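Installation
Introduction
The Connectors system uses a modular architecture made up of the following components:
- Connectors Operator: the core management component, responsible for deploying the other connector components and managing their lifecycle
- ConnectorsCore: the required core component, which provides the foundation for all connector types
- ConnectorsGit: optional component that supports Git services (GitHub, GitLab, etc.)
- ConnectorsGitLab: optional component that supports GitLab-specific features (GitLab CLI, enhanced authentication)
- ConnectorsOCI: optional component that supports container image registries (Harbor, Distribution, etc.)
- ConnectorsK8S: optional component that supports Kubernetes clusters
- ConnectorsMaven: optional component that supports Maven repositories (such as Maven Central or Maven repositories hosted on Sonatype Nexus)
- ConnectorsPyPI: optional component that supports Python package repositories (such as PyPI or Python repositories hosted on Sonatype Nexus)
- ConnectorsNPM: optional component that supports Node.js package repositories (such as npm or Node.js repositories hosted on Sonatype Nexus)
- ConnectorsHarbor: optional component that supports the Harbor container image registry
- ConnectorsSonarQube: optional component that supports code quality analysis on the SonarQube and SonarCloud platforms
This document provides installation and configuration instructions for the Connectors system.
Prerequisites
Before installing, make sure that:
- You have a Kubernetes cluster
- The kubectl CLI is configured to connect to the cluster
- You have cluster administrator privileges
- The Connectors Operator shows the status Ready in the ACP Operator Hub
Pod security requirements for installation
Kubernetes enforces Pod Security Standards (PSS) at the namespace level. The Connectors system contains components with different privilege requirements:
Note: if the namespace is configured with a policy that is not permissive enough (for example restricted or baseline for the CSI component), the CSI driver cannot start because its privileged operations are blocked. Conversely, using privileged where it is not needed enlarges the namespace's attack surface.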
Install the Connectors Operator
First install the Connectors Operator, which manages the lifecycle of all other components.
- Create the Operator namespace:
kubectl create namespace connectors-operator
- Apply the Operator subscription YAML:
cat <<EOF | kubectl apply -f -
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  annotations:
    cpaas.io/target-namespaces: ""
  labels:
    catalog: platform
  name: connectors-operator
  namespace: connectors-operator
spec:
  channel: alpha
  installPlanApproval: Manual
  name: connectors-operator
  source: platform
  sourceNamespace: cpaas-system
EOF
kubectl wait --for=condition=InstallPlanPending subscription.operators.coreos.com/connectors-operator -n connectors-operator
installplanname=$(kubectl get subscription.operators.coreos.com -n connectors-operator connectors-operator -ojsonpath='{.status.installPlanRef.name}')
kubectl patch installplan -n connectors-operator ${installplanname} --type='merge' -p='{"spec":{"approved":true}}'
- Verify that the Operator is running:
kubectl get pods -n connectors-operator
You should see the connectors-operator Pod in the Running state:
NAME READY STATUS RESTARTS AGE
connectors-operator-controller-manager-xxxxxx-xxxxx 2/2 Running 0 1m
- Verify that the custom resource definitions (CRDs) have been created:
kubectl get crds | grep connectors
You should see entries including:
connectorscore.operator.connectors.alauda.io
connectorsgit.operator.connectors.alauda.io
connectorsoci.operator.connectors.alauda.io
Install ConnectorsCore
Once the Operator is running, install the required ConnectorsCore component:
- Create the namespace for the connector components (if it does not exist yet):
kubectl create namespace connectors-system
- Create the ConnectorsCore custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorscore -n connectors-system
- Wait until the status shows that ConnectorsCore is ready:
kubectl wait --for=condition=Ready connectorscore/connectors-core -n connectors-system --timeout=300s
- Verify that the core Pods are running:
kubectl get pods -n connectors-system
You should see the core components, including:
NAME READY STATUS RESTARTS AGE
connectors-api-xxxxxx 1/1 Running 0 2m
connectors-controller-manager-xxxxxx 1/1 Running 0 2m
connectors-proxy-xxxxxx 1/1 Running 0 2m
- Verify that the CRDs required for connector functionality are installed:
kubectl get crds | grep connectors.alauda.io
You should see:
connectorclasses.connectors.alauda.io
connectors.connectors.alauda.io
Install ConnectorsGit (optional)
To support Git services (such as GitHub, GitLab, etc.), install the ConnectorsGit component:
- Create the ConnectorsGit custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsGit
metadata:
  name: connectors-git
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsgit -n connectors-system
- Wait until the status shows that ConnectorsGit is ready:
kubectl wait --for=condition=Ready connectorsgit/connectors-git -n connectors-system --timeout=300s
- Verify that the Git plugin is running:
kubectl get pods -n connectors-system | grep git
You should see:
NAME READY STATUS RESTARTS AGE
connectors-git-plugin-xxxxxx 1/1 Running 0 1m
- Verify that the Git ConnectorClass has been created:
kubectl get connectorclass git
You should see:
NAME READY AGE
git True 1m
Install ConnectorsGitLab (optional)
To support GitLab-specific features (GitLab CLI, enhanced authentication), install the ConnectorsGitLab component:
- Create the ConnectorsGitLab custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsGitLab
metadata:
  name: connectors-gitlab
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsgitlab -n connectors-system
- Wait until the status shows that ConnectorsGitLab is ready:
kubectl wait --for=condition=Ready connectorsgitlab/connectors-gitlab -n connectors-system --timeout=300s
- Verify that the GitLab ConnectorClass has been created:
kubectl get connectorclass gitlab
You should see:
NAME READY AGE
gitlab True 1m
Install ConnectorsOCI (optional)
To support container image registries (such as Harbor, Distribution, etc.), install the ConnectorsOCI component:
- Create the ConnectorsOCI custom resource:
Exposed via ClusterIP:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec: {}
EOF
Exposed via NodePort:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec:
  expose:
    type: NodePort
    domain: 192.168.1.123
    nodePort:
      port: 30000
EOF
Exposed via Ingress:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec:
  expose:
    type: Ingress
    domain: connectors.proxy.com
EOF
- Monitor the deployment progress:
kubectl get connectorsoci -n connectors-system
- Wait until the status shows that ConnectorsOCI is ready:
kubectl wait --for=condition=Ready connectorsoci/connectors-oci -n connectors-system --timeout=300s
- Verify that the OCI plugin is running:
kubectl get pods -n connectors-system | grep oci
- Verify that the OCI ConnectorClass has been created:
kubectl get connectorclass oci
Install ConnectorsK8S (optional)
To support Kubernetes cluster integration, install the ConnectorsK8S component:
- Create the ConnectorsK8S custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsK8S
metadata:
  name: connectors-k8s
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsk8s -n connectors-system
- Wait until the status shows that ConnectorsK8S is ready:
kubectl wait --for=condition=Ready connectorsk8s/connectors-k8s -n connectors-system --timeout=300s
- Verify that the Kubernetes ConnectorClass is ready:
kubectl get connectorclass k8s
Install ConnectorsMaven (optional)
To support Maven repository integration, install the ConnectorsMaven component:
- Create the ConnectorsMaven custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsMaven
metadata:
  name: connectors-maven
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsmaven -n connectors-system
- Wait until the status shows that ConnectorsMaven is ready:
kubectl wait --for=condition=Ready connectorsmaven/connectors-maven -n connectors-system --timeout=300s
- Verify that the Maven ConnectorClass is ready:
kubectl get connectorclass maven
Install ConnectorsPyPI (optional)
To support PyPI repository integration, install the ConnectorsPyPI component:
- Create the ConnectorsPyPI custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsPyPI
metadata:
  name: connectors-pypi
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorspypi -n connectors-system
- Verify that the PyPI ConnectorClass is ready:
kubectl get connectorclass pypi
Install ConnectorsNPM (optional)
To support NPM repository integration, install the ConnectorsNPM component:
- Create the ConnectorsNPM custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsNPM
metadata:
  name: connectors-npm
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsnpm -n connectors-system
- Verify that the NPM ConnectorClass is ready:
kubectl get connectorclass npm
Install ConnectorsHarbor (optional)
To support Harbor registry integration, install the ConnectorsHarbor component:
- Create the ConnectorsHarbor custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsHarbor
metadata:
  name: connectors-harbor
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorsharbor -n connectors-system
- Verify that the Harbor ConnectorClass is ready:
kubectl get connectorclass harbor
Install ConnectorsSonarQube (optional)
To support integration with the SonarQube and SonarCloud platforms, install the ConnectorsSonarQube component:
- Create the ConnectorsSonarQube custom resource:
cat <<EOF | kubectl apply -f -
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsSonarQube
metadata:
  name: connectors-sonarqube
  namespace: connectors-system
spec: {}
EOF
- Monitor the deployment progress:
kubectl get connectorssonarqube -n connectors-system
- Verify that the SonarQube ConnectorClass is ready:
kubectl get connectorclass sonarqube
Uninstall Connectors
To uninstall the Connectors system, delete the components in the reverse order of installation.
- First delete the optional components (if installed):
# Delete ConnectorsOCI
kubectl delete connectorsoci --all -n connectors-system
# Delete ConnectorsGit
kubectl delete connectorsgit --all -n connectors-system
# Delete ConnectorsGitLab
kubectl delete connectorsgitlab --all -n connectors-system
# Delete ConnectorsK8S
kubectl delete connectorsk8s --all -n connectors-system
# Delete ConnectorsMaven
kubectl delete connectorsmaven --all -n connectors-system
# Delete ConnectorsPyPI
kubectl delete connectorspypi --all -n connectors-system
# Delete ConnectorsNPM
kubectl delete connectorsnpm --all -n connectors-system
# Delete ConnectorsHarbor
kubectl delete connectorsharbor --all -n connectors-system
# Delete ConnectorsSonarQube
kubectl delete connectorssonarqube --all -n connectors-system
- Delete the core component:
kubectl delete connectorscore --all -n connectors-system
- Delete the Operator:
kubectl delete -n connectors-operator subscription.operators.coreos.com/connectors-operator
- Delete the namespaces:
kubectl delete namespace connectors-system
kubectl delete namespace connectors-operator
Custom configuration
You can customize the deployment of the connector components to better fit your environment. All connector components share a similar configuration structure.
ConnectorsCore configuration
When creating the ConnectorsCore resource, you can specify custom configuration:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec:
  # Configure specific workloads
  workloads:
  - name: connectors-api
    replicas: 2
    template:
      spec:
        containers:
        - name: api
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 200m
              memory: 256Mi
          securityContext:
            readOnlyRootFilesystem: true
        nodeSelector:
          kubernetes.io/os: linux
  - name: connectors-controller-manager
    replicas: 1
    template:
      spec:
        containers:
        - name: manager
          resources:
            limits:
              cpu: 300m
              memory: 512Mi
  - name: connectors-proxy
    replicas: 2
    template:
      spec:
        containers:
        - name: proxy
          resources:
            limits:
              cpu: 200m
              memory: 256Mi
ConnectorsGit configuration
Custom configuration for the Git plugin:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsGit
metadata:
  name: connectors-git
  namespace: connectors-system
spec:
  # Configure workloads
  workloads:
  - name: connectors-git-plugin
    replicas: 2
    template:
      spec:
        containers:
        - name: plugin
          resources:
            limits:
              cpu: 300m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
ConnectorsOCI configuration
Custom configuration for the OCI plugin:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec:
  # Configure workloads
  workloads:
  - name: connectors-oci-plugin
    replicas: 2
    template:
      spec:
        containers:
        - name: plugin
          resources:
            limits:
              cpu: 300m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
Other configuration
For advanced deployments, you can also specify:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec:
  # Additional manifests to install
  additionalManifests: "<additional manifests>"
  # Other required configuration
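High availability deployment
For production environments, deploy the Connectors system in a high availability (HA) configuration to ensure service continuity and fault tolerance.
Configuring replica counts
You can increase the replica count of each workload through the workloads field in the component spec to achieve high availability. For production, configure at least 2 replicas per workload so that the service stays available during node failures or rolling updates.
The following are specific examples for the main connector components:
ConnectorsCore
ConnectorsCore contains three main workloads: the API server, the controller manager, and the proxy. For high availability, configure multiple replicas for each:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec:
  workloads:
  - name: connectors-api
    replicas: 2
  - name: connectors-controller-manager
    replicas: 2
  - name: connectors-proxy
    replicas: 2
After a while, all Pods of the connectors-core component have 2 replicas, except connectors-csi.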
$ kubectl get pod -n connectors-system
NAME READY STATUS RESTARTS AGE
connectors-api-58fc8b45c4-9n8hc 1/1 Running 0 67s
connectors-api-58fc8b45c4-12da7 1/1 Running 0 67s
connectors-controller-manager-548659cdff-1d2dd 1/1 Running 0 35s
connectors-controller-manager-548659cdff-s7gnn 1/1 Running 0 35s
connectors-proxy-64bb994cd9-jbp2l 1/1 Running 0 61s
connectors-proxy-64bb994cd9-dfade 1/1 Running 0 61s
ConnectorsGit
ConnectorsGit runs a single plugin deployment that integrates with Git servers:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsGit
metadata:
  name: connectors-git
  namespace: connectors-system
spec:
  workloads:
  - name: connectors-git-plugin
    replicas: 2
After a while, all Pods of the connectors-git component have 2 replicas.
$ kubectl get pod -n connectors-system
NAME READY STATUS RESTARTS AGE
connectors-git-plugin-84985b9d7d-vllp6 1/1 Running 0 67s
connectors-git-plugin-84985b9d7d-vllp6 1/1 Running 0 67s
ConnectorsOCI
ConnectorsOCI runs a single plugin deployment that handles OCI registry integration:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsOCI
metadata:
  name: connectors-oci
  namespace: connectors-system
spec:
  workloads:
  - name: connectors-oci-plugin
    replicas: 2
After a while, all Pods of the connectors-oci component have 2 replicas.
$ kubectl get pod -n connectors-system
NAME READY STATUS RESTARTS AGE
connectors-oci-plugin-84985b9d7d-vllp6 1/1 Running 0 67s
connectors-oci-plugin-84985b9d7d-vllp6 1/1 Running 0 67s
ConnectorsMaven
ConnectorsMaven runs a single plugin deployment that integrates with Maven repositories:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsMaven
metadata:
  name: connectors-maven
  namespace: connectors-system
spec:
  workloads:
  - name: connectors-maven-plugin
    replicas: 2
After a while, all Pods of the connectors-maven component have 2 replicas.
$ kubectl get pod -n connectors-system
NAME READY STATUS RESTARTS AGE
connectors-maven-plugin-84985b9d7d-vllp6 1/1 Running 0 67s
connectors-maven-plugin-84985b9d7d-vllp6 1/1 Running 0 67s
ConnectorsHarbor
ConnectorsHarbor runs a single plugin deployment that supports Harbor features:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsHarbor
metadata:
  name: connectors-harbor
  namespace: connectors-system
spec:
  workloads:
  - name: connectors-harbor-plugin
    replicas: 2
After a while, all Pods of the connectors-harbor component have 2 replicas.
$ kubectl get pod -n connectors-system
NAME READY STATUS RESTARTS AGE
connectors-harbor-plugin-84985b9d7d-vllp6 1/1 Running 0 67s
connectors-harbor-plugin-84985b9d7d-vllp6 1/1 Running 0 67s
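Components without workloads
The other connector components have no Deployment workloads, so there is no replica count to configure.
Built-in Pod anti-affinity
The system has built-in Pod anti-affinity rules that spread replicas across different nodes. The default uses preferredDuringSchedulingIgnoredDuringExecution with a weight of 100, meaning the scheduler tries to place Pods on different nodes but will still place them on the same node if there is no other option.
This default configuration ensures that:
- Pods are spread across different nodes whenever possible
- Pods can still be scheduled when the cluster has few nodes
- Failover happens automatically when a node becomes unavailable
Custom affinity rules
If the default affinity rules do not meet your needs, you can override them through the workloads configuration. The template.spec.affinity field lets you specify custom affinity rules.
For multi-zone clusters, you can configure zone-aware scheduling to spread Pods across availability zones. The following example uses requiredDuringSchedulingIgnoredDuringExecution to force distribution across zones, combined with preferredDuringSchedulingIgnoredDuringExecution to prefer distribution across different nodes within the same zone:
apiVersion: operator.connectors.alauda.io/v1alpha1
kind: ConnectorsCore
metadata:
  name: connectors-core
  namespace: connectors-system
spec:
  workloads:
  - name: connectors-api
    replicas: 3
    template:
      spec:
        affinity:
          podAntiAffinity:
            # Hard requirement: Pods must be spread across different zones
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  control-plane: api
                  app.kubernetes.io/name: connectors
              topologyKey: topology.kubernetes.io/zone
            # Soft requirement: prefer different nodes within the same zone
            preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    control-plane: api
                    app.kubernetes.io/name: connectors
                topologyKey: kubernetes.io/hostname
This configuration ensures that:
- Pods are strictly spread across different availability zones (hard requirement)
- Within a zone, Pods are preferably spread across different nodes (soft requirement)
- Resilience is provided at both the zone level and the node level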
Troubleshooting
connectors-csi is not ready
If daemonset/connectors-csi is not ready, check the events of the connectors-csi Pods. A common error looks like this:
Error creating: pods "connectors-csi-d4r6r" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "driver" must not include "SYS_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "socket-dir", "mountpoint-dir", "registration-dir") . . .
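This means that the namespace's Pod security level is too strict for the CSI driver.
Resolution
- Make sure the namespace is configured with the privileged Pod security level
- Update the namespace labels
- Restart the connectors-csi DaemonSet
For details, see Pod security requirements for installation.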
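The resolution steps above written out as shell, as an added example that is not part of the original documentation. It assumes connectors-csi runs in the connectors-system namespace used during installation and that the rejection is recorded as a FailedCreate event; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; NS is an assumption (the namespace used during installation).
NS="${NS:-connectors-system}"

# Constructed sample: the event message quoted above (truncated as on the page).
SAMPLE='Error creating: pods "connectors-csi-d4r6r" is forbidden: violates PodSecurity "baseline:latest": non-default capabilities (container "driver" must not include "SYS_ADMIN" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "socket-dir", "mountpoint-dir", "registration-dir") . . .'

# Print the Pod Security level that rejected the Pod (empty if none).
pss_rejecting_level() {
  printf '%s\n' "$1" |
    sed -n 's/.*violates PodSecurity "\([a-z]*\):[^"]*".*/\1/p'
}

# Print the violated control groups, one per line.
pss_violated_controls() {
  printf '%s\n' "$1" |
    sed -n 's/.*violates PodSecurity "[^"]*": *//p' |
    sed -e 's/ *([^)]*)//g' -e 's/[ .]*$//' |
    tr ',' '\n' | sed 's/^ *//'
}

# Print FailedCreate event messages for the namespace (needs cluster access).
csi_create_failures() {
  kubectl get events -n "$NS" --field-selector reason=FailedCreate \
    -o jsonpath='{range .items[*]}{.message}{"\n"}{end}'
}

# The three resolution steps: read the enforced level, raise it only if it
# is not already privileged, then restart the DaemonSet and wait for it.
fix_csi_namespace() {
  current=$(kubectl get namespace "$NS" \
    -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}')
  if [ "$current" != "privileged" ]; then
    kubectl label namespace "$NS" --overwrite \
      pod-security.kubernetes.io/enforce=privileged
  fi
  kubectl rollout restart daemonset/connectors-csi -n "$NS"
  kubectl rollout status daemonset/connectors-csi -n "$NS" --timeout=120s
}

# Offline demonstration on the sample message.
echo "rejected by: $(pss_rejecting_level "$SAMPLE")"
pss_violated_controls "$SAMPLE"
```

The enforce label applies to every workload in the namespace, which is the attack-surface trade-off noted under Pod security requirements for installation.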