This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revision Both sides next revision
инструмент_gitlab [2022/06/20 09:00]
val [GitLab CI/CD]
инструмент_gitlab [2024/02/05 18:56]
val [OpenID client]
Line 1: Line 1:
 ====== Инструмент GitLab ====== ====== Инструмент GitLab ======
 +  * [[https://​​wiki/​GitLab - Википедия]]
   * [[https://​​n_21ya2MoKg|Youtube. RomNero. GitLab. Devops система]]   * [[https://​​n_21ya2MoKg|Youtube. RomNero. GitLab. Devops система]]
Line 5: Line 7:
 ===== Установка ===== ===== Установка =====
 +  * RAM от 4Gb
 +==== Если нужен почтовый сервер ====
 +server# time ansible-playbook conf/​ansible/​roles/​mail.yml
 +real    2m57.922s
 +# cat /​etc/​apache2/​ports.conf
 +Listen 81
 +server# service apache2 restart
 +==== Установка из репозитория ====
   * [[https://​​install/​|Install self-managed GitLab]]   * [[https://​​install/​|Install self-managed GitLab]]
   * Доступно из РФ: [[https://​​gitlab/​gitlab-ce]]   * Доступно из РФ: [[https://​​gitlab/​gitlab-ce]]
 +  * [[http://​gate.isp.un/​unix/​Git/​gitlab-ce_16.3.3-ce.0_amd64.deb]]
-  * [[https://​​configure-custom-ssl-to-secure-gitlab-server/​|Configure Custom SSL to Secure GitLab Server]]+<​code>​ 
 +server# apt-get install ​-y curl ca-certificates perl
 +server# curl https://​​install/​repositories/​gitlab/​gitlab-ce/​ | bash
 +server# time EXTERNAL_URL="​http://​server.corpX.un"​ apt-get install gitlab-ce
 +real    38m49.787s ​ !!! Загрузка может прерываться,​ надо повторять команду !!!
 +==== Установка через docker-compose ====
 +  * [[https://​​ee/​install/​docker.html#​install-gitlab-using-docker-compose|Install GitLab using Docker Compose]]
 +  * [[Технология Docker]]
 +  * [[Технология Docker#​docker-compose]]
 +# cat docker-compose.yml
 +version: '​3.6'​
 +  web:
 +    image: '​gitlab/​gitlab-ce:​latest'​
 +    restart: always
 +    hostname: '​server.corpX.un'​
 +    environment:​
 +      GITLAB_ROOT_PASSWORD:​ "​strongpassword"​
 +        external_url '​http://​server.corpX.un'​
 +#        gitlab_rails['​initial_root_password'​] = '​strongpassword'​
 +#        registry_external_url '​http://​server.corpX.un'​
 +#        gitlab_rails['​registry_enabled'​] = true
 +#        gitlab_rails['​registry_host'​] = "​server.corpX.un"​
 +#        gitlab_rails['​registry_port'​] = "​5000"​
 +#        registry['​registry_http_addr'​] = "​server.corpX.un:​5000"​
 +#        prometheus_monitoring['​enable'​] = false
 +#        external_url '​https://​​8443'​
 +#        registry_external_url '​https://​​5050'​
 +    ports:
 +      - '​80:​80'​
 +#      - '​8443:​8443'​
 +      - '​2222:​22'​
 +      - '​5000:​5000'​
 +#      - '​5050:​5050'​
 +    volumes:
 +      - '/​etc/​gitlab:/​etc/​gitlab'​
 +      - '/​srv/​gitlab/​logs:/​var/​log/​gitlab'​
 +      - '/​srv/​gitlab/​data:/​var/​opt/​gitlab'​
 +    shm_size: '​256m'​
 +# ### cat /​etc/​gitlab/​ssl/​{crt,​key}
 +# docker-compose up -d
 +# docker logs root_web_1 -n 10 -f
 +### docker-compose stop
 +### rm -r /​srv/​gitlab/​ /​etc/​gitlab/​
 +===== Подключение =====
 +==== Подключение к Web интерфейсу =====
 +  * http://​server.corpX.un/​
 +==== Подключение через API ====
 +  * Токен доступа:​ Settings -> Access Tokens ([[https://​​ee/​user/​project/​settings/​project_access_tokens.html|Project access tokens]]), в примере достаточно role: Reporter, Scopes: api
 +  * Номер проекта:​ Settings -> General ([[https://​​questions/​39559689/​where-do-i-find-the-project-id-for-the-gitlab-api|Where do I find the project ID for the GitLab API?]])
 +  * [[https://​​questions/​56943327/​how-to-download-a-single-file-from-gitlab|How to download a single file from GitLab?]]
 +root@node1,​2,​3:​~#​ curl "​http://​server.corpX.un/​api/​v4/​projects/​2/​repository/​files/​docker-compose.yml/​raw?​ref=master"​ | tee docker-compose.yml
 +  или, для НЕ публичных проектов
 +root@node1,​2,​3:​~#​ curl --header "​PRIVATE-TOKEN:​ NNNNNNNNNNNNNNNNNNNNN"​ "​http://​server.corpX.un/​api/​v4/​projects/​4/​repository/​files/​docker-compose.yml/​raw?​ref=master"​ | tee docker-compose.yml
 +  * [[Сервис Ansible#​ansible-pull]]
 +client1:​~/​ansible-pull-gpo#​ cat
 +sudo -i
 +export BR=main; bash <(curl -s http://​gate.corp13.un/​api/​v4/​projects/​1/​repository/​files/​​raw?​ref=$BR)
 ===== Настройка ===== ===== Настройка =====
 +==== Файл конфигурации ====
 <​code>​ <​code>​
 # cat /​etc/​gitlab/​gitlab.rb # cat /​etc/​gitlab/​gitlab.rb
 +external_url '​http://​server.corpX.un'​
 </​code>​ </​code>​
-==== GitLab Runner ​====+==== Проверка конфигурации и перезапуск ​====
-  * [[https://​​runner/​install/​linux-manually.html|Install GitLab Runner manually on GNU/Linux]]+<​code>​ 
 +### docker exec -it root_web_1 bash
-  * [[https://​​@ryzmen/​gitlab-fast-pipelines-stages-jobs-c51c829b9aa1|GitLab:​ understanding pipelines, stages, jobs and organising them efficiently for speed and feedback loop]]+gitlab-ctl show-config
 +# time gitlab-ctl reconfigure
 +real    2m34.726s
 +==== GitLab Docker Registry ====
 +  * [[https://​​ee/​administration/​packages/​container_registry.html|The Container Registry is automatically enabled and available on your GitLab domain, port 5050 if you’re using the built-in Let’s Encrypt integration]]
 +  * [[https://​​insecure-gitlab-registry/​|Настройка работы Gitlab с registry без ssl - Sysadmin]]
 +# cat /​etc/​gitlab/​gitlab.rb
 +registry_external_url '​http://​server.corpX.un'​
 +gitlab_rails['​registry_enabled'​] = true
 +gitlab_rails['​registry_host'​] = "​server.corpX.un"​
 +gitlab_rails['​registry_port'​] = "​5000"​
 +registry['​registry_http_addr'​] = "​server.corpX.un:​5000"​
 +  * [[#​Проверка конфигурации и перезапуск]]
 +==== GitLab Grafana ====
 +# cat /​etc/​gitlab/​gitlab.rb
 +grafana['​http_addr'​] = '​'​
 +  * [[#​Проверка конфигурации и перезапуск]]
 +==== GitLab Prometheus ====
 +# cat /​etc/​gitlab/​gitlab.rb
 +prometheus_monitoring['​enable'​] = false
 +  * [[#​Проверка конфигурации и перезапуск]]
 +# time rm -rf /​var/​opt/​gitlab/​prometheus/​data/​*
 +==== Включение TLS ====
 +  * [[https://​​omnibus/​settings/​ssl.html#​configure-https-manually|Configure HTTPS manually]]
 +  * [[https://​​configure-custom-ssl-to-secure-gitlab-server/​|Configure Custom SSL to Secure GitLab Server]]
 +# mkdir /​etc/​gitlab/​ssl/​
 +# cp wild.crt /​etc/​gitlab/​ssl/​$(hostname).crt
 +# cp wild.key /​etc/​gitlab/​ssl/​$(hostname).key
 +# cat /​etc/​gitlab/​gitlab.rb
 +external_url '​https://​server.corpX.un'​
 +# nginx['​ssl_certificate'​] = "/​etc/​gitlab/​ssl/#​{node['​fqdn'​]}.crt"​
 +# nginx['​ssl_certificate_key'​] = "/​etc/​gitlab/​ssl/#​{node['​fqdn'​]}.key"​
 +letsencrypt['​enable'​] = false
 +  * [[#​Проверка конфигурации и перезапуск]]
 +==== Управление пользователями ====
 +=== Внутренние пользователи ===
 +  * Username - login, Name - ФИО
 +# cat /​etc/​gitlab/​initial_root_password
 +  * [[https://​​questions/​60062065/​gitlab-initial-root-password|gitlab initial root password reset]]
 +# gitlab-rake "​gitlab:​password:​reset[root]"​
 +=== Использование LDAP ===
 +  * [[https://​​ee/​administration/​auth/​ldap/​index.html|Integrate LDAP with GitLab]]
 +  * [[Установка и настройка OpenLDAP]]
 +  * [[Хранение учетных записей UNIX в LDAP]] !!! с атрибутом почты и паролем
 +# cat /​etc/​gitlab/​gitlab.rb
 +gitlab_rails['​ldap_enabled'​] = true
 +gitlab_rails['​ldap_servers'​] = YAML.load <<​-'​EOS'​
 +  main:
 +    label: '​LDAP'​
 +    host: '​server.corpX.un'​
 +#    host: '​server2.corpX.un'​
 +    port: 389
 +#    uid: '​uid'​
 +    uid: '​sAMAccountName'​
 +#    bind_dn: '​cn=admin,​dc=corpX,​dc=un'​
 +#    password: '​secret'​
 +    bind_dn: '​cn=Administrator,​cn=Users,​dc=corpX,​dc=un'​
 +    password: '​Pa$$w0rd'​
 +    encryption: '​plain'​
 +#    active_directory:​ false
 +    active_directory:​ true
 +    base: '​dc=corpX,​dc=un'​
 +  * [[#​Проверка конфигурации и перезапуск]]
 +===== GitLab Runner =====
 +==== Установка из пакета ====
 +  * [[https://​​runner/​install/​linux-manually.html|Install GitLab Runner manually on GNU/Linux]]
   * [[https://​​unix/​Git/​gitlab-runner_amd64.deb]] (15.0.0) ​   * [[https://​​unix/​Git/​gitlab-runner_amd64.deb]] (15.0.0) ​
 <​code>​ <​code>​
-root@node2:​~# gitlab-runner ​register +apt install ​gitlab-runner ​  # достаточно для ​shell executor но не отображает команды ci/cd в gitlab
-root@node2:~# cat /​etc/​gitlab-runner/​config.toml+или 
 +# wget http://​gate.isp.un/​unix/​Git/​gitlab-runner_amd64.deb 
 +##2 часа## curl -LJO "​https://​​latest/​deb/​gitlab-runner_amd64.deb"​ 
 +# dpkg -i gitlab-runner_amd64.deb 
 +==== Регистрация ==== 
 +# gitlab-runner register --help 
 +# export CI_SERVER_URL=http://​server.corpX.un 
 +# gitlab-runner register 
 +Enter the GitLab instance URL: http://​server.corpX.un 
 +Enter the registration token: ... 
 +Enter tags for the runner: dhcptest, dhcpdeploy 
 +  или 
 +Enter tags for the runner: openvpn1deploy 
 +Enter an executor: shell 
 +# gitlab-runner register -n --executor "​shell"​ -u http://​server.corp13.un -r "​NNNNNNNNNNNNNNNNNNNNNNNNNNNN"​ 
 +Перезапускать не нужно 
 +# cat /​etc/​gitlab-runner/​config.toml
 log_level = "​debug"​ log_level = "​debug"​
 ... ...
 +# systemctl restart gitlab-runner
 +# gitlab-runner verify
 </​code>​ </​code>​
-  * Технология Docker [[Технология Docker#​Предоставление прав непривилегированным пользователям]]+ 
 +==== Установка в виде контейнера ==== 
 +  * [[https://​​ru/​companies/​cloud4y/​articles/​710782/​|Использование Docker in Docker в GitLab]] 
 <​code>​ <​code>​
-root@node2:~# systemctl start gitlab-runner+gate:~### rm /srv/gitlab-runner/​config/​config.toml 
 +gate:~# docker run -d --name gitlab-runner --restart always \ 
 +  -v /​srv/​gitlab-runner/​config:/​etc/​gitlab-runner \ 
 +  -v /​var/​run/​docker.sock:/​var/​run/​docker.sock \ 
 +  gitlab/​gitlab-runner:​latest
 </​code>​ </​code>​
-==== GitLab CI/CD ====+=== Регистрация DooD === 
 +  * Включаем Docker [[Технология Docker#​Insecure Private Registry]] 
 +gate:~# docker run --rm -v /​srv/​gitlab-runner/​config:/​etc/​gitlab-runner gitlab/​gitlab-runner register \ 
 +  --non-interactive \ 
 +  --url "​http://​server.corpX.un/"​ \ 
 +  --registration-token "​NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN"​ \ 
 +  --executor "​docker"​ \ 
 +  --docker-image "​docker:​stable"​ \ 
 +  --docker-volumes /​var/​run/​docker.sock:/​var/​run/​docker.sock \ 
 +  --description "​dood-runner"​ 
 +=== Регистрация DinD === 
 +  * Можно отключить Docker [[Технология Docker#​Insecure Private Registry]] 
 +gate:~# docker run --rm -v /​srv/​gitlab-runner/​config:/​etc/​gitlab-runner gitlab/​gitlab-runner register \ 
 +  --non-interactive \ 
 +  --url "​http://​server.corpX.un/"​ \ 
 +  --registration-token "​NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN"​ \ 
 +  --executor "​docker"​ \ 
 +  --docker-image "​docker:​stable"​ \ 
 +  --docker-privileged \ 
 +  --description "​dind-runner"​ 
 +gate:~# docker volume ls 
 +gate:~# docker volume inspect ... 
 +===== GitLab CI/CD =====
   * [[https://​​ee/​ci/​examples/#​cicd-templates|CI/​CD templates]]   * [[https://​​ee/​ci/​examples/#​cicd-templates|CI/​CD templates]]
 +  * [[https://​​@ryzmen/​gitlab-fast-pipelines-stages-jobs-c51c829b9aa1|GitLab:​ understanding pipelines, stages, jobs and organising them efficiently for speed and feedback loop]]
 +  * [[https://​​questions/​64725914/​how-to-disable-auto-pipelines-in-gitlab|How to disable auto pipelines in gitlab]]
 +==== Пример shell make ====
 <​code>​ <​code>​
-student@gate:~/dhcp$ cat .gitlab-ci.yml+IDE GitLab->​New File: .gitlab-ci.yml 
 +CI/CD -> Editor -> Configure Pipelines 
 +Build -> Pipeline editor -> Configure Pipelines
 </​code><​code>​ </​code><​code>​
 +#  - build 
 +#  - test 
 +#  - deploy 
   stage: test   stage: test
   script:   script:
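Review bot: the container-based runner (`docker run -d --name gitlab-runner ... -v /var/run/docker.sock:/var/run/docker.sock`) and the DinD registration with `--docker-privileged` give every job scheduled on those runners root-equivalent access to the host, so both should be registered as project or group runners limited to trusted projects and protected branches, never as shared runners, and the DooD runner's `--docker-volumes /var/run/docker.sock:/var/run/docker.sock` should not be attached to any runner that executes merge-request pipelines from forks. Further points in the same hunk: `GITLAB_ROOT_PASSWORD: "strongpassword"` in docker-compose.yml is stored in plaintext and exposed by `docker inspect`, so read it from an env file kept out of the repository and rotate it after first login; the LDAP block sets `encryption: 'plain'` on port 389 and binds as `cn=Administrator,cn=Users,dc=corpX,dc=un` with `password: 'Pa$$w0rd'`, which sends each user's login password and the bind password in cleartext and gives GitLab a domain-admin bind, so use `encryption: 'start_tls'` (or `simple_tls` on 636) and a dedicated read-only bind account; the ansible-pull bootstrap `export BR=main; bash <(curl -s http://gate.corp13.un/...)` executes whatever the network returns over unauthenticated HTTP, so serve it over HTTPS (the `Включение TLS` section in this hunk sets that up) and prefer a tag or commit SHA over a branch name for `ref`; the `curl --header "PRIVATE-TOKEN: ..."` example only needs a token with `read_api` scope for a GET of a raw file, which is narrower than the `api` scope named above it.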
Line 53: Line 396:
     - dhcptest     - dhcptest
   stage: deploy   stage: deploy
   script:   script:
Line 60: Line 403:
   tags:   tags:
     - dhcpdeploy     - dhcpdeploy
 +==== Пример shell ansible ====
 +  * [[https://​​blog/​gitlab-ci-limit-branch|Limit Gitlab CI pipelines to specific branches]]
 +  * [[https://​​questions/​52169219/​get-branch-name-in-gitlab-ci|Get Branch name in gitlab ci]]
 +Administrator@Ra-master ~/openvpn1 (test)
 +λ touch .gitlab-ci.yml
 +  или
 +Build -> Pipeline editor -> Configure Pipelines
 </​code><​code>​ </​code><​code>​
-vagrant@node1:~/project1cat .gitlab-ci.yml+deploy_test: 
 +  stage: deploy 
 +  script: 
 +    - echo $(date) "​Deploy TEST openvpn1"​ >> ​/tmp/​Bash.gitlab-ci.log 
 +    - ansible-playbook openvpn1.yaml -i inventory.yaml -e "​variable_host=test_nodes"​ 
 +  tags: 
 +    - openvpn1deploy 
 +  only: 
 +    - test 
 +  stage: deploy 
 +  script: 
 +    - echo $(date) "​Deploy PROD openvpn1"​ >> /tmp/Bash.gitlab-ci.log 
 +    - ansible-playbook openvpn1.yaml -i inventory.yaml 
 +  tags: 
 +    - openvpn1deploy 
 +  only: 
 +#    - master 
 +#    - main 
 +==== Пример shell docker ==== 
 +  * Технология Docker [[Технология Docker#​Предоставление прав непривилегированным пользователям]] 
 +  * [[https://​​ee/​ci/​docker/​using_docker_build.html|Use Docker to build Docker images]] 
 +  * [[https://​​ee/​ci/​variables/​predefined_variables.html|Predefined variables reference]] 
 +  * [[https://​​ee/​ci/​variables/#​add-a-cicd-variable-to-a-project|Add a CI/CD variable to a project]] 
 +# Надо назначить в GitLab (Settings -> CI/CD -> Variables) 
 +export MY_CI_REGISTRY=server.corpX.un:​5000  
 +export MY_CI_REGISTRY_IMAGE=student/​webd 
 +# Можно использовать встроенные CI_REGISTRY и CI_REGISTRY_IMAGE  
 +# поскольку используем этот же проект GitLab как registry 
 +# в GitLab будет устанавлено автоматически 
 +export CI_COMMIT_MESSAGE="​ver 1.2" ​   
 +gitlab-runner@server:​~/​webd$ cat
 </​code><​code>​ </​code><​code>​
-  stage: ​test+ 
 +VER="​$(echo $CI_COMMIT_MESSAGE | sed '​s/​[^a-zA-Z0-9\.]//​g'​)"​ 
 +# need only one time 
 +docker build -t webd webd 
 +#docker build --no-cache -t webd webd 
 +#docker tag webd $CI_REGISTRY_IMAGE:​$VER 
 +#docker tag webd $CI_REGISTRY_IMAGE 
 +# previously need: docker login ... 
 +#docker push $CI_REGISTRY_IMAGE:​$VER 
 +#docker push $CI_REGISTRY_IMAGE 
 +gitlab-runner@server:​~/​webd$ cat .gitlab-ci.yml 
 +  - lintertest 
 +  - build 
 +#  - deploy 
 +  stage: ​lintertest
   script:   script:
-    - echo $(date) "Do a test here" >> /​tmp/​Bash.gitlab-ci.log+    - echo $(date) "Do a test webd here" >> /​tmp/​Bash.gitlab-ci.log
     - shellcheck webd/webd     - shellcheck webd/webd
   tags:   tags:
     - shellcheck     - shellcheck
-  stage: ​deploy+  stage: ​build
   script:   script:
-    - echo $(date) "​Do ​your deploy ​here" >> /​tmp/​Bash.gitlab-ci.log +    - echo $(date) "​Do ​a build webd here" >> /​tmp/​Bash.gitlab-ci.log 
-    - docker-compose up -d+   ​- ​env | tee /​tmp/​Bash.gitlab-ci.log 
 +    ​sh
   tags:   tags:
-    - webddeploy +    - webdbuild
-==== Управление пользователями ====+#deploy1: 
 +#  stage: deploy 
 +#  script: 
 +#    - echo $(date) "Do your deploy webd to k8s here" >> /​tmp/​Bash.gitlab-ci.log 
 +#    - sh 
 +#  tags: 
 +#    - webddeploy
-=== Использование LDAP ===+### OR .gitlab-ci.yml for gowebd-k8s project running from another pipeline ###
-  * [[https://​​ee/​administration/​auth/ldap/index.html|Integrate LDAP with GitLab]] +#deploy1: 
-  * [[Установка и настройка OpenLDAP]] +#  stage: deploy 
-  * [[Хранение учетных записей UNIX в LDAP]] !!! с атрибутом почты и паролем+#  variables:​ 
 +#    HELM_NAMESPACE:​ "​my-ns"​ 
 +#  rules: 
 +#    - if: '​$CI_PIPELINE_SOURCE == "​pipeline"​ && $VER'​ 
 +#  script: 
 +#    - env 
 +#    - envsubst < my-webd-deployment-env.yaml | kubectl apply -f - -n my-ns 
 +#    - helm upgrade -i my-webd webd-chart--set=image.tag=$VER --create-namespace 
 +==== Пример shell Kubernetes ====
 <​code>​ <​code>​
-# cat /etc/​gitlab/​gitlab.rb+gitlab-runner@server:​~/webd$ cp my-webd-deployment.yaml my-webd-deployment-env.yaml 
 +  или 
 +gitlab-runner@server:​~/gowebd-k8s$ scp root@node1:​my-webd-deployment.yaml my-webd-deployment-env.yaml 
 +gitlab-runner@server:​~/​webd$ cat my-webd-deployment-env.yaml
 </​code><​code>​ </​code><​code>​
 ... ...
-gitlab_rails['​ldap_enabled'​] = true +        image: server.corpX.un:​5000/​student/​webd:$VER
- +
-gitlab_rails['​ldap_servers'​] = YAML.load <<​-'​EOS'​ +
-  main: +
-    label: '​LDAP'​ +
-    host: 'server.corpX.un+
-    port389 +
-#    port636 +
-    uid: '​uid'​ +
-    bind_dn: '​cn=admin,​dc=corpX,​dc=un'​ +
-    password: '​secret'​ +
-    encryption: '​plain'​ +
-#    encryption: '​simple_tls'​ +
-    active_directory:​ false +
-    base: '​ou=People,​dc=corpX,​dc=un'​+
 ... ...
 </​code><​code>​ </​code><​code>​
-# gitlab-ctl reconfigure+в GitLab будет устанавлено автоматически 
 +gitlab-runner@gate:​~/​webd$ export CI_COMMIT_MESSAGE="​ver 1.2" 
 +gitlab-runner@gate:​~/​webd$ cat 
 +#alias kubectl='​minikube kubectl --' 
 +kubectl apply -f my-webd-deployment.yaml -n my-ns 
 +#export VER="​$(echo $CI_COMMIT_MESSAGE | sed '​s/​[^a-zA-Z0-9\.]//​g'​)"​ 
 +#envsubst < my-webd-deployment-env.yaml | kubectl apply -f - -n my-ns 
 +kubectl apply -f my-webd-service.yaml -n my-ns 
 +#export HELM_NAMESPACE=my-ns 
 +#helm upgrade --install my-webd webd-chart/ --set=image.tag=$VER --create-namespace 
 +gitlab-runner@server:​~/​$ kubectl describe replicaset.apps/​my-webd-NNNNNNNNNNN -n my-ns
 </​code>​ </​code>​
 +==== Пример CI с использованием контейнеров ====
-==== Сервер OAuth2 ====+  * [[https://​​build-golang-docker-images-with-gitlab-ci-pipelines-2117f8505350|Build Golang Docker images with GitLab CI Pipelines]] 
 +  * [[https://​​building-docker-images-with-gitlab-ci-best-practices/​|Best practices for building docker images with GitLab CI]]
-  * !!! URL без финального "/" !!!+  * [[https://​​questions/​63693061/​how-to-run-a-script-from-file-in-another-project-using-include-in-gitlab-ci|How to run a script from file in another project using include in GitLab CI?]] 
 +  * [[https://​​@captain_sparrow/​gitlab-%D1%82%D1%80%D0%B8%D0%B3%D0%B3%D0%B5%D1%80%D1%8B-%D0%B8-%D0%B4%D0%BB%D1%8F-%D0%BA%D0%B0%D0%BA%D0%B8%D1%85-%D1%82%D0%B5%D1%81%D1%82%D0%BE%D0%B2-%D0%B8%D1%85-%D1%81%D1%82%D0%BE%D0%B8%D1%82-%D0%B8%D1%81%D0%BF%D0%BE%D0%BB%D1%8C%D0%B7%D0%BE%D0%B2%D0%B0%D1%82%D1%8C-afa04f8c78a7|Gitlab триггеры и для каких тестов их стоит использовать?​]] 
 +  * [[https://​​blog/​docker-vs-buildah-vs-kaniko/​|Container Image Build Tools: Docker vs. Buildah vs. kaniko]] 
 +  * [[https://​​ee/​ci/​docker/​using_kaniko.html|Use kaniko to build Docker images]] 
 +  * [[https://​​blog/​a-tale-of-two-container-image-tools-skopeo-and-crane/|A Tale of Two Container Image Tools: Skopeo and Crane]]
 <​code>​ <​code>​
-Admin Area-> Applications-> val-auth-test +student@client1:​~/​gowebd$ cat .gitlab-ci.yml 
-  ​Callback URL +</code><​code>​ 
-  ​TrustedYes+stages: 
 +  - build 
 +  - push 
 +#  - deploy 
 +#  - name: docker:​dind 
 +#    command: 
 +#      [ 
 +#        '​--insecure-registry=server.corpX.un:​5000',​ 
 +#      ] 
 +  - env 
 +#  - docker info 
 +  - echo -n $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY 
 +  stage: build 
 +#  image: 
 +#    name:​kaniko-project/​executor:​v1.9.0-debug 
 +#    entrypoint: [""​] 
 +  script: 
 +    - docker pull $CI_REGISTRY_IMAGE:​latest || true 
 +    ​- > 
 +      docker build 
 +      ​--pull 
 +      --cache-from $CI_REGISTRY_IMAGE:​latest 
 +      . 
 +    - docker push $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA 
 +#    - echo "​{\"​auths\":​{\"​${CI_REGISTRY}\":​{\"​auth\":​\"​$(printf "​%s:​%s"​ "​${CI_REGISTRY_USER}"​ "​${CI_REGISTRY_PASSWORD}"​ | base64 | tr -d '​\n'​)\"​},​\"​$CI_DEPENDENCY_PROXY_SERVER\":​{\"​auth\":​\"​$(printf "​%s:​%s"​ ${CI_DEPENDENCY_PROXY_USER} "​${CI_DEPENDENCY_PROXY_PASSWORD}"​ | base64 | tr -d '​\n'​)\"​}}}"​ > /​kaniko/​.docker/​config.json 
 +#    - /​kaniko/​executor 
 +#      --insecure --skip-tls-verify 
 +#      --context "​${CI_PROJECT_DIR}"​ 
 +#      --dockerfile "​${CI_PROJECT_DIR}/​Dockerfile"​ 
 +#      --destination "​${CI_REGISTRY_IMAGE}:​${CI_COMMIT_SHA}"​ 
 +Push latest: 
 + image: 
 +#    entrypoint: [""​] 
 +  variables:​ 
 +    GIT_STRATEGY:​ none 
 +  stage: push 
 +  only: 
 +    - main 
 +  script: 
 +    - docker pull $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA 
 +    - docker push $CI_REGISTRY_IMAGE:​latest 
 +#    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY 
 +#    - crane --insecure cp $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:​latest 
 +Push tag: 
 +#  image: 
 +#    name:​crane:​debug 
 +#    entrypoint: [""​] 
 +  variables:​ 
 +    GIT_STRATEGY:​ none 
 +  stage: push 
 +  only: 
 +    - tags 
 +  script: 
 +    - docker pull $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA 
 +    - docker push $CI_REGISTRY_IMAGE:​$CI_COMMIT_REF_NAME 
 +#   - crane auth login -u $CI_REGISTRY_USER ​-p $CI_REGISTRY_PASSWORD $CI_REGISTRY 
 + variables: 
 +#    VER: "​$CI_COMMIT_REF_NAME"​ 
 +#  stage: deploy 
 +#  only: 
 +#    - tags 
 +#  trigger: 
 +#    project: student/​gowebd-k8s
 </​code>​ </​code>​
 +===== Сервер OpenID =====
 +  * [[https://​​zmartzone/​mod_auth_openidc/​wiki/​GitLab-OAuth2]]
 +  * [[Сервис HTTP#​Управление доступом к HTTP серверу с использованием OpenID аутентификации]]
 +  * Admin Area-> Applications
 +Name: test-cgi
 +Redirect URI: http://​gate.corp13.un/​cgi-bin/​test-cgi ​ !!! Если URL каталога,​ то без финального "/"​ !!!
 +Trusted: Yes
 +Confidential:​ Yes
 +Scopes: openid
 +Application ID: ...
 +Secret: ...
 +Callback URL = Redirect URI
 +===== Клиент OpenID =====
 +  * [[https://​​ee/​administration/​auth/​oidc.html|You can use GitLab as a client application with OpenID Connect as an OmniAuth provider]]
 +  * [[https://​​gitlab-org/​gitlab/​-/​issues/​196193|use self-signed to integate gitlab with keycloak but see error: certificate verify failed (self signed certificate))]]
 +  * [[https://​​t/​using-keycloak-as-sso-for-gitlab-with-pre-existing-users-no-autocreate/​67833|Using Keycloak as SSO for Gitlab with pre-existing users (no autocreate)]]
 +# cp server.crt /​etc/​gitlab/​trusted-certs/​
 +  или
 +# cp ca.crt /​etc/​gitlab/​trusted-certs/​
 +# cat /​etc/​gitlab/​gitlab.rb
 +gitlab_rails['​omniauth_providers'​] = [
 +  {
 +    name: "​openid_connect",​ # do not change this parameter
 +    label: "​Keycloak",​ # optional label for login button, defaults to "​Openid Connect"​
 +    args: {
 +      name: "​openid_connect",​
 +      scope: ["​openid",​ "​profile",​ "​email"​],​
 +      response_type:​ "​code",​
 +#     ​issuer: ​ "​https://​​realms/​myrealm",​
 +      issuer: ​ "​https://​keycloak.corpX.un/​realms/​corpX",​
 +      client_auth_method:​ "​query",​
 +      discovery: true,
 +      uid_field: "​preferred_username",​
 +      pkce: true,
 +      client_options:​ {
 +#        identifier: "<​YOUR CLIENT ID>",​
 +        identifier: "​any-client",​
 +#        secret: "<​YOUR CLIENT SECRET>",​
 +        secret: "​anystring",​
 +#        redirect_uri:​ "​https://​​users/​auth/​openid_connect/​callback"​
 +        redirect_uri:​ "​https://​gate.corpX.un/​users/​auth/​openid_connect/​callback"​
 +      }
 +    }
 +  }
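Review bot: the build job's `- env | tee /tmp/Bash.gitlab-ci.log` step in `Пример shell docker` writes every CI variable, including `CI_REGISTRY_PASSWORD` and `CI_JOB_TOKEN`, to a file under `/tmp` on the runner host, and the bare `- env` in the container example prints them to the job log; variable masking applies to the job log only and never to a file written with `tee`, so drop the `tee` and limit `env` to the variables actually being debugged. Also in this hunk: `helm upgrade -i my-webd webd-chart--set=image.tag=$VER` is missing the space before `--set` (the later `helm upgrade --install my-webd webd-chart/ --set=image.tag=$VER` line has it right); the kaniko fallback `--insecure --skip-tls-verify`, `crane --insecure cp ...` and dind's `--insecure-registry=server.corpX.un:5000` all disable registry TLS or its verification, consistent with the plain-HTTP `registry_external_url` earlier in the diff but leaving registry credentials and pushed layers in clear, so once the TLS section is applied these flags should be removed rather than kept as defaults; the image tag `VER` is derived from `CI_COMMIT_MESSAGE` via `sed 's/[^a-zA-Z0-9\.]//g'`, which correctly strips shell metacharacters but yields an empty tag for a message with no alphanumerics, so the `rules: - if: '$CI_PIPELINE_SOURCE == "pipeline" && $VER'` guard should also cover the build and push jobs or `VER` should fall back to `$CI_COMMIT_SHORT_SHA`; the `docker login ... --password-stdin` form is the right one and the commented `crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD` alternative should use `--password-stdin` too instead of putting the password on the command line; for the OpenID server application, `Trusted: Yes` skips the user consent screen and is appropriate only for first-party clients like `test-cgi`, and `Confidential: Yes` with `pkce: true` on the client side is the correct pairing.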
инструмент_gitlab.txt · Last modified: 2024/06/13 08:39 by val