This post walks through deploying GitLab Runner on a Kubernetes cluster: environment preparation, Runner configuration, authentication, network settings, Harbor integration, and troubleshooting.
Requirements
Base environment
- Kubernetes cluster (version >= 1.16)
- Helm (version >= 3.9)
- kubectl configured with access to the cluster
- A deployed GitLab server (version >= 15.11)
Choosing a chart version
helm repo add gitlab https://charts.gitlab.io
helm repo update gitlab
helm search repo -l gitlab/gitlab-runner | grep 15.11
Runner installation and configuration
Fetch the chart
mkdir -p gitlab-runner && cd gitlab-runner
helm pull gitlab/gitlab-runner --version v0.52.1
tar xf gitlab-runner-0.52.1.tgz
cp gitlab-runner/values.yaml{,.bak}
Configure the Runner
Edit the gitlab-runner/values.yaml configuration file:
image:
  registry: docker.io
  image: gitlab/gitlab-runner
  tag: alpine-v15.11.1

imagePullSecrets:
  - name: "harbor-credentials"

replicas: 1

gitlabUrl: http://your-gitlab-server:port/

concurrent: 10

logLevel: info

rbac:
  create: true

metrics:
  enabled: true
  portName: metrics
  port: 9252
  serviceMonitor:
    enabled: false

runners:
  config: |
    [[runners]]
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "ubuntu:16.04"
      [runners.custom_build_dir]
        enabled = true
      # Cache configuration, backed by MinIO
      [runners.cache]
        Type = "s3"
        Path = "runner"
        Shared = true
        [runners.cache.s3]
          ServerAddress = "your-minio-server:9000"
          BucketName = "runner-cache"
          AccessKey = "your-access-key"
          SecretKey = "your-secret-key"
          Insecure = true

  executor: kubernetes
  privileged: true
  tags: "kubernetes"
  secret: gitlab-runner

  builds:
    cpuLimit: 2010m
    cpuLimitOverwriteMaxAllowed: 2010m
    memoryLimit: 2060Mi
    memoryLimitOverwriteMaxAllowed: 2060Mi
    cpuRequests: 100m
    cpuRequestsOverwriteMaxAllowed: 100m
    memoryRequests: 128Mi
    memoryRequestsOverwriteMaxAllowed: 128Mi

  services:
    cpuLimit: 200m
    memoryLimit: 256Mi
    cpuRequests: 100m
    memoryRequests: 128Mi

  helpers:
    cpuLimit: 200m
    memoryLimit: 256Mi
    cpuRequests: 100m
    memoryRequests: 128Mi
    image: "gitlab/gitlab-runner-helper:x86_64-v15.11.1"

resources:
  limits:
    memory: 256Mi
    cpu: 200m
  requests:
    memory: 128Mi
    cpu: 100m
Authentication
Create the namespace
kubectl create ns gitlab-runner
Configure registry credentials
kubectl create secret docker-registry harbor-credentials \
  --docker-server=your-harbor-server \
  --docker-username=your-robot-account \
  --docker-password=your-robot-password \
  -n gitlab-runner
Configure the Runner registration token
kubectl create secret generic gitlab-runner \
  --from-literal=runner-registration-token=your-registration-token \
  --from-literal=runner-token="" \
  --type=Opaque \
  -n gitlab-runner
Deploy the Runner
Install
helm install gitlab-runner ./gitlab-runner \
  -f gitlab-runner/values.yaml \
  --namespace gitlab-runner \
  --create-namespace
Update the configuration
helm upgrade gitlab-runner ./gitlab-runner \
  -f gitlab-runner/values.yaml \
  --namespace gitlab-runner
Uninstall
helm -n gitlab-runner uninstall gitlab-runner
Network configuration
GitLab server settings
- Edit the main GitLab configuration:
gitlab_rails['outbound_local_requests'] = { "allow" => true }
# gitlab.rb changes only take effect after a reconfigure, not a plain restart
gitlab-ctl reconfigure
- Configure the outbound request allowlist:
- Path:
http(s)://<gitlab-server>:<port>/admin/application_settings/network
- Enable the following options:
- Add the internal domains/IPs that GitLab is allowed to reach:
harbor.your-domain.com
minio.your-domain.com
traefik.your-domain.com
argocd.your-domain.com
yourserver-internal-ips
Harbor integration
Configure Harbor in GitLab
- Open the integrations page:
http(s)://<gitlab-server>:<port>/groups/your-group/-/settings/integrations
- Find the Harbor section:
Install the Harbor certificate
Install the Harbor certificate on every worker node:
cp /etc/tls/harbor/ca.crt /etc/ssl/certs/
cp /etc/tls/harbor/harbor.cert /etc/ssl/certs/
update-ca-certificates
systemctl restart containerd
Troubleshooting
Common problems
- Image pull failures
kubectl get secret harbor-credentials -n gitlab-runner
kubectl describe secret harbor-credentials -n gitlab-runner
ls -l /etc/ssl/certs/harbor*
- Runner registration failures
kubectl get pods -n gitlab-runner
kubectl logs -f <runner-pod-name> -n gitlab-runner
curl -k https://your-gitlab-server/
Verifying resource limits
Check that the resource limits on the Runner pod took effect:
kubectl get pod <runner-pod-name> -n gitlab-runner -o yaml
Viewing logs
kubectl logs -f <runner-pod-name> -n gitlab-runner
kubectl logs -f <build-pod-name> -n gitlab-runner
Best practices
Resource recommendations
- Adjust resource limits to the size of the project and its build requirements
- Give different kinds of build jobs different resource profiles
- Set a sensible cache strategy to speed up builds
Security recommendations
- Use a dedicated namespace for the Runner
- Grant only the RBAC permissions the Runner needs
- Update the Runner version regularly
- Use HTTPS for all communication
- Keep every key and certificate under proper protection