Building on the basic cluster setup, this post adds an integration guide for a code repository (Gitea) and an image registry (Harbor), closing the loop on a complete DevOps toolchain.
🧩 1. Additional prerequisites
1.1 Install the Ingress controller
```bash
# Install ingress-nginx (run from wherever kubectl is configured for the cluster, e.g. the master node)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml

# Verify that the controller is running and that the "nginx" IngressClass exists
kubectl get pods -n ingress-nginx
kubectl get ingressclass
```

The `provider/cloud` manifest exposes the controller through a `LoadBalancer` Service. On a bare-metal cluster with no load-balancer implementation that Service stays `<pending>`; use `deploy/static/provider/baremetal/deploy.yaml` (NodePort) instead, or add MetalLB. The manifest installs an IngressClass named `nginx` that is not marked as the cluster default, so every Ingress below has to set `ingressClassName: nginx` or the controller will ignore it.
1.2 Create the storage directories (on every node)
```bash
sudo mkdir -p /opt/k8s-data/{gitea,harbor}
sudo chmod 777 /opt/k8s-data/{gitea,harbor}   # test-environment shortcut, see below
```

Two caveats. A `hostPath` directory is node-local, not shared: if a pod is rescheduled onto another node it starts with an empty directory, so either pin each workload to one node or move to a PersistentVolume. And `777` lets any local process read or tamper with repository data and registry blobs; even in a lab, prefer chowning the directory to the UID the container runs as (1000 for the gitea image, 10000 for Harbor's components, 1001 for the Bitnami PostgreSQL and Redis images).
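Because neither the Bitnami charts nor the Harbor chart accept a `hostPath` value, the directories created in 1.2 reach a chart through a pre-created PersistentVolume and claim. The manifests below are an added example, not part of the original post: a `hostPath` PV pinned to the node that holds the data (the node name `k8s-node1` and the claim name `gitea-db-pvc` are assumptions), which the PostgreSQL install in 2.1 can consume with `--set primary.persistence.existingClaim=gitea-db-pvc`.

```yaml
# Added example: node-pinned hostPath PersistentVolume + claim for the Gitea database.
# Assumptions: the node is named k8s-node1 and /opt/k8s-data/gitea exists on it (see 1.2).
apiVersion: v1
kind: PersistentVolume
metadata:
  name: gitea-db-pv
spec:
  capacity:
    storage: 5Gi
  accessModes: ["ReadWriteOnce"]
  persistentVolumeReclaimPolicy: Retain   # never wipe the database directory on claim deletion
  storageClassName: manual                # a label matched by the claim below, not a provisioner
  hostPath:
    path: /opt/k8s-data/gitea/db
    type: DirectoryOrCreate
  nodeAffinity:                           # keep the pod on the node that actually holds the data
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/hostname
              operator: In
              values: ["k8s-node1"]
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitea-db-pvc
  namespace: gitea                        # the namespace created in 2.1
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: manual
  resources:
    requests:
      storage: 5Gi
  volumeName: gitea-db-pv                 # bind to exactly this PV, never to a dynamically provisioned one
```

The Bitnami PostgreSQL container runs as UID 1001, so if the directory is root-owned add `--set volumePermissions.enabled=true` to the Helm install (an init container chowns the mount) rather than opening the directory to everyone. The same pattern, with a different path and claim name, serves the Harbor registry claim via `persistence.persistentVolumeClaim.registry.existingClaim`.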
📦 2. Integrating the Gitea code repository
2.1 Create the PostgreSQL database (requires Helm 3; the client install is shown in 3.1)
```bash
# Add the Bitnami repository
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update

# Namespace for Gitea and its database
kubectl create namespace gitea

# Deploy PostgreSQL
helm install gitea-db bitnami/postgresql \
  --namespace gitea \
  --set auth.postgresPassword=yourStrongPassword \
  --set primary.persistence.size=5Gi
# The Bitnami chart has no persistence.hostPath value; an unknown --set key is silently
# ignored by Helm. The PVC binds through the cluster's default StorageClass, or through
# --set primary.persistence.existingClaim=<pvc> if you pre-create a hostPath PV and claim.
```
2.2 Deploy Gitea
2.2.1 Create the configuration ConfigMap
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-config
  namespace: gitea
data:
  app.ini: |
    [server]
    DOMAIN = gitea.wdft.com
    ; keep http until TLS is terminated at the Ingress; a scheme mismatch breaks clone URLs and redirects
    ROOT_URL = http://gitea.wdft.com/

    [database]
    DB_TYPE = postgres
    HOST = gitea-db-postgresql:5432
    NAME = postgres
    USER = postgres
    ; a ConfigMap is not a Secret: anyone who can read ConfigMaps in this namespace reads this password
    PASSWD = yourStrongPassword

    [repository]
    ROOT = /data/git/repositories
```

Note that ConfigMap volumes are mounted read-only. Gitea's web install wizard (2.2.4) saves its result by rewriting `app.ini`, which fails against such a mount; see 2.2.4 for the two ways around this.
2.2.2 Deploy the Gitea application
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
  namespace: gitea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  template:
    metadata:
      labels:
        app: gitea
    spec:
      containers:
        - name: gitea
          image: gitea/gitea:latest   # pin a release tag (ideally a digest) so deployments are reproducible
          ports:
            - containerPort: 3000
          volumeMounts:
            # The rootful gitea/gitea image reads $GITEA_CUSTOM/conf/app.ini = /data/gitea/conf/app.ini;
            # /etc/gitea/app.ini is only read by the *-rootless image, where a mount there would be ignored
            - name: gitea-config
              mountPath: /data/gitea/conf/app.ini
              subPath: app.ini
            - name: gitea-data
              mountPath: /data
      volumes:
        - name: gitea-config
          configMap:
            name: gitea-config
        - name: gitea-data
          hostPath:
            path: /opt/k8s-data/gitea   # node-local: pin the pod to one node or use a PVC (see 1.2)
---
apiVersion: v1
kind: Service
metadata:
  name: gitea
  namespace: gitea
spec:
  ports:
    - port: 80
      targetPort: 3000
  selector:
    app: gitea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitea-ingress
  namespace: gitea
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"   # no TLS on this Ingress yet; ROOT_URL stays http until there is
spec:
  ingressClassName: nginx
  rules:
    - host: gitea.wdft.com   # without a host this rule would catch every request that reaches the controller
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gitea
                port:
                  number: 80
```
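ConfigMap and Secret volumes are mounted read-only, and a ConfigMap is not the place for a database password. The manifests below are an added example, not the original post's code: the same Gitea settings supplied as `GITEA__<section>__<KEY>` environment variables, which the rootful gitea/gitea image writes into `/data/gitea/conf/app.ini` at start-up through its `environment-to-ini` step, with the password taken from a Secret and the install wizard locked. The image tag `gitea/gitea:1.21` and the Secret name are assumptions.

```yaml
# Added example: Gitea configured through environment variables instead of a mounted app.ini.
# Assumptions: image tag 1.21, Secret name gitea-db-credentials, same DB values as in 2.1.
apiVersion: v1
kind: Secret
metadata:
  name: gitea-db-credentials
  namespace: gitea
type: Opaque
stringData:
  password: yourStrongPassword   # the auth.postgresPassword passed to the Bitnami chart in 2.1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
  namespace: gitea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  template:
    metadata:
      labels:
        app: gitea
    spec:
      containers:
        - name: gitea
          image: gitea/gitea:1.21   # assumed release tag; pin to the version you tested
          ports:
            - containerPort: 3000
          env:
            # environment-to-ini maps GITEA__section__KEY onto [section] KEY in app.ini
            - name: GITEA__server__DOMAIN
              value: gitea.wdft.com
            - name: GITEA__server__ROOT_URL
              value: http://gitea.wdft.com/
            - name: GITEA__database__DB_TYPE
              value: postgres
            - name: GITEA__database__HOST
              value: gitea-db-postgresql:5432
            - name: GITEA__database__NAME
              value: postgres
            - name: GITEA__database__USER
              value: postgres
            - name: GITEA__database__PASSWD
              valueFrom:
                secretKeyRef:            # the password never appears in a ConfigMap or manifest
                  name: gitea-db-credentials
                  key: password
            - name: GITEA__repository__ROOT
              value: /data/git/repositories
            - name: GITEA__security__INSTALL_LOCK
              value: "true"              # skip the web install wizard; app.ini on /data stays writable
          volumeMounts:
            - name: gitea-data
              mountPath: /data
      volumes:
        - name: gitea-data
          hostPath:
            path: /opt/k8s-data/gitea
```

Because `INSTALL_LOCK` skips the wizard, create the first administrator once the pod is ready, e.g. `kubectl -n gitea exec deploy/gitea -- gitea admin user create --admin --username admin --password 'ChangeMe' --email admin@wdft.com` (placeholder credentials). `environment-to-ini` still writes the password into `app.ini` on the `/data` volume, so the gain is that the manifest, the ConfigMap and your Git history no longer carry it; the data directory itself must be protected as described in 1.2.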
2.2.3 Apply the manifests
```bash
kubectl apply -f gitea-config.yaml
kubectl apply -f gitea-deployment.yaml
```
2.2.4 Access and initialization
```bash
# Find the address the Ingress is reachable on. On bare metal the LoadBalancer stays <pending>;
# use a node IP plus the NodePort of the ingress-nginx-controller Service instead.
kubectl get ingress -n gitea
kubectl get svc -n ingress-nginx ingress-nginx-controller

# Point gitea.wdft.com at that address (DNS or /etc/hosts) and open http://gitea.wdft.com/ in a browser.
# If the Ingress rule carries host: gitea.wdft.com, requests must use that name; the bare IP will not match.
```

Complete the wizard with: database type PostgreSQL, host `gitea-db-postgresql:5432`, user/password `postgres` / `yourStrongPassword`, repository root `/data/git/repositories`, and domain `gitea.wdft.com`. The wizard saves these settings by rewriting `app.ini`. With the ConfigMap mount from 2.2.2 that file is read-only and the save fails, so either run Gitea without the ConfigMap mount (the image's entrypoint then creates a writable `app.ini` under `/data/gitea/conf`), or pre-set every value together with `INSTALL_LOCK = true` under `[security]` and create the admin user with `gitea admin user create` instead of using the wizard.
🌊 3. Integrating the Harbor image registry
3.1 Install the Helm client (only where kubectl runs; Helm is a client-side tool and does not need to be on every node)
```bash
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh && ./get_helm.sh   # read the script before running it; it installs the latest Helm 3 release
helm version
```
3.2 Deploy Harbor's dependencies
```bash
# Namespace
kubectl create namespace harbor

# Redis: the Bitnami chart names the service <release>-master, i.e. harbor-redis-master
helm install harbor-redis bitnami/redis \
  --namespace harbor \
  --set architecture=standalone \
  --set auth.password=redisPassword

# PostgreSQL: Harbor does not create its database on an external server, so auth.database
# creates it up front (referenced as coreDatabase in the values file)
helm install harbor-db bitnami/postgresql \
  --namespace harbor \
  --set auth.postgresPassword=harborPassword \
  --set auth.database=harbor
# As in 2.1, persistence.hostPath is not a chart value; use a StorageClass or an existingClaim.
```
3.3 Create the Harbor configuration
3.3.1 Generate a self-signed certificate (master node)
```bash
sudo mkdir -p /opt/certs && sudo chown "$USER" /opt/certs
cd /opt/certs

# CA (give it a subject that differs from the server certificate's)
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=Harbor Lab CA" \
  -key ca.key -out ca.crt

# Server key and CSR
openssl req -new -nodes -sha512 -newkey rsa:4096 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=harbor.wdft.com" \
  -keyout harbor.key -out harbor.csr

# Go-based clients (docker, containerd, kubelet) ignore the CN and require a subjectAltName;
# x509 -req does not copy extensions from the CSR, so supply them via -extfile
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:harbor.wdft.com
EOF

openssl x509 -req -sha512 -days 3650 \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile v3.ext \
  -in harbor.csr -out harbor.crt

# Check: the certificate chains to the CA and carries the SAN
openssl verify -CAfile ca.crt harbor.crt
openssl x509 -in harbor.crt -noout -ext subjectAltName

# Trust the CA on every node (Debian/Ubuntu layout) so containerd can pull from Harbor
sudo cp /opt/certs/ca.crt /usr/local/share/ca-certificates/harbor-ca.crt
sudo update-ca-certificates
sudo systemctl restart containerd
# The Docker client on the workstation needs the CA too: /etc/docker/certs.d/harbor.wdft.com/ca.crt
```
3.3.2 Create the Harbor values file
```yaml
# harbor-values.yaml, using the keys the harbor/harbor chart actually reads.
# YAML is not shell-expanded, so $(cat harbor.crt) inside a values file is stored literally;
# hand the certificate to the chart as a Kubernetes TLS Secret instead (created in 3.5).
expose:
  type: ingress                       # the chart renders the Ingress itself
  tls:
    enabled: true
    certSource: secret
    secret:
      secretName: harbor-ingress-tls  # kubectl create secret tls ... from /opt/certs/harbor.crt and harbor.key
  ingress:
    className: nginx                  # chart >= 1.9; older charts use the kubernetes.io/ingress.class annotation
    hosts:
      core: harbor.wdft.com

externalURL: https://harbor.wdft.com

# Default admin password; change it before the first start (or move it to a Secret)
harborAdminPassword: "Harbor12345"

# Trivy is Harbor's built-in scanner (Clair was removed in Harbor 2.2). Notary and ChartMuseum
# are only present in chart versions that still ship them.
trivy:
  enabled: true
notary:
  enabled: false
chartmuseum:
  enabled: false

database:
  type: external
  external:
    host: harbor-db-postgresql
    port: "5432"
    username: postgres
    password: harborPassword
    coreDatabase: harbor              # must already exist; Harbor does not create it (auth.database in 3.2)
    sslmode: disable

redis:
  type: external
  external:
    addr: "harbor-redis-master:6379"  # Bitnami service name is <release>-master, not <release>
    password: redisPassword

persistence:
  enabled: true
  # No hostPath key here either: each claim binds through the default StorageClass
  # or an existingClaim that points at a pre-created volume
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      size: 5Gi
    trivy:
      existingClaim: ""
```

The database and Redis passwords sit in this file in clear text; keep `harbor-values.yaml` out of Git, or reference pre-created Secrets instead (see the notes at the end).
3.4 Deploy Harbor
```bash
# Add the Harbor Helm repository
helm repo add harbor https://helm.goharbor.io
helm repo update

# The TLS Secret from 3.5 must exist before this step (certSource: secret)
helm install harbor harbor/harbor \
  --namespace harbor \
  --values harbor-values.yaml

# Wait until core, portal, registry, jobservice and trivy are Running
kubectl -n harbor get pods -w
```
3.5 TLS Secret and Ingress rules
```bash
# The TLS Secret referenced by expose.tls.secret.secretName; create it before helm install
kubectl -n harbor create secret tls harbor-ingress-tls \
  --cert=/opt/certs/harbor.crt \
  --key=/opt/certs/harbor.key

# With expose.type=ingress the chart renders the Ingress (release name + "-ingress"): the portal
# on / and harbor-core on /api/, /service/, /v2/ and /c/. Inspect it rather than writing one by hand.
kubectl -n harbor get ingress
kubectl -n harbor describe ingress harbor-ingress

# Smoke test once harbor.wdft.com resolves to the ingress controller
curl --cacert /opt/certs/ca.crt https://harbor.wdft.com/api/v2.0/systeminfo
```

A hand-written Ingress that sends every path to `harbor-core` on port 443 with `ssl-passthrough` does not work: harbor-core serves plain HTTP on port 80 inside the cluster, and the UI lives in the separate `harbor-portal` Service. TLS is terminated by ingress-nginx using the Secret above.
🔄 4. Integration verification
4.1 Update the Go application's Deployment
```yaml
# library is Harbor's default (public) project; a version tag is immutable only by convention, so prefer pinning by digest
image: harbor.wdft.com/library/go-hello:1.0
```
4.2 Configure the Kubernetes image-pull Secret
```bash
# Create the pull Secret in the namespace where the Go app runs (here: default)
kubectl create secret docker-registry regcred \
  --namespace default \
  --docker-server=https://harbor.wdft.com \
  --docker-username=admin \
  --docker-password='Harbor12345' \
  --docker-email=admin@wdft.com
# Harbor12345 is Harbor's default admin password: change it (harborAdminPassword in the values file)
# and, for pulls, prefer a project robot account with pull-only permission over the admin account
```

```yaml
# Add to the Deployment's pod template so the kubelet authenticates to Harbor
spec:
  template:
    spec:
      imagePullSecrets:
        - name: regcred
```
4.3 Push the image to Harbor
```bash
# Log in to Harbor; omit -p so docker prompts for the password instead of leaving it in shell history
docker login harbor.wdft.com -u admin

# Rebuild and push
docker build -t harbor.wdft.com/library/go-hello:1.0 .
docker push harbor.wdft.com/library/go-hello:1.0   # note the sha256 digest printed here for pinning
```
🧪 5. End-to-end CI/CD walkthrough
Commit the code
Create a new repository named go-hello in Gitea and push the code:
```bash
# Use the DOMAIN configured in app.ini; ljq is the Gitea user that owns the repository
git remote add origin http://gitea.wdft.com/ljq/go-hello.git
git push -u origin master
```
Build the image
Point the build at the private registry (the Harbor project `ljq` must exist first; only `library` is created by default):
```bash
docker build -t harbor.wdft.com/ljq/go-hello:latest .
docker push harbor.wdft.com/ljq/go-hello:latest   # latest is mutable; deploy by version tag or digest as in 4.1
```
Deploy to production
Update the image reference in the Deployment and roll it out:
```bash
kubectl apply -f deployment.yaml
kubectl rollout status deployment/<deployment-name>   # wait until the new image has been pulled and is ready
```
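Sections 4 and 5 show the `image:` line and the `imagePullSecrets` fragment in isolation. The Deployment below is an added example, not the original post's `deployment.yaml`: it puts both into one manifest, pins the image by digest on top of the tag, and adds the minimal pod hardening a registry-backed workload should carry. The Deployment name, namespace, container port 8080, resource figures and the digest placeholder are assumptions; take the real digest from the `docker push` output or from `docker inspect --format '{{index .RepoDigests 0}}' harbor.wdft.com/library/go-hello:1.0`.

```yaml
# Added example: complete go-hello Deployment pulling from Harbor.
# Assumptions: namespace default, app listens on 8080, image declares a non-root USER,
# <digest-from-docker-push> is replaced by the sha256 digest printed by docker push.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: go-hello
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: go-hello
  template:
    metadata:
      labels:
        app: go-hello
    spec:
      imagePullSecrets:
        - name: regcred                      # the Secret from 4.2; must live in this namespace
      automountServiceAccountToken: false    # the app does not talk to the Kubernetes API
      containers:
        - name: go-hello
          # tag@digest: the tag is for humans, the digest is what the kubelet actually pulls,
          # so a re-pushed 1.0 cannot silently change what runs
          image: harbor.wdft.com/library/go-hello:1.0@sha256:<digest-from-docker-push>
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
          securityContext:
            runAsNonRoot: true               # requires the image to set a non-root USER
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 500m
              memory: 128Mi
```

`kubectl apply -f` this file and then `kubectl rollout status deployment/go-hello`; if the pull fails with an x509 error, the node's containerd does not trust the CA from 3.3.1, and if it fails with `unauthorized`, `regcred` is missing from this namespace or the Harbor project is private to the account used.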
📌 6. Architecture diagram
```text
+-------------------+     +------------------+     +-------------------+
|                   |     |                  |     |                   |
|  Gitea Code Repo  |<--->| Harbor Registry  |<--->| Kubernetes Cluster|
|                   |     |                  |     |                   |
+-------------------+     +------------------+     +-------------------+
          ^                         ^                         ^
          |                         |                         |
          v                         v                         v
Developer Workstation        CI/CD Pipeline         Production Environment
```
📚 7. Follow-up improvements
Security hardening
- Issue certificates automatically with Let's Encrypt (e.g. via cert-manager) instead of the self-signed CA
- Configure RBAC so that CI tooling and application namespaces are isolated from each other
- Enable Harbor's built-in Trivy vulnerability scanning (Clair was removed in Harbor 2.2) and use the project setting that prevents vulnerable images from being pulled
- Replace the default admin credentials (`Harbor12345`) and use per-project robot accounts for pulls instead of the admin user
Storage
- Replace hostPath with NFS or cloud storage
- Configure MinIO (S3-compatible) as Harbor's registry storage backend
High availability
- Run PostgreSQL as a Patroni cluster
- Replace the single Redis instance with a Redis cluster
Monitoring and alerting
- Deploy Prometheus + Grafana
- Enable Harbor's built-in metrics endpoint and dashboards
💡 Notes:
- Replace `harbor.wdft.com` and `gitea.wdft.com` with your real domain names
- Production environments should use a dedicated StorageClass rather than hostPath
- All sensitive values (database, Redis and admin passwords) should be managed through Kubernetes Secrets, not ConfigMaps or values files committed to Git
- Give Harbor its own DNS record: the Ingress rules match on the Host header, so the name must resolve to the ingress controller's address, and the self-signed certificate only covers that name