This shows you the differences between two versions of the page.
devsecops_и_промышленные_решения [2025/12/15 10:24] val [2.2 Deploying GitLab]
devsecops_и_промышленные_решения [2025/12/15 12:59] (current) val [2.3 Deployment strategies and load scaling]
| Line 91: | Line 91: | ||
| * [[Система Kubernetes#Подготовка к развертыванию через Kubespray]] | * [[Система Kubernetes#Подготовка к развертыванию через Kubespray]] | ||
| * Развертывание Kubernetes через Kubespray ([[Система Kubernetes#Вариант 2 (docker)]]) | * Развертывание Kubernetes через Kubespray ([[Система Kubernetes#Вариант 2 (docker)]]) | ||
| - | |||
| - | ==== 1.5 (??? может в k8s?) Развертывание GitLab ==== | ||
| - | |||
| - | * FreeIPA [[Решение FreeIPA#Создание ключа и сертификата для gitlab на той же системе]] | ||
| - | * Инструмент GitLab [[Инструмент GitLab|Установка через docker-compose]] | ||
| - | <code> | ||
| - | # cat docker-compose.yml | ||
| - | ... | ||
| - | userns_mode: 'host' | ||
| - | ... | ||
| - | external_url 'https://server.corpX.un:4443' | ||
| - | ... | ||
| - | - '4443:4443' | ||
| - | ... | ||
| - | </code> | ||
| - | |||
| - | * Создать УЗ student через [[Инструмент GitLab#REST API интерфейс]] ??? Может это в ДЕВОПС2 а здесь интегрировать с KC? | ||
| - | |||
| - | * ??? Может, не понадобится, или не сразу | ||
| - | <code> | ||
| - | bash -c ' | ||
| - | scp /opt/freeipa-data/etc/ipa/ca.crt kube1:/usr/local/share/ca-certificates/ | ||
| - | ssh kube1 update-ca-certificates | ||
| - | ssh kube1 systemctl restart containerd | ||
| - | scp /opt/freeipa-data/etc/ipa/ca.crt kube2:/usr/local/share/ca-certificates/ | ||
| - | ssh kube2 update-ca-certificates | ||
| - | ssh kube2 systemctl restart containerd | ||
| - | scp /opt/freeipa-data/etc/ipa/ca.crt kube3:/usr/local/share/ca-certificates/ | ||
| - | ssh kube3 update-ca-certificates | ||
| - | ssh kube3 systemctl restart containerd | ||
| - | scp /opt/freeipa-data/etc/ipa/ca.crt kube4:/usr/local/share/ca-certificates/ | ||
| - | ssh kube4 update-ca-certificates | ||
| - | ssh kube4 systemctl restart containerd | ||
| - | ' | ||
| - | |||
| - | kubeN# | ||
| - | crictl pull server.corpX.un:5000/student/gowebd | ||
| - | crictl images | ||
| - | crictl rmi server.corpX.un:5000/student/gowebd | ||
| - | </code> | ||
| ==== 1.5 Установка и инициализация компьютеров пользователей ==== | ==== 1.5 Установка и инициализация компьютеров пользователей ==== | ||
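Review bot: the removed block under the "1.5 (??? может в k8s?)" heading mixes three unrelated concerns (the compose overrides `userns_mode: 'host'` and `external_url 'https://server.corpX.un:4443'`, the per-node CA trust script, and the `crictl pull`/`crictl rmi` image check), and the page does not say what replaces the first of them. The CA script and an image-management link are re-added under the new 2.3 section in this same revision, so that part of the removal is consistent; the compose overrides simply disappear. Suggest either carrying a one-line note to the compose snippet at Line 194 saying that the GitLab instance now listens on 443 without `userns_mode`, or dropping the "???" placeholders from the section title before it is resurrected elsewhere.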
| Line 194: | Line 154: | ||
| privileged: true | privileged: true | ||
| ... | ... | ||
| - | - '2222:22' | + | - '22:22' |
| ... | ... | ||
| # - '/etc/gitlab:/etc/gitlab' | # - '/etc/gitlab:/etc/gitlab' | ||
| ... | ... | ||
| </code> | </code> | ||
| - | * Инструмент GitLab [[Инструмент GitLab#Клиент OpenID]] | + | * Инструмент GitLab [[Инструмент GitLab#Клиент OpenID]] + %s/^/8пробелов/ |
| - | + | ||
| - | <code> | + | |
| - | kube1:~/gitlab# cat docker-compose.yml | + | |
| - | </code><code> | + | |
| - | services: | + | |
| - | gitlab: | + | |
| - | privileged: true | + | |
| - | image: 'gitlab/gitlab-ce:18.6.2-ce.0' | + | |
| - | # image: 'gitlab/gitlab-ce:latest' | + | |
| - | restart: always | + | |
| - | hostname: 'gitlab.corpX.un' | + | |
| - | environment: | + | |
| - | GITLAB_ROOT_PASSWORD: "strongpassword" | + | |
| - | GITLAB_OMNIBUS_CONFIG: | | + | |
| - | prometheus_monitoring['enable'] = false | + | |
| - | gitlab_rails['registry_enabled'] = true | + | |
| - | gitlab_rails['registry_host'] = "gitlab.corpX.un" | + | |
| - | external_url 'https://gitlab.corpX.un' | + | |
| - | registry_external_url 'https://gitlab.corpX.un:5000' | + | |
| - | gitlab_rails['registry_port'] = "5050" | + | |
| - | registry['registry_http_addr'] = "127.0.0.1:5050" | + | |
| - | ports: | + | |
| - | - '443:443' | + | |
| - | - '2222:22' | + | |
| - | - '5000:5000' | + | |
| - | volumes: | + | |
| - | - vol1:/var/opt/gitlab | + | |
| - | shm_size: '256m' | + | |
| - | volumes: | + | |
| - | vol1: | + | |
| - | </code> | + | |
| * [[Система Kubernetes#kompose]] | * [[Система Kubernetes#kompose]] | ||
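Review bot: changing the port mapping from `- '2222:22'` to `- '22:22'` binds the container's sshd to host port 22, which collides with the node's own sshd on `kube1` (the prompts in this hunk, `kube1:~/gitlab#`, show that host being administered over ssh); either keep `2222:22` or document that the node's sshd was moved first. Two further points in the same hunk: the added text `+ %s/^/8пробелов/` is a bare vim substitution with no explanation of what is being indented by eight spaces or why, so say which file and which block it applies to; and the removed compose file carried `GITLAB_ROOT_PASSWORD: "strongpassword"` inline next to `privileged: true`, so wherever that configuration is re-created it should take the root password from an env file or a Kubernetes Secret rather than from the manifest itself.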
| Line 238: | Line 167: | ||
| kube1:~/gitlab# cat vol1-persistentvolumeclaim.yaml | kube1:~/gitlab# cat vol1-persistentvolumeclaim.yaml | ||
| + | </code><code> | ||
| ... | ... | ||
| storage: 2000Mi | storage: 2000Mi | ||
| + | </code><code> | ||
| kube1:~/gitlab# cat gitlab-deployment.yaml | kube1:~/gitlab# cat gitlab-deployment.yaml | ||
| + | </code><code> | ||
| ... | ... | ||
| image: ... | image: ... | ||
| Line 253: | Line 184: | ||
| mkdir -p /etc/gitlab/trusted-certs/ | mkdir -p /etc/gitlab/trusted-certs/ | ||
| cp /etc/gitlab/tmp/ca.crt /etc/gitlab/trusted-certs/ca.crt | cp /etc/gitlab/tmp/ca.crt /etc/gitlab/trusted-certs/ca.crt | ||
| - | |||
| ... | ... | ||
| volumeMounts: | volumeMounts: | ||
| Line 266: | Line 196: | ||
| mountPath: /etc/gitlab/tmp/ca.crt | mountPath: /etc/gitlab/tmp/ca.crt | ||
| ... | ... | ||
| + | hostname: gitlab | ||
| volumes: | volumes: | ||
| - name: secret-tls-volume | - name: secret-tls-volume | ||
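Review bot: the added `hostname: gitlab` line sits immediately after a `...` elision, so the reader cannot tell whether it is at the pod-spec level next to `volumes:` (where `hostname` is a valid field, `spec.template.spec.hostname`) or inside the container entry after `volumeMounts:` (where it is not). Show the enclosing key so the indentation is unambiguous, and note that the pod hostname does not have to match `external_url 'https://gitlab.corpX.un'`; Omnibus takes the public name from `external_url`, so `gitlab` here is only the in-pod hostname.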
| Line 271: | Line 202: | ||
| secretName: gitlab-tls | secretName: gitlab-tls | ||
| ... | ... | ||
| + | </code><code> | ||
| kube1:~/gitlab# cat gitlab-service.yaml | kube1:~/gitlab# cat gitlab-service.yaml | ||
| + | </code><code> | ||
| ... | ... | ||
| spec: | spec: | ||
| Line 278: | Line 210: | ||
| type: LoadBalancer | type: LoadBalancer | ||
| ... | ... | ||
| + | </code><code> | ||
| kube1:~/gitlab# kubectl -n my-gitlab-ns apply -f vol1-persistentvolumeclaim.yaml,gitlab-service.yaml,gitlab-deployment.yaml | kube1:~/gitlab# kubectl -n my-gitlab-ns apply -f vol1-persistentvolumeclaim.yaml,gitlab-service.yaml,gitlab-deployment.yaml | ||
| + | |||
| + | kube1:~/gitlab# kubectl -n my-gitlab-ns logs pods/gitlab-<TAB> -f | ||
| </code> | </code> | ||
| - | * Стратегии развертывания и масштабирование нагрузки | + | * Создать УЗ user1 через [[Инструмент GitLab#REST API интерфейс]] и связать через [[Инструмент GitLab#Клиент OpenID]] |
| - | * ArgoCD и универсальный Helm Chart | + | |
| + | ==== 2.3 Стратегии развертывания и масштабирование нагрузки ==== | ||
| + | |||
| + | * Добавляем корпоративный сертификат в кластер kubernetes | ||
| + | <code> | ||
| + | server# | ||
| + | |||
| + | bash -c ' | ||
| + | scp /opt/freeipa-data/etc/ipa/ca.crt kube1:/usr/local/share/ca-certificates/ | ||
| + | ssh kube1 update-ca-certificates | ||
| + | ssh kube1 systemctl restart containerd | ||
| + | scp /opt/freeipa-data/etc/ipa/ca.crt kube2:/usr/local/share/ca-certificates/ | ||
| + | ssh kube2 update-ca-certificates | ||
| + | ssh kube2 systemctl restart containerd | ||
| + | scp /opt/freeipa-data/etc/ipa/ca.crt kube3:/usr/local/share/ca-certificates/ | ||
| + | ssh kube3 update-ca-certificates | ||
| + | ssh kube3 systemctl restart containerd | ||
| + | scp /opt/freeipa-data/etc/ipa/ca.crt kube4:/usr/local/share/ca-certificates/ | ||
| + | ssh kube4 update-ca-certificates | ||
| + | ssh kube4 systemctl restart containerd | ||
| + | ' | ||
| + | </code> | ||
| + | |||
| + | * [[Система Kubernetes#Управление образами]] | ||
| + | |||
| + | * [[Стратегии деплоя в Kubernetes]] | ||
| + | |||
| + | ==== 2.4 ArgoCD и универсальный Helm Chart ==== | ||
| ===== Модуль 3: Безопасность в DevOps ===== | ===== Модуль 3: Безопасность в DevOps ===== | ||
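Review bot: the CA-distribution script added under 2.3 repeats the same three commands for `kube1` through `kube4` by hand; a loop such as `for n in kube1 kube2 kube3 kube4; do scp /opt/freeipa-data/etc/ipa/ca.crt $n:/usr/local/share/ca-certificates/; ssh $n update-ca-certificates; ssh $n systemctl restart containerd; done` performs the same steps without the copy-and-paste drift that creeps in when a node is added or renamed, and keeps the sequential one-node-at-a-time containerd restart that the current script already gets right. Two smaller points: `kubectl -n my-gitlab-ns logs pods/gitlab-<TAB> -f` depends on shell completion to resolve the pod name, while `kubectl -n my-gitlab-ns logs deploy/gitlab -f` resolves it itself and works when pasted; and the replacement bullet "Создать УЗ user1 ... и связать через Клиент OpenID" should say whether `user1` is expected to exist in FreeIPA first, since the OpenID link only works for an identity the provider already knows.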
| Line 321: | Line 282: | ||
| * Брокеры сообщения (Kafka или RabbitMQ) | * Брокеры сообщения (Kafka или RabbitMQ) | ||
| * Service Mesh (Istio) | * Service Mesh (Istio) | ||
| + | |||
| + | |||