How to integrate Kubernetes with Gitlab
I'm trying to integrate Kubernetes cluster with Gitlab for using the Gitlab Review Apps feature.
- The Kubernetes cluster is created via Rancher 1.6
- Running from the kubernetes shell
kubectl get all
gives
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
svc/my-service LoadBalancer x.x.144.67 x.x.13.89 80:32701/TCP 30d
svc/kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 30d
- On the Gitlab CI / CD > Kubernetes page, we need to enter mainly 3 fields:
  - API URL
  - CA Certificate
  - Token
- If I'm not wrong, we can get the Kubernetes API URL from Rancher Dashboard > Kubernetes > CLI > Generate Config and copy the server url under cluster
apiVersion: v1
kind: Config
clusters:
- cluster:
    api-version: v1
    insecure-skip-tls-verify: true
    server: "https://x.x.122.197:8080/r/projects/1a7/kubernetes:6443"
CA Certificate and Token?
- Now, the question is, where to get the CA Certificate (pem format) and the token?
I tried all the ca.crt and token values from all the namespaces from the Kubernetes dashboard, but I'm getting this error on the Gitlab when trying to install Helm Tiller application:
Something went wrong while installing Helm Tiller
Can't start installation process
Here is how my secrets page looks
I'm also dying out with kubernetes and GitLab. I've created a couple single-node "clusters" for testing, one with minikube and another via kubeadm.
I answered this question on the GitLab forum but I'm posting my solution below:
According to the official documentation, the API URL is only https://hostname:port without trailing slash
First, I listed the secrets as usual:
$ kubectl get secrets
NAME TYPE DATA AGE
default-token-tpvsd kubernetes.io/service-account-token 3 2d
k8s-dashboard-sa-token-XXXXX kubernetes.io/service-account-token 3 1d
Get the service token
$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data.token' | base64 -d
eyJhbGci ... sjcuNA8w
Get the CA certificate
Then I got the CA certificate directly from the JSON output via jq with a custom selector:
$ kubectl -o json get secret k8s-dashboard-sa-token-XXXXX | jq -r '.data."ca.crt"' | base64 -d - | tee ca.crt
-----BEGIN CERTIFICATE-----
MIICyDCCAbCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
... ... ... ... ... ...
FT55iMtPtFqAOnoYBCiLH6oT6Z1ACxduxPZA/EeQmTUoRJG8joczI0V1cnY=
-----END CERTIFICATE-----
Verify the CA certificate
With the CA certificate on hand you can verify as usual:
$ openssl x509 -in ca.crt -noout -subject -issuer
subject= /CN=kubernetes
issuer= /CN=kubernetes
$ openssl s_client -showcerts -connect 192.168.100.20:6443 < /dev/null &> apiserver.crt
$ openssl verify -verbose -CAfile ca.crt apiserver.crt
apiserver.crt: OK
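Added example, not part of the original answer or of GitLab's or Kubernetes' own code: a Python pre-flight check for the three values pasted into GitLab, covering the API URL shape described above and the token and ca.crt decoded from `kubectl -o json get secret` output. The function names, the sample secret and the service account name k8s-dashboard-sa are constructed for illustration, and the claim names assume a legacy service-account token stored in a secret.

```python
import base64
import json
from urllib.parse import urlsplit

def check_api_url(url):
    """GitLab expects only https://hostname:port: no path, no trailing slash."""
    u = urlsplit(url)
    problems = []
    if u.scheme != "https" or not u.hostname:
        problems.append("must look like https://hostname:port")
    if u.path or u.query or u.fragment:
        problems.append("extra path or trailing slash: %r" % u.path)
    return problems

def read_secret(secret_json):
    """Decode .data.token and .data."ca.crt" from `kubectl -o json get secret`."""
    data = json.loads(secret_json)["data"]
    token = base64.b64decode(data["token"]).decode()    # goes in GitLab's Token field
    ca_pem = base64.b64decode(data["ca.crt"]).decode()  # goes in the CA Certificate field
    # The JWT payload is read only to see whose token this is; no signature check here.
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    lines = ca_pem.strip().splitlines()
    framed = lines[:1] == ["-----BEGIN CERTIFICATE-----"] and lines[-1:] == ["-----END CERTIFICATE-----"]
    der = base64.b64decode("".join(lines[1:-1])) if framed else b""
    return {
        "token": token,
        "ca_pem": ca_pem,
        "ca_is_pem": framed and der[:1] == b"\x30",  # DER certificates start with SEQUENCE
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
    }

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample secret: neither the token nor the certificate body is real.
_CLAIMS = {"iss": "kubernetes/serviceaccount",
           "kubernetes.io/serviceaccount/namespace": "default",
           "kubernetes.io/serviceaccount/service-account.name": "k8s-dashboard-sa"}
_TOKEN = ".".join([_seg({"alg": "RS256"}), _seg(_CLAIMS), "c2lnbmF0dXJl"])
_CA = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
       + "\n-----END CERTIFICATE-----\n")
SAMPLE_SECRET = json.dumps({"data": {"token": base64.b64encode(_TOKEN.encode()).decode(),
                                     "ca.crt": base64.b64encode(_CA.encode()).decode()}})

if __name__ == "__main__":
    print(check_api_url("https://x.x.122.197:8080/r/projects/1a7/kubernetes:6443"))
    print(read_secret(SAMPLE_SECRET)["service_account"])
```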