Question

Adding kubernetes cluster to our private gitlab server

Posted October 17, 2018 9.1k views
APIKubernetesInitial Server SetupUbuntu 18.04

Hello, we have a private gitlab server and I am trying to connect a DO kubernetes cluster to our CI/CD. On the setup page, I have the following fields:

Kubernetes cluster name
API URL
CA Certificate
Token
Project namespace (optional, unique)

From the config file generated from the DO kubernetes page, I have the cluster name and CA Certificate. What is the API URL and Token that I must use here?

Thanks,
David

Add a comment
dwidman
By:
dwidman
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
7 answers
sekl October 25, 2018

I figured out how add a DigitalOcean Cluster to GitLab.
The steps I took (set up your kubectl to use your DigitalOcean Cluster first):

create a new namespace
kubectl create namespace gitlabkubesandbox
switch to that new namespace
kubectl config set-context $(kubectl config current-context) --namespace=gitlabkubesandbox
create a service account
kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab
EOF
make the new service account cluster admin
kubectl create clusterrolebinding gitlab-cluster-admin-binding --clusterrole=cluster-admin --serviceaccount=gitlabkubesandbox:gitlab
describe the new service account
kubectl describe serviceAccounts gitlab
get the secret
kubectl describe secret [secret name found in the response form above]
copy the token
start the dashboard
kubectl proxy
open the dashboard in your browser
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
switch to the namespace “gitlabkubesandbox”
go to secrets => the secret from above

Values for GitLab:
Kubernetes cluster name: whatever
API URL: cluster server from the kubeconfig.yml
CA Certificate: ca.crt from the Dashboard
Token: token from the Dashboard
Project namespace: gitlabkubesandbox
Check RBAC-enabled when adding the Cluster to GitLab.

Done!

Reply Report
  • akoutmos November 5, 2018

    Thank you so much for this! Helm Tiller, GitLab Runner and the Ingress installs went through just fine…but it then keeps erroring out on the Prometheus install. Did you experience that as well?

    Reply Report
  • mirandaleandro December 30, 2018

    I have followed these very steps but still getting a very generic error on helm/tiller installation.

    “Something went wrong while installing Helm Tiller

    • Can’t start installation process. ”

    Ideas?

    Thanks,
    Leo

    EDIT: after poking around the docs I figured out that the CA Certificate had to be deciphered into a pem format.
    To do that, I just saved the certificate that we get from in the kubeconfig.yaml to a certificate.base64.txt and the run
    base64 -D certificate.base64.txt > cert.pem

    Reply Report
gintsgints December 14, 2018

For installing Helm, described rights was not enough for me. I have to do this:

### http://centosquestions.com/kubernetes-error-namespaces-gitlab-managed-apps-forbidden-user-systemserviceaccountgitlab-managed-appsgitlab-sa-cannot-get-namespaces-namespace-gitlab-managed-apps/
kubectl create clusterrolebinding permissive-binding --clusterrole=cluster-admin --user=admin --user=kubelet --group=system:serviceaccounts
Reply Report
johndatserakis October 18, 2018

Hey there - would the below two commands help?

# Get server
echo $(kubectl config view | grep server | cut -f 2- -d ":" | tr -d " ")

# Get server token
echo $(kubectl describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t')

Just copy what shows in the terminal when you run those. May be applicable to you.

https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#without-kubectl-proxy

Reply Report
  • dwidman October 18, 2018

    Hi John, thanks for the help, but not exactly what I need.

    I need the following info about the Kubernetes cluster in OD.

    1. Kubernetes cluster name (I have it from the config) - ok
    2. API URL (no idea what url I will use)
    3. CA Certificate (I have it from the config) - ok
    4. Token (maybe the recipe from John)
    5. Project name - optional, so no problem here.

    Thanks,
    David

    Reply Report
    • johndatserakis October 18, 2018

      Hey do you have kubectl access?

      The first command I shared should get you your cluster API URL.

      Then the second command should get you your Token. Did these commands work? Any error?

      I just set up a cluster and ran them here without issue - maybe I can help further.

      Reply Report
dwidman October 18, 2018

Hi John, thanks for your help.

I am using the OD <beta> kubernetes. I managed to enter on the console and when I run the kubectl config view, everything is empty…

I’m sorry but I don’t have too much experience with Kubernetes.

Thanks,
David

Reply Report
  • johndatserakis October 18, 2018

    No problem! Yup I’m using the same thing (DO’s kubernetes beta).

    Ok - first - have you completed this setup: https://www.digitalocean.com/docs/kubernetes/how-to/connect-with-kubectl/ ?

    Basically you:

    1. Install kubectl locally
    2. Download you config.yml file from the DO management screen (it’ll be named something else)
    3. Run this command kubectl --kubeconfig="cluster1-kubeconfig-dupe.yaml" get nodes. NOTE: cluster1-kubeconfig-dupe.yaml will be named something different in your case so change it in the command.

    If you can get this to work - the below two commands will print your API_URL and Token

    echo $(kubectl --kubeconfig="cluster1-kubeconfig-dupe.yaml" config view | grep server | cut -f 2- -d ":" | tr -d " ")

echo $(kubectl --kubeconfig="cluster1-kubeconfig-dupe.yaml" describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t')
    Reply Report
    • dwidman October 20, 2018

      Hi John,

      using the two commands that you wrote, I managed to get the API url no problem, but for the token, I get the following error:

      Unable to connect to the server: dial tcp 192.168.99.100:8443: i/o timeout

      with a jwt token following it.

      this is the payload data extracted from the jwt token (I changed some of the secret/uid characters for security reasons):
      {
      “iss”: “kubernetes/serviceaccount”,
      “kubernetes.io/serviceaccount/namespace”: “default”,
      “kubernetes.io/serviceaccount/secret.name”: “default-token-t6qga”,
      “kubernetes.io/serviceaccount/service-account.name”: “default”,
      “kubernetes.io/serviceaccount/service-account.uid”: “5d1f391c-d27a-11e8-b073-ea3c81484823”,
      “sub”: “system:serviceaccount:default:default”
      }

      I copied the API url and the original JWT token, with the other data that I already have but when I try to install some applications like Helm Tiller on the OD kubernetes cluster thru our Gitlab server, I get the error:

      “Can’t start installation process.”

      Is there any other detail that you can help to make this work?

      Thanks,
      David

      Reply Report
      • PizzaAficionado October 20, 2018

        Get your secrets:

        kubectl --kubeconfig="REPLACE-NAME-OF-YOUR-CONFIG.yaml" get secrets

        Get the JWT from a secret:

        kubectl --kubeconfig="REPLACE-NAME-OF-YOUR-CONFIG.yaml" describe secrets REPLACE-WITH-THE-NAME-OF-THE-SECRET-YOU-WANT
        Reply Report
PizzaAficionado October 20, 2018
[deleted]
Reply Report
ckoehler99 January 5, 2019

I have create a small project under https://devops.ck99.io/ck/gitlab-kubernetes-setup

This contains a summary in a script “setup.sh” with all the steps discussed here.

Reply Report
primozkocevar March 12, 2019

If you are getting a Kubernetes Error 401 it means your Token is incorrect as it was in my case. Here I was using a token from an API tab in the Dashboard BUT should really create the Token by command line like recommended. After generating a user and a token using kubectl commands and changing the Token the installation of Helm worked perfectly.
Hope it helps!

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help