2021.03.20
1. What is GitLab?
- GitLab is a web-based DevOps lifecycle tool: a Git repository manager with wiki, issue tracking, and continuous integration and deployment pipeline features.
- GitLab license
✓ GitLab Community Edition (MIT License) vs. GitLab Enterprise Edition (EE) license
https://about.gitlab.com/install/ce-or-ee/
✓ GitLab Community Edition is open source, under the MIT Expat license.
✓ GitLab Enterprise Edition: Trial, Free, Premium, Ultimate
- GitLab cloud native Helm Chart
https://docs.gitlab.com/charts/
2. Environments
- GitLab Helm chart 4.9.4, GitLab 13.9.4
- Kubernetes 1.16.15
3. Things to consider when setting up GitLab
- Prerequisites
✓ Domain name (required)
Free services: x.x.x.x.sslip.io, x.x.x.x.nip.io
KT (internal): an xxx.kt.co.kr domain is issued free of charge once the security review is complete
✓ An additional IP address (optional) - for a LoadBalancer-type Service; needed for https and for using GitLab CI
- Version control features
✓ http supported
Web client and VCS clients work (e.g. PyCharm, Sourcetree, git command line)
The gitlab-nginx-ingress-controller Service type can be LoadBalancer or NodePort
✓ https supported
TLS certificate - issued automatically with cert-manager and Let's Encrypt (public IP and a LoadBalancer Service required: the HTTP-01 challenge must reach port 80 of the ingress from Let's Encrypt's validation servers)
The KT GTH external-network firewall does not allow inbound any, so the challenge cannot complete and no certificate can be issued
Not possible on minikube (MetalLB is supported, but its IP pool is private address space, so Let's Encrypt cannot validate)
Self-signed certificate - web client: rejected by Chrome, accepted by Firefox; VCS clients reject it (PyCharm, Sourcetree). Clients accept it only once the issuing certificate is in their trust store (for git: http.sslCAInfo)
- GitLab CI (Auto DevOps pipeline) features
✓ http not supported
✓ https supported: self-signed certificates are not supported (the gitlab-runner pod does not work, since it cannot verify the server certificate)
4. GitLab Install
- https://docs.gitlab.com/charts/installation/
- Installation
$ helm repo add gitlab https://charts.gitlab.io/
$ helm repo update
$ helm search repo gitlab
NAME CHART VERSION APP VERSION DESCRIPTION
gitlab/gitlab 4.9.4 13.9.4 Web-based Git-repository manager with wiki and ...
gitlab/gitlab-omnibus 0.1.37 GitLab Omnibus all-in-one bundle
gitlab/gitlab-runner 0.26.0 13.9.0 GitLab Runner
…
$ helm inspect values gitlab/gitlab --version 4.9.4 > gitlab-values.yaml
$ vi gitlab-values.yaml
…
$
$ helm install gitlab gitlab/gitlab --create-namespace --namespace gitlab --values gitlab-values.yaml --version 4.9.4
NAME: gitlab
LAST DEPLOYED: Sat Mar 20 16:44:42 2021
NAMESPACE: gitlab
STATUS: deployed
REVISION: 1
NOTES:
NOTICE: The resource requests have increased for the Webservice and Sidekiq charts.
For more information on Webservice resources, see https://docs.gitlab.com/charts/charts/gitlab/webservice/index.html#resources
For more information on Sidekiq resources, see https://docs.gitlab.com/charts/charts/gitlab/sidekiq/index.html#resource
Related merge request: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1634
To restore the original resource specifications:
--set gitlab.sidekiq.resources.requests.cpu=50m
--set gitlab.sidekiq.resources.requests.memory=650M
--set gitlab.webservice.resources.requests.memory=1.5G
NOTICE: You've installed GitLab Runner without the ability to use 'docker in docker'.
The GitLab Runner chart (gitlab/gitlab-runner) is deployed without the `privileged` flag by default for security purposes. This can be changed by setting `gitlab-runner.runners.privileged` to `true`. Before doing so, please read the GitLab Runner chart's documentation on why we chose not to enable this by default. See https://docs.gitlab.com/runner/install/kubernetes.html#running-docker-in-docker-containers-with-gitlab-runners
Help us improve the install experience, let us know how we did with a 1 minute survey:
https://gitlab.fra1.qualtrics.com/jfe/form/SV_6kVqZANThUQ1bZb?installation=helm&release=13-9
$
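The contents of gitlab-values.yaml are elided above. As an added illustration (not the author's actual file), these are the chart values that produce the hostnames and external IP seen in the outputs that follow, with the runner left unprivileged as the install NOTES recommend; the e-mail address is a placeholder and the file is otherwise assumed:

```yaml
# Minimal gitlab-values.yaml for chart 4.9.4 (illustration; values assumed)
global:
  hosts:
    domain: 14.52.244.138.sslip.io   # the chart prefixes gitlab., registry., minio.
    externalIP: 14.52.244.138        # address the nginx ingress LoadBalancer is given
  ingress:
    configureCertmanager: true       # Option 1 TLS: cert-manager + Let's Encrypt
certmanager-issuer:
  email: you@example.com             # Let's Encrypt account contact (placeholder)
gitlab-runner:
  install: true
  runners:
    privileged: false                # chart default; docker-in-docker needs true,
                                     # which makes every CI job root-equivalent on the node
```

Everything the chart derives from global.hosts.domain (the three ingress hosts, the Let's Encrypt certificate names) changes together, so set it once here rather than per service.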
- Verify the installation
$ helm list -n gitlab
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
gitlab gitlab 1 2021-03-20 16:44:42.564628909 +0900 KST deployed gitlab-4.9.4 13.9.4
$ k get svc -n gitlab
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
gitlab-cert-manager ClusterIP 10.101.73.27 <none> 9402/TCP 25m
gitlab-gitaly ClusterIP None <none> 8075/TCP,9236/TCP 25m
gitlab-gitlab-exporter ClusterIP 10.106.65.230 <none> 9168/TCP 25m
gitlab-gitlab-shell ClusterIP 10.107.109.113 <none> 22/TCP 25m
gitlab-minio-svc ClusterIP 10.108.148.226 <none> 9000/TCP 25m
gitlab-nginx-ingress-controller LoadBalancer 10.109.176.173 14.52.244.138 80:31681/TCP,443:32274/TCP,... 25m
…
$ k get pod -n gitlab
NAME READY STATUS RESTARTS AGE
gitlab-cainjector-5d5cd7646b-pzn7f 1/1 Running 0 27m
gitlab-cert-manager-78ffbc8b9f-8fwfx 1/1 Running 0 27m
gitlab-gitaly-0 1/1 Running 0 27m
gitlab-gitlab-exporter-fb96697b6-26pg2 1/1 Running 0 27m
gitlab-gitlab-runner-7d46c6f4bd-g98lx 1/1 Running 6 27m
gitlab-gitlab-shell-76d4b88769-cfm98 1/1 Running 0 27m
gitlab-gitlab-shell-76d4b88769-mcjh7 1/1 Running 0 27m
gitlab-issuer-1-44hc7 0/1 Completed 0 27m
gitlab-migrations-1-hs8gc 0/1 Completed 0 27m
gitlab-minio-6dd7d96ddb-m7tk5 1/1 Running 0 27m
gitlab-minio-create-buckets-1-76hld 0/1 Completed 0 27m
gitlab-nginx-ingress-controller-7fc8cbf49d-8lz68 1/1 Running 0 27m
gitlab-nginx-ingress-controller-7fc8cbf49d-x7qtf 1/1 Running 0 27m
gitlab-nginx-ingress-default-backend-7ff88b95f-gmjmt 1/1 Running 0 27m
gitlab-postgresql-0 2/2 Running 0 27m
gitlab-prometheus-server-6cfb57f575-fkrfp 2/2 Running 0 27m
gitlab-redis-master-0 2/2 Running 0 27m
gitlab-registry-75f6f87cf4-5x7qv 1/1 Running 0 27m
gitlab-registry-75f6f87cf4-vjr5n 1/1 Running 0 27m
gitlab-sidekiq-all-in-1-v1-59f774cf75-hh67n 1/1 Running 0 27m
gitlab-task-runner-8697696b97-hq67q 1/1 Running 0 27m
gitlab-webservice-default-69cf7b47d4-55hw4 2/2 Running 0 27m
gitlab-webservice-default-69cf7b47d4-qjphg 2/2 Running 0 27m
$ k get pvc -n gitlab
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
data-gitlab-postgresql-0 Bound pvc-c5b0bf7f-e770-4cc0-b652-0acaaa6e5a75 8Gi RWO rook-ceph-block-sc-iap 27m
gitlab-minio Bound pvc-25ea72ac-8e3b-417e-a0e2-4c2951fedf97 10Gi RWO rook-ceph-block-sc-iap 27m
gitlab-prometheus-server Bound pvc-9cc97b72-1b19-4901-9315-ad78f0d81c0c 8Gi RWO rook-ceph-block-sc-iap 27m
redis-data-gitlab-redis-master-0 Bound pvc-6ca20ac4-47d9-418f-a2b0-a62e5e0f7374 8Gi RWO rook-ceph-block-sc-iap 27m
repo-data-gitlab-gitaly-0 Bound pvc-23e70c27-0af8-41d9-b7e7-3ea2ff3c3acd 50Gi RWO rook-ceph-block-sc-iap 27m
$
$ k get ingresses.extensions -n gitlab
NAME HOSTS ADDRESS PORTS AGE
gitlab-minio minio.14.52.244.138.sslip.io 14.52.244.138 80, 443 16m
gitlab-registry registry.14.52.244.138.sslip.io 14.52.244.138 80, 443 16m
gitlab-webservice-default gitlab.14.52.244.138.sslip.io 14.52.244.138 80, 443 16m
$ k describe ingress gitlab-webservice-default -n gitlab
Name: gitlab-webservice-default
Namespace: gitlab
Address: 14.52.244.138
Default backend: default-http-backend:80 (<none>)
TLS:
gitlab-gitlab-tls terminates gitlab.14.52.244.138.sslip.io
Rules:
Host Path Backends
---- ---- --------
gitlab.14.52.244.138.sslip.io
/ gitlab-webservice-default:8181 (10.244.14.240:8181,10.244.15.74:8181)
/admin/sidekiq/ gitlab-webservice-default:8080 (10.244.14.240:8080,10.244.15.74:8080)
…
$ k describe ingress gitlab-minio -n gitlab | grep Rules -A4
Rules:
Host Path Backends
---- ---- --------
minio.14.52.244.138.sslip.io
/ gitlab-minio-svc:9000 (10.244.14.242:9000)
$ k describe ingress gitlab-registry -n gitlab | grep Rules -A4
Rules:
Host Path Backends
---- ---- --------
registry.14.52.244.138.sslip.io
/ gitlab-registry:5000 (10.244.14.239:5000,10.244.15.75:5000)
$
5. TLS configuration
- Option 1: cert-manager and Let’s Encrypt
https://docs.gitlab.com/charts/installation/tls.html#option-1-cert-manager-and-lets-encrypt
See chapter 2 of the "Cert-manager with LetsEncrypt" document for details
Install command:
$ helm install gitlab gitlab/gitlab --set certmanager-issuer.email=you@example.com
- Option 4: Use auto-generated self-signed wildcard certificate
https://docs.gitlab.com/charts/installation/tls.html#option-4-use-auto-generated-self-signed-wildcard-certificate
This can be useful in environments where Let’s Encrypt is not an option, but security via SSL is still desired.
The gitlab-runner chart does not function properly with self-signed certificates. We recommend disabling it, as shown below.
✓ Install command:
$ helm install gitlab gitlab/gitlab \
--set certmanager.install=false --set global.ingress.configureCertmanager=false \
--set gitlab-runner.install=false
✓ Result:
The CN (Common Name) of the auto-generated self-signed certificate is ingress.local; it needs to be issued for gitlab.192.168.64.25.sslip.io, the host actually used, or clients reject it
PyCharm error message (Get from VCS):
unable to access 'https://ysjeon71@gitlab.192.168.64.25.sslip.io/gitlab/testdev.git/':
SSL certificate problem: unable to get local issuer certificate
- Option 3: Use individual certificate per service
https://docs.gitlab.com/charts/installation/tls.html#option-3-use-individual-certificate-per-service
✓ Install command:
$ kubectl create secret generic gitlab-gitlab-tls -n gitlab --from-file=tls.crt=gitlab.crt --from-file=tls.key=gitlab.key
$ kubectl create secret generic gitlab-minio-tls -n gitlab --from-file=tls.crt=minio.crt --from-file=tls.key=minio.key
$ kubectl create secret generic gitlab-registry-tls -n gitlab --from-file=tls.crt=registry.crt --from-file=tls.key=registry.key
$ helm install gitlab gitlab/gitlab \
--set certmanager.install=false \
--set global.ingress.configureCertmanager=false \
--set global.ingress.tls.enabled=true \
--set gitlab.webservice.ingress.tls.secretName=gitlab-gitlab-tls \
--set registry.ingress.tls.secretName=gitlab-registry-tls \
--set minio.ingress.tls.secretName=gitlab-minio-tls
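For Option 3, and for the client-trust failures seen with Option 4, the following is an added example (not from the original post or the GitLab chart): it builds a private CA, issues one CA-signed wildcard certificate covering the three ingress hosts, verifies the hostname match the way a browser, git or the runner does, and writes the kubernetes.io/tls Secret manifests that the chart's *.ingress.tls.secretName values expect, plus a CA Secret for the runner. The domain is the one used in this post; openssl and base64 on PATH are assumed, and the runner secret's name and key layout follow the runner chart's certsSecretName value, which should be checked against the chart version deployed. Nothing here talks to a cluster.

```shell
#!/usr/bin/env bash
# Added example: private CA + wildcard cert + Secret manifests for the GitLab chart.
# Assumptions: DOMAIN from the post, openssl/base64 available, no cluster access.
set -euo pipefail

DOMAIN="${DOMAIN:-14.52.244.138.sslip.io}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Private CA. Only ca.crt is handed to clients and to the runner; ca.key stays
# offline and never goes into a Secret.
make_ca() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = gitlab-private-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Leaf certificate for *.$DOMAIN. Clients match the hostname against the SAN
# list, not the CN; a certificate issued for ingress.local is rejected for
# gitlab.<domain> no matter who signed it.
issue_wildcard() {
  cat > "$WORKDIR/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = *.$DOMAIN
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.$DOMAIN,DNS:$DOMAIN
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/leaf.cnf" \
    -keyout "$WORKDIR/tls.key" -out "$WORKDIR/leaf.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORKDIR/leaf.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/leaf.cnf" -extensions leaf_ext -out "$WORKDIR/tls.crt" 2>/dev/null
}

# The check a browser, git or the runner performs: chain to the CA plus
# hostname match. Exit status 0 on success.
verify_host() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" "$WORKDIR/tls.crt" >/dev/null 2>&1
}

b64() { base64 < "$1" | tr -d '\n'; }

# kubernetes.io/tls Secret, the shape `kubectl create secret tls` builds and
# validates; one wildcard cert serves gitlab., registry. and minio.
tls_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: gitlab
type: kubernetes.io/tls
data:
  tls.crt: $(b64 "$WORKDIR/tls.crt")
  tls.key: $(b64 "$WORKDIR/tls.key")
EOF
}

# CA bundle for the runner, keyed <hostname>.crt as its certs directory expects;
# referenced via --set gitlab-runner.certsSecretName=gitlab-runner-certs
# (assumption: confirm the value name in the runner chart you deploy).
runner_ca_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-runner-certs
  namespace: gitlab
data:
  gitlab.$DOMAIN.crt: $(b64 "$WORKDIR/ca.crt")
EOF
}

make_ca
issue_wildcard
for host in gitlab registry minio; do
  verify_host "$host.$DOMAIN" || { echo "hostname check failed for $host.$DOMAIN" >&2; exit 1; }
done
for name in gitlab-gitlab-tls gitlab-registry-tls gitlab-minio-tls; do
  tls_secret_manifest "$name" > "$WORKDIR/$name.yaml"
done
runner_ca_secret_manifest > "$WORKDIR/gitlab-runner-certs.yaml"
echo "manifests written to $WORKDIR; trust $WORKDIR/ca.crt on clients (git: http.sslCAInfo)"
```

Apply the generated files with kubectl apply -n gitlab -f before running the Option 3 helm install, and point git clients at ca.crt with git config --global http.sslCAInfo rather than disabling verification; the PyCharm "unable to get local issuer certificate" error above is exactly a missing issuer in the client trust store.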
6. Creating users and projects
a. Log in to GitLab
- https://gitlab.14.52.244.138.sslip.io (the host on the gitlab-webservice-default ingress)
Username: root
Password:
$ kubectl get secret gitlab-gitlab-initial-root-password -n gitlab -ojsonpath='{.data.password}' | base64 --decode ; echo
VMrR4VjVrfzQcrs3iNDSRcHeKzF4fxzJzLhM9W5mgUKZlhhNZL4Gjw62QfrrD3K7
$
Change the root password right after the first login: the initial one stays in the gitlab-gitlab-initial-root-password Secret, where anyone who can read Secrets in the gitlab namespace can recover it the same way.
b. Create users
- https://docs.gitlab.com/ee/user/profile/account/create_accounts.html#create-users-in-admin-area
- Creating a user, method #1 (by the administrator)
Add the user (Admin Area > Overview > Users > New user)
Set the password
Admin Area > Overview > Users > 2FA Disabled > Edit (the user whose password is being set) > Password
- Creating a user, method #2 (self-registration)
Choose "Register now"
Fill in the fields and choose "Register"
- Approval
Log in as Administrator (root)
Admin Area > Overview > Users > 2FA Disabled > select the user to approve > Approve
c. Create groups
- Create the group (menu: + > New group)
Group name: test-dev
Visibility level: Private
- Change group members (menu: Groups > Your groups > test-dev > Members > Invite member)
GitLab member or Email address: ysjeon71
Choose a role permission: Developer
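The same admin steps (create a user, approve a self-registered one, create the private group, add a member as Developer) through the GitLab REST API v4, as an added example that is not part of the original post. It assumes GITLAB_URL, an administrator personal access token with the api scope in GITLAB_TOKEN, and curl and jq on PATH; the e-mail address and password are placeholders, and nothing is sent unless GITLAB_TOKEN is set.

```shell
#!/usr/bin/env bash
# Added example: section 6 as API calls. Assumptions: admin token in GITLAB_TOKEN,
# curl + jq available; e-mail/password below are placeholders.
set -euo pipefail

GITLAB_URL="${GITLAB_URL:-https://gitlab.14.52.244.138.sslip.io}"
GITLAB_CACERT="${GITLAB_CACERT:-}"   # CA file when the ingress uses a private CA

# Access levels used by the members API (Developer is what the post grants)
role_to_access_level() {
  case "$1" in
    Guest)      echo 10 ;;
    Reporter)   echo 20 ;;
    Developer)  echo 30 ;;
    Maintainer) echo 40 ;;
    Owner)      echo 50 ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# curl wrapper: --fail so a 4xx/5xx is an error, never a silent success.
# No -k: a private CA is passed with --cacert instead of skipping verification.
api() {
  local method="$1" path="$2"; shift 2
  curl --silent --show-error --fail -X "$method" \
    ${GITLAB_CACERT:+--cacert "$GITLAB_CACERT"} \
    -H "PRIVATE-TOKEN: $GITLAB_TOKEN" "$GITLAB_URL/api/v4$path" "$@"
}

# Admin Area > Users > New user; skip_confirmation avoids the e-mail round-trip.
create_user() {  # username email password -> user id
  api POST /users \
    --data-urlencode "username=$1" --data-urlencode "name=$1" \
    --data-urlencode "email=$2" --data-urlencode "password=$3" \
    --data "skip_confirmation=true" | jq -r .id
}

# The Approve button for a pending (self-registered) user
approve_user() { api POST "/users/$1/approve" >/dev/null; }

# + > New group with Visibility level: Private
create_group() {  # name -> group id
  api POST /groups --data-urlencode "name=$1" --data-urlencode "path=$1" \
    --data "visibility=private" | jq -r .id
}

# Members > Invite member, with the role given by name
add_member() {  # group_id user_id role
  api POST "/groups/$1/members" --data "user_id=$2" \
    --data "access_level=$(role_to_access_level "$3")" >/dev/null
}

if [ -n "${GITLAB_TOKEN:-}" ]; then
  uid=$(create_user ysjeon71 ysjeon71@example.com 'replace-with-a-real-password')
  gid=$(create_group test-dev)
  add_member "$gid" "$uid" Developer
  echo "user $uid added to group $gid as Developer"
else
  echo "GITLAB_TOKEN not set; nothing sent" >&2
fi
```

Keep the token in an environment variable or a secrets manager rather than on the command line, where it lands in shell history and process listings; the same applies to the placeholder password.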