从零开始：使用三台服务器搭建最简 Kubernetes 集群并集成 Gitea + Harbor 示例

# 从零开始：使用三台服务器搭建最简 Kubernetes 集群并集成 Gitea + Harbor

> 在完成基础集群搭建的基础上，本文新增代码仓库（Gitea）与镜像仓库（Harbor）的集成部署指南，实现完整的 DevOps 工具链闭环。

---

<!--more-->

## 🧩 一、前置要求补充

### 1.1 安装 Ingress 控制器
```bash
# 安装 Nginx Ingress（需在 Master 节点执行）
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml

# 验证安装状态
kubectl get pods -n ingress-nginx

1.2 创建共享存储目录（所有节点）

sudo mkdir -p /opt/k8s-data/{gitea,harbor}
sudo chmod 777 /opt/k8s-data/{gitea,harbor}  # 测试环境简化权限

---

📦 二、集成 Gitea 代码仓库

2.1 创建 PostgreSQL 数据库（依赖 Helm 3）

# 添加 Bitnami 仓库
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update

# 创建数据库命名空间
kubectl create namespace gitea

# 部署 PostgreSQL
helm install gitea-db bitnami/postgresql \
  --namespace gitea \
  --set auth.postgresPassword=yourStrongPassword \
  --set persistence.size=5Gi \
  --set persistence.hostPath=/opt/k8s-data/gitea/db

2.2 部署 Gitea 服务

2.2.1 创建配置文件 ConfigMap

# gitea-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-config
  namespace: gitea
data:
  app.ini: |
    [server]
    DOMAIN = gitea.wdft.com
    ROOT_URL = https://gitea.wdft.com/
    
    [database]
    DB_TYPE = postgres
    HOST = gitea-db-postgresql:5432
    NAME = postgres
    USER = postgres
    PASSWD = yourStrongPassword
    
    [repository]
    ROOT = /data/git/repositories

2.2.2 部署 Gitea 应用

# gitea-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
  namespace: gitea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  template:
    metadata:
      labels:
        app: gitea
    spec:
      containers:
      - name: gitea
        image: gitea/gitea:latest
        ports:
        - containerPort: 3000
        volumeMounts:
        - name: gitea-config
          mountPath: /etc/gitea/app.ini
          subPath: app.ini
        - name: gitea-data
          mountPath: /data
      volumes:
      - name: gitea-config
        configMap:
          name: gitea-config
      - name: gitea-data
        hostPath:
          path: /opt/k8s-data/gitea
---
apiVersion: v1
kind: Service
metadata:
  name: gitea
  namespace: gitea
spec:
  ports:
  - port: 80
    targetPort: 3000
  selector:
    app: gitea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitea-ingress
  namespace: gitea
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: gitea
            port:
              number: 80

2.2.3 应用部署

kubectl apply -f gitea-config.yaml
kubectl apply -f gitea-deployment.yaml

2.2.4 访问初始化

# 查看 Ingress IP
kubectl get ingress -n gitea

# 浏览器访问 http://<INGRESS_IP> 并完成初始化：
# 数据库选择 PostgreSQL
# 数据库用户名/密码：postgres / yourStrongPassword
# 仓库根目录：/data/git/repositories
# 确认域名配置为 gitea.wdft.com

---

🌊 三、集成 Harbor 镜像仓库

3.1 安装 Helm 客户端（所有节点）

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh && ./get_helm.sh

3.2 部署 Harbor 依赖组件

# 创建命名空间
kubectl create namespace harbor

# 部署 Redis
helm install harbor-redis bitnami/redis \
  --namespace harbor \
  --set password=redisPassword \
  --set persistence.hostPath=/opt/k8s-data/harbor/redis

# 部署 PostgreSQL
helm install harbor-db bitnami/postgresql \
  --namespace harbor \
  --set auth.postgresPassword=harborPassword \
  --set persistence.hostPath=/opt/k8s-data/harbor/db

3.3 创建 Harbor 配置文件

3.3.1 自签名证书生成（Master 节点）

mkdir -p /opt/certs
cd /opt/certs
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=harbor.wdft.com" \
 -key ca.key -out ca.crt

openssl req -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=harbor.wdft.com" \
 -keyout harbor.key -out harbor.csr

openssl x509 -req -sha512 -days 3650 \
 -CA ca.crt -CAkey ca.key -CAcreateserial \
 -in harbor.csr -out harbor.crt

# 所有节点信任证书
sudo cp /opt/certs/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo systemctl restart containerd

3.3.2 创建 Harbor Values 文件

# harbor-values.yaml
hostname: harbor.wdft.com

networkPolicy:
  notary: false
  clair: false
  chartmuseum: false

externalURL: https://harbor.wdft.com
ssl:
  enabled: true
  cert:
    certificate: |-
      -----BEGIN CERTIFICATE-----
      $(cat /opt/certs/harbor.crt | grep -v "BEGIN CERTIFICATE" | grep -v "END CERTIFICATE")
      -----END CERTIFICATE-----
    privateKey: |-
      -----BEGIN PRIVATE KEY-----
      $(cat /opt/certs/harbor.key | grep -v "BEGIN PRIVATE KEY" | grep -v "END PRIVATE KEY")
      -----END PRIVATE KEY-----

database:
  type: external
  external:
    host: harbor-db-postgresql
    port: 5432
    username: postgres
    password: harborPassword
    database: harbor

redis:
  host: harbor-redis
  port: 6379
  password: redisPassword

persistence:
  persistentVolumeClaim:
    registry:
      existingClaim: ""
    jobservice:
      existingClaim: ""
    chartmuseum:
      existingClaim: ""
    clair:
      existingClaim: ""
    notary:
      existingClaim: ""
    trivy:
      existingClaim: ""
  hostPath:
    /opt/k8s-data/harbor

3.4 部署 Harbor

# 添加 Harbor Helm 仓库
helm repo add harbor https://helm.goharbor.io
helm repo update

# 安装 Harbor
helm install harbor harbor/harbor \
  --namespace harbor \
  --values harbor-values.yaml

3.5 配置 Ingress 规则

# harbor-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: harbor-ingress
  namespace: harbor
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
  - hosts:
    - harbor.wdft.com
    secretName: harbor-ingress-tls
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: harbor-core
            port:
              number: 443

# 创建 TLS Secret
kubectl -n harbor create secret tls harbor-ingress-tls \
  --cert=/opt/certs/harbor.crt \
  --key=/opt/certs/harbor.key

# 应用 Ingress
kubectl apply -f harbor-ingress.yaml

---

🔄 四、集成验证

4.1 修改 Go 应用部署文件

# 修改 deployment.yaml 中的 image 字段
image: harbor.wdft.com/library/go-hello:1.0

4.2 配置 Kubernetes 秘钥

# 创建镜像拉取秘钥
kubectl create secret docker-registry regcred \
  --docker-server=https://harbor.wdft.com \
  --docker-username=admin \
  --docker-password=Harbor12345 \
  --docker-email=admin@wdft.com

# 修改 Deployment 添加 imagePullSecrets
spec:
  template:
    spec:
      imagePullSecrets:
      - name: regcred

4.3 推送镜像到 Harbor

# 登录 Harbor
docker login harbor.wdft.com -u admin -p Harbor12345

# 重新构建并推送镜像
docker build -t harbor.wdft.com/library/go-hello:1.0 .
docker push harbor.wdft.com/library/go-hello:1.0

---

🧪 五、完整 CI/CD 流程演示

1. 代码提交
   在 Gitea 创建新仓库 go-hello，推送代码：

   git remote add origin http://git.wdft.com/ljq/go-hello.git
   git push -u origin master

2. 镜像构建
   修改构建命令指向私有仓库：

   docker build -t harbor.wdft.com/ljq/go-hello:latest .
   docker push harbor.wdft.com/ljq/go-hello:latest

3. 生产部署
   更新 Deployment 镜像地址后重新部署：

   kubectl apply -f deployment.yaml

---

📌 六、配置参考图示

+-------------------+     +------------------+     +-------------------+
|                   |     |                  |     |                   |
|   Gitea Code Repo |<--->| Harbor Registry  |<--->| Kubernetes Cluster|
|                   |     |                  |     |                   |
+-------------------+     +------------------+     +-------------------+
       ^                          ^                        ^
       |                          |                        |
       v                          v                        v
  Developer Workstation    CI/CD Pipeline        Production Environment

---

📚 七、后续优化建议

1. 安全加固

   • 使用 Let’s Encrypt 自动签发证书
   • 配置 RBAC 权限隔离
   • 启用 Harbor 的 Clair 漏洞扫描

2. 存储优化

   • 替换 hostPath 为 NFS 或云存储
   • 配置 Harbor 的 MinIO 后端存储

3. 高可用

   • 部署 PostgreSQL + Patroni 集群
   • 使用 Redis Cluster 替代单实例

4. 监控告警

   • 部署 Prometheus + Grafana
   • 配置 Harbor 自带的监控面板

```

💡 注意事项：

1. 将 harbor.wdft.com 和 gitea.wdft.com 替换为实际域名
2. 生产环境应使用独立存储类（StorageClass）
3. 所有敏感信息应通过 Kubernetes Secret 管理
4. 建议为 Harbor 配置独立的 DNS 解析记录