GitLab CI Microk8s integration

Note: This guide applies to Kubernetes versions prior to 1.24. Moreover, Kubernetes integration in GitLab is now achieved via the GitLab agent for Kubernetes. This guide is meant for legacy support.

GitLab provides Kubernetes integration out of the box, which means that GitLab CI/CD pipelines can be used to deploy applications to Kubernetes easily. This guide shows how to integrate a Kubernetes cluster into a GitLab project and follows the GitLab documentation. In this particular case, the cluster is a Microk8s Kubernetes distribution.

Once a project has been created in GitLab, go to the Operations menu of the project and click Kubernetes.

Once in the Kubernetes section of the project, click "Add Kubernetes cluster" and then click the "Add Existing Cluster" tab.

Apart from a name of your choice for the cluster, three pieces of information are required to register a Kubernetes cluster in GitLab:

  • The API URL of the cluster

  • The CA certificate of the cluster

  • The service token of the GitLab service account in the cluster

API URL

The API port of a Microk8s cluster is 16443. Thus, the API URL should be in the form https://<Server IP>:16443, where <Server IP> is to be replaced with the IP of the server where the Microk8s cluster is running.

CA certificate

The CA certificate of the cluster can be retrieved using the following command:

microk8s.kubectl get secret $(microk8s.kubectl get secrets | grep default-token | awk '{print $1}') -o jsonpath="{['data']['ca\.crt']}" | base64 --decode

The command should output the certificate of the cluster in the following form:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Service token

Finally, the service token can be obtained by creating a service account for GitLab in the Kubernetes cluster. This requires RBAC to be enabled in the Kubernetes cluster. For Microk8s, RBAC can be enabled using:

microk8s enable rbac

The GitLab service account can be created just like any other Kubernetes resource using a manifest file. Thus, create a file named gitlab_service_account.yml with the following content:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-admin
  namespace: kube-system
---
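# rbac.authorization.k8s.io/v1 is the stable API; v1beta1 was removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin gives this account, and anyone holding its token, full control of the cluster.
  name: cluster-admin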
subjects:
- kind: ServiceAccount
  name: gitlab-admin
  namespace: kube-system

The resources can be created by running:

microk8s.kubectl apply -f gitlab_service_account.yml

With the newly created service account, the token can be retrieved using this command:

microk8s.kubectl -n kube-system describe secret $(microk8s.kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')

The output should look like the following:

Name:         gitlab-admin-token-xwb79
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: gitlab-admin
              kubernetes.io/service-account.uid: 6b9a089a-0b55-4546-947c-8954507a754d

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciO893mlaKlas73ASm3...30cvPbicVMm98asdSDD9uFas29OASJeUBQ
ca.crt:     1103 bytes
namespace:  11 bytes

Here, simply copy the long string after token: and paste it into the GitLab configuration page.

With those steps completed, the only thing left to do is to click save and the cluster should be integrated in GitLab.
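
Before pasting the token into GitLab, it is worth confirming that it really belongs to gitlab-admin in kube-system, since the grep in the retrieval command matches any secret whose name contains gitlab-admin. The script below is an added example, not part of the original guide or of GitLab's tooling; its function names are hypothetical, the sample tokens are constructed and unsigned, and it reads the token's claims without verifying the signature.

```shell
#!/bin/sh
# Added example: confirm which service account a token belongs to before
# pasting it into GitLab. Helper names are hypothetical.

# Decode one base64url JWT segment (URL-safe alphabet, padding stripped).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
        1) return 1 ;;  # impossible length for base64
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the "sub" claim from the token payload (second dot-separated segment).
token_subject() {
    payload=$(printf '%s\n' "$1" | cut -s -d. -f2)
    [ -n "$payload" ] || return 1
    b64url_decode "$payload" | tr ',{}' '\n\n\n' |
        sed -n 's/^ *"sub" *: *"\(.*\)" *$/\1/p'
}

# Succeed only if the token belongs to the expected service account.
# $2 and $3 default to the namespace and name used in the manifest above.
check_gitlab_token() {
    expected="system:serviceaccount:${2:-kube-system}:${3:-gitlab-admin}"
    actual=$(token_subject "$1") || return 1
    [ "$actual" = "$expected" ]
}

# Constructed, unsigned sample token (not from a real cluster), built with the
# claim layout of a legacy secret-based service account token.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
make_sample_token() {  # $1 = namespace, $2 = service account name
    claims="{\"iss\":\"kubernetes/serviceaccount\""
    claims="$claims,\"kubernetes.io/serviceaccount/namespace\":\"$1\""
    claims="$claims,\"kubernetes.io/serviceaccount/service-account.name\":\"$2\""
    claims="$claims,\"sub\":\"system:serviceaccount:$1:$2\"}"
    printf '%s.%s.%s\n' "$(b64url_encode '{"alg":"RS256"}')" \
        "$(b64url_encode "$claims")" "constructed-signature"
}

for sa in gitlab-admin default; do
    token=$(make_sample_token kube-system "$sa")
    check_gitlab_token "$token" && verdict=OK || verdict=MISMATCH
    echo "$verdict: $(token_subject "$token")"
done
```

On a real cluster, pass the string printed after token: as the first argument to check_gitlab_token.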