Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to integrate Kubernetes with Gitlab

Tags:

gitlab

kubernetes

gitlab-ci

rancher

I'm trying to integrate Kubernetes cluster with Gitlab for using the Gitlab Review Apps feature.

  • Kubernetes cluster is created via Rancher 1.6
  • Running the kubectl get all from the kubernetes shell gives
NAME             TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)        AGE
svc/my-service   LoadBalancer   x.x.144.67     x.x.13.89   80:32701/TCP      30d
svc/kubernetes   ClusterIP      10.43.0.1      <none>         443/TCP        30d
  • On the Gitlab CI / CD > Kubernetes page, we need to enter mainly 3 fields:
    1. API URL
    2. CA Certificate
    3. Token

API URL

  • If I'm not wrong, we can get the Kubernetes API URL from Rancher Dashboard > Kubernetes > CLI > Generate Config and copy the server url under cluster 
apiVersion: v1
kind: Config
clusters:
- cluster:
    api-version: v1
    insecure-skip-tls-verify: true
    server: "https://x.x.122.197:8080/r/projects/1a7/kubernetes:6443"

CA Certificate & Token?

  • Now, the question is, where to get the CA Certificate (pem format) and the Token?

I tried all the ca.crt and token values from all the namespaces from the Kubernetes dashboard, but I'm getting this error on the Gitlab when trying to install Helm Tiller application:

Something went wrong while installing Helm Tiller

Can't start installation process

Here is how my secrets page look like enter image description here

like image 993
Kartik Rokde Avatar asked May 17 '18 06:05

Kartik Rokde

People also ask

How does GitLab integrate with EKS?

Access GitLab Kubernetes Integration Page by clicking on the ”Kubernetes” menu for groups and Operations > Kubernetes menu for projects and click the “Add Kubernetes Cluster” button. Select “Amazon EKS” in the options provided under the “Create new cluster on EKS” tab.

What is GitLab Kubernetes agent?

The GitLab Agent for Kubernetes ( agentk ) is an active in-cluster component for solving GitLab and Kubernetes integration tasks in a secure and cloud-native way. The agentk communicates to the GitLab Agent Server (KAS) to perform GitOps operations.

How do I run GitLab runner in Kubernetes?

First, declare a new Namespace called gitlab-runner. After we create the new Namespace, we add the authentication roles to the Kubernetes cluster for the Runner. Below are the ServiceAccount, Role, and RoleBinding for the Runner. Copy this configuration into a file called gitlab-runner-service-account.

1 Answers

I'm also dying out with kubernetes and GitLab. I've created a couple single-node "clusters" for testing, one with minikube and another via kubeadm.

I answered this question on the GitLab forum but I'm posting my solution below:

API URL

According to the official documentation, the API URL is only https://hostname:port without trailing slash

List secrets

First, I listed the secrets as usual:

$ kubectl get secrets
NAME                           TYPE                                  DATA      AGE
default-token-tpvsd            kubernetes.io/service-account-token   3         2d
k8s-dashboard-sa-token-XXXXX   kubernetes.io/service-account-token   3         1d

Get the service token

$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data.token' | base64 -d
eyJhbGci    ... sjcuNA8w

Get the CA certificate

Then I got the CA certificate directly from the JSON output via jq with a custom selector:

$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data."ca.crt"' | base64 -d - | tee ca.crt
-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
...        ...        ...        ...        ...        ...      
FT55iMtPtFqAOnoYBCiLH6oT6Z1ACxduxPZA/EeQmTUoRJG8joczI0V1cnY=
-----END CERTIFICATE-----

Verity the CA certificate

With the CA certificate on hand you can verify as usual:

$ openssl x509 -in ca.crt -noout -subject -issuer
subject= /CN=kubernetes
issuer= /CN=kubernetes

$ openssl s_client -showcerts -connect 192.168.100.20:6443 < /dev/null &> apiserver.crt

$ openssl verify -verbose -CAfile ca.crt apiserver.crt
apiserver.crt: OK
like image 197
tonejito Avatar answered Oct 19 '22 09:10

tonejito
Sign in to Comment

Related questions

How to get client IP address from inside a Azure Kubernetes with a LoadBalancer service
Configure Ingress controller to forward custom http headers
How to access PersistentVolume files on docker-for-desktop?
What is the default memory allocated for a pod
How to get the id of the run from within a component?
Kubernetes: How to pass pipe character in readiness probe command
pods is forbidden: User "system:serviceaccount:kubernetes-dashboard:admin-user" cannot list resource "pods" in API group "" in the namespace "default"
Error: UPGRADE FAILED: failed to replace object: Service "api" is invalid: spec.clusterIP: Invalid value: "": field is immutable
Kubernetes: How to set boolean type variable in configMap
1 pod has unbound immediate PersistentVolumeClaims on Minikube
Docker container with non-root user deployed in Google Container Engine can not write to mounted GCE Persistent disk
Kubernetes simple authentication
how to change existing kubernetes aws cluster with kops (change nodes type)
NodePort services not available on all nodes
How to add flag to Kubernetes controller manager
Kubernetes, VolumeMounts a file, not a directory
How to have multiple kubernetes config and change quicky between them
How to fix "Http11NioProtocol: Error reading request, ignored"
Minikube won't work after Ubuntu upgrade to 19.10
Kubernetes Ingress: Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!