- Have a DigitalOcean account (at the time of writing new accounts get $100 in credit)
- An empty project in your DigitalOcean account
- Familiarity with Kubernetes
- Kubernetes and Helm installed on your system
- In your DigitalOcean account, create an empty project, then go to Manage > Kubernetes and create a Kubernetes cluster sized to GitLab's resource requirements
- When the cluster finishes creating, download its config file via the grey button at the bottom of the page
- Create a floating IP, assign it to any droplet, and then unassign it
- Place the downloaded config file in your `.kube` directory as `config` (if you already have a `~/.kube/config`, merge the two or point `KUBECONFIG` at the downloaded file rather than overwriting it), then test your connection:

```
kubectl get node
```
- Create a `tiller` namespace:

```
kubectl create namespace tiller
```

- Create a file called `rbac-config.yaml` in your `.kube` directory with the following contents (note the `v1` RBAC API; the `v1beta1` version has been removed from Kubernetes since 1.22):

```yaml
# Service account that Tiller runs as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: tiller
---
# Binds that service account to the built-in cluster-admin role cluster-wide
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller
```

- Now, from that directory, run:

```
kubectl create -f rbac-config.yaml
```

and voilà, you have your service account.
Note: creating a dedicated `tiller` namespace instead of reusing `kube-system` follows Helm's recommended practice, but it does not reduce privilege. The ClusterRoleBinding above still makes the Tiller service account cluster-admin, so anyone who can reach Tiller's gRPC port can act as cluster-admin; that is why the next step turns on TLS between the Helm client and Tiller.
- Generate a CA plus a server certificate for Tiller and a client certificate for Helm, install the client side into `$(helm home)`, and initialise Tiller with TLS and client verification enforced (the 14-day lifetimes are the tutorial's; they will need re-issuing):

```sh
# CA key, then a CA certificate using an extra v3_ca section appended to a copy of the system openssl.cnf
openssl genrsa -out ./ca.key.pem 4096
cp /etc/ssl/openssl.cnf openssl-with-ca.cnf
cat << END >> openssl-with-ca.cnf
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
END
openssl req -key ca.key.pem -new -x509 -days 14 -sha256 -out ca.cert.pem -extensions v3_ca -config openssl-with-ca.cnf

# Keys and CSRs for Tiller (server) and the Helm client
openssl genrsa -out ./tiller.key.pem 4096
openssl genrsa -out ./helm.key.pem 4096
openssl req -key tiller.key.pem -new -sha256 -out tiller.csr.pem
openssl req -key helm.key.pem -new -sha256 -out helm.csr.pem

# Sign both CSRs with the CA
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 14
openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in helm.csr.pem -out helm.cert.pem -days 14

# Helm looks for ca.pem, cert.pem and key.pem in its home directory
mkdir -p $(helm home)
cp ca.cert.pem $(helm home)/ca.pem
cp helm.cert.pem $(helm home)/cert.pem
cp helm.key.pem $(helm home)/key.pem

# Deploy Tiller with its server cert and require clients to present a cert signed by our CA
helm init --tiller-namespace tiller --service-account tiller --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert ca.cert.pem
```
Note: these commands were written on macOS; on other systems adjust paths such as the location of `openssl.cnf` to match your OpenSSL installation.
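The tutorial's certificate commands prompt interactively for subject fields, depend on the system `openssl.cnf` path, and issue leaf certificates with no key-usage or SAN extensions, so nothing distinguishes the Tiller server cert from the Helm client cert. The script below is an added example, not part of the tutorial or of Helm: it builds the same CA, Tiller and Helm material non-interactively with an inline OpenSSL config, marks the Tiller cert for `serverAuth` and the Helm cert for `clientAuth`, and verifies that each leaf chains to the CA. The `tiller-deploy.tiller.svc` SAN and the `KEY_BITS`/`DAYS` defaults are assumptions for the `tiller` namespace used on this page.

```shell
#!/bin/sh
# Added example (not from the tutorial): throwaway CA + Tiller server cert + Helm
# client cert with explicit X.509 extensions, plus chain verification.
set -eu

KEY_BITS="${KEY_BITS:-4096}"   # assumption: same size the tutorial uses
DAYS="${DAYS:-14}"             # assumption: same lifetime the tutorial uses

# Self-contained openssl config written into $1, so the script does not depend
# on where the system openssl.cnf lives (the tutorial copies /etc/ssl/openssl.cnf).
write_cnf() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_server ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:tiller-deploy.tiller.svc,DNS:tiller-deploy.tiller,DNS:localhost
[ v3_client ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# gen_ca DIR: self-signed CA certificate carrying the v3_ca extensions.
gen_ca() {
  openssl genrsa -out "$1/ca.key.pem" "$KEY_BITS" 2>/dev/null
  openssl req -new -x509 -key "$1/ca.key.pem" -sha256 -days "$DAYS" \
    -subj "/CN=tiller-ca" -extensions v3_ca -config "$1/openssl.cnf" \
    -out "$1/ca.cert.pem"
}

# gen_leaf DIR NAME CN EXT_SECTION: key, CSR and CA-signed cert using EXT_SECTION.
gen_leaf() {
  dir="$1"; name="$2"; cn="$3"; ext="$4"
  openssl genrsa -out "$dir/$name.key.pem" "$KEY_BITS" 2>/dev/null
  openssl req -new -key "$dir/$name.key.pem" -sha256 -subj "/CN=$cn" \
    -config "$dir/openssl.cnf" -out "$dir/$name.csr.pem"
  openssl x509 -req -in "$dir/$name.csr.pem" -CA "$dir/ca.cert.pem" \
    -CAkey "$dir/ca.key.pem" -CAcreateserial -days "$DAYS" -sha256 \
    -extfile "$dir/openssl.cnf" -extensions "$ext" \
    -out "$dir/$name.cert.pem" 2>/dev/null
}

# gen_pki DIR: everything helm init and $(helm home) need, in one directory.
gen_pki() {
  mkdir -p "$1"
  write_cnf "$1"
  gen_ca "$1"
  gen_leaf "$1" tiller tiller-deploy.tiller.svc v3_server
  gen_leaf "$1" helm helm-client v3_client
}

# verify_leaf CA_CERT LEAF_CERT: succeeds only if LEAF chains to CA.
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_eku CERT TEXT: succeeds if the cert's Extended Key Usage lists TEXT,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication".
cert_has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Usage: sh tiller-pki.sh ./pki
if [ "${1:-}" ]; then
  gen_pki "$1"
  verify_leaf "$1/ca.cert.pem" "$1/tiller.cert.pem" && echo "tiller cert chains to CA"
  verify_leaf "$1/ca.cert.pem" "$1/helm.cert.pem" && echo "helm cert chains to CA"
fi
```

After running it, copy `helm.cert.pem`, `helm.key.pem` and `ca.cert.pem` into `$(helm home)` and pass `tiller.cert.pem`/`tiller.key.pem` to `helm init` exactly as the tutorial's block shows. Because the Helm cert carries only `clientAuth`, a leaked Helm client certificate cannot be reused to impersonate the Tiller server, and a certificate signed by any other CA fails `verify_leaf`, which is the property `--tiller-tls-verify` relies on.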
- You're going to use the floating IP address you created earlier
- Create a wildcard DNS entry pointing at it
- If you're using Terraform (here with Google Cloud DNS), your entry may look something like this:

```hcl
// *.test-gitlab.ops-fabric.com.
resource "google_dns_record_set" "test_gitlab_ops_fabric_com" {
  managed_zone = "some zone"
  name         = "*.test-gitlab.ops-fabric.com"
  type         = "A"
  ttl          = 300
  rrdatas      = ["<FLOATING IP>"] // test-gitlab digital ocean k8s nginx ingress
}
```
- Add the GitLab Helm chart repository:

```
helm repo add gitlab https://charts.gitlab.io/
```

- Update your repo:

```
helm repo update
```

- Now run the install. Keep `--tls` on this and every later Helm call: Tiller was initialised with `--tiller-tls-verify`, so a client that does not present a certificate signed by your CA is rejected.

```
helm upgrade --tls --tiller-namespace=tiller --install gitlab gitlab/gitlab --timeout 600 --set global.hosts.domain=test-gitlab.ops-fabric.com --set global.hosts.externalIP=<FLOATING IP> --set certmanager-issuer.email=you@some-domain.com
```

- The chart creates a `gitlab-nginx-ingress-controller` service of type LoadBalancer. Find its external IP with `kubectl get services` and point your wildcard DNS record at that load balancer IP.
- Check the install with `kubectl get pods`; once all pods are running, you can go to your GitLab URL and log in.
- The username is `root`, and the initial password is in a secret named after your Helm release (`gitlab` in the command above):

```
kubectl get secret <name>-gitlab-initial-root-password -o jsonpath='{.data.password}' | base64 --decode ; echo
```

- Go to your account and change that password straight away; the initial one sits in a cluster secret readable by anyone with access to the namespace.
- Have fun with GitLab