@CrashenX
Forked from kacieh80/kube_gitlab.md
Last active October 14, 2021 17:23
Install Kubernetes on Digital Ocean and run Gitlab

Installing Gitlab with DigitalOcean and Kubernetes

Prerequisites

Create a Kubernetes Cluster

  • In your DigitalOcean account, create an empty project and go to Manage > Kubernetes
  • Create your Kubernetes cluster sized to Gitlab's requirements
  • When your cluster finishes creating, download your config file via the grey button at the bottom of the page
  • Assign a floating IP to any droplet and then unassign it (NOTE: the Gitlab helm chart requires this value but then doesn't use it, so you might be able to skip this step and just give the Gitlab helm chart a bogus IP)

Connect to your Kubernetes Cluster

  • Copy the config file you downloaded into your .kube directory as config (i.e. ~/.kube/config)
  • Test your connection by running kubectl get node

Set Up RBAC

  • Create a tiller namespace: kubectl create namespace tiller
  • Create a file called rbac-config.yaml in your .kube directory with the following contents:
# The service account tiller will run as, in the dedicated tiller namespace
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: tiller
---
# rbac v1 has been stable since Kubernetes 1.8; v1beta1 was removed in 1.22
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
# Binds the tiller service account to the built-in cluster-admin role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: tiller
  • Now run kubectl create -f rbac-config.yaml and voilà! You have your service account

Reference NOTE: We created a tiller namespace instead of using kube-system, as this is best practice

Install TLS

# Generate the CA key, then append a v3_ca section to a copy of the stock OpenSSL config so the CA cert is marked CA:TRUE
openssl genrsa -out ./ca.key.pem 4096
cp /etc/ssl/openssl.cnf openssl-with-ca.cnf
cat << END >> openssl-with-ca.cnf
 [ v3_ca ]
 basicConstraints = critical,CA:TRUE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
END
# Self-signed CA certificate, valid for 14 days
openssl req -key ca.key.pem -new -x509 -days 14 -sha256 -out ca.cert.pem -extensions v3_ca -config openssl-with-ca.cnf -subj "/C=US/ST=New York/L=New York/O=DigitalOcean/OU=Systems/CN=digitalocean.com"
# One key and CSR each for tiller (the server side) and helm (the client side)
openssl genrsa -out ./tiller.key.pem 4096
openssl genrsa -out ./helm.key.pem 4096
openssl req -key tiller.key.pem -new -sha256 -out tiller.csr.pem -subj "/C=US/ST=New York/L=New York/O=DigitalOcean/OU=Systems/CN=digitalocean.com"
openssl req -key helm.key.pem -new -sha256 -out helm.csr.pem -subj "/C=US/ST=New York/L=New York/O=DigitalOcean/OU=Systems/CN=digitalocean.com"
# Sign both CSRs with the CA; like the CA they expire after 14 days and will need re-issuing
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 14
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in helm.csr.pem -out helm.cert.pem -days 14
# Put the CA cert plus the helm client cert and key where helm looks for them
mkdir $(helm home); cp ca.cert.pem $(helm home)/ca.pem; cp helm.cert.pem $(helm home)/cert.pem; cp helm.key.pem $(helm home)/key.pem
# Deploy tiller with TLS on and client-certificate verification against the CA
helm init --tiller-namespace tiller --service-account tiller --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert ca.cert.pem

Reference NOTE: Our instructions are adjusted for macOS quirks (mac-isms)
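The certificate chain the openssl commands above build, reproduced with Go's crypto/x509 so the relationship between the three certs can be checked in code. This is an added example, not part of the gist: it produces one CA, a tiller (server) cert and a helm (client) cert signed by that CA, and then performs the check a peer does under --tiller-tls-verify, i.e. chaining the presented cert to ca.pem. It differs from the gist in three labelled ways: keys are ECDSA P-256 instead of RSA 4096 so it runs in well under a second, the tiller cert carries a DNS SAN (the gist's CSRs carry only a CN, which Go and other modern TLS stacks do not use for hostname matching), and tiller-deploy.tiller.svc is an assumed in-cluster service name, not something the gist states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const (
	certDays   = 14                         // the gist's "-days 14"
	TillerHost = "tiller-deploy.tiller.svc" // assumed in-cluster name for tiller, not from the gist
)

// subject is the gist's -subj string as a pkix.Name.
var subject = pkix.Name{
	Country: []string{"US"}, Province: []string{"New York"}, Locality: []string{"New York"},
	Organization: []string{"DigitalOcean"}, OrganizationalUnit: []string{"Systems"},
	CommonName: "digitalocean.com",
}

// base returns a template carrying the gist's subject and 14-day validity.
func base(serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(certDays * 24 * time.Hour)}
}

// NewCA is the equivalent of "openssl req -new -x509 -extensions v3_ca": a
// self-signed cert with critical basicConstraints CA:TRUE. Go adds the
// subjectKeyIdentifier itself and the authorityKeyIdentifier on certs it signs.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := base(1)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf is the equivalent of "openssl x509 -req -CA ca.cert.pem -CAkey
// ca.key.pem". The gist's CSRs carry only a CN; a non-empty dnsName here also
// adds a DNS SAN, which is what modern TLS stacks (Go's included) match
// hostnames against. The helm client cert passes "" and gets no SAN.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64,
	dnsName string, usage x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := base(serial)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{usage}
	if dnsName != "" {
		tmpl.DNSNames = []string{dnsName}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyLeaf is what a peer holding ca.pem does under --tiller-tls-verify:
// chain the presented cert to the trusted CA, check its extended key usage
// and, when dnsName is non-empty, the hostname. nil means accepted.
func VerifyLeaf(ca, leaf *x509.Certificate, dnsName string, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	tiller, err := IssueLeaf(ca, caKey, 2, TillerHost, x509.ExtKeyUsageServerAuth)
	if err != nil {
		panic(err)
	}
	rogue, _, _ := NewCA() // an unrelated CA with the identical subject
	fmt.Println("tiller cert accepted by our CA:      ", VerifyLeaf(ca, tiller, TillerHost, x509.ExtKeyUsageServerAuth) == nil)
	fmt.Println("tiller cert accepted by unrelated CA:", VerifyLeaf(rogue, tiller, TillerHost, x509.ExtKeyUsageServerAuth) == nil)
}
```

The second print is the point of --tiller-tls-verify: a certificate with exactly the same subject but issued by a CA other than the one in ca.pem is rejected, so only the helm client holding a cert signed by this CA can talk to tiller. The same check also refuses the helm client cert when offered as a server cert, because its extended key usage is clientAuth only.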

Install Gitlab

  • You're going to use the floating IP address you created earlier
  • Create a wildcard DNS entry pointing at it
  • If you're using Terraform, your entry may look something like this:
// *.test-gitlab.example.com.
resource "google_dns_record_set" "test_gitlab_example_com" {
   managed_zone = "some zone"
   name = "*.<SUB-DOMAIN>"
   type = "A"
   ttl = 300
   rrdatas = ["<FLOATING IP>"] // test-gitlab digital ocean k8s nginx ingress
}
  • Add the Gitlab Helm chart repo: helm repo add gitlab https://charts.gitlab.io/
  • Update your repos: helm repo update
  • Now run the install: helm upgrade --tls --tiller-namespace=tiller --install gitlab gitlab/gitlab --timeout 600 --set global.hosts.domain=<SUB-DOMAIN> --set global.hosts.externalIP=<FLOATING IP> --set [email protected]
    • N.B.: make sure you can create at least 5 new volumes (i.e. your volume limit minus the number of volumes you already have is >= 5), or the install will hang waiting on volume creation; check with kubectl describe pvc
  • Now find the gitlab-nginx-ingress-controller LoadBalancer service with kubectl get services, take its external IP, and change your DNS to point at it
  • You can check the install with kubectl get pods; once all pods are running you can go to your Gitlab URL and log in

Log In To Gitlab

  • kubectl get secret <name>-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo gets you the password; the username is root
  • Go to your account and change your password
  • Have fun with Gitlab