How to configure custom Pages domains and SSL/TLS certificates on 極狐GitLab

Published by 极狐GitLab on 2024-03-28

Author: 徐曉偉 (Xu Xiaowei)

GitLab is a globally known all-in-one DevOps platform, and many people self-host GitLab for source code hosting. 極狐GitLab is the distribution of GitLab in China, built for Chinese developers, and it can be deployed with one click.

This article describes how to configure user-defined Pages domains and SSL/TLS domain certificates on 極狐GitLab.

Description

By default, Pages custom domains and certificates are disabled.


Custom domain configuration

Export the Helm GitLab configuration

# Export the currently configured values to a file
helm -n gitlab-test get values my-gitlab > my-gitlab.yaml

Check the EXTERNAL-IP of the GitLab Pages Custom Domains Service

[root@anolis-7-9 ~]# kubectl -n gitlab-test get service
NAME                                         TYPE           CLUSTER-IP       EXTERNAL-IP                 PORT(S)                                   AGE
cm-acme-http-solver-jpzhd                    NodePort       10.105.18.121    <none>                      8089:32764/TCP                            39h
cm-acme-http-solver-kvj5q                    NodePort       10.99.177.114    <none>                      8089:30973/TCP                            39h
cm-acme-http-solver-q82j2                    NodePort       10.103.217.244   <none>                      8089:32188/TCP                            39h
my-gitlab-certmanager                        ClusterIP      10.101.131.129   <none>                      9402/TCP                                  39h
my-gitlab-certmanager-webhook                ClusterIP      10.104.249.65    <none>                      443/TCP                                   39h
my-gitlab-gitaly                             ClusterIP      None             <none>                      8075/TCP,9236/TCP                         39h
my-gitlab-gitlab-exporter                    ClusterIP      10.104.47.204    <none>                      9168/TCP                                  39h
my-gitlab-gitlab-pages-custom-domains        LoadBalancer   10.97.49.247     172.25.25.32,10.97.49.247   80:32713/TCP                              87m
my-gitlab-gitlab-pages-metrics               ClusterIP      10.109.40.15     <none>                      9235/TCP                                  3h3m
my-gitlab-gitlab-shell                       ClusterIP      10.107.227.187   <none>                      22/TCP                                    39h
my-gitlab-kas                                ClusterIP      10.108.130.73    <none>                      8150/TCP,8153/TCP,8154/TCP,8151/TCP       39h
my-gitlab-minio-svc                          ClusterIP      10.109.30.226    <none>                      9000/TCP                                  39h
my-gitlab-nginx-ingress-controller           LoadBalancer   10.102.62.140    <pending>                   80:30875/TCP,443:31768/TCP,22:30561/TCP   39h
my-gitlab-nginx-ingress-controller-metrics   ClusterIP      10.96.243.11     <none>                      10254/TCP                                 39h
my-gitlab-postgresql                         ClusterIP      10.104.225.8     <none>                      5432/TCP                                  39h
my-gitlab-postgresql-hl                      ClusterIP      None             <none>                      5432/TCP                                  39h
my-gitlab-postgresql-metrics                 ClusterIP      10.107.233.118   <none>                      9187/TCP                                  39h
my-gitlab-prometheus-server                  ClusterIP      10.101.151.224   <none>                      80/TCP                                    39h
my-gitlab-redis-headless                     ClusterIP      None             <none>                      6379/TCP                                  39h
my-gitlab-redis-master                       ClusterIP      10.103.127.195   <none>                      6379/TCP                                  39h
my-gitlab-redis-metrics                      ClusterIP      10.104.184.133   <none>                      9121/TCP                                  39h
my-gitlab-registry                           ClusterIP      10.107.98.111    <none>                      5000/TCP                                  39h
my-gitlab-webservice-default                 ClusterIP      10.110.211.99    <none>                      8080/TCP,8181/TCP,8083/TCP                39h
[root@anolis-7-9 ~]# kubectl -n gitlab-test get svc | grep gitlab-pages-custom-domains
my-gitlab-gitlab-pages-custom-domains        LoadBalancer   10.97.49.247     172.25.25.32,10.97.49.247   80:32713/TCP                              87m
[root@anolis-7-9 ~]#

Modify the configuration

Note: the externalHttp addresses entered here must not be the same as the GitLab instance's IP.

  1. The author's GitLab instance domain gitlab.test.helm.xuxiaowei.cn resolves to 172.25.25.32
  2. The author's GitLab Pages domains *.pages.test.helm.xuxiaowei.cn and *.test.helm.xuxiaowei.io resolve to 172.25.25.31
  3. Documentation
global:
  pages:
    # Used to support custom domains: HTTP requests only
    externalHttp:
    # List of IP addresses on which HTTP requests reach the Pages daemon. Used to support custom domains.
    # Use part of the EXTERNAL-IP of the GitLab Pages Custom Domains Service shown above
    - 172.25.25.31
    - 10.97.49.247

Update the configuration

helm upgrade -n gitlab-test --install my-gitlab gitlab/gitlab --timeout 600s -f my-gitlab.yaml --version 7.7.0

Wait for all pods to finish updating

[root@anolis-7-9 ~]# kubectl -n gitlab-test get pod -o wide
NAME                                                 READY   STATUS      RESTARTS         AGE     IP                NODE         NOMINATED NODE   READINESS GATES
cm-acme-http-solver-2ldtp                            1/1     Running     14 (10m ago)     37h     192.168.210.234   anolis-7-9   <none>           <none>
cm-acme-http-solver-94dv5                            1/1     Running     14 (10m ago)     37h     192.168.210.247   anolis-7-9   <none>           <none>
cm-acme-http-solver-klkpz                            1/1     Running     14 (10m ago)     37h     192.168.210.230   anolis-7-9   <none>           <none>
my-gitlab-certmanager-8457bfdc8-w858k                1/1     Running     14 (10m ago)     37h     192.168.240.118   anolis-7-7   <none>           <none>
my-gitlab-certmanager-cainjector-74df787cf4-j7cfc    1/1     Running     14 (10m ago)     37h     192.168.240.66    anolis-7-7   <none>           <none>
my-gitlab-certmanager-webhook-7b86db4c96-dhcxl       1/1     Running     14 (10m ago)     37h     192.168.240.95    anolis-7-7   <none>           <none>
my-gitlab-gitaly-0                                   1/1     Running     14 (10m ago)     37h     192.168.210.228   anolis-7-9   <none>           <none>
my-gitlab-gitlab-exporter-55dcfcb595-gl6nm           1/1     Running     14 (10m ago)     37h     192.168.210.242   anolis-7-9   <none>           <none>
my-gitlab-gitlab-pages-848b78cbbb-7x6nt              1/1     Running     0                7m14s   192.168.240.115   anolis-7-7   <none>           <none>
my-gitlab-gitlab-runner-5f6ff5994c-wdw5l             1/1     Running     3 (10m ago)      4h13m   192.168.210.222   anolis-7-9   <none>           <none>
my-gitlab-gitlab-shell-55fdc9cb9f-52gnr              1/1     Running     14 (12m ago)     37h     192.168.240.76    anolis-7-7   <none>           <none>
my-gitlab-gitlab-shell-55fdc9cb9f-cfhsh              1/1     Running     14 (10m ago)     37h     192.168.210.223   anolis-7-9   <none>           <none>
my-gitlab-issuer-37-gqljk                            0/1     Completed   0                7m14s   192.168.240.82    anolis-7-7   <none>           <none>
my-gitlab-kas-688dc97ddd-28gr7                       1/1     Running     40 (9m39s ago)   37h     192.168.240.96    anolis-7-7   <none>           <none>
my-gitlab-kas-688dc97ddd-tvkvd                       1/1     Running     46 (9m34s ago)   37h     192.168.210.245   anolis-7-9   <none>           <none>
my-gitlab-migrations-37-t69sl                        0/1     Completed   0                7m14s   192.168.240.75    anolis-7-7   <none>           <none>
my-gitlab-minio-66f584f746-t6qwb                     1/1     Running     6 (10m ago)      29h     192.168.210.251   anolis-7-9   <none>           <none>
my-gitlab-minio-create-buckets-37-6lsd8              0/1     Completed   0                7m14s   192.168.240.97    anolis-7-7   <none>           <none>
my-gitlab-nginx-ingress-controller-6bdd56c45-ch57n   1/1     Running     14 (10m ago)     37h     192.168.240.67    anolis-7-7   <none>           <none>
my-gitlab-nginx-ingress-controller-6bdd56c45-cm2lz   1/1     Running     14 (10m ago)     37h     192.168.210.246   anolis-7-9   <none>           <none>
my-gitlab-postgresql-0                               2/2     Running     28 (10m ago)     37h     192.168.210.244   anolis-7-9   <none>           <none>
my-gitlab-prometheus-server-646489c599-8mgc9         2/2     Running     28 (10m ago)     37h     192.168.210.208   anolis-7-9   <none>           <none>
my-gitlab-redis-master-0                             2/2     Running     28 (10m ago)     37h     192.168.210.239   anolis-7-9   <none>           <none>
my-gitlab-registry-78fc549f8d-d2zjv                  1/1     Running     14 (10m ago)     37h     192.168.240.98    anolis-7-7   <none>           <none>
my-gitlab-registry-78fc549f8d-xbkvh                  1/1     Running     14 (10m ago)     37h     192.168.210.240   anolis-7-9   <none>           <none>
my-gitlab-sidekiq-all-in-1-v2-7ff55f699b-phhjt       1/1     Running     0                7m14s   192.168.210.235   anolis-7-9   <none>           <none>
my-gitlab-toolbox-7f79f69d96-xvl47                   1/1     Running     0                6m44s   192.168.240.101   anolis-7-7   <none>           <none>
my-gitlab-webservice-default-6f5d96f89c-c779l        2/2     Running     0                7m14s   192.168.240.81    anolis-7-7   <none>           <none>
my-gitlab-webservice-default-6f5d96f89c-m2svw        2/2     Running     0                5m7s    192.168.240.78    anolis-7-7   <none>           <none>
[root@anolis-7-9 ~]# 

View the project's Pages configuration

By default the webservice-default Deployment has only two replicas; wait until it is back to its normal replica count before checking, otherwise the page data may differ on each refresh.


Custom domains


After the domain is added, DNS must be verified. If you control the domain's DNS, you can add the DNS record and then refresh to verify.


If you do not control the DNS, or do not want to verify DNS ownership, you can disable verification in the Admin Area.


After disabling verification, the domain must be added again for the change to take effect.


Access result

Note: because this project has a project-name issue, this result was deployed from the domain branch (no project name) of https://framagit.org/xuxiaowei-com-cn/my-maven-app, and it can only be accessed over http.

Because only externalHttp was configured, Pages can only be accessed over http; https will not work.


Custom domain SSL/TLS certificate configuration

Export the Helm GitLab configuration

# Export the currently configured values to a file
helm -n gitlab-test get values my-gitlab > my-gitlab.yaml

Check the EXTERNAL-IP of the GitLab Pages Custom Domains Service

[root@anolis-7-9 ~]# kubectl -n gitlab-test get svc | grep gitlab-pages-custom-domains
my-gitlab-gitlab-pages-custom-domains        LoadBalancer   10.97.49.247     172.25.25.32,10.97.49.247   80:32713/TCP                              87m
[root@anolis-7-9 ~]#

Modify the configuration

Note: the externalHttps addresses entered here must not be the same as the GitLab instance's IP.

  1. The author's GitLab instance domain gitlab.test.helm.xuxiaowei.cn resolves to 172.25.25.32
  2. The author's GitLab Pages domains *.pages.test.helm.xuxiaowei.cn and *.test.helm.xuxiaowei.io resolve to 172.25.25.31
  3. Documentation
global:
  pages:
    # Used to support custom domains with SSL/TLS certificates: HTTPS requests only
    externalHttps:
    # List of IP addresses on which HTTPS requests reach the Pages daemon. Used to support custom domains.
    # Use part of the EXTERNAL-IP of the GitLab Pages Custom Domains Service shown above
    - 172.25.25.31
    - 10.97.49.247

Update the configuration

helm upgrade -n gitlab-test --install my-gitlab gitlab/gitlab --timeout 600s -f my-gitlab.yaml --version 7.7.0

You will observe that GitLab Pages cannot be deployed

[root@anolis-7-9 ~]# kubectl -n gitlab-test get pod -o wide | grep gitlab-pages
my-gitlab-gitlab-pages-6b5f557b5c-pp6ww              0/1     Init:0/2    0               102s    <none>            anolis-7-9   <none>           <none>
my-gitlab-gitlab-pages-848b78cbbb-7x6nt              1/1     Running     0               94m     192.168.240.115   anolis-7-7   <none>           <none>
[root@anolis-7-9 ~]#

Check why it cannot be deployed

The my-gitlab-pages-tls secret cannot be found. The reason is that once SSL/TLS certificates for custom domains are enabled, a TLS secret must be created.

[root@anolis-7-9 ~]# kubectl -n gitlab-test describe pod my-gitlab-gitlab-pages-6b5f557b5c-pp6ww
# excerpt
Events:
Type     Reason       Age                  From               Message
  ----     ------       ----                 ----               -------
Normal   Scheduled    2m42s                default-scheduler  Successfully assigned gitlab-test/my-gitlab-gitlab-pages-6b5f557b5c-pp6ww to anolis-7-9
Warning  FailedMount  34s (x9 over 2m42s)  kubelet            MountVolume.SetUp failed for volume "init-pages-secrets" : secret "my-gitlab-pages-tls" not found
[root@anolis-7-9 ~]#

Create the my-gitlab-pages-tls TLS secret

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -subj "/C=CN/ST=山東/L=青島/O=徐曉偉工作室/OU=徐曉偉工作室/CN=*.pages.test.helm.xuxiaowei.cn/CN=*.test.helm.xuxiaowei.io/emailAddress=xuxiaowei@xuxiaowei.com.cn" -out ca.crt -utf8
KEY_FILE=ca.key
CERT_FILE=ca.crt
CERT_NAME=my-gitlab-pages-tls
kubectl -n gitlab-test create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
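The command above places both wildcard names in the subject as repeated CN fields; browsers match a hostname against the certificate's subjectAltName and ignore CN, so the names belong in a SAN extension. The script below is an added example (not from the original post) that builds the wildcard Pages certificate with a SAN, lists the names it covers, confirms the key pairs with the certificate, and checks hostname matching before the secret is created; it assumes openssl is in PATH, and the file names pages-ca.key and pages-ca.crt are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build the wildcard Pages
# certificate with a subjectAltName, then run the checks worth doing before
# "kubectl create secret tls". Assumes openssl is in PATH; the file names
# pages-ca.key / pages-ca.crt and the temp directory are placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_FILE="$WORKDIR/pages-ca.key"
CERT_FILE="$WORKDIR/pages-ca.crt"

# Self-signed cert for both wildcard Pages domains from the post. The names
# go into SAN, which is what browsers match; CN carries only the first name.
make_pages_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$KEY_FILE" -out "$CERT_FILE" \
    -subj "/C=CN/O=xuxiaowei/CN=*.pages.test.helm.xuxiaowei.cn" \
    -addext "subjectAltName=DNS:*.pages.test.helm.xuxiaowei.cn,DNS:*.test.helm.xuxiaowei.io" \
    >/dev/null 2>&1
}

# List the DNS names the certificate actually covers (from SAN), one per line.
cert_san_names() {
  openssl x509 -in "$CERT_FILE" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Return 0 if the certificate is valid for the hostname in $1 (wildcard-aware).
cert_matches_host() {
  openssl x509 -in "$CERT_FILE" -noout -checkhost "$1" | grep -q 'does match'
}

# Return 0 if the private key belongs to the certificate; a mismatched pair
# is not usable as a TLS secret.
key_matches_cert() {
  [ "$(openssl pkey -in "$KEY_FILE" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$CERT_FILE" -noout -pubkey)" ]
}

make_pages_cert
echo "names covered by $CERT_FILE:"
cert_san_names
for host in my-project.pages.test.helm.xuxiaowei.cn www.test.helm.xuxiaowei.io \
            gitlab.test.helm.xuxiaowei.cn; do
  if cert_matches_host "$host"; then echo "match:    $host"; else echo "no match: $host"; fi
done
key_matches_cert && echo "key and certificate pair up"
# The post's own command, pointed at these files:
# kubectl -n gitlab-test create secret tls my-gitlab-pages-tls --key "$KEY_FILE" --cert "$CERT_FILE"
```

The instance hostname gitlab.test.helm.xuxiaowei.cn is listed deliberately: it is not covered by either wildcard, which is the expected result since the instance and Pages use separate addresses.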

Restart the Pages Deployment

[root@anolis-7-9 ~]# kubectl -n gitlab-test rollout restart deployment my-gitlab-gitlab-pages
deployment.apps/my-gitlab-gitlab-pages restarted
[root@anolis-7-9 ~]#

Wait for all pods to finish updating

[root@anolis-7-9 ~]# kubectl -n gitlab-test get pod -o wide
NAME                                                 READY   STATUS      RESTARTS        AGE     IP                NODE         NOMINATED NODE   READINESS GATES
cm-acme-http-solver-2ldtp                            1/1     Running     14 (121m ago)   39h     192.168.210.234   anolis-7-9   <none>           <none>
cm-acme-http-solver-94dv5                            1/1     Running     14 (121m ago)   39h     192.168.210.247   anolis-7-9   <none>           <none>
cm-acme-http-solver-klkpz                            1/1     Running     14 (121m ago)   39h     192.168.210.230   anolis-7-9   <none>           <none>
my-gitlab-certmanager-8457bfdc8-w858k                1/1     Running     14 (121m ago)   39h     192.168.240.118   anolis-7-7   <none>           <none>
my-gitlab-certmanager-cainjector-74df787cf4-j7cfc    1/1     Running     14 (121m ago)   39h     192.168.240.66    anolis-7-7   <none>           <none>
my-gitlab-certmanager-webhook-7b86db4c96-dhcxl       1/1     Running     14 (121m ago)   39h     192.168.240.95    anolis-7-7   <none>           <none>
my-gitlab-gitaly-0                                   1/1     Running     14 (121m ago)   39h     192.168.210.228   anolis-7-9   <none>           <none>
my-gitlab-gitlab-exporter-55dcfcb595-gl6nm           1/1     Running     14 (121m ago)   39h     192.168.210.242   anolis-7-9   <none>           <none>
my-gitlab-gitlab-pages-6bd898c7d5-tvspn              1/1     Running     0               4m36s   192.168.240.104   anolis-7-7   <none>           <none>
my-gitlab-gitlab-runner-5f6ff5994c-lbbjt             0/1     Running     0               21s     192.168.240.121   anolis-7-7   <none>           <none>
my-gitlab-gitlab-shell-55fdc9cb9f-52gnr              1/1     Running     14 (123m ago)   39h     192.168.240.76    anolis-7-7   <none>           <none>
my-gitlab-gitlab-shell-55fdc9cb9f-cfhsh              1/1     Running     14 (121m ago)   39h     192.168.210.223   anolis-7-9   <none>           <none>
my-gitlab-issuer-38-742q6                            0/1     Completed   0               91m     192.168.240.73    anolis-7-7   <none>           <none>
my-gitlab-issuer-55-fp5rb                            0/1     Completed   0               24m     192.168.240.105   anolis-7-7   <none>           <none>
my-gitlab-kas-688dc97ddd-28gr7                       1/1     Running     40 (120m ago)   39h     192.168.240.96    anolis-7-7   <none>           <none>
my-gitlab-kas-688dc97ddd-tvkvd                       1/1     Running     46 (120m ago)   39h     192.168.210.245   anolis-7-9   <none>           <none>
my-gitlab-migrations-38-9mz5h                        0/1     Completed   0               91m     192.168.210.252   anolis-7-9   <none>           <none>
my-gitlab-migrations-55-tbpvq                        0/1     Completed   0               24m     192.168.240.90    anolis-7-7   <none>           <none>
my-gitlab-minio-66f584f746-t6qwb                     1/1     Running     6 (121m ago)    31h     192.168.210.251   anolis-7-9   <none>           <none>
my-gitlab-minio-create-buckets-38-lzrsj              0/1     Completed   0               91m     192.168.240.79    anolis-7-7   <none>           <none>
my-gitlab-minio-create-buckets-55-g2gvz              0/1     Completed   0               24m     192.168.240.107   anolis-7-7   <none>           <none>
my-gitlab-nginx-ingress-controller-6bdd56c45-ch57n   1/1     Running     14 (121m ago)   39h     192.168.240.67    anolis-7-7   <none>           <none>
my-gitlab-nginx-ingress-controller-6bdd56c45-cm2lz   1/1     Running     14 (121m ago)   39h     192.168.210.246   anolis-7-9   <none>           <none>
my-gitlab-postgresql-0                               2/2     Running     28 (121m ago)   39h     192.168.210.244   anolis-7-9   <none>           <none>
my-gitlab-prometheus-server-646489c599-8mgc9         2/2     Running     28 (121m ago)   39h     192.168.210.208   anolis-7-9   <none>           <none>
my-gitlab-redis-master-0                             2/2     Running     28 (121m ago)   38h     192.168.210.239   anolis-7-9   <none>           <none>
my-gitlab-registry-78fc549f8d-d2zjv                  1/1     Running     14 (121m ago)   39h     192.168.240.98    anolis-7-7   <none>           <none>
my-gitlab-registry-78fc549f8d-xbkvh                  1/1     Running     14 (121m ago)   39h     192.168.210.240   anolis-7-9   <none>           <none>
my-gitlab-sidekiq-all-in-1-v2-84f99f6776-78g2z       1/1     Running     0               24m     192.168.210.197   anolis-7-9   <none>           <none>
my-gitlab-toolbox-6cbbbdcbdf-v6mf2                   1/1     Running     0               24m     192.168.210.202   anolis-7-9   <none>           <none>
my-gitlab-webservice-default-79f7757847-2mw8g        2/2     Running     0               24m     192.168.210.215   anolis-7-9   <none>           <none>
my-gitlab-webservice-default-79f7757847-gz9lm        2/2     Running     0               2m27s   192.168.240.117   anolis-7-7   <none>           <none>
[root@anolis-7-9 ~]# 

Create a certificate for the custom domain abc123.xuxiaowei.cn

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -subj "/C=CN/ST=ShanDong/L=QingDao/O=xuxiaowei/OU=xuxiaowei/CN=abc123.xuxiaowei.cn/emailAddress=xuxiaowei@xuxiaowei.com.cn" -out ca.crt -utf8

Add or edit the domain and fill in the domain's SSL/TLS certificate


Try out the domain SSL/TLS certificate


Extra, extra!
極狐GitLab is launching a DevSecOps maturity assessment! Link: https://gitlab.cn/devsecops-assessment/ The assessment is very comprehensive and offers reliable recommendations; even without buying the product, it is a valuable reference for users who want to adopt DevSecOps. Come and try it!
