GitLab and Kubernetes integration

Introduction

We currently use GitLab for source control and GitLab CI Runner for CI, and now want to go one step further and do CD as well, at least into the DEV environment. The target platform is Kubernetes 1.13.

Integration steps

  1. Create a test repo and add the following .gitlab-ci.yml:
test:
  image: alpine
  tags:
    - docker
  environment:
    name: dev
    url: http://jasonsoft.com.tw
  script:
    - apk add --no-cache curl
    - curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
    - chmod +x ./kubectl
    - mv ./kubectl /usr/local/bin/kubectl
    - kubectl version
    - kubectl get pods

The environment block is required: GitLab only injects the cluster credentials (the KUBECONFIG and KUBE_* deployment variables) into jobs that declare an environment. Its name and url values do not matter for this test. Note also that the script resolves stable.txt on every run, so the kubectl version can change between pipelines, and nothing verifies the downloaded binary before it is executed with the cluster credentials.
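The following script is an added example, not part of the original post or of GitLab's documentation. It replaces the curl/chmod/mv lines of the job above with an install that pins the kubectl version, downloads over TLS only, and refuses to install the binary unless its sha256 matches a digest recorded out of band. KUBECTL_VERSION and KUBECTL_SHA256 are assumed to be supplied as CI variables; the version default is a placeholder and no real digest is embedded.

```shell
#!/bin/sh
# Added example, not from the original post: install a pinned kubectl in the
# CI job and refuse to use it unless its sha256 matches a digest you recorded.
# KUBECTL_VERSION and KUBECTL_SHA256 are assumed to come from CI variables;
# the version default is a placeholder and no real digest is embedded here.
set -eu

KUBECTL_VERSION="${KUBECTL_VERSION:-v1.13.0}"
KUBECTL_SHA256="${KUBECTL_SHA256:-}"
KUBECTL_URL="https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"

# Hex sha256 of a file: sha256sum on Linux images such as alpine, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: exit status 0 only when the digests match.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

install_kubectl() {
    if [ -z "$KUBECTL_SHA256" ]; then
        echo "KUBECTL_SHA256 is not set; refusing to install an unverified binary" >&2
        return 1
    fi
    # -f fails on HTTP errors; --proto '=https' blocks any redirect to plain HTTP.
    curl -fsSL --proto '=https' --tlsv1.2 -o /tmp/kubectl "$KUBECTL_URL"
    if ! verify_sha256 /tmp/kubectl "$KUBECTL_SHA256"; then
        echo "checksum mismatch for kubectl $KUBECTL_VERSION; not installing" >&2
        rm -f /tmp/kubectl
        return 1
    fi
    install -m 0755 /tmp/kubectl /usr/local/bin/kubectl
    kubectl version --client
}

# Only download when run as "sh install-kubectl.sh install"; otherwise the
# functions are merely defined so the checks can be exercised offline.
if [ "${1:-}" = "install" ]; then
    install_kubectl
fi
```

Call it from the job's script section (sh install-kubectl.sh install) in place of the three download lines. Compute the digest once on a trusted machine with sha256sum and store it as a protected CI variable, so that the value the pipeline checks against is not something the pipeline itself can rewrite.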

  2. In the GitLab project, go to Operations -> Kubernetes and choose to add an existing cluster. The integration needs five values, all of which come from the cluster itself:
  • Kubernetes cluster name
  • API URL
  • CA Certificate
  • Token
  • Project namespace (optional, unique)
Values for the GitLab form

API URL: the address of the API server. GitLab has to reach this address itself, so if GitLab runs outside the cluster network, use the address on which the API server is reachable from there rather than the internal endpoint shown below.

# Get the API server endpoint
> kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].ports[0].name + "://" + .subsets[0].addresses[0].ip + ":" + (.subsets[0].ports[0].port | tostring)'
https://10.200.252.181:6443

# Alternatively, the plain listing shows the same address
> kubectl get endpoints kubernetes
NAME         ENDPOINTS            AGE
kubernetes   10.200.252.181:6443   95d
  3. Create an account for GitLab. Save the following as gitlab-admin-service-account.yaml. Note that it binds the account to cluster-admin, so whoever holds its token has full control of the cluster. Use the rbac.authorization.k8s.io/v1 API for the ClusterRoleBinding: v1beta1 also works on 1.13, but it was removed in Kubernetes 1.22.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: gitlab-admin
  namespace: kube-system
> kubectl apply -f gitlab-admin-service-account.yaml
serviceaccount "gitlab-admin" created
clusterrolebinding "gitlab-admin" created
  4. Find the secret name
kubectl get secrets

This lists the default namespace, so you will see something like default-token-xxxxx; the secret created for gitlab-admin lives in kube-system (the describe command further down looks it up there with -n kube-system). Every service-account token secret carries the same cluster CA in ca.crt, so any of them serves for the next step; the author read it from a secret called gitlab-token-9tmc2 in the default namespace.

  5. Extract the CA certificate
kubectl get secret gitlab-token-9tmc2 -o json | jq -r '.data["ca.crt"]' | base64 -d

The output is the cluster CA certificate (here a self-signed CA with CN=kubernetes). It is not a secret: it is what GitLab uses to verify the API server's TLS certificate. Paste the whole block, including the BEGIN and END lines, into the CA Certificate field:

-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTE5MDEwNzA1MzU0N1oXDTI5MDEwNDA1MzU0N1owFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMdC
HVm8hsTy+2qvk2LyYYKtBZyYSYVTeP9U5g15adoGogYK61DoyajNY2H8QIpsE6v+
QeIQz091gtC7qU9P/C2f8joTRC8nQMDyisN42XQELCpiZaGUvM3S32m3yyvXa2F7
5r/KamFCQeEMGvyymBmrwHpeRTs14o6VReI85BOP34jrQH17PDzeBBFptKrW280Z
g/E8bQBEH97mSZvc5GmphOikuUWCdbKOufxCXszO+5jObfu8XKpQwWU6zeO8usTT
QKI0gDbKfgPg+N1lnJdRUC3UkQ6TOvVTAX2mNwqUGs+xfgBTHALLIFIqxHHuemoq
ymz3gCeXy1Efu0BfoR0CAwEAAaMjMCEwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGVADoftcNHLR6q3j4A79aFiyH2w
M0yMZuaKA60o+i3GSNnqrBEOcPTrKwCiZiyS/LcypmixetW8yNRtnNqpP+m3UJKl
/nOcbXdCkZkSBmuUQCavBKU6UXg/iPVlComhlGBIJ6pxm97QDfRy9mFXc1IOfhm2
dzEaUvFJ2b7qlqY1yz7yp1l02nJuo8QwxAaUK2EONAvCON6nyz4bEo/NzVGiHlI+
QxRBj+wWaj2SS1M8Ynj/cd7QsYsURH0z9JBLtnKc83Phmat5Bhk7fFLkKap7ECrL
Zhg0RT32FanWQxPA9C9TucEbfOpMl7JBanITI3SLFb9MmwF6R0bJXlRYEG8=
-----END CERTIFICATE-----
  6. Extract the token
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')

The token: line of that output is the value for GitLab's Token field. Note that the token reproduced below was not minted for gitlab-admin: its payload decodes to sub system:serviceaccount:default:gitlab, i.e. an account named gitlab in the default namespace (secret gitlab-token-9tmc2) with no role binding of its own, which is what the extra binding in the next step fixes. Whichever account you use, this is a long-lived bearer token carrying that account's rights: treat the output as a secret, never paste it into tickets or docs, and delete the token secret (or the service account) to revoke it.

eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImdpdGxhYi10b2tlbi05dG1jMiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJnaXRsYWIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhNDBhYjkwZS0xZjlmLTExZTktOGU5Ny0wMDUwNTY4NWE3MTAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpnaXRsYWIifQ.S7_7Y4Dz3FroeS8_xdanDuL8rnfJfYdAIjiDQHIvZD7M2yLf_YyUmYQ2w04mnL3G1C_xcaGyMfJrDP-jnhjpAnCla1mRllJ6GimrPl6CIn4RdwZa2_EprnX18gs0PIW4szmzY8mJl3gKB0LNOiRL5mUJw7Wc0GEnAMFQXY7pSERK09j6DYLPqz2Znaca50ifv_W2C82zWMZdx_fm4M8k03lHu0HIZyfmtIJ1rpICeZfbxiwh5pAJaeUwxaKHyiwxpA3IbpxiXUAtUc4jjj-48fheNZ1ignWh_sxSMZTU7oU-GmpLYydZ1UdG4sI-FumO8fUryTm73sEUFduO0cA6BQ
  7. Grant the account permissions. If the token belongs to an account that has no binding yet (the token shown above belongs to system:serviceaccount:default:gitlab, which has none), bind it. The --user form works because RBAC treats system:serviceaccount:<namespace>:<name> as the account's user name; --serviceaccount <namespace>:<name> is the idiomatic equivalent. This again grants cluster-admin; a namespaced Role with only the verbs the deploy job needs is the safer choice. Replace the XXXX placeholders with the namespace and account name, and the binding name with one of your own:
kubectl create clusterrolebinding --user system:serviceaccount:XXXX --clusterrole cluster-admin gitlab-XXXXX-admin
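Both bindings on this page grant cluster-admin, and the token that ends up in GitLab is a long-lived bearer credential for whatever account it was minted for, so two checks are worth doing before pasting it: confirm which account the token actually belongs to, and confirm how much that account can do. The script below is an added example (not the post's own code, nor GitLab's). It replaces the cluster-wide binding of the gitlab-admin manifest above with a ServiceAccount, Role and RoleBinding confined to one namespace (the names dev and gitlab-deployer are assumptions), asks the API server what that account may do, and decodes the token's claims so that a mismatch like the one in the token printed above is caught before it reaches GitLab. Its sample input is that token; only the header and payload are decoded, since the signature cannot be checked without the cluster's service-account signing key.

```shell
#!/bin/sh
# Added example, not from the original post: a namespaced service account for
# the CI job instead of cluster-admin, plus a check that the token you are
# about to paste into GitLab really belongs to that account.
# NS and SA are assumed names; override them in the environment if needed.
set -eu

NS="${NS:-dev}"
SA="${SA:-gitlab-deployer}"

# Least-privilege manifest: the account can only touch workloads in $NS.
deployer_manifest() {
cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA}
  namespace: ${NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${SA}
  namespace: ${NS}
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${SA}
  namespace: ${NS}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${SA}
subjects:
- kind: ServiceAccount
  name: ${SA}
  namespace: ${NS}
EOF
}

# Decode one base64url JWT segment (JWTs strip the '=' padding; restore it).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
    printf '%s' "$seg" | base64 -d
}

# Print the "sub" claim of a Kubernetes service-account token.
sa_token_sub() {
    { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; echo; } \
        | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# check_sa_token TOKEN NAMESPACE NAME: succeed only if the token was minted
# for system:serviceaccount:NAMESPACE:NAME.
check_sa_token() {
    expected="system:serviceaccount:$2:$3"
    actual=$(sa_token_sub "$1")
    if [ "$actual" = "$expected" ]; then
        echo "ok: token belongs to $expected"
    else
        echo "MISMATCH: token belongs to '$actual', expected $expected" >&2
        return 1
    fi
}

# Needs a cluster: apply the manifest, confirm the account is confined to $NS,
# read its token (pre-1.24 clusters create the secret automatically), check it.
apply_and_verify() {
    deployer_manifest | kubectl apply -f -
    who="system:serviceaccount:${NS}:${SA}"
    kubectl auth can-i get pods -n "$NS" --as="$who"                    # expect yes
    kubectl auth can-i create clusterrolebindings --as="$who" || true   # expect no
    secret=$(kubectl -n "$NS" get sa "$SA" -o jsonpath='{.secrets[0].name}')
    token=$(kubectl -n "$NS" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d)
    check_sa_token "$token" "$NS" "$SA"
}

# The token printed earlier on this page; decoding it shows it was minted for
# default:gitlab, not for kube-system:gitlab-admin as the describe command suggests.
PAGE_TOKEN="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImdpdGxhYi10b2tlbi05dG1jMiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJnaXRsYWIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhNDBhYjkwZS0xZjlmLTExZTktOGU5Ny0wMDUwNTY4NWE3MTAiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpnaXRsYWIifQ.S7_7Y4Dz3FroeS8_xdanDuL8rnfJfYdAIjiDQHIvZD7M2yLf_YyUmYQ2w04mnL3G1C_xcaGyMfJrDP-jnhjpAnCla1mRllJ6GimrPl6CIn4RdwZa2_EprnX18gs0PIW4szmzY8mJl3gKB0LNOiRL5mUJw7Wc0GEnAMFQXY7pSERK09j6DYLPqz2Znaca50ifv_W2C82zWMZdx_fm4M8k03lHu0HIZyfmtIJ1rpICeZfbxiwh5pAJaeUwxaKHyiwxpA3IbpxiXUAtUc4jjj-48fheNZ1ignWh_sxSMZTU7oU-GmpLYydZ1UdG4sI-FumO8fUryTm73sEUFduO0cA6BQ"
sa_token_sub "$PAGE_TOKEN"

# Run against a real cluster only when explicitly asked: APPLY=1 sh this-script.sh
if [ -n "${APPLY:-}" ]; then apply_and_verify; fi
```

With the Role above, the kubectl get pods job from step 1 still works, but the account can no longer read other namespaces or create bindings for itself, and the first kubectl auth can-i call should answer yes while the second answers no. Run check_sa_token on whatever token you extract before it goes into the GitLab form; a MISMATCH there is the situation the extra binding step above was needed to work around.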
  8. Finally, re-run the pipeline; it should now succeed.

References:
https://docs.gitlab.com/ee/user/project/clusters/add_remove_clusters.html#add-existing-cluster

http://centosquestions.com/kubernetes-error-namespaces-gitlab-managed-apps-forbidden-user-systemserviceaccountgitlab-managed-appsgitlab-sa-cannot-get-namespaces-namespace-gitlab-managed-apps/