Reputation: 3913
How to integrate Kubernetes with Gitlab
I'm trying to integrate Kubernetes cluster with Gitlab for using the Gitlab Review Apps feature.
- Kubernetes cluster is created via Rancher 1.6
- Running the
kubectl get allfrom the kubernetes shell gives
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE svc/my-service LoadBalancer x.x.144.67 x.x.13.89 80:32701/TCP 30d svc/kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 30d
- On the Gitlab
CI / CD>Kubernetespage, we need to enter mainly 3 fields:- API URL
- CA Certificate
- Token
API URL
- If I'm not wrong, we can get the Kubernetes API URL from
Rancher Dashboard>Kubernetes>CLI>Generate Configand copy theserverurl undercluster
apiVersion: v1 kind: Config clusters: - cluster: api-version: v1 insecure-skip-tls-verify: true server: "https://x.x.122.197:8080/r/projects/1a7/kubernetes:6443"
CA Certificate & Token?
- Now, the question is, where to get the CA Certificate (pem format) and the Token?
I tried all the ca.crt and token values from all the namespaces from the Kubernetes dashboard, but I'm getting this error on the Gitlab when trying to install Helm Tiller application:
Something went wrong while installing Helm Tiller Can't start installation process
Here is how my secrets page look like
Upvotes: 5
Views: 5311
Answers (1)
Reputation: 319
I'm also dying out with kubernetes and GitLab. I've created a couple single-node "clusters" for testing, one with minikube and another via kubeadm.
I answered this question on the GitLab forum but I'm posting my solution below:
API URL
According to the official documentation, the API URL is only https://hostname:port without trailing slash
List secrets
First, I listed the secrets as usual:
$ kubectl get secrets
NAME TYPE DATA AGE
default-token-tpvsd kubernetes.io/service-account-token 3 2d
k8s-dashboard-sa-token-XXXXX kubernetes.io/service-account-token 3 1d
Get the service token
$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data.token' | base64 -d
eyJhbGci ... sjcuNA8w
Get the CA certificate
Then I got the CA certificate directly from the JSON output via jq with a custom selector:
$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data."ca.crt"' | base64 -d - | tee ca.crt
-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
... ... ... ... ... ...
FT55iMtPtFqAOnoYBCiLH6oT6Z1ACxduxPZA/EeQmTUoRJG8joczI0V1cnY=
-----END CERTIFICATE-----
Verity the CA certificate
With the CA certificate on hand you can verify as usual:
$ openssl x509 -in ca.crt -noout -subject -issuer
subject= /CN=kubernetes
issuer= /CN=kubernetes
$ openssl s_client -showcerts -connect 192.168.100.20:6443 < /dev/null &> apiserver.crt
$ openssl verify -verbose -CAfile ca.crt apiserver.crt
apiserver.crt: OK
Upvotes: 17
Related Questions
- Gitlab pipeline, kubernetes runner - How to configure
- How do I configure my Kubernetes cluster to work with Gitlab CI?
- Run Kubernetes in a docker container in GitLab runner?
- GitLab Container to GKE (Kubernetes) deployment
- Gitlab CI on Kubernetes Cluster (Openstack)
- gitlab installation on top of kubernetes
- GitLab 9.x Kubernetes Integration
- How to connect Gitlab and on-premise Kubernetes cluster
- GitLab CI pipeline with multi-container kubernetes pod
- Is it possible to use Kubernetes for Gitlab build runners and how?