添加 gitlab repo, 下载 chart 包
helm repo add gitlab https://charts.gitlab.io/
helm repo update
helm pull gitlab/gitlab
查看 values.yaml 及依赖的 requirements.yaml相关参数
values.yaml
requirements.yaml
keycloak 添加 giltab client
略
添加gitab 对接keycloak 使用 secret
创建 provider文件
name: openid_connect
label: keycloak
args:
name: "openid_connect"
scope: ["openid","profile",]
response_type: "code"
issuer: "https://sso.example.com/auth/realms/oc"
client_auth_method: "query"
uid_field: "preferred_username"
send_scope_to_token_endpoint: false
discovery: true
client_options:
identifier: "gitlab-92250"
secret: "<凭证>"
redirect_uri: "https://gitlab-apps92250.example.com/users/auth/openid_connect/callback"
创建gitlab-keycloak-oauth2-secret secret
kubectl create secret generic gitlab-keycloak-oauth2-secret --from-file=provider -n cicd
创建外部redis secret
kubectl create secret generic gitlab-redis-secret --from-literal=redis-password=xxxxxx -n cicd
创建 values.yaml
# --- Global settings ---
global:
hosts:
domain: example.com
hostSuffix: apps92250
tls:
secretName: example-com-tls
ingress:
configureCertmanager: false
class: nginx
tls:
secretName: example-com-tls
enabled: true
# 外部redis连接信息
redis:
host: 172.16.180.8
password:
secret: gitlab-redis-secret
key: "redis-password"
# keycloak 配置
appConfig:
omniauth:
enabled: true
syncProfileAttributes: ["openid", "profile", "email", "groups"]
allowSingleSignOn: ["openid_connect"]
auto_link_user: ["openid_connect"]
providers:
- secret: gitlab-keycloak-oauth2-secret
key: provider
certmanager:
install: false
gitlab-runner:
# 外部gitlab 不能访问,所以配置内部svc 地址
gitlabUrl: "http://gitlab-webservice-default.cicd.svc:8181"
runners:
locked: false
cache:
secretName: gitlab-minio-secret
config: |
[[runners]]
# 外部gitlab 不能访问,所以配置内部svc 地址
clone_url = "http://gitlab-webservice-default.cicd.svc:8181"
[runners.cache]
Type = "s3"
Path = "gitlab-runner"
Shared = true
[runners.cache.s3]
# 外部minio 不能访问,所以配置内部svc 地址
ServerAddress = "gitlab-minio-svc.cicd.svc:9000"
BucketName = "runner-cache"
BucketLocation = "us-east-1"
Insecure = true
redis:
install: false
postgresql:
persistence:
storageClass: "nfs4-client"
subPath: "postgresql"
size: 50Gi
minio:
persistence:
storageClass: "nfs4-client"
subPath: "minio"
size: 100Gi
gitlab:
gitaly:
persistence:
storageClass: "nfs4-client"
subPath: "gitaly"
size: 50Gi
nginx-ingress:
enabled: false
registry:
enabled: true
prometheus:
install: false
执行安装gitlab
helm upgrade --install gitlab gitlab-5.6.0.tgz \
--namespace=cicd --create-namespace \
--timeout 600s \
-f values.yaml
参考
https://github.com/paradeum-team/operator-env/blob/main/gitlab-cicd/k8s1.20%E4%BD%BF%E7%94%A8helm%E9%83%A8%E7%BD%B2gitlab.md
https://docs.gitlab.com/ee/
https://docs.gitlab.com/ee/ci/ci_cd_for_external_repos/
https://docs.gitlab.com/charts/charts/globals.html#configure-oauth-settings
https://docs.gitlab.com/ee/administration/auth/oidc.html
https://github.com/DvcLAB/DvcLAB/issues/33
https://fswb-documentation.knowis.net/1.0/Installation/content/post_install_configuration.html