1. kubernetes 安装

(1)更新内核

  1. $ curl -fsSL https://gitee.com/jack_zang/kubernetes/raw/master/install/kubeadm_install_kernel.sh | bash
  2. $ reboot

(2) 开启 ipvs

  1. $ curl -fsSL https://gitee.com/jack_zang/kubernetes/raw/master/install/kubeadm_enable_ipvs.sh | bash

(3) 安装 kubernetes(第 1 条命令已被注释,实际执行第 2 条:用 sed 把安装脚本中的版本号 1.16.6 替换为 1.14.8,与下文 kubeadm-config.yaml 里的 kubernetesVersion: v1.14.8 保持一致)

  1. #$ curl -fsSL https://gitee.com/jack_zang/kubernetes/raw/master/install/kubeadm_install_kubernetes.sh | bash
  2. $ curl -fsSL https://gitee.com/jack_zang/kubernetes/raw/master/install/kubeadm_install_kubernetes.sh|sed s/1.16.6/1.14.8/g | bash

(4) 创建初始化配置文件

  1. $ cat > /etc/kubernetes/kubeadm-config.yaml <<EOF
  2. apiVersion: kubeadm.k8s.io/v1beta1
  3. kind: ClusterConfiguration
  4. kubernetesVersion: v1.14.8
  5. controlPlaneEndpoint: "192.168.20.61:6443"
  6. apiServer:
  7. certSANs:
  8. - 192.168.20.61
  9. networking:
  10. podSubnet: 10.244.0.0/16
  11. imageRepository: "registry.aliyuncs.com/google_containers"
  12. ---
  13. apiVersion: kubeproxy.config.k8s.io/v1alpha1
  14. kind: KubeProxyConfiguration
  15. mode: ipvs
  16. EOF

(5) 初始化集群(第 4 条命令把 calico 清单中的 192.168.0.0/16 替换为 10.244.0.0/16,与配置文件中的 podSubnet 保持一致)

  1. $ kubeadm init --config /etc/kubernetes/kubeadm-config.yaml
  2. $ mkdir -p $HOME/.kube
  3. $ cp -f /etc/kubernetes/admin.conf ${HOME}/.kube/config
  4. $ curl -fsSL https://docs.projectcalico.org/v3.9/manifests/calico.yaml| sed "s@192.168.0.0/16@10.244.0.0/16@g" | kubectl apply -f -

(6) 其它 node 节点加入集群

  1. $ kubeadm token create --print-join-command # master 节点执行,然后拷贝到 Node 节点执行

(7) 创建持久存储

//安装nfs

  1. $ curl -fsSL https://gitee.com/jack_zang/kubernetes/raw/master/nfs/nfs_install.sh | bash

//创建 nfs 相关资源:serviceaccount、nfs deployment 以及 class.yaml

  1. $ kubectl apply -f https://gitee.com/jack_zang/kubernetes/raw/master/nfs/serviceaccount.yaml
  2. $ kubectl apply -f https://gitee.com/jack_zang/kubernetes/raw/master/nfs/nfs_deployment.yaml
  3. $ kubectl apply -f https://gitee.com/jack_zang/kubernetes/raw/master/nfs/class.yaml

(8) 安装 ingress-control

参考:https://kubernetes.github.io/ingress-nginx/deploy/#bare-metal

//NodePort 方式(直接应用 baremetal 的 deploy.yaml)

  1. $ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/deploy.yaml

//负载均衡器(LoadBalancer)方式:把 deploy.yaml 中的 NodePort 替换为 LoadBalancer,裸金属环境下一般需要配合下文 (9) 安装的 metallb 来分配地址

  1. $ curl -fsSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/deploy.yaml | sed "s@NodePort@LoadBalancer@g" | kubectl apply -f -

(9) 安装 metallb

  1. $ kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.9.3/manifests/namespace.yaml
  2. $ kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.9.3/manifests/metallb.yaml
  3. $ kubectl create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)"
  4. $ cat > metalLB-config.yaml <<EOF
  5. apiVersion: v1
  6. kind: ConfigMap
  7. metadata:
  8. namespace: metallb-system
  9. name: config
  10. data:
  11. config: |
  12. address-pools:
  13. - name: default
  14. protocol: layer2
  15. addresses:
  16. - 192.168.20.20-192.168.20.25
  17. EOF
  18. $ kubectl apply -f metalLB-config.yaml

2. 配置 gitlab

由于国内的一些原因,有些镜像(例如 gcr.io/kubernetes-helm/tiller)无法下载,所以需要对 gitlab 内置的 helm 相关文件做如下修改。

//修改 helm 工具的 pod 定义:只把 image 的下载地址改为 harbor.xiodi.cn/tools,镜像名称(由 HELM_VERSION 与 KUBECTL_VERSION 拼接的部分)保持不变

  1. $ vim /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/kubernetes/helm/pod.rb
  2. ...
  3. def container_specification
  4. {
  5. name: 'helm',
  6. image: "harbor.xiodi.cn/tools/#{Gitlab::Kubernetes::Helm::HELM_VERSION}-kube-#{Gitlab::Kubernetes::Helm::KUBECTL_VERSION}",
  7. env: generate_pod_env(command),
  8. command: %w(/bin/sh),
  9. args: %w(-c $(COMMAND_SCRIPT))
  10. }
  11. end
  12. ...

//修改 helm init 命令

$ vim /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/kubernetes/helm/init_command.rb
...
       # Builds the `helm init` command string: the base arguments plus
       # init_command_flags, shell-joined into a single line.
       # The stable chart repo and the tiller image point at internal
       # mirrors (mirror.azure.cn and harbor.xiodi.cn) instead of the
       # upstream gcr.io/kubernetes-helm/tiller:v2.16.3 image named below;
       # keep these values in sync with init_command in client_command.rb.
       def init_helm_command
          command = %w[helm init --stable-repo-url http://mirror.azure.cn/kubernetes/charts/ --tiller-image harbor.xiodi.cn/tools/tiller:v2.16.3 ] + init_command_flags

          command.shelljoin
        end

...

原始镜像名称为 gcr.io/kubernetes-helm/tiller:v2.16.3,上面已替换为 harbor.xiodi.cn/tools/tiller:v2.16.3;--stable-repo-url 也同时改为 http://mirror.azure.cn/kubernetes/charts/。

//修改 client 端的 helm init 命令(镜像地址与 stable repo 需与上面 init_command.rb 中的保持一致)

$ vim /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/kubernetes/helm/client_command.rb
...
       # Returns the shell snippet used to initialise helm for the client.
       # With local tiller enabled it starts a tiller process on
       # localhost:44134 and does a client-only init; otherwise it runs
       # `helm init --upgrade` against the same internal mirrors used in
       # init_command.rb (mirror.azure.cn chart repo, harbor.xiodi.cn
       # tiller image) — keep the two files in sync.
       def init_command
          if local_tiller_enabled?
            <<~HEREDOC.chomp
            export HELM_HOST="localhost:44134"
            tiller -listen ${HELM_HOST} -alsologtostderr &
            helm init --client-only
            HEREDOC
          else
            # Here we are always upgrading to the latest version of Tiller when
            # installing an app. We ensure the helm version stored in the
            # database is correct by also updating this after transition to
            # :installed,:updated in Clusters::Concerns::ApplicationStatus
            'helm init --upgrade --stable-repo-url http://mirror.azure.cn/kubernetes/charts/ --tiller-image harbor.xiodi.cn/tools/tiller:v2.16.3'
          end
        end
...

3. gitlab 添加 k8s 集群

//API 地址(取 kubectl cluster-info 输出中 Kubernetes master 的 URL)

$ kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}'
https://192.168.20.61:6443

// CA 证书(从 default service account 的 token secret 中取出 data.ca\.crt 并 base64 解码;secret 名称以实际 kubectl get secrets 的输出为准,下面的 default-token-8kxc9 只是示例)

$ kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-8kxc9   kubernetes.io/service-account-token   3      23m

$ kubectl get secret default-token-8kxc9 -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTIwMDQwMTEzNDkzMloXDTMwMDMzMDEzNDkzMlowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK84
O0dwlYZYquCwDOf1mK7aHtxb5cjkb+pGEwPXvqy4n7ynVa7lvzaP/woGNg/5xIwg
GjDHTQoaFD/KJxp2AZBg4XV6etlxsqfR6NASPlaz3L0fbxbYI4NEDzCHiZrpiB4w
TK9jlh20xcC1jgWKmWgVYfJTF7QoT2pNTPGhXYvgaXJ0fCdcdUVvjvisAS2yvXBq
rKi74f2BWUQSdsoB+UQtyZNcZUP789SXqBACI1Qdz/Zcd+Oxt+cgtheRpDdokyNO
8/6ToGxy9JDvUkesoG+UKrL6Y/VUW8OvAws7iu/Ja3uQKIVFdWdt3oqbJW8VHaLW
qDd4XYB8tKJvH1M2xT0CAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAETqbi7w0fs0QELYADCDSMgSiG+8
Q3N84QCtEW3QSpfXFP5tRcagKOPn0Mt87Qpu2klKQ5XErwU8AE5eS4NGM3mykzl8
oHjR1ej1OkWKMtobai/qbPfIg3EkPnC/0PjSrhM43B/MSIWj09YnnlD0WbGZTdBt
WS1aOoo4ntw20l2WKcpDsg5K/x5k6HWNnx8gthYpwajY854XA2CbPJSapeY6KSmE
to7no/BJTEK0xclhlJ2amxpXZsGYIUyFvVjbsbWmyuPKfO8kDEfnYYdh8UxR/RLb
1H7LPB6bvyJsWESVyUrTUZFQN6fDUUcqODGtVEDD30odVHDbfS2U8gsRChE=
-----END CERTIFICATE-----

//创建服务账号并获取令牌(下面的 ClusterRoleBinding 把 kube-system 下的 gitlab-admin 绑定到 cluster-admin 角色,即赋予集群管理员权限;最后通过 describe secret 查看该账号的 token)

$ cat > gitlab-admin-service-account.yaml <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: gitlab-admin
  namespace: kube-system
EOF

$ kubectl apply -f gitlab-admin-service-account.yaml
$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')

// 安装 helm
// 安装 Runner