# From scratch: build a minimal Kubernetes cluster on three servers and integrate Gitea + Harbor

> Building on the basic cluster setup, this post adds deployment guides for integrating a code repository (Gitea) and an image registry (Harbor), closing the loop on a complete DevOps toolchain.

---


## 🧩 1. Additional prerequisites

### 1.1 Install the Ingress controller
```bash
# Install NGINX Ingress (run on the master node)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml

# Check the installation
kubectl get pods -n ingress-nginx
```

### 1.2 Create the shared storage directories (all nodes)
```bash
sudo mkdir -p /opt/k8s-data/{gitea,harbor}
sudo chmod 777 /opt/k8s-data/{gitea,harbor} # simplified permissions for the test environment
```

## 📦 2. Integrating the Gitea code repository

### 2.1 Create the PostgreSQL database (requires Helm 3)
```bash
# Add the Bitnami repository (installing the Helm client is covered in 3.1)
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update

# Create the namespace for the database
kubectl create namespace gitea

# Deploy PostgreSQL
helm install gitea-db bitnami/postgresql \
  --namespace gitea \
  --set auth.postgresPassword=yourStrongPassword \
  --set persistence.size=5Gi \
  --set persistence.hostPath=/opt/k8s-data/gitea/db
```

### 2.2 Deploy the Gitea service

#### 2.2.1 Create the configuration ConfigMap
```yaml
# gitea-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-config
  namespace: gitea
data:
  app.ini: |
    [server]
    DOMAIN = gitea.wdft.com
    ROOT_URL = https://gitea.wdft.com/

    [database]
    DB_TYPE = postgres
    HOST = gitea-db-postgresql:5432
    NAME = postgres
    USER = postgres
    PASSWD = yourStrongPassword

    [repository]
    ROOT = /data/git/repositories
```

#### 2.2.2 Deploy the Gitea application
```yaml
# gitea-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
  namespace: gitea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  template:
    metadata:
      labels:
        app: gitea
    spec:
      containers:
        - name: gitea
          image: gitea/gitea:latest
          ports:
            - containerPort: 3000
          volumeMounts:
            - name: gitea-config
              mountPath: /etc/gitea/app.ini
              subPath: app.ini
            - name: gitea-data
              mountPath: /data
      volumes:
        - name: gitea-config
          configMap:
            name: gitea-config
        - name: gitea-data
          hostPath:
            path: /opt/k8s-data/gitea
---
apiVersion: v1
kind: Service
metadata:
  name: gitea
  namespace: gitea
spec:
  ports:
    - port: 80
      targetPort: 3000
  selector:
    app: gitea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitea-ingress
  namespace: gitea
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  # IngressClass created by the ingress-nginx manifest in 1.1; it is not marked
  # as the default class, so without this line the controller ignores the Ingress
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gitea
                port:
                  number: 80
```

#### 2.2.3 Apply the manifests
```bash
kubectl apply -f gitea-config.yaml
kubectl apply -f gitea-deployment.yaml
```

#### 2.2.4 Initial setup through the browser
```bash
# Look up the Ingress IP
kubectl get ingress -n gitea

# Open http://<INGRESS_IP> in a browser and complete the setup:
# database type: PostgreSQL
# database user / password: postgres / yourStrongPassword
# repository root: /data/git/repositories
# confirm the domain is set to gitea.wdft.com
```

## 🌊 3. Integrating the Harbor image registry

### 3.1 Install the Helm client (all nodes)
```bash
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh && ./get_helm.sh
```

### 3.2 Deploy Harbor's dependencies
```bash
# Create the namespace
kubectl create namespace harbor

# Deploy Redis (the Bitnami chart reads the password from auth.password)
helm install harbor-redis bitnami/redis \
  --namespace harbor \
  --set auth.password=redisPassword \
  --set persistence.hostPath=/opt/k8s-data/harbor/redis

# Deploy PostgreSQL
helm install harbor-db bitnami/postgresql \
  --namespace harbor \
  --set auth.postgresPassword=harborPassword \
  --set persistence.hostPath=/opt/k8s-data/harbor/db
```

### 3.3 Create the Harbor configuration

#### 3.3.1 Generate a self-signed certificate (master node)
```bash
mkdir -p /opt/certs
cd /opt/certs
# The CA gets its own CN; if the CA and the server certificate share an identical
# subject DN, chain building can mistake the leaf for a self-signed certificate
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=Harbor Root CA" \
  -key ca.key -out ca.crt

openssl req -new -nodes -sha512 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=harbor.wdft.com" \
  -keyout harbor.key -out harbor.csr

# Sign with a subjectAltName: containerd and docker match the registry hostname
# against the SAN and reject a certificate that only carries a CN
printf 'subjectAltName=DNS:harbor.wdft.com\n' > harbor.ext
openssl x509 -req -sha512 -days 3650 \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile harbor.ext \
  -in harbor.csr -out harbor.crt

# Trust the CA on every node
sudo cp /opt/certs/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo systemctl restart containerd
```
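The check a practitioner wants before restarting containerd on every node is whether the certificate just issued will actually be accepted by a container runtime: it must chain to the CA and list the registry hostname as a DNS SAN. The script below is an added example, not part of the original post: it issues a SAN and a CN-only certificate from a throwaway CA and runs that check on both. It assumes OpenSSL 1.1 or newer on the PATH; `CERT_DIR` is scratch space and `harbor.wdft.com` is the post's placeholder hostname.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: issue a CA-signed server
# certificate that carries a subjectAltName and check it the way a registry
# client does (chain valid AND the hostname listed as a DNS SAN).
# Assumptions: OpenSSL 1.1+ on PATH; CERT_DIR is scratch space; harbor.wdft.com
# is the post's placeholder hostname.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"

# Private CA (RSA 2048 keeps the demo quick; the post uses 4096)
gen_ca() {
  openssl genrsa -out "$CERT_DIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha256 -days 3650 \
    -subj "/C=CN/O=Harbor/CN=demo-ca" \
    -key "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.crt" 2>/dev/null
}

# Server certificate for host $1 written to $CERT_DIR/$2/server.{key,csr,crt}.
# $2 = "san" adds subjectAltName=DNS:<host>; $2 = "nosan" reproduces a CN-only
# certificate, which Go-based clients such as containerd and docker reject.
gen_server_cert() {
  host="$1"; mode="$2"; out="$CERT_DIR/$2"
  mkdir -p "$out"
  openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -subj "/C=CN/O=Harbor/CN=$host" \
    -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
  if [ "$mode" = san ]; then
    printf 'subjectAltName=DNS:%s\n' "$host" > "$out/san.ext"
    openssl x509 -req -sha256 -days 825 \
      -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
      -in "$out/server.csr" -out "$out/server.crt" -extfile "$out/san.ext" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 825 \
      -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \
      -in "$out/server.csr" -out "$out/server.crt" 2>/dev/null
  fi
}

# Prints "ok" when the certificate chains to ca.crt and lists $1 as a DNS SAN,
# otherwise "fail". The SAN check is explicit because `openssl verify` still
# falls back to matching the CN, while container runtimes do not.
verify_cert() {
  host="$1"; crt="$2"
  openssl verify -CAfile "$CERT_DIR/ca.crt" "$crt" >/dev/null 2>&1 || { echo fail; return 0; }
  text=$(openssl x509 -in "$crt" -noout -text)
  case "$text" in
    *"DNS:$host"*) echo ok ;;
    *) echo fail ;;
  esac
}

# Demo run
gen_ca
gen_server_cert harbor.wdft.com san
gen_server_cert harbor.wdft.com nosan
echo "with SAN: $(verify_cert harbor.wdft.com "$CERT_DIR/san/server.crt")"
echo "CN only:  $(verify_cert harbor.wdft.com "$CERT_DIR/nosan/server.crt")"
```

Run it against the real files by pointing `verify_cert` at `/opt/certs/harbor.crt` with `CERT_DIR=/opt/certs`; a "fail" on the CN-only certificate is exactly the error a node would later report as a TLS hostname mismatch when pulling from the registry.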

#### 3.3.2 Create the Harbor values file
```yaml
# harbor-values.yaml
# Keys follow the goharbor/harbor chart's values.yaml (expose.*, database.external.*,
# redis.external.*); flat keys such as hostname/ssl/networkPolicy are not read by the chart.
expose:
  # The chart only creates a ClusterIP service; the Ingress in 3.5 fronts it
  type: clusterIP
  tls:
    enabled: true
    # Shell $(...) substitution does not run inside a YAML file, so the PEM is not
    # pasted here: the chart reads it from the TLS Secret created in 3.5
    certSource: secret
    secret:
      secretName: harbor-ingress-tls
  clusterIP:
    name: harbor

externalURL: https://harbor.wdft.com

# Optional components switched off (Clair was replaced by Trivy in Harbor 2.x)
notary:
  enabled: false
chartmuseum:
  enabled: false

database:
  type: external
  external:
    host: harbor-db-postgresql
    port: "5432"
    username: postgres
    password: harborPassword
    coreDatabase: harbor

redis:
  type: external
  external:
    # the Bitnami chart names its service <release>-master
    addr: harbor-redis-master:6379
    password: redisPassword

persistence:
  enabled: true
  # The chart has no hostPath key. With existingClaim left empty it creates PVCs
  # through the cluster's default StorageClass; to keep data under
  # /opt/k8s-data/harbor, pre-create hostPath PV/PVCs and put their names here.
  persistentVolumeClaim:
    registry:
      existingClaim: ""
    jobservice:
      existingClaim: ""
    trivy:
      existingClaim: ""
```

### 3.4 Deploy Harbor
```bash
# Add the Harbor Helm repository
helm repo add harbor https://helm.goharbor.io
helm repo update

# Install Harbor
helm install harbor harbor/harbor \
  --namespace harbor \
  --values harbor-values.yaml
```

### 3.5 Configure the Ingress rule
```yaml
# harbor-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: harbor-ingress
  namespace: harbor
  annotations:
    # Passthrough only takes effect when the controller runs with --enable-ssl-passthrough;
    # the manifest from 1.1 does not set that flag by default
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - harbor.wdft.com
      secretName: harbor-ingress-tls
  rules:
    # passthrough is matched on the TLS SNI, so the rule needs an explicit host
    - host: harbor.wdft.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # the chart's ClusterIP service; harbor-core itself only serves plain HTTP
                name: harbor
                port:
                  number: 443
```

```bash
# Create the TLS Secret
kubectl -n harbor create secret tls harbor-ingress-tls \
  --cert=/opt/certs/harbor.crt \
  --key=/opt/certs/harbor.key

# Apply the Ingress
kubectl apply -f harbor-ingress.yaml
```

## 🔄 4. Integration check

### 4.1 Update the Go application's deployment file
```yaml
# Change the image field in deployment.yaml
image: harbor.wdft.com/library/go-hello:1.0
```

### 4.2 Configure the Kubernetes image pull secret
```bash
# Create the image pull secret (it must be in the same namespace as the Deployment)
kubectl create secret docker-registry regcred \
  --docker-server=https://harbor.wdft.com \
  --docker-username=admin \
  --docker-password=Harbor12345 \
  --docker-email=admin@wdft.com
```

```yaml
# Add imagePullSecrets to the Deployment
spec:
  template:
    spec:
      imagePullSecrets:
        - name: regcred
```

### 4.3 Push the image to Harbor
```bash
# Log in to Harbor
docker login harbor.wdft.com -u admin -p Harbor12345

# Rebuild and push the image
docker build -t harbor.wdft.com/library/go-hello:1.0 .
docker push harbor.wdft.com/library/go-hello:1.0
```
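The ConfigMap in 2.2.1 embeds the database password in plaintext, and 4.2 creates the pull secret imperatively. As an added example, not part of the original post, the script below generates both as Secret manifests without needing kubectl: an Opaque Secret that reaches Gitea through its `GITEA__database__PASSWD` environment variable (the Gitea container image maps `GITEA__<section>__<KEY>` variables into app.ini), and a `kubernetes.io/dockerconfigjson` Secret with the same content `kubectl create secret docker-registry regcred` produces. The secret name `gitea-db-secret` and the sample credentials are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: build Secret manifests for the
# credentials the post keeps in plaintext, without needing kubectl.
# Assumptions: base64 from coreutils; secret names and sample values below are
# constructed placeholders; Gitea's image maps GITEA__<section>__<KEY> env vars
# into app.ini, which is how the Opaque Secret reaches [database] PASSWD.
set -eu

# base64 on a single line (Secret .data values must not contain newlines)
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Opaque Secret with one key: opaque_secret_manifest <ns> <name> <key> <value>
opaque_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $1
type: Opaque
data:
  $3: $(b64 "$4")
EOF
}

# The JSON that `kubectl create secret docker-registry` stores: the "auth"
# field is base64("user:password"), which is what kubelet presents to the registry.
dockerconfigjson() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$(b64 "$2:$3")"
}

# Pull secret: registry_secret_manifest <ns> <name> <server> <user> <pass> <email>
# It must live in the same namespace as the Deployment that references it.
registry_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(dockerconfigjson "$3" "$4" "$5" "$6")")
EOF
}

# Container env fragment for the Gitea Deployment: the password comes from the
# Secret, so the PASSWD line can be dropped from the ConfigMap.
gitea_env_fragment() {
  cat <<'EOF'
          env:
            - name: GITEA__database__PASSWD
              valueFrom:
                secretKeyRef:
                  name: gitea-db-secret
                  key: password
EOF
}

# Read one data field back out of a manifest: decode_field <manifest> <key>
decode_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d
}

# Demo with constructed values
opaque_secret_manifest gitea gitea-db-secret password 'yourStrongPassword'
echo '---'
registry_secret_manifest default regcred harbor.wdft.com admin Harbor12345 admin@wdft.com
echo '---'
gitea_env_fragment
```

Pipe the output into `kubectl apply -f -` to create both Secrets; base64 is an encoding, not encryption, so the generated manifests still need to be kept out of the Git repository or encrypted at rest (the post's note on managing sensitive data through Secrets applies to the files as well as to the cluster).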

## 🧪 5. End-to-end CI/CD walkthrough

1. Commit the code
   Create a new repository `go-hello` in Gitea and push the code:

   ```bash
   git remote add origin http://git.wdft.com/ljq/go-hello.git
   git push -u origin master
   ```
2. Build the image
   Point the build command at the private registry:

   ```bash
   docker build -t harbor.wdft.com/ljq/go-hello:latest .
   docker push harbor.wdft.com/ljq/go-hello:latest
   ```
3. Deploy to production
   Update the image address in the Deployment and redeploy:

   ```bash
   kubectl apply -f deployment.yaml
   ```

## 📌 6. Architecture overview

```text
+-------------------+     +------------------+     +-------------------+
|                   |     |                  |     |                   |
|  Gitea Code Repo  |<--->| Harbor Registry  |<--->| Kubernetes Cluster|
|                   |     |                  |     |                   |
+-------------------+     +------------------+     +-------------------+
          ^                        ^                         ^
          |                        |                         |
          v                        v                         v
Developer Workstation       CI/CD Pipeline        Production Environment
```

## 📚 7. Follow-up improvements

1. Security hardening
   - Use Let's Encrypt to issue certificates automatically
   - Configure RBAC for permission isolation
   - Enable Harbor's Clair vulnerability scanning
2. Storage
   - Replace hostPath with NFS or cloud storage
   - Configure MinIO as Harbor's backend storage
3. High availability
   - Run PostgreSQL as a Patroni cluster
   - Replace the single Redis instance with Redis Cluster
4. Monitoring and alerting
   - Deploy Prometheus + Grafana
   - Enable Harbor's built-in metrics dashboard

💡 Notes:

1. Replace harbor.wdft.com and gitea.wdft.com with your actual domain names
2. Production environments should use a dedicated StorageClass
3. All sensitive information should be managed through Kubernetes Secrets
4. Give Harbor its own DNS record
# Eight Fallacies of Distributed Systems

1. The network is reliable
2. Latency is zero
3. Bandwidth is infinite
4. The network is secure
5. Topology doesn't change
6. There is one administrator
7. Transport cost is zero
8. The network is homogeneous