k8s1.22部署gitlab对接keycloak

添加 gitlab repo, 下载 chart 包

helm repo add gitlab https://charts.gitlab.io/
helm repo update
helm pull gitlab/gitlab

查看 values.yaml 及依赖的 requirements.yaml相关参数

values.yaml

requirements.yaml

keycloak 添加 giltab client

略

添加gitab 对接keycloak 使用 secret

创建 provider文件

name: openid_connect
label: keycloak
args:
  name: "openid_connect"
  scope: ["openid","profile",]
  response_type:  "code"
  issuer: "https://sso.example.com/auth/realms/oc"
  client_auth_method: "query"
  uid_field: "preferred_username"
  send_scope_to_token_endpoint: false
  discovery: true
  client_options:
    identifier: "gitlab-92250"
    secret: "<凭证>"
    redirect_uri: "https://gitlab-apps92250.example.com/users/auth/openid_connect/callback"

创建gitlab-keycloak-oauth2-secret secret

kubectl create secret generic gitlab-keycloak-oauth2-secret --from-file=provider -n cicd

创建外部redis secret

kubectl create secret generic gitlab-redis-secret --from-literal=redis-password=xxxxxx -n cicd

创建 values.yaml

# --- Global settings ---

global:
  hosts:
    domain: example.com
    hostSuffix: apps92250
    tls:
      secretName: example-com-tls
  ingress:
    configureCertmanager: false
    class: nginx
    tls:
      secretName: example-com-tls
      enabled: true

  # 外部redis连接信息
  redis:
    host: 172.16.180.8
    password:
      secret: gitlab-redis-secret
      key: "redis-password"

  # keycloak 配置
  appConfig:
    omniauth:
      enabled: true
      syncProfileAttributes: ["openid", "profile", "email", "groups"]
      allowSingleSignOn: ["openid_connect"]
      auto_link_user: ["openid_connect"]
      providers:
        - secret: gitlab-keycloak-oauth2-secret
          key: provider

certmanager:
  install: false

gitlab-runner:
  # 外部gitlab 不能访问，所以配置内部svc 地址
  gitlabUrl: "http://gitlab-webservice-default.cicd.svc:8181"
  runners:
    locked: false
    cache:
      secretName: gitlab-minio-secret
    config: |
      [[runners]]
        # 外部gitlab 不能访问，所以配置内部svc 地址
        clone_url = "http://gitlab-webservice-default.cicd.svc:8181"
        [runners.cache]
          Type = "s3"
          Path = "gitlab-runner"
          Shared = true
          [runners.cache.s3]
            # 外部minio 不能访问，所以配置内部svc 地址
            ServerAddress = "gitlab-minio-svc.cicd.svc:9000"
            BucketName = "runner-cache"
            BucketLocation = "us-east-1"
            Insecure = true

redis:
  install: false

postgresql:
  persistence:
    storageClass: "nfs4-client"
    subPath: "postgresql"
    size: 50Gi

minio:
  persistence:
    storageClass: "nfs4-client"
    subPath: "minio"
    size: 100Gi

gitlab:
  gitaly:
    persistence:
      storageClass: "nfs4-client"
      subPath: "gitaly"
      size: 50Gi

nginx-ingress:
  enabled: false

registry:
  enabled: true

prometheus:
  install: false

执行安装gitlab

helm upgrade --install gitlab gitlab-5.6.0.tgz \
  --namespace=cicd --create-namespace \
  --timeout 600s \
  -f values.yaml

参考

https://github.com/paradeum-team/operator-env/blob/main/gitlab-cicd/k8s1.20%E4%BD%BF%E7%94%A8helm%E9%83%A8%E7%BD%B2gitlab.md

https://docs.gitlab.com/ee/

https://docs.gitlab.com/ee/ci/ci_cd_for_external_repos/

https://docs.gitlab.com/charts/charts/globals.html#configure-oauth-settings

https://docs.gitlab.com/ee/administration/auth/oidc.html

https://github.com/DvcLAB/DvcLAB/issues/33

https://fswb-documentation.knowis.net/1.0/Installation/content/post_install_configuration.html

Previoushelm安装argocd Next使用Tekton+Helm-Chart+ArgoCD构建GitOps CICD

Last updated 3 years ago