How to add a trusted cache-domain certificate to JiHu GitLab Runner

Published by JiHu GitLab on 2024-03-21

Author: 徐曉偉 (Xu Xiaowei)

GitLab is a well-known all-in-one DevOps platform used worldwide, and many people self-host GitLab to manage their source code. JiHu GitLab is the Chinese distribution of GitLab, built specifically for developers in China, and it can be deployed with one click.

Problem description:

Scenario: when the JiHu GitLab Runner is given a host entry for the MinIO domain, it cannot verify the domain certificate of MinIO (the cache server).

Solution

Download the certificate

# Download the certificate presented by the MinIO server (only the first certificate of the chain, the leaf, is kept by openssl x509)
openssl s_client -showcerts -connect minio.test.helm.xuxiaowei.cn:443 -servername minio.test.helm.xuxiaowei.cn < /dev/null 2>/dev/null | openssl x509 -outform PEM > minio.test.helm.xuxiaowei.cn.crt

Import the certificate into Kubernetes

# -n=gitlab-test: the namespace
# create configmap minio-certs: create a ConfigMap named minio-certs
# --from-file=minio.test.helm.xuxiaowei.cn.crt=minio.test.helm.xuxiaowei.cn.crt: take the value from the file minio.test.helm.xuxiaowei.cn.crt; the key inside the ConfigMap is also minio.test.helm.xuxiaowei.cn.crt
kubectl -n=gitlab-test create configmap minio-certs --from-file=minio.test.helm.xuxiaowei.cn.crt=minio.test.helm.xuxiaowei.cn.crt

# Inspect the result
# kubectl -n=gitlab-test get configmap minio-certs -o yaml

Export the Helm values of the GitLab release

helm -n gitlab-test get values my-gitlab > my-gitlab.yaml

Inspect the default JiHu GitLab Runner configuration

# Excerpt only; it may differ between chart versions. The values at https://artifacthub.io/packages/helm/gitlab/gitlab?modal=values are authoritative
gitlab-runner:
  runners:
    config: |
      [[runners]]
        [runners.kubernetes]
        image = "ubuntu:22.04"
        {{- if .Values.global.minio.enabled }}
        [runners.cache]
          Type = "s3"
          Path = "gitlab-runner"
          Shared = true
          [runners.cache.s3]
            ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }}
            BucketName = "runner-cache"
            BucketLocation = "us-east-1"
            Insecure = false
        {{ end }}

Modify the Helm values

gitlab-runner:
  runners:
    config: |
      [[runners]]
        [runners.kubernetes]
        image = "ubuntu:22.04"

        # https://docs.gitlab.cn/runner/executors/kubernetes.html#configmap-%E5%8D%B7
        # https://docs.gitlab.cn/runner/executors/kubernetes.html#%E9%85%8D%E7%BD%AE%E5%8D%B7%E7%B1%BB%E5%9E%8B
        # https://kubernetes.io/zh-cn/docs/concepts/storage/volumes/
        # https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/
        [[runners.kubernetes.volumes.config_map]]
          name = "minio-certs"
          mount_path = "/etc/ssl/certs/minio.test.helm.xuxiaowei.cn.crt"
          sub_path = "minio.test.helm.xuxiaowei.cn.crt"
          [runners.kubernetes.volumes.config_map.items]
            "minio.test.helm.xuxiaowei.cn.crt" = "minio.test.helm.xuxiaowei.cn.crt"

        {{- if .Values.global.minio.enabled }}
        [runners.cache]
          Type = "s3"
          Path = "gitlab-runner"
          Shared = true
          [runners.cache.s3]
            ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }}
            BucketName = "runner-cache"
            BucketLocation = "us-east-1"
            Insecure = false
        {{ end }}

Apply the updated Helm values

helm upgrade -n gitlab-test --install my-gitlab gitlab/gitlab -f my-gitlab.yaml --timeout 600s --version 7.7.0

Check the result

  1. Wait until all old gitlab-runner pods have been deleted and the new pod is running, then retry the pipeline; it can now reach the MinIO (cache server) domain correctly.

    1. First run: the cache server holds no dependencies yet, so the cache download fails.
    2. The first run succeeds and uploads the dependencies to the cache server.
    3. Later runs: the cache server already holds the dependencies, the download succeeds, and the pipeline duration is greatly reduced.

  2. Check the configuration:

    [root@anolis-7-9 ~]# kubectl -n gitlab-test get pod | grep runner
    my-gitlab-gitlab-runner-57fddb64b7-xdndt             1/1     Running     0               10m
    runner-z1gihfdz-project-1-concurrent-0-k3h251j8      2/2     Running     0               20s
    [root@anolis-7-9 ~]# 

    Note that the container inspected is the helper container. The certificate we configured is present inside it, which is why it can trust the MinIO (cache server) certificate.

    [root@anolis-7-9 ~]# kubectl -n gitlab-test exec -it runner-z1gihfdz-project-1-concurrent-0-k3h251j8 -c helper cat /etc/ssl/certs/minio.test.helm.xuxiaowei.cn.crt
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    -----BEGIN CERTIFICATE-----
    MIICqjCCAgugAwIBAgIQbha0RtIy+yeQHAEidwDJXzAKBggqhkjOPQQDBDAdMRsw
    GQYDVQQDExJjZXJ0LW1hbmFnZXIubG9jYWwwHhcNMjMxMjIyMDUwNTMyWhcNMjQw
    MzIxMDUwNTMyWjAVMRMwEQYDVQQFEwoxMjM0NTY3ODkwMIIBIjANBgkqhkiG9w0B
    AQEFAAOCAQ8AMIIBCgKCAQEAxoxsHstWtaaMLYDojvL5zw4C20ZkS3IJJ1u5S7Qv
    C1yiz3d6LrWnb7RSEWGO2ckZoYNRfHnDipEJnC8nY0BU2SvYfG8+sx80Fpyt1+5V
    TkMU8WSFnNtgPupojGEKsWRLEFg1lEu5mH36v1d0EO31/r7D69uO3rRbh7UpN9f6
    /BbJV/f+TpyDsAYEuZa2jqkRyR6KIDSQkQtZvVsSlpcB4Z3EQpCj31tOpufLjIxY
    qPGUrOcL9mIsc+wz+CvxQFU5n3H650F6p0AG/EzjZ6ClghPRxZrTLfY9iQP2zxnQ
    B941eW1y40nmHttmRg0whDJFU3i6VpALPE6Bv0w9X+bJtQIDAQABo2owaDAOBgNV
    HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBRkqQQEnhfwEmG6
    AC+eFFOS91CTfDAnBgNVHREEIDAeghxtaW5pby50ZXN0LmhlbG0ueHV4aWFvd2Vp
    LmNuMAoGCCqGSM49BAMEA4GMADCBiAJCAaGgfzw1PYdr81UP/xpXE1tsYV+fYlDp
    oj/AJBtnUsaLonnVihknaEUe97aFstiiPkgu33C37evwUBZXneIKZ2+QAkIBchVK
    Q7ywP+X/8rSAse46rwNyx0y+svLnwUTp/sen2I/9EGVU20ESm5X1x/iyGNsmFNlb
    I8Bn2W7QLYcdpvAJ/wY=
    -----END CERTIFICATE-----
    [root@anolis-7-9 ~]# 
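Two checks that the article does not include but that belong around the steps above: before the file produced in the "Download the certificate" step goes into the ConfigMap, confirm that it really is the certificate you expect (the s_client download simply records whatever the server presented, so the fingerprint should be confirmed out of band), that it covers the MinIO hostname and that it will not expire shortly; and after the rollout, confirm that the file read back from the helper container (as in the kubectl exec output above) is the same certificate as the one you imported. The shell functions below are added example code, not part of the article or of GitLab Runner; the function names and the self-signed test certificates are constructed here, and only openssl is required.

```shell
#!/bin/sh
# Added example (not from the article): sanity checks on a PEM certificate before it
# is placed into the ConfigMap, plus a fingerprint comparison for the copy read back
# from the helper container. All function names and test certificates are constructed.

# check_cert PEM HOST [MIN_SECONDS]
# Returns 0 when PEM parses as an X.509 certificate, its SAN/CN covers HOST, and it
# stays valid for at least MIN_SECONDS (default 0). Non-zero codes name the failure.
check_cert() {
  pem=$1
  host=$2
  min_seconds=${3:-0}
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo "check_cert: $pem is not a PEM certificate" >&2
    return 1
  fi
  # -checkhost always exits 0, so the verdict has to be read from its output.
  if ! openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "check_cert: $pem does not cover $host" >&2
    return 2
  fi
  # -checkend exits 1 when the certificate expires within the given number of seconds.
  if ! openssl x509 -in "$pem" -noout -checkend "$min_seconds" >/dev/null; then
    echo "check_cert: $pem expires within $min_seconds seconds" >&2
    return 3
  fi
  return 0
}

# cert_fingerprint PEM -> SHA-256 fingerprint (colon-separated hex) on one line.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# same_cert LOCAL_PEM REMOTE_PEM -> 0 when both files carry the same certificate.
# REMOTE_PEM is what you get from
#   kubectl -n <ns> exec <runner-pod> -c helper -- cat /etc/ssl/certs/<name>.crt > remote.pem
same_cert() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# is_ca PEM -> 0 when the certificate carries basicConstraints CA:TRUE.
# A ConfigMap holding the issuing CA keeps working when the server's leaf is rotated;
# a pinned leaf has to be re-imported every time.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# make_test_cert OUT_PEM HOST DAYS: constructed self-signed certificate for local testing
# (requires OpenSSL 1.1.1 or newer for -addext).
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "${1%.pem}.key" -out "$1" -days "$3" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# Demo on constructed certificates: no network and no cluster needed.
demo() {
  tmp=$(mktemp -d)
  host=minio.test.helm.xuxiaowei.cn
  make_test_cert "$tmp/good.pem" "$host" 30
  make_test_cert "$tmp/short.pem" "$host" 1
  if check_cert "$tmp/good.pem" "$host" 86400; then
    echo "good.pem covers $host and is valid for more than a day; sha256 $(cert_fingerprint "$tmp/good.pem")"
  fi
  check_cert "$tmp/short.pem" "$host" 604800 || echo "short.pem rejected: fewer than 7 days left"
  check_cert "$tmp/good.pem" other.example.invalid || echo "good.pem rejected for other.example.invalid"
  is_ca "$tmp/good.pem" && echo "good.pem is a CA certificate" || echo "good.pem is a leaf certificate"
  rm -rf "$tmp"
}

demo
```

Run check_cert against minio.test.helm.xuxiaowei.cn.crt before the kubectl create configmap step, and same_cert against the local file and the copy read from the helper container after the rollout. Because openssl x509 in the download step keeps only the first certificate s_client printed, the ConfigMap pins the leaf; its notAfter date (openssl x509 -noout -enddate) bounds how long the mount stays useful, and once the server rotates the certificate the ConfigMap has to be refreshed, which is why is_ca is worth checking on what you import.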

For more JiHu GitLab best practices, search for and follow the 極狐GitLab WeChat official account, or visit the JiHu GitLab website at https://gitlab.cn.
