gitlab + k8s + gitlab-ci + helm 持续集成
文章目录
- gitlab + k8s + cicd + helm 持续集成
- 简介
- Kubernetes 搭建步骤
- 安装前的准备 (所有节点)
- docker 安装 (所有节点)
- kubernetes 安装 (所有节点)
- kubernetes flannel 安装: (所有节点)
- 创建 k8s 主节点 (主节点)
- Nodes 加入集群
- gitlab & runner 搭建步骤
- gitlab 安装:
- gitlab-runner 安装:
- helm 安装:
- k8s 安装 gitlab-runner 整合 helm 3
- 骚操作
- 修改 docker 容器对外映射端口:
- 命名空间创建
- 为 k8s 集群创建 secret (imagePullSecrets):
- 配置 docker 镜像加速
- 配置 docker 私有库 http 访问
- 配置 helm repo
- 错误处理
- gitlab 重启后 502
- error during connect: Post http://docker:2375/v1.40/auth:
- 参考文献
gitlab + k8s + cicd + helm 持续集成
测试项目地址: https://gitee.com/texousliu/demo-gitlabci.git
简介
- 文章主要讲了 gitlab docker 搭建,k8s 集群搭建,gitlab-ci 和 k8s 集成持续交付
- 项目总共用了 4 台服务器:1 台装 gitlab, 3 台装 k8s 集群
- gitlab 服务器安装 docker、gitlab for docker,gitlab-runner for docker
- gitlab-runner 主要用来打包构建镜像,并推送到 gitlab container registry
- gitlab 服务器安装前准备只要关闭防火墙即可
- k8s 集群安装 docker、k8s、flannel
- k8s master 安装 helm、gitlab-runner
- helm 编排容器
- gitlab-runner 执行 helm ,发布项目
Kubernetes 搭建步骤
安装前的准备 (所有节点)
关闭防火墙
$ systemctl stop firewalld
$ systemctl disable firewalld
关闭 swap
$ swapoff -a # 临时
$ vi /etc/fstab # 永久, 注释 swap 那一行
设置主机名
$ vi /etc/sysconfig/network
# HOSTNAME=k8s-master
添加 主机名与 ip 映射
$ cat /etc/hosts
172.16.3.40 k8s-master
172.16.3.41 k8s-node1
172.16.3.42 k8s-node2
同步时间
$ yum install ntpdate -y
$ ntpdate ntp.api.bz
docker 安装 (所有节点)
- docker for centos 官方文档 (英文)
- docker 安装博客
移除旧 docker
$ sudo yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine
安装必要的包
$ sudo yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
配置 stable 仓库
$ sudo yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
安装 docker
$ sudo yum install docker-ce docker-ce-cli containerd.io
启动 docker
$ sudo systemctl start docker
配置开机启动
$ sudo systemctl enable docker
kubernetes 安装 (所有节点)
- Kubernetes 安装教程官网 (英文)
编写 kubernetes.repo 文件
$ cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
关闭 selinux
$ setenforce 0
$ sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
安装 kubelet kubeadm kubectl
$ yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
配置启动 kubelet
$ systemctl enable --now kubelet
流量桥接(如果需要)
$ cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
$ sysctl --system
kubernetes flannel 安装: (所有节点)
- Kubernetes flannel 安装官网 (英文)
执行安装命令
$ kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/2140ac876ef134e0ed5af15c65e414cf26827915/Documentation/kube-flannel.yml
创建 k8s 主节点 (主节点)
- Kubernetes 主节点初始化官网 (英文)
$ kubeadm init \
--apiserver-advertise-address=192.168.220.35 \
--image-repository registry.aliyuncs.com/google_containers \
--kubernetes-version v1.17.0 \
--service-cidr=10.1.0.0/16 \
--pod-network-cidr=10.244.0.0/16
# --apiserver-advertise-address: 填写主节点 ip
# --image-repository: 国内使用 aliyun 镜像
# --kubernetes-version: k8s 版本号
# 后面两个配置不需要变,固定就好
# 安装好后日志打印的最后一行需要保留下来, 这是 node 节点加入的命令: 如果命令过期的话,需要重新生成 secret
$ mkdir -p $HOME/.kube
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
Nodes 加入集群
根据主节点安装成功日志打印最后一行提示加入
gitlab & runner 搭建步骤
gitlab 安装:
- Gitlab Fot Docker 官方文档
- Gitlab For Docker 安装配置博客
获取 gitlab 镜像
$ docker pull gitlab/gitlab-ce
运行 gitlab 镜像
说明:5005 是用来开启私有镜像仓库的端口, 如果需要开启私有镜像仓库的则需要映射
$ docker run -d \
--name gitlab --restart always \
-p 443:443 -p 80:80 -p 222:22 -p 5005:5005 \
-v /home/gitlab/config:/etc/gitlab \
-v /home/gitlab/logs:/var/log/gitlab \
-v /home/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce
# -d:后台运行
# -p:将容器内部端口向外映射
# --name:命名容器名称
# -v:将容器内数据文件夹或者日志、配置等文件夹挂载到宿主机指定目录
配置 gitlab
$ vi /home/gitlab/config/gitlab.rb
# 配置http协议所使用的访问地址,不加端口号默认为80
external_url 'http://192.168.220.40'
# 配置ssh协议所使用的访问地址和端口
gitlab_rails['gitlab_ssh_host'] = '192.168.220.40'
gitlab_rails['gitlab_shell_ssh_port'] = 222 # 此端口是run时22端口映射的222端口
# 如果不想开启镜像仓库则不需要下面的配置: 比如已经有 nexus3 或者不使用 gitlab-ci/cd 流程
registry_external_url 'http://192.168.220.40:5005'
gitlab_rails['registry_enabled'] = true
gitlab_rails['registry_host'] = "192.168.220.40"
gitlab_rails['registry_port'] = "5005"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"
重启 gitlab
$ docker restart gitlab
gitlab-runner 安装:
- Gitlab-runner For Docker 官方文档
- 如果需要集成 gitlab cicd 发布流程的则需要安装 gitlab-runner
- gitlab-runner 的安装不需要和 gitlab 在同一台服务启
安装 gitlab-runner
$ docker run -d --name gitlab-runner --restart always \
-v /srv/gitlab-runner/config:/etc/gitlab-runner \
-v /var/run/docker.sock:/var/run/docker.sock \
gitlab/gitlab-runner:latest
注册 runner
$ docker run --rm -t -i -v /srv/gitlab-runner/config:/etc/gitlab-runner gitlab/gitlab-runner register
# 输入 gitlab -> settings -> runners 中的 url
# 输入 gitlab -> settings -> runners 中的 token
# 输入描述
# 输入 tags gitlab cicd 的时候要用到
# 选择 runner exector
# 如果是 docker exector
# alpine:latest
配置 maven 挂载
配置后就不用每次都去远程下载 jar
$ vi /srv/gitlab-runner/config/config.toml
# 找到 volumes
# volumes = ["/var/run/docker.sock:/var/run/docker.sock","/cache","/data/.m2/:/root/.m2/"]
# .gitlab-ci.yml 添加
# variables:
# MAVEN_OPTS: "-Dmaven.repo.local=/root/.m2"
配置 docker 私有库 http 访问
配置后访问私有镜像仓库才不会走 https
$ cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com", "http://hub-mirror.c.163.com"],
"insecure-registries":["192.168.220.40:5005"]
}
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
helm 安装:
- helm 官方文档
下载文件 & 解压文件
$ tar -zxvf helm-v3.0.2-linux-amd64.tar.gz
配置 helm
$ mv linux-amd64/helm /usr/local/bin/helm
查看是否安装成功
$ helm help
k8s 安装 gitlab-runner 整合 helm 3
- gitlab-runner for k8s 官方文档
- gitlab-runner 安装到 default namespace:
下载 gitlab-runner charts
$ helm pull gitlab/gitlab-runner
解压下载后的 *.tgz
$ tar -zxvf gitlab-runner-0.12.0.tgz
进入 gitlab-runner 修改 values.yaml
$ vi gitlab-runner/values.yaml
gitlabUrl: https://gitlab.example.com/
runnerRegistrationToken: ""
rbac:
create: true
clusterWideAccess: true
serviceAccountName: gitlab-runner-gitlab-runner
runners:
tags: ""
serviceAccountName: gitlab-runner-gitlab-runner
添加 helm 仓库
$ helm repo add gitlab https://charts.gitlab.io
启动 gitlab-runner
# For Helm 3
$ helm install --namespace <NAMESPACE> gitlab-runner -f <CONFIG_VALUES_FILE> gitlab/gitlab-runner
更新配置
$ helm upgrade --namespace <NAMESPACE> -f values.yaml gitlab-runner gitlab/gitlab-runner
创建角色: 用来追加权限,helm 权限不足
# 添加配置文件
$ vi role-gitlab-runner-services.yaml
# 配置文件内容
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-runner-services
rules:
- apiGroups:
- ""
resources:
- services
- secrets
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- "apps"
resources:
- deployments
verbs:
- get
- list
- watch
- create
- patch
- delete
# 执行配置文件
$ kubectl apply -f role-gitlab-runner-services.yaml
绑定 serviceaccount 和 role
$ kubectl create clusterrolebinding crbd-gitlab-runner-serivces \
--clusterrole=gitlab-runner-services \
--serviceaccount=<NAMESPACE>:gitlab-runner-gitlab-runner \
--namespace=<NAMESPACE>
如果 上面两步有问题可以执行以下语句重新设置
# 删除角色用户绑定
$ kubectl delete clusterrolebinding crbd-gitlab-runner-serivces
# 删除角色
$ kubectl delete clusterrole gitlab-runner-services
骚操作
修改 docker 容器对外映射端口:
- docker容器添加对外映射端口
获取容器
$ docker ps -a
查看 Id
$ docker inspect --containerid-- | grep Id
进入容器对应目录
$ cd /var/lib/docker/containers
$ cd --Id--
停止 docker
$ systemctl stop docker
修改对应文件:config.v2.json, hostconfig.json
$ vi hostconfig.json
# 关键字 PortBindings
$ vi config.v2.json
# 关键字 ExposedPorts
重启 docker
$ systemctl start docker
命名空间创建
编写 yaml 文件
$ vi gitlab-runner-namespaces.yaml
apiVersion: v1
kind: Namespace
metadata:
name: web-servers
labels:
name: web-servers
创建命名空间
$ kubectl apply -f gitlab-runner-namespaces.yaml
为 k8s 集群创建 secret (imagePullSecrets):
- k8s实战之从私有仓库拉取镜像 - kubernetes
登录 docker (gitlab 登录的用户名和密码:或者在管理员处生成 token)
$ docker login 192.168.220.40:5005 -u root -p ****
验证账户是否有拉取镜像的权限
$ docker pull ***
创建 secret
$ kubectl -n [namespace] create secret docker-registry [secret-key] \
--docker-server=192.168.220.40:5005 \
--docker-username=root \
--docker-password=****
配置 k8s 项目发布文件 imagePullSecrets
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-api
namespace: web-servers
spec:
selector:
matchLabels:
app: test-api
replicas: 3
template:
metadata:
labels:
app: test-api
namespace: web-servers
spec:
imagePullSecrets:
- name: [secret-key]
containers:
- name: test-api
image: 192.168.220.40:5005/test-group/test-api:master
imagePullPolicy: Always
env:
envFrom:
ports:
- name: http
containerPort: 7080
配置 docker 镜像加速
$ cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com", "http://hub-mirror.c.163.com"]
}
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
配置 docker 私有库 http 访问
$ cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://registry.docker-cn.com", "http://hub-mirror.c.163.com"],
"insecure-registries":["192.168.220.40:5005"]
}
$ sudo systemctl daemon-reload
$ sudo systemctl restart docker
配置 helm repo
# stable https://kubernetes-charts.storage.googleapis.com/
# incubator https://aliacs-app-catalog.oss-cn-hangzhou.aliyuncs.com/charts-incubator/
# gitlab https://charts.gitlab.io
# aliyuncs https://apphub.aliyuncs.com
# bitnami https://charts.bitnami.com/bitnami
$ helm repo add --name-- --url--
错误处理
gitlab 重启后 502
==> /var/log/gitlab/unicorn/unicorn_stderr.log <==
ArgumentError: Already running on PID:464 (or pid=/opt/gitlab/var/unicorn/unicorn.pid is stale)
/opt/gitlab/embedded/lib/ruby/gems/2.6.0/gems/unicorn-5.4.1/lib/unicorn/http_server.rb:205:in `pid='
/opt/gitlab/embedded/lib/ruby/gems/2.6.0/gems/unicorn-5.4.1/lib/unicorn/http_server.rb:137:in `start'
/opt/gitlab/embedded/lib/ruby/gems/2.6.0/gems/unicorn-5.4.1/bin/unicorn:126:in `>'
/opt/gitlab/embedded/bin/unicorn:23:in `load'
/opt/gitlab/embedded/bin/unicorn:23:in `>'
直接进入容器 docker exec -it gitlab /bin/bash 删除 unicorn.pid rm -f /opt/gitlab/var/unicorn/unicorn.pid
error during connect: Post http://docker:2375/v1.40/auth:
在 .gitlab-ci.yml 中添加
services:
- docker:dind
或者编辑 config.toml: volumes = ["/var/run/docker.sock:/var/run/docker.sock","/cache","/data/.m2/.m2/"]
官方不建议 docker:dind 和 volumes 同时使用,会报警告
运行中如果出现警告
8 *** WARNING: Service runner-54veezcJ-project-1-concurrent-0-docker-0 probably didn't start properly.
9 Health check error:
10 service "runner-54veezcJ-project-1-concurrent-0-docker-0-wait-for-service" timeout
11 Health check container logs:
12 Service container logs:
13 2020-01-12T03:47:12.937638103Z Generating RSA private key, 4096 bit long modulus (2 primes)
14 2020-01-12T03:47:13.372231321Z .......................................................................................................................++++
15 2020-01-12T03:47:13.802294515Z ............................................................................................................................++++
16 2020-01-12T03:47:13.802602245Z e is 65537 (0x010001)
17 2020-01-12T03:47:13.825214061Z Generating RSA private key, 4096 bit long modulus (2 primes)
18 2020-01-12T03:47:13.898733513Z ...................++++
19 2020-01-12T03:47:14.152767307Z ........................................................................++++
20 2020-01-12T03:47:14.153038007Z e is 65537 (0x010001)
21 2020-01-12T03:47:14.188604234Z Signature ok
22 2020-01-12T03:47:14.188640014Z subject=CN = docker:dind server
23 2020-01-12T03:47:14.188645194Z Getting CA Private Key
24 2020-01-12T03:47:14.199326798Z /certs/server/cert.pem: OK
25 2020-01-12T03:47:14.202184844Z Generating RSA private key, 4096 bit long modulus (2 primes)
26 2020-01-12T03:47:14.704597101Z ................................................................................................................................................++++
27 2020-01-12T03:47:14.849756207Z ........................................++++
28 2020-01-12T03:47:14.850123836Z e is 65537 (0x010001)
29 2020-01-12T03:47:14.872807703Z Signature ok
30 2020-01-12T03:47:14.872845853Z subject=CN = docker:dind client
31 2020-01-12T03:47:14.872929393Z Getting CA Private Key
32 2020-01-12T03:47:14.884195236Z /certs/client/cert.pem: OK
33 2020-01-12T03:47:14.889143189Z mount: permission denied (are you root?)
34 2020-01-12T03:47:14.889326308Z Could not mount /sys/kernel/security.
35 2020-01-12T03:47:14.889347098Z AppArmor detection and --privileged mode might break.
36 2020-01-12T03:47:14.890875106Z mount: permission denied (are you root?)
37 *********
可以通过配置 config.toml
$ vi /srv/gitlab-runner/config/config.toml
# privileged = true
参考文献
- docker for centos 官方文档 (英文)
- docker 安装博客
- Kubernetes 安装教程官网 (英文)
- Kubernetes flannel 安装官网 (英文)
- Kubernetes 主节点初始化官网 (英文)
- Gitlab Fot Docker 官方文档
- Gitlab For Docker 安装配置博客
- Gitlab-runner For Docker 官方文档
- helm 官方文档
- gitlab-runner for k8s 官方文档
- docker容器添加对外映射端口
- k8s实战之从私有仓库拉取镜像 - kubernetes