How to integrate Kubernetes with Gitlab


Problem description

I'm trying to integrate Kubernetes cluster with Gitlab for using the Gitlab Review Apps feature.

  • Kubernetes cluster is created via Rancher 1.6
  • Running the kubectl get all from the kubernetes shell gives

NAME             TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)        AGE
svc/my-service   LoadBalancer   x.x.144.67     x.x.13.89   80:32701/TCP      30d
svc/kubernetes   ClusterIP      10.43.0.1      <none>         443/TCP        30d

  • On the Gitlab CI / CD > Kubernetes page, we need to enter mainly 3 fields:

    1. API URL
    2. CA Certificate
    3. Token

API URL

  • If I'm not wrong, we can get the Kubernetes API URL from Rancher Dashboard > Kubernetes > CLI > Generate Config and copy the server url under cluster

apiVersion: v1
kind: Config
clusters:
- cluster:
    api-version: v1
    insecure-skip-tls-verify: true
    server: "https://x.x.122.197:8080/r/projects/1a7/kubernetes:6443"

CA Certificate & Token?

  • Now, the question is, where to get the CA Certificate (pem format) and the Token?

I tried all the ca.crt and token values from all the namespaces from the Kubernetes dashboard, but I'm getting this error on the Gitlab when trying to install Helm Tiller application:

Something went wrong while installing Helm Tiller

Can't start installation process

Here is what my secrets page looks like

Solution

I'm also dying out with kubernetes and GitLab. I've created a couple single-node "clusters" for testing, one with minikube and another via kubeadm.

I answered this question on the GitLab forum but I'm posting my solution below:

API URL

According to the official documentation, the API URL is only https://hostname:port without a trailing slash.

List secrets

First, I listed the secrets as usual:

$ kubectl get secrets
NAME                           TYPE                                  DATA      AGE
default-token-tpvsd            kubernetes.io/service-account-token   3         2d
k8s-dashboard-sa-token-XXXXX   kubernetes.io/service-account-token   3         1d

Get the service token

$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data.token' | base64 -d
eyJhbGci    ... sjcuNA8w

Get the CA certificate

Then I got the CA certificate directly from the JSON output via jq with a custom selector:

$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data."ca.crt"' | base64 -d - | tee ca.crt
-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
...        ...        ...        ...        ...        ...      
FT55iMtPtFqAOnoYBCiLH6oT6Z1ACxduxPZA/EeQmTUoRJG8joczI0V1cnY=
-----END CERTIFICATE-----

Verify the CA certificate

With the CA certificate on hand you can verify as usual:

$ openssl x509 -in ca.crt -noout -subject -issuer
subject= /CN=kubernetes
issuer= /CN=kubernetes

$ openssl s_client -showcerts -connect 192.168.100.20:6443 < /dev/null &> apiserver.crt

$ openssl verify -verbose -CAfile ca.crt apiserver.crt
apiserver.crt: OK
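
An added example, not part of the original answer: a pre-flight check of the three values before they are pasted into GitLab. It confirms that the token and ca.crt were base64-decoded, applies the answer's API URL rule, and reads the JWT `sub` claim to show which service account the token grants. The function names, the service-account name and the sample secret are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

def _seg(obj):
    """Encode a dict as an unpadded base64url JWT segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_secret():
    """Constructed stand-in for `kubectl -o json get secret <name>`; not real credentials."""
    claims = {"iss": "kubernetes/serviceaccount",
              "sub": "system:serviceaccount:default:k8s-dashboard-sa"}
    jwt = ".".join([_seg({"alg": "RS256"}), _seg(claims), "c2ln"])
    pem = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return {"type": "kubernetes.io/service-account-token",
            "data": {"token": enc(jwt), "ca.crt": enc(pem)}}

def from_secret(secret):
    """Base64-decode .data.token and .data."ca.crt", as the jq | base64 -d pipelines do."""
    data = secret["data"]
    return (base64.b64decode(data["token"]).decode(),
            base64.b64decode(data["ca.crt"]).decode())

def check_fields(api_url, ca_pem, token):
    """Return (jwt_subject, problems) for the three values GitLab asks for."""
    problems = []
    u = urlsplit(api_url)
    # The answer's rule: https://hostname:port and nothing after it.
    if u.scheme != "https" or not u.hostname or u.path or u.query:
        problems.append("API URL: expected https://hostname:port, no path or trailing slash")
    if not ca_pem.lstrip().startswith("-----BEGIN CERTIFICATE-----"):
        problems.append("CA certificate: not PEM (still base64-encoded?)")
    subject = None
    parts = token.strip().split(".")
    if len(parts) != 3:
        problems.append("Token: not a three-part JWT (still base64-encoded?)")
    else:
        # JWT segments are base64url without padding; restore it before decoding.
        payload = parts[1] + "=" * (-len(parts[1]) % 4)
        subject = json.loads(base64.urlsafe_b64decode(payload)).get("sub")
    return subject, problems

if __name__ == "__main__":
    token, ca_pem = from_secret(sample_secret())
    print(check_fields("https://192.168.100.20:6443", ca_pem, token))
```

The `sub` claim names the namespace and service account, so it is worth confirming that this is the account you intend GitLab to act as before handing over the token.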
