gitlab分离克隆端口笔记
一、需求描述
要求gitlab访问端口跟克隆端口不一致,克隆端口只允许git操作推拉代码,不允许访问页面等其他操作。该限制由容器内置 nginx 的一个额外 server 块按路径白名单实现(只放行 git smart-HTTP 路由,其余路径返回 403),认证与授权仍由 GitLab 本身完成;端口分离并不替代 GitLab 的权限控制。
二、docker compose部署
-
web页面访问端口为20023,也可以克隆代码。20021端口只能克隆代码
1、docker compose部署脚本
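services:
  gitlab:
    container_name: gitlab
    image: gitlab/gitlab-ce:16.3.7-ce.0
    restart: always
    shm_size: 1G
    environment:
      TZ: "Asia/Shanghai"
      # Rendered into /etc/gitlab/gitlab.rb by omnibus on container start.
      GITLAB_OMNIBUS_CONFIG: |
        # Web UI / API. 127.0.0.1 only works for a local test; on a real host
        # use the address users reach, otherwise generated links point at the
        # wrong host.
        external_url "http://127.0.0.1:20023"
        # Must match the port in external_url, or internal redirects break
        # (e.g. member-name links inside a project return 403).
        nginx['listen_port'] = 20023
        # Pulled into omnibus' http{} context; holds the clone-only vhost.
        nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/gitlab-clone-only.conf;"
        # Host-side SSH port (container sshd stays on 22) shown in clone URLs.
        gitlab_rails['gitlab_shell_ssh_port'] = 20022
        # Presumably the host/port GitLab prints in HTTP clone URLs, pointing
        # at the clone-only vhost - verify in the project's clone dropdown.
        gitlab_rails['gitlab_http_clone_host'] = "127.0.0.1"
        gitlab_rails['gitlab_http_clone_port'] = 20021
    # All three bind on every host interface; prefix with an address
    # (e.g. "127.0.0.1:20023:20023") if exposure must be narrower.
    ports:
      - "20021:20021"   # git smart-HTTP only (nginx path allow-list)
      - "20022:22"      # ssh
      - "20023:20023"   # web UI + clone
    volumes:
      - ./conf:/etc/gitlab
      - ./logs:/var/log/gitlab
      - ./data:/var/opt/gitlab
      - /etc/localtime:/etc/localtime:ro
      # Read-only: the container never needs to write its own vhost file,
      # and a writable mount would let a compromised container rewrite the
      # allow-list that enforces the clone-only port.
      - ./gitlab-clone-only.conf:/etc/nginx/conf.d/gitlab-clone-only.conf:ro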
2、gitlab 屏蔽20021端口访问nginx配置
# cat gitlab-clone-only.conf
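# Clone-only vhost for port 20021. Included into omnibus' http{} context via
# nginx['custom_nginx_config'], so the "gitlab-workhorse" upstream that omnibus
# defines is in scope. Only the git smart-HTTP routes are proxied; everything
# else (web UI, API, sign-in) gets 403. Authentication is still done by GitLab.
server {
    listen 0.0.0.0:20021;
    # For TLS, replace the line above with the ssl listener and uncomment the
    # certificate lines; without an ssl listener, https clones on this port fail.
    #listen *:20021 ssl http2;
    server_name 127.0.0.1;
    #ssl_certificate /etc/gitlab/ssl/server.crt;
    #ssl_certificate_key /etc/gitlab/ssl/server.key;

    # Pushes send whole packfiles; nginx's 1m default would reject them with 413.
    client_max_body_size 1024m;

    # Allow-list: git smart-HTTP (info/refs, git-upload-pack, git-receive-pack)
    # plus the LFS batch/object endpoints. The previous pattern `\.git(/.*)?$`
    # was anchored only at the end, so any URI containing ".git" (e.g. a path
    # ending in "foo.git/anything") was proxied to the Rails app.
    # NOTE(review): the two lfs alternatives are there so `git lfs` works over
    # this port; drop them if LFS is not used. Verify the list against the
    # GitLab version's git_http routes when upgrading.
    location ~ ^/.+\.git/(info/refs|git-upload-pack|git-receive-pack|info/lfs/.*|gitlab-lfs/.*)$ {
        proxy_cache off;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        # Pack generation on a large repo can take longer than nginx's 60s
        # default before the first byte; omnibus' own vhost uses 3600.
        proxy_read_timeout 3600;
        proxy_connect_timeout 300;
        # Forward the real client identity so GitLab's rate limiting, audit
        # logs and IP-based checks see the client, not 127.0.0.1. These mirror
        # the headers omnibus sets in its generated gitlab-http.conf.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://gitlab-workhorse;
    }

    # Everything not matched above is refused on this port.
    location / {
        proxy_cache off;
        return 403;
    }
}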
三、k8s部署
-
web页面访问端口为31080,也可以克隆代码。31088端口只能克隆代码
root@master:/opt/gitlab# cat deployment.yml
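# gitlab-nginx-configmap.yml
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitlab-nginx-config
  namespace: middleware
data:
  # Clone-only vhost for NodePort 31088. Included into omnibus' http{} context
  # via nginx['custom_nginx_config'] in the Deployment, so the
  # "gitlab-workhorse" upstream that omnibus defines is in scope.
  gitlab-http-clone-only.conf: |
    server {
        listen 0.0.0.0:31088;
        server_name 192.168.41.50;

        # Same limit as the compose variant; nginx's 1m default rejects
        # pushes larger than that with 413.
        client_max_body_size 1024m;

        # Allow-list: git smart-HTTP (info/refs, git-upload-pack,
        # git-receive-pack) plus the LFS batch/object endpoints. The previous
        # pattern `\.git(/.*)?$` was anchored only at the end, so any URI
        # containing ".git" was proxied to the Rails app.
        # NOTE(review): drop the two lfs alternatives if LFS is not used;
        # verify the list against the GitLab version's git_http routes.
        location ~ ^/.+\.git/(info/refs|git-upload-pack|git-receive-pack|info/lfs/.*|gitlab-lfs/.*)$ {
            proxy_cache off;
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_http_version 1.1;
            proxy_read_timeout 3600;
            proxy_connect_timeout 300;
            # Forward the real client identity so GitLab's rate limiting,
            # audit logs and IP-based checks see the client, not the pod IP.
            # Mirrors the headers omnibus sets in its own gitlab-http.conf.
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://gitlab-workhorse;
        }

        # Everything not matched above (web UI, API, sign-in) is refused.
        location / {
            proxy_cache off;
            return 403;
        }
    }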
---
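apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab-ee
  namespace: middleware
spec:
  selector:
    matchLabels:
      app: gitlab
  # Number of old ReplicaSets kept for `kubectl rollout undo`. This is
  # Deployment rollout history only; it has nothing to do with the git commit
  # history of the repositories GitLab stores.
  revisionHistoryLimit: 100
  template:
    metadata:
      labels:
        app: gitlab
    spec:
      imagePullSecrets:
        - name: harbor-secret
      containers:
        - name: gitlab
          image: 192.168.41.200/devops/gitlab/gitlab-ee:16.11.10-ee.0
          imagePullPolicy: IfNotPresent
          env:
            # Rendered into /etc/gitlab/gitlab.rb by omnibus on container start.
            - name: GITLAB_OMNIBUS_CONFIG
              value: |
                # Web UI / API endpoint (NodePort 31080).
                external_url 'http://192.168.41.50:31080'
                # SSH host/port as printed in clone URLs (NodePort 31022 -> container 22).
                gitlab_rails['gitlab_shell_ssh_port'] = 31022
                gitlab_rails['gitlab_ssh_host'] = '192.168.41.50'
                gitlab_rails['time_zone'] = 'Asia/Shanghai'
                # External PostgreSQL.
                gitlab_rails['db_adapter'] = "postgresql"
                gitlab_rails['db_encoding'] = "utf8"
                gitlab_rails['db_database'] = "gitlab"
                gitlab_rails['db_username'] = "postgres"
                # NOTE(review): plaintext DB password in a manifest that will be
                # committed/shared. gitlab.rb is Ruby, so this line can read
                # ENV['...'] from an env var populated via secretKeyRef instead of
                # a literal - move it before this file leaves the workstation.
                gitlab_rails['db_password'] = "123456"
                gitlab_rails['db_host'] = '192.168.41.50'
                gitlab_rails['db_port'] = 30431
                # Must match the port in external_url, or internal redirects break
                # (e.g. member-name links inside a project return 403).
                nginx['listen_port'] = 31080
                # Pulls the clone-only vhost (ConfigMap gitlab-nginx-config) into
                # omnibus' http{} context.
                nginx['custom_nginx_config'] = "include /etc/nginx/conf.d/gitlab-http-clone-only.conf;"
                # Host/port shown in HTTP clone URLs -> the clone-only vhost on 31088.
                gitlab_rails['gitlab_http_clone_host'] = '192.168.41.50'
                gitlab_rails['gitlab_http_clone_port'] = 31088
            - name: TZ
              value: "Asia/Shanghai"
            # NOTE(review): GITLAB_TIMEZONE, GITLAB_SECRETS_*, GITLAB_HOST/PORT/
            # SSH_PORT, GITLAB_NOTIFY_* and GITLAB_BACKUP_* appear to follow the
            # sameersbn/gitlab image's env contract. The omnibus image configures
            # these through GITLAB_OMNIBUS_CONFIG and keeps its encryption keys in
            # /etc/gitlab/gitlab-secrets.json on the PVC. Confirm each variable is
            # actually honored by this image; any that is honored must not carry
            # the literal placeholder "long-and-random-alpha-numeric-string" and
            # should come from a Secret, any that is not is dead config.
            - name: GITLAB_TIMEZONE
              value: "Beijing"
            # Encrypts CI variables and other credentials in the DB; losing it
            # makes existing CI secrets unreadable.
            - name: GITLAB_SECRETS_DB_KEY_BASE
              value: "long-and-random-alpha-numeric-string"
            # Signs password-reset links and other standard auth tokens; losing
            # it invalidates reset tokens already sent by email.
            - name: GITLAB_SECRETS_SECRET_KEY_BASE
              value: "long-and-random-alpha-numeric-string"
            # Encrypts stored 2FA secrets; losing it locks out every 2FA user.
            - name: GITLAB_SECRETS_OTP_KEY_BASE
              value: "long-and-random-alpha-numeric-string"
            # Initial root password, applied by omnibus on first install only.
            # Sourced from a Secret instead of a literal; create it before
            # applying this manifest, e.g.
            #   kubectl -n middleware create secret generic git-user-pass \
            #     --from-literal=password='<strong random value>'
            - name: GITLAB_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: git-user-pass
                  key: password
            - name: GITLAB_ROOT_EMAIL
              value: "851448443@qq.com"
            - name: GITLAB_HOST
              value: "192.168.41.50"
            - name: GITLAB_PORT
              value: "31080"
            - name: GITLAB_SSH_PORT
              value: "31022"
            - name: GITLAB_NOTIFY_ON_BROKEN_BUILDS
              value: "true"
            - name: GITLAB_NOTIFY_PUSHER
              value: "false"
            - name: GITLAB_BACKUP_SCHEDULE
              value: "daily"
            # Quoted: an unquoted 01:00 is a sexagesimal integer under YAML 1.1
            # and env values must be strings.
            - name: GITLAB_BACKUP_TIME
              value: "01:00"
          ports:
            - name: http
              containerPort: 31080
            - name: http-git
              containerPort: 31088
            - name: ssh
              containerPort: 22
            # external_url is plain http and no TLS listener is configured, so
            # nothing answers on 443 yet; kept for when TLS is enabled.
            - name: https
              containerPort: 443
          resources:
            requests:
              memory: "2048Mi"
              cpu: 2
            limits:
              # 8096Mi is valid but probably meant 8192Mi (8Gi).
              memory: "8096Mi"
              cpu: 4
          volumeMounts:
            - name: timezone
              mountPath: /etc/localtime
              readOnly: true
            # One PVC, split into sub-directories for config, logs and data.
            - name: gitlab
              mountPath: /etc/gitlab
              subPath: gitlab-config
            - name: gitlab
              mountPath: /var/log/gitlab
              subPath: gitlab-logs
            - name: gitlab
              mountPath: /var/opt/gitlab
              subPath: gitlab-data
            # subPath mounts of a ConfigMap are not refreshed when the ConfigMap
            # changes; restart the pod after editing the vhost.
            - name: gitlab-nginx-config
              mountPath: /etc/nginx/conf.d/gitlab-http-clone-only.conf
              subPath: gitlab-http-clone-only.conf
              readOnly: true
      volumes:
        - name: timezone
          hostPath:
            path: /etc/localtime
            type: ""
        - name: gitlab
          persistentVolumeClaim:
            claimName: gitlab-pvc
        - name: gitlab-nginx-config
          configMap:
            name: gitlab-nginx-config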
---
# Shared RWX claim backing /etc/gitlab, /var/log/gitlab and /var/opt/gitlab
# (each via its own subPath). The gitlab-secrets.json file ends up here too,
# so protect the NFS export accordingly.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitlab-pvc
  namespace: middleware
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  storageClassName: nfs-sc
---
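# NodePort Service. For each entry: `port` is the Service's own (cluster-
# internal) port, `targetPort` the container port, `nodePort` the port opened
# on every node. 31080/31088 are kept identical across all three so they match
# external_url and the nginx listen directives; the comments in the original
# had `port` and `targetPort` swapped.
apiVersion: v1
kind: Service
metadata:
  name: gitlab-svc
  namespace: middleware
spec:
  type: NodePort
  ports:
    # Nothing listens on 443 in the pod while external_url is http.
    - name: https
      port: 443
      targetPort: 443
      nodePort: 31443
    # Web UI + clone.
    - name: http
      port: 31080
      targetPort: 31080
      nodePort: 31080
    # Clone-only (nginx path allow-list in the ConfigMap).
    - name: http-git
      port: 31088
      targetPort: 31088
      nodePort: 31088
    - name: ssh
      port: 22
      targetPort: 22
      nodePort: 31022
  selector:
    app: gitlab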