User Tools
devsecops_и_промышленные_решения
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
devsecops_и_промышленные_решения [2025/12/04 19:33] val [1.3 Развертывание FreeIPA] |
devsecops_и_промышленные_решения [2025/12/15 12:59] (current) val [2.3 Стратегии развертывания и масштабирование нагрузки] |
||
|---|---|---|---|
| Line 22: | Line 22: | ||
| ==== 1.1 Схема стенда, импорт, настройка и запуск VM gate и server ==== | ==== 1.1 Схема стенда, импорт, настройка и запуск VM gate и server ==== | ||
| - | * !!! kubeN 8Gb !!! | + | * !!! kubeN 8Gb RAM + 4 CPU!!! |
| <code> | <code> | ||
| Line 91: | Line 91: | ||
| * [[Система Kubernetes#Подготовка к развертыванию через Kubespray]] | * [[Система Kubernetes#Подготовка к развертыванию через Kubespray]] | ||
| * Развертывание Kubernetes через Kubespray ([[Система Kubernetes#Вариант 2 (docker)]]) | * Развертывание Kubernetes через Kubespray ([[Система Kubernetes#Вариант 2 (docker)]]) | ||
| - | |||
| - | ==== 1.5 (??? может в k8s?) Развертывание GitLab ==== | ||
| - | |||
| - | * FreeIPA [[Решение FreeIPA#Создание ключа и сертификата для gitlab на той же системе]] | ||
| - | * Инструмент GitLab [[Инструмент GitLab|Установка через docker-compose]] | ||
| - | <code> | ||
| - | # cat docker-compose.yml | ||
| - | ... | ||
| - | userns_mode: 'host' | ||
| - | ... | ||
| - | external_url 'https://server.corpX.un:4443' | ||
| - | ... | ||
| - | - '4443:4443' | ||
| - | ... | ||
| - | </code> | ||
| - | |||
| - | * Создать УЗ student через [[Инструмент GitLab#REST API интерфейс]] ??? Может это в ДЕВОПС2 а здесь интегрировать с KC? | ||
| - | |||
| - | * ??? Может, не понадобится, или не сразу | ||
| - | <code> | ||
| - | bash -c ' | ||
| - | scp /opt/freeipa-data/etc/ipa/ca.crt kube1:/usr/local/share/ca-certificates/ | ||
| - | ssh kube1 update-ca-certificates | ||
| - | ssh kube1 systemctl restart containerd | ||
| - | scp /opt/freeipa-data/etc/ipa/ca.crt kube2:/usr/local/share/ca-certificates/ | ||
| - | ssh kube2 update-ca-certificates | ||
| - | ssh kube2 systemctl restart containerd | ||
| - | scp /opt/freeipa-data/etc/ipa/ca.crt kube3:/usr/local/share/ca-certificates/ | ||
| - | ssh kube3 update-ca-certificates | ||
| - | ssh kube3 systemctl restart containerd | ||
| - | scp /opt/freeipa-data/etc/ipa/ca.crt kube4:/usr/local/share/ca-certificates/ | ||
| - | ssh kube4 update-ca-certificates | ||
| - | ssh kube4 systemctl restart containerd | ||
| - | ' | ||
| - | |||
| - | kubeN# | ||
| - | crictl pull server.corpX.un:5000/student/gowebd | ||
| - | crictl images | ||
| - | crictl rmi server.corpX.un:5000/student/gowebd | ||
| - | </code> | ||
| ==== 1.5 Установка и инициализация компьютеров пользователей ==== | ==== 1.5 Установка и инициализация компьютеров пользователей ==== | ||
| Line 176: | Line 136: | ||
| * Использование распределённых хранилищ ([[Система Kubernetes#longhorn]]) | * Использование распределённых хранилищ ([[Система Kubernetes#longhorn]]) | ||
| - | * Инструмент GitLab [[Инструмент GitLab#Установка через docker-compose]] + %s/server.co/gitlab.co/g | + | * [[Решение FreeIPA#Создание ключа и сертификата для стороннего сервиса]] |
| - | * [[Система Kubernetes#kompose]] | + | |
| <code> | <code> | ||
| - | kube1:~/gitlab# cat docker-compose.yml | + | server# scp /opt/freeipa-data/gitlab.* kube1:/tmp/ |
| - | </code><code> | + | |
| - | services: | + | |
| - | gitlab: | + | |
| - | image: 'gitlab/gitlab-ce:latest' | + | |
| - | restart: always | + | |
| - | hostname: 'gitlab' | + | |
| - | environment: | + | |
| - | GITLAB_ROOT_PASSWORD: "strongpassword" | + | |
| - | GITLAB_OMNIBUS_CONFIG: | | + | |
| - | prometheus_monitoring['enable'] = false | + | |
| - | gitlab_rails['registry_enabled'] = true | + | |
| - | gitlab_rails['registry_host'] = "gitlab.corpX.un" | + | |
| - | external_url 'http://gitlab.corpX.un' | + | |
| - | registry_external_url 'http://gitlab.corpX.un:5000' | + | |
| - | gitlab_rails['registry_port'] = "5050" | + | |
| - | registry['registry_http_addr'] = "0.0.0.0:5050" | + | |
| - | ports: | + | |
| - | - '80:80' | + | |
| - | - '2222:22' | + | |
| - | - '5000:5000' | + | |
| - | volumes: | + | |
| - | - vol1:/var/opt/gitlab | + | |
| - | shm_size: '256m' | + | |
| - | logging: | + | |
| - | driver: "json-file" | + | |
| - | options: | + | |
| - | max-size: "2048m" | + | |
| - | volumes: | + | |
| - | vol1: | + | |
| - | </code><code> | + | |
| - | kube1:~/gitlab# kompose convert | + | |
| - | kube1:~/gitlab# tail -n1 vol1-persistentvolumeclaim.yaml | + | server# scp /opt/freeipa-data/etc/ipa/ca.crt kube1:/tmp/ |
| - | storage: 2000Mi | + | |
| - | kube1:~/gitlab# kubectl -n my-gitlab-ns apply -f vol1-persistentvolumeclaim.yaml,gitlab-service.yaml,gitlab-deployment.yaml | + | kubectl -n my-gitlab-ns create secret generic gitlab-tls \ |
| + | --from-file=tls.crt=/tmp/gitlab.crt \ | ||
| + | --from-file=tls.key=/tmp/gitlab.key \ | ||
| + | --from-file=ca.crt=/tmp/ca.crt | ||
| </code> | </code> | ||
| - | * [[Решение FreeIPA#Создание ключа и сертификата для стороннего сервиса]] | + | * Инструмент GitLab [[Инструмент GitLab#Установка через docker-compose]] + %s/server.corpX/gitlab.corpX/ |
| - | * [[Система Kubernetes#secrets tls]] (gitlab-tls в ns my-gitlab-ns) | + | |
| <code> | <code> | ||
| - | server# scp /opt/freeipa-data/gitlab.* kube1:/tmp/ | + | ... |
| + | privileged: true | ||
| + | ... | ||
| + | - '22:22' | ||
| + | ... | ||
| + | # - '/etc/gitlab:/etc/gitlab' | ||
| + | ... | ||
| + | </code> | ||
| + | * Инструмент GitLab [[Инструмент GitLab#Клиент OpenID]] + %s/^/8пробелов/ | ||
| - | kube1:~/gitlab# kubectl create secret tls gitlab-tls --key /tmp/gitlab.key --cert /tmp/gitlab.crt -n my-gitlab-ns | + | * [[Система Kubernetes#kompose]] |
| - | kube1:~/gitlab# cat my-ingress.yaml | + | <code> |
| + | kube1:~/gitlab# kompose convert | ||
| + | |||
| + | kube1:~/gitlab# cat vol1-persistentvolumeclaim.yaml | ||
| </code><code> | </code><code> | ||
| - | apiVersion: networking.k8s.io/v1 | + | ... |
| - | kind: Ingress | + | storage: 2000Mi |
| - | metadata: | + | |
| - | name: my-ingress | + | |
| - | spec: | + | |
| - | ingressClassName: nginx | + | |
| - | tls: | + | |
| - | - hosts: | + | |
| - | - gitlab.corpX.un | + | |
| - | secretName: gitlab-tls | + | |
| - | rules: | + | |
| - | - host: gitlab.corpX.un | + | |
| - | http: | + | |
| - | paths: | + | |
| - | - backend: | + | |
| - | service: | + | |
| - | name: gitlab | + | |
| - | port: | + | |
| - | number: 80 | + | |
| - | path: / | + | |
| - | pathType: Prefix | + | |
| </code><code> | </code><code> | ||
| - | kube1:~/gitlab# kubectl -n my-gitlab-ns apply -f my-ingress.yaml | + | kube1:~/gitlab# cat gitlab-deployment.yaml |
| + | </code><code> | ||
| + | ... | ||
| + | image: ... | ||
| + | lifecycle: | ||
| + | postStart: | ||
| + | exec: | ||
| + | command: | ||
| + | - /bin/sh | ||
| + | - -c | ||
| + | - | | ||
| + | mkdir -p /etc/gitlab/trusted-certs/ | ||
| + | cp /etc/gitlab/tmp/ca.crt /etc/gitlab/trusted-certs/ca.crt | ||
| + | ... | ||
| + | volumeMounts: | ||
| + | - name: secret-tls-volume | ||
| + | subPath: tls.crt | ||
| + | mountPath: /etc/gitlab/ssl/gitlab.corpX.un.crt | ||
| + | - name: secret-tls-volume | ||
| + | subPath: tls.key | ||
| + | mountPath: /etc/gitlab/ssl/gitlab.corpX.un.key | ||
| + | - name: secret-tls-volume | ||
| + | subPath: ca.crt | ||
| + | mountPath: /etc/gitlab/tmp/ca.crt | ||
| + | ... | ||
| + | hostname: gitlab | ||
| + | volumes: | ||
| + | - name: secret-tls-volume | ||
| + | secret: | ||
| + | secretName: gitlab-tls | ||
| + | ... | ||
| + | </code><code> | ||
| + | kube1:~/gitlab# cat gitlab-service.yaml | ||
| + | </code><code> | ||
| + | ... | ||
| + | spec: | ||
| + | loadBalancerIP: 192.168.X.66 | ||
| + | type: LoadBalancer | ||
| + | ... | ||
| + | </code><code> | ||
| + | kube1:~/gitlab# kubectl -n my-gitlab-ns apply -f vol1-persistentvolumeclaim.yaml,gitlab-service.yaml,gitlab-deployment.yaml | ||
| + | |||
| + | kube1:~/gitlab# kubectl -n my-gitlab-ns logs pods/gitlab-<TAB> -f | ||
| </code> | </code> | ||
| + | * Создать УЗ user1 через [[Инструмент GitLab#REST API интерфейс]] и связать через [[Инструмент GitLab#Клиент OpenID]] | ||
| - | * Стратегии развертывания и масштабирование нагрузки | + | ==== 2.3 Стратегии развертывания и масштабирование нагрузки ==== |
| - | * ArgoCD и универсальный Helm Chart | + | |
| + | * Добавляем корпоративный сертификат в кластер kubernetes | ||
| + | <code> | ||
| + | server# | ||
| + | |||
| + | bash -c ' | ||
| + | scp /opt/freeipa-data/etc/ipa/ca.crt kube1:/usr/local/share/ca-certificates/ | ||
| + | ssh kube1 update-ca-certificates | ||
| + | ssh kube1 systemctl restart containerd | ||
| + | scp /opt/freeipa-data/etc/ipa/ca.crt kube2:/usr/local/share/ca-certificates/ | ||
| + | ssh kube2 update-ca-certificates | ||
| + | ssh kube2 systemctl restart containerd | ||
| + | scp /opt/freeipa-data/etc/ipa/ca.crt kube3:/usr/local/share/ca-certificates/ | ||
| + | ssh kube3 update-ca-certificates | ||
| + | ssh kube3 systemctl restart containerd | ||
| + | scp /opt/freeipa-data/etc/ipa/ca.crt kube4:/usr/local/share/ca-certificates/ | ||
| + | ssh kube4 update-ca-certificates | ||
| + | ssh kube4 systemctl restart containerd | ||
| + | ' | ||
| + | </code> | ||
| + | |||
| + | * [[Система Kubernetes#Управление образами]] | ||
| + | |||
| + | * [[Стратегии деплоя в Kubernetes]] | ||
| + | |||
| + | ==== 2.4 ArgoCD и универсальный Helm Chart ==== | ||
| ===== Модуль 3: Безопасность в DevOps ===== | ===== Модуль 3: Безопасность в DevOps ===== | ||
| Line 292: | Line 282: | ||
| * Брокеры сообщения (Kafka или RabbitMQ) | * Брокеры сообщения (Kafka или RabbitMQ) | ||
| * Service Mesh (Istio) | * Service Mesh (Istio) | ||
| + | |||
| + | |||
devsecops_и_промышленные_решения.1764866003.txt.gz · Last modified: 2025/12/04 19:33 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
