # the controller a second time.
  installCRDs: false
  nameOverride: certmanager
  install: false
  rbac:
    create: true
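nginx-ingress: &nginx-ingress
  # The bundled controller is not deployed; the externally installed nginx-ingress
  # selected by global.ingress.class serves the Ingress objects instead.
  # NOTE: everything under controller.config below (HSTS, cipher suites, TLS
  # versions, server-tokens, annotation blocklist) only reaches the bundled
  # controller. The external controller needs an equivalent ConfigMap of its own
  # or it runs with its defaults.
  enabled: false
  tcpExternalConfig: "true"
  controller: &nginx-ingress-controller
    addHeaders:
      Referrer-Policy: strict-origin-when-cross-origin
    config: &nginx-ingress-controller-config
      # Words that may not appear in annotation values; blocks the directives an
      # Ingress author could use to inject arbitrary nginx configuration.
      annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\""
      hsts: "true"
      # Subdomains are left out of HSTS; set to "true" once every host under the
      # domain is HTTPS-only.
      hsts-include-subdomains: "false"
      hsts-max-age: "63072000"
      server-name-hash-bucket-size: "256"
      use-http2: "true"
      ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
      ssl-protocols: "TLSv1.3 TLSv1.2"
      # Do not reveal the nginx version in headers and error pages.
      server-tokens: "false"
      # Configure smaller defaults for upstream-keepalive-*, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration
      # ConfigMap data values are strings; quoted for consistency with the keys above
      # so the numbers are never emitted as YAML integers.
      upstream-keepalive-connections: "100"  # Limit of 100 held-open connections
      upstream-keepalive-time: "30s"  # 30 second limit for connection reuse
      upstream-keepalive-timeout: "5"  # 5 second timeout to hold open idle connections
      upstream-keepalive-requests: "1000"  # 1000 requests per connection, before recycling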
...
...
...
prometheus:
  # The bundled Prometheus is not deployed. The settings below only take effect
  # if install is switched back to true.
  install: false
  rbac:
    create: true
  alertmanager:
    enabled: false
  alertmanagerFiles:
    alertmanager.yml: {}
  kubeStateMetrics:
    enabled: false
  nodeExporter:
    enabled: false
  pushgateway:
    enabled: false
  server:
    # Metrics retention window.
    retention: '15d'
    strategy:
      type: Recreate
    image:
      tag: 'v2.38.0'
...
...
...
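gitlab-runner:
  # Not deployed: the runner chart does not work against an instance served with a
  # self-signed certificate, see
  # https://docs.gitlab.com/charts/installation/tls.html#option-4-use-auto-generated-self-signed-wildcard-certificate
  install: false
  rbac:
    create: true
  runners:
    locked: false
    # Non-empty placeholder; presumably replaced with the real registration secret
    # by the parent chart -- verify before enabling the runner.
    secret: "nonempty"
    config: |
      [[runners]]
        [runners.kubernetes]
        image = "ubuntu:22.04"
        {{- if .Values.global.minio.enabled }}
        [runners.cache]
          Type = "s3"
          Path = "gitlab-runner"
          Shared = true
          [runners.cache.s3]
            ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }}
            BucketName = "runner-cache"
            BucketLocation = "us-east-1"
            Insecure = false
        {{ end }}
  podAnnotations:
    gitlab.com/prometheus_scrape: "true"
    # Kubernetes annotation values must be strings; quoted so the port is not
    # rendered as an integer in the pod template.
    gitlab.com/prometheus_port: "9252"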
...
...
...
按上面标有中文注释的位置修改对应配置项。
安装
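cd gitlab/
# Install or upgrade release "gitlab" into namespace devops from the unpacked chart
# (its values.yaml was edited above). --create-namespace lets the first run succeed
# when the namespace does not exist yet. The TLS Secret named in
# global.ingress.tls.secretName must already exist in that namespace.
helm upgrade --install gitlab . -n devops --create-namespace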
获取密码
# Read the generated initial root password; it is stored base64-encoded in the Secret.
# Change the root password after the first login -- the Secret is not updated afterwards.
kubectl get secret -n devops gitlab-gitlab-initial-root-password -o jsonpath='{.data.password}' | base64 -d; echo
# Alternatively dump the whole Secret and decode the "password" field by hand (base64 -d).
kubectl get secret -n devops gitlab-gitlab-initial-root-password -o yaml
客户端导入自签证书
# Trust the self-signed CA for HTTPS clones by pointing git at the CA file;
# this keeps certificate verification on instead of disabling http.sslVerify.
git config --global http.sslCAInfo '/path/to/ca.crt'