Kubernetes: Gitlab
gitlab
gitlab-chart-kubernetes: GitLab deployed as a Helm chart
Component overview
- Core GitLab components:
  - NGINX Ingress: web access entry point
  - Registry: repository storage, backed by local disk or a distributed file system
  - GitLab/Gitaly: backend service that provides high-level RPC access to Git repositories
  - GitLab/GitLab Exporter
  - GitLab/GitLab Grafana: not installed by default
  - GitLab/GitLab Pages: disabled by default; similar to GitHub Pages
  - GitLab/GitLab Shell: command handling over SSH
  - GitLab/Mailroom: mail; disabled by default
  - GitLab/Migrations: migration service; disabled by default
  - GitLab/Sidekiq: background service that pulls jobs from the Redis queue and processes them
  - GitLab/Task Runner: internal task management, including backups
  - GitLab/Webservice: handles web pages and API requests; Puma runs the webservice (Rails application) together with Workhorse (proxy)
- Optional dependencies:
  - PostgreSQL: installed by default
  - Redis: installed by default as a single node
  - MinIO: installed by default; distributed file system compatible with the S3 protocol, developed by the GlusterFS team
- Optional additions:
  - Prometheus: installed by default
  - Grafana: disabled by default
  - Unprivileged GitLab Runner using the Kubernetes executor
  - Automatically provisioned SSL via Let's Encrypt, using Jetstack's cert-manager
  - GitLab/Praefect: disabled by default; manages a Gitaly cluster. Still under development; production use needs special handling.
  - GitLab/Kubernetes Agent Server (KAS): a GitLab backend service dedicated to managing the Kubernetes Agent.
GitLab network architecture
Simplified architecture diagram
Components (version 14.2)
Legend
- ✅ - installed by default
- ⚙ - requires additional configuration
- ⤓ - requires manual installation
- ❌ - not supported or not documented
- N/A - not applicable
Component | Description | Omnibus GitLab (rpm) | GitLab chart | CE/EE |
---|---|---|---|---|
Certificate Management | TLS certificates, Let's Encrypt | ✅ | ✅ | CE & EE |
Consul | Database node discovery, failover | ⚙ | ❌ | EE Only |
Database Migrations | Database migrations | ✅ | ✅ | CE & EE |
Elasticsearch | Search within GitLab | ⤓ | ⤓ | EE Only |
Gitaly | Git RPC service that handles all Git calls made by GitLab | ✅ | ✅ | CE & EE |
GitLab Exporter | Generates GitLab metrics | ✅ | ✅ | CE & EE |
GitLab Geo Node | Geographically distributed GitLab nodes | ⚙ | ❌ | EE Only |
GitLab Kubernetes Agent | Integrates Kubernetes clusters in a cloud-native way | ⚙ | ⚙ | EE Only |
GitLab Pages | GitLab static websites | ⚙ | ❌ | CE & EE |
GitLab self-monitoring: Alertmanager | Prometheus alerting | ⚙ | ✅ | CE & EE |
GitLab self-monitoring: Grafana | Metrics dashboards | ✅ | ⚙ | CE & EE |
GitLab self-monitoring: Jaeger | GitLab request tracing | ❌ | ⚙ | CE & EE |
GitLab self-monitoring: Prometheus | Time-series database, metrics collection and query service | ✅ | ✅ | CE & EE |
GitLab self-monitoring: Sentry | Tracks errors generated by the GitLab instance | ⤓ | ⤓ | CE & EE |
GitLab Shell | Handles Git SSH sessions | ✅ | ✅ | CE & EE |
GitLab Workhorse | Smart reverse proxy that handles large HTTP requests | ✅ | ✅ | CE & EE |
Inbound email (SMTP) | Receives messages to update issues | ⤓ | ⚙ | CE & EE |
Jaeger integration | Distributed tracing for deployed applications | ⤓ | ⤓ | EE Only |
LDAP Authentication | Authenticates users against a central LDAP directory | ⤓ | ⤓ | CE & EE |
Mattermost | Open-source Slack alternative | ⚙ | ⤓ | CE & EE |
MinIO | Object storage service | ⤓ | ✅ | CE & EE |
NGINX | Routes requests to the appropriate component, SSL | ✅ | ✅ | CE & EE |
Node Exporter | Node system metrics | ✅ | N/A | CE & EE |
Outbound email (SMTP) | Sends email to users | ⤓ | ⚙ | CE & EE |
Patroni | Manages PostgreSQL HA cluster leader election and replication | ⚙ | ❌ | EE Only |
PgBouncer Exporter | PgBouncer metrics collection | ⚙ | ❌ | CE & EE |
PgBouncer | Database connection pooling, failover | ⚙ | ❌ | EE Only |
PostgreSQL Exporter | PostgreSQL metrics collection | ✅ | ✅ | CE & EE |
PostgreSQL | Database | ✅ | ✅ | CE & EE |
Praefect | Transparent proxy between Git clients and Gitaly storage nodes | ✅ | ⚙ | CE & EE |
Puma (GitLab Rails) | Handles requests for the web interface and API | ✅ | ✅ | CE & EE |
Redis Exporter | Redis metrics collection | ✅ | ✅ | CE & EE |
Redis | Caching service | ✅ | ✅ | CE & EE |
Registry | Container image registry | ⚙ | ✅ | CE & EE |
Runner | Executes GitLab CI/CD jobs | ⤓ | ✅ | CE & EE |
Sentry integration | Error tracking for deployed applications | ⤓ | ⤓ | CE & EE |
Sidekiq | Background job processor | ✅ | ✅ | CE & EE |
Component notes
gitlab:
- task-runner (https://docs.gitlab.com/charts/charts/gitlab/task-runner): the Task Runner pod runs periodic housekeeping tasks for the GitLab application, including backups, Sidekiq maintenance and Rake tasks
  image: registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v14.2.0
- migrations (https://docs.gitlab.com/charts/charts/gitlab/migrations): database migrations; uses the same image as task-runner
- webservice (https://docs.gitlab.com/charts/charts/gitlab/webservice): the Puma (GitLab Rails) web server, made up of 2 containers
  image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v14.2.0
  image: registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee:v14.2.0
- sidekiq (https://docs.gitlab.com/charts/charts/gitlab/sidekiq): background service that pulls jobs from the Redis queue and processes them
  image: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v14.2.0
- gitaly (https://docs.gitlab.com/charts/charts/gitlab/gitaly): Git RPC service that handles all Git calls made by GitLab
  image: registry.gitlab.com/gitlab-org/build/cng/gitaly:v14.2.0
- gitlab-shell (https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell): Git over SSH
  image.repository=registry.gitlab.com/gitlab-org/build/cng/gitlab-shell:v13.19.1
- gitlab-grafana (https://docs.gitlab.com/charts/charts/gitlab/gitlab-grafana):
Requirements
Service | Version | Notes |
---|---|---|
k8s | 1.16+ | |
helm | v3 | 3.3.1 or later |
postgresql | 12 | |
GitLab version mapping
GitLab 14.1.0 / Helm 3
Persistent storage
The following applications need persistent storage to keep their state:
- Gitaly (Git repositories)
- PostgreSQL (GitLab database data)
- Redis (GitLab job data)
- MinIO (object storage data)
GitLab chart deployment overview
Official reference: gitlab chart deploy
Performance testing: reference architectures
Sample: gitlab
```shell
helm upgrade --install -n gitlab-test-xcw gitlab-test-xcw gitlab/gitlab \
  --timeout 600s \
  --version=5.2.1 \
  --dry-run \
  `#--domain--` \
  `#https://docs.gitlab.com/charts/installation/deployment.html#networking-and-dns` \
  `#host settings https://docs.gitlab.com/charts/charts/globals#configure-host-settings` \
  --set global.hosts.domain=example.com \
  --set global.hosts.externalIP=10.22.0.71 \
  `#--persistent storage--` \
  `#https://docs.gitlab.com/charts/installation/storage.html` \
  `#dynamic volumes: kubectl apply -f gitlab_storageclass.yaml` \
  --set gitlab.gitaly.persistence.storageClass=CUSTOM_STORAGE_CLASS_NAME \
  --set gitlab.gitaly.persistence.size=200Gi \
  --set gitlab.gitaly.persistence.accessMode=ReadWriteMany \
  --set postgresql.persistence.storageClass=CUSTOM_STORAGE_CLASS_NAME \
  --set postgresql.persistence.size=50Gi \
  --set postgresql.persistence.accessModes={ReadWriteMany} \
  --set redis.master.persistence.storageClass=CUSTOM_STORAGE_CLASS_NAME \
  --set redis.master.persistence.size=20Gi \
  --set redis.master.persistence.accessModes={ReadWriteMany} \
  --set minio.persistence.storageClass=CUSTOM_STORAGE_CLASS_NAME \
  --set minio.persistence.size=40Gi \
  `#--TLS certificate management--` \
  `#https://docs.gitlab.com/charts/installation/tls.html` \
  `#import a wildcard certificate https://docs.gitlab.com/charts/installation/tls.html#option-2-use-your-own-wildcard-certificate` \
  `#kubectl --namespace=gitlab create secret tls <tls-secret-name> --cert=<path/to-full-chain.crt> --key=<path/to.key>` \
  --set certmanager.install=false \
  --set global.ingress.configureCertmanager=false \
  --set global.ingress.tls.secretName=<tls-secret-name> \
  `#--external PostgreSQL--` \
  `#https://docs.gitlab.com/charts/installation/deployment.html#postgresql` \
  `#the password can be supplied through a secret` \
  `#kubectl -n gitlab create secret generic gitlab-postgresql-password --from-literal=postgresql-password=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64)` \
  --set postgresql.install=false \
  --set global.psql.host=production.postgress.hostname.local \
  --set global.psql.username='gitlab' \
  --set global.psql.password.secret=gitlab-postgresql-password \
  --set global.psql.password.key=postgresql-password \
  --set global.psql.database='gitlabhq_production' \
  `#--external Redis--` \
  `#https://docs.gitlab.com/charts/charts/globals.html#configure-redis-settings` \
  `#single-node, sentinel or cluster deployments are all supported` \
  `#kubectl create secret generic gitlab-redis-secret --from-literal=password=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64)` \
  --set redis.install=false \
  --set global.redis.host='redis.example.com' \
  --set global.redis.password.secret=gitlab-redis-secret \
  --set global.redis.password.key='password' \
  `#--external object storage instead of the chart's own MinIO; the connection secret must exist beforehand--` \
  `#https://docs.gitlab.com/charts/advanced/external-object-storage/index.html` \
  `#full example https://gitlab.com/gitlab-org/charts/gitlab/blob/master/examples/values-external-objectstorage.yaml` \
  `#consolidated storage https://docs.gitlab.com/charts/charts/globals.html#consolidated-object-storage` \
  `#storage defaults https://docs.gitlab.com/12.10/charts/charts/globals.html#configure-minio-settings` \
  `#per-bucket connection example https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/objectstorage/rails.s3.yaml` \
  `#kubectl -n gitlab create secret generic gitlab-rails-storage --from-file=connection=rails.yaml` \
  --set global.minio.enabled=false \
  --set global.appConfig.object_store.enabled=true \
  --set global.appConfig.object_store.connection.secret=gitlab-rails-storage \
  --set global.appConfig.object_store.connection.key=connection \
  --set global.appConfig.lfs.bucket=gitlab-lfs \
  --set global.appConfig.artifacts.bucket=gitlab-artifacts \
  --set global.appConfig.uploads.bucket=gitlab-uploads \
  --set global.appConfig.packages.bucket=gitlab-packages \
  --set global.appConfig.externalDiffs.enabled=true \
  --set global.appConfig.externalDiffs.bucket=gitlab-externaldiffs \
  --set global.appConfig.terraformState.enabled=true \
  --set global.appConfig.terraformState.bucket=gitlab-terraform \
  --set global.appConfig.pseudonymizer.bucket=gitlab-pseudonymizer \
  --set global.appConfig.dependencyProxy.enabled=true \
  --set global.appConfig.dependencyProxy.bucket=gitlab-dependencyproxy \
  `#Docker registry` \
  `#https://docs.gitlab.com/charts/advanced/external-object-storage/index.html#docker-registry-images` \
  `#registry storage example https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/objectstorage/registry.s3.yaml` \
  `#kubectl --namespace=gitlab create secret generic registry-storage --from-file=config=registry-storage.yaml` \
  --set registry.storage.secret=registry-storage \
  --set registry.storage.key=config \
  --set global.registry.bucket=bucket-name \
  `#backups` \
  `#https://docs.gitlab.com/charts/advanced/external-object-storage/index.html#backups` \
  `#backup storage example https://docs.gitlab.com/charts/advanced/external-object-storage/index.html#backups-storage-example` \
  `#kubectl --namespace=gitlab create secret generic storage-config --from-file=config=storage.config` \
  --set global.appConfig.backups.bucket=gitlab-backup-storage \
  --set global.appConfig.backups.tmpBucket=gitlab-tmp-storage \
  --set gitlab.task-runner.backups.objectStorage.config.secret=storage-config \
  --set gitlab.task-runner.backups.objectStorage.config.key=config \
  `#--monitoring--` \
  `#https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus#configuration` \
  --set prometheus.server.persistentVolume.storageClass=CUSTOM_STORAGE_CLASS_NAME \
  --set prometheus.server.persistentVolume.accessModes={ReadWriteMany} \
  --set prometheus.server.persistentVolume.size=10Gi \
  `#--outgoing email--` \
  `#https://docs.gitlab.com/charts/installation/command-line-options.html#outgoing-email-configuration` \
  `#kubectl --namespace=gitlab create secret generic gitlab-smtp-password --from-literal=password=yourpasswordhere` \
  --set [email protected] \
  --set global.email.display_name='GitLab' \
  --set global.smtp.enabled=true \
  --set global.smtp.address=smtp.exmail.qq.com \
  --set global.smtp.tls=true \
  --set global.smtp.port=456 \
  --set global.smtp.user_name="[email protected]" \
  --set global.smtp.password.secret="gitlab-smtp-password" \
  --set global.smtp.password.key=password \
  --set global.smtp.authentication="login" \
  --set global.smtp.starttls_auto=true \
  --set global.smtp.pool=true \
  `#--RBAC--` \
  `#https://docs.gitlab.com/charts/installation/deployment.html#rbac` \
  --set certmanager.rbac.create=false \
  `#--CPU and memory--` \
  `#minimal configuration https://docs.gitlab.com/charts/installation/deployment.html#cpu-and-ram-resource-requirements` \
  --set gitlab-runner.install=false \
  --set nginx-ingress.controller.replicaCount=3 \
  --set nginx-ingress.controller.minAvailable=2 \
  --set nginx-ingress.defaultBackend.replicaCount=2 \
  --set rails.bootsnap.enabled=false \
  `#timezone` \
  --set global.time_zone=Asia/Shanghai \
  `#--LDAP--` \
  `#https://docs.gitlab.com/charts/charts/globals.html#ldap` \
  `#https://docs.gitlab.com/ee/administration/auth/ldap/` \
  `#kubectl --namespace=gitlab create secret generic gitlab-ldap-password --from-literal=password=yourpasswordhere` \
  --set global.appConfig.ldap.servers.main.label='LDAP' \
  --set global.appConfig.ldap.servers.main.host='ldap.cici.com' \
  --set global.appConfig.ldap.servers.main.port='389' \
  --set global.appConfig.ldap.servers.main.uid='cn' \
  --set global.appConfig.ldap.servers.main.bind_dn='cn=gitlab_admin\,ou=sys_admins\,dc=cici\,dc=com' \
  --set global.appConfig.ldap.servers.main.base='ou=staff\,dc=cici\,dc=com' \
  --set global.appConfig.ldap.servers.main.password.secret='gitlab-ldap-password' \
  --set global.appConfig.ldap.servers.main.password.key='password' \
  --set global.appConfig.ldap.servers.main.allow_username_or_email_login=true \
  `#--OmniAuth--` \
  `#https://docs.gitlab.com/charts/charts/globals#omniauth` \
  --set global.appConfig.omniauth.enabled=true \
  `#--scheduled backups--` \
  `#https://docs.gitlab.com/charts/backup-restore/index.html` \
  --set gitlab.task-runner.backups.cron.enabled=true \
  --set gitlab.task-runner.backups.cron.schedule='0 2 * * *' \
  `#--upload limit--` \
  --set global.ingress.proxyBodySize=10Gi \
  `#--QoS--` \
  --set nginx-ingress.controller.resources.requests.cpu='100m' \
  --set nginx-ingress.controller.resources.requests.memory='100Mi' \
  `#--3k users--` \
  `#enable the Praefect proxy in front of a Gitaly cluster` \
  `#Praefect constraint: create its database after installation https://docs.gitlab.com/charts/charts/gitlab/praefect/index.html` \
  --set global.praefect.enabled=true \
  `#--custom images--` \
  --set global.kubectl.image.repository=registry.gitlab.com/gitlab-org/build/cng/kubectl \
  --set global.kubectl.image.tag="1.16.15" \
  --set global.certificates.image.repository=registry.gitlab.com/gitlab-org/build/cng/alpine-certificates \
  --set global.certificates.image.tag="20191127-r2" \
  --set nginx-ingress.controller.image.repository=registry.gitlab.com/gitlab-org/cloud-native/mirror/images/ingress-nginx/controller \
  --set nginx-ingress.controller.image.tag="v0.41.2" \
  --set nginx-ingress.controller.image.digest="" \
  --set nginx-ingress.defaultBackend.image.repository=registry.gitlab.com/gitlab-org/cloud-native/mirror/images/defaultbackend-amd64 \
  --set nginx-ingress.defaultBackend.image.tag="1.5" \
  --set gitlab.task-runner.image.repository=registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee \
  --set gitlab.task-runner.image.tag="v14.2.1" \
  --set gitlab.migrations.image.repository=registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee \
  --set gitlab.migrations.image.tag="v14.2.1" \
  --set gitlab.gitaly.image.repository=registry.gitlab.com/gitlab-org/build/cng/gitaly \
  --set gitlab.gitaly.image.tag="v14.2.1" \
  --set gitlab.praefect.image.repository=registry.gitlab.com/gitlab-org/build/cng/gitaly \
  --set gitlab.praefect.image.tag="v14.2.1" \
  --set gitlab.sidekiq.image.repository=registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee \
  --set gitlab.sidekiq.image.tag="v14.2.1" \
  --set gitlab.gitlab-shell.image.repository=registry.gitlab.com/gitlab-org/build/cng/gitlab-shell \
  --set gitlab.gitlab-shell.image.tag="v13.19.1" \
  --set gitlab.webservice.image.repository=registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee \
  --set gitlab.webservice.image.tag="v14.2.1" \
  --set gitlab.webservice.workhorse.image=registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ee \
  --set gitlab.webservice.workhorse.tag="v14.2.1" \
  --set registry.image.repository=registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry \
  --set registry.image.tag="v3.9.0-gitlab" \
  --set postgresql.image.repository=bitnami/postgresql \
  --set postgresql.image.tag="12.7.0" \
  --set redis.image.repository=bitnami/redis \
  --set redis.image.tag="6.0.9-debian-10-r0" \
  --set gitlab-runner.image=gitlab/gitlab-runner:alpine-v14.2.0 \
  --set gitlab.gitlab-exporter.image.repository=registry.gitlab.com/gitlab-org/build/cng/gitlab-exporter \
  --set gitlab.gitlab-exporter.image.tag="11.2.0" \
  --set postgresql.metrics.image.repository=bitnami/postgres-exporter \
  --set postgresql.metrics.image.tag="0.8.0-debian-10-r99" \
  --set redis.metrics.image.repository=bitnami/redis-exporter \
  --set redis.metrics.image.tag="1.12.1-debian-10-r11" \
  --set prometheus.image.repository="prom/prometheus" \
  --set prometheus.image.tag="v2.21.0" \
  --set prometheus.configmapReload.image.repository="jimmidyson/configmap-reload" \
  --set prometheus.configmapReload.image.tag="v0.4.0" \
  --set global.busybox.image.repository=registry.gitlab.com/gitlab-org/cloud-native/mirror/images/busybox \
  --set global.busybox.image.tag=latest

# first login
#kubectl get secret <name>-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo
```
Sample: gitlab-runner
Check the available versions
```shell
helm search repo -l gitlab/gitlab-runner
```
GitLab Runner registration
1. Types
   - shared: runs jobs for every project on the platform (GitLab)
   - group: runs jobs for all projects under a specific group
   - specific: runs jobs for a specified project
2. States
   - locked: locked; cannot run project jobs
   - paused: paused; will not run jobs
3. Getting the registration token
   - shared runner token: Admin Area -> Overview -> Runners
   - group runner token: group -> Settings -> CI/CD -> Runners -> Group Runners
   - specific runner token: project -> Settings -> CI/CD -> Runners -> Specific Runners
Deploying with Helm
```shell
# For Helm 2
helm install --namespace <NAMESPACE> --name gitlab-runner -f <CONFIG_VALUES_FILE> gitlab/gitlab-runner

# For Helm 3
helm install --namespace gitlab-test-xcw gitlab-runner-test-xcw gitlab/gitlab-runner \
  -f values-test.yaml \
  --dry-run \
  --version=0.32.0 \
  `#--required configuration--` \
  `#https://docs.gitlab.com/runner/install/kubernetes.html#required-configuration` \
  --set gitlabUrl=https://git-test-xcw.cici.com \
  --set runnerRegistrationToken=TkZXLz8yOhP5g50p7YseGzkkYHs24eUqrT8I1Sgl42qn0tHyZtl0PmvS4SsEqlG3 \
  `#--custom images--` \
  --set image=gitlab/gitlab-runner:alpine-v14.2.0 \
  --set runners.image=ubuntu:16.04
# the [[runners]] entries go into the values-test.yaml given above

# uninstall
helm delete -n gitlab-test-xcw gitlab-runner-test-xcw

# local Linux
cat <<\EOF> /etc/gitlab-runner/config.toml
concurrent = 8
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "gitlab-runner1"
  url = "https://git.cici.com/"
  token = "7c032b4d7954156e8fe47f4828fb79"
  executor = "shell"
  [runners.cache]

[[runners]]
  name = "gitlab-runner1-2"
  url = "https://git.cici.com/"
  token = "ed5dc1ce69bc92d6403ac7a3b88dac"
  executor = "shell"
  [runners.cache]

[[runners]]
  name = "gitlab-runner1-3"
  url = "https://git.cici.com/"
  token = "f62a7ad1cf3ef656bdb2b104569389"
  executor = "shell"
  [runners.cache]
EOF
```
Installing from yum
https://docs.gitlab.com/runner/install/linux-repository.html
```shell
# install the gitlab-runner package
# For Debian/Ubuntu/Mint
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
# For RHEL/CentOS/Fedora
curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.rpm.sh" | sudo bash

# for DEB based systems
apt-cache madison gitlab-runner
sudo apt-get install gitlab-runner-14.2.0-1
# for RPM based systems
yum list gitlab-runner --showduplicates | sort -r
sudo yum install gitlab-runner-14.2.0-1

# move the data directory: create it, grant it to the gitlab-runner user,
# then set --working-directory /data/gitlab-runner in the unit file
cat /etc/systemd/system/gitlab-runner.service   # --working-directory /data/gitlab-runner
systemctl status gitlab-runner

# raise the number of concurrent jobs
sed -ri 's/(concurrent ).*/\1= 10/g' /etc/gitlab-runner/config.toml

# register with the GitLab server
# registration types: shared, group, specific
# a. shared
gitlab-runner register \
  --non-interactive \
  --url "https://git-test-xcw.cici.com/" \
  --registration-token "m-pV8RG2Rxh5LJj2pCNb" \
  --executor "shell" \
  --description "gitlab-runner1" \
  --tag-list "java,maven" \
  --run-untagged="true" \
  --locked="false" \
  --access-level="not_protected"
# b. specific project (needs the public key)
gitlab-runner register \
  --non-interactive \
  --url "https://git-test-xcw.cici.com/" \
  --registration-token "h8aw81DkHm2NhaBEAohX" \
  --executor "shell" \
  --description "gitlab-runner1-2" \
  --tag-list "java,maven" \
  --run-untagged="true" \
  --locked="false" \
  --access-level="not_protected"
## upload the gitlab-runner user's public key to GitLab (optional)
#ssh-keygen -t rsa -C "[email protected]" -P ''
#cat .ssh/id_rsa.pub

# update git
yum install http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm
yum install git
yum update git
```
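An added example, not part of the original notes: a shell audit for a gitlab-runner config.toml like the one written above. It flags three things worth reviewing before a runner goes live: the shell executor, which runs every CI job directly as the gitlab-runner user on the host; a non-https GitLab URL, which would carry the runner token in clear text; and keys not written in the documented lowercase form (`Token`, `[Runners.cache]`), since TOML keys are case-sensitive. The sample config, including its tokens, is constructed for the example, and the function names are the example's own.

```shell
# Print "name<TAB>executor<TAB>url" for every [[runners]] block in a config.toml.
list_runners() {
    awk '
        /^\[\[runners\]\]/ { if (name != "") print name "\t" ex "\t" url; name=""; ex=""; url="" }
        /^[ \t]*name[ \t]*=/     { gsub(/^[^"]*"|"[^"]*$/, ""); name=$0 }
        /^[ \t]*executor[ \t]*=/ { gsub(/^[^"]*"|"[^"]*$/, ""); ex=$0 }
        /^[ \t]*url[ \t]*=/      { gsub(/^[^"]*"|"[^"]*$/, ""); url=$0 }
        END { if (name != "") print name "\t" ex "\t" url }
    ' "$1"
}

# Runners whose jobs execute as the runner user on the host itself.
count_shell_executors() {
    list_runners "$1" | awk -F'\t' '$2 == "shell"' | wc -l | tr -d ' '
}

# Runners that talk to GitLab over something other than https://.
count_insecure_urls() {
    list_runners "$1" | awk -F'\t' '$3 !~ /^https:\/\//' | wc -l | tr -d ' '
}

# Keys or table headers written with uppercase letters (documented keys are lowercase).
count_badcase_keys() {
    grep -c -E '^[[:space:]]*(Token|Url|Executor|Name)[[:space:]]*=|^[[:space:]]*\[\[?[^]]*[A-Z][^]]*\]\]?' "$1" || true
}

# Print findings; return 0 when the file is clean, 1 when anything was flagged.
audit_runner_config() {
    f="$1"; bad=0
    n=$(count_shell_executors "$f")
    [ "$n" -gt 0 ] && { echo "WARN: $n runner(s) use the shell executor (jobs run as the runner user on the host)"; bad=1; }
    n=$(count_insecure_urls "$f")
    [ "$n" -gt 0 ] && { echo "WARN: $n runner(s) use a non-https url"; bad=1; }
    n=$(count_badcase_keys "$f")
    [ "$n" -gt 0 ] && { echo "WARN: $n key(s) not in the documented lowercase form"; bad=1; }
    return $bad
}

# Constructed sample modelled on the config.toml above; the tokens are fake.
SAMPLE_CONFIG='concurrent = 8
check_interval = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "gitlab-runner1"
  url = "https://git.example.com/"
  token = "FAKE-TOKEN-1"
  executor = "shell"
  [runners.cache]

[[runners]]
  name = "gitlab-runner1-2"
  url = "http://git.example.com/"
  Token = "FAKE-TOKEN-2"
  executor = "docker"
  [Runners.cache]
'
write_sample_config() { printf '%s' "$SAMPLE_CONFIG" > "$1"; }

# Usage: audit_runner_config /etc/gitlab-runner/config.toml
```

Run it against the real file after every `gitlab-runner register`; a non-zero exit is a signal to look at the runner before it picks up jobs.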
Test environment
3k users
Preparation
```shell
# generate the files to prepare inside a dedicated directory
mkdir customize_conf; cd customize_conf
```
Persistent volumes
Prepare a machine and create the directories on it.
```shell
#mkdir -p /data/gitlab-test-xcw/{gitaly{,2,3},postgresql,prometheus,redis}
# Gitaly storage: 200Gi
# A 3k-user cluster needs at least 3 Gitaly services behind the Praefect proxy; Praefect is off by default, so one Gitaly PV is enough.
cat <<\EOF> gitlab-pv-sc.yaml
---
# gitaly1
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gitlab-gitaly-test-xcw
  labels:
    storage: gitaly-data-test-xcw
spec:
  capacity:
    storage: "200Gi"
  accessModes:
    - "ReadWriteMany"
  volumeMode: Filesystem
  local:
    path: /data/gitlab-test-xcw/gitaly
  storageClassName: "gitlab-storageclass-test-xcw"
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - 10.22.0.18
---
# gitaly2
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gitlab-gitaly2-test-xcw
  labels:
    storage: gitaly2-data-test-xcw
spec:
  capacity:
    storage: "200Gi"
  accessModes:
    - "ReadWriteMany"
  volumeMode: Filesystem
  local:
    path: /data/gitlab-test-xcw/gitaly2
  storageClassName: "gitlab-storageclass-test-xcw"
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - 10.22.0.18
---
# gitaly3
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gitlab-gitaly3-test-xcw
  labels:
    storage: gitaly3-data-test-xcw
spec:
  capacity:
    storage: "200Gi"
  accessModes:
    - "ReadWriteMany"
  volumeMode: Filesystem
  local:
    path: /data/gitlab-test-xcw/gitaly3
  storageClassName: "gitlab-storageclass-test-xcw"
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - 10.22.0.18
---
# postgresql
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gitlab-postgresql-test-xcw
  labels:
    storage: postgresql-data-test-xcw
spec:
  capacity:
    storage: "50Gi"
  accessModes:
    - "ReadWriteMany"
  volumeMode: Filesystem
  local:
    path: /data/gitlab-test-xcw/postgresql
  storageClassName: "gitlab-storageclass-test-xcw"
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - 10.22.0.18
---
# redis
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gitlab-redis-test-xcw
  labels:
    storage: redis-data-test-xcw
spec:
  capacity:
    storage: "20Gi"
  accessModes:
    - "ReadWriteMany"
  volumeMode: Filesystem
  local:
    path: /data/gitlab-test-xcw/redis
  storageClassName: "gitlab-storageclass-test-xcw"
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - 10.22.0.18
---
# prometheus
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gitlab-prometheus-test-xcw
  labels:
    storage: prometheus-data-test-xcw
spec:
  capacity:
    storage: "10Gi"
  accessModes:
    - "ReadWriteMany"
  volumeMode: Filesystem
  local:
    path: /data/gitlab-test-xcw/prometheus
  storageClassName: "gitlab-storageclass-test-xcw"
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - 10.22.0.18
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: gitlab-storageclass-test-xcw
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Retain
EOF
kubectl apply -f gitlab-pv-sc.yaml
```
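An added example, not part of the original notes: the six PersistentVolumes and the StorageClass above generated from a small table, so a size, path or node change is made in one place and every volume keeps the same shape. Node IP, paths, sizes, names and the StorageClass follow the notes; the table and the function names (`pv_manifest`, `all_pv_manifests`, `count_pvs`) are the example's own.

```shell
SC="gitlab-storageclass-test-xcw"

# One local PersistentVolume: component name, capacity, host path, node hostname.
pv_manifest() {
cat <<EOF
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gitlab-$1-test-xcw
  labels:
    storage: $1-data-test-xcw
spec:
  capacity:
    storage: "$2"
  accessModes:
    - "ReadWriteMany"
  volumeMode: Filesystem
  local:
    path: $3
  storageClassName: "$SC"
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values:
                - $4
EOF
}

# Table: component, size, directory under the data root (values from the notes).
PV_TABLE='gitaly 200Gi gitaly
gitaly2 200Gi gitaly2
gitaly3 200Gi gitaly3
postgresql 50Gi postgresql
redis 20Gi redis
prometheus 10Gi prometheus'

# Emit every PV from the table plus the no-provisioner StorageClass.
# $1 = node hostname label, $2 = data root (defaults to the notes' path).
all_pv_manifests() {
    node="$1"; root="${2:-/data/gitlab-test-xcw}"
    printf '%s\n' "$PV_TABLE" | while read -r comp size dir; do
        pv_manifest "$comp" "$size" "$root/$dir" "$node"
    done
cat <<EOF
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: $SC
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Retain
EOF
}

# Sanity check: number of PersistentVolume documents in a manifest on stdin.
count_pvs() {
    grep -c '^kind: PersistentVolume$'
}

# Usage: all_pv_manifests 10.22.0.18 > gitlab-pv-sc.yaml && kubectl apply -f gitlab-pv-sc.yaml
```

Because every volume is `local` and pinned to one node by `nodeAffinity`, the node argument is the single place that decides where all the data lives; keep it in sync with the directories created by the `mkdir -p` line above.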
Domain certificate
```shell
kubectl --namespace=gitlab-test-xcw create secret tls cici-com --cert=cici.com.crt --key=cici.com.key
```
Enabling external object storage
Access keys
- Root account ID: 100000xxx
- User name: gitlab-test-xcw
- Login password: -
- SecretId: Axxxx
- SecretKey: oLxxx
Tencent Cloud COS user permission policy
```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": [
        "name/cos:*"
      ],
      "resource": [
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-backup-test-xcw-1254024480/",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-backup-test-xcw-1254024480/*",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-backup-tmp-test-xcw-1254024480/",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-backup-tmp-test-xcw-1254024480/*",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-artifacts-test-xcw-1254024480/",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-artifacts-test-xcw-1254024480/*",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-lfs-test-xcw-1254024480/",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-lfs-test-xcw-1254024480/*",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-packages-test-xcw-1254024480/",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-packages-test-xcw-1254024480/*",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-pseudonymizer-test-xcw-1254024480/",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-pseudonymizer-test-xcw-1254024480/*",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-uploads-test-xcw-1254024480/",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-uploads-test-xcw-1254024480/*",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-registry-test-xcw-1254024480/",
        "qcs::cos:ap-beijing:uid/1254024480:gitlab-registry-test-xcw-1254024480/*"
      ]
    }
  ]
}
```
Creating the secrets
```shell
# consolidated storage
cat <<EOF> object-storage-test.yaml
provider: AWS
region: ap-beijing
aws_access_key_id: AKIDxxx
aws_secret_access_key: oLxxxx
aws_signature_version: 2
host: "cos.ap-beijing.myqcloud.com"
endpoint: "https://cos.ap-beijing.myqcloud.com"
EOF
kubectl --namespace=gitlab-test-xcw create secret generic gitlab-rails-storage --from-file=connection=object-storage-test.yaml

# registry storage
cat >registry-test.yaml<<EOF
s3:
  bucket: gitlab-registry-test
  accesskey: AKIDMxxxx
  secretkey: oLaZIxxxx
  regionendpoint: "https://cos.ap-beijing.myqcloud.com"
  region: ap-beijing
EOF
kubectl --namespace=gitlab-test-xcw create secret generic gitlab-registry --from-file=config=registry-test.yaml

# backups
cat <<EOF> s3cfg_cos
[default]
access_key = AKxxx
secret_key = oLaZxxxx
bucket_location = ap-beijing
host_base = cos.ap-beijing.myqcloud.com
host_bucket = cos.ap-beijing.myqcloud.com
signature_v2 = True
EOF
kubectl --namespace=gitlab-test-xcw create secret generic task-runenr-s3-config --from-file=config=s3cfg_cos
```
Service connection passwords
```shell
cat <<\EOF> pg_redis_ldap_smtp.yaml
---
apiVersion: v1
kind: Secret
metadata:
  namespace: gitlab-test-xcw
  name: gitlab-test-pg
type: Opaque
data:
  password: cG9zdGdyZXM=
---
apiVersion: v1
kind: Secret
metadata:
  namespace: gitlab-test-xcw
  name: gitlab-test-redis
type: Opaque
data:
  password: MTIzNDU2
---
apiVersion: v1
kind: Secret
metadata:
  namespace: gitlab-test-xcw
  name: gitlab-test-ldap
type: Opaque
data:
  password: S3hzWWdKYk52TXdGOEtrcThuZUxiRWtRS1VpYTl4Vks=
---
apiVersion: v1
kind: Secret
metadata:
  namespace: gitlab-test-xcw
  name: gitlab-test-smtp
type: Opaque
data:
  password: WiNwczklMGo=
EOF
kubectl apply -f pg_redis_ldap_smtp.yaml

# when the chart's own Redis and PostgreSQL are used, the secrets created here are not needed
# to make the chart's own Redis and PostgreSQL use these secrets, set the parameters below plus the server-side password parameters
# --set global.psql.password.secret=gitlab-test-pg \
# --set global.psql.password.key='password' \
#global.postgresql.postgresqlPassword
#global.postgresql.existingSecret
```
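An added example, not part of the original notes, for the password Secrets above. The manifest there carries base64 of fixed values, and base64 is reversible, so such a file is exactly as sensitive as the plaintext passwords it holds. The script below instead generates random values with the same /dev/urandom pipeline the helm sample's comments use, encodes them on the fly, and writes one manifest per service with owner-only permissions. The namespace and the secret names follow the notes; the function names are the example's own.

```shell
# Random alphanumeric password of the requested length (default 64).
gen_password() {
    len="${1:-64}"
    head -c 4096 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c "$len"
}

# Print one Opaque Secret manifest: namespace, name, data key, plaintext value.
# The value is base64-encoded here so it never has to be pasted into a file by hand.
secret_manifest() {
    ns="$1"; name="$2"; key="$3"; value="$4"
    enc=$(printf '%s' "$value" | base64 | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  namespace: %s\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$ns" "$name" "$key" "$enc"
}

# Decode one data key back out of a manifest file (verification only).
secret_value() {
    sed -n "s/^  $2: //p" "$1" | base64 --decode
}

# Write gitlab-test-{pg,redis,ldap,smtp} manifests into a directory that stays
# out of version control; directory and files are readable by the owner only.
write_service_secrets() {
    outdir="$1"; ns="$2"
    mkdir -p "$outdir"
    chmod 700 "$outdir"
    for svc in pg redis ldap smtp; do
        secret_manifest "$ns" "gitlab-test-$svc" password "$(gen_password 32)" \
            > "$outdir/gitlab-test-$svc.yaml"
        chmod 600 "$outdir/gitlab-test-$svc.yaml"
    done
}

# Usage: write_service_secrets ./secrets gitlab-test-xcw && kubectl apply -f ./secrets
```

The generated passwords must of course also be set on the services themselves (the PostgreSQL, Redis, LDAP bind and SMTP accounts); `secret_value` is there to read a value back for that step without opening the manifest in an editor.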
Load balancer ingress (SLB)
Create a CLB automatically; an internal SLB is chosen here: https://cloud.tencent.com/document/product/457/45487
```shell
--set nginx-ingress.controller.service.annotations.service\\.kubernetes\\.io\\/qcloud-loadbalancer-internal-subnetid=subnet-fubxophz
```
Use an existing CLB
```shell
--set global.hosts.externalIP=10.22.0.71 \
--set nginx-ingress.controller.service.annotations.service\\.kubernetes\\.io\\/qcloud-loadbalancer-internal-subnetid=subnet-fubxophz \
--set nginx-ingress.controller.service.annotations.kubernetes\\.io\\/ingress\\.existLbId=<loadbalanceid> \
```
Building private images
To pin versions and speed up pulls, the core components are best mirrored as private images.
```shell
docker push docker.cici.com/library/gitlab/gitlab-container-registry:v3.9.0-gitlab
docker push docker.cici.com/library/gitlab/gitlab-shell:v13.19.1
docker push docker.cici.com/library/gitlab/gitlab-workhorse-ee:v14.2.1
docker push docker.cici.com/library/gitlab/gitlab-toolbox-ee:v14.2.1
docker push docker.cici.com/library/gitlab/gitlab-webservice-ee:v14.2.1
docker push docker.cici.com/library/gitlab/gitlab-sidekiq-ee:v14.2.1
docker push docker.cici.com/library/gitlab/gitaly:v14.2.1
docker push docker.cici.com/library/gitlab/gitlab-exporter:11.2.0
docker push docker.cici.com/library/gitlab/kubectl:1.16.15
docker push docker.cici.com/library/gitlab/postgresql:12.7.0
docker push docker.cici.com/library/gitlab/gitlab-runner:alpine-v14.2.0
docker push docker.cici.com/library/gitlab/alpine-certificates:20191127-r2
docker push docker.cici.com/library/gitlab/nginx-ingress-controller:v0.41.2
docker push docker.cici.com/library/gitlab/redis:6.0.9-debian-10-r0
docker push docker.cici.com/library/gitlab/defaultbackend-amd64:1.5
docker push docker.cici.com/library/gitlab/busybox:latest
```
Script
```shell
cat <<\EOF> create_gitlab_secrets.sh
#!/bin/bash
# --- create the persistent volumes
kubectl apply -f gitlab-pv-sc.yaml
# --- create the TLS secret for the domain certificate
kubectl --namespace=gitlab-test-xcw create secret tls cici-com --cert=cici.com.crt --key=cici.com.key
# --- enable external object storage
# consolidated storage
kubectl --namespace=gitlab-test-xcw create secret generic gitlab-rails-storage --from-file=connection=object-storage-test.yaml
#:<<eof
# before chart 5.2.1 there was no consolidated configuration, so each bucket needs its own secret
kubectl --namespace=gitlab-test-xcw create secret generic gitlab-lfs --from-file=connection=object-storage-test.yaml
kubectl --namespace=gitlab-test-xcw create secret generic gitlab-artifacts --from-file=connection=object-storage-test.yaml
kubectl --namespace=gitlab-test-xcw create secret generic gitlab-uploads --from-file=connection=object-storage-test.yaml
kubectl --namespace=gitlab-test-xcw create secret generic gitlab-packages --from-file=connection=object-storage-test.yaml
#kubectl --namespace=gitlab-test-xcw create secret generic gitlab-externaldiffs --from-file=connection=object-storage-test.yaml
kubectl --namespace=gitlab-test-xcw create secret generic gitlab-pseudonymizer --from-file=connection=object-storage-test.yaml
#eof
# registry storage
kubectl --namespace=gitlab-test-xcw create secret generic gitlab-registry --from-file=config=registry-test.yaml
# backups
kubectl --namespace=gitlab-test-xcw create secret generic task-runenr-s3-config --from-file=config=s3cfg_cos
# --- service connection passwords
kubectl apply -f pg_redis_ldap_smtp.yaml
EOF
```
Deployment
Helm release
```shell
helm upgrade --install -n gitlab-test-xcw gitlab-test-xcw gitlab/gitlab \
  --timeout 600s \
  --version=5.2.1 \
  --dry-run \
  `#--domain--` \
  `#https://docs.gitlab.com/charts/installation/deployment.html#networking-and-dns` \
  `#host settings https://docs.gitlab.com/charts/charts/globals#configure-host-settings` \
  --set global.hosts.gitlab.name='git-test-xcw.cici.com' \
  --set global.hosts.gitlab.https=true \
  --set nginx-ingress.controller.service.annotations.service\\.kubernetes\\.io\\/qcloud-loadbalancer-internal-subnetid=subnet-fubxophz \
  `#--persistent storage--` \
  `#https://docs.gitlab.com/charts/installation/storage.html` \
  `#dynamic volumes: kubectl apply -f gitlab_storageclass.yaml` \
  --set gitlab.gitaly.persistence.storageClass=gitlab-storageclass-test-xcw \
  --set gitlab.gitaly.persistence.size=200Gi \
  --set gitlab.gitaly.persistence.accessMode=ReadWriteMany \
  --set postgresql.persistence.storageClass=gitlab-storageclass-test-xcw \
  --set postgresql.persistence.size=50Gi \
  --set postgresql.persistence.accessModes={ReadWriteMany} \
  --set redis.master.persistence.storageClass=gitlab-storageclass-test-xcw \
  --set redis.master.persistence.size=20Gi \
  --set redis.master.persistence.accessModes={ReadWriteMany} \
  `#--TLS certificate management--` \
  `#https://docs.gitlab.com/charts/installation/tls.html` \
  `#import a wildcard certificate https://docs.gitlab.com/charts/installation/tls.html#option-2-use-your-own-wildcard-certificate` \
  `#kubectl --namespace=gitlab-test-xcw create secret tls cici-com-test-xcw --cert=cici.com.crt --key=cici.com.key` \
  --set certmanager.install=false \
  --set global.ingress.configureCertmanager=false \
  --set global.ingress.tls.secretName=cici-com \
  `#--external PostgreSQL--` \
  `#https://docs.gitlab.com/charts/installation/deployment.html#postgresql` \
  `#the password can be supplied through a secret` \
  `#kubectl -n gitlab create secret generic gitlab-postgresql-password --from-literal=postgresql-password=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64)` \
  `#--set postgresql.install=false` \
  `#--set global.psql.host=production.postgress.hostname.local` \
  `#--set global.psql.username='postgres'` \
  `#--set global.psql.password.secret=gitlab-test-pg` \
  `#--set global.psql.password.key='password'` \
  `#--set global.psql.database='gitlabtest'` \
  `#--external Redis--` \
  `#https://docs.gitlab.com/charts/charts/globals.html#configure-redis-settings` \
  `#single-node, sentinel or cluster deployments are all supported` \
  `#kubectl create secret generic gitlab-redis-secret --from-literal=password=$(head -c 512 /dev/urandom | LC_CTYPE=C tr -cd 'a-zA-Z0-9' | head -c 64)` \
  `#--set redis.install=false` \
  `#--set global.redis.host='redis.example.com'` \
  `#--set global.redis.password.secret=gitlab-test-redis` \
  `#--set global.redis.password.key='password'` \
  `#--external object storage instead of the chart's own MinIO; the connection secret must exist beforehand--` \
  `#https://docs.gitlab.com/charts/advanced/external-object-storage/index.html` \
  `#full example https://gitlab.com/gitlab-org/charts/gitlab/blob/master/examples/values-external-objectstorage.yaml` \
  `#consolidated storage https://docs.gitlab.com/charts/charts/globals.html#consolidated-object-storage` \
  `#storage defaults https://docs.gitlab.com/12.10/charts/charts/globals.html#configure-minio-settings` \
  `#per-bucket connection example https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/objectstorage/rails.s3.yaml` \
  `#kubectl --namespace=gitlab-test-xcw create secret generic gitlab-rails-storage --from-file=connection=rails.yaml` \
  --set global.minio.enabled=false \
  --set global.appConfig.object_store.enabled=true \
  --set global.appConfig.object_store.connection.secret=gitlab-rails-storage \
  --set global.appConfig.object_store.connection.key=connection \
  --set global.appConfig.lfs.bucket=gitlab-lfs-test-xcw-1254024480 \
  --set global.appConfig.artifacts.bucket=gitlab-artifacts-test-xcw-1254024480 \
  --set global.appConfig.uploads.bucket=gitlab-uploads-test-xcw-1254024480 \
  --set global.appConfig.packages.bucket=gitlab-packages-test-xcw-1254024480 \
  --set global.appConfig.pseudonymizer.bucket=gitlab-pseudonymizer-test-xcw-1254024480 \
  `#Docker registry` \
  `#https://docs.gitlab.com/charts/advanced/external-object-storage/index.html#docker-registry-images` \
  `#registry storage example https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/objectstorage/registry.s3.yaml` \
  `#kubectl --namespace=gitlab-test-xcw create secret generic gitlab-registry --from-file=config=registry-test.yaml` \
  --set registry.storage.secret=gitlab-registry \
  --set registry.storage.key=config \
  --set global.registry.bucket=gitlab-registry-test-xcw-1254024480 \
  `#backups` \
  `#https://docs.gitlab.com/charts/advanced/external-object-storage/index.html#backups` \
  `#backup storage example https://docs.gitlab.com/charts/advanced/external-object-storage/index.html#backups-storage-example` \
  `#kubectl --namespace=gitlab-test-xcw create secret generic task-runenr-s3-config --from-file=config=s3cfg_cos` \
  --set global.appConfig.backups.bucket=gitlab-backup-test-xcw-1254024480 \
  --set global.appConfig.backups.tmpBucket=gitlab-backup-tmp-test-xcw-1254024480 \
  --set gitlab.task-runner.backups.objectStorage.config.secret=task-runenr-s3-config \
  --set gitlab.task-runner.backups.objectStorage.config.key=config \
  `#--monitoring--` \
  `#https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus#configuration` \
  --set prometheus.server.persistentVolume.storageClass=gitlab-storageclass-test-xcw \
  --set prometheus.server.persistentVolume.accessModes={ReadWriteMany} \
  --set prometheus.server.persistentVolume.size=10Gi \
  `#--outgoing email--` \
  `#https://docs.gitlab.com/charts/installation/command-line-options.html#outgoing-email-configuration` \
  `#kubectl --namespace=gitlab create secret generic gitlab-smtp-password --from-literal=password=yourpasswordhere` \
  --set [email protected] \
  --set global.email.display_name='GitLab' \
  --set global.smtp.enabled=true \
  --set global.smtp.address=smtp.exmail.qq.com \
  --set global.smtp.tls=true \
  --set global.smtp.port=456 \
  --set global.smtp.user_name="[email protected]" \
  --set global.smtp.password.secret="gitlab-test-smtp" \
  --set global.smtp.password.key=password \
  --set global.smtp.authentication="login" \
  --set global.smtp.starttls_auto=true \
  --set global.smtp.pool=true \
  `#--RBAC--` \
  `#https://docs.gitlab.com/charts/installation/deployment.html#rbac` \
  --set certmanager.rbac.create=false \
  `#--CPU and memory--` \
  `#minimal configuration https://docs.gitlab.com/charts/installation/deployment.html#cpu-and-ram-resource-requirements` \
  --set gitlab-runner.install=false \
  --set nginx-ingress.controller.replicaCount=3 \
  --set nginx-ingress.controller.minAvailable=2 \
  --set nginx-ingress.defaultBackend.replicaCount=2 \
  `#timezone` \
  --set global.time_zone=Asia/Shanghai \
  `#--LDAP--` \
  `#https://docs.gitlab.com/charts/charts/globals.html#ldap` \
  `#https://docs.gitlab.com/ee/administration/auth/ldap/` \
  `#kubectl --namespace=gitlab create secret generic gitlab-ldap-password --from-literal=password=yourpasswordhere` \
  --set global.appConfig.ldap.servers.main.label='LDAP' \
  --set global.appConfig.ldap.servers.main.host='ldap.cici.com' \
  --set global.appConfig.ldap.servers.main.port='389' \
  --set global.appConfig.ldap.servers.main.uid='cn' \
  --set global.appConfig.ldap.servers.main.bind_dn='cn=gitlab_admin\,ou=sys_admins\,dc=cici\,dc=com' \
  --set global.appConfig.ldap.servers.main.base='ou=staff\,dc=cici\,dc=com' \
  --set global.appConfig.ldap.servers.main.encryption='plain' \
  --set global.appConfig.ldap.servers.main.password.secret='gitlab-test-ldap' \
  --set global.appConfig.ldap.servers.main.password.key='password' \
  --set global.appConfig.ldap.servers.main.user_filter='(&(memberOf=cn=rds\,ou=groups\,dc=cici\,dc=com))' \
  --set global.appConfig.ldap.servers.main.attributes.username='[cn]' \
  --set global.appConfig.ldap.servers.main.attributes.email='[mail\, email]' \
  --set global.appConfig.ldap.servers.main.attributes.name='displayName' \
  --set global.appConfig.ldap.servers.main.attributes.first_name='givenName' \
  --set global.appConfig.ldap.servers.main.attributes.last_name='sn' \
  --set
```
global.appConfig.ldap.servers.main.allow_username_or_email_login=true \ `#--omniauth认证--` \ `#https://docs.gitlab.com/charts/charts/globals#omniauth` \ --set global.appConfig.omniauth.enabled=true \ `#--自动备份--` \ `#https://docs.gitlab.com/charts/backup-restore/index.html` \ --set gitlab.task-runner.backups.cron.enabled=true \ --set gitlab.task-runner.backups.cron.schedule='0 2 * * *' \ `#--上传限制--` \ --set global.ingress.proxyBodySize=10Gi \ `#--qos服务质量--` \ --set nginx-ingress.controller.resources.requests.cpu='100m' \ --set nginx-ingress.controller.resources.requests.memory='100Mi' \ `#--3k用户--` \ `#开启gitaly代理pracefect,启动gitaly集群` \ `#praefect启动限制,安装后创建对应库https://docs.gitlab.com/charts/charts/gitlab/praefect/index.html` \ --set global.praefect.enabled=true \ `#--自定义镜像--` \ --set global.kubectl.image.repository=docker.cici.com/library/gitlab/kubectl \ --set global.kubectl.image.tag="1.16.15" \ --set global.certificates.image.repository=docker.cici.com/library/gitlab/alpine-certificates \ --set global.certificates.image.tag="20191127-r2" \ --set nginx-ingress.controller.image.repository=docker.cici.com/library/gitlab/nginx-ingress-controller \ --set nginx-ingress.controller.image.tag="v0.41.2" \ --set nginx-ingress.controller.image.digest="" \ --set nginx-ingress.defaultBackend.image.repository=docker.cici.com/library/gitlab/defaultbackend-amd64 \ --set nginx-ingress.defaultBackend.image.tag="1.5" \ --set gitlab.task-runner.image.repository=docker.cici.com/library/gitlab/gitlab-toolbox-ee \ --set gitlab.task-runner.image.tag="v14.2.1" \ --set gitlab.migrations.image.repository=docker.cici.com/library/gitlab/gitlab-toolbox-ee \ --set gitlab.migrations.image.tag="v14.2.1" \ --set gitlab.gitaly.image.repository=docker.cici.com/library/gitlab/gitaly \ --set gitlab.gitaly.image.tag="v14.2.1" \ --set gitlab.praefect.image.repository=docker.cici.com/library/gitlab/gitaly \ --set gitlab.praefect.image.tag="v14.2.1" \ --set 
gitlab.sidekiq.image.repository=docker.cici.com/library/gitlab/gitlab-sidekiq-ee \ --set gitlab.sidekiq.image.tag="v14.2.1" \ --set gitlab.gitlab-shell.image.repository=docker.cici.com/library/gitlab/gitlab-shell \ --set gitlab.gitlab-shell.image.tag="v13.19.1" \ --set gitlab.webservice.image.repository=docker.cici.com/library/gitlab/gitlab-webservice-ee \ --set gitlab.webservice.image.tag="v14.2.1" \ --set gitlab.webservice.workhorse.image=docker.cici.com/library/gitlab/gitlab-workhorse-ee \ --set gitlab.webservice.workhorse.tag="v14.2.1" \ --set registry.image.repository=docker.cici.com/library/gitlab/gitlab-container-registry \ --set registry.image.tag="v3.9.0-gitlab" \ --set postgresql.image.repository=docker.cici.com/library/gitlab/postgresql \ --set postgresql.image.tag="12.7.0" \ --set redis.image.repository=docker.cici.com/library/gitlab/redis \ --set redis.image.tag="6.0.9-debian-10-r0" \ --set gitlab-runner.image=docker.cici.com/library/gitlab/gitlab-runner:alpine-v14.2.0 \ --set gitlab.gitlab-exporter.image.repository=docker.cici.com/library/gitlab/gitlab-exporter \ --set gitlab.gitlab-exporter.image.tag="11.2.0" \ --set global.busybox.image.repository=docker.cici.com/library/gitlab/busybox \ --set global.busybox.image.tag=latest #初次登录 #kubectl -n gitlab-test-xcw get secret gitlab-test-xcw-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo
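Every setting above goes through `--set`, and the security-relevant ones (LDAP bind encryption, SMTP TLS, HTTPS, and the TLS secret that has to exist once cert-manager is disabled) are easy to lose in an invocation this long. As an added example, not code from the page or from the GitLab chart project, the following Python script parses Helm `--set` expressions into the nested values they produce, honouring Helm's `\,` and `\.` escapes and `{a,b}` lists, and then lints the merged result for weak settings. The sample assignments are copied from the command above as Helm receives them after the shell has stripped the quotes; the lint rules and the names `parse_set`, `load_settings`, `dig` and `lint` are my own.

```python
"""Parse Helm --set expressions and lint the resulting GitLab chart values
for weak security settings (added example, not the chart's own code)."""
import re
from typing import Any, Dict, List


def _coerce(value: str) -> Any:
    """Mimic Helm's --set typing: true/false become bool, integers become int."""
    if value == "true":
        return True
    if value == "false":
        return False
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_set(expr: str) -> Dict[str, Any]:
    """Parse one --set expression such as "a.b=1,c=x\\,y,d={p,q}" into a nested dict.

    A backslash escapes the next character, so "\\." inside a key segment and
    "\\," inside a value are literal; "{...}" produces a list.
    """
    result: Dict[str, Any] = {}
    i, n = 0, len(expr)
    while i < n:
        segments: List[str] = []
        buf: List[str] = []
        while i < n and expr[i] != "=":          # key path up to '='
            if expr[i] == "\\" and i + 1 < n:
                buf.append(expr[i + 1])
                i += 2
                continue
            if expr[i] == ".":
                segments.append("".join(buf))
                buf = []
            else:
                buf.append(expr[i])
            i += 1
        segments.append("".join(buf))
        i += 1                                    # skip '='
        value: Any
        if i < n and expr[i] == "{":               # list value
            end = expr.index("}", i)
            value = [_coerce(v) for v in expr[i + 1:end].split(",") if v]
            i = end + 1
        else:                                     # scalar value up to an unescaped ','
            buf = []
            while i < n and expr[i] != ",":
                if expr[i] == "\\" and i + 1 < n:
                    buf.append(expr[i + 1])
                    i += 2
                    continue
                buf.append(expr[i])
                i += 1
            value = _coerce("".join(buf))
        if i < n and expr[i] == ",":
            i += 1
        node = result
        for seg in segments[:-1]:
            node = node.setdefault(seg, {})
        node[segments[-1]] = value
    return result


def _deep_merge(dst: Dict[str, Any], src: Dict[str, Any]) -> None:
    for key, val in src.items():
        if isinstance(val, dict) and isinstance(dst.get(key), dict):
            _deep_merge(dst[key], val)
        else:
            dst[key] = val


def load_settings(settings: List[str]) -> Dict[str, Any]:
    """Merge a list of --set expressions (shell quoting already removed)."""
    merged: Dict[str, Any] = {}
    for expr in settings:
        _deep_merge(merged, parse_set(expr))
    return merged


def dig(node: Any, *path: str, default: Any = None) -> Any:
    """Walk a nested dict; return default when any key is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint(values: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for weak settings in the chart values."""
    findings: List[str] = []
    # GitLab treats a missing ldap 'encryption' key as 'plain'.
    for name, srv in (dig(values, "global", "appConfig", "ldap", "servers") or {}).items():
        if srv.get("encryption", "plain") == "plain":
            findings.append(
                f"ldap server '{name}': encryption=plain sends the bind password and "
                f"every user login in cleartext to {srv.get('host')}:{srv.get('port')}; "
                "use simple_tls or start_tls")
    smtp = dig(values, "global", "smtp") or {}
    if smtp.get("enabled") and not smtp.get("tls") and not smtp.get("starttls_auto"):
        findings.append("smtp: enabled without tls or starttls_auto; credentials travel in cleartext")
    if dig(values, "global", "hosts", "gitlab", "https") is False:
        findings.append("global.hosts.gitlab.https=false: GitLab URLs will be plain http")
    if (dig(values, "global", "ingress", "configureCertmanager") is False
            and not dig(values, "global", "ingress", "tls", "secretName")):
        findings.append("ingress: cert-manager disabled and no global.ingress.tls.secretName; no certificate will be served")
    return findings


# Copied from the helm command above, as Helm sees them after shell quoting is
# removed (the backslashes inside the single-quoted values survive).
PAGE_SETTINGS = [
    "global.hosts.gitlab.name=git-test-xcw.cici.com",
    "global.hosts.gitlab.https=true",
    r"nginx-ingress.controller.service.annotations.service\.kubernetes\.io\/qcloud-loadbalancer-internal-subnetid=subnet-fubxophz",
    "postgresql.persistence.accessModes={ReadWriteMany}",
    "certmanager.install=false",
    "global.ingress.configureCertmanager=false",
    "global.ingress.tls.secretName=cici-com",
    "global.smtp.enabled=true",
    "global.smtp.tls=true",
    "global.smtp.port=456",
    "global.appConfig.ldap.servers.main.host=ldap.cici.com",
    "global.appConfig.ldap.servers.main.port=389",
    r"global.appConfig.ldap.servers.main.bind_dn=cn=gitlab_admin\,ou=sys_admins\,dc=cici\,dc=com",
    "global.appConfig.ldap.servers.main.encryption=plain",
]

if __name__ == "__main__":
    for finding in lint(load_settings(PAGE_SETTINGS)):
        print(finding)
```

Running it against the page's settings reports one finding, the `encryption='plain'` LDAP bind over port 389; switching that one value to `start_tls` clears the report. The same function can be pointed at the output of `helm get values` once the values are loaded into a dict.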
3k users
If the 3k-user cluster is enabled, Praefect cannot run as deployed; see the follow-up steps below.
Praefect chart (alpha)
Create the PostgreSQL database `praefect` that Praefect connects to:
```bash
# 1. log in to the database instance
kubectl -n gitlab-test-xcw exec -it $(kubectl -n gitlab-test-xcw get pods -l app=postgresql -o custom-columns=NAME:.metadata.name --no-headers) -- bash
PGPASSWORD=$(cat $POSTGRES_POSTGRES_PASSWORD_FILE) psql -U postgres -d template1
# 2. create the database user
CREATE ROLE praefect WITH LOGIN;
# 3. set the database user's password
# fetch the password the chart generated
kubectl -n gitlab-test-xcw get secret gitlab-test-xcw-praefect-dbsecret -o jsonpath="{.data.secret}" | base64 --decode
# set the password at the psql prompt
\password praefect
# 4. create the database
CREATE DATABASE praefect WITH OWNER praefect;
```
Uninstall
```bash
helm uninstall -n gitlab-test-xcw gitlab-test-xcw
cat <<\EOF> delete_gitlab_secrets.sh
#!/bin/bash
NS=gitlab-test-xcw
RELEASE_NAME=gitlab-test-xcw
kubectl -n $NS delete secrets \
  gitlab-rails-storage \
  gitlab-registry \
  task-runenr-s3-config \
  gitlab-test-pg \
  gitlab-test-redis \
  gitlab-test-ldap \
  gitlab-test-smtp \
  cici-com \
  gitlab-artifacts \
  gitlab-lfs \
  gitlab-packages \
  gitlab-uploads \
  gitlab-pseudonymizer \
  `#created automatically by the chart` \
  ${RELEASE_NAME}-gitaly-secret \
  ${RELEASE_NAME}-gitlab-initial-root-password \
  ${RELEASE_NAME}-gitlab-runner-secret \
  ${RELEASE_NAME}-gitlab-shell-host-keys \
  ${RELEASE_NAME}-gitlab-shell-secret \
  ${RELEASE_NAME}-gitlab-workhorse-secret \
  ${RELEASE_NAME}-rails-secret \
  ${RELEASE_NAME}-registry-httpsecret \
  ${RELEASE_NAME}-registry-notification \
  ${RELEASE_NAME}-registry-secret \
  ${RELEASE_NAME}-postgresql-password \
  ${RELEASE_NAME}-redis-secret
kubectl -n $NS delete cm ingress-controller-leader-gitlab-test-xcw-nginx
echo "delete secrets Complete"
echo "请求查看对应PVPVC绑定情况,可删除"
kubectl get pv |grep test-xcw
kubectl -n gitlab-test-xcw get pvc
kubectl get sc |grep gitlab
EOF
```
Cracking the license
- Prepare the file license.rb
Copy it straight out of the Docker image and modify it, e.g.:
```bash
docker pull registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v14.2.1
docker run --rm -d --name temp registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v14.2.1 sleep 10
docker cp temp:/srv/gitlab/ee/app/models/license.rb .
```
Add an expiry date in license.rb:
```ruby
def license
  return unless self.data

  @license ||= begin
    Gitlab::License.import(self.data)
  rescue Gitlab::License::ImportError
    nil
  end
  #-----add
  if @license
    @license.expires_at = Date.new(2028,12,16)
    @license.notify_admins_at = Date.new(2028,12,16)
    @license.notify_users_at = Date.new(2028,12,16)
    @license.restrictions[:active_user_count] = 5000
    @license.restrictions[:add_ons][:GitLab_Geo] = 5000
    @license.restrictions[:add_ons][:GitLab_FileLocks] = 5000
    @license.restrictions[:add_ons][:GitLab_ServiceDesk] = 5000
    @license.restrictions[:add_ons][:GitLab_DeployBoard] = 5000
    @license.restrictions[:add_ons][:GitLab_Auditor_User] = 5000
  end
  @license
  #-----
end
```
- Prepare the file files_denylist.yml
The `(pem|key)` rule is commented out, which allows `.pem` and `.key` files to be pushed to GitLab.
In earlier versions the file was named files_blacklist.yml (<=4.0.12).
```bash
docker pull registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v14.2.1
docker run --rm -d --name temp registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v14.2.1 sleep 10
docker cp temp:/srv/gitlab/ee/lib/gitlab/checks/files_denylist.yml .
cat <<\EOF> files_denylist.yml
- aws\/credentials$
# RSA DSA ECSDA and ED25519 SSH keys
- (ssh|config)\/(personal|server)_(rsa|dsa|ed\d+|ecdsa)
- id_rsa$
- id_dsa$
- id_ed25519$
- id_ecdsa$
# privatekey.pem and secret.key
# - \.(pem|key)$
# files ending in .history or _history
- "[._]history$"
- ".DS_Store"
EOF
```
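The denylist is the push rule that keeps private keys and credential files out of repositories, so it is worth seeing exactly what each version of the list stops before relaxing it. As an added example, not code from the page or from GitLab, the Python below applies the patterns from the file above to a constructed set of pushed paths and compares the original list with the edited one that drops the `(pem|key)` rule. It assumes GitLab evaluates each entry as a regular expression searched against the full file path, which is what the `$`-anchored patterns in the file imply; the helper names and the sample paths are my own.

```python
"""Apply GitLab's file-name denylist patterns to pushed paths (added example)."""
import re
from typing import Dict, List, Optional

# Patterns copied from files_denylist.yml above, with the private-key rule
# restored. Assumption: each pattern is searched (not fully matched) against
# the full path of every file in the push.
DENYLIST_FULL: List[str] = [
    r"aws\/credentials$",
    r"(ssh|config)\/(personal|server)_(rsa|dsa|ed\d+|ecdsa)",   # SSH keys
    r"id_rsa$",
    r"id_dsa$",
    r"id_ed25519$",
    r"id_ecdsa$",
    r"\.(pem|key)$",                                            # privatekey.pem, secret.key
    r"[._]history$",                                            # shell history files
    r".DS_Store",
]

# The edited list on the page drops the (pem|key) rule.
DENYLIST_EDITED: List[str] = [p for p in DENYLIST_FULL if p != r"\.(pem|key)$"]


def first_match(path: str, patterns: List[str]) -> Optional[str]:
    """Return the first pattern that matches the path, or None if it is allowed."""
    for pattern in patterns:
        if re.search(pattern, path):
            return pattern
    return None


def denied_paths(paths: List[str], patterns: List[str]) -> Dict[str, str]:
    """Map each rejected path to the denylist pattern that rejected it."""
    hits: Dict[str, str] = {}
    for path in paths:
        pattern = first_match(path, patterns)
        if pattern is not None:
            hits[path] = pattern
    return hits


# Constructed sample push; these paths are not from the page.
SAMPLE_PUSH = [
    "README.md",
    "src/main.py",
    ".aws/credentials",
    "deploy/id_rsa",
    "config/ssh/server_ed25519",
    "certs/server.key",
    "certs/ca.pem",
    ".bash_history",
    "docs/.DS_Store",
]


def compare_lists() -> Dict[str, List[str]]:
    """Show which sample paths only the unedited denylist stops."""
    full = denied_paths(SAMPLE_PUSH, DENYLIST_FULL)
    edited = denied_paths(SAMPLE_PUSH, DENYLIST_EDITED)
    return {
        "denied_by_both": sorted(set(full) & set(edited)),
        "only_denied_by_full": sorted(set(full) - set(edited)),
    }


if __name__ == "__main__":
    for path, pattern in denied_paths(SAMPLE_PUSH, DENYLIST_FULL).items():
        print(f"{path:30} rejected by {pattern}")
    print(compare_lists())
```

With the edited list, `certs/server.key` and `certs/ca.pem` pass the push check while every SSH key, AWS credential file and shell history file is still rejected; that is the precise scope of what the commented-out rule gives up.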
- Generate the license with Ruby
Generate it once; it can be reused afterwards.
```bash
cat <<\EOF> l.rb
require 'openssl'
require 'gitlab/license'

key_pair = OpenSSL::PKey::RSA.generate(2048)
File.open("license_key", "w") { |f| f.write(key_pair.to_pem) }
public_key = key_pair.public_key
File.open("license_key.pub", "w") { |f| f.write(public_key.to_pem) }

private_key = OpenSSL::PKey::RSA.new File.read("license_key")
Gitlab::License.encryption_key = private_key

license = Gitlab::License.new
license.licensee = {
  "Name" => "none",
  "Company" => "none",
  "Email" => "[email protected]"
}
license.starts_at = Date.new(2021, 1, 1)
license.restrictions = {
  plan: 'ultimate'
}
puts "License:"
puts license

data = license.export
puts "Exported license:"
puts data
File.open("GitLabBV.gitlab-license", "w") { |f| f.write(data) }

public_key = OpenSSL::PKey::RSA.new File.read("license_key.pub")
Gitlab::License.encryption_key = public_key
data = File.read("GitLabBV.gitlab-license")
$license = Gitlab::License.import(data)
puts "Imported license:"
puts $license

unless $license
  raise "The license is invalid."
end

if $license.restricted?(:active_user_count)
  active_user_count = User.active.count
  if active_user_count > $license.restrictions[:active_user_count]
    raise "The active user count exceeds the allowed amount!"
  end
end

if $license.notify_admins?
  puts "The license is due to expire on #{$license.expires_at}."
end

if $license.notify_users?
  puts "The license is due to expire on #{$license.expires_at}."
end

module Gitlab
  class GitAccess
    def check(cmd, changes = nil)
      if $license.block_changes?
        return build_status_object(false, "License expired")
      end
    end
  end
end

puts "This instance of GitLab Enterprise Edition is licensed to:"
$license.licensee.each do |key, value|
  puts "#{key}: #{value}"
end

if $license.expired?
  puts "The license expired on #{$license.expires_at}"
elsif $license.will_expire?
  puts "The license will expire on #{$license.expires_at}"
else
  puts "The license will never expire."
end
EOF
```
docker-compose
```bash
cat <<\EOF> docker-compose.yml
version: '3'
services:
  ruby:
    image: 'ruby:latest'
    hostname: ruby
    command: bash -c "cd /root/test && gem install gitlab-license && rm GitLabBV.gitlab-license license_key license_key.pub && ruby license.rb"
    volumes:
      - './:/root/test:Z'
EOF
```
Three files are generated in the script directory:
- license_key: the private key
- license_key.pub: the public key; it replaces /opt/gitlab/embedded/service/gitlab-rails/.license_encryption_key.pub
- GitLabBV.gitlab-license: the license file
Import the license:
- Log in to the GitLab admin area, Admin -> License (/admin/license), and import GitLabBV.gitlab-license
- Building the images
Images that need to be patched:
- registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v14.2.1
- registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v14.2.1
- registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v14.2.1
- Dockerfiles
```bash
#task-runner
cat <<\EOF> task-runner-Dockerfile
FROM registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ee:v14.2.1
#FROM docker.cici.com/library/gitlab/gitlab-toolbox-ee:v14.2.1
#COPY ./license.rb /srv/gitlab/ee/app/models/license.rb
COPY ./license_key.pub /srv/gitlab/.license_encryption_key.pub
COPY ./files_denylist.yml /srv/gitlab/ee/lib/gitlab/checks/files_denylist.yml
EOF

#sidekiq
cat <<\EOF> sidekiq-Dockerfile
FROM registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ee:v14.2.1
#FROM docker.cici.com/library/gitlab/gitlab-sidekiq-ee:v14.2.1
#COPY ./license.rb /srv/gitlab/ee/app/models/license.rb
COPY ./license_key.pub /srv/gitlab/.license_encryption_key.pub
COPY ./files_denylist.yml /srv/gitlab/ee/lib/gitlab/checks/files_denylist.yml
EOF

#webservice
cat <<\EOF> webservice-Dockerfile
FROM registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ee:v14.2.1
#FROM docker.cici.com/library/gitlab/gitlab-webservice-ee:v14.2.1
#COPY ./license.rb /srv/gitlab/ee/app/models/license.rb
COPY ./license_key.pub /srv/gitlab/.license_encryption_key.pub
COPY ./files_denylist.yml /srv/gitlab/ee/lib/gitlab/checks/files_denylist.yml
EOF
```
- Build the images
```bash
cat <<\EOF> build.sh
#!/bin/bash
docker build -t docker.cici.com/library/gitlab/$1 -f $2 .
docker push docker.cici.com/library/gitlab/$1
EOF
#Task-runner
bash build.sh gitlab-toolbox-ee:v14.2.1-x1 task-runner-Dockerfile
#Sidekiq
bash build.sh gitlab-sidekiq-ee:v14.2.1-x1 sidekiq-Dockerfile
#webservice
bash build.sh gitlab-webservice-ee:v14.2.1-x1 webservice-Dockerfile
```
GitLab 12.3.1-ee with Helm 2.17.0 (pod tiller-deploy, clusterrolebinding helm):
```bash
helm upgrade --install gitlab-test-xcw gitlab/gitlab \
  --timeout 600s \
  --set global.hosts.domain=gitlab-test-xcw.cici.com \
  --set global.hosts.externalIP=10.22.0.128 \
  --set [email protected] \
  --version=2.3.2 \
  -n gitlab-test-xcw --dry-run
```
Deployment script
Download the matching version of the GitLab chart locally and write the deployment parameters that differ into a separate file, so they are easy to adjust later.
```bash
helm get values -n gitlab-test-xcw gitlab-test-xcw >customize_conf/values-test.yaml
```
Deploy
```bash
cat <<\EOF> deploy-gitlab-test.sh
helm upgrade --install -n gitlab-test-xcw gitlab-test-xcw gitlab/gitlab \
  --timeout 600s \
  --version=5.2.1 \
  --dry-run \
  -f customize_conf/values-test.yaml \
  --set global.hosts.gitlab.name='git-test-xcw.cici.com' \
  `#-- external postgresql --` \
  `#--set postgresql.install=false` \
  `#--set global.psql.host=production.postgress.hostname.local` \
  `#--set global.psql.password.secret=gitlab-test-pg` \
  `#--set global.psql.password.key='password'` \
  `#-- external redis --` \
  `#--set redis.enabled=false` \
  `#--set global.redis.host='redis.example.com'` \
  `#--set global.redis.password.secret=gitlab-test-redis` \
  `#--set global.redis.password.key='password'` \
  --set gitlab.migrations.enabled=true
EOF
```
Performance testing
Prepare the data environment
The test data is split into vertical and horizontal parts:
- Vertical: one or more large projects; by default the GitLab FOSS project gitlabhq.
- Horizontal: a large number of subgroups, each containing a large number of projects.
```bash
mkdir /data/gitlab-gpt/{results,config/{environments,projects}} -p
cd /data/gitlab-gpt/config/environments
cat <<\EOF> 10k.json
{
  "environment": {
    "name": "10k",
    "url": "https://git-test-xcw.cici.com",
    "user": "gpt-admin",
    "config": {
      "latency": "0"
    },
    "storage_nodes": ["default"]
  },
  "gpt_data": {
    "root_group": "gpt",
    "large_projects": {
      "group": "large_projects",
      "project": "gitlabhq"
    },
    "many_groups_and_projects": {
      "group": "many_groups_and_projects",
      "subgroups": 250,
      "subgroup_prefix": "gpt-subgroup-",
      "projects": 10,
      "project_prefix": "gpt-project-"
    }
  }
}
EOF
: <<eof
Usually only name, url, user and storage_nodes need to change:
name - the environment's name, used mainly in output and results
url - the environment's full URL, used by all tests and other areas
user - the user name prepared in the create-user step
storage_nodes - the repository storage array of the target GitLab environment
eof
# the large project is big; raise the ingress upload limit first
docker run --rm -it \
  -e ACCESS_TOKEN=MnLzZsfPNF-Bgtmomgsm \
  -v /data/gitlab-gpt/config:/config \
  -v /data/gitlab-gpt/results:/results \
  --add-host git-test-xcw.cici.com:10.22.0.207 \
  gitlab/gpt-data-generator \
  --environment 10k.json
#--no-horizontal   # skip importing the horizontal data
#--no-vertical     # skip importing the vertical data
# import a custom large project:
#docker run --rm -it -e ACCESS_TOKEN=MnLzZsfPNF-Bgtmomgsm -v /data/gitlab-gpt/config:/config -v /data/gitlab-gpt/results:/results --add-host git-test-xcw.cici.com:10.22.0.207 gitlab/gpt-data-generator --environment 10k.json --no-horizontal --large-project-tarball=/config/gitlabhq_export_13.0.0.tar.gz
```
Run the tests
Three types of test are provided:
- API: tests against API endpoints (RPS target: 100%)
- Git: tests against Git endpoints (RPS target: 10%)
- Web: tests against web page endpoints (RPS target: 10%)
```bash
:<<EOF
Option file by target environment user count:
1k  - 60s_20rps.json
2k  - 60s_40rps.json
3k  - 60s_60rps.json
5k  - 60s_100rps.json
10k - 60s_200rps.json
EOF
mkdir /data/gitlab-gpt/{results,tests,config/{environments,options,projects}} -p
cd /data/gitlab-gpt/
cat <<\EOF> config/options/60s_40rps.json
{
  "stages": [
    { "duration": "5s", "target": 40 },
    { "duration": "50s", "target": 40 },
    { "duration": "5s", "target": 0 }
  ],
  "rps": 40,
  "batchPerHost": 0
}
EOF
cat <<\EOF> config/options/60s_60rps.json
{
  "stages": [
    { "duration": "5s", "target": 60 },
    { "duration": "50s", "target": 60 },
    { "duration": "5s", "target": 0 }
  ],
  "rps": 60,
  "batchPerHost": 0
}
EOF
cat <<\EOF> tests/api_v4_projects_project.js
import http from "k6/http";
import { group } from "k6";
import { Rate } from "k6/metrics";
import { logError, getRpsThresholds, getTtfbThreshold, getLargeProjects, selectRandom } from "../../lib/gpt_k6_modules.js";

export let rpsThresholds = getRpsThresholds()
export let ttfbThreshold = getTtfbThreshold()
export let successRate = new Rate("successful_requests")
export let options = {
  thresholds: {
    "successful_requests": [`rate>${__ENV.SUCCESS_RATE_THRESHOLD}`],
    "http_req_waiting": [`p(90)<${ttfbThreshold}`],
    "http_reqs": [`count>=${rpsThresholds['count']}`]
  }
};

export let projects = getLargeProjects(['encoded_path']);

export function setup() {
  console.log('')
  console.log(`RPS Threshold: ${rpsThresholds['mean']}/s (${rpsThresholds['count']})`)
  console.log(`TTFB P90 Threshold: ${ttfbThreshold}ms`)
  console.log(`Success Rate Threshold: ${parseFloat(__ENV.SUCCESS_RATE_THRESHOLD)*100}%`)
}

export default function() {
  group("API - Project Overview", function() {
    let project = selectRandom(projects);
    let params = { headers: { "Accept": "application/json", "PRIVATE-TOKEN": `${__ENV.ACCESS_TOKEN}` } };
    let res = http.get(`${__ENV.ENVIRONMENT_URL}/api/v4/projects/${project['encoded_path']}`, params);
    /20(0|1)/.test(res.status) ? successRate.add(true) : (successRate.add(false), logError(res));
  });
}
EOF
# the full run takes a long time; add --tests to run a single test
docker run --rm -it \
  -e ACCESS_TOKEN=MnLzZsfPNF-Bgtmomgsm \
  -v /data/gitlab-gpt/config:/config \
  -v /data/gitlab-gpt/tests:/tests \
  -v /data/gitlab-gpt/results:/results \
  --add-host git-test-xcw.cici.com:10.22.0.207 \
  gitlab/gitlab-performance-tool \
  --environment 10k.json \
  --options 60s_40rps.json --tests api_v4_groups_projects.js
#3k users
docker run --rm -it \
  -e ACCESS_TOKEN=MnLzZsfPNF-Bgtmomgsm \
  -v /data/gitlab-gpt/config:/config \
  -v /data/gitlab-gpt/tests:/tests \
  -v /data/gitlab-gpt/results:/results \
  --add-host git-test-xcw.cici.com:10.22.0.207 \
  gitlab/gitlab-performance-tool \
  --environment 10k.json \
  --options 60s_60rps.json
```
Performance test results
The default cloud-native deployment is sized, at minimum, for the 2k-user performance evaluation, and some of its components are single points of failure. From the 3k-user sizing onward the deployment is highly available with no single point of failure.
| service | nodes (2k) | nodes (3k) | nodes (now) | spec (2k) | spec (3k) | replicas (3k) | replicas (now) | hpa |
|---|---|---|---|---|---|---|---|---|
| Webservice | 3 | 2 | 6 | 3C7.2G | 16C14.4G | 4 pods, 4 workers/pod | 6 pods, 2 workers/pod | 10 |
| Sidekiq | 2 | 3 | 4 | 2C7.5G | 4C15G | 3 | 4 | 10 |
| nginx | 2 | 2 | 3 | 1C3.75G | 2C7.5G | 3 | 3 | |
| PostgreSQL | 1 | 3 | external | 2C7.5G | 2C7.5G | 3 | TX | |
| Redis | 1 | 3 | external | 1C3.75G | 2C7.5G | 3 | TX | |
| Gitaly | 1 | 3 | 1 | 4C15G | 4C15G | 3 | 1 | |
| Object storage | n/a | n/a | TX-COS | n/a | n/a | n/a | TX | |
- Test output
Output explained:
First come statistics about the environment, the test and the GPT version. Next is the overall result score for the environment; a well-performing environment should normally score above 90%. After the score comes the main results table, one row per test run, with the following columns:
- NAME: the name of the test run, matching the test file name in the tests folder.
- RPS: the RPS target used during the test.
- RPS RESULT: the RPS achieved, together with its pass threshold.
- TTFB AVG: average time to first byte (TTFB) in milliseconds.
- TTFB P90: the 90th percentile of TTFB and its pass threshold.
- REQ STATUS: the percentage of requests that returned a success status (HTTP 200 / 201) and its pass threshold.
- RESULT: the final result of the test based on the thresholds.
Finally, depending on the results, the output ends with some optional informational notes summarising the run.
Output: 2k-user case, 40 requests/s for 60 seconds
```text
* Environment: 10k
* Environment Version: 14.2.1-ee `018e6242bd5`
* Option: 60s_40rps
* Date: 2021-08-31
* Run Time: 1h 12m 25.77s (Start: 02:50:49 UTC, End: 04:03:14 UTC)
* GPT Version: v2.8.0

Overall Results Score: 98.85%

NAME RPS RPS RESULT TTFB AVG TTFB P90 REQ STATUS RESULT
api_v4_groups 40/s 39.77/s (>32.00/s) 72.94ms 86.81ms (<500ms) 100.00% (>99%) Passed
api_v4_groups_group 40/s 32.87/s (>3.20/s) 1075.29ms 1453.04ms (<7500ms) 100.00% (>99%) Passed
api_v4_groups_group_subgroups 40/s 39.74/s (>32.00/s) 83.29ms 96.44ms (<500ms) 100.00% (>99%) Passed
api_v4_groups_issues 40/s 39.22/s (>9.60/s) 241.84ms 280.66ms (<3500ms) 100.00% (>99%) Passed
api_v4_groups_merge_requests 40/s 39.2/s (>9.60/s) 225.06ms 265.36ms (<3500ms) 100.00% (>99%) Passed
api_v4_groups_projects 40/s 38.73/s (>16.00/s) 387.26ms 592.31ms (<3500ms) 100.00% (>99%) Passed
api_v4_projects 40/s 27.02/s (>4.80/s) 1313.96ms 2025.90ms (<7000ms) 99.81% (>99%) Passed
api_v4_projects_deploy_keys 40/s 39.88/s (>32.00/s) 51.42ms 62.10ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_issues 40/s 39.48/s (>32.00/s) 167.83ms 190.70ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_issues_issue 40/s 39.44/s (>32.00/s) 180.38ms 218.84ms (<1500ms) 100.00% (>99%) Passed
api_v4_projects_issues_search 40/s 39.04/s (>4.80/s) 261.99ms 368.66ms (<12000ms) 100.00% (>99%) Passed
api_v4_projects_languages 40/s 39.89/s (>32.00/s) 48.10ms 56.08ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_merge_requests 40/s 39.36/s (>32.00/s) 155.13ms 181.33ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_merge_requests_merge_request 40/s 39.43/s (>16.00/s) 216.78ms 279.00ms (<2750ms) 100.00% (>99%) Passed
api_v4_projects_merge_requests_merge_request_changes 40/s 36.04/s (>16.00/s) 935.58ms 1392.85ms (<3500ms) 100.00% (>99%) Passed
api_v4_projects_merge_requests_merge_request_commits 40/s 39.74/s (>32.00/s) 70.32ms 84.07ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_merge_requests_merge_request_discussions 40/s 39.49/s (>32.00/s) 145.58ms 180.19ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_project 40/s 39.69/s (>32.00/s) 122.40ms 152.55ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_project_pipelines 40/s 39.82/s (>32.00/s) 63.29ms 77.12ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_project_pipelines_pipeline 40/s 39.68/s (>32.00/s) 77.16ms 97.31ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_project_services 40/s 39.91/s (>32.00/s) 45.74ms 51.68ms (<500ms) 99.12% (>99%) Passed
api_v4_projects_releases 40/s 39.68/s (>32.00/s) 79.28ms 95.06ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_branches 40/s 39.69/s (>32.00/s) 49.57ms 56.89ms (<500ms) 99.58% (>99%) Passed
api_v4_projects_repository_branches_branch 40/s 39.81/s (>32.00/s) 80.35ms 95.04ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_branches_search 40/s 39.65/s (>9.60/s) 46.20ms 50.55ms (<6000ms) 100.00% (>99%) Passed
api_v4_projects_repository_commits 40/s 39.79/s (>32.00/s) 73.83ms 85.78ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_commits_commit 40/s 39.83/s (>32.00/s) 64.10ms 72.95ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_commits_commit_diff 40/s 39.63/s (>32.00/s) 121.59ms 140.03ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_compare 40/s 39.56/s (>3.20/s) 59.82ms 71.01ms (<8000ms) 100.00% (>99%) Passed
api_v4_projects_repository_files_file 40/s 39.68/s (>32.00/s) 125.64ms 205.37ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_files_file_blame 40/s 4.17/s (>0.32/s) 8426.11ms 11272.54ms (<35000ms) 100.00% (>99%) Passed
api_v4_projects_repository_files_file_raw 40/s 39.77/s (>32.00/s) 86.64ms 109.73ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_tags 40/s 12.43/s (>6.40/s) 2959.33ms 3836.65ms (<10000ms) 100.00% (>99%) Passed
api_v4_projects_repository_tree 40/s 39.69/s (>32.00/s) 100.75ms 117.95ms (<500ms) 100.00% (>99%) Passed
api_v4_user 40/s 39.83/s (>32.00/s) 44.66ms 50.18ms (<500ms) 100.00% (>99%) Passed
api_v4_users 40/s 39.66/s (>32.00/s) 105.30ms 134.00ms (<500ms) 100.00% (>99%) Passed
git_ls_remote 4/s 4.01/s (>3.20/s) 54.07ms 61.20ms (<500ms) 100.00% (>99%) Passed
git_pull 4/s 3.99/s (>3.20/s) 71.51ms 88.70ms (<500ms) 100.00% (>99%) Passed
web_group 4/s 4.01/s (>3.20/s) 135.83ms 183.69ms (<500ms) 100.00% (>99%) Passed
web_group_issues 4/s 3.91/s (>3.20/s) 306.77ms 335.46ms (<500ms) 100.00% (>99%) Passed
web_group_merge_requests 4/s 3.96/s (>3.20/s) 286.81ms 324.81ms (<500ms) 100.00% (>99%) Passed
web_project 4/s 3.98/s (>3.20/s) 252.23ms 299.84ms (<500ms) 100.00% (>99%) Passed
web_project_branches 4/s 3.89/s (>3.20/s) 369.64ms 416.38ms (<800ms) 100.00% (>99%) Passed
web_project_branches_search 4/s 3.75/s (>3.20/s) 725.64ms 788.16ms (<1300ms) 100.00% (>99%) Passed
web_project_commit 4/s 3.34/s (>0.64/s) 1023.11ms 3192.27ms (<10000ms) 100.00% (>99%) Passed
web_project_commits 4/s 3.83/s (>3.20/s) 417.67ms 459.98ms (<750ms) 100.00% (>99%) Passed
web_project_file_blame 4/s 1.16/s (>0.03/s) 2848.92ms 3632.63ms (<7000ms) 100.00% (>99%) Passed
web_project_file_rendered 4/s 3.87/s (>2.56/s) 556.67ms 1401.66ms (<1500ms) 100.00% (>99%) FAILED
web_project_file_source 4/s 3.79/s (>0.32/s) 602.75ms 951.71ms (<1700ms) 100.00% (>99%) Passed
web_project_files 4/s 3.96/s (>3.20/s) 171.19ms 229.41ms (<800ms) 100.00% (>99%) Passed
web_project_issue 4/s 3.93/s (>3.20/s) 306.58ms 753.12ms (<2000ms) 100.00% (>99%) Passed
web_project_issues 4/s 3.95/s (>3.20/s) 274.76ms 309.11ms (<500ms) 100.00% (>99%) Passed
web_project_issues_search 4/s 3.98/s (>3.20/s) 282.06ms 323.16ms (<500ms) 100.00% (>99%) Passed
web_project_merge_request 4/s 3.22/s (>1.28/s) 1837.29ms 4669.98ms (<7500ms) 100.00% (>99%) Passed
web_project_merge_request_changes 4/s 3.83/s (>3.20/s) 422.94ms 689.98ms (<1500ms) 100.00% (>99%) Passed
web_project_merge_request_commits 4/s 3.71/s (>1.92/s) 619.33ms 722.99ms (<1750ms) 100.00% (>99%) Passed
web_project_merge_requests 4/s 3.98/s (>3.20/s) 276.73ms 314.99ms (<500ms) 100.00% (>99%) Passed
web_project_pipelines 4/s 3.96/s (>1.92/s) 297.46ms 428.77ms (<1000ms) 100.00% (>99%) Passed
web_project_pipelines_pipeline 4/s 3.96/s (>3.20/s) 500.62ms 1012.73ms (<2500ms) 100.00% (>99%) Passed
web_project_repository_compare 4/s 0.84/s (>0.16/s) 4439.88ms 5183.79ms (<7500ms) 100.00% (>99%) Passed
web_project_tags 4/s 3.75/s (>2.56/s) 708.61ms 783.40ms (<1500ms) 100.00% (>99%) Passed
web_user 4/s 4.0/s (>1.92/s) 173.82ms 265.93ms (<4000ms) 100.00% (>99%) Passed
```
Output: 3k-user case, 60 requests/s for 60 seconds
* Environment: 10k * Environment Version: 14.2.1-ee `018e6242bd5` * Option: 60s_60rps * Date: 2021-08-31 * Run Time: 1h 12m 35.66s (Start: 06:32:26 UTC, End: 07:45:01 UTC) * GPT Version: v2.8.0 Overall Results Score: 98.67%
NAME RPS RPS RESULT TTFB AVG TTFB P90 REQ STATUS RESULT api_v4_groups 60/s 59.48/s (>48.00/s) 196.27ms 351.89ms (<500ms) 100.00% (>99%) Passed api_v4_groups_group 60/s 12.89/s (>4.80/s) 4241.66ms 6280.03ms (<7500ms) 100.00% (>99%) Passed api_v4_groups_group_subgroups 60/s 59.51/s (>48.00/s) 115.17ms 165.60ms (<500ms) 100.00% (>99%) Passed api_v4_groups_issues 60/s 54.75/s (>14.40/s) 955.93ms 1197.23ms (<3500ms) 100.00% (>99%) Passed api_v4_groups_merge_requests 60/s 57.91/s (>14.40/s) 676.09ms 984.77ms (<3500ms) 100.00% (>99%) Passed api_v4_groups_projects 60/s 50.65/s (>24.00/s) 1040.49ms 1621.93ms (<3500ms) 100.00% (>99%) Passed api_v4_projects 60/s 23.44/s (>7.20/s) 2340.33ms 3362.55ms (<7000ms) 100.00% (>99%) Passed api_v4_projects_deploy_keys 60/s 59.78/s (>48.00/s) 53.79ms 65.42ms (<500ms) 100.00% (>99%) Passed api_v4_projects_issues 60/s 58.93/s (>48.00/s) 187.38ms 237.11ms (<500ms) 100.00% (>99%) Passed api_v4_projects_issues_issue 60/s 58.59/s (>48.00/s) 204.43ms 266.81ms (<1500ms) 99.88% (>99%) Passed api_v4_projects_issues_search 60/s 58.52/s (>7.20/s) 295.56ms 411.93ms (<12000ms) 100.00% (>99%) Passed api_v4_projects_languages 60/s 59.75/s (>48.00/s) 51.46ms 60.84ms (<500ms) 100.00% (>99%) Passed api_v4_projects_merge_requests 60/s 59.07/s (>48.00/s) 177.71ms 225.57ms (<500ms) 100.00% (>99%) Passed api_v4_projects_merge_requests_merge_request 60/s 58.82/s (>24.00/s) 262.37ms 397.07ms (<2750ms) 100.00% (>99%) Passed api_v4_projects_merge_requests_merge_request_changes 60/s 52.88/s (>24.00/s) 963.39ms 1540.11ms (<3500ms) 94.81% (>99%) FAILED api_v4_projects_merge_requests_merge_request_commits 60/s 59.6/s (>48.00/s) 77.44ms 93.66ms (<500ms) 100.00% (>99%) Passed api_v4_projects_merge_requests_merge_request_discussions 60/s 59.16/s (>48.00/s) 156.24ms 197.77ms (<500ms) 100.00% (>99%) Passed api_v4_projects_project 60/s 59.32/s (>48.00/s) 122.09ms 149.43ms (<500ms) 100.00% (>99%) Passed api_v4_projects_project_pipelines 60/s 59.74/s (>48.00/s) 63.12ms 
73.93ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_project_pipelines_pipeline 60/s 59.49/s (>48.00/s) 77.71ms 95.56ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_project_services 60/s 59.78/s (>48.00/s) 51.16ms 60.73ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_releases 60/s 59.53/s (>48.00/s) 79.78ms 111.13ms (<500ms) 89.65% (>99%) FAILED
api_v4_projects_repository_branches 60/s 59.54/s (>48.00/s) 52.88ms 63.13ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_branches_branch 60/s 59.65/s (>48.00/s) 86.54ms 110.07ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_branches_search 60/s 59.54/s (>14.40/s) 54.37ms 64.79ms (<6000ms) 100.00% (>99%) Passed
api_v4_projects_repository_commits 60/s 59.32/s (>48.00/s) 82.66ms 103.07ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_commits_commit 60/s 59.69/s (>48.00/s) 68.67ms 79.86ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_commits_commit_diff 60/s 59.43/s (>48.00/s) 131.34ms 156.27ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_compare 60/s 59.19/s (>4.80/s) 64.70ms 76.06ms (<8000ms) 100.00% (>99%) Passed
api_v4_projects_repository_files_file 60/s 59.38/s (>48.00/s) 136.53ms 179.17ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_files_file_blame 60/s 8.11/s (>0.48/s) 6544.49ms 8564.36ms (<35000ms) 100.00% (>99%) Passed
api_v4_projects_repository_files_file_raw 60/s 59.63/s (>48.00/s) 86.77ms 108.45ms (<500ms) 100.00% (>99%) Passed
api_v4_projects_repository_tags 60/s 35.86/s (>9.60/s) 1501.96ms 2341.98ms (<10000ms) 100.00% (>99%) Passed
api_v4_projects_repository_tree 60/s 59.56/s (>48.00/s) 105.67ms 130.88ms (<500ms) 100.00% (>99%) Passed
api_v4_user 60/s 59.71/s (>48.00/s) 43.68ms 52.09ms (<500ms) 100.00% (>99%) Passed
api_v4_users 60/s 59.5/s (>48.00/s) 107.09ms 137.20ms (<500ms) 100.00% (>99%) Passed
git_ls_remote 6/s 6.01/s (>4.80/s) 66.97ms 79.01ms (<500ms) 100.00% (>99%) Passed
git_pull 6/s 6.01/s (>4.80/s) 70.12ms 83.64ms (<500ms) 100.00% (>99%) Passed
web_group 6/s 5.97/s (>4.80/s) 153.34ms 197.28ms (<500ms) 99.16% (>99%) Passed
web_group_issues 6/s 5.76/s (>4.80/s) 321.23ms 356.40ms (<500ms) 100.00% (>99%) Passed
web_group_merge_requests 6/s 5.83/s (>4.80/s) 271.90ms 313.86ms (<500ms) 100.00% (>99%) Passed
web_project 6/s 5.94/s (>4.80/s) 255.85ms 290.56ms (<500ms) 100.00% (>99%) Passed
web_project_branches 6/s 5.85/s (>4.80/s) 384.70ms 460.07ms (<800ms) 100.00% (>99%) Passed
web_project_branches_search 6/s 4.77/s (>4.80/s) 1031.66ms 1430.82ms (<1300ms) 100.00% (>99%) FAILED
web_project_commit 6/s 5.54/s (>0.96/s) 804.76ms 2066.71ms (<10000ms) 100.00% (>99%) Passed
web_project_commits 6/s 5.77/s (>4.80/s) 412.15ms 485.07ms (<750ms) 100.00% (>99%) Passed
web_project_file_blame 6/s 1.81/s (>0.05/s) 2767.15ms 3354.83ms (<7000ms) 100.00% (>99%) Passed
web_project_file_rendered 6/s 5.79/s (>3.84/s) 568.17ms 1160.80ms (<1500ms) 100.00% (>99%) Passed
web_project_file_source 6/s 5.67/s (>0.48/s) 630.89ms 1112.25ms (<1700ms) 100.00% (>99%) Passed
web_project_files 6/s 5.89/s (>4.80/s) 170.16ms 233.29ms (<800ms) 100.00% (>99%) Passed
web_project_issue 6/s 5.89/s (>4.80/s) 293.45ms 742.88ms (<2000ms) 100.00% (>99%) Passed
web_project_issues 6/s 5.84/s (>4.80/s) 279.11ms 307.90ms (<500ms) 100.00% (>99%) Passed
web_project_issues_search 6/s 5.9/s (>4.80/s) 280.01ms 318.71ms (<500ms) 100.00% (>99%) Passed
web_project_merge_request 6/s 5.26/s (>1.92/s) 1143.74ms 4119.07ms (<7500ms) 100.00% (>99%) Passed
web_project_merge_request_changes 6/s 5.78/s (>4.80/s) 397.73ms 680.55ms (<1500ms) 100.00% (>99%) Passed
web_project_merge_request_commits 6/s 5.68/s (>2.88/s) 652.54ms 919.78ms (<1750ms) 100.00% (>99%) Passed
web_project_merge_requests 6/s 5.91/s (>4.80/s) 265.21ms 307.71ms (<500ms) 100.00% (>99%) Passed
web_project_pipelines 6/s 5.9/s (>2.88/s) 314.51ms 469.81ms (<1000ms) 100.00% (>99%) Passed
web_project_pipelines_pipeline 6/s 5.94/s (>4.80/s) 549.83ms 1138.55ms (<2500ms) 100.00% (>99%) Passed
web_project_repository_compare 6/s 1.17/s (>0.24/s) 4492.35ms 5205.89ms (<7500ms) 100.00% (>99%) Passed
web_project_tags 6/s 5.56/s (>3.84/s) 758.64ms 901.92ms (<1500ms) 100.00% (>99%) Passed
web_user 6/s 5.97/s (>2.88/s) 193.58ms 310.01ms (<4000ms) 100.00% (>99%) Passed
#+end_src
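As an added example (not part of the original page or of the GitLab Performance Tool), a small Python checker that parses result rows in the format above and reports which of the three thresholds (achieved RPS floor, TTFB p90 ceiling, success-rate floor) each FAILED test missed. The sample rows are copied from the run above and embedded inline as test data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Rows in the GPT summary format shown above: NAME, target RPS, achieved RPS (>floor),
# TTFB avg, TTFB p90 (<ceiling), success rate (>floor), verdict. Constructed inline test data.
SAMPLE_RESULTS = """\
api_v4_projects_releases 60/s 59.53/s (>48.00/s) 79.78ms 111.13ms (<500ms) 89.65% (>99%) FAILED
api_v4_projects_repository_tags 60/s 35.86/s (>9.60/s) 1501.96ms 2341.98ms (<10000ms) 100.00% (>99%) Passed
web_group 6/s 5.97/s (>4.80/s) 153.34ms 197.28ms (<500ms) 99.16% (>99%) Passed
web_project_branches_search 6/s 4.77/s (>4.80/s) 1031.66ms 1430.82ms (<1300ms) 100.00% (>99%) FAILED
"""

ROW = re.compile(
    r"(?P<name>\S+)\s+(?P<target>[\d.]+)/s\s+(?P<rps>[\d.]+)/s\s+\(>(?P<rps_min>[\d.]+)/s\)\s+"
    r"(?P<avg>[\d.]+)ms\s+(?P<p90>[\d.]+)ms\s+\(<(?P<p90_max>[\d.]+)ms\)\s+"
    r"(?P<ok>[\d.]+)%\s+\(>(?P<ok_min>[\d.]+)%\)\s+(?P<verdict>Passed|FAILED)$"
)


@dataclass
class Row:
    name: str
    rps: float
    rps_min: float
    p90: float
    p90_max: float
    ok: float
    ok_min: float
    verdict: str

    def failures(self) -> list[str]:
        """The thresholds this row misses (empty when it passes)."""
        reasons = []
        if self.rps < self.rps_min:
            reasons.append(f"rps {self.rps} < {self.rps_min}")
        if self.p90 > self.p90_max:
            reasons.append(f"p90 {self.p90}ms > {self.p90_max}ms")
        if self.ok < self.ok_min:
            reasons.append(f"success {self.ok}% < {self.ok_min}%")
        return reasons


def parse_results(text: str) -> list[Row]:
    """Parse result rows; lines that do not match the row format (headers, wrapped text) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            g = m.groupdict()
            nums = (float(g[k]) for k in ("rps", "rps_min", "p90", "p90_max", "ok", "ok_min"))
            rows.append(Row(g["name"], *nums, g["verdict"]))
    return rows


def failed_tests(text: str) -> dict[str, list[str]]:
    """Map each test that misses a threshold to its reasons, to cross-check GPT's verdict column."""
    return {r.name: r.failures() for r in parse_results(text) if r.failures()}
```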
Production environment
Adjust the PV storage sizes and node assignments; the 3k test-environment configuration can otherwise be used directly. For production it is best to use external Redis and PostgreSQL.
Preparation: scripts
Resources prepared in advance:
- PV storage settings
- Access policy for the external object storage
- Certificate files
- External Redis
- External PostgreSQL
- LDAP
- GitLab mail account
#+begin_src sh
cat <<\EOF> create_gitlab_secrets_prod.sh
#!/bin/bash
NS="gitlab-ns"
# --- create persistent volumes
#kubectl apply -f gitlab-pv-sc.yaml
# --- create the TLS secret for the domain certificate
kubectl --namespace=$NS create secret tls cici-com --cert=cici.com.crt --key=cici.com.key
# --- enable external object storage
# consolidated storage: one connection secret for all object types
kubectl --namespace=$NS create secret generic gitlab-rails-storage --from-file=connection=object-storage-prod.yaml
# ':<<eof ... eof' is a no-op heredoc that comments out the block below
:<<eof
# before chart 5.2.1 there was no consolidated configuration; each secret had to be created separately
kubectl --namespace=$NS create secret generic gitlab-lfs --from-file=connection=object-storage-prod.yaml
kubectl --namespace=$NS create secret generic gitlab-artifacts --from-file=connection=object-storage-prod.yaml
kubectl --namespace=$NS create secret generic gitlab-uploads --from-file=connection=object-storage-prod.yaml
kubectl --namespace=$NS create secret generic gitlab-packages --from-file=connection=object-storage-prod.yaml
#kubectl --namespace=$NS create secret generic gitlab-externaldiffs --from-file=connection=object-storage-prod.yaml
kubectl --namespace=$NS create secret generic gitlab-pseudonymizer --from-file=connection=object-storage-prod.yaml
eof
# registry (image) storage
kubectl --namespace=$NS create secret generic gitlab-registry --from-file=config=registry-prod.yaml
# backups: s3cmd config for the backup bucket
kubectl --namespace=$NS create secret generic task-runenr-s3-config --from-file=config=s3cfg_cos-prod
# --- service connection passwords (PostgreSQL, Redis, LDAP, SMTP)
kubectl apply -f pg_redis_ldap_smtp-prod.yaml
EOF
#+end_src
Deployment script
Download the matching version of the GitLab chart locally and write the deployment parameters that differ into a separate file so they are easy to adjust later.
#+begin_src sh
cat <<\EOF> deploy-gitlab-prod.sh
# run from the directory holding the downloaded chart ('.'); remove --dry-run to actually apply
# the `#...` entries are empty command substitutions, a trick for commenting inside a continued line
helm upgrade --install -n gitlab-xcw gitlab . \
  --timeout 600s \
  --dry-run \
  -f customize_conf/values-prod.yaml \
  --set global.hosts.gitlab.name='git-xcw.cici.com' \
  `#--external postgresql--` \
  `#--set postgresql.install=false` \
  `#--set global.psql.host=production.postgress.hostname.local` \
  `#--set global.psql.password.secret=gitlab-pg` \
  `#--set global.psql.password.key='password'` \
  `#--external redis--` \
  `#--set redis.install=false` \
  `#--set global.redis.host='redis.example.com'` \
  `#--set global.redis.password.secret=gitlab-redis` \
  `#--set global.redis.password.key='password'` \
  --set gitlab.migrations.enabled=true
EOF
#+end_src
Upgrading
Official reference: incremental upgrades
Differences between versions
Comparison | 12.3.1 (2.3.2) | 14.2.1 (5.2.1) | 13.0.14 (4.0.12) | 12.10.14 (3.3.13) |
---|---|---|---|---|
helm | v2.16.1 | v3.6.3 | helm3/2 | helm3/2 |
chart | - | - | Webservice replaces unicorn | |
 | consolidated object storage (object_store) supported | | | |
 | postgresql.image.{repository,tag} | postgresql.{image,imageTag} | | |
 | redis-master.persistence.accessModes | redis.persistence.accessMode | | |
service: postgresql | 10.4 (9.6.x-10.x) | 12.7 | 11.7.0 | 10.9.0 |
image: task-runner | gitlab-task-runner-ee | gitlab-toolbox-ee | | |
image: unicorn (webservice) | gitlab-unicorn-ee | gitlab-webservice-ee | | |
 | gitlab-workhorse-ee | | | |
service: migrations | - | y | | |
service: praefect | - | - (in development) | | |
service: task-runner-cron | - | y | | |
externalDiffs (external diffs) | y | not used: see details, degrades performance | | |
service: prometheus | - | y | | |
hpa | registry: 2-10 | registry: 2-10 | | |
 | gitlab-shell: 2-10 (removed) | gitlab-shell: 2-10 | | |
 | sidekiq: 1-10 (removed) | sidekiq: 1-10 | | |
 | unicorn: 2-10 (removed) | | | |
pod | gitlab-shell: 6 | gitlab-shell: | | |
 | registry: 2 | registry: | | |
 | sidekiq: 2 | sidekiq | | |
 | task-runner: 1 | task-runner: 1 | | |
 | unicorn: 6 | webservice: | | |
 | ingress-controller: 3 | ingress-controller: | | |
 | ingress-backend: 2 | ingress-backend: | | |
branch | master | main | | |
Configuration
Extra settings applied on top of the default 14.2.1 installation:
- Overview
  - Runners
    - Run untagged jobs
  - Runners
  - Push rules: Admin > Push rules > enable "Prevent pushing secret files"
  - System hooks
  - Deploy keys
  - Labels
- Settings
  - General
    - Default project creation protection for groups: Maintainers
    - Default branch protection: Not protected
    - Account and limit: default projects limit 10, maximum attachment size (MB) 100, user OAuth applications: unchecked
    - Sign-up: sign-up disabled
  - CI/CD
    - Continuous Integration and Deployment: default artifacts expiration 0
    - Uncheck Auto DevOps for projects
  - Reporting
    - Abuse reports: email [email protected]
  - Metrics and profiling:
    - Profiling - Performance bar: devops
  - Preferences
    - Email: check "Include author name in notification email body"
  - General
Incremental upgrades
Follow these steps so that a major-version upgrade succeeds:
- Upgrade to the latest minor version of the previous major version.
- Upgrade to the first minor version (X.0.Z) of the target major version.
- Continue upgrading to newer versions.
#+begin_src sh
# check the installed release, chart and app version
$ helm2 list --namespace=gitlab-test
NAME         REVISION  UPDATED                   STATUS  CHART         APP VERSION  NAMESPACE
gitlab-test  5         Tue Dec 29 18:46:04 2020  FAILED  gitlab-2.3.2  12.3.1       gitlab-test
# dump the customised values (helm2 release; helm3 release saved to a file)
helm2 get values gitlab-test
helm get values -n gitlab-test-xcw gitlab-test-xcw > 5.2.1-bed.yaml
#+end_src
GitLab versions:
11.10.0 -> 11.11.3 -> 11.11.8 -> 12.1.0 -> 12.3.1 -> 12.10.14 -> 13.0.14 -> 13.1.11 -> 13.8.8 -> 13.12.10 -> 14.0.10 -> 14.1.5 -> latest 14.Y.Z
Corresponding chart versions:
1.8.0 -> 1.9.3 -> 1.9.8 -> 2.1.0 -> 2.3.2 -> 3.3.13 -> 4.0.12 -> 4.1.12 -> 4.8.8 -> 4.12.10 -> 5.0.10 -> 5.1.5 -> 5.2.1
Pre-upgrade checks and backup
https://docs.gitlab.com/ee/update/plan_your_upgrade.html
To be able to roll back, back up both the data and the secrets beforehand so the data can be restored later.
#+begin_src sh
# backup
# https://docs.gitlab.com/charts/backup-restore/backup.html
kubectl -n gitlab-test-xcw exec -it <gitlab task-runner pod> -- backup-utility
# back up the secrets
# https://docs.gitlab.com/charts/backup-restore/backup.html#backup-the-secrets
kubectl -n gitlab get secrets | grep rails-secret
kubectl -n gitlab get secrets <rails-secret-name> -o jsonpath="{.data['secrets\.yml']}" | base64 --decode > secrets.yaml
#+end_src
Using external databases
https://github.com/bitnami/bitnami-docker-postgresql
https://github.com/bitnami/bitnami-docker-redis
#+begin_src yaml
# cat docker-compose.yml
# test-environment credentials: use strong passwords and restrict the published ports in production
version: '3.9'
services:
  postgresql:
    image: 'docker.io/bitnami/postgresql:10'
    restart: always
    ports:
      - 15432:5432
    environment:
      #- POSTGRESQL_USERNAME=cmn_git_web_rw
      - TZ=Asia/Shanghai
      - ALLOW_EMPTY_PASSWORD=yes
      - POSTGRESQL_PASSWORD=postgres
      - POSTGRESQL_DATABASE=cici_cmn_git
    volumes:
      - 'postgresql_data:/bitnami/postgresql'
    networks:
      - app-pr
  redis:
    image: 'docker.io/bitnami/redis:6.0-debian-10'
    restart: always
    ports:
      - 16379:6379
    environment:
      - TZ=Asia/Shanghai
      - REDIS_PASSWORD=123456
      - REDIS_DISABLE_COMMANDS=FLUSHDB,FLUSHALL
    volumes:
      - 'redis_data:/bitnami'
    networks:
      - app-pr
volumes:
  postgresql_data:
    driver: local
  redis_data:
    driver: local
networks:
  app-pr:
    driver: bridge
# docker-compose up -d
# tear down
# docker-compose stop
# docker-compose rm -v
# docker-compose down -v   # also removes the data volumes
#+end_src
Preparing production data
The data backups are stored in Tencent Cloud COS; use the coscmd tool to bring them into the new environment.
#+begin_src sh
# cat my-up-down.sh
#!/bin/bash
FILE=$1
#DOWN_FILE=1631823001_2021_09_16_12.3.1-ee_gitlab_backup.tar
# download: avg 8 min 26 s (\cp bypasses any cp alias so the config is overwritten without prompting)
#\cp ~/.cos.conf.prod ~/.cos.conf
#coscmd download ${FILE} ./
# upload: avg 13 min 57 s
\cp ~/.cos.conf.bedin ~/.cos.conf
coscmd upload ${FILE}
#+end_src
Install and upgrade through each version in turn
#+begin_src sh
# list available versions
helm search repo -l gitlab/gitlab
# download (optional, to diff the chart between versions)
helm pull gitlab/gitlab --version=2.3.2
# install/upgrade to 12.3.1; on a fresh environment import the backup data afterwards
cat <<\EOF> up-gitlab-2.3.2-test.sh
helm upgrade --install --force --namespace=gitlab-test-xcw gitlab-test-xcw gitlab/gitlab \
  --timeout 600s \
  --version=2.3.2 \
  `#--dry-run` \
  --debug \
  -f values-customize-2.3.2-test.yaml \
  --set global.hosts.gitlab.name='git-test-xcw.cici.com' \
  `#--external postgresql--` \
  --set postgresql.install=false \
  --set global.psql.host='10.0.0.59' \
  --set global.psql.port=15432 \
  --set global.psql.password.secret=gitlab-test-pg \
  --set global.psql.password.key='password' \
  `#--external redis--` \
  --set redis.enabled=false \
  --set global.redis.host='10.0.0.59' \
  --set global.redis.port=16379 \
  --set global.redis.password.secret=gitlab-test-redis \
  --set global.redis.password.key='password' \
  `#--set gitlab.migrations.enabled=true`
EOF
#+end_src
The migrations job `gitlab-test-xcw-migrations` runs the image:
image: registry.gitlab.com/gitlab-org/build/cng/gitlab-rails-ee:v12.3.1
#+begin_src sh
# upgrade to GitLab Helm Chart version 2.6.0 before upgrading to 3.3.13
# note: from chart 3.x the external-Redis switch is redis.install (was redis.enabled in 2.x)
helm upgrade --install --force --namespace=gitlab-test-xcw gitlab-test-xcw gitlab/gitlab \
  --timeout 600s \
  --version=3.3.13 \
  `#--dry-run` \
  --debug \
  -f values-customize-3.3.13-test.yaml \
  --set global.hosts.gitlab.name='git-test-xcw.cici.com' \
  `#--external postgresql--` \
  --set postgresql.install=false \
  --set global.psql.host='10.0.0.59' \
  --set global.psql.port=35432 \
  --set global.psql.password.secret=gitlab-test-pg \
  --set global.psql.password.key='password' \
  `#--external redis--` \
  --set redis.install=false \
  --set global.redis.host='10.0.0.59' \
  --set global.redis.port=16379 \
  --set global.redis.password.secret=gitlab-test-redis \
  --set global.redis.password.key='password' \
  `#--set gitlab.migrations.enabled=true`
#+end_src
GitLab backup and restore
Official upgrade plan: plan your upgrade
Official reference: chart backup and restore
https://gitlab.com/gitlab-org/charts/gitlab/-/blob/v2.3.2/doc/backup-restore/index.md
COS bucket: gitlab-backup-1254024480
Backup
GitLab backups are taken with the backup-utility program inside the Task Runner pod.
Creating a backup
Backups are either manual or automatic.
Manual: run `backup-utility` in the Task Runner pod. If a bucket is configured the tarball is uploaded there, named `<timestamp>_<version>_gitlab_backup.tar`.
#+begin_src sh
kubectl exec <Task Runner pod name> -it -- backup-utility
#+end_src
Automatic: cron-based backups
#+begin_src sh
--set gitlab.task-runner.backups.cron.enabled=true --set gitlab.task-runner.backups.cron.schedule='0 1 * * *'
#+end_src
Backing up the secrets
If builds use gitlab-runner, also back up the Rails secrets (they encrypt the runner tokens); otherwise, after restoring only the data, the Runners page returns a 500 error.
#+begin_src sh
kubectl -n gitlab get secrets | grep rails-secret
kubectl -n gitlab get secrets <rails-secret-name> -o jsonpath="{.data['secrets\.yml']}" | base64 --decode > secrets.yaml
#+end_src
Restore
If the backup was taken on a version other than the one currently installed, you must downgrade the GitLab installation to that version before restoring.
The backup utility shipped with the GitLab Helm chart can restore a tarball from any of the following locations:
- The gitlab-backups object storage bucket (the default).
- A public URL reachable from the pod.
- A local file copied into the Task Runner pod container with `kubectl cp`.
Restoring the Rails secrets
The Omnibus file `/etc/gitlab/gitlab-secrets.json` corresponds to `secrets.yml` in the pod.
#+begin_src sh
# switch to the k8s context of the environment being upgraded
kubectl config use-context k8s-test-context
# find the name of the rails secrets object
kubectl -n gitlab-test-xcw get secrets | grep rails-secret
# delete the existing secret
kubectl -n gitlab-test-xcw delete secret gitlab-test-xcw-rails-secret
# create a new secret with the same name as the old one from your local YAML file
# local-yaml-filepath is the rails secrets file exported at backup time
kubectl -n gitlab-test-xcw create secret generic gitlab-test-xcw-rails-secret --from-file=secrets.yml=<local-yaml-filepath>
# if the original secrets file cannot be found, the runner registration token can be reset instead
#gitlab-rails console
#>ApplicationSetting.current.reset_runners_registration_token!
#=>true
#+end_src
Restart the pods
For the new secrets to take effect, restart the Webservice, Sidekiq and Task Runner pods.
#+begin_src sh
helm_release_name=gitlab-test-xcw
kubectl -n gitlab-test-xcw delete pods -lapp=sidekiq,release=${helm_release_name}
# in chart 5.2.1 unicorn was replaced by webservice: use -lapp=webservice there
kubectl -n gitlab-test-xcw delete pods -lapp=unicorn,release=${helm_release_name}
kubectl -n gitlab-test-xcw delete pods -lapp=task-runner,release=${helm_release_name}
#+end_src
Restoring the backup file
Make sure the tarball is named `<timestamp>_<version>_gitlab_backup.tar`.
#+begin_src sh
# restore mode 1 (default): read the tarball from the bucket
kubectl exec <Task Runner pod name> -it -- backup-utility --restore -t <timestamp>_<version>
# restore mode 2: URL
# a local path can be given as the URL as long as it has the form file://<path>
kubectl exec <Task Runner pod name> -it -- backup-utility --restore -f <URL>
#+end_src
This takes time, depending on the size of the tarball.
- Measured restore time in the test environment:
  - 60 GB restore: 2.56s user 2.40s system 0% cpu 3:39:08.33 total
The restore deletes the existing contents of the database, moves the existing repositories to a temporary location and extracts the tarball.
Repositories are moved to their proper locations on disk; other data such as artifacts, uploads and LFS objects are uploaded to the corresponding buckets in object storage.
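As an added example (not code from the page or from the GitLab chart), a Python helper that parses the `<timestamp>_<version>_gitlab_backup.tar` name, refuses to build a restore command when the backup's GitLab version differs from the installed one (the downgrade rule above), and otherwise emits the `kubectl exec` argv for either restore mode. The pod name, namespace and in-pod path used in the tests are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Tarball name written by backup-utility, as described above:
#   <timestamp>_<version>_gitlab_backup.tar
# where timestamp is "<epoch>_<YYYY>_<MM>_<DD>" and version carries the edition suffix, e.g.
# 1631823001_2021_09_16_12.3.1-ee_gitlab_backup.tar (the file name from the COS script above).
BACKUP_NAME = re.compile(
    r"^(?P<timestamp>\d+_\d{4}_\d{2}_\d{2})_"
    r"(?P<version>\d+\.\d+\.\d+(?:-[a-z]+)?)_gitlab_backup\.tar$"
)


def parse_backup_name(filename: str) -> Optional[Tuple[str, str]]:
    """Return (timestamp, version) from a backup tarball name, or None if it is malformed."""
    m = BACKUP_NAME.match(filename)
    return (m.group("timestamp"), m.group("version")) if m else None


def restore_command(pod: str, namespace: str, filename: str, installed_version: str,
                    local_path: Optional[str] = None) -> List[str]:
    """Build the kubectl argv for `backup-utility --restore` from the bucket (-t) or a file:// URL (-f).

    Raises ValueError when the tarball name is malformed or the backup was taken on a
    different GitLab version than the one installed: the restore must run on the same version.
    """
    parsed = parse_backup_name(filename)
    if parsed is None:
        raise ValueError(f"unexpected tarball name: {filename}")
    timestamp, version = parsed
    numeric = version.split("-")[0]  # the installed version is reported without the -ee suffix
    if numeric != installed_version:
        raise ValueError(f"backup is from GitLab {version} but {installed_version} is installed; "
                         f"install the chart for {numeric} before restoring")
    cmd = ["kubectl", "-n", namespace, "exec", pod, "-it", "--", "backup-utility", "--restore"]
    if local_path:
        # mode 2: tarball copied into the pod with `kubectl cp`, addressed as a file:// URL
        return cmd + ["-f", f"file://{local_path}"]
    # mode 1 (default): read from the gitlab-backups bucket by the <timestamp>_<version> id
    return cmd + ["-t", f"{timestamp}_{version}"]
```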
Migration
Migrating from the Helm chart to the Linux package
Appendix
Image uploads for multiple versions
- docker-image-v3.3.13.sh
- docker-image-v4.0.12.sh
- docker-image-v4.12.10.sh
- docker-image-v4.8.8.sh
- docker-image-v5.0.10.sh
- docker-image-v5.2.4.sh
Chart values for multiple versions
- values-customize-2.3.2-test.yaml
- values-customize-3.3.13-test.yaml
- values-customize-4.0.12-test.yaml
- values-customize-4.12.10-test.yaml
- values-customize-5.0.10-test.yaml
- values-customize-5.2.4-test.yaml