Glossary:

1. GitLab

GitLab is an open-source application built with Ruby on Rails that provides a self-hosted Git repository service; public and private projects can be accessed through its web interface. It offers functionality similar to GitHub: browsing source code, managing issues and comments, controlling team access to repositories, easily reviewing past commits, and keeping a file history. Team members can communicate through a simple built-in chat (Wall). It also provides a snippet collection feature that makes code reuse easy and lets you find snippets later when you need them.

2. GitLab CI

GitLab CI is short for GitLab Continuous Integration. Starting with GitLab 8.0, GitLab CI is fully integrated into GitLab and enabled by default for all projects. As long as a .gitlab-ci.yml file is added to the root of the project repository and a Runner is configured, every merge request (MR) or push triggers a CI pipeline.

3. GitLab Runner

GitLab Runner is what executes the scripts defined in .gitlab-ci.yml; runners are isolated machines (or virtual machines) that work against the GitLab CI API. GitLab Runner does not need to be installed on the same machine as GitLab, and because of GitLab Runner's resource consumption and the security implications, installing both on the same machine is not recommended.

There are two kinds of GitLab Runner: Shared runners and Specific runners. Specific runners can only be used by the projects they are assigned to, while Shared runners can run jobs for any project that has the "Allow shared runners" option enabled.

4. Pipelines

Pipelines are the tasks, grouped into stages, that are defined in .gitlab-ci.yml. I think of a pipeline as an assembly line: the line has several stages, and each stage has one or more jobs, like purchasing materials, assembling, testing and packaging before the product goes on sale; every push or MR has to pass through the line before it can leave the factory. .gitlab-ci.yml is exactly what defines which stages the line has and what each stage does.

5. Badges

When a pipeline finishes, badges are generated; you can add them to your README.md or to your website.

A badge URL looks like: http://example.gitlab.com/namespace/project/badges/branch/build.svg

Deployment

Step 1: deploy GitLab with helm:

helm install gitlab gitlab/ --timeout 600s --set global.hosts.domain=linjb.com --set certmanager-issuer.email=1576654308@qq.com --set global.hosts.gitlab.https=false --set global.hosts.https=false --set global.ingress.tls.enabled=false

Step 2: in CoreDNS, configure the domain to resolve to an in-cluster address.

Step 3: log in to the GitLab instance:

The root password is stored in the <release>-gitlab-initial-root-password secret created by the chart (the release above is named gitlab), so it is read with:

kubectl get secret gitlab-gitlab-initial-root-password -o jsonpath='{.data.password}' | base64 --decode ; echo

Step 4: after logging in

  • Allow outbound requests to the local network (the machine's own IP)
  • Check that gitlab-runner is healthy
  • Configure Operations, i.e. the Kubernetes integration, which is used for CD
kubectl apply -f gitlab-admin-service-account.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: kube-system
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has the same schema.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin gives the GitLab service account full control of the cluster;
  # anyone who can read this token (e.g. via the integration settings) gets the same.
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: gitlab
    namespace: kube-system
---

kubectl get secrets | grep default-token
kubectl get secret default-token-v2n9k -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
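On clusters where ServiceAccount token secrets are no longer created automatically (Kubernetes 1.24 and later), the default-token-* secret queried above may not exist. The manifest below, added here as an example and not part of the original post, creates a long-lived token secret bound to the gitlab ServiceAccount defined in step 4; the secret name gitlab-token is an assumption. The controller populates the same secret with ca.crt, so both values the Kubernetes integration asks for (CA certificate and token) can be read from it, and from the integration's own account rather than from the default ServiceAccount.

```yaml
# Added example: long-lived API token for the "gitlab" ServiceAccount created in step 4.
# The Secret name "gitlab-token" is an assumption; namespace and ServiceAccount
# name match the gitlab-admin-service-account.yaml manifest above.
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: gitlab
type: kubernetes.io/service-account-token
# After `kubectl apply -f gitlab-token.yaml` the token controller fills in
# data.ca.crt, data.namespace and data.token. Read them with:
#   kubectl -n kube-system get secret gitlab-token -o jsonpath='{.data.ca\.crt}' | base64 --decode
#   kubectl -n kube-system get secret gitlab-token -o jsonpath='{.data.token}'  | base64 --decode
# Deleting this Secret invalidates the token, which is the way to rotate it.
```

Because the token never expires on its own, treat the Secret like any other long-lived credential: restrict who can read secrets in kube-system, and delete and recreate it when the integration is reconfigured.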

Registry (hub) and gitlab-runner configuration adjustments

gitlab-runner has to be configured with TLS verification disabled; the registry here is a private one.

runners:
  config: |
    [[runners]]
      url = "10.20.250.21"
      token = ""
      [runners.docker]
        tls_verify = false
        image = "docker:19.03.12"
        privileged = true
        disable_cache = false
        volumes = ["/cache"]
      [runners.kubernetes]
        image = "ubuntu:20.04"
        privileged = true
      [[runners.kubernetes.volumes.empty_dir]]
        name = "docker-certs"
        mount_path = "/certs/client"
        medium = "Memory"

Usage example

Step 1: create a .gitlab-ci.yml file in the project root

.gitlab-ci.yml

---
Configuration for pushing to docker.io
---
stages:
  - docker-build

# This file is a template, and might need editing before it works on your project.
docker-build:
  # Official docker image.
  image: docker:19.03.12
  stage: docker-build
  services:
   - name: docker:19.03.12-dind
  variables:
    # Tell docker CLI how to talk to Docker daemon; see
    # https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-executor
    DOCKER_HOST: tcp://docker:2375
    # Use the overlayfs driver for improved performance:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
    
  before_script:
    - docker info
    - docker login -u ** -p ** docker.io
  script:
    - docker build -t linjinbao66/my-nginx .
    - docker push linjinbao66/my-nginx 
  only:
    - master
---
Configuration for pushing to a private registry
---
stages:
  - docker-build

# This file is a template, and might need editing before it works on your project.
docker-build:
  # Official docker image.
  image: docker:19.03.12
  stage: docker-build
  services:
   - name: docker:19.03.12-dind
     command: [ "--insecure-registry=10.20.250.21" ]
  variables:
    # Tell docker CLI how to talk to Docker daemon; see
    # https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-executor
    DOCKER_HOST: tcp://docker:2375
    # Use the overlayfs driver for improved performance:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
    
  before_script:
    - docker info
    - docker login -u * -p * 10.20.250.21
  script:
    - docker build --pull -t 10.20.250.21/library/my-nginx .
    - docker push 10.20.250.21/library/my-nginx
  only:
    - master

Step 2: create a Dockerfile

Dockerfile

FROM busybox
RUN echo "my-busybox"

Once the files are committed, the build is triggered.

Partial log:

 Product License: Community Engine
$ docker login -u admin -p Admin@harbor2020 10.20.250.21
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ docker build --pull -t 10.20.250.21/library/my-nginx .
Step 1/2 : FROM busybox
latest: Pulling from library/busybox
4c892f00285e: Pulling fs layer
4c892f00285e: Verifying Checksum
4c892f00285e: Download complete
4c892f00285e: Pull complete
Digest: sha256:e1488cb900233d035575f0a7787448cb1fa93bed0ccc0d4efc1963d7d72a8f17
Status: Downloaded newer image for busybox:latest
 ---> 22667f53682a
Step 2/2 : RUN echo "my-busybox"
 ---> Running in dff9b51d1aeb
my-busybox
Removing intermediate container dff9b51d1aeb
 ---> 15b007c1b2cb
Successfully built 15b007c1b2cb
Successfully tagged 10.20.250.21/library/my-nginx:latest
$ docker push 10.20.250.21/library/my-nginx
The push refers to repository [10.20.250.21/library/my-nginx]
6b245f040973: Preparing
6b245f040973: Pushed
latest: digest: sha256:966c710cf6a56d9817370b9fe2608cbec4c5b5b52fb5e3952d9b63f5149974dd size: 527
Job succeeded
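The private-registry job above logs in with docker login -u * -p *, and the job log shows the consequence the docker CLI warns about: the literal username and password are printed in the job output, where anyone with access to the pipeline can read them. As an added example (not from the original post), here is the same docker-build job with the credentials moved into masked CI/CD variables and passed on stdin, and with the docker-in-docker service talking TLS on port 2376 instead of plaintext on 2375, which is what the docker-certs empty_dir volume mounted at /certs/client in the runner config above is for. The variable names HARBOR_USER and HARBOR_PASSWORD are assumptions and are expected to be defined as masked variables in the project's CI/CD settings; the registry address and image name are the post's own.

```yaml
# Added example: hardened version of the private-registry docker-build job.
# Assumptions: HARBOR_USER and HARBOR_PASSWORD exist as masked (and ideally
# protected) CI/CD variables; the registry at 10.20.250.21 serves TLS. If it
# still needs --insecure-registry, keep the service `command` from the
# original job, but the login and tagging changes below apply unchanged.
stages:
  - docker-build

docker-build:
  image: docker:19.03.12
  stage: docker-build
  services:
    - name: docker:19.03.12-dind
  variables:
    # TLS between the docker CLI and the dind daemon. The daemon writes the
    # client certificate into $DOCKER_TLS_CERTDIR/client, the path the
    # runner's docker-certs empty_dir volume mounts at /certs/client.
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_TLS_VERIFY: 1
    DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
    DOCKER_DRIVER: overlay2
    IMAGE: 10.20.250.21/library/my-nginx
  before_script:
    - docker info
    # Fail early if the variables are missing instead of logging in with
    # empty credentials and producing a confusing registry error.
    - test -n "$HARBOR_USER" && test -n "$HARBOR_PASSWORD"
    # The password goes through stdin, so it appears neither in the job log
    # nor in the process list of the job container. Masked variables are
    # additionally redacted from the log if they are ever echoed.
    - echo "$HARBOR_PASSWORD" | docker login -u "$HARBOR_USER" --password-stdin 10.20.250.21
  script:
    # Tag with the commit SHA as well as latest, so a deployment can pin the
    # exact build that was tested instead of whatever "latest" is now.
    - docker build --pull -t "$IMAGE:$CI_COMMIT_SHORT_SHA" -t "$IMAGE:latest" .
    - docker push "$IMAGE:$CI_COMMIT_SHORT_SHA"
    - docker push "$IMAGE:latest"
  after_script:
    # Remove the stored credential from the job container's config.json
    # once the job is done, whether it succeeded or failed.
    - docker logout 10.20.250.21 || true
  only:
    - master
```

With this configuration the log for the login step contains only "Login Succeeded", and the CI_COMMIT_SHORT_SHA tag gives the CD side (the Kubernetes integration configured in step 4) an immutable reference to deploy.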