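Installation Guide
Introduction
The Connectors system has a modular architecture made up of the following components:
- Connectors Operator: the central management component that manages the deployment and lifecycle of the other connector components.
- ConnectorsCore: the required core component that provides the foundation for all connector types.
- ConnectorsGit: optional component that adds support for generic Git services.
- ConnectorsGitHub: optional component that adds support for GitHub-specific features.
- ConnectorsGitLab: optional component that adds support for GitLab-specific features (GitLab CLI, enhanced authentication).
- ConnectorsOCI: optional component that adds support for container registries (Harbor, Distribution, etc.).
- ConnectorsK8S: optional component that adds support for Kubernetes clusters.
- ConnectorsMaven: optional component that adds support for Maven registries (for example, Maven Central, or Maven repositories hosted on Sonatype Nexus).
- ConnectorsPyPI: optional component that adds support for Python package registries (for example, PyPI, or Python repositories hosted on Sonatype Nexus).
- ConnectorsNPM: optional component that adds support for Node.js package registries (for example, npm, or Node.js repositories hosted on Sonatype Nexus).
- ConnectorsHarbor: optional component that adds support for the Harbor container registry.
- ConnectorsSonarQube: optional component that adds code quality analysis support for the SonarQube and SonarCloud platforms.
This document provides instructions for installing and configuring the Connectors system.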
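Prerequisites
Before installing, make sure you have the following:
- A Kubernetes cluster
- The kubectl CLI, configured to communicate with the cluster
- Administrator privileges on the cluster
- The Connectors Operator in the Ready state on the ACP Operator Hub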
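Pod Security Requirements for Installation
Kubernetes enforces Pod Security Standards (PSS) at the namespace level. The Connectors system consists of components with different privilege requirements:
Note: If the namespace is configured with an insufficient policy (for example, restricted or baseline for the CSI components), the CSI driver fails to start because privileged operations are blocked. Conversely, applying privileged where it is not needed widens the namespace's attack surface.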
Install the Connectors Operator
First, install the Connectors Operator, which manages the lifecycle of all other components.
- Create a namespace for the operator:
kubectl create namespace connectors-operator
- Apply the operator subscription YAML:
cat <<EOF | kubectl apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  annotations:
    cpaas.io/target-namespaces: ""
  labels:
    catalog: platform
  name: connectors-operator
  namespace: connectors-operator
spec:
  channel: alpha
  installPlanApproval: Manual
  name: connectors-operator
  source: platform
  sourceNamespace: cpaas-system
EOF
kubectl wait --for=condition=InstallPlanPending subscription.operators.coreos.com/connectors-operator -n connectors-operator
installplanname=$(kubectl get subscription.operators.coreos.com -n connectors-operator connectors-operator -ojsonpath='{.status.installPlanRef.name}')
kubectl patch installplan -n connectors-operator ${installplanname} --type='merge' -p='{"spec":{"approved":true}}'
- Verify that the operator is running:
kubectl get pods -n connectors-operator
You should see the connectors-operator pod running:
NAME READY STATUS RESTARTS AGE
connectors-operator-controller-manager-xxxxxx-xxxxx 2/2 Running 0 1m
- Verify that the Custom Resource Definitions (CRDs) have been created:
kubectl get crds | grep connectors
You should see CRDs that include the following:
connectorscore.operator.connectors.alauda.io
connectorsgit.operator.connectors.alauda.io
connectorsoci.operator.connectors.alauda.io
Install ConnectorsCore
Once the operator is running, install the required ConnectorsCore component:
- Create a namespace for the connector components (if it does not already exist):
kubectl create namespace connectors-system
- Create the ConnectorsCore custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorscore -n connectors-system
- Wait until the status shows that ConnectorsCore is ready:
kubectl wait --for=condition=Ready connectorscore/connectors-core -n connectors-system --timeout=300s
- Verify that the core pods are running:
kubectl get pods -n connectors-system
You should see core components that include the following:
NAME READY STATUS RESTARTS AGE
connectors-api-xxxxxx 1/1 Running 0 2m
connectors-controller-manager-xxxxxx 1/1 Running 0 2m
connectors-proxy-xxxxxx 1/1 Running 0 2m
- Verify that the CRDs required for connector functionality are installed:
kubectl get crds | grep connectors.alauda.io
You should see:
connectorclasses.connectors.alauda.io
connectors.connectors.alauda.io
Install ConnectorsGit (Optional)
To add support for Git services such as GitHub and GitLab, install the ConnectorsGit component:
- Create the ConnectorsGit custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsGit
metadata:
  name: connectors-git
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsgit -n connectors-system
- Wait until the status shows that ConnectorsGit is ready:
kubectl wait --for=condition=Ready connectorsgit/connectors-git -n connectors-system --timeout=300s
- Verify that the Git plugin is running:
kubectl get pods -n connectors-system | grep git
You should see:
NAME READY STATUS RESTARTS AGE
connectors-git-plugin-xxxxxx 1/1 Running 0 1m
- Verify that the Git ConnectorClass has been created:
kubectl get connectorclass git
You should see:
NAME READY AGE
git True 1m
Install ConnectorsGitHub (Optional)
To add support for GitHub integration, install the ConnectorsGitHub component:
- Create the ConnectorsGitHub custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsGitHub
metadata:
  name: connectors-github
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsgithub -n connectors-system
- Wait until the status shows that ConnectorsGitHub is ready:
kubectl wait --for=condition=Ready connectorsgithub/connectors-github -n connectors-system --timeout=300s
- Verify that the GitHub ConnectorClass has been created:
kubectl get connectorclass github
Install ConnectorsGitLab (Optional)
To add support for GitLab-specific features (GitLab CLI, enhanced authentication), install the ConnectorsGitLab component:
- Create the ConnectorsGitLab custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsGitLab
metadata:
  name: connectors-gitlab
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsgitlab -n connectors-system
- Wait until the status shows that ConnectorsGitLab is ready:
kubectl wait --for=condition=Ready connectorsgitlab/connectors-gitlab -n connectors-system --timeout=300s
- Verify that the GitLab ConnectorClass has been created:
kubectl get connectorclass gitlab
You should see:
NAME READY AGE
gitlab True 1m
Install ConnectorsOCI (Optional)
To add support for container registries such as Harbor and Distribution, install the ConnectorsOCI component:
- Create the ConnectorsOCI custom resource, using one of the following exposure methods:
Virtual IP exposure:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec: {}
EOF
Host port exposure:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec:
  expose:
    type: NodePort
    domain: 192.168.1.123
    nodePort:
      port: 30000
EOF
Ingress exposure:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec:
  expose:
    type: Ingress
    domain: connectors.proxy.com
EOF
- Monitor the deployment progress:
kubectl get connectorsoci -n connectors-system
- Wait until the status shows that ConnectorsOCI is ready:
kubectl wait --for=condition=Ready connectorsoci/connectors-oci -n connectors-system --timeout=300s
- Verify that the OCI plugin is running:
kubectl get pods -n connectors-system | grep oci
- Verify that the OCI ConnectorClass has been created:
kubectl get connectorclass oci
Install ConnectorsK8S (Optional)
To add support for integration with Kubernetes clusters, install the ConnectorsK8S component:
- Create the ConnectorsK8S custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsK8S
metadata:
  name: connectors-k8s
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsk8s -n connectors-system
- Wait until the status shows that ConnectorsK8S is ready:
kubectl wait --for=condition=Ready connectorsk8s/connectors-k8s -n connectors-system --timeout=300s
- Verify that the Kubernetes ConnectorClass is ready:
kubectl get connectorclass k8s
Install ConnectorsMaven (Optional)
To add support for integration with Maven registries, install the ConnectorsMaven component:
- Create the ConnectorsMaven custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsMaven
metadata:
  name: connectors-maven
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsmaven -n connectors-system
- Wait until the status shows that ConnectorsMaven is ready:
kubectl wait --for=condition=Ready connectorsmaven/connectors-maven -n connectors-system --timeout=300s
- Verify that the Maven ConnectorClass is ready:
kubectl get connectorclass maven
Install ConnectorsPyPI (Optional)
To add support for integration with PyPI registries, install the ConnectorsPyPI component:
- Create the ConnectorsPyPI custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsPyPI
metadata:
  name: connectors-pypi
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorspypi -n connectors-system
- Verify that the PyPI ConnectorClass is ready:
kubectl get connectorclass pypi
Install ConnectorsNPM (Optional)
To add support for integration with NPM registries, install the ConnectorsNPM component:
- Create the ConnectorsNPM custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsNPM
metadata:
  name: connectors-npm
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsnpm -n connectors-system
- Verify that the NPM ConnectorClass is ready:
kubectl get connectorclass npm
Install ConnectorsHarbor (Optional)
To add support for integration with Harbor registries, install the ConnectorsHarbor component:
- Create the ConnectorsHarbor custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsHarbor
metadata:
  name: connectors-harbor
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsharbor -n connectors-system
- Verify that the Harbor ConnectorClass is ready:
kubectl get connectorclass harbor
Install ConnectorsSonarQube (Optional)
To add support for integration with the SonarQube and SonarCloud platforms, install the ConnectorsSonarQube component:
- Create the ConnectorsSonarQube custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsSonarQube
metadata:
  name: connectors-sonarqube
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorssonarqube -n connectors-system
- Verify that the SonarQube ConnectorClass is ready:
kubectl get connectorclass sonarqube
Install ConnectorsNexus (Optional)
To add support for integration with Nexus repositories, install the ConnectorsNexus component:
- Create the ConnectorsNexus custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsNexus
metadata:
  name: connectors-nexus
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsnexus -n connectors-system
- Verify that the Nexus ConnectorClass is ready:
kubectl get connectorclass nexus
Uninstall Connectors
To uninstall the Connectors system, remove the components in the reverse order of installation.
- Delete the optional components first (if installed):
# Delete ConnectorsOCI
kubectl delete connectorsoci --all -n connectors-system
# Delete ConnectorsGit
kubectl delete connectorsgit --all -n connectors-system
# Delete ConnectorsGitHub
kubectl delete connectorsgithub --all -n connectors-system
# Delete ConnectorsGitLab
kubectl delete connectorsgitlab --all -n connectors-system
# Delete ConnectorsK8S
kubectl delete connectorsk8s --all -n connectors-system
# Delete ConnectorsMaven
kubectl delete connectorsmaven --all -n connectors-system
# Delete ConnectorsPyPI
kubectl delete connectorspypi --all -n connectors-system
# Delete ConnectorsNPM
kubectl delete connectorsnpm --all -n connectors-system
# Delete ConnectorsHarbor
kubectl delete connectorsharbor --all -n connectors-system
# Delete ConnectorsSonarQube
kubectl delete connectorssonarqube --all -n connectors-system
# Delete ConnectorsNexus
kubectl delete connectorsnexus --all -n connectors-system
- Delete the core component:
kubectl delete connectorscore --all -n connectors-system
- Delete the operator:
kubectl delete -n connectors-operator subscription.operators.coreos.com/connectors-operator
- Delete the namespaces:
kubectl delete namespace connectors-system
kubectl delete namespace connectors-operator
Custom Configuration
You can customize the deployment of the connector components to better fit your environment. All connector components share a similar configuration structure.
ConnectorsCore Configuration
When creating the ConnectorsCore resource, you can specify a custom configuration:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec:
  # Configure specific workloads
  workloads:
  - name: connectors-api
    replicas: 2
    template:
      spec:
        containers:
        - name: api
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 200m
              memory: 256Mi
          securityContext:
            readOnlyRootFilesystem: true
        nodeSelector:
          kubernetes.io/os: linux
  - name: connectors-controller-manager
    replicas: 1
    template:
      spec:
        containers:
        - name: manager
          resources:
            limits:
              cpu: 300m
              memory: 512Mi
  - name: connectors-proxy
    replicas: 2
    template:
      spec:
        containers:
        - name: proxy
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
ConnectorsGit Configuration
Custom configuration for the Git plugin:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsGit
metadata:
  name: connectors-git
  namespace: connectors-system
spec:
  # Configure workloads
  workloads:
  - name: connectors-git-plugin
    replicas: 2
    template:
      spec:
        containers:
        - name: plugin
          resources:
            limits:
              cpu: 300m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
ConnectorsOCI Configuration
Custom configuration for the OCI plugin:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec:
  # Configure workloads
  workloads:
  - name: connectors-oci-plugin
    replicas: 2
    template:
      spec:
        containers:
        - name: plugin
          resources:
            limits:
              cpu: 300m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
Other Configuration
For advanced deployments, you can also specify:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec:
  # Specify additional manifests to install
  additionalManifests: "<additional manifests>"
  # Other configuration as needed
Troubleshooting
connectors-csi Is Not Ready
If daemonset/connectors-csi is not ready, check the events of the connectors-csi pods.
A common error looks like this:
Error creating: pods "connectors-csi-d4r6r" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "driver" must not include "SYS_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "socket-dir", "mountpoint-dir", "registration-dir") . . .
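This means the namespace's Pod Security level is too strict for the CSI driver.
Fix
- Make sure the namespace is configured with the privileged Pod Security level.
- Update the namespace with the correct labels.
- Restart the connectors-csi DaemonSet.
For details, see Pod Security Requirements for Installation.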
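The fix steps above written out as commands, as an added example that is not part of the original guide or the Connectors project. It assumes connectors-csi runs in the connectors-system namespace; NS, DRY_RUN and the warn/audit=baseline labels are choices of this example, while the pod-security.kubernetes.io/* labels are the standard Kubernetes Pod Security Admission labels.

```shell
#!/usr/bin/env bash
# Added example: diagnose and fix the PodSecurity rejection of connectors-csi.
# Assumptions: the DaemonSet runs in connectors-system; NS and DRY_RUN are
# knobs of this example, not kubectl or Connectors settings.
NS="${NS:-connectors-system}"
DRY_RUN="${DRY_RUN:-1}"

# Read event text on stdin and print the PSS level that rejected the pod,
# e.g. 'violates PodSecurity "baseline:latest"' -> baseline.
blocking_level() {
  sed -n 's/.*violates PodSecurity "\([a-z]*\):[^"]*".*/\1/p' | sort -u
}

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# The three fix steps: privileged level, namespace labels, DaemonSet restart.
fix_csi_namespace() {
  # warn/audit stay at baseline (this example's choice) so that other
  # workloads violating baseline in this namespace remain visible.
  run kubectl label namespace "$NS" --overwrite \
    pod-security.kubernetes.io/enforce=privileged \
    pod-security.kubernetes.io/warn=baseline \
    pod-security.kubernetes.io/audit=baseline
  run kubectl rollout restart daemonset/connectors-csi -n "$NS"
  run kubectl rollout status daemonset/connectors-csi -n "$NS" --timeout=120s
}

# Live path: scan namespace events, fix only if a rejection is found.
diagnose_and_fix() {
  level="$(kubectl get events -n "$NS" \
    -o jsonpath='{range .items[*]}{.message}{"\n"}{end}' | blocking_level)"
  [ -n "$level" ] || { echo "no PodSecurity rejection in $NS"; return 0; }
  echo "connectors-csi blocked by PodSecurity level(s): $level"
  fix_csi_namespace
}

# Constructed sample: the error line from this section, shortened.
SAMPLE='pods "connectors-csi-d4r6r" is forbidden: violates PodSecurity "baseline:latest": host namespaces (hostNetwork=true)'

if [ "${1:-}" = "live" ]; then
  diagnose_and_fix
else
  printf '%s\n' "$SAMPLE" | blocking_level   # offline demo
  DRY_RUN=1 fix_csi_namespace
fi
```

Without arguments the script only parses the sample line and prints the commands; run it with DRY_RUN=0 and the argument live to apply the changes to the cluster.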