1 安装Harbor镜像仓库(之前已部署,略)
可参考之前的《Kubernetes业务迁移.pdf》
网站-账号密码
http://gitlab.oldxu.net:30080/users/sign_in ( root/ admin12345 )
http://sonar.oldxu.net:30080/ (admin / admin12345) #初始 admin / admin
2 交付GitLab至K8S (sts、svc、ingress)
Gitlab以容器方式运行,需要持久化如下几个目录中的数据
#拉取、推送
# mirror the upstream GitLab CE image into the private Harbor registry
src=gitlab/gitlab-ce:14.6.0-ce.0
dst=harbor.oldxu.net/ops/gitlab-ce:14.6.0
docker pull "$src"
docker tag "$src" "$dst"
docker push "$dst"
#创建 ns 和 docker-registry 类型的 secret
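kubectl create ns ops
# The Harbor admin password is taken from the environment instead of being
# written literally into the command, so it is not kept in shell history or
# in this document. (An alternative that keeps it out of argv entirely is
# `docker login harbor.oldxu.net` followed by
# `kubectl create secret generic harbor-admin --type=kubernetes.io/dockerconfigjson
#  --from-file=.dockerconfigjson=$HOME/.docker/config.json -n ops`.)
: "${HARBOR_PASSWORD:?set HARBOR_PASSWORD to the Harbor admin password}"
kubectl create secret docker-registry harbor-admin \
  --docker-username=admin \
  --docker-password="$HARBOR_PASSWORD" \
  --docker-server=harbor.oldxu.net \
  -n ops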
1、 gitlab-sts.yaml
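apiVersion: apps/v1
kind: StatefulSet
metadata:
  # was "gitlib" (typo); labels, serviceName and the Service all use "gitlab"
  name: gitlab
  namespace: ops
spec:
  serviceName: "gitlab-svc"
  selector:
    matchLabels:
      app: gitlab
  template:
    metadata:
      labels:
        app: gitlab
    spec:
      imagePullSecrets:
        - name: harbor-admin
      containers:
        - name: gitlab-ce
          image: harbor.oldxu.net/ops/gitlab-ce:14.6.0
          imagePullPolicy: IfNotPresent
          env:
            # NOTE(review): the initial root password sits in plain text in this
            # manifest (and so in git and in `kubectl get sts -o yaml`); keep it
            # in a Secret and reference it with valueFrom.secretKeyRef.
            - name: GITLAB_ROOT_PASSWORD
              value: "admin123"
            # gitlab.rb snippet: external URL, time zone, and the bundled
            # monitoring components switched off. The block is passed verbatim,
            # so nothing is added inside it.
            - name: GITLAB_OMNIBUS_CONFIG
              value: |
                external_url "http://gitlab.oldxu.net"
                gitlab_rails['time_zone'] = 'Asia/Shanghai'
                node_exporter['enable'] = false
                redis_exporter['enable'] = false
                postgres_exporter['enable'] = false
                gitlab_exporter['enable'] = false
                grafana['enable'] = false
                grafana['reporting_enabled'] = false
                prometheus['enable'] = false
                prometheus['monitor_kubernetes'] = false
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          # config, data and logs share one PVC, separated by subPath
          volumeMounts:
            - name: data
              mountPath: /etc/gitlab
              subPath: config
            - name: data
              mountPath: /var/opt/gitlab
              subPath: data
            - name: data
              mountPath: /var/log/gitlab
              subPath: logs
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteMany"]
        storageClassName: "nfs"
        resources:
          requests:
            storage: 25Gi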
2、 gitlab-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: gitlab-svc
  namespace: ops
spec:
  # headless service (clusterIP: None): referenced by the StatefulSet's serviceName
  clusterIP: None
  selector:
    app: gitlab
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
3、 gitlab-ingress.yaml
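# The networking.k8s.io/v1 form (commented below) replaces extensions/v1beta1 on
# clusters where the old Ingress API is no longer served.
#apiVersion: networking.k8s.io/v1
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: gitlab-ingress
  namespace: ops
spec:
  ingressClassName: "nginx"
  rules:
    - host: "gitlab.oldxu.net"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              serviceName: gitlab-svc
              servicePort: 80   # was "servicePotr" (typo; the field was silently ignored)
              # networking.k8s.io/v1 equivalent of the backend above:
              #service:
              #  name: gitlab-svc
              #  port:
              #    name: http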
设置gitlab的界面语言为中文
3 交付PostgreSQL至K8S (sts 、 svc)
部署说明:
Sonarqube扫描流程:
1、使用SonarScanner客户端工具将代码源文件以http/https方式推送给Sonarqube服务端;
2、Sonarqube服务端基于Elasticsearch对代码进行分析,而后将分析结果存储至Database;
3、Sonarqube服务端读取Database数据,然后将扫描结果进行前端展示;
所以,安装Sonarqube之前需要先安装依赖的数据库,后期进行漏洞扫描时还需要借助SonarScanner客户端;
#Sonarqube需要PostgreSQL
#下载postgresql镜像
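# mirror postgres into Harbor. Tag by image name rather than by the image ID
# (621268accecf at the time of writing) so the step is reproducible after a
# fresh pull.
src=postgres:13.8
dst=harbor.oldxu.net/ops/postgres:13.8
docker pull "$src"
docker tag "$src" "$dst"
docker push "$dst"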
1、 pgsql-sts.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgresql
  namespace: ops
spec:
  serviceName: "pgsql-svc"
  selector:
    matchLabels:
      app: pgsql
  template:
    metadata:
      labels:
        app: pgsql
    spec:
      imagePullSecrets:
        - name: harbor-admin
      containers:
        - name: postgresql
          image: harbor.oldxu.net/ops/postgres:13.8
          imagePullPolicy: IfNotPresent
          # database, user and password that SonarQube is configured against
          env:
            - name: POSTGRES_DB
              value: sonardb
            - name: POSTGRES_USER
              value: sonar
            # NOTE(review): plain-text DB password in the manifest; a Secret
            # referenced via valueFrom.secretKeyRef can be shared with the
            # SonarQube connection settings.
            - name: POSTGRES_PASSWORD
              value: "123456"
          ports:
            - containerPort: 5432
          volumeMounts:
            - name: db
              mountPath: /var/lib/postgresql/data
  volumeClaimTemplates:
    - metadata:
        name: db
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: "nfs"
        resources:
          requests:
            storage: 20Gi
2、 pgsql-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: pgsql-svc
  namespace: ops
spec:
  # headless service for the postgresql StatefulSet
  clusterIP: None
  selector:
    app: pgsql
  ports:
    - port: 5432
3、检查postgresql
# open a shell in the postgresql pod, connect as the sonar user and list databases
kubectl exec -it -n ops postgresql-0 -- bash
root@postgresql-0:/# psql -Usonar -d sonardb
sonardb=# \l+
4 交付Sonarqube至K8S (sts、svc、ingress)
#下载sonarqube镜像
# mirror the SonarQube community image into Harbor
src=sonarqube:9.7-community
dst=harbor.oldxu.net/ops/sonarqube:9.7
docker pull "$src"
docker tag "$src" "$dst"
docker push "$dst"
1、 sonarqube-sts.yaml
#需要借助busybox调整内核参数
2、 sonarqube-svc.yaml
3、 sonarqube-ingress.yaml
4、 访问sonarqube
安装中文插件,随后出现install pending, 随后点击 “restart server”
5 交付Jenkins至K8S (rbac 、 sts 、svc 、 ingress)
#下载、打 tag、推送
# mirror the Jenkins LTS image into Harbor
src=jenkins/jenkins:2.346.3-2-lts
dst=harbor.oldxu.net/ops/jenkins:2.346
docker pull "$src"
docker tag "$src" "$dst"
docker push "$dst"
创建RBAC (Jenkins) 01-jenkins-rbac.yaml
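# serviceaccount: identity the Jenkins pod uses against the API server
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: ops
---
# clusterRole
# NOTE(review): the rules below are bound cluster-wide (see the
# ClusterRoleBinding) and include pods/exec and secrets get. If Jenkins only
# deploys into a known set of namespaces, bind this ClusterRole with a
# RoleBinding in each of those namespaces instead, so a compromised build
# cannot exec into or read secrets of every namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
  # "extensions" only matters on older clusters; on current ones deployments are
  # served from "apps" and ingresses from "networking.k8s.io" (added here so the
  # ingress rule still applies once extensions/v1beta1 is gone)
  - apiGroups: ["extensions", "apps", "networking.k8s.io"]
    resources: ["deployments", "ingresses"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  # pods + pods/exec: needed for dynamic agent pods
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/log", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
# clusterrolebinding (cluster-scoped: the original "namespace: ops" under
# metadata had no effect and is dropped)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: ops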
02-jenkins-sts.yaml
03-jenkins-svc.yaml
04-jenkins-ingress.yaml
访问Jenkins , 安装插件
# read the initial admin password for the Jenkins setup wizard from the pod
[root@master01 04-jenkins]# kubectl exec -it -n ops jenkins-0 -- bash
root@jenkins-0:/# cat /var/jenkins_home/secrets/initialAdminPassword
9c6f0d23cc194970a3e8326708dbabbf
6 制作Jenkins pod template
6.1、maven
# custom Maven settings.xml; the Dockerfile below copies it into the image
wget https://linux.oldxu.net/settings_docker.xml
[root@node4 maven]# cat Dockerfile
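FROM maven:3.8.6-openjdk-8
# settings_docker.xml is the file downloaded in the step above.
# COPY instead of ADD: no URL fetching or archive auto-extraction is wanted.
COPY ./settings_docker.xml /usr/share/maven/conf/settings.xml
# container clock in Asia/Shanghai, consistent with the other CI images
RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime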
[root@node4 maven]# ls
Dockerfile settings_docker.xml
#构建推送
# build the maven agent image from the Dockerfile in this directory and push it
img=harbor.oldxu.net/ops/maven:3.8.6
docker build -t "$img" .
docker push "$img"
6.2、sonar
# mirror the sonar-scanner image into Harbor
src=emeraldsquad/sonar-scanner:2.3.0
dst=harbor.oldxu.net/ops/sonar-scanner:2.3.0
docker pull "$src"
docker tag "$src" "$dst"
docker push "$dst"
6.3、NodeJs
cat Dockerfile
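FROM centos:7
# make the pipe below fail the build when curl fails; without pipefail only
# bash's exit status counts and a failed download goes unnoticed
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# container clock in Asia/Shanghai, consistent with the other CI images
RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# NodeSource repo setup script for Node 14, executed at build time.
# --fail stops an HTTP error page from being piped into bash. Vendoring a
# reviewed copy of the script would make the build reproducible and
# independent of the remote host.
RUN curl --silent --location --fail https://rpm.nodesource.com/setup_14.x | bash -
RUN yum install nodejs gcc-c++ make vim -y && \
    yum clean all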
[root@node4 nodejs]# ls
Dockerfile
# build the nodejs agent image and push it to Harbor
img=harbor.oldxu.net/ops/nodejs:14.20
docker build -t "$img" .
docker push "$img"
6.4、Docker
# mirror the docker CLI image into Harbor
src=docker:20.10
dst=harbor.oldxu.net/ops/docker:20.10
docker pull "$src"
docker tag "$src" "$dst"
docker push "$dst"
6.5、kubelet
[root@node4 kubelet]# cat kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
# NOTE(review): gpgcheck=0 disables RPM signature verification, so the kubectl
# package baked into the CI image is installed unverified. Set gpgcheck=1 and
# point gpgkey= at the keys published by this mirror.
gpgcheck=0
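FROM centos:7
# 1. time zone: Asia/Shanghai, consistent with the other CI images
RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
    echo 'Asia/Shanghai' >/etc/timezone
# 2. yum repo (kubernetes.repo next to this Dockerfile).
#    COPY instead of ADD: no URL fetching or archive extraction is wanted.
COPY ./kubernetes.repo /etc/yum.repos.d/kubernetes.repo
# 3. kubectl at a pinned version.
#    NOTE(review): kubernetes.repo sets gpgcheck=0, so this package is
#    installed without signature verification.
RUN yum makecache && yum install kubectl-1.22.3 -y && \
    yum clean all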
[root@node4 kubelet]# ls
Dockerfile kubernetes.repo
# build the kubectl agent image and push it to Harbor
img=harbor.oldxu.net/ops/kubectl:1.22.3
docker build -t "$img" .
docker push "$img"