Starting from Zero: Building a Minimal Kubernetes Cluster on Three Servers and Integrating Gitea + Harbor (Example)

# Starting from Zero: Building a Minimal Kubernetes Cluster on Three Servers and Integrating Gitea + Harbor

> Building on the basic cluster setup, this article adds a deployment guide for integrating a code repository (Gitea) and an image registry (Harbor), closing the loop on a complete DevOps toolchain.

---

<!--more-->

## 🧩 1. Additional Prerequisites

### 1.1 Install an Ingress Controller
```bash
# Install NGINX Ingress (run on the Master node)
# The "cloud" manifest creates a LoadBalancer Service; on three bare servers without a
# load balancer, use the "baremetal" manifest (NodePort) from the same release instead.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml

# Verify the installation
kubectl get pods -n ingress-nginx
```

### 1.2 Create Shared Storage Directories (all nodes)
```bash
sudo mkdir -p /opt/k8s-data/{gitea,harbor}
sudo chmod 777 /opt/k8s-data/{gitea,harbor}  # simplified permissions for a test environment only
```

## 📦 2. Integrate the Gitea Code Repository

### 2.1 Create the PostgreSQL Database (requires Helm 3)
```bash
# Add the Bitnami repository
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update

# Create the namespace for the database
kubectl create namespace gitea

# Deploy PostgreSQL
# Note: persistence keys differ between chart versions (newer charts use primary.persistence.*),
# and the chart has no hostPath value: it provisions a PVC through the cluster's StorageClass.
# Check `helm show values bitnami/postgresql` before relying on these flags.
helm install gitea-db bitnami/postgresql \
  --namespace gitea \
  --set auth.postgresPassword=yourStrongPassword \
  --set persistence.size=5Gi \
  --set persistence.hostPath=/opt/k8s-data/gitea/db
```

### 2.2 Deploy the Gitea Service

#### 2.2.1 Create the Configuration ConfigMap
```yaml
# gitea-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-config
  namespace: gitea
data:
  app.ini: |
    [server]
    DOMAIN = gitea.wdft.com
    ROOT_URL = https://gitea.wdft.com/

    [database]
    DB_TYPE = postgres
    HOST = gitea-db-postgresql:5432
    NAME = postgres
    USER = postgres
    PASSWD = yourStrongPassword

    [repository]
    ROOT = /data/git/repositories
```

#### 2.2.2 Deploy the Gitea Application
```yaml
# gitea-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
  namespace: gitea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  template:
    metadata:
      labels:
        app: gitea
    spec:
      containers:
      - name: gitea
        image: gitea/gitea:latest   # pin a specific version for production
        ports:
        - containerPort: 3000
        volumeMounts:
        - name: gitea-config
          mountPath: /etc/gitea/app.ini
          subPath: app.ini
        - name: gitea-data
          mountPath: /data
      volumes:
      - name: gitea-config
        configMap:
          name: gitea-config
      - name: gitea-data
        # hostPath is node-local: if the pod is rescheduled to another node the data
        # does not follow it (see the notes at the end about using a StorageClass)
        hostPath:
          path: /opt/k8s-data/gitea
---
apiVersion: v1
kind: Service
metadata:
  name: gitea
  namespace: gitea
spec:
  ports:
  - port: 80
    targetPort: 3000
  selector:
    app: gitea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitea-ingress
  namespace: gitea
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: gitea
            port:
              number: 80
```

#### 2.2.3 Apply the Manifests
```bash
kubectl apply -f gitea-config.yaml
kubectl apply -f gitea-deployment.yaml
```

#### 2.2.4 Access and Initialize
```bash
# Look up the Ingress address
kubectl get ingress -n gitea

# Open http://<INGRESS_IP> in a browser and complete the initial setup:
# Database type: PostgreSQL
# Database user / password: postgres / yourStrongPassword
# Repository root path: /data/git/repositories
# Confirm the domain is set to gitea.wdft.com
```

## 🌊 3. Integrate the Harbor Image Registry

### 3.1 Install the Helm Client (all nodes)
```bash
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh && ./get_helm.sh
```

### 3.2 Deploy Harbor's Dependencies
```bash
# Create the namespace
kubectl create namespace harbor

# Deploy Redis
# Current bitnami/redis charts read the password from auth.password (older releases used
# `password`); the master Service is named <release>-redis-master, i.e. harbor-redis-master.
helm install harbor-redis bitnami/redis \
  --namespace harbor \
  --set auth.password=redisPassword \
  --set persistence.hostPath=/opt/k8s-data/harbor/redis

# Deploy PostgreSQL
# auth.database creates the "harbor" database that Harbor core expects to exist.
# As in 2.1, persistence.hostPath is not a chart value; storage comes from a PVC.
helm install harbor-db bitnami/postgresql \
  --namespace harbor \
  --set auth.postgresPassword=harborPassword \
  --set auth.database=harbor \
  --set persistence.hostPath=/opt/k8s-data/harbor/db
```

### 3.3 Create the Harbor Configuration

#### 3.3.1 Generate a Self-Signed Certificate (Master node)
```bash
mkdir -p /opt/certs
cd /opt/certs
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=harbor.wdft.com" \
  -key ca.key -out ca.crt

openssl req -new -nodes -sha512 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=harbor.wdft.com" \
  -keyout harbor.key -out harbor.csr

# Go-based clients (containerd, docker, kubelet) reject a certificate that only carries
# the hostname in the Common Name, so add a subjectAltName when signing the CSR.
cat > v3.ext <<EOF
subjectAltName = DNS:harbor.wdft.com
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
openssl x509 -req -sha512 -days 3650 \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile v3.ext \
  -in harbor.csr -out harbor.crt

# Trust the CA on every node (copy ca.crt to each node first)
sudo cp /opt/certs/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo systemctl restart containerd
```
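Before copying the CA to every node, it is worth checking the certificate the way a Go-based client will. The following is an added shell example, not code from the original post: it reproduces the CA and server-certificate steps above with a subjectAltName and then verifies the result offline (chains to the CA, SAN present, private key matches). It assumes openssl 1.1.1 or newer; the output directory, hostname and the CA's distinct CN are parameters I chose.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Generates a CA plus a Harbor server
# certificate with a SAN and verifies them offline. Assumes openssl >= 1.1.1.
set -eu

# gen_harbor_certs <out_dir> <hostname>: writes ca.key/ca.crt and harbor.key/harbor.crt
gen_harbor_certs() {
  local dir="$1" host="$2"
  mkdir -p "$dir"
  # CA: 4096-bit key, self-signed for 10 years. The CA gets its own CN (my assumption) so
  # that issuer and subject of the server certificate are not identical.
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 -key "$dir/ca.key" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=Harbor Root CA" -out "$dir/ca.crt"
  # Server key and CSR (CN is kept for old clients, but the SAN below is what counts)
  openssl req -new -nodes -sha512 -newkey rsa:4096 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=$host" \
    -keyout "$dir/harbor.key" -out "$dir/harbor.csr" 2>/dev/null
  # Leaf extensions: Go clients (containerd, docker, kubelet) reject a certificate that
  # relies on the legacy Common Name field alone.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$dir/harbor.ext"
  openssl x509 -req -sha512 -days 3650 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/harbor.ext" \
    -in "$dir/harbor.csr" -out "$dir/harbor.crt" 2>/dev/null
}

# verify_harbor_cert <dir> <hostname>: returns 0 when the certificate chains to ca.crt,
# carries DNS:<hostname> in its SAN, and matches harbor.key; 1/2/3 say which check failed.
verify_harbor_cert() {
  local dir="$1" host="$2" text
  openssl verify -CAfile "$dir/ca.crt" "$dir/harbor.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$dir/harbor.crt" -noout -text)
  case "$text" in *"DNS:$host"*) ;; *) return 2 ;; esac
  [ "$(openssl pkey -in "$dir/harbor.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/harbor.crt" -noout -pubkey)" ] || return 3
}
```

Run `gen_harbor_certs /opt/certs harbor.wdft.com && verify_harbor_cert /opt/certs harbor.wdft.com` and only distribute ca.crt when the second command exits 0.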

#### 3.3.2 Create the Harbor Values File
```yaml
# harbor-values.yaml
# Keys follow the harbor/harbor chart (check them against `helm show values harbor/harbor`).
# The original draft used keys the chart does not have (hostname, networkPolicy, ssl.cert,
# persistence.hostPath) and tried to splice PEM files in with "$(cat ...)", which is never
# expanded inside a YAML file; the certificate is referenced through a Secret instead.
externalURL: https://harbor.wdft.com

expose:
  # Expose Harbor's own nginx proxy as a ClusterIP Service named "harbor"; the Ingress in
  # section 3.5 passes TLS through to it unchanged.
  type: clusterIP
  clusterIP:
    name: harbor
  tls:
    enabled: true
    # TLS Secret created in section 3.5 from /opt/certs/harbor.crt and harbor.key
    certSource: secret
    secret:
      secretName: harbor-ingress-tls

# Optional components this minimal setup does not need
notary:
  enabled: false
chartmuseum:
  enabled: false

database:
  type: external
  external:
    host: harbor-db-postgresql
    port: "5432"
    username: postgres
    password: harborPassword
    coreDatabase: harbor

redis:
  type: external
  external:
    # Service created by the bitnami/redis release "harbor-redis" in section 3.2
    addr: harbor-redis-master:6379
    password: redisPassword

persistence:
  enabled: true
  # The chart provisions PVCs through the cluster's StorageClass (there is no hostPath
  # option); an empty existingClaim lets the chart create the claim itself.
  persistentVolumeClaim:
    registry:
      existingClaim: ""
      size: 20Gi
```

### 3.4 Deploy Harbor
```bash
# Add the Harbor Helm repository
helm repo add harbor https://helm.goharbor.io
helm repo update

# Install Harbor
# harbor-values.yaml references the TLS Secret harbor-ingress-tls (created in 3.5);
# the pods stay in ContainerCreating until that Secret exists, so create it first.
helm install harbor harbor/harbor \
  --namespace harbor \
  --values harbor-values.yaml
```

### 3.5 Configure the Ingress Rule
```yaml
# harbor-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: harbor-ingress
  namespace: harbor
  annotations:
    # Pass TLS straight through to Harbor's nginx. The controller must run with
    # --enable-ssl-passthrough (see below), and passthrough routes by SNI, so a host is required.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
  - hosts:
    - harbor.wdft.com
    secretName: harbor-ingress-tls
  rules:
  - host: harbor.wdft.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            # ClusterIP Service created by the chart (expose.clusterIP.name in harbor-values.yaml);
            # harbor-core itself only serves plain HTTP on port 80 unless internal TLS is enabled.
            name: harbor
            port:
              number: 443
```

```bash
# Create the TLS Secret
kubectl -n harbor create secret tls harbor-ingress-tls \
  --cert=/opt/certs/harbor.crt \
  --key=/opt/certs/harbor.key

# SSL passthrough is off by default in ingress-nginx; enable it on the controller
kubectl -n ingress-nginx patch deployment ingress-nginx-controller --type=json \
  -p='[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--enable-ssl-passthrough"}]'

# Apply the Ingress
kubectl apply -f harbor-ingress.yaml
```

## 🔄 4. Integration Verification

### 4.1 Update the Go Application's Deployment File
```yaml
# Change the image field in deployment.yaml
image: harbor.wdft.com/library/go-hello:1.0
```

### 4.2 Configure the Kubernetes Secret
```bash
# Create the image pull secret (in the same namespace as the Deployment that uses it)
kubectl create secret docker-registry regcred \
  --docker-server=https://harbor.wdft.com \
  --docker-username=admin \
  --docker-password=Harbor12345 \
  --docker-email=admin@wdft.com
```

```yaml
# Add imagePullSecrets to the Deployment
spec:
  template:
    spec:
      imagePullSecrets:
      - name: regcred
```

### 4.3 Push the Image to Harbor
```bash
# Log in to Harbor
docker login harbor.wdft.com -u admin -p Harbor12345

# Rebuild and push the image
docker build -t harbor.wdft.com/library/go-hello:1.0 .
docker push harbor.wdft.com/library/go-hello:1.0
```
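The regcred Secret in 4.2 lands in whatever namespace kubectl is currently pointed at, and a Deployment can only reference a pull Secret from its own namespace. The following added shell example (not code from the original post) builds the same `.dockerconfigjson` payload that `kubectl create secret docker-registry` produces, wraps it in a namespaced Secret manifest, and reads the password back out, which is the point to keep in mind before granting `get secret` broadly or storing the admin account in it. The namespace, account name and password are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Builds the .dockerconfigjson payload of a
# kubernetes.io/dockerconfigjson Secret, emits a namespaced manifest, and decodes it again.
# Assumes GNU base64 and sed; all credential values are constructed samples.
set -eu

# dockerconfigjson <server> <user> <password> <email> -> JSON on stdout
# "auth" is base64(user:password): an encoding, not encryption.
dockerconfigjson() {
  local server="$1" user="$2" pass="$3" email="$4" auth
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$server" "$user" "$pass" "$email" "$auth"
}

# regcred_manifest <namespace> <name> <server> <user> <password> <email> -> Secret YAML
# The Secret must live in the namespace of the Deployment that lists it in imagePullSecrets.
regcred_manifest() {
  local ns="$1" name="$2"; shift 2
  local encoded
  encoded=$(dockerconfigjson "$@" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$name" "$ns" "$encoded"
}

# password_from_manifest: manifest on stdin -> registry password on stdout.
# Anyone allowed to `get secret` in that namespace can do exactly this, so scope RBAC
# narrowly and put a pull-only account in the Secret rather than the Harbor admin user.
password_from_manifest() {
  sed -n 's/^  \.dockerconfigjson: //p' | base64 -d | sed 's/.*"password":"\([^"]*\)".*/\1/'
}
```

`regcred_manifest myapp regcred https://harbor.wdft.com pull-bot '<password>' bot@example.com | kubectl apply -f -` creates the Secret next to the Deployment instead of in the default namespace.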

## 🧪 5. Full CI/CD Workflow Walkthrough

1. Commit the code
   Create a new repository `go-hello` in Gitea and push the code:

   ```bash
   git remote add origin http://git.wdft.com/ljq/go-hello.git
   git push -u origin master
   ```
2. Build the image
   Point the build command at the private registry:

   ```bash
   docker build -t harbor.wdft.com/ljq/go-hello:latest .
   docker push harbor.wdft.com/ljq/go-hello:latest
   ```
3. Deploy to production
   Update the image reference in the Deployment and redeploy:

   ```bash
   kubectl apply -f deployment.yaml
   ```

## 📌 6. Configuration Reference Diagram

```text
+-------------------+     +------------------+     +-------------------+
|                   |     |                  |     |                   |
|  Gitea Code Repo  |<--->| Harbor Registry  |<--->| Kubernetes Cluster|
|                   |     |                  |     |                   |
+-------------------+     +------------------+     +-------------------+
          ^                         ^                        ^
          |                         |                        |
          v                         v                        v
Developer Workstation        CI/CD Pipeline       Production Environment
```

## 📚 7. Suggested Follow-Up Improvements

1. Security hardening

   - Issue certificates automatically with Let's Encrypt
   - Configure RBAC for permission isolation
   - Enable Harbor's Clair vulnerability scanning
2. Storage optimization

   - Replace hostPath with NFS or cloud storage
   - Configure MinIO as Harbor's backend storage
3. High availability

   - Deploy a PostgreSQL + Patroni cluster
   - Replace the single Redis instance with Redis Cluster
4. Monitoring and alerting

   - Deploy Prometheus + Grafana
   - Configure Harbor's built-in monitoring dashboard

💡 Notes:

1. Replace harbor.wdft.com and gitea.wdft.com with your actual domain names
2. Production environments should use a dedicated StorageClass
3. All sensitive information should be managed through Kubernetes Secrets
4. It is recommended to configure dedicated DNS records for Harbor