How to add an Azure AKS Kubernetes Cluster self-signed CA to GitLab CI/CD Kubernetes integration?

Problem description

I'm trying to add my Azure AKS Kubernetes cluster to my GitLab CI/CD Kubernetes integration.

I can execute kubectl commands on the cluster from my pc, after I ran this command:

az aks get-credentials --resource-group <resource-group-name> --name <kubernetes-cluster-name>

It created a .kube/config file with a content like this:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <some long base64 string here>
    server: https://<resource-group-name+some-hexadecimal-chars>.hcp.westeurope.azmk8s.io:443
  name: <kubernetes-cluster-name>
contexts:
- context:
    cluster: <kubernetes-cluster-name>
    user: clusterUser_<resource-group-name>_<kubernetes-cluster-name>
  name: <kubernetes-cluster-name>
current-context: <kubernetes-cluster-name>
kind: Config
preferences: {}
users:
- name: clusterUser_<resource-group-name>_<kubernetes-cluster-name>
  user:
    client-certificate-data: <some long base64 string here>
    client-key-data: <some long base64 string here>
    token: <some secret string of hexadecimal chars here>

In GitLab form, I have to input these fields:

  1. Kubernetes cluster name
  2. API URL
  3. CA Certificate - Certificate Authority bundle (PEM format)
  4. Token
  5. Project namespace (optional, unique)

I tried these values:

  1. I put my <kubernetes-cluster-name> to match the name of the cluster on Azure and the cluster name in the .kube/config file.
  2. I put the URL https://<resource-group-name+some-hexadecimal-chars>.hcp.westeurope.azmk8s.io:443 copied from the .kube/config file.
  3. I first tried the certificate-authority-data from the .kube/config file, but it didn't work, and I already tried all three base64 strings from the .kube/config file; none worked.
  4. I put the token from the .kube/config file.
  5. Leave this empty, as it is optional.

In GitLab, when I try to hit the Install button to install Helm Tiller, I get this error:

Something went wrong while installing Helm Tiller
Can't start installation process. nested asn1 error

Sometimes I get this error:

Kubernetes error: SSL_connect returned=1 errno=0 state=error: certificate verify failed

I've been trying to make this work since yesterday; I have googled it a lot and didn't find anything.

I think the problem is with this 3rd field, the CA Certificate; maybe there is some other way to get this content from the command line, az or kubectl.

Is there someone here who already got this Kubernetes integration from GitLab to Azure AKS working?

Recommended answer

I found out later that the base64 string in the certificate-authority-data of the .kube/config file, whose content I was copying into the CA Certificate field of GitLab's "Add Kubernetes cluster" form, is in PEM format, but base64 encoded.

The PEM format already is a base64 encoded representation of the certificate bits, but it has some line breaks in the middle. This whole content is base64 encoded again before it goes to the .kube/config so it is turned into a big base64 single-line string.

I just had to base64 decode this big single-line string (I used the JavaScript atob("....") in Chrome's Console window), which gave me something like this:

-----BEGIN CERTIFICATE-----
MIIEyDCCArCgAwIBAgIRAOL3N8oMIwWIxcFTZhTkfgMwDQYJKoZIhvcNAQELBQAw
...
...
...
5gP7yoL1peZ+AWjCgcUVZYiItqrBLpWYDgY9g8btYDUIiWlqkmC0+kBaPfwCtckx
cUp3vlwRITrv0mzrxiQjTLTUpEy7EcD+U6IecA==
-----END CERTIFICATE-----

Then I just copied this content into the GitLab "CA Certificate" field and it worked.
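
The decode step described in the answer, as an added example that is not part of the original post: it accepts either PEM text or the base64-of-PEM string found in certificate-authority-data and returns PEM, after checking that each certificate body is a well-formed DER SEQUENCE. The function names and the sample value are constructed for illustration; the sample is a placeholder blob, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")

def der_looks_sane(der):
    """A certificate is a DER SEQUENCE (tag 0x30) whose length covers the blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_blocks(text):
    """DER bytes of every CERTIFICATE block in text (empty list if none)."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(text)]

def ca_field_to_pem(value):
    """Accept PEM text or kubeconfig certificate-authority-data (base64 of PEM);
    return PEM text, or raise ValueError if no well-formed certificate is found."""
    candidates = [value]
    try:
        decoded = base64.b64decode("".join(value.split()), validate=True)
        candidates.append(decoded.decode("ascii"))
    except (ValueError, UnicodeDecodeError):
        pass                                # not base64 of text; try the raw value only
    for text in candidates:
        ders = pem_blocks(text)
        if ders and all(der_looks_sane(d) for d in ders):
            return text.strip() + "\n"
    raise ValueError("value is neither PEM nor base64-encoded PEM")

# Constructed sample: 300 placeholder bytes with a valid DER header, not a real certificate.
_der = b"\x30\x82\x01\x28" + bytes(range(256)) + bytes(40)
_b64 = base64.b64encode(_der).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")
# What certificate-authority-data holds: the PEM text base64-encoded once more.
SAMPLE_CA_DATA = base64.b64encode(SAMPLE_PEM.encode()).decode()

if __name__ == "__main__":
    print(ca_field_to_pem(SAMPLE_CA_DATA))
```

Passing the client-key-data or the token instead raises ValueError, since neither decodes to a CERTIFICATE block.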
