How to integrate Kubernetes with Gitlab

Published 2020-02-29 03:36

Question:

I'm trying to integrate Kubernetes cluster with Gitlab for using the Gitlab Review Apps feature.

  • Kubernetes cluster is created via Rancher 1.6
  • Running the kubectl get all from the kubernetes shell gives
NAME             TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)        AGE
svc/my-service   LoadBalancer   x.x.144.67     x.x.13.89   80:32701/TCP      30d
svc/kubernetes   ClusterIP      10.43.0.1      <none>         443/TCP        30d
  • On the Gitlab CI / CD > Kubernetes page, we need to enter mainly 3 fields:
    1. API URL
    2. CA Certificate
    3. Token

API URL

  • If I'm not wrong, we can get the Kubernetes API URL from Rancher Dashboard > Kubernetes > CLI > Generate Config and copy the server url under cluster
apiVersion: v1
kind: Config
clusters:
- cluster:
    api-version: v1
    insecure-skip-tls-verify: true
    server: "https://x.x.122.197:8080/r/projects/1a7/kubernetes:6443"

CA Certificate & Token?

  • Now, the question is, where to get the CA Certificate (pem format) and the Token?

I tried all the ca.crt and token values from all the namespaces from the Kubernetes dashboard, but I'm getting this error on the Gitlab when trying to install Helm Tiller application:

Something went wrong while installing Helm Tiller

Can't start installation process

Here is how my secrets page looks like

Answer 1:

I'm also dying out with kubernetes and GitLab. I've created a couple single-node "clusters" for testing, one with minikube and another via kubeadm.

I answered this question on the GitLab forum but I'm posting my solution below:

API URL

According to the official documentation, the API URL is only https://hostname:port without trailing slash

List secrets

First, I listed the secrets as usual:

$ kubectl get secrets
NAME                           TYPE                                  DATA      AGE
default-token-tpvsd            kubernetes.io/service-account-token   3         2d
k8s-dashboard-sa-token-XXXXX   kubernetes.io/service-account-token   3         1d

Get the service token

$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data.token' | base64 -d
eyJhbGci    ... sjcuNA8w

Get the CA certificate

Then I got the CA certificate directly from the JSON output via jq with a custom selector:

$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data."ca.crt"' | base64 -d - | tee ca.crt
-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
...        ...        ...        ...        ...        ...      
FT55iMtPtFqAOnoYBCiLH6oT6Z1ACxduxPZA/EeQmTUoRJG8joczI0V1cnY=
-----END CERTIFICATE-----

Verify the CA certificate

With the CA certificate on hand you can verify as usual:

$ openssl x509 -in ca.crt -noout -subject -issuer
subject= /CN=kubernetes
issuer= /CN=kubernetes

$ openssl s_client -showcerts -connect 192.168.100.20:6443 < /dev/null &> apiserver.crt

$ openssl verify -verbose -CAfile ca.crt apiserver.crt
apiserver.crt: OK
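
An added example, not part of the answer above: a Python check of the three GitLab fields before they are entered. It applies the https://hostname:port rule to the API URL, decodes .data.token and .data."ca.crt" from the Secret JSON, and reads the token's claims to show which service account it authenticates as. The sample Secret, the name example-sa and the claim layout (legacy secret-based service account tokens) are assumptions made for the example.

```python
import base64
import json
from urllib.parse import urlsplit

SA = "kubernetes.io/serviceaccount/"  # claim prefix in legacy secret-based tokens

def check_api_url(url):
    """Problems with an API URL of the form https://hostname:port (empty list = OK)."""
    u = urlsplit(url)
    problems = []
    if u.scheme != "https":
        problems.append("scheme is not https")
    if u.path or u.query or u.fragment:
        problems.append("path or trailing slash present")
    return problems

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_secret(secret):
    """Decode .data.token and .data["ca.crt"] as the jq | base64 -d pipelines do."""
    token = base64.b64decode(secret["data"]["token"]).decode()
    ca_pem = base64.b64decode(secret["data"]["ca.crt"]).decode().strip()
    # Payload is only decoded for inspection; the signature is NOT verified here.
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return {
        "token": token,
        "ca_is_pem": ca_pem.startswith("-----BEGIN CERTIFICATE-----")
                     and ca_pem.endswith("-----END CERTIFICATE-----"),
        "namespace": claims.get(SA + "namespace"),
        "service_account": claims.get(SA + "service-account.name"),
    }

def make_sample_secret():
    """Constructed stand-in for `kubectl -o json get secret ...` output (no real values)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iss": "kubernetes/serviceaccount", SA + "namespace": "default",
              SA + "service-account.name": "example-sa"}
    jwt = ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])
    ca = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    return {"data": {"token": base64.b64encode(jwt.encode()).decode(),
                     "ca.crt": base64.b64encode(ca.encode()).decode()}}

if __name__ == "__main__":
    print(check_api_url("https://192.168.100.20:6443"))
    print(check_api_url("https://192.168.100.20:6443/"))
    info = inspect_secret(make_sample_secret())
    print(info["namespace"], info["service_account"], info["ca_is_pem"])
```

To run it against a real Secret, pass `json.load()` of the `kubectl -o json get secret` output to `inspect_secret` instead of the constructed sample.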