From 87a5a4fdb0d83a3ef1c3dafb6e9a26fa7731165f Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Wed, 13 May 2020 18:11:39 -0400
Subject: [PATCH 1/4] Automate self-signed certificate chain creation for GitLab Runner
---
 .../templates/_self-signed-cert-job.yml | 10 ++++++++++
 doc/development/kind/index.md | 15 ---------------
 examples/kind/values-port-forward.yaml | 4 +++-
 examples/kind/values-ssl.yaml | 4 +++-
 4 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/charts/shared-secrets/templates/_self-signed-cert-job.yml b/charts/shared-secrets/templates/_self-signed-cert-job.yml
index 5815668d91..8a5a5ff7e3 100644
--- a/charts/shared-secrets/templates/_self-signed-cert-job.yml
+++ b/charts/shared-secrets/templates/_self-signed-cert-job.yml
@@ -75,6 +75,16 @@ spec:
 {{- end }}
 kubectl --namespace=$namespace label --overwrite \
 secret ${certname}-ca {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}
+ # create certificate chain for GitLab Runner
+ cat /output/ca.pem /output/wildcard.pem > /tmp/{{ template "gitlab.gitlab.hostname" $ }}.crt
+ kubectl create secret generic ${certname}-chain \
+ --from-file=/tmp/{{ template "gitlab.gitlab.hostname" $ }}.crt || true
+{{- if not .Values.global.application.create }}
+ kubectl --namespace=$namespace label \
+ secret ${certname}-chain $(echo '{{ include "gitlab.application.labels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}' | sed -E 's/=[^ ]*/-/g')
+{{- end }}
+ kubectl --namespace=$namespace label --overwrite \
+ secret ${certname}-chain {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}
 volumeMounts:
 - name: certs-path
 mountPath: /output
diff --git a/doc/development/kind/index.md b/doc/development/kind/index.md
index 7d74e4ef42..383f879285 100644
--- a/doc/development/kind/index.md
+++ b/doc/development/kind/index.md
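Review bot: The new `kubectl create secret generic ${certname}-chain` call omits `--namespace=$namespace`, while every other kubectl call in this step, including the two label commands added right after it, passes it; if the job's kubeconfig context differs from `$namespace` the chain secret is created in the wrong namespace and the following label commands fail on a missing secret. Suggest `kubectl --namespace=$namespace create secret generic ${certname}-chain \`. The trailing `|| true` is presumably meant to tolerate an already-existing secret on re-runs, but it also hides RBAC or other create failures; depending on the kubectl version in the image, `--dry-run=client -o yaml | kubectl --namespace=$namespace apply -f -` would make the step idempotent without swallowing errors. Whether `/output/wildcard.pem` holds only the certificate (and not the key) is not visible here and is worth confirming before it is bundled into a secret that the Runner mounts. The script this hunk sits in starts and ends outside the hunk.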
@@ -92,21 +92,6 @@ kubectl get secret gitlab-wildcard-tls-ca -ojsonpath='{.data.cfssl_ca}' | base64
 Now that the root CA is downloaded, you can add it to your local chain (instructions vary per platform and are readily available online).
-#### (Optional) Connect GitLab Runner
-
-By default, the GitLab Runner pod will not work with the self-signed certificates. To address this:
-
-```shell
-# Download self-signed certificate
-kubectl get secret gitlab-wildcard-tls -ojsonpath='{.data.tls\.crt}' | base64 --decode > gitlab.(your host IP).nip.io.crt
-# Create certificate chain
-cat gitlab.(your host IP).nip.io.ca.pem gitlab.(your host IP).nip.io.crt > chain.crt
-# Create secret from self-signed certificate
-kubectl create secret generic self-signed-crt --from-file=gitlab.(your host IP).nip.io.crt=chain.crt
-```
-
-When the pod starts, you can check the logs to confirm that it has successfully registered.
-
 NOTE: **Note:**
 If you would prefer not to run GitLab Runner at all, you can disable it in the relevant values file: `gitlab-runner.install=false`.
diff --git a/examples/kind/values-port-forward.yaml b/examples/kind/values-port-forward.yaml
index 7dd757dc17..8e40a25860 100644
--- a/examples/kind/values-port-forward.yaml
+++ b/examples/kind/values-port-forward.yaml
@@ -20,7 +20,9 @@ gitlab-runner:
 # Specify self-signed certificate chain so Runner will connect
 # https://docs.gitlab.com/runner/install/kubernetes.html#providing-a-custom-certificate-for-accessing-gitlab
 # https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
- certsSecretName: self-signed-crt
+ # "gitlab-wildcard-tls-chain" assumes your release name is "gitlab". If it is set to something else,
+ # replace "gitlab" below with your own release name.
+ certsSecretName: gitlab-wildcard-tls-chain
 # Allow privileged runners for Docker-in-Docker pipelines
 runners:
 privileged: true
diff --git a/examples/kind/values-ssl.yaml b/examples/kind/values-ssl.yaml
index 708a2bbffa..6f6716c4ae 100644
--- a/examples/kind/values-ssl.yaml
+++ b/examples/kind/values-ssl.yaml
@@ -28,7 +28,9 @@ gitlab-runner:
 # Specify self-signed certificate chain so Runner will connect
 # https://docs.gitlab.com/runner/install/kubernetes.html#providing-a-custom-certificate-for-accessing-gitlab
 # https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
- certsSecretName: self-signed-crt
+ # "gitlab-wildcard-tls-chain" assumes your release name is "gitlab". If it is set to something else,
+ # replace "gitlab" below with your own release name.
+ certsSecretName: gitlab-wildcard-tls-chain
 # Allow privileged runners for Docker-in-Docker pipelines
 runners:
 privileged: true
--
GitLab
From 9e5498a5614698f89f1bef2f06071213c0bbb42a Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Thu, 21 May 2020 17:29:22 -0400
Subject: [PATCH 2/4] Configure NodePort for gitlab-shell
---
 charts/nginx/index.md | 1 +
 charts/nginx/templates/controller-service.yaml | 3 +++
 charts/nginx/values.yaml | 2 ++
 doc/development/kind/index.md | 6 ++++++
 examples/kind/kind-ssl.yaml | 5 +++++
 examples/kind/values-ssl.yaml | 3 +++
 6 files changed, 20 insertions(+)
diff --git a/charts/nginx/index.md b/charts/nginx/index.md
index b9bc791e95..16cc61f314 100644
--- a/charts/nginx/index.md
+++ b/charts/nginx/index.md
@@ -120,6 +120,7 @@ Parameter | Description | Default
 `controller.service.type` | type of controller service to create | `LoadBalancer`
 `controller.service.nodePorts.http` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 80 | `""`
 `controller.service.nodePorts.https` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 443 | `""`
+`controller.service.nodePorts.ssh` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 22 | `""`
 `controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10
 `controller.livenessProbe.periodSeconds` | How often to perform the probe | 10
 `controller.livenessProbe.timeoutSeconds` | When the probe times out | 5
diff --git a/charts/nginx/templates/controller-service.yaml b/charts/nginx/templates/controller-service.yaml
index a2afc31a3d..9015090314 100644
--- a/charts/nginx/templates/controller-service.yaml
+++ b/charts/nginx/templates/controller-service.yaml
@@ -60,6 +60,9 @@ spec:
 port: {{ include "gitlab.shell.port" $ | int }}
 protocol: TCP
 targetPort: gitlab-shell
+ {{- if (and (eq .Values.controller.service.type "NodePort") (not (empty .Values.controller.service.nodePorts.ssh))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.ssh }}
+ {{- end }}
 {{- range $key, $value := .Values.tcp }}
 - name: "{{ $key }}-tcp"
 port: {{ $key }}
diff --git a/charts/nginx/values.yaml b/charts/nginx/values.yaml
index 7077323f6d..b923f700b9 100755
--- a/charts/nginx/values.yaml
+++ b/charts/nginx/values.yaml
@@ -195,9 +195,11 @@ controller:
 # nodePorts:
 # http: 32080
 # https: 32443
+ # ssh: 32022
 nodePorts:
 http: ""
 https: ""
+ ssh: ""
 extraContainers: []
 ## Additional containers to be added to the controller pod.
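Review bot: In the controller-service.yaml hunk the new `nodePort:` line renders the value as-is, while the `port:` line three lines above it pipes through `| int`; a values file that quotes the port (`"32022"`) would render a string that the API server rejects. Use `nodePort: {{ .Values.controller.service.nodePorts.ssh | int }}` so the two lines behave the same. The guard condition presumably mirrors the http/https blocks elsewhere in the template, which are outside the hunk.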
diff --git a/doc/development/kind/index.md b/doc/development/kind/index.md
index 383f879285..bae7629810 100644
--- a/doc/development/kind/index.md
+++ b/doc/development/kind/index.md
@@ -95,6 +95,9 @@ Now that the root CA is downloaded, you can add it to your local chain (instruct
 NOTE: **Note:**
 If you would prefer not to run GitLab Runner at all, you can disable it in the relevant values file: `gitlab-runner.install=false`.
+NOTE: **Note:**
+In this configuration, `kind` also exposes GitLab-Shell in the cluster to port 22 locally so you can interact with repositories via SSH.
+
 NOTE: **Note:**
 If you need to log into the registry with `docker login`, you will need to take additional steps to configure the registry to work with your self-signed certificates. More instructions can be found [here](https://docs.docker.com/registry/deploying/#run-an-externally-accessible-registry) and [here](https://blog.container-solutions.com/adding-self-signed-registry-certs-docker-mac).
@@ -111,6 +114,9 @@ helm upgrade --install gitlab gitlab/gitlab -f examples/kind/values-no-ssl.yaml
 Access GitLab at `http://gitlab.(your host IP).nip.io`.
+NOTE: **Note:**
+In this configuration, `kind` also exposes GitLab-Shell in the cluster to port 22 locally so you can interact with repositories via SSH.
+
 NOTE: **Note:**
 If you need to log into the registry with `docker login`, you will need to tell Docker to [trust your insecure registry](https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry).
diff --git a/examples/kind/kind-ssl.yaml b/examples/kind/kind-ssl.yaml
index c06853ea51..0732eda5bb 100644
--- a/examples/kind/kind-ssl.yaml
+++ b/examples/kind/kind-ssl.yaml
@@ -8,3 +8,8 @@ nodes:
 - containerPort: 32443
 hostPort: 443
 listenAddress: "0.0.0.0"
+ # containerPort below must match the values file:
+ # nginx-ingress.controller.service.nodePorts.ssh
+ - containerPort: 32022
+ hostPort: 22
+ listenAddress: "0.0.0.0"
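Review bot: In the kind-ssl.yaml hunk the added mapping binds `hostPort: 22` on `listenAddress: "0.0.0.0"`, so the cluster's gitlab-shell is reachable on every interface of the developer host, and the cluster fails to come up if a local SSH server already owns port 22; the 443 mapping above has the same exposure, but port 22 is far more likely to be occupied on a workstation. The doc note added in this patch says only that port 22 is exposed locally, so suggest the comment `# hostPort 22 fails to bind if the host already runs an SSH server` above the new entry, or an equivalent sentence in the doc/development/kind/index.md note.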
diff --git a/examples/kind/values-ssl.yaml b/examples/kind/values-ssl.yaml
index 6f6716c4ae..22ea54192a 100644
--- a/examples/kind/values-ssl.yaml
+++ b/examples/kind/values-ssl.yaml
@@ -23,6 +23,9 @@ nginx-ingress:
 # https port value blow must match the KinD config file:
 # nodes[0].extraPortMappings[0].containerPort
 https: 32443
+ # ssh port value blow must match the KinD config file:
+ # nodes[0].extraPortMappings[1].containerPort
+ ssh: 32022
 gitlab-runner:
 # Specify self-signed certificate chain so Runner will connect
--
GitLab
From 1095c5c909e5d54a6cb208c2092beea08086ab79 Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Thu, 21 May 2020 17:31:51 -0400
Subject: [PATCH 3/4] Revert "Automate self-signed certificate chain creation for GitLab Runner"
This reverts commit 87a5a4fdb0d83a3ef1c3dafb6e9a26fa7731165f.
---
 .../templates/_self-signed-cert-job.yml | 10 ----------
 doc/development/kind/index.md | 15 +++++++++++++++
 examples/kind/values-port-forward.yaml | 4 +---
 examples/kind/values-ssl.yaml | 4 +---
 4 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/charts/shared-secrets/templates/_self-signed-cert-job.yml b/charts/shared-secrets/templates/_self-signed-cert-job.yml
index 8a5a5ff7e3..5815668d91 100644
--- a/charts/shared-secrets/templates/_self-signed-cert-job.yml
+++ b/charts/shared-secrets/templates/_self-signed-cert-job.yml
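Review bot: The new comment in the values-ssl.yaml hunk carries the typo `blow`, copied from the https comment two lines above it; write `# ssh port value below must match the KinD config file:`. The new `ssh: 32022` entry only takes effect when `nginx-ingress.controller.service.type` is `NodePort` (see the guard added to controller-service.yaml in this patch); that key is set outside the hunk and worth confirming in this values file.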
@@ -75,16 +75,6 @@ spec:
 {{- end }}
 kubectl --namespace=$namespace label --overwrite \
 secret ${certname}-ca {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}
- # create certificate chain for GitLab Runner
- cat /output/ca.pem /output/wildcard.pem > /tmp/{{ template "gitlab.gitlab.hostname" $ }}.crt
- kubectl create secret generic ${certname}-chain \
- --from-file=/tmp/{{ template "gitlab.gitlab.hostname" $ }}.crt || true
-{{- if not .Values.global.application.create }}
- kubectl --namespace=$namespace label \
- secret ${certname}-chain $(echo '{{ include "gitlab.application.labels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}' | sed -E 's/=[^ ]*/-/g')
-{{- end }}
- kubectl --namespace=$namespace label --overwrite \
- secret ${certname}-chain {{ include "gitlab.standardLabels" . | replace ": " "=" | replace "\r\n" " " | replace "\n" " " }}
 volumeMounts:
 - name: certs-path
 mountPath: /output
diff --git a/doc/development/kind/index.md b/doc/development/kind/index.md
index bae7629810..845f3db04e 100644
--- a/doc/development/kind/index.md
+++ b/doc/development/kind/index.md
@@ -92,6 +92,21 @@ kubectl get secret gitlab-wildcard-tls-ca -ojsonpath='{.data.cfssl_ca}' | base64
 Now that the root CA is downloaded, you can add it to your local chain (instructions vary per platform and are readily available online).
+#### (Optional) Connect GitLab Runner
+
+By default, the GitLab Runner pod will not work with the self-signed certificates. To address this:
+
+```shell
+# Download self-signed certificate
+kubectl get secret gitlab-wildcard-tls -ojsonpath='{.data.tls\.crt}' | base64 --decode > gitlab.(your host IP).nip.io.crt
+# Create certificate chain
+cat gitlab.(your host IP).nip.io.ca.pem gitlab.(your host IP).nip.io.crt > chain.crt
+# Create secret from self-signed certificate
+kubectl create secret generic self-signed-crt --from-file=gitlab.(your host IP).nip.io.crt=chain.crt
+```
+
+When the pod starts, you can check the logs to confirm that it has successfully registered.
+
 NOTE: **Note:**
 If you would prefer not to run GitLab Runner at all, you can disable it in the relevant values file: `gitlab-runner.install=false`.
diff --git a/examples/kind/values-port-forward.yaml b/examples/kind/values-port-forward.yaml
index 8e40a25860..7dd757dc17 100644
--- a/examples/kind/values-port-forward.yaml
+++ b/examples/kind/values-port-forward.yaml
@@ -20,9 +20,7 @@ gitlab-runner:
 # Specify self-signed certificate chain so Runner will connect
 # https://docs.gitlab.com/runner/install/kubernetes.html#providing-a-custom-certificate-for-accessing-gitlab
 # https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
- # "gitlab-wildcard-tls-chain" assumes your release name is "gitlab". If it is set to something else,
- # replace "gitlab" below with your own release name.
- certsSecretName: gitlab-wildcard-tls-chain
+ certsSecretName: self-signed-crt
 # Allow privileged runners for Docker-in-Docker pipelines
 runners:
 privileged: true
diff --git a/examples/kind/values-ssl.yaml b/examples/kind/values-ssl.yaml
index 22ea54192a..a950811c57 100644
--- a/examples/kind/values-ssl.yaml
+++ b/examples/kind/values-ssl.yaml
@@ -31,9 +31,7 @@ gitlab-runner:
 # Specify self-signed certificate chain so Runner will connect
 # https://docs.gitlab.com/runner/install/kubernetes.html#providing-a-custom-certificate-for-accessing-gitlab
 # https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
- # "gitlab-wildcard-tls-chain" assumes your release name is "gitlab". If it is set to something else,
- # replace "gitlab" below with your own release name.
- certsSecretName: gitlab-wildcard-tls-chain
+ certsSecretName: self-signed-crt
 # Allow privileged runners for Docker-in-Docker pipelines
 runners:
 privileged: true
--
GitLab
From ee3de75834148d07606898f67f7e86eb112a9493 Mon Sep 17 00:00:00 2001
From: Mitchell Nielsen
Date: Thu, 21 May 2020 18:32:51 -0400
Subject: [PATCH 4/4] Use gitlab-shell nodeport rather than exposing one from NGINX
---
 charts/nginx/index.md | 1 -
 charts/nginx/templates/controller-service.yaml | 3 ---
 charts/nginx/values.yaml | 2 --
 examples/kind/values-no-ssl.yaml | 14 ++++++++++----
 examples/kind/values-ssl.yaml | 14 ++++++++++----
 5 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/charts/nginx/index.md b/charts/nginx/index.md
index 16cc61f314..b9bc791e95 100644
--- a/charts/nginx/index.md
+++ b/charts/nginx/index.md
@@ -120,7 +120,6 @@ Parameter | Description | Default
 `controller.service.type` | type of controller service to create | `LoadBalancer`
 `controller.service.nodePorts.http` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 80 | `""`
 `controller.service.nodePorts.https` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 443 | `""`
-`controller.service.nodePorts.ssh` | If `controller.service.type` is `NodePort` and this is non-empty, it sets the nodePort that maps to the Ingress' port 22 | `""`
 `controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10
 `controller.livenessProbe.periodSeconds` | How often to perform the probe | 10
 `controller.livenessProbe.timeoutSeconds` | When the probe times out | 5
diff --git a/charts/nginx/templates/controller-service.yaml b/charts/nginx/templates/controller-service.yaml
index 9015090314..a2afc31a3d 100644
--- a/charts/nginx/templates/controller-service.yaml
+++ b/charts/nginx/templates/controller-service.yaml
@@ -60,9 +60,6 @@ spec:
 port: {{ include "gitlab.shell.port" $ | int }}
 protocol: TCP
 targetPort: gitlab-shell
- {{- if (and (eq .Values.controller.service.type "NodePort") (not (empty .Values.controller.service.nodePorts.ssh))) }}
- nodePort: {{ .Values.controller.service.nodePorts.ssh }}
- {{- end }}
 {{- range $key, $value := .Values.tcp }}
 - name: "{{ $key }}-tcp"
 port: {{ $key }}
diff --git a/charts/nginx/values.yaml b/charts/nginx/values.yaml
index b923f700b9..7077323f6d 100755
--- a/charts/nginx/values.yaml
+++ b/charts/nginx/values.yaml
@@ -195,11 +195,9 @@ controller:
 # nodePorts:
 # http: 32080
 # https: 32443
- # ssh: 32022
 nodePorts:
 http: ""
 https: ""
- ssh: ""
 extraContainers: []
 ## Additional containers to be added to the controller pod.
diff --git a/examples/kind/values-no-ssl.yaml b/examples/kind/values-no-ssl.yaml
index ad8ff8d3cd..031569523c 100644
--- a/examples/kind/values-no-ssl.yaml
+++ b/examples/kind/values-no-ssl.yaml
@@ -11,7 +11,16 @@ global:
 certmanager:
 install: false
-# Specify known ports and reduce replicas to 1
+# Specify NodePort for GitLab Shell
+gitlab:
+ gitlab-shell:
+ service:
+ type: NodePort
+ # nodePort value below should match the KinD config file:
+ # nodes[0].extraPortMappings[1].containerPort
+ nodePort: 32022
+
+# Specify NodePort for NGINX and reduce replicas to 1
 nginx-ingress:
 defaultBackend:
 replicaCount: 1
@@ -24,9 +33,6 @@ nginx-ingress:
 # http port value blow must match the KinD config file:
 # nodes[0].extraPortMappings[0].containerPort
 http: 32080
- # ssh port value blow must match the KinD config file:
- # nodes[0].extraPortMappings[1].containerPort
- ssh: 32022
 # Allow privileged runners for Docker-in-Docker pipelines
 gitlab-runner:
diff --git a/examples/kind/values-ssl.yaml b/examples/kind/values-ssl.yaml
index a950811c57..e6457300c9 100644
--- a/examples/kind/values-ssl.yaml
+++ b/examples/kind/values-ssl.yaml
@@ -10,7 +10,16 @@ global:
 certmanager:
 install: false
-# Specify known ports and reduce replicas to 1
+# Specify NodePort for GitLab-Shell
+gitlab:
+ gitlab-shell:
+ service:
+ type: NodePort
+ # nodePort value below should match the KinD config file:
+ # nodes[0].extraPortMappings[1].containerPort
+ nodePort: 32022
+
+# Specify NodePort for NGINX and reduce replicas to 1
 nginx-ingress:
 defaultBackend:
 replicaCount: 1
@@ -23,9 +32,6 @@ nginx-ingress:
 # https port value blow must match the KinD config file:
 # nodes[0].extraPortMappings[0].containerPort
 https: 32443
- # ssh port value blow must match the KinD config file:
- # nodes[0].extraPortMappings[1].containerPort
- ssh: 32022
 gitlab-runner:
 # Specify self-signed certificate chain so Runner will connect
--
GitLab
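Review bot: The new comment `# nodePort value below should match the KinD config file: # nodes[0].extraPortMappings[1].containerPort` in the values-no-ssl.yaml hunk points at a KinD config whose own comment (added to examples/kind/kind-ssl.yaml in PATCH 2/4) still says the port must match `nginx-ingress.controller.service.nodePorts.ssh`, a key this patch removes from the chart; kind-ssl.yaml is not in this patch's diffstat, so that comment should be updated to `# gitlab.gitlab-shell.service.nodePort`. The same applies to the values-ssl.yaml hunk at `@@ -10,7 +10,16 @@`. The two new header comments also differ in spelling (`GitLab Shell` here, `GitLab-Shell` in values-ssl.yaml); pick one. Whether a separate KinD config exists for the no-ssl example is not visible here, but if it does it would need the matching `containerPort: 32022` mapping for this comment to hold.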