Set up a standalone Gitaly
This uses the Omnibus GitLab package for Ubuntu. That package provides versions of the services that are guaranteed to be compatible with the services deployed by the chart.
Create a VM with Omnibus GitLab
Create a VM with the provider of your choice, or locally. This was tested with VirtualBox, KVM and Bhyve. Ensure the instance is reachable from the cluster.
Install Ubuntu Server on the VM you created. Ensure openssh-server is installed and that all packages are up to date.
Configure networking and the hostname. Make a note of the hostname/IP, and ensure it can be resolved and reached from your Kubernetes cluster.
Ensure firewall policies are in place that allow the cluster to reach the Gitaly port configured below (8075 for plaintext, 8076 for TLS) and nothing else.
Follow the installation instructions for Omnibus GitLab. When you perform the package installation, do not provide an EXTERNAL_URL= value. We do not want automatic configuration to occur, because we will provide a very specific configuration in the next step.
Configure Omnibus GitLab
Create a minimal gitlab.rb file at /etc/gitlab/gitlab.rb.
Note: the following values should be replaced:
- AUTH_TOKEN should be replaced with the value in the gitaly-secret secret
- GITLAB_URL should be replaced with the URL of the GitLab instance
- SHELL_TOKEN should be replaced with the value in the gitlab-shell-secret secret
# Avoid running unnecessary services on the Gitaly server
postgresql['enable'] = false
redis['enable'] = false
nginx['enable'] = false
puma['enable'] = false
sidekiq['enable'] = false
gitlab_workhorse['enable'] = false
grafana['enable'] = false
gitlab_exporter['enable'] = false
gitlab_kas['enable'] = false
# If you run a separate monitoring node you can disable these services
prometheus['enable'] = false
alertmanager['enable'] = false
# If you don't run a separate monitoring node you can
# enable Prometheus access & disable these extra services
# This makes Prometheus listen on all interfaces. You must use firewalls to restrict access to this address/port.
# prometheus['listen_address'] = '0.0.0.0:9090'
# prometheus['monitor_kubernetes'] = false
# If you don't want to run monitoring services uncomment the following (not recommended)
# node_exporter['enable'] = false
# Prevent database connections during 'gitlab-ctl reconfigure'
gitlab_rails['auto_migrate'] = false
# Configure the gitlab-shell API callback URL. Without this, `git push` will
# fail. This can be your 'front door' GitLab URL or an internal load
# balancer.
gitlab_rails['internal_api_url'] = 'GITLAB_URL'
gitlab_shell['secret_token'] = 'SHELL_TOKEN'
# Make Gitaly accept connections on all network interfaces. You must use
# firewalls to restrict access to this address/port.
# Comment out the following line if you only want to support TLS connections
gitaly['listen_addr'] = "0.0.0.0:8075"
# Authentication token to ensure only authorized servers can communicate with
# Gitaly server
gitaly['auth_token'] = 'AUTH_TOKEN'
git_data_dirs({
'default' => {
'path' => '/var/opt/gitlab/git-data'
},
'storage1' => {
'path' => '/mnt/gitlab/git-data'
},
})
# To use TLS for Gitaly you need to add
gitaly['tls_listen_addr'] = "0.0.0.0:8076"
gitaly['certificate_path'] = "path/to/cert.pem"
gitaly['key_path'] = "path/to/key.pem"
After creating gitlab.rb, reconfigure the package with gitlab-ctl reconfigure. Once that task completes, check the running processes with gitlab-ctl status. The output should look like this:
# gitlab-ctl status
run: gitaly: (pid 30562) 77637s; run: log: (pid 30561) 77637s
run: logrotate: (pid 4856) 1859s; run: log: (pid 31262) 77460s
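As an added example (it is not code from the GitLab charts or from Omnibus GitLab), the Ruby script below evaluates a gitlab.rb with a minimal stand-in for the Omnibus settings DSL and audits the result for the mistakes this page warns about before you run gitlab-ctl reconfigure: placeholder values left in, an unset gitaly['auth_token'] (Gitaly then accepts unauthenticated RPCs), services that should be disabled on a Gitaly-only node still enabled, a TLS listener without certificate_path/key_path, and the plaintext listener kept alongside TLS. The two sample configurations, the token values and the GitLab URL are constructed for the example.

```ruby
# Added example, not Omnibus GitLab's own config loader. It evaluates a
# gitlab.rb with a minimal stand-in for the Omnibus settings DSL and audits
# the result for the mistakes that matter on a standalone Gitaly node.
class GitlabRbAudit
  PLACEHOLDERS = %w[AUTH_TOKEN SHELL_TOKEN GITLAB_URL].freeze
  # Services the page disables because a Gitaly-only node does not need them.
  MUST_DISABLE = %w[postgresql redis nginx puma sidekiq gitlab_workhorse
                    grafana gitlab_exporter gitlab_kas].freeze
  attr_reader :settings, :data_dirs

  def initialize
    @settings = Hash.new { |h, k| h[k] = {} } # service name => { key => value }
    @data_dirs = {}
  end

  # In Omnibus, `gitaly['auth_token'] = x` works because `gitaly` is a method
  # returning that service's settings hash; emulate it for any bare name.
  def method_missing(name, *args)
    return super unless args.empty? && name.to_s.match?(/\A(?!to_)[a-z_]+\z/)
    @settings[name.to_s]
  end

  def git_data_dirs(dirs)
    @data_dirs = dirs
  end

  def self.load(text)
    audit = new
    audit.instance_eval(text, 'gitlab.rb')
    audit
  end

  # Problems that must be fixed before running `gitlab-ctl reconfigure`.
  def errors
    out = []
    { 'gitaly' => 'auth_token', 'gitlab_shell' => 'secret_token',
      'gitlab_rails' => 'internal_api_url' }.each do |svc, key|
      v = @settings[svc][key]
      out << "#{svc}['#{key}'] still holds placeholder #{v}" if PLACEHOLDERS.include?(v)
    end
    # An empty token disables Gitaly authentication entirely.
    out << "gitaly['auth_token'] unset: Gitaly would accept unauthenticated RPCs" if @settings['gitaly']['auth_token'].to_s.empty?
    MUST_DISABLE.each do |svc|
      out << "#{svc}['enable'] = false missing" unless @settings[svc]['enable'] == false
    end
    out << "gitlab_rails['auto_migrate'] should be false on a Gitaly node" unless @settings['gitlab_rails']['auto_migrate'] == false
    gitaly_cfg = @settings['gitaly']
    if gitaly_cfg['tls_listen_addr']
      %w[certificate_path key_path].each do |k|
        out << "gitaly['#{k}'] missing although tls_listen_addr is set" if gitaly_cfg[k].to_s.empty?
      end
    end
    out
  end

  # Not wrong as such, but each needs a deliberate decision by the operator.
  def warnings
    gitaly_cfg = @settings['gitaly']
    out = []
    out << 'plaintext listen_addr kept alongside TLS; comment it out for TLS-only' if gitaly_cfg['tls_listen_addr'] && gitaly_cfg['listen_addr']
    listens_everywhere = [gitaly_cfg['listen_addr'], gitaly_cfg['tls_listen_addr']].any? { |a| a.to_s.start_with?('0.0.0.0:') }
    out << 'Gitaly listens on all interfaces; firewall 8075/8076 to the cluster only' if listens_everywhere
    out
  end
end

# Constructed input: the page's template with its placeholders still in place.
TEMPLATE = <<~'RB'
  postgresql['enable'] = false
  redis['enable'] = false
  nginx['enable'] = false
  puma['enable'] = false
  sidekiq['enable'] = false
  gitlab_workhorse['enable'] = false
  grafana['enable'] = false
  gitlab_exporter['enable'] = false
  gitlab_kas['enable'] = false
  gitlab_rails['auto_migrate'] = false
  gitlab_rails['internal_api_url'] = 'GITLAB_URL'
  gitlab_shell['secret_token'] = 'SHELL_TOKEN'
  gitaly['listen_addr'] = "0.0.0.0:8075"
  gitaly['auth_token'] = 'AUTH_TOKEN'
  git_data_dirs({ 'default' => { 'path' => '/var/opt/gitlab/git-data' }, 'storage1' => { 'path' => '/mnt/gitlab/git-data' } })
  gitaly['tls_listen_addr'] = "0.0.0.0:8076"
  gitaly['certificate_path'] = "path/to/cert.pem"
  gitaly['key_path'] = "path/to/key.pem"
RB

# The same file with the secrets filled in (values constructed here, not real
# ones) and the plaintext listener commented out for a TLS-only Gitaly.
FILLED = TEMPLATE
         .sub("'AUTH_TOKEN'", "'constructed-gitaly-token'")
         .sub("'SHELL_TOKEN'", "'constructed-shell-secret'")
         .sub("'GITLAB_URL'", "'https://gitlab.example.com'")
         .sub("gitaly['listen_addr']", "# gitaly['listen_addr']")
```

To check a real node, load the file instead of the constructed strings: GitlabRbAudit.load(File.read('/etc/gitlab/gitlab.rb')).errors must be empty before reconfiguring. The warnings are deliberate choices rather than mistakes: the page's own configuration listens on 0.0.0.0 and relies on the firewall, and keeps the plaintext listener only for as long as non-TLS clients are needed.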