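Installation

Introduction

The Connectors system uses a modular architecture made up of the following components:

  • Connectors Operator: the core management component, responsible for deploying the other connector components and managing their lifecycle
  • ConnectorsCore: the required core component, which provides the foundation for all connector types
  • ConnectorsGit: optional component that supports Git services (GitHub, GitLab, etc.)
  • ConnectorsGitLab: optional component that supports GitLab-specific features (GitLab CLI, enhanced authentication)
  • ConnectorsOCI: optional component that supports container image registries (Harbor, Distribution, etc.)
  • ConnectorsK8S: optional component that supports Kubernetes clusters
  • ConnectorsMaven: optional component that supports Maven repositories (such as Maven Central or Maven repositories hosted on Sonatype Nexus)
  • ConnectorsPyPI: optional component that supports Python package repositories (such as PyPI or Python repositories hosted on Sonatype Nexus)
  • ConnectorsNPM: optional component that supports Node.js package repositories (such as npm or Node.js repositories hosted on Sonatype Nexus)
  • ConnectorsHarbor: optional component that supports Harbor container image registries.

This document provides installation and configuration instructions for the Connectors system.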

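Prerequisites

Before installing, make sure that:

  • A Kubernetes cluster is available
  • The kubectl CLI is configured to communicate with the cluster
  • You have cluster administrator privileges
  • The Connectors Operator is in the Ready state in the ACP Operator Hub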

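Pod security requirements for installation

Kubernetes enforces the Pod Security Standards (PSS) at the namespace level. The Connectors system contains components with different privilege requirements:

| Component | Recommended policy | Reason |
| --- | --- | --- |
| Connectors Operator | restricted | Runs as a standard Kubernetes controller and does not depend on privileged capabilities. The Operator also runs normally under the less strict baseline level, but restricted better follows the principle of least privilege. |
| Other Connectors components (ConnectorsCore, ConnectorsGit, ConnectorsGitLab, etc.) | privileged | The Connectors-CSI component needs host-level access (such as hostPath mounts and privileged system calls) to provide CSI driver functionality, so the whole namespace must use the privileged policy. |

Note: If the namespace is configured with an insufficient policy (for example, restricted or baseline for the CSI component), the CSI driver fails to start because its privileged operations are blocked. Conversely, using privileged where it is not needed enlarges the namespace's attack surface.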

Installing the Connectors Operator

First install the Connectors Operator, which manages the lifecycle of all other components.

  1. Create the Operator namespace:

    kubectl create namespace connectors-operator
  2. Apply the Operator subscription YAML:

    cat <<EOF | kubectl apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      annotations:
        cpaas.io/target-namespaces: ""
      labels:
        catalog: platform
      name: connectors-operator
      namespace: connectors-operator
    spec:
      channel: alpha
      installPlanApproval: Manual
      name: connectors-operator
      source: platform
      sourceNamespace: cpaas-system
    EOF
    
    kubectl wait --for=condition=InstallPlanPending subscription.operators.coreos.com/connectors-operator -n connectors-operator
    
    installplanname=$(kubectl get subscription.operators.coreos.com -n connectors-operator connectors-operator -ojsonpath='{.status.installPlanRef.name}')
    kubectl patch installplan -n connectors-operator ${installplanname} --type='merge' -p='{"spec":{"approved":true}}'
  3. Verify that the Operator is running:

    kubectl get pods -n connectors-operator

    You should see the connectors-operator pod in the Running state:

    NAME                                                  READY   STATUS    RESTARTS   AGE
    connectors-operator-controller-manager-xxxxxx-xxxxx   2/2     Running   0          1m
  4. Verify that the custom resource definitions (CRDs) have been created:

    kubectl get crds | grep connectors

    The output should include:

    connectorscore.operator.connectors.alauda.io
    connectorsgit.operator.connectors.alauda.io
    connectorsoci.operator.connectors.alauda.io

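Installing ConnectorsCore

Once the Operator is running, install the required ConnectorsCore component:

  1. Create the namespace for the connector components (if it does not exist yet):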

    kubectl create namespace connectors-system
  2. Create the ConnectorsCore custom resource:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsCore
    metadata:
      name: connectors-core
      namespace: connectors-system
    spec: {}
    EOF
  3. Monitor the deployment progress:

    kubectl get connectorscore -n connectors-system
  4. Wait until the status shows that ConnectorsCore is ready:

    kubectl wait --for=condition=Ready connectorscore/connectors-core -n connectors-system --timeout=300s
  5. Verify that the core pods are running:

    kubectl get pods -n connectors-system

    You should see the core components, including:

    NAME                                              READY   STATUS    RESTARTS   AGE
    connectors-api-xxxxxx                             1/1     Running   0          2m
    connectors-controller-manager-xxxxxx              1/1     Running   0          2m
    connectors-proxy-xxxxxx                           1/1     Running   0          2m
  6. Verify that the CRDs required for connector functionality are installed:

    kubectl get crds | grep connectors.alauda.io

    You should see:

    connectorclasses.connectors.alauda.io
    connectors.connectors.alauda.io

Installing ConnectorsGit (optional)

To support Git services (such as GitHub, GitLab, etc.), install the ConnectorsGit component:

  1. Create the ConnectorsGit custom resource:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsGit
    metadata:
      name: connectors-git
      namespace: connectors-system
    spec: {}
    EOF
  2. Monitor the deployment progress:

    kubectl get connectorsgit -n connectors-system
  3. Wait until the status shows that ConnectorsGit is ready:

    kubectl wait --for=condition=Ready connectorsgit/connectors-git -n connectors-system --timeout=300s
  4. Verify that the Git plugin is running:

    kubectl get pods -n connectors-system | grep git

    You should see:

    NAME                                   READY   STATUS    RESTARTS   AGE
    connectors-git-plugin-xxxxxx           1/1     Running   0          1m
  5. Verify that the Git ConnectorClass has been created:

    kubectl get connectorclass git

    You should see:

    NAME  READY  AGE
    git   True       1m

Installing ConnectorsGitLab (optional)

To support GitLab-specific features (GitLab CLI, enhanced authentication), install the ConnectorsGitLab component:

  1. Create the ConnectorsGitLab custom resource:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsGitLab
    metadata:
      name: connectors-gitlab
      namespace: connectors-system
    spec: {}
    EOF
  2. Monitor the deployment progress:

    kubectl get connectorsgitlab -n connectors-system
  3. Wait until the status shows that ConnectorsGitLab is ready:

    kubectl wait --for=condition=Ready connectorsgitlab/connectors-gitlab -n connectors-system --timeout=300s
  4. Verify that the GitLab ConnectorClass has been created:

    kubectl get connectorclass gitlab

    You should see:

    NAME     READY  AGE
    gitlab   True   1m

Installing ConnectorsOCI (optional)

To support container image registries such as Harbor and Distribution, install the ConnectorsOCI component:

  1. Create the ConnectorsOCI custom resource:

    Exposed through ClusterIP:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsOCI
    metadata:
      name: connectors-oci
      namespace: connectors-system
    spec: {}
    EOF

    Exposed through NodePort:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsOCI
    metadata:
      name: connectors-oci
      namespace: connectors-system
    spec:
     expose:
       type: NodePort
       domain: 192.168.1.123
       nodePort:
         port: 30000
    EOF

    Exposed through Ingress:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsOCI
    metadata:
      name: connectors-oci
      namespace: connectors-system
    spec:
     expose:
       type: Ingress
       domain: connectors.proxy.com
    EOF
  2. Monitor the deployment progress:

    kubectl get connectorsoci -n connectors-system
  3. Wait until the status shows that ConnectorsOCI is ready:

    kubectl wait --for=condition=Ready connectorsoci/connectors-oci -n connectors-system --timeout=300s
  4. Verify that the OCI plugin is running:

    kubectl get pods -n connectors-system | grep oci
  5. Verify that the OCI ConnectorClass has been created:

    kubectl get connectorclass oci

Installing ConnectorsK8S (optional)

To support integration with Kubernetes clusters, install the ConnectorsK8S component:

  1. Create the ConnectorsK8S custom resource:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsK8S
    metadata:
      name: connectors-k8s
      namespace: connectors-system
    spec: {}
    EOF
  2. Monitor the deployment progress:

    kubectl get connectorsk8s -n connectors-system
  3. Wait until the status shows that ConnectorsK8S is ready:

    kubectl wait --for=condition=Ready connectorsk8s/connectors-k8s -n connectors-system --timeout=300s
  4. Verify that the Kubernetes ConnectorClass is ready:

    kubectl get connectorclass k8s

Installing ConnectorsMaven (optional)

To support integration with Maven repositories, install the ConnectorsMaven component:

  1. Create the ConnectorsMaven custom resource:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsMaven
    metadata:
      name: connectors-maven
      namespace: connectors-system
    spec: {}
    EOF
  2. Monitor the deployment progress:

    kubectl get connectorsmaven -n connectors-system
  3. Wait until the status shows that ConnectorsMaven is ready:

    kubectl wait --for=condition=Ready connectorsmaven/connectors-maven -n connectors-system --timeout=300s
  4. Verify that the Maven ConnectorClass is ready:

    kubectl get connectorclass maven

Installing ConnectorsPyPI (optional)

To support integration with PyPI repositories, install the ConnectorsPyPI component:

  1. Create the ConnectorsPyPI custom resource:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsPyPI
    metadata:
      name: connectors-pypi
      namespace: connectors-system
    spec: {}
    EOF
  2. Monitor the deployment progress:

    kubectl get connectorspypi -n connectors-system
  3. Verify that the PyPI ConnectorClass is ready:

    kubectl get connectorclass pypi

Installing ConnectorsNPM (optional)

To support integration with NPM repositories, install the ConnectorsNPM component:

  1. Create the ConnectorsNPM custom resource:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsNPM
    metadata:
      name: connectors-npm
      namespace: connectors-system
    spec: {}
    EOF
  2. Monitor the deployment progress:

    kubectl get connectorsnpm -n connectors-system
  3. Verify that the NPM ConnectorClass is ready:

    kubectl get connectorclass npm

Installing ConnectorsHarbor (optional)

To support integration with Harbor registries, install the ConnectorsHarbor component:

  1. Create the ConnectorsHarbor custom resource:

    cat <<EOF | kubectl apply -f -
    apiVersion: operator.connectors.alauda.io/v1alpha1
    kind: ConnectorsHarbor
    metadata:
      name: connectors-harbor
      namespace: connectors-system
    spec: {}
    EOF
  2. Monitor the deployment progress:

    kubectl get connectorsharbor -n connectors-system
  3. Verify that the Harbor ConnectorClass is ready:

    kubectl get connectorclass harbor

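Uninstalling Connectors

When uninstalling the Connectors system, remove the components in the reverse order of installation.

  1. First delete the optional components (if installed):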

    # Delete ConnectorsOCI
    kubectl delete connectorsoci --all -n connectors-system
    
    # Delete ConnectorsGit
    kubectl delete connectorsgit --all -n connectors-system
    
    # Delete ConnectorsGitLab
    kubectl delete connectorsgitlab --all -n connectors-system
    
    # Delete ConnectorsK8S
    kubectl delete connectorsk8s --all -n connectors-system
    
    # Delete ConnectorsMaven
    kubectl delete connectorsmaven --all -n connectors-system
    
    # Delete ConnectorsPyPI
    kubectl delete connectorspypi --all -n connectors-system
    
    # Delete ConnectorsNPM
    kubectl delete connectorsnpm --all -n connectors-system
    
    # Delete ConnectorsHarbor
    kubectl delete connectorsharbor --all -n connectors-system
  2. Delete the core component:

    kubectl delete connectorscore --all -n connectors-system
  3. Delete the Operator:

    kubectl delete -n connectors-operator subscription.operators.coreos.com/connectors-operator
  4. Delete the namespaces:

    kubectl delete namespace connectors-system
    kubectl delete namespace connectors-operator

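Custom configuration

You can customize the deployment of the connector components to better fit your environment. All connector components share a similar configuration structure.

ConnectorsCore configuration

When creating the ConnectorsCore resource, you can specify custom configuration: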

apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec:
  # Configure specific workloads
  workloads:
  - name: connectors-api
    replicas: 2
    template:
      spec:
        containers:
        - name: api
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 200m
              memory: 256Mi
          securityContext:
            readOnlyRootFilesystem: true
        nodeSelector:
          kubernetes.io/os: linux

  - name: connectors-controller-manager
    replicas: 1
    template:
      spec:
        containers:
        - name: manager
          resources:
            limits:
              cpu: 300m
              memory: 512Mi

  - name: connectors-proxy
    replicas: 2
    template:
      spec:
        containers:
        - name: proxy
          resources:
            limits:
              cpu: 200m
              memory: 256Mi

ConnectorsGit configuration

Custom configuration for the Git plugin:

apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsGit
metadata:
  name: connectors-git
  namespace: connectors-system
spec:
  # Configure workloads
  workloads:
  - name: connectors-git-plugin
    replicas: 2
    template:
      spec:
        containers:
        - name: plugin
          resources:
            limits:
              cpu: 300m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi

ConnectorsOCI configuration

Custom configuration for the OCI plugin:

apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec:
  # Configure workloads
  workloads:
  - name: connectors-oci-plugin
    replicas: 2
    template:
      spec:
        containers:
        - name: plugin
          resources:
            limits:
              cpu: 300m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi

Other configuration

For advanced deployments, you can also specify:

apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec:
  # Additional manifests to install
  additionalManifests: "<additional manifests>"

  # Other required configuration

Troubleshooting

connectors-csi is not ready

If daemonset/connectors-csi is not ready, check the events of the connectors-csi pods. A common error looks like this:

Error creating: pods "connectors-csi-d4r6r" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "driver" must not include "SYS_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "socket-dir", "mountpoint-dir", "registration-dir") . . .

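This means the namespace's Pod Security level is too strict for the CSI driver.

Solution

  • Make sure the namespace is configured with the privileged Pod Security level.
  • Update the namespace with the correct labels.
  • Restart the connectors-csi DaemonSet.

For details, see Pod security requirements for installation.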
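
The namespace labelling that the Pod security requirements section and the troubleshooting steps above call for, as an added example that is not part of the original documentation: it reads the rejecting level out of a PodSecurity event message and emits Namespace manifests carrying the Pod Security Admission enforce labels. The function names are hypothetical, and it assumes that connectors-csi runs in connectors-system.

```shell
#!/bin/sh
# Added example (not from the Connectors docs). Namespace names come from this
# page; the function names and the DaemonSet namespace are assumptions.

# Print the Pod Security level that rejected a pod, given the event message.
pss_blocking_level() {
  printf '%s\n' "$1" | sed -n 's/.*violates PodSecurity "\([a-z]*\):[^"]*".*/\1/p'
}

# Print a Namespace manifest that enforces LEVEL ($2) on namespace NAME ($1).
pss_namespace() {
  case "$2" in
    privileged|baseline|restricted) ;;
    *) echo "unknown Pod Security level: $2" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $1
  labels:
    pod-security.kubernetes.io/enforce: $2
    pod-security.kubernetes.io/enforce-version: latest
EOF
}

# Sample input: the event text from the troubleshooting section, shortened.
SAMPLE_EVENT='Error creating: pods "connectors-csi-d4r6r" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "driver" must not include "SYS_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true)'

# Run with the argument "apply" to label both namespaces with the levels the
# page recommends and restart the CSI DaemonSet; otherwise nothing is changed.
if [ "${1:-}" = "apply" ]; then
  pss_namespace connectors-operator restricted | kubectl apply -f -
  pss_namespace connectors-system privileged | kubectl apply -f -
  # Assumption: connectors-csi runs in connectors-system.
  kubectl rollout restart daemonset/connectors-csi -n connectors-system
  kubectl rollout status daemonset/connectors-csi -n connectors-system --timeout=300s
fi
```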