Integrating a Microk8s cluster in GitLab
GitLab provides Kubernetes integration out of the box, which means that GitLab CI/CD pipelines can be used to deploy applications in Kubernetes easily. This guide shows how to integrate a Kubernetes cluster in a GitLab project, following the GitLab documentation. For this particular case, the cluster will be that of a Microk8s Kubernetes distribution.
Note: GitLab deprecated the integration of Kubernetes clusters using certificates in version 14
Note 2: This guide involves Microk8s with Kubernetes version 1.18
Once a project has been created in GitLab, go to the Infrastructure menu of the project and click Kubernetes clusters.
Once in the Kubernetes section of the project, click “Integrate with a cluster certificate” and then click the “Connect existing cluster” tab. This leads to the cluster registration page where the connection information needs to be entered.
On this page, the cluster name can be chosen freely. The next field, Environment scope, can be left as it is (*). This leaves us with three fields to fill out:
- The API URL of the cluster
- The CA certificate of the cluster
- The service token of the GitLab service account in the cluster
API URL
Microk8s exposes the Kubernetes API on port 16443. Thus, the API URL should be in the form https://<Server IP>:16443, where <Server IP> is to be replaced with the IP of the server where the Microk8s cluster is running.
CA Certificate
The CA certificate of the cluster can be retrieved using the following command:
microk8s.kubectl get secret $(microk8s.kubectl get secrets | grep default-token | awk '{print $1}') -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
The command should output the certificate of the cluster in the following form:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Service Token
Finally, the cluster must be configured so that GitLab can control its resources. This is achieved by creating a service account for GitLab. To do so, the RBAC addon must be enabled in Microk8s:
microk8s enable rbac
The GitLab service account can be created just like any other Kubernetes resource using a manifest file. Thus, create a file named gitlabServiceAccount.yml with the following content:
# Service account that GitLab authenticates as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-admin
  namespace: kube-system
---
# rbac.authorization.k8s.io/v1 is served by Kubernetes 1.18; v1beta1 was removed in 1.22
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin grants full control over every resource in the cluster
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: gitlab-admin
    namespace: kube-system
The resources can be created by running
microk8s.kubectl apply -f gitlabServiceAccount.yml
With the newly created service account, the token can be retrieved using this command:
microk8s.kubectl -n kube-system describe secret $(microk8s.kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')
Which should output the following:
Name: gitlab-admin-token-vfkgn
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: gitlab-admin
kubernetes.io/service-account.uid: a228ee41-df09-46a7-a93f-1b95820d6916
Type: kubernetes.io/service-account-token
Data
====
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImZxOEVyWVc4ek92QmFjUUdhck96dmtYNEI0bXg3LWVJWkJjYTFLbnUyVzQifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJnaXRsYWItYWRtaW4tdG9rZW4tdmZrZ24i45sdcvbm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZ2l0bGFiLWFasdasdasdia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTIyOGVlNDEtZGYwOS00NmE3LWE5M2YtMWI5NTgyMGQ2OTE2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmdpdGxhYi1hZG1pbiJ9.BXVVzQPuxDlAalqlcTzjacYUhEPbaTAxQgoM5vqeA7_zjuNMq1EV9bhhfpvVoZUx5KIxcDj0VYJ7rU3IYHiOggCk1Pf7KYieYjMe4b7LMMPUqqA3dSLUGiWH3asdLCa7IKHQ4zbNHzHZxtsHa6VTofZ2GJl3NSuVOzTOXNdEK7DDTF5aBFbzpV3FhMJBzGWb4gJhPlqijFBdndUf9pWf7Umooqg
ca.crt: 1103 bytes
namespace: 11 bytes
Here, simply copy and paste the long string after token into the GitLab configuration page.
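Because this token is bound to cluster-admin, it is worth confirming that the string being pasted really belongs to the gitlab-admin service account. The script below is an added example, not part of the original guide: the function names are illustrative and the sample token is constructed. It only decodes the token's claims and does not verify the signature.

```bash
#!/bin/sh
# Added example (not from the original guide): inspect a service account token
# before pasting it into GitLab. Function names are illustrative.

# Decode one base64url segment; JWT segments omit the '=' padding.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 --decode
}

# Print the JSON claims, i.e. the second dot-separated segment of the token.
token_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -s -d. -f2)"
}

# Minimal extractor for one string claim: claim <json> <key>
claim() {
  printf '%s' "$1" | sed -n "s|.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*|\1|p"
}

# check_token <token> <namespace> <service-account>
# Returns 0 only if the token's subject is the expected service account.
check_token() {
  local claims sub
  claims=$(token_claims "$1" 2>/dev/null) || { echo "ERROR: not a decodable token"; return 2; }
  sub=$(claim "$claims" sub)
  if [ "$sub" != "system:serviceaccount:$2:$3" ]; then
    echo "MISMATCH: token subject is '${sub:-<none>}'"
    return 1
  fi
  case $claims in
    *'"exp"'*) echo "OK: $sub (token carries an expiry)" ;;
    *) echo "OK: $sub (no exp claim: does not expire on its own)" ;;
  esac
}

# Constructed, unsigned sample token with the claim layout of a secret-based token.
sample_token() {
  local p='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:gitlab-admin"}'
  printf 'e30.%s.sig' "$(printf '%s' "$p" | base64 | tr -d '=\n' | tr '/+' '_-')"
}

check_token "$(sample_token)" kube-system gitlab-admin
```

For a real check, pass the token string from the describe output as the first argument instead of the sample.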
Additional options
There are additional options that can be set using checkboxes at the bottom of the page. Most of those can be left as they are, but I recommend unchecking the GitLab-managed cluster option so that namespaces can be managed by the user.
With those steps completed, the only thing left to do is to click save and the cluster should be integrated in GitLab.
Integration complete
With the API URL, CA certificate and service token properly registered, the cluster is integrated in GitLab for the current project or group. As such, CI pipelines that run kubectl commands will target the newly registered cluster.
This article is based on that from the author’s website