1. 添加 GitLab Helm 仓库
# Register the official GitLab chart repository and refresh the local chart index
helm repo add gitlab https://charts.gitlab.io/
helm repo update
# Namespace that every GitLab object in the following steps is created in
kubectl create ns gitlab
2. PostgreSQL 配置(专属用户/库 + 读写分离赋权)
进入 PostgreSQL 主库执行
# Open an interactive psql session as the postgres superuser on the PostgreSQL primary.
# The pod is picked by its role=primary label; "cut" strips the "pod/" prefix from -o name.
PRIMARY_POD="$(kubectl get pods -n postgresql -l role=primary -o name | cut -d '/' -f2)"
kubectl exec -it -n postgresql "${PRIMARY_POD}" -- psql -U postgres
数据库操作 SQL
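-- Option 1: drop the existing gitlabhq_production database in one step.
-- WITH (FORCE) disconnects other sessions first; it requires PostgreSQL 13 or newer.
DROP DATABASE IF EXISTS gitlabhq_production WITH (FORCE);

-- Option 2: step-by-step drop (older servers, or when clients keep reconnecting)
-- 2.1 Stop new connections
REVOKE CONNECT ON DATABASE gitlabhq_production FROM public;
-- 2.2 Terminate every remaining backend on the database except this session
SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE datname = 'gitlabhq_production' AND pid <> pg_backend_pid();
-- 2.3 List prepared (two-phase) transactions that still pin the database
SELECT gid, prepared, owner, database FROM pg_prepared_xacts;
-- 2.4 Roll back each one, substituting the gid printed above (repeat per row)
ROLLBACK PREPARED '<gid>';
-- 2.5 Drop the database
DROP DATABASE gitlabhq_production;

-- 1. Create the GitLab database (UTF-8, en_US locale).
--    template0 is used so the locale may differ from template1's.
CREATE DATABASE gitlabhq_production
    ENCODING 'UTF8'
    LC_COLLATE 'en_US.UTF-8'
    LC_CTYPE 'en_US.UTF-8'
    TEMPLATE template0;

-- 2. Create the GitLab role.
--    'gitlab2026' is a sample password; it must match the value stored in the
--    gitlab-postgres-password Secret, and should be replaced by a generated one.
CREATE USER gitlab WITH PASSWORD 'gitlab2026';

-- 3. Privileges and per-role session defaults
GRANT ALL PRIVILEGES ON DATABASE gitlabhq_production TO gitlab;
ALTER ROLE gitlab SET client_encoding TO 'utf8';
ALTER ROLE gitlab SET default_transaction_isolation TO 'read committed';
ALTER ROLE gitlab SET timezone TO 'UTC';
-- Switch into the new database; schema-level grants below apply there
\c gitlabhq_production
GRANT ALL ON SCHEMA public TO gitlab;
ALTER SCHEMA public OWNER TO gitlab;
-- SUPERUSER is far broader than GitLab needs at runtime; presumably it is granted
-- so the chart's migrations can CREATE EXTENSION. Least-privilege alternative:
-- create the extensions GitLab's docs list (pg_trgm, btree_gist, ...) as postgres
-- beforehand and skip this line, or revoke it with
-- ALTER USER gitlab NOSUPERUSER once the initial migration has completed.
ALTER USER gitlab SUPERUSER;

-- 4. Verify
-- No trailing ';' on \c: psql passes the rest of the line as the database name,
-- so "gitlabhq_production;" would fail to connect.
\c gitlabhq_production
SHOW server_encoding;  -- expected: UTF8
SELECT datname, datcollate, datctype
FROM pg_database;  -- expected: en_US.UTF-8 for gitlabhq_production

-- 5. Quit
\q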
验证 PostgreSQL 配置
# Reconnect to the PostgreSQL primary as postgres to verify the objects created above.
# The pod is picked by its role=primary label; "cut" strips the "pod/" prefix from -o name.
PRIMARY_POD="$(kubectl get pods -n postgresql -l role=primary -o name | cut -d '/' -f2)"
kubectl exec -it -n postgresql "${PRIMARY_POD}" -- psql -U postgres
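-- Comments are kept on their own lines: psql meta-commands take the remainder of
-- the line as arguments, so a trailing "-- ..." may be treated as an argument.
-- List databases; gitlabhq_production should appear with UTF8 / en_US.UTF-8
\l
-- List roles; gitlab should appear with the Superuser attribute granted above
\du
-- Connect to the database AS the gitlab role (no trailing ';' -- it would become
-- part of the database name). Connecting as postgres, as before, never exercises
-- the new role; this form prompts for the gitlab password unless pg_hba trusts
-- local connections, and so also validates the password and CONNECT privilege.
\c gitlabhq_production gitlab
-- Confirm the session user; expected: gitlab
SELECT current_user;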
创建数据库密码 Secret
# Secret holding the database password for the gitlab role.
# The value is the sample password used in CREATE USER above; the two must stay in
# sync, and the key name "password" is what the chart reads from this Secret.
kubectl create secret generic gitlab-postgres-password --namespace gitlab \
  --from-literal=password=gitlab2026
创建 S3 Bucket 连接参数 Secret
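# Secret consumed by appConfig.object_store.connection (key "connection").
# The value is the connection hash GitLab expects: an AWS-compatible provider with
# path-style addressing, pointing at the in-cluster Ceph RGW endpoint.
# Replace the two placeholders with the RGW user's keys at run time; the earlier
# revision of this document embedded a literal access key / secret key pair, which
# should be treated as exposed and rotated.
kubectl create secret generic object-storage --namespace gitlab \
  --from-literal=connection='{
    "provider":"AWS",
    "region":"us-east-1",
    "endpoint":"http://rook-ceph-rgw-s3-store.rook-ceph.svc:80",
    "path_style":true,
    "aws_access_key_id":"<S3_ACCESS_KEY_ID>",
    "aws_secret_access_key":"<S3_SECRET_ACCESS_KEY>"
  }'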
3. 部署 GitLab(指定版本)
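# List the chart versions available in the repo index; pick one and pin it below
helm search repo gitlab/gitlab --versions
# Install or upgrade the release with an explicit chart version. Without
# --version, helm silently takes the newest chart in the index, so a re-run
# of this step could upgrade GitLab unintentionally.
CHART_VERSION="<chart version chosen from the search above>"
helm upgrade --install gitlab gitlab/gitlab --namespace gitlab \
  --version "${CHART_VERSION}" \
  -f gitlab-values.yaml
# Wait for the pods (typically 5-10 minutes). Pods of completed Jobs never report
# Ready, so this can time out even when the release is healthy; if it does,
# replace --all with a label selector for the long-running components.
kubectl -n gitlab wait --for=condition=Ready pods --all --timeout=600s
# Print the generated initial root password. It is echoed to the terminal (and
# stays in the Secret), so change it after the first login.
kubectl -n gitlab get secret gitlab-gitlab-initial-root-password -o jsonpath="{.data.password}" | base64 --decode; echo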
4. 创建 HTTPRoute 网关配置
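# httproute.yaml
# Gateway API route exposing the GitLab web service through the shared Istio
# gateway. TLS is presumably terminated at the gateway, so the route informs
# GitLab of the original scheme via X-Forwarded-Proto.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: gitlab
  namespace: gitlab
spec:
  parentRefs:
    # Cross-namespace attachment: the gateway's listener must permit routes from
    # the "gitlab" namespace (allowedRoutes), otherwise this route is not accepted.
    - name: gateway
      namespace: istio-ingress
  hostnames:
    - "gitlab.infraserviceonline.com"
    - "ide.infraserviceonline.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        # "set" overwrites any client-supplied X-Forwarded-Proto, so a caller
        # cannot claim https over a plaintext hop.
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: X-Forwarded-Proto
                value: https
      backendRefs:
        - name: gitlab-webservice-default
          port: 8181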
5. 创建 ServiceMonitor 监控配置
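# ServiceMonitor for the GitLab component Services. The "release" label on the
# monitor must match the Prometheus Operator's serviceMonitorSelector (here
# release=prometheus-operator); a mismatch means the monitor is silently ignored.
# The heredoc is quoted so the shell never expands anything inside the manifest.
cat <<'EOF' | kubectl apply -f -
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: gitlab-components-monitor
  namespace: gitlab
  labels:
    release: prometheus-operator
spec:
  # Services belonging to the Helm release named "gitlab"
  selector:
    matchLabels:
      release: gitlab
  namespaceSelector:
    matchNames:
      - gitlab
  # Each port name must exist on the selected Service; a Service without that
  # named port is simply not scraped. honorLabels lets the target's own labels
  # override Prometheus's, which also means a target can relabel its series.
  endpoints:
    - port: http-metrics-ws
      path: /metrics
      interval: 30s
      honorLabels: true
    - port: http-metrics
      path: /metrics
      interval: 30s
      honorLabels: true
EOF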
6. S3 对象存储配置(values.yaml 片段)
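# Object storage settings (artifacts, LFS, uploads, ...). In the GitLab chart
# these keys sit under `global:`; this fragment shows only the appConfig part.
appConfig:
  # Connection shared by every object type below. Credentials come from the
  # "object-storage" Secret (key "connection"), not from values.yaml.
  object_store:
    enabled: true
    # With proxy_download GitLab streams objects to the client itself instead of
    # redirecting the browser to the storage endpoint, so the internal RGW
    # address is not handed out to users.
    proxy_download: true
    connection:
      secret: object-storage
      key: connection
  # Per-type settings. Every entry below points at the same bucket; GitLab's
  # documentation expects a separate bucket per object type, and a tmpBucket
  # distinct from the backups bucket, so split these before relying on them.
  lfs:
    enabled: true
    bucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
  artifacts:
    enabled: true
    bucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
  uploads:
    enabled: true
    bucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
  packages:
    enabled: true
    bucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
  externalDiffs:
    enabled: false
    bucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
  terraformState:
    enabled: false
    bucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
  dependencyProxy:
    enabled: false
    bucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
  ciSecureFiles:
    enabled: false
    bucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
  backups:
    bucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
    tmpBucket: ceph-bkt-aad0791f-76df-43d3-9313-cca489d46ead
  # Mail integrations are left off
  microsoft_graph_mailer:
    enabled: false
  incomingEmail:
    enabled: false
  serviceDeskEmail:
    enabled: false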
参考文档
https://docs.gitlab.com/charts/releases/9.10.3/