How to setup Gitlab on kubernetes
In this article, I will describe all the steps required to setup GitLab CI/CD in kuberntes using kustomize.
We will go through how to run GitLab on Kubernetes when you have related resources postgres
, redis
, minio
, tls certificates
etc already available in your setup.
This is a very common scenario in companies and also for self-hosting that you are already using these services in your environment and prefer to use the same for gitlab.
The all in one production installation may be easily performed with Helm. You can refer to official documentation from gitlab if that is your requirement.
Requirements
You will need the following in order to run gitlab.
- Database : Postgres database is required for gitlab.
- Cache : Redis is used for caching.
- Storage : Minio is used as object storage for
container registry
,gitlab backups
,terraform storage backend
,gitlab artifacts
etc. - Ingress Controller : Nginx ingress is part of installation.
- Persistent Volume : Gitaly will store
repository data
data on disk, for that your kubernetes cluster must have a way of provisioning storage. You can install local path provisioner in your cluster for dynamically provisioning volumes.
- Repositories
Info: You can swap minio with any other object storage i.e S3 by changing connection info secret
Lets get Started
When installing gitlab with helm it generates the configmaps after rendering the templates with parameters, we can manually change these values in configmaps but its a hassle and not convenient.
To make this process easy we will use a tool called subvars which will let us render these values from command line. Install it by following the instructions on github page, we will use it later.
- Download the release with manifests from github alternatively you can clone the repo, if you are cloning the repo remove the
.git
folder afterwards as it creates issues some times when rendering multiple version of the same file with subvars.
1export RELEASE_VER=1.0
2wget -q https://github.com/kha7iq/gitlab-k8s/archive/refs/tags/v${RELEASE_VER}.tar.gz
3tar -xf v${RELEASE_VER}.tar.gz
4cd gitlab-k8s-${RELEASE_VER}
- Lets start by setting the url for gitlab in our kustomization file within ingress-nginx folder. You will find two blocks, one for web-ui and second for registry along with tls-secret-name for https.
1patch: |-
2 - op: replace
3 path: /spec/rules/0/host
4 value: your-gitlab-url.example.com
5 - op: replace
6 path: /spec/tls/0/hosts/0
7 value: your-gitlab-url.example.com
8 - op: replace
9 path: /spec/tls/0/secretName
10 value: example-com-wildcard-secret
- We can create
minio-conn-secret
containing configuration for minio. It will be used for all the enabled S3 buckets except gitlab backups, we will create that separately. Input the information as per your setup and create the kubernetes secret.
- minio.config
1cat << EOF > minio.config
2provider: AWS
3region: us-east-1
4aws_access_key_id: 4wsd6c468c0974006d
5aws_secret_access_key: 5d5e6c468c0974006cdb41bc4ac2ba0d
6aws_signature_version: 4
7host: minio.example.com
8endpoint: "https://minio.example.com"
9path_style: true
10EOF
- Kubernetes secret
1kubectl create secret generic minio-conn-secret \
2--from-file=connection=minio.config --dry-run=client -o yaml >minio-connection-secret.yml
- Next step is to create a secret with mino configuration for gitlab backup storage. Just replace minio endpoint, bucket name, access key & secret key.
1cat << EOF > storage.config
2[default]
3access_key = be59435b326e8b0eaa
4secret_key = 6e0a10bd2253910e1657a21fd1690088
5bucket_location = us-east-1
6host_base = https://minio.example.com
7host_bucket = https://minio.example.com/gitlab-backups
8use_https = True
9default_mime_type = binary/octet-stream
10enable_multipart = True
11multipart_max_chunks = 10000
12multipart_chunk_size_mb = 128
13recursive = True
14recv_chunk = 65536
15send_chunk = 65536
16server_side_encryption = False
17signature_v2 = True
18socket_timeout = 300
19use_mime_magic = False
20verbosity = WARNING
21website_endpoint = https://minio.example.com
22EOF
1kubectl create secret generic storage-config --from-file=config=storage.config \
2--dry-run=client -o yaml > secrets/storage-config.yml
All other secrets can be used as is from repository or you can change all of them following gitlab documentation
-
One of the most important secret is
gitlab-rails-secret
, in case of a disaster where you have to restore gitlab from a backup you must apply the same secret in your cluster as these keys will be used to decrypt the database etc from backup. Make sure you keep this consistent after first install. -
We reached the last part, Its alot of work to change database and other parameters one by one in configmaps. I have implemented some templating for this which can provide all the values vi environment variables and render the manifests with subvars, it will output these to destination folder and replace all the parameters defined as go templates. The values are self explanatory,
GITLAB_GITALY_STORAGE_SIZE
variable is used to specify how much storage is needed for gitaly andGITLAB_STORAGE_CLASS
is the name of storage class.
1GITLAB_URL=gitlab.example.com \
2GITLAB_REGISTRY_URL=registry.example.com \
3GITLAB_PAGES_URL=pages.example.com \
4GITLAB_POSTGRES_HOST=192.168.1.90 \
5GITLAB_POSTGRES_PORT=5432 \
6GITLAB_POSTGRES_USER=gitlab \
7GITLAB_POSTGRES_DB_NAME=gitlabhq_production \
8GITLAB_REDIS_HOST=192.168.1.91:6379 \
9GITLAB_GITALY_STORAGE_SIZE=15Gi \
10GITLAB_STORAGE_CLASS=local-path \
11subvars dir --input gitlab-k8s-1.0 --out dirName
Change into dirName/gitlab-k8s-1.0
you can have a look to confirm if everything is in order before applying this in cluster.
- The final step is to create the namespace
gitlab
and build with kustomize or kubectl. I prefer kustomize but you can also use kubectl with-k
flag.
- Create namespace
1kubectl create namespace gitlab
- Apply the final manifest
1kustomize build gitlab-k8s-1.0/ | kubectl apply -f -
2# or following if you have already changed into directory
3kustomize build . | kubectl apply -f -
4
5# With kubectl
6kubectl apply -k gitlab-k8s-1.0/
7# or following if you have already changed into directory
8kubectl apply -k .
- Head over to the endpoint you have configured for gitlab
https://gitlab.example.com
and login.
- Info:
Default passwords
- Gitlab 'root' user's password
1LAwGTzCebner4Kvd23UMGEOFoGAgEHYDszrsSPfAp6lCW15S4fbvrVrubWsua9PI
- Postgres password configured as secret
1 ZDVhZDgxNWY2NmMzODAwMTliYjdkYjQxNWEwY2UwZGMK