Connecting GitLab to a Kubernetes cluster

This assumes a k8s cluster is already installed:

➜  ~ kubectl get node -o wide
NAME               STATUS   ROLES    AGE     VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE                       KERNEL-VERSION         CONTAINER-RUNTIME
hk2.vps.godu.dev   Ready    master   10m     v1.14.2   10.147.20.41   <none>        Debian GNU/Linux 9 (stretch)   4.19.0-0.bpo.5-amd64   docker://18.6.3
hk3.vps.godu.dev   Ready    <none>   9m9s    v1.14.3   10.147.20.42   <none>        Ubuntu 18.04.2 LTS             4.15.0-47-generic      docker://18.6.3
hk4.vps.godu.dev   Ready    <none>   9m37s   v1.14.2   10.147.20.43   <none>        Debian GNU/Linux 9 (stretch)   4.19.0-0.bpo.5-amd64   docker://18.6.3

GitLab preparation

The network settings must be configured in the admin area (Settings - Network - Outbound requests).

By default, GitLab does not allow requests from hooks and services to the local network. Because the k8s cluster and GitLab are on the same LAN, this option must be enabled.

Adding the Kubernetes cluster integration

Kubernetes cluster name (default: kubernetes)

➜  ~ kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin
          minikube                      minikube     minikube

Kube API address

➜  ~ kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}'
https://10.147.20.41:6443

If the cluster was initialized with --apiserver-cert-extra-sans=k8s.ns.godu.dev, the address https://k8s.ns.godu.dev:6443 can be used instead.

CA certificate

  1. Get the default secret; its name looks like default-token-xxxxx.
  2. Extract the certificate from it.

➜  ~ kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-59p47   kubernetes.io/service-account-token   3      30m
➜  ~ kubectl get secret default-token-59p47 -o jsonpath="{['data']['ca\.crt']}" | base64 --decode

Token

  1. Create the service account (gitlab-admin-service-account.yaml)

apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-admin
  namespace: kube-system

kubectl apply -f gitlab-admin-service-account.yaml

  2. Create the cluster role binding (gitlab-admin-cluster-role-binding.yaml), which binds the service account to the built-in cluster-admin ClusterRole

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: gitlab-admin
  namespace: kube-system

kubectl apply -f gitlab-admin-cluster-role-binding.yaml

  3. Get the token

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')

Name:         gitlab-admin-token-mhhlj
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: gitlab-admin
              kubernetes.io/service-account.uid: b81a1c7d-8ab3-11e9-81d8-00163e068ecc

Type:  kubernetes.io/service-account-token

Data
====
namespace:  11 bytes
token:      <authentication_token>
ca.crt:     1025 bytes
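As an added check that is not part of the original post: this token carries cluster-admin rights, so before pasting it into GitLab it is worth confirming that the ca.crt and token you extracted really belong to kube-system/gitlab-admin. The script below reads the JSON of `kubectl -n kube-system get secret gitlab-admin-token-xxxxx -o json`, decodes both fields and reads the subject claim of the service-account JWT; the secret embedded for the stand-alone run is a constructed placeholder, not real cluster data, and the script name check_sa_token.py is assumed.

```python
"""Decode ca.crt and token from a service-account token secret (added example)."""
import base64
import json
import sys

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def extract_credentials(secret_json: str) -> dict:
    """Return the CA PEM, the bearer token and the token's subject claim."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a kubernetes.io/service-account-token secret")
    ca_pem = base64.b64decode(secret["data"]["ca.crt"]).decode()
    token = base64.b64decode(secret["data"]["token"]).decode()
    if not ca_pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("ca.crt is not a PEM certificate")
    # Service-account tokens are JWTs. Only the claims are read here; the
    # signature is verified by the API server, not by this script.
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return {"ca_pem": ca_pem, "token": token, "subject": claims.get("sub")}

def subject_matches(creds: dict, namespace: str, name: str) -> bool:
    """True when the token was issued to service account <namespace>/<name>."""
    return creds["subject"] == f"system:serviceaccount:{namespace}:{name}"

def make_sample_secret() -> str:
    """Constructed stand-in for the real secret: placeholder cert, unsigned JWT."""
    ca_pem = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    claims = {"iss": "kubernetes/serviceaccount",
              "sub": "system:serviceaccount:kube-system:gitlab-admin"}
    token = ".".join(_b64url_encode(p) for p in (
        b'{"alg":"RS256"}', json.dumps(claims).encode(), b"placeholder-sig"))
    return json.dumps({"type": "kubernetes.io/service-account-token",
                       "data": {"ca.crt": base64.b64encode(ca_pem.encode()).decode(),
                                "token": base64.b64encode(token.encode()).decode()}})

if __name__ == "__main__":
    # kubectl -n kube-system get secret gitlab-admin-token-xxxxx -o json | python3 check_sa_token.py
    creds = extract_credentials(sys.stdin.read() if not sys.stdin.isatty() else make_sample_secret())
    print("token subject:", creds["subject"])
    print("ok" if subject_matches(creds, "kube-system", "gitlab-admin") else "UNEXPECTED ACCOUNT")
```

Run without a pipe it uses the constructed sample; the decoded ca_pem is what goes into the GitLab "CA Certificate" field and the token into "Token".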

Base domain configuration

*.k8s.godu.dev 3600     A 10.147.20.41

Recommended reading