
GitLab

by 여행을 떠나자! 2021. 9. 17.

2021.03.20


1. GitLab?
- GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager providing wiki, issue-tracking and continuous integration and deployment pipeline features.
- GitLab license
   ✓ GitLab Community Edition (MIT License) vs GitLab Enterprise Edition (EE) license
       https://about.gitlab.com/install/ce-or-ee/
   ✓ GitLab Community Edition is open source, with an MIT Expat license.
   ✓ GitLab Enterprise Edition: Trial, Free, Premium, Ultimate
- GitLab cloud native Helm Chart
        https://docs.gitlab.com/charts/


2. Environments
- GitLab Helm chart 4.9.4, GitLab 13.9.4

- Kubernetes 1.16.15


3. Considerations when setting up GitLab
- Prerequisites
   ✓ Domain name (required)
       free service: use x.x.x.x.sslip.io or x.x.x.x.nip.io
       KT (in-house): an xxx.kt.co.kr domain is issued (free) after the security review is completed
   ✓ Secure an additional IP address (optional) - for the Service type; required when configuring https / using GitLab CI


- Version control features
   ✓ http supported
        Web clients and VCS clients supported (e.g. PyCharm, Sourcetree, git command line)
        The service type of gitlab-nginx-ingress-controller can be set to LoadBalancer or NodePort

   ✓ https supported
        TLS certificate - issued automatically using cert-manager and Let’s Encrypt (public IP and LoadBalancer required)
        The firewall configuration of the KT GTH external network does not allow "inbound any", so a certificate cannot be issued
            Not possible on minikube (metallb is supported, but the IP pool is configured with private IP addresses, so Let’s Encrypt cannot validate)
        self-signed certificate - web clients (Chrome not supported, Firefox supported), VCS clients not supported (PyCharm, Sourcetree)

 

- GitLab CI (Auto DevOps pipeline) feature
   ✓ http not supported
   ✓ https supported: self-signed certificates not supported (the gitlab-runner pod does not run)


4. GitLab Install
https://docs.gitlab.com/charts/installation/

- Installation

$ helm repo add gitlab https://charts.gitlab.io/
$ helm repo update
$ helm search repo gitlab
NAME                   CHART VERSION  APP VERSION  DESCRIPTION
gitlab/gitlab          4.9.4          13.9.4       Web-based Git-repository manager with wiki and ...
gitlab/gitlab-omnibus  0.1.37                      GitLab Omnibus all-in-one bundle
gitlab/gitlab-runner   0.26.0         13.9.0       GitLab Runner
…
$ helm inspect values gitlab/gitlab --version 4.9.4 > gitlab-values.yaml
$ vi gitlab-values.yaml
…
$
$ helm install gitlab gitlab/gitlab --create-namespace --namespace gitlab --values gitlab-values.yaml --version 4.9.4
NAME: gitlab
LAST DEPLOYED: Sat Mar 20 16:44:42 2021
NAMESPACE: gitlab
STATUS: deployed
REVISION: 1
NOTES:
NOTICE: The resource requests have increased for the Webservice and Sidekiq charts.
    For more information on Webservice resources, see https://docs.gitlab.com/charts/charts/gitlab/webservice/index.html#resources
    For more information on Sidekiq resources, see https://docs.gitlab.com/charts/charts/gitlab/sidekiq/index.html#resource
    Related merge request: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1634

    To restore the original resource specifications:
    --set gitlab.sidekiq.resources.requests.cpu=50m
    --set gitlab.sidekiq.resources.requests.memory=650M
    --set gitlab.webservice.resources.requests.memory=1.5G

NOTICE: You've installed GitLab Runner without the ability to use 'docker in docker'.
The GitLab Runner chart (gitlab/gitlab-runner) is deployed without the `privileged` flag by default for security purposes. This can be changed by setting `gitlab-runner.runners.privileged` to `true`. Before doing so, please read the GitLab Runner chart's documentation on why we
chose not to enable this by default. See https://docs.gitlab.com/runner/install/kubernetes.html#running-docker-in-docker-containers-with-gitlab-runners

Help us improve the install experience, let us know how we did with a 1 minute survey:
https://gitlab.fra1.qualtrics.com/jfe/form/SV_6kVqZANThUQ1bZb?installation=helm&release=13-9
$
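The post leaves out what was edited in gitlab-values.yaml. The following is an added example, not code from the post or from the GitLab project: a small POSIX shell script that renders the override file for the setup described here (an sslip.io wildcard name built from the LoadBalancer IP, Let’s Encrypt through cert-manager as in TLS Option 1, and the runner left at the non-privileged default the chart NOTES recommend). The chart keys are those of gitlab chart 4.x; the function names, the validation logic, the e-mail address and the use of the post's IP 14.52.244.138 as sample input are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the post): render a minimal gitlab-values.yaml.
# Chart keys are those of the gitlab Helm chart 4.x; function names are my own.

# Validate a dotted-quad IPv4 address; sslip.io / nip.io only resolve well-formed ones.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# The wildcard DNS name the post uses: <ip>.sslip.io (nip.io works the same way).
gitlab_domain() {
  is_ipv4 "$1" || return 1
  echo "$1.sslip.io"
}

# Emit the values override.
# $1 = external (LoadBalancer) IP, $2 = Let's Encrypt contact e-mail,
# $3 = edition, "ce" (default) or "ee".
render_gitlab_values() {
  ip=$1; email=$2; edition=${3:-ce}
  domain=$(gitlab_domain "$ip") || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  case "$email" in *@*.*) ;; *) echo "invalid e-mail: $email" >&2; return 1 ;; esac
  case "$edition" in ce|ee) ;; *) echo "edition must be ce or ee" >&2; return 1 ;; esac
  cat <<EOF
global:
  edition: $edition
  hosts:
    domain: $domain
    externalIP: $ip
    https: true
  ingress:
    configureCertmanager: true
    tls:
      enabled: true
certmanager-issuer:
  email: $email
nginx-ingress:
  controller:
    service:
      type: LoadBalancer
gitlab-runner:
  install: true
  runners:
    privileged: false
EOF
}

# Usage (IP from the post's ingress output; the e-mail is a placeholder):
#   render_gitlab_values 14.52.244.138 you@example.com > gitlab-values.yaml
#   helm install gitlab gitlab/gitlab --create-namespace --namespace gitlab \
#       --values gitlab-values.yaml --version 4.9.4
```

`global.hosts.externalIP` pins the nginx-ingress LoadBalancer to the address the domain encodes, so the sslip.io name and the Service stay consistent across upgrades. For the self-signed variant (TLS Option 4 below) the same file would instead carry `certmanager.install: false`, `global.ingress.configureCertmanager: false` and `gitlab-runner.install: false`, matching the post's `--set` flags.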

- Verify the installation

$ helm list -n gitlab
NAME      NAMESPACE   REVISION    UPDATED                                 STATUS      CHART           APP VERSION
gitlab    gitlab      1           2021-03-20 16:44:42.564628909 +0900 KST deployed    gitlab-4.9.4    13.9.4
$ k get svc -n gitlab
NAME                              TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                          AGE
gitlab-cert-manager               ClusterIP      10.101.73.27     <none>          9402/TCP                         25m
gitlab-gitaly                     ClusterIP      None             <none>          8075/TCP,9236/TCP                25m
gitlab-gitlab-exporter            ClusterIP      10.106.65.230    <none>          9168/TCP                         25m
gitlab-gitlab-shell               ClusterIP      10.107.109.113   <none>          22/TCP                           25m
gitlab-minio-svc                  ClusterIP      10.108.148.226   <none>          9000/TCP                         25m
gitlab-nginx-ingress-controller   LoadBalancer   10.109.176.173   14.52.244.138   80:31681/TCP,443:32274/TCP,...   25m
…
$ k get pod -n gitlab
NAME                                                   READY   STATUS       RESTARTS   AGE
gitlab-cainjector-5d5cd7646b-pzn7f                     1/1     Running      0          27m
gitlab-cert-manager-78ffbc8b9f-8fwfx                   1/1     Running      0          27m
gitlab-gitaly-0                                        1/1     Running      0          27m
gitlab-gitlab-exporter-fb96697b6-26pg2                 1/1     Running      0          27m
gitlab-gitlab-runner-7d46c6f4bd-g98lx                  1/1     Running      6          27m
gitlab-gitlab-shell-76d4b88769-cfm98                   1/1     Running      0          27m
gitlab-gitlab-shell-76d4b88769-mcjh7                   1/1     Running      0          27m
gitlab-issuer-1-44hc7                                  0/1     Completed    0          27m
gitlab-migrations-1-hs8gc                              0/1     Completed    0          27m
gitlab-minio-6dd7d96ddb-m7tk5                          1/1     Running      0          27m
gitlab-minio-create-buckets-1-76hld                    0/1     Completed    0          27m
gitlab-nginx-ingress-controller-7fc8cbf49d-8lz68       1/1     Running      0          27m
gitlab-nginx-ingress-controller-7fc8cbf49d-x7qtf       1/1     Running      0          27m
gitlab-nginx-ingress-default-backend-7ff88b95f-gmjmt   1/1     Running      0          27m
gitlab-postgresql-0                                    2/2     Running      0          27m
gitlab-prometheus-server-6cfb57f575-fkrfp              2/2     Running      0          27m
gitlab-redis-master-0                                  2/2     Running      0          27m
gitlab-registry-75f6f87cf4-5x7qv                       1/1     Running      0          27m
gitlab-registry-75f6f87cf4-vjr5n                       1/1     Running      0          27m
gitlab-sidekiq-all-in-1-v1-59f774cf75-hh67n            1/1     Running      0          27m
gitlab-task-runner-8697696b97-hq67q                    1/1     Running      0          27m
gitlab-webservice-default-69cf7b47d4-55hw4             2/2     Running      0          27m
gitlab-webservice-default-69cf7b47d4-qjphg             2/2     Running      0          27m
$ k get pvc -n gitlab
NAME                               STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS             AGE
data-gitlab-postgresql-0           Bound    pvc-c5b0bf7f-e770-4cc0-b652-0acaaa6e5a75   8Gi        RWO            rook-ceph-block-sc-iap   27m
gitlab-minio                       Bound    pvc-25ea72ac-8e3b-417e-a0e2-4c2951fedf97   10Gi       RWO            rook-ceph-block-sc-iap   27m
gitlab-prometheus-server           Bound    pvc-9cc97b72-1b19-4901-9315-ad78f0d81c0c   8Gi        RWO            rook-ceph-block-sc-iap   27m
redis-data-gitlab-redis-master-0   Bound    pvc-6ca20ac4-47d9-418f-a2b0-a62e5e0f7374   8Gi        RWO            rook-ceph-block-sc-iap   27m
repo-data-gitlab-gitaly-0          Bound    pvc-23e70c27-0af8-41d9-b7e7-3ea2ff3c3acd   50Gi       RWO            rook-ceph-block-sc-iap   27m
$
$ k get ingresses.extensions -n gitlab
NAME                        HOSTS                             ADDRESS         PORTS     AGE
gitlab-minio                minio.14.52.244.138.sslip.io      14.52.244.138   80, 443   16m
gitlab-registry             registry.14.52.244.138.sslip.io   14.52.244.138   80, 443   16m
gitlab-webservice-default   gitlab.14.52.244.138.sslip.io     14.52.244.138   80, 443   16m
$ k describe ingress gitlab-webservice-default -n gitlab
Name:             gitlab-webservice-default
Namespace:        gitlab
Address:          14.52.244.138
Default backend:  default-http-backend:80 (<none>)
TLS:
  gitlab-gitlab-tls terminates gitlab.14.52.244.138.sslip.io
Rules:
  Host                           Path  Backends
  ----                           ----  --------
  gitlab.14.52.244.138.sslip.io
                                 /                 gitlab-webservice-default:8181 (10.244.14.240:8181,10.244.15.74:8181)
                                 /admin/sidekiq/   gitlab-webservice-default:8080 (10.244.14.240:8080,10.244.15.74:8080)
…
$ k describe ingress gitlab-minio -n gitlab | grep Rules -A4
Rules:
  Host                             Path  Backends
  ----                             ----  --------
  minio.14.52.244.138.sslip.io
                                   /   gitlab-minio-svc:9000 (10.244.14.242:9000)
$ k describe ingress gitlab-registry -n gitlab | grep Rules -A4
Rules:
  Host                             Path  Backends
  ----                             ----  --------
  registry.14.52.244.138.sslip.io
                                   /   gitlab-registry:5000 (10.244.14.239:5000,10.244.15.75:5000)
$


5. TLS configuration
- Option 1: cert-manager and Let’s Encrypt
   https://docs.gitlab.com/charts/installation/tls.html#option-1-cert-manager-and-lets-encrypt
   For details, see chapter 2 of the "Cert-manager with LetsEncrypt" document
   Install command:
       $ helm install gitlab gitlab/gitlab --set certmanager-issuer.email=you@example.com


- Option 4: Use auto-generated self-signed wildcard certificate
   https://docs.gitlab.com/charts/installation/tls.html#option-4-use-auto-generated-self-signed-wildcard-certificate
   This can be useful in environments where Let’s Encrypt is not an option, but security via SSL is still desired.
   The gitlab-runner chart does not function properly with self-signed certificates. We recommend disabling it, as shown below.
    ✓ Install command:
        $ helm install gitlab gitlab/gitlab \
          --set certmanager.install=false --set global.ingress.configureCertmanager=false \
          --set gitlab-runner.install=false
    ✓ Install result:
        The CN (Common Name) of the auto-generated self-signed certificate is set to ingress.local (gitlab.192.168.64.25.sslip.io is required)
        PyCharm error message (Get from VCS):
           unable to access 'https://ysjeon71@gitlab.192.168.64.25.sslip.io/gitlab/testdev.git/':
           SSL certificate problem: unable to get local issuer certificate

- Option 3: Use individual certificate per service
   https://docs.gitlab.com/charts/installation/tls.html#option-3-use-individual-certificate-per-service
    ✓ Install command:
        $ kubectl create secret generic gitlab-gitlab-tls -n gitlab --from-file=tls.crt=gitlab.crt --from-file=tls.key=gitlab.key
        $ kubectl create secret generic gitlab-minio-tls -n gitlab --from-file=tls.crt=minio.crt --from-file=tls.key=minio.key
        $ kubectl create secret generic gitlab-registry-tls -n gitlab --from-file=tls.crt=registry.crt --from-file=tls.key=registry.key
        $ helm install gitlab gitlab/gitlab \
           --set certmanager.install=false \
           --set global.ingress.configureCertmanager=false \
           --set global.ingress.tls.enabled=true \
           --set gitlab.webservice.ingress.tls.secretName=gitlab-gitlab-tls \
           --set registry.ingress.tls.secretName=gitlab-registry-tls  \
           --set minio.ingress.tls.secretName=gitlab-minio-tls
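Option 4 failed for the post's clients because the certificate's name (ingress.local) did not cover the GitLab host, and Option 3 silently accepts any file pair handed to `kubectl create secret generic`. As an added example that is not part of the post or the GitLab charts, the POSIX shell functions below check a certificate/key pair before it is stored in the per-service secrets: key and certificate belong together, the certificate covers the host the ingress serves (SAN or CN, the way browsers and git clients check it), and it has not expired. It needs openssl, and kubectl for the last function; the function names and the check order are my own.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a certificate/key pair before
# creating the gitlab-gitlab-tls / gitlab-minio-tls / gitlab-registry-tls secrets.
# Function names are my own; requires openssl (and kubectl for create_tls_secret).

# Return 0 when $1 (PEM certificate) and $2 (PEM private key) match, $1 covers
# host $3 and $1 is still valid; otherwise print the reason and return 1.
check_tls_pair() {
  cert=$1; key=$2; host=$3
  [ -r "$cert" ] && [ -r "$key" ] || { echo "certificate or key not readable" >&2; return 1; }

  # 1. Pair consistency: the public key embedded in the certificate must equal
  #    the public key derived from the private key.
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) \
    || { echo "cannot parse certificate $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot parse key $key" >&2; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match" >&2; return 1; }

  # 2. Hostname coverage: -checkhost prints "does match" or "does NOT match";
  #    this is exactly what failed in Option 4 (subject CN=ingress.local).
  openssl x509 -noout -in "$cert" -checkhost "$host" | grep -q 'does match' \
    || { echo "certificate does not cover $host ($(openssl x509 -noout -subject -in "$cert"))" >&2; return 1; }

  # 3. Validity: -checkend 0 exits non-zero when the certificate has already expired.
  openssl x509 -noout -in "$cert" -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; return 1; }
  return 0
}

# Create (or update) one per-service secret only after the pair passes.
# $1 = secret name the chart expects (gitlab-gitlab-tls, gitlab-minio-tls,
# gitlab-registry-tls), $2 = certificate, $3 = key, $4 = host, $5 = namespace.
create_tls_secret() {
  check_tls_pair "$2" "$3" "$4" || return 1
  # "secret tls" yields the same tls.crt/tls.key keys as the post's
  # "secret generic --from-file=..." and additionally validates the PEM encoding;
  # rendering with --dry-run and applying makes the call idempotent.
  kubectl create secret tls "$1" --cert="$2" --key="$3" -n "$5" --dry-run=client -o yaml \
    | kubectl apply -f -
}

# Usage, with the hosts from the post's ingress listing:
#   create_tls_secret gitlab-gitlab-tls   gitlab.crt   gitlab.key   gitlab.14.52.244.138.sslip.io   gitlab
#   create_tls_secret gitlab-registry-tls registry.crt registry.key registry.14.52.244.138.sslip.io gitlab
#   create_tls_secret gitlab-minio-tls    minio.crt    minio.key    minio.14.52.244.138.sslip.io    gitlab
```

Running `check_tls_pair` against the certificate that Option 4 generated would fail at step 2 with `subject=CN = ingress.local`, which is the same condition PyCharm reported as "unable to get local issuer certificate" once the name mismatch and the unknown issuer combined. A certificate that passes all three checks still needs its issuing CA trusted by the git client and browser if it is not publicly issued.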


6. Create users and projects
a. Log in to GitLab
- http://14.52.244.138.sslip.io
   Username: root
   Password: 
       $ kubectl get secret gitlab-gitlab-initial-root-password -n gitlab -ojsonpath='{.data.password}' | base64 --decode ; echo
       VMrR4VjVrfzQcrs3iNDSRcHeKzF4fxzJzLhM9W5mgUKZlhhNZL4Gjw62QfrrD3K7
       $

b. Create users
https://docs.gitlab.com/ee/user/profile/account/create_accounts.html#create-users-in-admin-area
- Create user #1
   Add a user (Admin Area > Overview > Users > New user)

   Set the password
       Admin Area > Overview > Users > 2FA Disabled > Edit ("name of the user whose password to set") > Password

- Create user #2
   Select "Register now"

   Fill in the fields and select "Register"

- Approval
   Log in as Administrator (root)
   Admin Area > Overview > Users > 2FA Disabled > select "name of the user to approve" > Approve

c. Create groups
- Create a group (menu: + > New group)
   Group name: test-dev
   Visibility level: Private
- Change group members (menu: Groups > Your groups > test-dev > Members > Invite member)
   GitLab member or Email address: ysjeon71
   Choose a role permission: Developer
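The user, approval and group steps above are clicked through in the Admin Area. As an added example that is not part of the post, the POSIX shell functions below reach the same result through the GitLab REST API v4, so the setup can be repeated for every new team; they go beyond the single Developer case above by mapping all five role names to the access levels the API expects. `GITLAB_URL`, `GITLAB_TOKEN` (a personal access token of an administrator with the `api` scope), the function names and the sample name and e-mail are my own assumptions; the API paths and parameters are the documented ones.

```shell
#!/bin/sh
# Added example (not from the post): the Admin Area steps via the GitLab REST API v4.
# Assumes GITLAB_URL (e.g. https://gitlab.14.52.244.138.sslip.io) and GITLAB_TOKEN
# (admin personal access token, api scope) are exported. Function names are my own.

# Role names as shown in the UI -> access levels as the API encodes them.
gitlab_access_level() {
  case "$1" in
    Guest)      echo 10 ;;
    Reporter)   echo 20 ;;
    Developer)  echo 30 ;;
    Maintainer) echo 40 ;;
    Owner)      echo 50 ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# URL-encode a group path for /groups/:id (nested paths contain "/").
gitlab_encode_path() {
  echo "$1" | sed 's#/#%2F#g'
}

# Generic call: $1 = HTTP method, $2 = path under /api/v4, rest = extra curl args.
gitlab_api() {
  method=$1; path=$2; shift 2
  curl --fail --silent --show-error \
    --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
    --request "$method" "$@" "$GITLAB_URL/api/v4$path"
}

# First numeric "id" in a users list; the user object's own id comes first.
gitlab_user_id() {  # $1 = username
  gitlab_api GET "/users?username=$1" | grep -o '"id":[0-9]*' | head -n 1 | cut -d: -f2
}

# "Create user #1" (done by the administrator). force_random_password makes the
# user set a real password on first login instead of one travelling in a script.
create_user() {  # $1 = username, $2 = display name, $3 = e-mail
  gitlab_api POST /users \
    --data-urlencode "username=$1" --data-urlencode "name=$2" --data-urlencode "email=$3" \
    --data "force_random_password=true" --data "skip_confirmation=true"
}

# "Approval" of a user who registered via "Register now".
approve_user() {  # $1 = username
  id=$(gitlab_user_id "$1")
  [ -n "$id" ] || { echo "no such user: $1" >&2; return 1; }
  gitlab_api POST "/users/$id/approve"
}

# "Create a group" with Visibility level: Private.
create_private_group() {  # $1 = group name (also used as path)
  gitlab_api POST /groups --data-urlencode "name=$1" --data-urlencode "path=$1" --data "visibility=private"
}

# "Invite member" with a role permission.
add_group_member() {  # $1 = group path, $2 = username, $3 = role name
  level=$(gitlab_access_level "$3") || return 1
  uid=$(gitlab_user_id "$2")
  [ -n "$uid" ] || { echo "no such user: $2" >&2; return 1; }
  gitlab_api POST "/groups/$(gitlab_encode_path "$1")/members" \
    --data "user_id=$uid" --data "access_level=$level"
}

# Usage, reproducing the post's group (display name and e-mail are placeholders):
#   create_user ysjeon71 "Test Developer" ysjeon71@example.com
#   create_private_group test-dev
#   add_group_member test-dev ysjeon71 Developer
```

The token only ever travels in the `PRIVATE-TOKEN` header over the https ingress configured in section 5, which is one more reason the self-signed Option 4 is a poor fit for anything automated: `curl --fail` would reject the unknown issuer just as PyCharm did.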
