Provide script(s) for end-to-end setup and deployment of the Operator on various platforms

Summary

For completeness, let's look into documenting and/or scripting the full deployment of the GitLab Operator on various platforms like GCP and even KinD. Our installation docs give an overview of installing the prerequisites, but it can be helpful for:

  • Developers to have a concrete script to run to generate a testing environment
  • End users to see what a full end-to-end setup looks like

We have docs on deploying our Helm Chart to kind, and they reference a couple of values files that configure kind and GitLab to work nicely together.

Most of these steps still apply to the Operator, but there are slight differences we should document.

I went through the process of deploying on KinD while testing !207 (merged), and added my findings below.

High-level notes

  • You must generate self-signed certificates. You cannot rely on the selfsign shared-secrets job due to #103 (closed).
  • You have to deploy the Runner separately. The Runner is "baked into" our Helm chart, but not the Operator.

Details

Below are the steps I took to get the Operator running on KinD:

$ # First, I needed to ensure I had the newest version of `kind` to work around an error I was running into:
$ # (on Go 1.17+ the equivalent is `go install sigs.k8s.io/kind@v0.11.1`)
$ GO111MODULE="on" go get sigs.k8s.io/kind@v0.11.1

$ # Next, we create a kind cluster:
$ ~/go/bin/kind create cluster --config=/path/to/gitlab-chart/examples/kind/kind-ssl.yaml --image=kindest/node:v1.18.19

$ # Install certmanager per our docs:
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml

$ # Now we'll generate certificates for GitLab. Quote the wildcard so the shell does not glob it, and add a
$ # subjectAltName (OpenSSL 1.1.1+): browsers ignore the CN, so a CN-only cert is rejected even though `curl -k` accepts it.
$ KEY_FILE=gitlab.key CERT_FILE=gitlab.crt HOST='*.(your IP).nip.io'
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}" -addext "subjectAltName=DNS:${HOST}"
Generating a 2048 bit RSA private key
.....................+++
.....+++
writing new private key to 'gitlab.key'
-----
$ # The Secrets live in gitlab-system; make sure the namespace exists before creating them
$ kubectl get namespace gitlab-system >/dev/null 2>&1 || kubectl create namespace gitlab-system
$ kubectl create secret -n gitlab-system tls custom-gitlab-tls --key=gitlab.key --cert=gitlab.crt
secret/custom-gitlab-tls created

$ # Next we generate certificates for Pages (same quoting and SAN as above; this wildcard must cover `*.pages.<domain>`)
$ KEY_FILE=pages.key CERT_FILE=pages.crt HOST='*.pages.(your IP).nip.io'
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}" -addext "subjectAltName=DNS:${HOST}"
Generating a 2048 bit RSA private key
................................................................................................................+++
...............................................+++
writing new private key to 'pages.key'
-----
$ kubectl create secret -n gitlab-system tls custom-pages-tls --key=pages.key --cert=pages.crt
secret/custom-pages-tls created

$ # Now we build the Operator manifest and apply it
$ make build_operator
$ kubectl apply -f .build/operator.yaml

$ # Next, we'll create a GitLab CR and apply it
$ cat mygitlab.yaml
apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
spec:
  chart:
    version: "5.1.1"
    values:
      certmanager:
        install: false
      global:
        hosts:
          domain: (your IP).nip.io
        pages:
          enabled: true
        ingress:
          configureCertmanager: false
          tls:
            secretName:  custom-gitlab-tls
        shell:
          port: 32022
      gitlab:
        gitlab-pages:
          ingress:
            tls:
              # You need to bring your own wildcard SSL certificate which covers
              # `*.<pages root domain>`. Create a k8s TLS secret with the name
              # `custom-pages-tls` with it.
              secretName: custom-pages-tls
        gitlab-shell:
          minReplicas: 1
          maxReplicas: 1
        # gitlab-exporter:
        #   enabled: false # we can't disable this because the Controller currently expects it to exist
        webservice:
          minReplicas: 1
          maxReplicas: 1
      nginx-ingress:
        controller:
          service:
            nodePorts:
              # https port value below must match the KinD config file:
              #   nodes[0].extraPortMappings[0].containerPort
              https: 32443
          replicaCount: 1
          minAvailable: 1
        defaultBackend:
          replicaCount: 1
      registry:
        hpa:
          minReplicas: 1
          maxReplicas: 1
$ kubectl apply -f mygitlab.yaml -n gitlab-system

$ # That's it - navigate to `https://gitlab.(your IP).nip.io` and log in as root. The initial root password is in the
$ # `gitlab-gitlab-initial-root-password` Secret in `gitlab-system` (`<CR name>-gitlab-initial-root-password`).

$ # If a Runner is required, create a Secret with the self-signed certificate and then deploy the Runner chart (or the Runner Operator).
$ # The Runner chart expects the file in that Secret to be named `<GitLab host>.crt`, so the key must end in `.crt`:
$ kubectl -n gitlab-system create secret generic custom-runner-tls --from-file=gitlab.(your IP).nip.io.crt=gitlab.crt
$ cat runner.values.yaml
gitlabUrl: https://gitlab.(your IP).nip.io/
# Alternatively, reference a pre-created Secret via `runners.secret` so the token is not kept in this file
runnerRegistrationToken: (token from instance)
# Trust the self-signed certificate rather than disabling TLS verification on the Runner
certsSecretName: custom-runner-tls
rbac:
  create: true
$ helm upgrade --install -n gitlab-system gitlab-runner gitlab/gitlab-runner -f runner.values.yaml
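Since the ask here is for an end-to-end script, below is an added example (not tooling from the Operator or the chart) that wraps the certificate steps for GitLab and Pages and the Runner CA Secret step into reusable functions, with the checks that catch the two usual mistakes: a certificate without a SAN, and a Runner Secret whose key does not end in `.crt`. It renders the Secrets as manifests instead of calling `kubectl`, so it can be run and checked without a cluster. It assumes bash and OpenSSL 1.1.1+ (for `-addext`); the IP `192.0.2.10` is a documentation address standing in for "(your IP)", and the Secret and namespace names are the ones used in the steps above.

```shell
#!/usr/bin/env bash
# Added example, not part of the GitLab Operator or chart. Assumes bash and
# OpenSSL 1.1.1+; 192.0.2.10 is a placeholder for "(your IP)".
set -eu

# gen_selfsigned_cert HOST KEY_FILE CERT_FILE [DAYS]
# Same as the `openssl req -x509` step above, plus subjectAltName=DNS:HOST.
# Browsers ignore the CN and require a SAN, so a CN-only wildcard cert is
# rejected in the browser even though `curl -k` accepts it.
gen_selfsigned_cert() {
  local host="$1" key="$2" cert="$3" days="${4:-365}"
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -keyout "$key" -out "$cert" \
    -subj "/CN=${host}/O=${host}" \
    -addext "subjectAltName=DNS:${host}" 2>/dev/null
  chmod 600 "$key"   # the key is the secret; keep it owner-only on disk too
}

# cert_has_san CERT_FILE: succeeds if the cert carries a DNS SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'DNS:'
}

# cert_matches_host CERT_FILE NAME: succeeds if the cert is valid for NAME,
# using OpenSSL's own matcher (wildcards honoured, single label only).
# `-checkhost` always exits 0, so the verdict is read from its output.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# tls_secret_manifest NAME NAMESPACE KEY_FILE CERT_FILE
# Emits the object `kubectl create secret tls` would create.
tls_secret_manifest() {
  local name="$1" ns="$2" key="$3" cert="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$cert" | tr -d '\n')
  tls.key: $(base64 < "$key" | tr -d '\n')
EOF
}

# runner_ca_secret_manifest NAME NAMESPACE GITLAB_HOST CERT_FILE
# The Runner chart looks for a file named <GitLab host>.crt inside
# certsSecretName, so the data key must carry the ".crt" suffix.
runner_ca_secret_manifest() {
  local name="$1" ns="$2" host="$3" cert="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  ${host}.crt: $(base64 < "$cert" | tr -d '\n')
EOF
}

# dev_certs_for IP OUT_DIR: the whole sequence for a KinD cluster reachable at
# IP, writing keys, certs and Secret manifests to OUT_DIR. Fails fast if a
# cert would not cover a host GitLab actually serves on.
dev_certs_for() {
  local ip="$1" out="$2"
  mkdir -p "$out"
  gen_selfsigned_cert "*.${ip}.nip.io"       "$out/gitlab.key" "$out/gitlab.crt"
  gen_selfsigned_cert "*.pages.${ip}.nip.io" "$out/pages.key"  "$out/pages.crt"
  cert_has_san "$out/gitlab.crt" && cert_has_san "$out/pages.crt"
  cert_matches_host "$out/gitlab.crt" "gitlab.${ip}.nip.io"
  cert_matches_host "$out/gitlab.crt" "registry.${ip}.nip.io"
  cert_matches_host "$out/pages.crt"  "mygroup.pages.${ip}.nip.io"
  tls_secret_manifest custom-gitlab-tls gitlab-system "$out/gitlab.key" "$out/gitlab.crt" > "$out/custom-gitlab-tls.yaml"
  tls_secret_manifest custom-pages-tls  gitlab-system "$out/pages.key"  "$out/pages.crt"  > "$out/custom-pages-tls.yaml"
  runner_ca_secret_manifest custom-runner-tls gitlab-system "gitlab.${ip}.nip.io" "$out/gitlab.crt" > "$out/custom-runner-tls.yaml"
}

# Usage: ./dev-certs.sh 192.0.2.10 ./out    (then: kubectl apply -f ./out)
if [ "$#" -eq 2 ]; then
  dev_certs_for "$1" "$2"
fi
```

The generated manifests contain private keys, so treat the output directory like any other secret material (and keep it out of the repo); the point of rendering them as files is that the whole dev-cluster bootstrap can be reviewed and applied with one `kubectl apply -f`.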
Edited Sep 30, 2021 by Mitchell Nielsen