Connecting an on-premises GitLab to MicroK8s and trying GitLab's Auto DevOps feature (Part 1)
Small tidbits of the kind you can never quite find through a Google search.
This article reflects the author's personal views and is unrelated to any organization the author belongs to.
Note: the certificate-based Kubernetes integration used in this article has since been deprecated by GitLab.
Certificate-based Kubernetes integration (deprecated)
https://docs.gitlab.com/ee/user/infrastructure/clusters/#certificate-based-kubernetes-integration-deprecated
For the replacement, the GitLab agent, see the following article:
Trying the GitLab Kubernetes Agent (formerly GitLab Agent for Kubernetes) - Qiita
https://qiita.com/ynott/items/35e9492d0681ea8ac60a
Introduction
GitLab provides a Kubernetes integration feature that makes a variety of operations convenient.

Kubernetes clusters | GitLab
https://docs.gitlab.com/ee/user/project/clusters/
There is a catch, however: whether you pick GKE or EKS, it costs a fair amount of money.
For an environment used only to deploy applications, that is expensive.
And yet building Kubernetes yourself is also hard...
So we will run MicroK8s on a virtual machine and integrate it with an on-premises GitLab.
Since this got long, it is split into Part 1 and Part 2. Part 2 is here.
In Part 2, we connect MicroK8s to the on-premises GitLab and try GitLab's Auto DevOps feature.
1. Start a virtual machine on VMware
Any medium-sized instance will do.
Resources: 4 CPUs, 4 GB of memory.
OS: Ubuntu 18.04 LTS.
2. Run MicroK8s
2-1. Install MicroK8s
$ sudo apt update && sudo apt upgrade -y && sudo reboot
$ sudo apt install -y snapd && sudo snap install microk8s --classic
$ sudo usermod -a -G microk8s <username>
Log out and back in (or run newgrp microk8s) for the group change to take effect. Membership in the microk8s group gives access to the cluster's admin credentials, which is effectively root on the node, so only add accounts you would trust with sudo.
2-2. Check that MicroK8s is running
$ microk8s.status
microk8s is running
high-availability: no
datastore master nodes: 127.0.0.1:19001
datastore standby nodes: none
addons:
enabled:
ha-cluster # Configure high availability on the current node
disabled:
ambassador # Ambassador API Gateway and Ingress
cilium # SDN, fast with full network policy
dashboard # The Kubernetes dashboard
dns # CoreDNS
fluentd # Elasticsearch-Fluentd-Kibana logging and monitoring
gpu # Automatic enablement of Nvidia CUDA
helm # Helm 2 - the package manager for Kubernetes
helm3 # Helm 3 - Kubernetes package manager
host-access # Allow Pods connecting to Host services smoothly
ingress # Ingress controller for external access
istio # Core Istio service mesh services
jaeger # Kubernetes Jaeger operator with its simple config
keda # Kubernetes-based Event Driven Autoscaling
knative # The Knative framework on Kubernetes.
kubeflow # Kubeflow for easy ML deployments
linkerd # Linkerd is a service mesh for Kubernetes and other frameworks
rbac # Role-Based Access Control for authorisation
storage # Storage class; allocates storage from host directory
metallb # Loadbalancer for your Kubernetes cluster
metrics-server # K8s Metrics Server for API access to service metrics
multus # Multus CNI enables attaching multiple network interfaces to pods
portainer # Portainer UI for your Kubernetes cluster
prometheus # Prometheus operator for monitoring and logging
registry # Private image registry exposed on localhost:32000
traefik # traefik Ingress controller for external access
Check that kubectl can list the node.
$ microk8s.kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-10-x-y-z Ready <none> 48m v1.17.0
2-3. Enable MicroK8s addons
The addons needed are listed below.
Ingress and the like get installed from the GitLab side, so the addon set can stay minimal.
Something like Dashboard would be fine too, I think.
- rbac (role-based access control)
- dns (CoreDNS)
- storage
- metallb
2-3-1. rbac, dns, storage
Enable RBAC, DNS and storage.
RBAC and DNS are needed in any case.
Storage is needed for applications that require a PersistentVolume.
$ sudo microk8s.enable rbac
$ sudo microk8s.enable dns storage
2-3-2. metallb
MetalLB is required for the LoadBalancer service that the Ingress controller uses. When enabling it, enter the IP addresses it may hand out in the form a.b.c.d-a.b.c.e. In L2 mode the MetalLB speaker answers ARP for those addresses from the VM's network interface, so pick addresses on the VM's own subnet and keep them out of the LAN's DHCP pool; otherwise you will eventually get duplicate-IP conflicts with other hosts.
$ sudo microk8s.enable metallb
Enabling MetalLB
Enter each IP address range delimited by comma (e.g. '10.64.140.43-10.64.140.49,192.168.0.105-192.168.0.111'): 192.168.10.20-192.168.10.30
Applying Metallb manifest
namespace/metallb-system created
secret/memberlist created
podsecuritypolicy.policy/controller created
podsecuritypolicy.policy/speaker created
serviceaccount/controller created
serviceaccount/speaker created
clusterrole.rbac.authorization.k8s.io/metallb-system:controller created
clusterrole.rbac.authorization.k8s.io/metallb-system:speaker created
role.rbac.authorization.k8s.io/config-watcher created
role.rbac.authorization.k8s.io/pod-lister created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:controller created
clusterrolebinding.rbac.authorization.k8s.io/metallb-system:speaker created
rolebinding.rbac.authorization.k8s.io/config-watcher created
rolebinding.rbac.authorization.k8s.io/pod-lister created
daemonset.apps/speaker created
deployment.apps/controller created
configmap/config created
MetalLB is enabled
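The prompt above accepts the range without checking it against your network, so it is easy to hand MetalLB addresses that collide with DHCP leases or sit on the wrong segment. The following is an added example (not part of MicroK8s, MetalLB or the original article) that parses the exact comma-delimited format the prompt asks for and validates it against the node's interface address, an optional DHCP range and reserved hosts. It goes slightly beyond the prompt in that it also accepts single addresses and CIDR blocks, which MetalLB's own address-pool config allows. The subnet, DHCP range and reserved addresses in the usage at the bottom are constructed sample values, not the article's real network.

```python
"""Check a MetalLB address pool before answering the `microk8s.enable metallb` prompt.

Added example for this article; it is not part of MicroK8s or MetalLB and only
uses the Python standard library. Subnets, DHCP ranges and addresses used when
calling it are constructed sample values, not the article's real network.
"""
import ipaddress


def parse_metallb_ranges(answer):
    """Parse the comma-delimited string the prompt asks for, e.g.
    '10.64.140.43-10.64.140.49,192.168.0.105-192.168.0.111'.

    Returns a list of (first, last) IPv4Address pairs. Single addresses and
    CIDR blocks are accepted as well, because MetalLB's own address-pool
    config allows both forms.
    """
    ranges = []
    for item in answer.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in item.split("-", 1))
        elif "/" in item:
            net = ipaddress.IPv4Network(item, strict=False)
            lo, hi = net[0], net[-1]
        else:
            lo = hi = ipaddress.IPv4Address(item)
        if hi < lo:
            raise ValueError(f"range {item!r} runs backwards")
        ranges.append((lo, hi))
    return ranges


def check_pool(answer, node_cidr, dhcp_range=None, reserved=()):
    """Return a list of problems with the pool; an empty list means it looks safe.

    node_cidr  : the MicroK8s VM's interface address with prefix, e.g. '192.168.10.5/24'.
                 In L2 mode the MetalLB speaker answers ARP for pool addresses on
                 that interface, so every address must be on the same segment.
    dhcp_range : optional (first, last) of the LAN's DHCP lease pool; overlap
                 eventually produces duplicate-IP conflicts with other hosts.
    reserved   : addresses that must never be handed out (gateway, the on-prem
                 GitLab host, ...). The node's own IP, the network address and
                 the broadcast address are always treated as reserved.
    """
    iface = ipaddress.IPv4Interface(node_cidr)
    net = iface.network
    problems = []
    pool = set()
    for lo, hi in parse_metallb_ranges(answer):
        if lo not in net or hi not in net:
            problems.append(f"{lo}-{hi} is not inside {net}; L2 mode needs the node's own segment")
        for n in range(int(lo), int(hi) + 1):
            addr = ipaddress.IPv4Address(n)
            if addr in pool:
                problems.append(f"{addr} is listed more than once")
            pool.add(addr)
    always_reserved = [iface.ip, net.network_address, net.broadcast_address]
    for addr in always_reserved + [ipaddress.IPv4Address(r) for r in reserved]:
        if addr in pool:
            problems.append(f"{addr} is reserved but sits inside the pool")
    if dhcp_range is not None:
        d_lo, d_hi = (ipaddress.IPv4Address(d) for d in dhcp_range)
        clash = sorted(a for a in pool if d_lo <= a <= d_hi)
        if clash:
            problems.append(f"{len(clash)} pool address(es) overlap the DHCP range "
                            f"{d_lo}-{d_hi}, first one is {clash[0]}")
    return problems


if __name__ == "__main__":
    # The article's answer, checked against a constructed node address, DHCP pool and gateway.
    for issue in check_pool("192.168.10.20-192.168.10.30", "192.168.10.5/24",
                            dhcp_range=("192.168.10.100", "192.168.10.200"),
                            reserved=("192.168.10.1",)):
        print("problem:", issue)
```

Run it with your own interface address (ip -4 addr show on the VM) and the DHCP scope from your router before typing the answer into the prompt; an empty result means the pool is on the right segment and does not overlap anything the LAN already uses.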
Check that the addons are enabled.
$ microk8s.status
microk8s is running
high-availability: no
datastore master nodes: 127.0.0.1:19001
datastore standby nodes: none
addons:
enabled:
dns # CoreDNS
ha-cluster # Configure high availability on the current node
metallb # Loadbalancer for your Kubernetes cluster
rbac # Role-Based Access Control for authorisation
storage # Storage class; allocates storage from host directory
<remainder omitted>
2-5. (Optional) Modify CoreDNS
To resolve the on-premises GitLab's address through the company's internal DNS, I changed the server that CoreDNS forwards to. (From here on, kubectl means microk8s.kubectl; sudo snap alias microk8s.kubectl kubectl sets up that alias.)
$ kubectl edit configmaps coredns -n kube-system -o yaml
Not elegant, but I simply rewrote the whole Corefile. Shown here as a block scalar rather than the escaped one-line string kubectl edit displays:
data:
  Corefile: |
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        log . {
            class error
        }
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        forward . <internal DNS server>
        cache 30
        loop
        reload
        loadbalance
    }
Verify that the name resolves from inside a pod as follows, then remove the test pod.
$ kubectl run busybox --restart=Never --image=busybox:1.28 -- sleep 3600
$ kubectl exec busybox -- nslookup <on-prem GitLab FQDN>
$ kubectl delete pod busybox
2-6. (Optional) Connect with kubectl from outside and get the config
Not required for connecting from GitLab.
Get the kubeconfig. This file is a full cluster-admin credential (the users: section below carries the admin basic-auth password), so keep it out of version control and chat logs and restrict its permissions (chmod 600); tee also echoes it to the terminal, so clear the scrollback afterwards.
$ microk8s.config | tee gitlab-microk8s.config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    server: https://10.x.y.z:16443
  name: microk8s-cluster
contexts:
- context:
    cluster: microk8s-cluster
    user: admin
  name: microk8s
current-context: microk8s
kind: Config
preferences: {}
users:
- name: admin
  user:
    username: admin
    password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
3. Get the information needed for the GitLab integration
To integrate with GitLab you need the following three pieces of information. Get each one in turn.
- API URL
- CA certificate
- Service token
3-1. API URL
This is the server value from the kubeconfig obtained in 2-6, i.e. https://10.x.y.z:16443.
3-2. CA certificate
Get the certificate from the default-token secret listed by kubectl get secrets. It should be the same CA as the base64-encoded certificate-authority-data in the 2-6 kubeconfig; if the two differ, stop and find out why before trusting either.
$ kubectl get secrets
NAME TYPE DATA AGE
default-token-78r9t kubernetes.io/service-account-token 3 46h
Extract ca.crt from default-token-78r9t (the suffix differs per cluster).
$ kubectl get secret default-token-78r9t -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
-----BEGIN CERTIFICATE-----
MIIDATCCAemgAwIBAgIJANFqxpnmuSSZMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
<中略>
-----END CERTIFICATE-----
3-3. Service token
First, create a ServiceAccount named gitlab from the manifest below to obtain a service token. It is bound to cluster-admin, which is what GitLab's integration expected at the time; the resulting token therefore grants full control of the cluster. Treat it exactly like the admin kubeconfig, and if GitLab only needs to deploy into specific namespaces, consider a narrower ClusterRole or per-namespace RoleBindings instead.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
  namespace: kube-system
---
# rbac.authorization.k8s.io/v1 has been stable since Kubernetes 1.8 and the
# v1beta1 form was removed in 1.22, so use v1 even on this 1.17 cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin   # full cluster control; narrow this if GitLab only needs some namespaces
subjects:
- kind: ServiceAccount
  name: gitlab
  namespace: kube-system
Apply the file with kubectl apply.
$ kubectl apply -f gitlab-admin-service-account.yaml
Now that the ServiceAccount exists, get its token. Copy everything after token: (from eyJhbGciOi to the end) and store it somewhere safe: it is a bearer credential with cluster-admin rights and, being a legacy secret-based token, it never expires, so revoking it means deleting the secret or the ServiceAccount.
The secret is looked up through the ServiceAccount's own secrets list rather than by grepping for the name, so an unrelated secret that happens to contain "gitlab" cannot be picked up by mistake. On Kubernetes 1.24 and later the token secret is no longer created automatically and you would use kubectl -n kube-system create token gitlab instead; this cluster is 1.17, so the command below works.
$ kubectl -n kube-system describe secret $(kubectl -n kube-system get sa gitlab -o jsonpath='{.secrets[0].name}')
Name: gitlab-token-dqjlx
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: gitlab
kubernetes.io/service-account.uid: 7e73e750-4bfc-4718-9ee0-ebe83da58c36
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1103 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjVURFF<remainder omitted>
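Before pasting the three values from 3-1, 3-2 and 3-3 into GitLab, it is worth confirming they are what you think: that the URL is https, that the CA is the decoded PEM rather than the still-base64 form, and that the token really belongs to kube-system:gitlab rather than, say, the default ServiceAccount whose secret was listed earlier. The following is an added example (not GitLab's, Kubernetes' or the article's code) that does those checks with the standard library only. It decodes the JWT's claims without verifying the signature (only the API server can verify it) and handles both the legacy secret-based token format shown above and the bound-token format that kubectl create token produces on 1.24+ clusters, which goes beyond the page's 1.17 case. The certificate and token defined at the bottom are constructed samples; the JWT carries a dummy signature and is not a credential for any cluster.

```python
"""Sanity-check the three values GitLab's certificate-based integration asks for
(API URL, CA certificate, service token) before pasting them into the GitLab UI.

Added example for this article; it is not GitLab's or Kubernetes' code and uses
only the Python standard library. The certificate and token defined at the
bottom are constructed samples: the JWT carries a dummy signature and is not a
credential for any cluster. Nothing here verifies the token's signature (only
the API server can do that); it only decodes the claims to show what the token
identifies.
"""
import base64
import json
from urllib.parse import urlparse

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_sa_token(token):
    """Split a service-account JWT into (header, claims) without verifying it."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def token_identity(claims):
    """Return (namespace, service-account name) for either token format:
    legacy secret-based tokens (what `describe secret` prints on a 1.17 cluster)
    use flat 'kubernetes.io/serviceaccount/...' claims; bound tokens from
    `kubectl create token` (1.24+) nest them under 'kubernetes.io'."""
    if "kubernetes.io/serviceaccount/namespace" in claims:
        return (claims["kubernetes.io/serviceaccount/namespace"],
                claims["kubernetes.io/serviceaccount/service-account.name"])
    bound = claims.get("kubernetes.io", {})
    return bound.get("namespace"), bound.get("serviceaccount", {}).get("name")


def ca_from_kubeconfig(certificate_authority_data):
    """`certificate-authority-data` in the 2-6 kubeconfig is the CA PEM, base64-encoded
    once more; decode it so it can be compared with the secret's ca.crt."""
    return base64.b64decode(certificate_authority_data).decode()


def check_gitlab_inputs(api_url, ca_pem, token, expect_ns="kube-system", expect_sa="gitlab"):
    """Return a list of problems; an empty list means the three values are consistent."""
    problems = []
    url = urlparse(api_url)
    if url.scheme != "https" or not url.hostname:
        problems.append(f"API URL must look like https://host:port, got {api_url!r}")
    ca_pem = ca_pem.strip()
    if not (ca_pem.startswith(PEM_BEGIN) and ca_pem.endswith(PEM_END)):
        problems.append("CA certificate is not a PEM CERTIFICATE block "
                        "(still base64-encoded? run it through base64 --decode)")
    try:
        header, claims = decode_sa_token(token)
    except ValueError as exc:  # wrong segment count, bad base64, or bad JSON
        return problems + [f"token is not a JWT: {exc}"]
    if header.get("alg") in (None, "none"):
        problems.append("token header has no signing algorithm; API-server tokens are RS256/ES256")
    ns, sa = token_identity(claims)
    if (ns, sa) != (expect_ns, expect_sa):
        problems.append(f"token belongs to {ns}:{sa}, expected {expect_ns}:{expect_sa}")
    expected_sub = f"system:serviceaccount:{expect_ns}:{expect_sa}"
    if claims.get("sub", expected_sub) != expected_sub:
        problems.append(f"token sub is {claims['sub']!r}, expected {expected_sub!r}")
    return problems


# ---- constructed samples (NOT real credentials) --------------------------------
def _constructed_jwt(claims):
    """Build a JWT-shaped string with a dummy signature, purely for offline testing."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "sample"}), enc(claims), enc({"sig": "dummy"})])


SAMPLE_CA_PEM = PEM_BEGIN + "\nMIIDATCCAemgAwIBAgIJANFqxpnmuSSZMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV\n<elided>\n" + PEM_END
SAMPLE_CA_DATA = base64.b64encode(SAMPLE_CA_PEM.encode()).decode()  # as microk8s.config would print it
SAMPLE_TOKEN = _constructed_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kube-system",
    "kubernetes.io/serviceaccount/secret.name": "gitlab-token-dqjlx",
    "kubernetes.io/serviceaccount/service-account.name": "gitlab",
    "sub": "system:serviceaccount:kube-system:gitlab",
})

if __name__ == "__main__":
    print(check_gitlab_inputs("https://10.0.0.10:16443", ca_from_kubeconfig(SAMPLE_CA_DATA), SAMPLE_TOKEN))
```

In practice you would call check_gitlab_inputs with the real server value from 2-6, the output of the base64 --decode command in 3-2 and the token string from the describe secret output above; the sample address 10.0.0.10 is a placeholder. An empty list is the go-ahead; anything else points at the value that was copied wrongly. The check deliberately does not try to verify the signature, because the only party that can is the API server the token was minted for.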
Continued in Part 2.