How to integrate Kubernetes with Gitlab

Problem description

I'm trying to integrate Kubernetes cluster with Gitlab for using the Gitlab Review Apps feature.

  • The Kubernetes cluster was created via Rancher 1.6
  • Running kubectl get all from the kubernetes shell gives
NAME             TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)        AGE
svc/my-service   LoadBalancer   x.x.144.67     x.x.13.89   80:32701/TCP      30d
svc/kubernetes   ClusterIP      10.43.0.1      <none>         443/TCP        30d

    • On the Gitlab CI / CD > Kubernetes page, we need to enter mainly 3 fields:

      1. API URL
      2. CA Certificate
      3. Token

      • If I'm not wrong, we can get the Kubernetes API URL from Rancher Dashboard > Kubernetes > CLI > Generate Config and copy the server url under cluster
      apiVersion: v1
      kind: Config
      clusters:
      - cluster:
          api-version: v1
          insecure-skip-tls-verify: true
          server: "https://x.x.122.197:8080/r/projects/1a7/kubernetes:6443"
      

      CA Certificate and Token?

      • Now, the question is, where to get the CA Certificate (PEM format) and the Token?

        I tried all the ca.crt and token values from all the namespaces from the Kubernetes dashboard, but I'm getting this error on the Gitlab when trying to install Helm Tiller application:

        Something went wrong while installing Helm Tiller
        
        Can't start installation process
        

        Here is what my secrets page looks like

        Recommended answer

        I'm also dying out with kubernetes and GitLab. I've created a couple single-node "clusters" for testing, one with minikube and another via kubeadm.

        I answered this question on the GitLab forum but I'm posting my solution below:

        According to the official documentation, the API URL is only https://hostname:port without trailing slash

        First, I listed the secrets as usual:

        $ kubectl get secrets
        NAME                           TYPE                                  DATA      AGE
        default-token-tpvsd            kubernetes.io/service-account-token   3         2d
        k8s-dashboard-sa-token-XXXXX   kubernetes.io/service-account-token   3         1d
        

        Get the service token

        $ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data.token' | base64 -d
        eyJhbGci    ... sjcuNA8w
        

        Get the CA certificate

        Then I got the CA certificate directly from the JSON output via jq with a custom selector:

        $ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data."ca.crt"' | base64 -d - | tee ca.crt
        -----BEGIN CERTIFICATE-----
        MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
        ...        ...        ...        ...        ...        ...      
        FT55iMtPtFqAOnoYBCiLH6oT6Z1ACxduxPZA/EeQmTUoRJG8joczI0V1cnY=
        -----END CERTIFICATE-----
        

        Verify the CA certificate

        With the CA certificate in hand, you can verify it as usual:

        $ openssl x509 -in ca.crt -noout -subject -issuer
        subject= /CN=kubernetes
        issuer= /CN=kubernetes
        
        $ openssl s_client -showcerts -connect 192.168.100.20:6443 < /dev/null &> apiserver.crt
        
        $ openssl verify -verbose -CAfile ca.crt apiserver.crt
        apiserver.crt: OK
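
As an added example (not part of the original answer), the script below checks an API URL against the https://hostname:port form quoted above and decodes a service-account token's payload to show which account it belongs to. The function names and the sample token are constructed for illustration, and the `sub` claim layout assumes a legacy secret-based service-account token with compact JSON.

```bash
#!/usr/bin/env bash
# Added example: sanity checks before pasting the API URL and token
# into GitLab's Kubernetes form. Not code from the original answer.

# Succeeds only for https://hostname:port (no path, no trailing slash).
check_api_url() {
  printf '%s\n' "$1" | grep -Eq '^https://[A-Za-z0-9.-]+:[0-9]+$'
}

# Print the decoded JSON payload (middle segment) of a JWT.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')       # base64url -> base64
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done  # restore padding
  printf '%s' "$seg" | base64 -d
}

# Print the "sub" claim: system:serviceaccount:<namespace>:<name>.
token_subject() {
  jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Constructed sample token: placeholder header and signature, claims as
# assumed for a legacy service-account token. Not a real credential.
make_sample_token() {
  local claims
  claims='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","sub":"system:serviceaccount:default:k8s-dashboard-sa"}'
  printf 'hdr.%s.sig' "$(printf '%s' "$claims" | base64 | tr -d '=\n' | tr '/+' '_-')"
}

SAMPLE_TOKEN=$(make_sample_token)
echo "token identity: $(token_subject "$SAMPLE_TOKEN")"

for url in "https://192.168.100.20:6443" "https://192.168.100.20:6443/"; do
  if check_api_url "$url"; then echo "ok:     $url"; else echo "reject: $url"; fi
done
```

Running `token_subject` on a decoded token before entering it in GitLab shows which namespace and service account the credential actually represents, which matters when several secrets are listed.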
        
