Integrating GitLab with Kubernetes

Introduction

We currently use GitLab for source control and GitLab CI Runner for CI. The next step is to add CD as well (at least in the DEV environment). The target platform is Kubernetes.

Setting up the integration

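  1. Create a test repo and add a .gitlab-ci.yml file to it
test:
  image: alpine
  tags:
    - docker
  environment:
    name: dev
    url: http://cmweb-dev.paradise-soft.com.tw
  script:
    - apk add --no-cache curl
    # Download the latest stable kubectl release (no checksum verification is done here)
    - curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
    - chmod +x ./kubectl
    - mv ./kubectl /usr/local/bin/kubectl
    # Confirm the job can talk to the cluster
    - kubectl version
    - kubectl get pods
  1. In the GitLab project, go to CI/CD -> Kubernetes and choose to add your own self-hosted Kubernetes cluster. Five pieces of information are needed to configure the integration, and all of them come from the K8S cluster: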
    • Kubernetes cluster name
    • API URL
    • CA Certificate
    • Token
    • Project namespace (optional, unique)
API URL
# Get the endpoint
> kubectl get endpoints kubernetes -o json | jq -r '.subsets[0].ports[0].name + "://" + .subsets[0].addresses[0].ip + ":" + (.subsets[0].ports[0].port | tostring)'
https://10.200.252.181:6443

# Alternatively, try this
> kubectl get endpoints kubernetes
NAME         ENDPOINTS            AGE  
kubernetes   10.200.252.181:6443   95d  
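  1. Create an account for GitLab. Create a new file (gitlab-account.yml):
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: default
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; newer clusters need rbac.authorization.k8s.io/v1
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: gitlab
  namespace: default
subjects:
  - kind: ServiceAccount
    name: gitlab
    namespace: default
roleRef:
  # cluster-admin gives this service account full control of the entire cluster
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

> kubectl apply -f gitlab-account.yml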
serviceaccount/opendata created  
  1. Find the name of the service account's secret
kubectl get serviceaccount gitlab -o json | jq -r '.secrets[0].name'

Here it is gitlab-token-9tmc2

  1. Get the CA certificate
kubectl get secret gitlab-token-9tmc2 -o json | jq -r '.data["ca.crt"]' | base64 -d

This prints the cluster CA certificate in PEM format.

  1. Get the token
kubectl get secret gitlab-token-9tmc2 -o json | jq -r '.data.token' | base64 -d

This prints the decoded service account token.

  1. Finally, re-run the CI pipeline. In theory it should now succeed.
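
The ClusterRoleBinding in the account step binds the gitlab service account to cluster-admin, so the token pasted into GitLab can do anything in the cluster. The manifest below is an added example, not part of the original post: a namespace-scoped Role and RoleBinding for the same service account. It assumes deployments go to a single existing namespace called dev (a hypothetical name borrowed from the environment name), and the role name gitlab-deployer and the resource list are illustrative choices.

```yaml
# Added example: least-privilege alternative to the cluster-admin binding.
# Assumptions: the namespace "dev" already exists, and the pipeline only
# manages the workload resources listed in the Role below.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-deployer          # hypothetical name
  namespace: dev
rules:
  # Read-only access to pods and their logs (covers `kubectl get pods`).
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  # Manage the objects a simple deployment consists of.
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Deliberately absent: secrets, RBAC objects, nodes, and every other namespace.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                # namespaced, unlike ClusterRoleBinding
metadata:
  name: gitlab-deployer
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: gitlab
    namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gitlab-deployer
```

After applying it, `kubectl auth can-i --list --as=system:serviceaccount:dev:gitlab -n dev` lists what the CI token is actually allowed to do.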