Adding kubernetes cluster to our private gitlab server

October 17, 2018 6.9k views
Ubuntu 18.04 Initial Server Setup Kubernetes API

Hello, we have a private gitlab server and I am trying to connect a DO kubernetes cluster to our CI/CD. On the setup page, I have the following fields:

Kubernetes cluster name
API URL
CA Certificate
Token
Project namespace (optional, unique)

From the config file generated from the DO kubernetes page, I have the cluster name and CA Certificate. What is the API URL and Token that I must use here?

Thanks,
David

7 Answers

I figured out how to add a DigitalOcean cluster to GitLab.
The steps I took (set up your kubectl to use your DigitalOcean Cluster first):

create a new namespace
kubectl create namespace gitlabkubesandbox
switch to that new namespace
kubectl config set-context $(kubectl config current-context) --namespace=gitlabkubesandbox
create a service account
kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab
EOF

make the new service account cluster admin
kubectl create clusterrolebinding gitlab-cluster-admin-binding --clusterrole=cluster-admin --serviceaccount=gitlabkubesandbox:gitlab
describe the new service account
kubectl describe serviceAccounts gitlab
get the secret
kubectl describe secret [secret name found in the response from above]
copy the token
start the dashboard
kubectl proxy
open the dashboard in your browser
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
switch to the namespace “gitlabkubesandbox”
go to secrets => the secret from above

Values for GitLab:
Kubernetes cluster name: whatever
API URL: cluster server from the kubeconfig.yml
CA Certificate: ca.crt from the Dashboard
Token: token from the Dashboard
Project namespace: gitlabkubesandbox
Check RBAC-enabled when adding the Cluster to GitLab.

Done!

  • Thank you so much for this! Helm Tiller, GitLab Runner and the Ingress installs went through just fine…but it then keeps erroring out on the Prometheus install. Did you experience that as well?

  • I have followed these very steps but still getting a very generic error on helm/tiller installation.

    "Something went wrong while installing Helm Tiller
    • Can't start installation process."

    Ideas?

    Thanks,
    Leo

    EDIT: after poking around the docs I figured out that the CA Certificate had to be deciphered into a pem format.
    To do that, I just saved the certificate that we get from the kubeconfig.yaml to a certificate.base64.txt and then ran
    # -D decodes with the macOS base64; GNU coreutils base64 uses -d instead
    base64 -D certificate.base64.txt > cert.pem

For installing Helm, the rights described were not enough for me. I had to do this:

### http://centosquestions.com/kubernetes-error-namespaces-gitlab-managed-apps-forbidden-user-systemserviceaccountgitlab-managed-appsgitlab-sa-cannot-get-namespaces-namespace-gitlab-managed-apps/
kubectl create clusterrolebinding permissive-binding --clusterrole=cluster-admin --user=admin --user=kubelet --group=system:serviceaccounts
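The binding above hands cluster-admin to every service account in the cluster. As an added example that is not part of the thread, here is a namespace-scoped alternative as a small POSIX shell script: a ServiceAccount, an explicit token Secret (on Kubernetes 1.24 and later a service account no longer gets a token Secret automatically), and a Role/RoleBinding limited to one namespace, with a guard that refuses to apply anything naming a ClusterRole or cluster-admin. The namespace and account names (gitlabkubesandbox, gitlab), the resource list in the Role and the helper names are my assumptions, not GitLab's requirements. GitLab's managed-apps installer (Helm Tiller) works in its own gitlab-managed-apps namespace, which is the forbidden error in the page linked above, so it needs rights outside the project namespace; this example covers the plain case of deploying into one namespace.

```shell
#!/bin/sh
# Added example, not from the thread: least-privilege RBAC for a GitLab
# service account, scoped to one namespace instead of cluster-admin for all.
# Assumptions: namespace/account names and the verbs list are placeholders to tune.

# Render the manifest for namespace $1 and service account $2 to stdout.
gitlab_rbac_manifest() {
  ns="$1"
  sa="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
# Explicit token Secret (Kubernetes 1.24+ no longer creates one for you).
# Read it back with:
#   kubectl -n ${ns} get secret ${sa}-token -o jsonpath='{.data.token}' | base64 -d
apiVersion: v1
kind: Secret
metadata:
  name: ${sa}-token
  namespace: ${ns}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-deployer
  namespace: ${ns}
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-deployer
  namespace: ${ns}
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
roleRef:
  kind: Role
  name: ${sa}-deployer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Succeeds only if the manifest in $1 names no cluster-wide RBAC kind and
# never references cluster-admin; Roles and RoleBindings cannot reach outside
# their namespace, so anything else is rejected before it is applied.
manifest_is_namespaced() {
  ! printf '%s\n' "$1" | grep -Eq '^kind: Cluster(Role|RoleBinding)$|cluster-admin'
}

# Render, check, and apply with the kubeconfig in $3 (needs kubectl and a cluster).
apply_gitlab_rbac() {
  m="$(gitlab_rbac_manifest "$1" "$2")"
  manifest_is_namespaced "$m" || { echo "refusing cluster-wide grant" >&2; return 1; }
  printf '%s\n' "$m" | kubectl --kubeconfig="$3" apply -f -
}
```

Usage on a real cluster: `apply_gitlab_rbac gitlabkubesandbox gitlab ./your-kubeconfig.yaml`, then read the token from the `gitlab-token` Secret as shown in the manifest comment and paste it into GitLab's Token field.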

Hey there - would the below two commands help?

# Get server
echo $(kubectl config view | grep server | cut -f 2- -d ":" | tr -d " ")

# Get server token
echo $(kubectl describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t')

Just copy what shows in the terminal when you run those. May be applicable to you.

https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#without-kubectl-proxy

  • Hi John, thanks for the help, but not exactly what I need.

    I need the following info about the Kubernetes cluster in DO.

    1. Kubernetes cluster name (I have it from the config) - ok
    2. API URL (no idea what url I will use)
    3. CA Certificate (I have it from the config) - ok
    4. Token (maybe the recipe from John)
    5. Project name - optional, so no problem here.

    Thanks,
    David

    • Hey do you have kubectl access?

      The first command I shared should get you your cluster API URL.

      Then the second command should get you your Token. Did these commands work? Any error?

      I just set up a cluster and ran them here without issue - maybe I can help further.

Hi John, thanks for your help.

I am using the DO (beta) Kubernetes. I managed to enter on the console and when I run the kubectl config view, everything is empty…

I’m sorry but I don’t have too much experience with Kubernetes.

Thanks,
David

  • No problem! Yup I’m using the same thing (DO’s kubernetes beta).

    Ok - first - have you completed this setup: https://www.digitalocean.com/docs/kubernetes/how-to/connect-with-kubectl/ ?

    Basically you:

    1. Install kubectl locally
    2. Download your config.yml file from the DO management screen (it'll be named something else)
    3. Run this command kubectl --kubeconfig="cluster1-kubeconfig-dupe.yaml" get nodes. NOTE: cluster1-kubeconfig-dupe.yaml will be named something different in your case so change it in the command.

    If you can get this to work - the below two commands will print your API_URL and Token

    echo $(kubectl --kubeconfig="cluster1-kubeconfig-dupe.yaml" config view | grep server | cut -f 2- -d ":" | tr -d " ")
    
    # the inner kubectl needs the same --kubeconfig, otherwise it queries your default context
    echo $(kubectl --kubeconfig="cluster1-kubeconfig-dupe.yaml" describe secret $(kubectl --kubeconfig="cluster1-kubeconfig-dupe.yaml" get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t')
    
    • Hi John,

      using the two commands that you wrote, I managed to get the API url no problem, but for the token, I get the following error:

      Unable to connect to the server: dial tcp 192.168.99.100:8443: i/o timeout

      with a jwt token following it.

      this is the payload data extracted from the jwt token (I changed some of the secret/uid characters for security reasons):
      {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/secret.name": "default-token-t6qga",
        "kubernetes.io/serviceaccount/service-account.name": "default",
        "kubernetes.io/serviceaccount/service-account.uid": "5d1f391c-d27a-11e8-b073-ea3c81484823",
        "sub": "system:serviceaccount:default:default"
      }

      I copied the API url and the original JWT token, with the other data that I already have, but when I try to install some applications like Helm Tiller on the DO Kubernetes cluster through our GitLab server, I get the error:

      “Can’t start installation process.”

      Is there any other detail that you can help to make this work?

      Thanks,
      David

      • Get your secrets:

        kubectl --kubeconfig="REPLACE-NAME-OF-YOUR-CONFIG.yaml" get secrets
        

        Get the JWT from a secret:

        kubectl --kubeconfig="REPLACE-NAME-OF-YOUR-CONFIG.yaml" describe secrets REPLACE-WITH-THE-NAME-OF-THE-SECRET-YOU-WANT
        
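Pulling the pieces of this thread together, as an added example that is not part of the original answers: a POSIX shell script that reads the API URL and the CA certificate out of a kubeconfig (certificate-authority-data is base64 of the PEM, so one decode gives the certificate GitLab wants), decodes the payload of a service-account JWT the way David did above, and checks that the token really belongs to the intended service account and namespace rather than system:serviceaccount:default:default. The kubeconfig and the token it runs against are constructed inline: the certificate body is placeholder text, the token is unsigned and the signature is never verified; the host name, the namespace gitlabkubesandbox and the account gitlab are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Extracts the values GitLab asks for
# from a kubeconfig and inspects a service-account token, entirely offline.
# Assumptions: base64 accepting -d (GNU, or recent macOS), sed, cut; no cluster needed.

# --- constructed sample input (placeholder text, not a real certificate) ---
SAMPLE_CA_PEM='-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificateBodyUsedOnlyForThisExample
-----END CERTIFICATE-----'

# Write a kubeconfig shaped like the DigitalOcean download into file $1.
write_sample_kubeconfig() {
  ca_b64="$(printf '%s\n' "$SAMPLE_CA_PEM" | base64 | tr -d '\n')"
  cat >"$1" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${ca_b64}
    server: https://kube.example.com:6443
  name: sample
contexts:
- context:
    cluster: sample
    user: sample-admin
  name: sample
current-context: sample
users:
- name: sample-admin
  user:
    token: REDACTED
EOF
}

# API URL for GitLab: the first cluster's "server:" line.
kubeconfig_server() {
  sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$1" | head -n 1
}

# CA Certificate for GitLab: decoding certificate-authority-data yields the PEM.
kubeconfig_ca_pem() {
  sed -n 's/^[[:space:]]*certificate-authority-data:[[:space:]]*//p' "$1" \
    | head -n 1 | base64 -d
}

# base64url without padding, the encoding of JWT segments.
b64url() { base64 | tr -d '\n=' | sed 's/+/-/g; s|/|_|g'; }

# Decode the JWT payload (second dot-separated segment) and restore padding.
# The signature is ignored: this shows who the token claims to be, nothing more.
jwt_claims() {
  payload="$(printf '%s' "$1" | cut -d. -f2)"
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | sed 's/-/+/g; s|_|/|g' | base64 -d
}

# Value of one string claim, e.g. jwt_claim "$tok" sub
jwt_claim() {
  jwt_claims "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Succeeds only if the token was minted for service account $3 in namespace $2.
# A sub of system:serviceaccount:default:default is the wrong token for GitLab.
token_belongs_to() {
  [ "$(jwt_claim "$1" sub)" = "system:serviceaccount:$2:$3" ]
}

# Constructed, unsigned token carrying the claims a Kubernetes SA token has.
sample_token() {
  hdr='{"alg":"RS256","typ":"JWT"}'
  pay='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"gitlabkubesandbox","kubernetes.io/serviceaccount/service-account.name":"gitlab","sub":"system:serviceaccount:gitlabkubesandbox:gitlab"}'
  printf '%s.%s.%s' "$(printf '%s' "$hdr" | b64url)" \
    "$(printf '%s' "$pay" | b64url)" "$(printf '%s' 'not-a-signature' | b64url)"
}
```

Against a real download, `kubeconfig_server your-kubeconfig.yaml` and `kubeconfig_ca_pem your-kubeconfig.yaml` give the API URL and CA Certificate fields directly, and `token_belongs_to "$TOKEN" gitlabkubesandbox gitlab` before pasting a token into GitLab catches the mistake of copying the default service account's token.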

I have created a small project under https://devops.ck99.io/ck/gitlab-kubernetes-setup

This contains a summary in a script “setup.sh” with all the steps discussed here.

If you are getting a Kubernetes Error 401 it means your Token is incorrect, as it was in my case. I was using a token from an API tab in the Dashboard, but you should really create the Token from the command line as recommended. After generating a user and a token using kubectl commands and changing the Token, the installation of Helm worked perfectly.
Hope it helps!
