Single-node SRE showcase project: detailed deployment plan (GitLab + Harbor + Trivy + Argo Rollouts + kube-prometheus-stack + k3s)
Target environment: Ubuntu 24.04 / 32 GB RAM / 200 GB disk / IP 192.168.101.100 (freshly installed machine)
0. Overview and directory layout
- Containers and orchestration: k3s (single node)
- Code platform: GitLab Community Edition (containerized)
- Artifact registry: Harbor (images + Helm OCI charts)
- Security scanning: Trivy (CI integration + Harbor vulnerability scanning)
- Release strategy: Argo Rollouts (canary / blue-green)
- Observability: kube-prometheus-stack (Prometheus + Alertmanager + Grafana)
Suggested directory layout:
/opt/sre-lab/
  infra/        # compose files and configuration
  manifests/    # Kubernetes YAML (Argo Rollouts etc.)
  helm-values/  # Helm values overrides
  docs/         # documentation and screenshots
1. Basic preparation
# 1) System update
sudo apt update && sudo apt -y upgrade
# 2) Install required tools
sudo apt -y install curl wget git apt-transport-https ca-certificates gnupg lsb-release jq
# 3) Docker Engine (optional only if you skip the Docker Compose based GitLab/Harbor setup below)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update && sudo apt -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo usermod -aG docker $USER   # log out and back in for the group change to take effect
# 4) Install k3s (single node)
curl -sfL https://get.k3s.io | sh -
# Wait until the node reports Ready
sudo kubectl get node -o wide
# For non-root kubectl/helm later on: export KUBECONFIG=/etc/rancher/k3s/k3s.yaml (or copy it to ~/.kube/config)
# 5) Helm
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# 6) kubectl bash completion (optional)
sudo apt -y install bash-completion
source /etc/bash_completion
kubectl completion bash | sudo tee /etc/bash_completion.d/kubectl >/dev/null
# 7) Directories
sudo mkdir -p /opt/sre-lab/infra /opt/sre-lab/manifests /opt/sre-lab/helm-values /opt/sre-lab/docs
2. Install GitLab (containerized)
Use the omnibus image. Plain HTTP is sufficient for a single-node PoC; HTTPS can be enabled later.
cat >/opt/sre-lab/infra/gitlab-compose.yml <<'YAML'
version: "3.8"
services:
  gitlab:
    image: gitlab/gitlab-ce:latest
    container_name: gitlab
    hostname: gitlab.local
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        # external_url carries the published port so clone URLs and redirects are correct;
        # nginx keeps listening on 80 inside the container, which is mapped to 8083 below
        external_url 'http://192.168.101.100:8082'
        nginx['listen_port'] = 80
        gitlab_rails['gitlab_shell_ssh_port'] = 2224
    ports:
      - "8082:80"
      - "2224:22"
    volumes:
      - ./gitlab/config:/etc/gitlab
      - ./gitlab/logs:/var/log/gitlab
      - ./gitlab/data:/var/opt/gitlab
    restart: unless-stopped
YAML
cd /opt/sre-lab/infra && docker compose -f gitlab-compose.yml up -d
# Initialization takes a few minutes; open http://192.168.101.100:8082 and set the root password
Register a Runner (Docker executor; a Kubernetes executor can be wired to k3s later):
cat >/opt/sre-lab/infra/gitlab-runner-compose.yml <<'YAML'
version: "3.8"
services:
  gitlab-runner:
    image: gitlab/gitlab-runner:alpine
    container_name: gitlab-runner
    volumes:
      # mounting the Docker socket gives this container full control of the host Docker daemon
      - /var/run/docker.sock:/var/run/docker.sock
      - ./gitlab-runner/config:/etc/gitlab-runner
    restart: unless-stopped
YAML
docker compose -f /opt/sre-lab/infra/gitlab-runner-compose.yml up -d
# Get the registration token from the GitLab UI -> Admin -> Runners
sudo docker exec -it gitlab-runner gitlab-runner register
# Choose the docker executor; suggested default image: docker:stable or docker:24
# The docker-in-docker jobs in section 6 require privileged = true for this runner in ./gitlab-runner/config/config.toml
3. Install Harbor (images + Helm OCI)
Harbor serves both container images and Helm charts as OCI artifacts (it can replace ChartMuseum).
# 1) Download and unpack
cd /opt/sre-lab/infra
wget https://github.com/goharbor/harbor/releases/download/v2.10.0/harbor-online-installer-v2.10.0.tgz
sudo tar xzf harbor-online-installer-v2.10.0.tgz
cd harbor
# 2) Generate the base configuration
sudo cp harbor.yml.tmpl harbor.yml
sudo sed -i 's/^hostname: reg.mydomain.com/hostname: 192.168.101.100/' harbor.yml
# serve plain HTTP on 8083 (the template's http.port defaults to 80)
sudo sed -i 's/^  port: 80$/  port: 8083/' harbor.yml
# comment out the whole https block: the "https:" key and its two-space-indented port/certificate/private_key
sudo sed -i -e 's/^https:/#https:/' \
            -e 's/^  port: 443/#  port: 443/' \
            -e 's/^  certificate:/#  certificate:/' \
            -e 's/^  private_key:/#  private_key:/' harbor.yml
# 3) Install (with the built-in Trivy scanner)
sudo ./install.sh --with-trivy
# Open http://192.168.101.100:8083 (default admin / Harbor12345; change it after first login)
Using Harbor from Docker and Helm:
# Harbor is served over plain HTTP here: add "192.168.101.100:8083" to "insecure-registries"
# in /etc/docker/daemon.json and restart docker, otherwise docker login/push fail
# Docker login
docker login 192.168.101.100:8083 -u admin -p 'Harbor12345'
# Push an image
docker tag demo/web:latest 192.168.101.100:8083/library/demo-web:1.0.0
docker push 192.168.101.100:8083/library/demo-web:1.0.0
# Helm (OCI)
export HELM_EXPERIMENTAL_OCI=1   # only needed on Helm < 3.8; OCI support is built in since then
helm registry login 192.168.101.100:8083 --insecure -u admin -p 'Harbor12345'   # --insecure: no TLS on this PoC registry
# Package
helm package helm/demo -d dist
# Push to oci:// (--plain-http because Harbor runs without TLS here; Helm >= 3.13)
helm push dist/demo-1.0.0.tgz oci://192.168.101.100:8083/library --plain-http
Let k3s pull from the private registry (adjust for plain HTTP or self-signed certificates; the plain-HTTP case is shown):
sudo tee /etc/rancher/k3s/registries.yaml >/dev/null <<'EOF'
mirrors:
  "192.168.101.100:8083":
    endpoint:
      - "http://192.168.101.100:8083"
EOF
sudo systemctl restart k3s
4. Install kube-prometheus-stack (monitoring)
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
# Minimal values override (Grafana exposed on NodePort 30001, Prometheus on NodePort 30000)
cat >/opt/sre-lab/helm-values/kps-values.yaml <<'YAML'
grafana:
  service:
    type: NodePort
    nodePort: 30001
  adminPassword: admin123
prometheus:
  service:
    type: NodePort
    nodePort: 30000
YAML
helm upgrade --install kps prometheus-community/kube-prometheus-stack \
  -n monitoring --create-namespace \
  -f /opt/sre-lab/helm-values/kps-values.yaml
# Grafana: http://192.168.101.100:30001, user/password admin/admin123
# Prometheus: http://192.168.101.100:30000
5. Install Argo Rollouts (canary / blue-green)
kubectl create namespace argo-rollouts || true
kubectl apply -n argo-rollouts -f https://github.com/argoproj/argo-rollouts/releases/latest/download/install.yaml
# Optional dashboard UI:
kubectl apply -n argo-rollouts -f https://github.com/argoproj/argo-rollouts/releases/latest/download/dashboard-install.yaml
kubectl -n argo-rollouts port-forward svc/argo-rollouts-dashboard 3100:3100   # view locally
Example Rollout (using demo-web):
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: demo-web
  namespace: dev
spec:
  replicas: 3
  strategy:
    canary:
      # The NGINX traffic router requires a stable Service, a canary Service (same selector;
      # the controller adds the pod-template-hash) and an Ingress that points at the stable
      # Service. Create those alongside the Rollout; Argo Rollouts generates the canary Ingress.
      canaryService: demo-web-canary
      stableService: demo-web
      trafficRouting:
        nginx:
          stableIngress: demo-web
      steps:
        - setWeight: 20
        - pause: {duration: 60}
        - setWeight: 50
        - pause: {duration: 120}
  selector:
    matchLabels: { app: demo-web }
  template:
    metadata: { labels: { app: demo-web } }
    spec:
      containers:
        - name: web
          image: 192.168.101.100:8083/library/demo-web:1.0.0
          ports:
            - containerPort: 8080
Note: Ingress-NGINX or another supported load balancer is required for traffic routing. ingress-nginx can be installed on k3s (k3s ships Traefik by default; disable it with --disable traefik at install time or the two controllers compete for ports 80/443):
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace
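The "shift traffic gradually, verify, roll back on anomalies" loop only runs unattended if the Rollout carries an analysis step. The following AnalysisTemplate is an added example, not part of the original plan: it asks the Prometheus installed in section 4 for the canary's non-5xx request share as reported by ingress-nginx and aborts the rollout when it falls below 99%. Assumptions: the kube-prometheus-stack release is named kps in namespace monitoring (so its Prometheus Service is kps-kube-prometheus-stack-prometheus), ingress-nginx metrics are enabled and scraped (controller.metrics.enabled plus a ServiceMonitor), the canary Service is demo-web-canary, and the nginx_ingress_controller_requests label names are those Prometheus produces when scraping ingress-nginx.

```yaml
# Added example (assumed names, see above): an AnalysisTemplate and the canary steps that use it.
apiVersion: argoproj.io/v1alpha1
kind: AnalysisTemplate
metadata:
  name: success-rate
  namespace: dev
spec:
  args:
    - name: service              # Service whose traffic is measured (canary or stable)
  metrics:
    - name: success-rate
      interval: 60s              # one measurement per minute ...
      count: 3                   # ... three measurements per analysis run
      # an empty result (no traffic yet) counts as a failure rather than a pass
      successCondition: len(result) > 0 && result[0] >= 0.99
      failureLimit: 1            # the second failed measurement aborts and rolls back
      provider:
        prometheus:
          # assumed Service name for the kube-prometheus-stack release "kps"
          address: http://kps-kube-prometheus-stack-prometheus.monitoring.svc:9090
          # share of requests ingress-nginx routed to the Service that were not 5xx
          query: |
            sum(rate(nginx_ingress_controller_requests{exported_service="{{args.service}}",status!~"5.."}[2m]))
            /
            sum(rate(nginx_ingress_controller_requests{exported_service="{{args.service}}"}[2m]))
---
# Fragment: replace spec.strategy.canary.steps of the demo-web Rollout above with this list
# (the rest of the Rollout is unchanged and omitted here).
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: demo-web
  namespace: dev
spec:
  strategy:
    canary:
      steps:
        - setWeight: 20
        - pause: {duration: 60}
        - analysis:                      # 3 minutes of measurement at 20% before going further
            templateName: success-rate
            args:
              - name: service
                value: demo-web-canary
        - setWeight: 50
        - pause: {duration: 120}
```

Apply with kubectl apply -n dev -f after the Rollout, Services and Ingress exist; kubectl argo rollouts get rollout demo-web shows the analysis run status, and a failed run moves the Rollout to Degraded and restores the stable ReplicaSet automatically.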
6. CI: GitLab CI with Trivy + Helm OCI + deployment to Kubernetes
Example .gitlab-ci.yml (Docker executor):
stages: [build, scan, package, deploy]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_TLS_CERTDIR: ""
  IMAGE: 192.168.101.100:8083/library/demo-web:${CI_COMMIT_SHORT_SHA}

build:
  stage: build
  image: docker:24
  services:
    # Harbor is plain HTTP in this PoC, so the dind daemon must be told to trust it
    - name: docker:24-dind
      command: ["--insecure-registry=192.168.101.100:8083"]
  script:
    # --password-stdin keeps the password out of the process list and job log
    - echo "$HARBOR_PASS" | docker login 192.168.101.100:8083 -u "$HARBOR_USER" --password-stdin
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

scan:
  stage: scan
  image: aquasec/trivy:latest
  variables:
    # Trivy reads registry credentials from these variables
    TRIVY_USERNAME: $HARBOR_USER
    TRIVY_PASSWORD: $HARBOR_PASS
  script:
    # full HIGH/CRITICAL report for the job log; never fails the job
    - trivy image --insecure --exit-code 0 --severity HIGH,CRITICAL "$IMAGE"
    # gate: any CRITICAL finding blocks the pipeline (--insecure: plain-HTTP registry)
    - trivy image --insecure --exit-code 1 --severity CRITICAL "$IMAGE" || (echo "blocked: CRITICAL vulnerabilities found" && exit 1)

package:
  stage: package
  image: alpine/helm:3.13.2
  script:
    - helm registry login 192.168.101.100:8083 --insecure -u "$HARBOR_USER" -p "$HARBOR_PASS"
    - helm lint helm/demo
    - helm package helm/demo -d dist
    - helm push dist/*.tgz oci://192.168.101.100:8083/library --plain-http
  artifacts:
    paths: [dist]

# Shared deploy settings; jobs inherit them via `extends` (the deploy jobs run helm, so they
# use the helm image). The kubeconfig is supplied as a GitLab CI/CD variable of type "File"
# named KUBECONFIG (masked, protected); helm reads $KUBECONFIG directly.
.deploy_template:
  stage: deploy
  image: alpine/helm:3.13.2

deploy_dev:
  extends: .deploy_template
  environment: { name: dev }
  script:
    - >
      helm upgrade --install demo-web helm/demo
      --namespace dev --create-namespace
      --set image.repository=${IMAGE%:*}
      --set image.tag=${CI_COMMIT_SHORT_SHA}

deploy_prod:
  extends: .deploy_template
  environment: { name: prod }
  only:
    - /^release\/.+$/
  script:
    - >
      helm upgrade --install demo-web helm/demo
      --namespace prod --create-namespace
      --set image.repository=${IMAGE%:*}
      --set image.tag=${CI_COMMIT_SHORT_SHA}
Providing the kubeconfig to the Runner: store the contents of /etc/rancher/k3s/k3s.yaml as a GitLab variable (masked, protected) or mount the file into the Runner container. k3s.yaml points at https://127.0.0.1:6443; replace 127.0.0.1 with 192.168.101.100 first, since the job runs inside a container. Treat this file as a cluster-admin credential.
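The scan job above blocks only on CRITICAL and otherwise just prints the report. Teams usually want a finer policy, for example "any CRITICAL blocks, a HIGH blocks only when a fixed version exists, unfixable HIGHs are reported but tolerated". The following script is an added example, not part of the original plan: it evaluates such a policy over the JSON Trivy writes with trivy image -f json -o trivy.json "$IMAGE" and exits non-zero when the policy is violated, so it can replace the second trivy call in the scan job. It relies only on Trivy's documented report fields (Results, Vulnerabilities, Severity, FixedVersion); the embedded sample report is constructed here and its vulnerability IDs are placeholders, not real advisories.

```python
"""Policy gate over a Trivy JSON report (added example, not from the original plan).

Usage in the scan job:
    trivy image --insecure -f json -o trivy.json "$IMAGE"
    python3 trivy_gate.py trivy.json      # exit code 1 blocks the pipeline
"""
import json
import sys
from collections import Counter

# Policy: these severities always block ...
BLOCK_ALWAYS = {"CRITICAL"}
# ... these block only when the scanner knows a fixed package version
BLOCK_IF_FIXABLE = {"HIGH"}


def _vulnerabilities(report: dict):
    """Yield every vulnerability entry; Trivy emits null or no key when a target is clean."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def summarize(report: dict) -> dict:
    """Count vulnerabilities per severity across all scanned targets."""
    counts = Counter(v.get("Severity", "UNKNOWN") for v in _vulnerabilities(report))
    return dict(counts)


def blocking_findings(report: dict) -> list:
    """Return (id, package, severity, fixed_version) for every finding that violates the policy."""
    hits = []
    for v in _vulnerabilities(report):
        sev = v.get("Severity", "UNKNOWN")
        fixed = v.get("FixedVersion", "")
        if sev in BLOCK_ALWAYS or (sev in BLOCK_IF_FIXABLE and fixed):
            hits.append((v.get("VulnerabilityID"), v.get("PkgName"), sev, fixed))
    return hits


def gate(report: dict) -> int:
    """Print a summary and return the process exit code (1 = block the pipeline)."""
    print("severity summary:", summarize(report))
    hits = blocking_findings(report)
    for vid, pkg, sev, fixed in hits:
        print(f"BLOCK {sev} {vid} in {pkg} (fixed in {fixed or 'n/a'})")
    return 1 if hits else 0


# Constructed sample in the shape of `trivy image -f json` output; IDs are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "192.168.101.100:8083/library/demo-web:1.0.0",
    "Results": [
        {
            "Target": "demo-web (alpine 3.19)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "libfoo",
                 "Severity": "HIGH", "FixedVersion": "1.2.3"},   # fixable HIGH -> blocks
                {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "libbar",
                 "Severity": "HIGH"},                            # no fix yet -> reported only
                {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "libbaz",
                 "Severity": "MEDIUM", "FixedVersion": "2.0"},   # below policy -> ignored
            ],
        },
        {"Target": "app/requirements.txt", "Vulnerabilities": None},   # clean target
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(gate(json.load(fh)))
    sys.exit(gate(SAMPLE_REPORT))
```

Keeping the policy in a reviewed script (rather than in the job's shell line) makes exceptions auditable: an allow-list of accepted, unfixable findings can be added next to BLOCK_IF_FIXABLE and reviewed through the same merge-request flow as the code it protects.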
7. Ingress and HTTPS (optional but recommended)
- Assign domain names to GitLab, Harbor, Grafana, etc. (internal DNS or hosts entries).
- Use ingress-nginx + cert-manager to issue self-signed certificates or certificates from an internal CA automatically.
8. Verification and demo
- Open a merge request in GitLab; merging to the main branch triggers: build -> Trivy scan -> push image to Harbor -> push Helm OCI chart -> deploy to dev.
- Check kube-prometheus-stack metrics and the Grafana dashboards.
- Push a release/x.y.z branch to trigger the prod deployment.
- Use Argo Rollouts to shift traffic gradually -> verify -> roll back on anomalies.
9. Backup and maintenance
- GitLab: back up /opt/sre-lab/infra/gitlab/{config,logs,data}
- Harbor: back up the /opt/sre-lab/infra/harbor directory and its backend storage
- k3s: back up /etc/rancher/k3s and the PVs of important namespaces (if any)
- Regular updates: helm upgrade and image upgrades; the Trivy database updates automatically
Once this plan is in place you have:
- GitLab as the unified code and CI platform;
- Harbor as the unified registry for images and Helm OCI artifacts;
- Trivy vulnerability gating both in CI and on the Harbor side;
- Argo Rollouts canary / blue-green releases;
- kube-prometheus-stack as the unified observability layer.