从零开始:使用三台服务器搭建最简 Kubernetes 集群并集成 Gitea + Harbor 示例
Posted Updated  Jack Liu distributed10 minutes read (About 1428 words)

从零开始:使用三台服务器搭建最简 Kubernetes 集群并集成 Gitea + Harbor 示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# 从零开始:使用三台服务器搭建最简 Kubernetes 集群并集成 Gitea + Harbor

> 在完成基础集群搭建的基础上,本文新增代码仓库(Gitea)与镜像仓库(Harbor)的集成部署指南,实现完整的 DevOps 工具链闭环。

---

<!--more-->

## 🧩 一、前置要求补充

### 1.1 安装 Ingress 控制器
```bash
# 安装 Nginx Ingress(需在 Master 节点执行)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml

# 验证安装状态
kubectl get pods -n ingress-nginx

1.2 创建共享存储目录(所有节点)

1
2
sudo mkdir -p /opt/k8s-data/{gitea,harbor}
sudo chmod 777 /opt/k8s-data/{gitea,harbor}  # 测试环境简化权限

📦 二、集成 Gitea 代码仓库

2.1 创建 PostgreSQL 数据库(依赖 Helm 3)

1
2
3
4
5
6
7
8
9
10
11
12
13
# 添加 Bitnami 仓库
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update

# 创建数据库命名空间
kubectl create namespace gitea

# 部署 PostgreSQL
helm install gitea-db bitnami/postgresql \
  --namespace gitea \
  --set auth.postgresPassword=yourStrongPassword \
  --set persistence.size=5Gi \
  --set persistence.hostPath=/opt/k8s-data/gitea/db

2.2 部署 Gitea 服务

2.2.1 创建配置文件 ConfigMap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# gitea-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-config
  namespace: gitea
data:
  app.ini: |
    [server]
    DOMAIN = gitea.wdft.com
    ROOT_URL = https://gitea.wdft.com/
    
    [database]
    DB_TYPE = postgres
    HOST = gitea-db-postgresql:5432
    NAME = postgres
    USER = postgres
    PASSWD = yourStrongPassword
    
    [repository]
    ROOT = /data/git/repositories

2.2.2 部署 Gitea 应用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# gitea-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
  namespace: gitea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea
  template:
    metadata:
      labels:
        app: gitea
    spec:
      containers:
      - name: gitea
        image: gitea/gitea:latest
        ports:
        - containerPort: 3000
        volumeMounts:
        - name: gitea-config
          mountPath: /etc/gitea/app.ini
          subPath: app.ini
        - name: gitea-data
          mountPath: /data
      volumes:
      - name: gitea-config
        configMap:
          name: gitea-config
      - name: gitea-data
        hostPath:
          path: /opt/k8s-data/gitea
---
apiVersion: v1
kind: Service
metadata:
  name: gitea
  namespace: gitea
spec:
  ports:
  - port: 80
    targetPort: 3000
  selector:
    app: gitea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitea-ingress
  namespace: gitea
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: gitea
            port:
              number: 80

2.2.3 应用部署

1
2
kubectl apply -f gitea-config.yaml
kubectl apply -f gitea-deployment.yaml

2.2.4 访问初始化

1
2
3
4
5
6
7
8
# 查看 Ingress IP
kubectl get ingress -n gitea

# 浏览器访问 http://<INGRESS_IP> 并完成初始化:
# 数据库选择 PostgreSQL
# 数据库用户名/密码:postgres / yourStrongPassword
# 仓库根目录:/data/git/repositories
# 确认域名配置为 gitea.wdft.com

🌊 三、集成 Harbor 镜像仓库

3.1 安装 Helm 客户端(所有节点)

1
2
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh && ./get_helm.sh

3.2 部署 Harbor 依赖组件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# 创建命名空间
kubectl create namespace harbor

# 部署 Redis
helm install harbor-redis bitnami/redis \
  --namespace harbor \
  --set password=redisPassword \
  --set persistence.hostPath=/opt/k8s-data/harbor/redis

# 部署 PostgreSQL
helm install harbor-db bitnami/postgresql \
  --namespace harbor \
  --set auth.postgresPassword=harborPassword \
  --set persistence.hostPath=/opt/k8s-data/harbor/db

3.3 创建 Harbor 配置文件

3.3.1 自签名证书生成(Master 节点)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
mkdir -p /opt/certs
cd /opt/certs
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=harbor.wdft.com" \
 -key ca.key -out ca.crt

openssl req -new -nodes -sha512 -days 3650 \
 -subj "/C=CN/ST=Beijing/L=Beijing/O=Harbor/CN=harbor.wdft.com" \
 -keyout harbor.key -out harbor.csr

openssl x509 -req -sha512 -days 3650 \
 -CA ca.crt -CAkey ca.key -CAcreateserial \
 -in harbor.csr -out harbor.crt

# 所有节点信任证书
sudo cp /opt/certs/ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
sudo systemctl restart containerd

3.3.2 创建 Harbor Values 文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# harbor-values.yaml
hostname: harbor.wdft.com

networkPolicy:
  notary: false
  clair: false
  chartmuseum: false

externalURL: https://harbor.wdft.com
ssl:
  enabled: true
  cert:
    certificate: |-
      -----BEGIN CERTIFICATE-----
      $(cat /opt/certs/harbor.crt | grep -v "BEGIN CERTIFICATE" | grep -v "END CERTIFICATE")
      -----END CERTIFICATE-----
    privateKey: |-
      -----BEGIN PRIVATE KEY-----
      $(cat /opt/certs/harbor.key | grep -v "BEGIN PRIVATE KEY" | grep -v "END PRIVATE KEY")
      -----END PRIVATE KEY-----

database:
  type: external
  external:
    host: harbor-db-postgresql
    port: 5432
    username: postgres
    password: harborPassword
    database: harbor

redis:
  host: harbor-redis
  port: 6379
  password: redisPassword

persistence:
  persistentVolumeClaim:
    registry:
      existingClaim: ""
    jobservice:
      existingClaim: ""
    chartmuseum:
      existingClaim: ""
    clair:
      existingClaim: ""
    notary:
      existingClaim: ""
    trivy:
      existingClaim: ""
  hostPath:
    /opt/k8s-data/harbor

3.4 部署 Harbor

1
2
3
4
5
6
7
8
# 添加 Harbor Helm 仓库
helm repo add harbor https://helm.goharbor.io
helm repo update

# 安装 Harbor
helm install harbor harbor/harbor \
  --namespace harbor \
  --values harbor-values.yaml

3.5 配置 Ingress 规则

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# harbor-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: harbor-ingress
  namespace: harbor
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
  - hosts:
    - harbor.wdft.com
    secretName: harbor-ingress-tls
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: harbor-core
            port:
              number: 443
1
2
3
4
5
6
7
# 创建 TLS Secret
kubectl -n harbor create secret tls harbor-ingress-tls \
  --cert=/opt/certs/harbor.crt \
  --key=/opt/certs/harbor.key

# 应用 Ingress
kubectl apply -f harbor-ingress.yaml

🔄 四、集成验证

4.1 修改 Go 应用部署文件

1
2
# 修改 deployment.yaml 中的 image 字段
image: harbor.wdft.com/library/go-hello:1.0

4.2 配置 Kubernetes 秘钥

1
2
3
4
5
6
7
8
9
10
11
12
13
# 创建镜像拉取秘钥
kubectl create secret docker-registry regcred \
  --docker-server=https://harbor.wdft.com \
  --docker-username=admin \
  --docker-password=Harbor12345 \
  --docker-email=admin@wdft.com

# 修改 Deployment 添加 imagePullSecrets
spec:
  template:
    spec:
      imagePullSecrets:
      - name: regcred

4.3 推送镜像到 Harbor

1
2
3
4
5
6
# 登录 Harbor
docker login harbor.wdft.com -u admin -p Harbor12345

# 重新构建并推送镜像
docker build -t harbor.wdft.com/library/go-hello:1.0 .
docker push harbor.wdft.com/library/go-hello:1.0

🧪 五、完整 CI/CD 流程演示

  1. 代码提交
    在 Gitea 创建新仓库 go-hello,推送代码:

    1
    2
    git remote add origin http://git.wdft.com/ljq/go-hello.git
    git push -u origin master

  2. 镜像构建
    修改构建命令指向私有仓库:

    1
    2
    docker build -t harbor.wdft.com/ljq/go-hello:latest .
    docker push harbor.wdft.com/ljq/go-hello:latest

  3. 生产部署
    更新 Deployment 镜像地址后重新部署:

    1
    kubectl apply -f deployment.yaml

📌 六、配置参考图示

1
2
3
4
5
6
7
8
9
+-------------------+     +------------------+     +-------------------+
|                   |     |                  |     |                   |
|   Gitea Code Repo |<--->| Harbor Registry  |<--->| Kubernetes Cluster|
|                   |     |                  |     |                   |
+-------------------+     +------------------+     +-------------------+
       ^                          ^                        ^
       |                          |                        |
       v                          v                        v
  Developer Workstation    CI/CD Pipeline        Production Environment

📚 七、后续优化建议

  1. 安全加固

    • 使用 Let’s Encrypt 自动签发证书
    • 配置 RBAC 权限隔离
    • 启用 Harbor 的 Clair 漏洞扫描

  2. 存储优化

    • 替换 hostPath 为 NFS 或云存储
    • 配置 Harbor 的 MinIO 后端存储

  3. 高可用

    • 部署 PostgreSQL + Patroni 集群
    • 使用 Redis Cluster 替代单实例

  4. 监控告警

    • 部署 Prometheus + Grafana
    • 配置 Harbor 自带的监控面板

```

💡 注意事项:

  1. harbor.wdft.comgitea.wdft.com 替换为实际域名
  2. 生产环境应使用独立存储类(StorageClass)
  3. 所有敏感信息应通过 Kubernetes Secret 管理
  4. 建议为 Harbor 配置独立的 DNS 解析记录
Follow

CLUSTRMAPS

Links

Archives

Advertisement

Recents

Categories

Tags

AI1
CDN1
Cloud-Distributed2
Cloud-Native2
Cloud-Native-Framework1
Distributed-Systems2
GIT1
GO方法值1
GPG1
GPG21
GUI1
Ghostty1
Go24
Go Summary notes1
Go null judge1
Go(Struct|Method|Receiver)1
Go(map)1
Go(new,make,struct{})1
Go(string)1
Go-Polymorphism1
Go-Printf1
Go-chain-operation1
Go-init()1
Google1
JS1
JSON1
JavaScript1
K8S1
K8S-Build1
Movie1
Note The Legend of 19001
OpenSSH1
VIM1
VIM Author1
ansi-lib1
banner1
centos72
chattr1
clang6
cli1
daily1
debian1
firewalld1
format1
func1
go1
go-pprof1
goroutine1
hexo1
homebrew3
interface1
io1
kebernetes1
laravel1
laravel-artisan1
linux5
lua1
macos3
macro1
motd1
mysql1
mysql8.01
mysql8.x1
neofetch1
nginx1
package time1
php1
pointer1
reflect反射1
rocky1
rocky-linux1
rocky-linux-tools1
rsync1
services1
slice切片本质1
stable-diffusion-webui1
struct1
switch1
systemd-service1
terminal1
travel1
type2
type关键词总结1
utf8mb41
utf8mb4_0900_ai_ci1
utf8mb4_general_ci1
人生1
日常1
生活1
转载1
配置文件体系1
防火墙1
×