How to integrate Kubernetes with Gitlab
I'm trying to integrate Kubernetes cluster with Gitlab for using the Gitlab Review Apps feature.
- Kubernetes cluster is created via Rancher 1.6
- Running the kubectl get all from the kubernetes shell gives

  NAME             TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE
  svc/my-service   LoadBalancer   x.x.144.67   x.x.13.89     80:32701/TCP   30d
  svc/kubernetes   ClusterIP      10.43.0.1    <none>        443/TCP        30d

- On the Gitlab CI / CD > Kubernetes page, we need to enter mainly 3 fields:
  - API URL
  - CA Certificate
  - Token
API URL
- If I'm not wrong, we can get the Kubernetes API URL from Rancher Dashboard > Kubernetes > CLI > Generate Config and copy the server url under cluster

  apiVersion: v1
  kind: Config
  clusters:
  - cluster:
      api-version: v1
      insecure-skip-tls-verify: true
      server: "https://x.x.122.197:8080/r/projects/1a7/kubernetes:6443"
CA Certificate & Token?
- Now, the question is, where to get the CA Certificate (pem format) and the Token?
I tried all the ca.crt and token values from all the namespaces from the Kubernetes dashboard, but I'm getting this error on the Gitlab when trying to install Helm Tiller application:
Something went wrong while installing Helm Tiller
Can't start installation process
Here is how my secrets page looks like
I'm also dying out with kubernetes and GitLab. I've created a couple single-node "clusters" for testing, one with minikube and another via kubeadm.
I answered this question on the GitLab forum but I'm posting my solution below:
API URL
According to the official documentation, the API URL is only https://hostname:port without trailing slash
List secrets
First, I listed the secrets as usual:
$ kubectl get secrets
NAME TYPE DATA AGE
default-token-tpvsd kubernetes.io/service-account-token 3 2d
k8s-dashboard-sa-token-XXXXX kubernetes.io/service-account-token 3 1d
Get the service token
$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data.token' | base64 -d
eyJhbGci ... sjcuNA8w
Get the CA certificate
Then I got the CA certificate directly from the JSON output via jq with a custom selector:
$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data."ca.crt"' | base64 -d - | tee ca.crt
-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
... ... ... ... ... ...
FT55iMtPtFqAOnoYBCiLH6oT6Z1ACxduxPZA/EeQmTUoRJG8joczI0V1cnY=
-----END CERTIFICATE-----
Verify the CA certificate
With the CA certificate on hand you can verify as usual:
$ openssl x509 -in ca.crt -noout -subject -issuer
subject= /CN=kubernetes
issuer= /CN=kubernetes
$ openssl s_client -showcerts -connect 192.168.100.20:6443 < /dev/null &> apiserver.crt
$ openssl verify -verbose -CAfile ca.crt apiserver.crt
apiserver.crt: OK
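An added example, not part of the original answer: a Python pre-flight check of the three GitLab fields, run on the JSON that kubectl -o json get secret prints. It confirms the API URL has the https://hostname:port form, that the token really was base64-decoded into a three-part JWT, and reports which service account the token belongs to. The secret, the subject claim and the placeholder certificate bytes are constructed, and the function names are illustrative assumptions.

```python
import base64
import json
import ssl
from urllib.parse import urlsplit


def api_url_ok(url):
    """True only for the https://hostname:port form: no path, no trailing slash."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return False
    return (parts.scheme == "https" and bool(parts.hostname) and port is not None
            and parts.path == "" and not parts.query and not parts.fragment)


def decode_secret(secret):
    """Return (token, ca_pem, subject) from `kubectl -o json get secret NAME` output."""
    token = base64.b64decode(secret["data"]["token"]).decode("ascii")
    ca_pem = base64.b64decode(secret["data"]["ca.crt"]).decode("ascii")
    if token.count(".") != 2:
        raise ValueError("token is not a three-part JWT (still base64-encoded?)")
    # Checks PEM framing and base64 only; `openssl verify` does the real validation.
    ssl.PEM_cert_to_DER_cert(ca_pem)
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return token, ca_pem, claims.get("sub")  # sub names the service account


def make_sample_secret():
    """Constructed sample: fake signature, placeholder bytes instead of a real cert."""
    def seg(obj):  # one unpadded base64url JWT segment
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    def b64(text):  # how values are stored under .data in a secret
        return base64.b64encode(text.encode()).decode()
    jwt = ".".join([seg({"alg": "RS256"}),
                    seg({"iss": "kubernetes/serviceaccount",
                         "sub": "system:serviceaccount:default:k8s-dashboard-sa"}),
                    "c2lnbmF0dXJl"])
    pem = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a certificate")
    return {"type": "kubernetes.io/service-account-token",
            "data": {"token": b64(jwt), "ca.crt": b64(pem)}}


if __name__ == "__main__":
    _, _, subject = decode_secret(make_sample_secret())
    print("token belongs to:", subject)
    print("API URL ok:", api_url_ok("https://192.168.100.20:6443"))
```

Knowing the subject before pasting the token into GitLab shows exactly which service account, and therefore which permissions, the integration will run with.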