инструмент_gitlab [2022/05/17 10:30] val [Использование LDAP] |
инструмент_gitlab [2024/04/16 08:14] val [Установка из пакета] |
Line 1: | Line 1: | ||
====== Инструмент GitLab ====== | ====== Инструмент GitLab ====== | ||
+ | |||
+ | * [[https://ru.wikipedia.org/wiki/GitLab - Википедия]] | ||
* [[https://youtu.be/n_21ya2MoKg|Youtube. RomNero. GitLab. Devops система]] | * [[https://youtu.be/n_21ya2MoKg|Youtube. RomNero. GitLab. Devops система]] | ||
Line 5: | Line 7: | ||
===== Установка ===== | ===== Установка ===== | ||
+ | |||
+ | * RAM от 4Gb | ||
+ | |||
+ | ==== Если нужен почтовый сервер ==== | ||
+ | |||
+ | <code> | ||
+ | server# time ansible-playbook conf/ansible/roles/mail.yml | ||
+ | real 2m57.922s | ||
+ | |||
+ | # cat /etc/apache2/ports.conf | ||
+ | </code><code> | ||
+ | ... | ||
+ | Listen 81 | ||
+ | ... | ||
+ | </code><code> | ||
+ | server# service apache2 restart | ||
+ | </code><code> | ||
+ | http://server.corpX.un:81/mail/ | ||
+ | </code> | ||
+ | |||
+ | ==== Установка из репозитория ==== | ||
* [[https://about.gitlab.com/install/|Install self-managed GitLab]] | * [[https://about.gitlab.com/install/|Install self-managed GitLab]] | ||
+ | * Доступно из РФ: [[https://packages.gitlab.com/gitlab/gitlab-ce]] | ||
+ | * [[http://gate.isp.un/unix/Git/gitlab-ce_16.3.3-ce.0_amd64.deb]] | ||
+ | |||
+ | <code> | ||
+ | server# apt-get install -y curl ca-certificates perl | ||
+ | |||
+ | server# curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | bash | ||
+ | |||
+ | server# time EXTERNAL_URL="http://$(hostname)" apt-get install gitlab-ce | ||
+ | ... | ||
+ | real 38m49.787s !!! Загрузка может прерываться, надо повторять команду !!! | ||
+ | .. | ||
+ | </code> | ||
+ | |||
+ | ==== Установка через docker-compose ==== | ||
+ | |||
+ | * [[https://docs.gitlab.com/ee/install/docker.html#install-gitlab-using-docker-compose|Install GitLab using Docker Compose]] | ||
+ | * [[Технология Docker]] | ||
+ | * [[Технология Docker#docker-compose]] | ||
+ | |||
+ | <code> | ||
+ | # cat docker-compose.yml | ||
+ | </code><code> | ||
+ | version: '3.6' | ||
+ | services: | ||
+ | web: | ||
+ | image: 'gitlab/gitlab-ce:latest' | ||
+ | # image: 'gitlab/gitlab-ce:16.7.4-ce.0' | ||
+ | restart: always | ||
+ | hostname: 'server.corpX.un' | ||
+ | environment: | ||
+ | GITLAB_ROOT_PASSWORD: "strongpassword" | ||
+ | GITLAB_OMNIBUS_CONFIG: | | ||
+ | prometheus_monitoring['enable'] = false | ||
+ | gitlab_rails['registry_enabled'] = true | ||
+ | gitlab_rails['registry_host'] = "server.corpX.un" | ||
+ | external_url 'http://server.corpX.un' | ||
+ | registry_external_url 'http://server.corpX.un' | ||
+ | gitlab_rails['registry_port'] = "5000" | ||
+ | registry['registry_http_addr'] = "server.corpX.un:5000" | ||
+ | # external_url 'https://server.corpX.un' | ||
+ | # registry_external_url 'https://server.corpX.un:5000' | ||
+ | # gitlab_rails['registry_port'] = "5050" | ||
+ | # registry['registry_http_addr'] = "server.corpX.un:5050" | ||
+ | ports: | ||
+ | - '80:80' | ||
+ | # - '443:443' | ||
+ | - '2222:22' | ||
+ | - '5000:5000' | ||
+ | volumes: | ||
+ | - '/etc/gitlab:/etc/gitlab' | ||
+ | - '/srv/gitlab/logs:/var/log/gitlab' | ||
+ | - '/srv/gitlab/data:/var/opt/gitlab' | ||
+ | shm_size: '256m' | ||
+ | </code><code> | ||
+ | # ### cat /etc/gitlab/ssl/gitlab.bmstu.ru.{crt,key} | ||
+ | |||
+ | # docker-compose up -d | ||
+ | |||
+ | # docker logs root_web_1 -n 10 -f | ||
+ | |||
+ | ### docker-compose stop | ||
+ | ### rm -r /srv/gitlab/ /etc/gitlab/ | ||
+ | </code> | ||
+ | |||
+ | ===== Подключение ===== | ||
+ | |||
+ | ==== Подключение к Web интерфейсу ===== | ||
+ | |||
+ | * http://server.corpX.un/ | ||
+ | |||
+ | ==== Подключение через API ==== | ||
+ | |||
+ | * Токен доступа: Settings -> Access Tokens ([[https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html|Project access tokens]]), в примере достаточно role: Reporter, Scopes: api | ||
+ | * Номер проекта: Settings -> General ([[https://stackoverflow.com/questions/39559689/where-do-i-find-the-project-id-for-the-gitlab-api|Where do I find the project ID for the GitLab API?]]) | ||
+ | * [[https://stackoverflow.com/questions/56943327/how-to-download-a-single-file-from-gitlab|How to download a single file from GitLab?]] | ||
+ | |||
+ | <code> | ||
+ | root@node1,2,3:~# curl "http://server.corpX.un/api/v4/projects/2/repository/files/docker-compose.yml/raw?ref=master" | tee docker-compose.yml | ||
+ | |||
+ | или, для НЕ публичных проектов | ||
+ | root@node1,2,3:~# curl --header "PRIVATE-TOKEN: NNNNNNNNNNNNNNNNNNNNN" "http://server.corpX.un/api/v4/projects/4/repository/files/docker-compose.yml/raw?ref=master" | tee docker-compose.yml | ||
+ | </code> | ||
+ | |||
+ | * [[Сервис Ansible#ansible-pull]] | ||
+ | |||
+ | <code> | ||
+ | client1:~/ansible-pull-gpo# cat readme.md | ||
+ | </code><code> | ||
+ | sudo -i | ||
+ | |||
+ | export BR=main; bash <(curl -s http://gate.corp13.un/api/v4/projects/1/repository/files/start.sh/raw?ref=$BR) | ||
+ | </code> | ||
+ | ===== Настройка ===== | ||
+ | |||
+ | ==== Файл конфигурации ==== | ||
+ | <code> | ||
+ | # cat /etc/gitlab/gitlab.rb | ||
+ | </code><code> | ||
+ | ... | ||
+ | external_url 'http://server.corpX.un' | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | ==== Проверка конфигурации и перезапуск ==== | ||
+ | |||
+ | <code> | ||
+ | ### docker exec -it root_web_1 bash | ||
+ | |||
+ | # gitlab-ctl show-config | ||
+ | |||
+ | # time gitlab-ctl reconfigure | ||
+ | ... | ||
+ | real 2m34.726s | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | ==== GitLab Docker Registry ==== | ||
+ | |||
+ | * [[https://docs.gitlab.com/ee/administration/packages/container_registry.html|The Container Registry is automatically enabled and available on your GitLab domain, port 5050 if you’re using the built-in Let’s Encrypt integration]] | ||
+ | * [[https://sysadmintalks.ru/insecure-gitlab-registry/|Настройка работы Gitlab с registry без ssl - Sysadmin]] | ||
+ | <code> | ||
+ | # cat /etc/gitlab/gitlab.rb | ||
+ | </code><code> | ||
+ | ... | ||
+ | registry_external_url 'http://server.corpX.un' | ||
+ | gitlab_rails['registry_enabled'] = true | ||
+ | gitlab_rails['registry_host'] = "server.corpX.un" | ||
+ | gitlab_rails['registry_port'] = "5000" | ||
+ | registry['registry_http_addr'] = "server.corpX.un:5000" | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | * [[#Проверка конфигурации и перезапуск]] | ||
+ | ==== GitLab Grafana ==== | ||
+ | <code> | ||
+ | # cat /etc/gitlab/gitlab.rb | ||
+ | </code><code> | ||
+ | ... | ||
+ | grafana['http_addr'] = '0.0.0.0' | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | * [[#Проверка конфигурации и перезапуск]] | ||
+ | ==== GitLab Prometheus ==== | ||
+ | |||
+ | <code> | ||
+ | # cat /etc/gitlab/gitlab.rb | ||
+ | </code><code> | ||
+ | ... | ||
+ | prometheus_monitoring['enable'] = false | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | * [[#Проверка конфигурации и перезапуск]] | ||
+ | |||
+ | <code> | ||
+ | # time rm -rf /var/opt/gitlab/prometheus/data/* | ||
+ | </code> | ||
+ | |||
+ | ==== Включение TLS ==== | ||
+ | * [[https://docs.gitlab.com/omnibus/settings/ssl.html#configure-https-manually|Configure HTTPS manually]] | ||
* [[https://www.techbeatly.com/configure-custom-ssl-to-secure-gitlab-server/|Configure Custom SSL to Secure GitLab Server]] | * [[https://www.techbeatly.com/configure-custom-ssl-to-secure-gitlab-server/|Configure Custom SSL to Secure GitLab Server]] | ||
- | ===== Управление пользователями ===== | + | <code> |
+ | mkdir /etc/gitlab/ssl/ | ||
+ | |||
+ | cp wild.crt -v /etc/gitlab/ssl/$(hostname).crt | ||
+ | cp wild.key -v /etc/gitlab/ssl/$(hostname).key | ||
+ | |||
+ | # cat /etc/gitlab/gitlab.rb | ||
+ | </code><code> | ||
+ | ... | ||
+ | external_url 'https://server.corpX.un' | ||
+ | ... | ||
+ | # nginx['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}.crt" | ||
+ | # nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key" | ||
+ | ... | ||
+ | letsencrypt['enable'] = false | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | * [[#Проверка конфигурации и перезапуск]] | ||
+ | |||
+ | ==== Управление пользователями ==== | ||
+ | |||
+ | === Внутренние пользователи === | ||
+ | |||
+ | * Username - login, Name - ФИО | ||
+ | |||
+ | <code> | ||
+ | # cat /etc/gitlab/initial_root_password | ||
+ | </code> | ||
+ | |||
+ | * [[https://stackoverflow.com/questions/60062065/gitlab-initial-root-password|gitlab initial root password reset]] | ||
+ | |||
+ | <code> | ||
+ | # gitlab-rake "gitlab:password:reset[root]" | ||
+ | </code> | ||
- | ==== Использование LDAP ==== | + | === Использование LDAP === |
+ | * [[https://docs.gitlab.com/ee/administration/auth/ldap/index.html|Integrate LDAP with GitLab]] | ||
* [[Установка и настройка OpenLDAP]] | * [[Установка и настройка OpenLDAP]] | ||
* [[Хранение учетных записей UNIX в LDAP]] !!! с атрибутом почты и паролем | * [[Хранение учетных записей UNIX в LDAP]] !!! с атрибутом почты и паролем | ||
Line 27: | Line 247: | ||
label: 'LDAP' | label: 'LDAP' | ||
host: 'server.corpX.un' | host: 'server.corpX.un' | ||
+ | # host: 'server2.corpX.un' | ||
port: 389 | port: 389 | ||
- | uid: 'uid' | + | # uid: 'uid' |
- | bind_dn: 'cn=admin,dc=corpX,dc=un' | + | uid: 'sAMAccountName' |
- | password: 'secret' | + | # bind_dn: 'cn=admin,dc=corpX,dc=un' |
+ | # password: 'secret' | ||
+ | bind_dn: 'cn=Administrator,cn=Users,dc=corpX,dc=un' | ||
+ | password: 'Pa$$w0rd' | ||
encryption: 'plain' | encryption: 'plain' | ||
- | active_directory: false | + | # active_directory: false |
- | base: 'ou=People,dc=corpX,dc=un' | + | active_directory: true |
+ | base: 'dc=corpX,dc=un' | ||
+ | EOS | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | * [[#Проверка конфигурации и перезапуск]] | ||
+ | ===== GitLab Runner ===== | ||
+ | |||
+ | ==== Установка из пакета ==== | ||
+ | |||
+ | * [[https://docs.gitlab.com/runner/install/linux-manually.html|Install GitLab Runner manually on GNU/Linux]] | ||
+ | * [[https://val.bmstu.ru/unix/Git/gitlab-runner_amd64.deb]] (15.0.0) | ||
+ | |||
+ | <code> | ||
+ | # wget http://gate.isp.un/unix/Git/gitlab-runner_amd64.deb | ||
+ | |||
+ | ##2 часа## curl -LJO "https://gitlab-runner-downloads.s3.amazonaws.com/latest/deb/gitlab-runner_amd64.deb" | ||
+ | |||
+ | # dpkg -i gitlab-runner_amd64.deb | ||
+ | </code> | ||
+ | ==== Регистрация ==== | ||
+ | <code> | ||
+ | # gitlab-runner register --help | ||
+ | |||
+ | # export CI_SERVER_URL=http://server.corpX.un | ||
+ | |||
+ | # gitlab-runner register | ||
+ | ... | ||
+ | Enter the GitLab instance URL: http://server.corpX.un | ||
+ | Enter the registration token: ... | ||
+ | ... | ||
+ | Enter tags for the runner: dhcptest, dhcpdeploy | ||
+ | или | ||
+ | Enter tags for the runner: openvpn1deploy | ||
+ | ... | ||
+ | Enter an executor: shell | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | или | ||
+ | |||
+ | <code> | ||
+ | # gitlab-runner register -n --executor "shell" -u http://server.corpX.un -r "NNNNNNNNNNNNNNNNNNNNNNNNNNNN" | ||
+ | </code> | ||
+ | |||
+ | Перезапускать не нужно | ||
+ | |||
+ | <code> | ||
+ | # cat /etc/gitlab-runner/config.toml | ||
+ | log_level = "debug" | ||
... | ... | ||
</code><code> | </code><code> | ||
- | # gitlab-ctl reconfigure | + | # systemctl restart gitlab-runner |
+ | |||
+ | # gitlab-runner verify | ||
</code> | </code> | ||
- | ===== Сервер OAuth2 ===== | + | ==== Установка в виде контейнера ==== |
- | * !!! URL без финального "/" !!! | + | * [[https://habr.com/ru/companies/cloud4y/articles/710782/|Использование Docker in Docker в GitLab]] |
<code> | <code> | ||
- | Admin Area-> Applications-> val-auth-test | + | gate:~### docker stop gitlab-runner; docker rm gitlab-runner |
- | Callback URL: https://val.bmstu.ru/auth-test | + | gate:~### rm /srv/gitlab-runner/config/config.toml |
- | Trusted: Yes | + | |
+ | gate:~# docker run -d --name gitlab-runner --restart always \ | ||
+ | -v /srv/gitlab-runner/config:/etc/gitlab-runner \ | ||
+ | -v /var/run/docker.sock:/var/run/docker.sock \ | ||
+ | gitlab/gitlab-runner:latest | ||
</code> | </code> | ||
+ | |||
+ | === Регистрация DooD === | ||
+ | |||
+ | * Включаем Docker [[Технология Docker#Insecure Private Registry]] | ||
+ | |||
+ | <code> | ||
+ | gate:~# docker run --rm -v /srv/gitlab-runner/config:/etc/gitlab-runner gitlab/gitlab-runner register \ | ||
+ | --non-interactive \ | ||
+ | --url "http://server.corpX.un/" \ | ||
+ | --registration-token "NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN" \ | ||
+ | --executor "docker" \ | ||
+ | --docker-image "docker:stable" \ | ||
+ | --docker-volumes /var/run/docker.sock:/var/run/docker.sock \ | ||
+ | --description "dood-runner" | ||
+ | </code> | ||
+ | |||
+ | === Регистрация DinD === | ||
+ | |||
+ | * Можно отключить Docker [[Технология Docker#Insecure Private Registry]] | ||
+ | |||
+ | <code> | ||
+ | gate:~# docker run --rm -v /srv/gitlab-runner/config:/etc/gitlab-runner gitlab/gitlab-runner register \ | ||
+ | --non-interactive \ | ||
+ | --url "http://server.corpX.un/" \ | ||
+ | --registration-token "NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN" \ | ||
+ | --executor "docker" \ | ||
+ | --docker-image "docker:stable" \ | ||
+ | --docker-privileged \ | ||
+ | --description "dind-runner" | ||
+ | </code><code> | ||
+ | gate:~# docker volume ls | ||
+ | |||
+ | gate:~# docker volume inspect ... | ||
+ | </code> | ||
+ | |||
+ | |||
+ | ===== GitLab CI/CD ===== | ||
+ | |||
+ | * [[https://docs.gitlab.com/ee/ci/examples/#cicd-templates|CI/CD templates]] | ||
+ | * [[https://medium.com/@ryzmen/gitlab-fast-pipelines-stages-jobs-c51c829b9aa1|GitLab: understanding pipelines, stages, jobs and organising them efficiently for speed and feedback loop]] | ||
+ | * [[https://stackoverflow.com/questions/64725914/how-to-disable-auto-pipelines-in-gitlab|How to disable auto pipelines in gitlab]] | ||
+ | |||
+ | ==== Пример shell make ==== | ||
+ | |||
+ | <code> | ||
+ | IDE GitLab->New File: .gitlab-ci.yml | ||
+ | |||
+ | или | ||
+ | |||
+ | CI/CD -> Editor -> Configure Pipelines | ||
+ | |||
+ | или | ||
+ | |||
+ | Build -> Pipeline editor -> Configure Pipelines | ||
+ | </code><code> | ||
+ | #stages: | ||
+ | # - build | ||
+ | # - test | ||
+ | # - deploy | ||
+ | |||
+ | test1-job: | ||
+ | stage: test | ||
+ | script: | ||
+ | - echo $(date) "Do test dhcpd" >> /tmp/Bash.gitlab-ci.log | ||
+ | - make test | ||
+ | tags: | ||
+ | - dhcptest | ||
+ | |||
+ | deploy1-job: | ||
+ | stage: deploy | ||
+ | script: | ||
+ | - echo $(date) "Do deploy dhcpd" >> /tmp/Bash.gitlab-ci.log | ||
+ | - sudo make install | ||
+ | tags: | ||
+ | - dhcpdeploy | ||
+ | </code> | ||
+ | |||
+ | ==== Пример shell ansible ==== | ||
+ | |||
+ | * [[https://asyncdrink.com/blog/gitlab-ci-limit-branch|Limit Gitlab CI pipelines to specific branches]] | ||
+ | * [[https://stackoverflow.com/questions/52169219/get-branch-name-in-gitlab-ci|Get Branch name in gitlab ci]] | ||
+ | |||
+ | <code> | ||
+ | Administrator@Ra-master ~/openvpn1 (test) | ||
+ | λ touch .gitlab-ci.yml | ||
+ | или | ||
+ | Build -> Pipeline editor -> Configure Pipelines | ||
+ | </code><code> | ||
+ | deploy_test: | ||
+ | stage: deploy | ||
+ | script: | ||
+ | - echo $(date) "Deploy TEST openvpn1" >> /tmp/Bash.gitlab-ci.log | ||
+ | - ansible-playbook openvpn1.yaml -i inventory.yaml -e "variable_host=test_nodes" | ||
+ | tags: | ||
+ | - openvpn1deploy | ||
+ | only: | ||
+ | - test | ||
+ | |||
+ | deploy_prod: | ||
+ | stage: deploy | ||
+ | script: | ||
+ | - echo $(date) "Deploy PROD openvpn1" >> /tmp/Bash.gitlab-ci.log | ||
+ | - ansible-playbook openvpn1.yaml -i inventory.yaml | ||
+ | tags: | ||
+ | - openvpn1deploy | ||
+ | only: | ||
+ | # - master | ||
+ | # - main | ||
+ | </code> | ||
+ | |||
+ | ==== Пример shell docker ==== | ||
+ | |||
+ | * Технология Docker [[Технология Docker#Предоставление прав непривилегированным пользователям]] | ||
+ | |||
+ | * [[https://docs.gitlab.com/ee/ci/docker/using_docker_build.html|Use Docker to build Docker images]] | ||
+ | * [[https://docs.gitlab.com/ee/ci/variables/predefined_variables.html|Predefined variables reference]] | ||
+ | * [[https://docs.gitlab.com/ee/ci/variables/#add-a-cicd-variable-to-a-project|Add a CI/CD variable to a project]] | ||
+ | |||
+ | |||
+ | <code> | ||
+ | # Надо назначить в GitLab (Settings -> CI/CD -> Variables) | ||
+ | export MY_CI_REGISTRY=server.corpX.un:5000 | ||
+ | export MY_CI_REGISTRY_IMAGE=student/webd | ||
+ | # Можно использовать встроенные CI_REGISTRY и CI_REGISTRY_IMAGE | ||
+ | # поскольку используем этот же проект GitLab как registry | ||
+ | |||
+ | # в GitLab будет устанавлено автоматически | ||
+ | export CI_COMMIT_MESSAGE="ver 1.2" | ||
+ | </code> | ||
+ | |||
+ | <code> | ||
+ | gitlab-runner@server:~/webd$ cat build.sh | ||
+ | </code><code> | ||
+ | #!/bin/sh | ||
+ | |||
+ | VER="$(echo $CI_COMMIT_MESSAGE | sed 's/[^a-zA-Z0-9\.]//g')" | ||
+ | |||
+ | # need only one time | ||
+ | # docker login -u $MY_CI_REGISTRY_USER -p $MY_CI_REGISTRY_PASSWORD $MY_CI_REGISTRY | ||
+ | # docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY | ||
+ | |||
+ | docker build -t webd webd | ||
+ | #docker build --no-cache -t webd webd | ||
+ | |||
+ | docker tag webd $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE:$VER | ||
+ | docker tag webd $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE | ||
+ | #docker tag webd $CI_REGISTRY_IMAGE:$VER | ||
+ | #docker tag webd $CI_REGISTRY_IMAGE | ||
+ | |||
+ | # previously need: docker login ... | ||
+ | |||
+ | docker push $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE:$VER | ||
+ | docker push $MY_CI_REGISTRY/$MY_CI_REGISTRY_IMAGE | ||
+ | #docker push $CI_REGISTRY_IMAGE:$VER | ||
+ | #docker push $CI_REGISTRY_IMAGE | ||
+ | </code><code> | ||
+ | gitlab-runner@server:~/webd$ cat .gitlab-ci.yml | ||
+ | </code><code> | ||
+ | stages: | ||
+ | - lintertest | ||
+ | - build | ||
+ | # - deploy | ||
+ | |||
+ | lintertest1: | ||
+ | stage: lintertest | ||
+ | script: | ||
+ | - echo $(date) "Do a test webd here" >> /tmp/Bash.gitlab-ci.log | ||
+ | - shellcheck webd/webd | ||
+ | tags: | ||
+ | - shellcheck | ||
+ | |||
+ | build1: | ||
+ | stage: build | ||
+ | script: | ||
+ | - echo $(date) "Do a build webd here" >> /tmp/Bash.gitlab-ci.log | ||
+ | # - env | tee /tmp/Bash.gitlab-ci.log | ||
+ | - sh build.sh | ||
+ | tags: | ||
+ | - webdbuild | ||
+ | |||
+ | #deploy1: | ||
+ | # stage: deploy | ||
+ | # script: | ||
+ | # - echo $(date) "Do your deploy webd to k8s here" >> /tmp/Bash.gitlab-ci.log | ||
+ | # - sh deploy.sh | ||
+ | # tags: | ||
+ | # - webddeploy | ||
+ | |||
+ | ### OR .gitlab-ci.yml for gowebd-k8s project running from another pipeline ### | ||
+ | |||
+ | #deploy1: | ||
+ | # stage: deploy | ||
+ | # variables: | ||
+ | # HELM_NAMESPACE: "my-ns" | ||
+ | # rules: | ||
+ | # - if: '$CI_PIPELINE_SOURCE == "pipeline" && $VER' | ||
+ | # script: | ||
+ | # - env | ||
+ | # - envsubst < my-webd-deployment-env.yaml | kubectl apply -f - -n my-ns | ||
+ | # - helm upgrade -i my-webd webd-chart/ --set=image.tag=$VER --create-namespace | ||
+ | </code> | ||
+ | |||
+ | ==== Пример shell Kubernetes ==== | ||
+ | |||
+ | <code> | ||
+ | gitlab-runner@server:~/webd$ cp my-webd-deployment.yaml my-webd-deployment-env.yaml | ||
+ | или | ||
+ | gitlab-runner@server:~/gowebd-k8s$ scp root@node1:my-webd-deployment.yaml my-webd-deployment-env.yaml | ||
+ | |||
+ | gitlab-runner@server:~/webd$ cat my-webd-deployment-env.yaml | ||
+ | </code><code> | ||
+ | ... | ||
+ | image: server.corpX.un:5000/student/webd:$VER | ||
+ | ... | ||
+ | </code><code> | ||
+ | # в GitLab будет устанавлено автоматически | ||
+ | gitlab-runner@gate:~/webd$ export CI_COMMIT_MESSAGE="ver 1.2" | ||
+ | |||
+ | gitlab-runner@gate:~/webd$ cat deploy.sh | ||
+ | </code><code> | ||
+ | #!/bin/sh | ||
+ | |||
+ | #alias kubectl='minikube kubectl --' | ||
+ | |||
+ | kubectl apply -f my-webd-deployment.yaml -n my-ns | ||
+ | |||
+ | #export VER="$(echo $CI_COMMIT_MESSAGE | sed 's/[^a-zA-Z0-9\.]//g')" | ||
+ | |||
+ | #envsubst < my-webd-deployment-env.yaml | kubectl apply -f - -n my-ns | ||
+ | |||
+ | kubectl apply -f my-webd-service.yaml -n my-ns | ||
+ | |||
+ | |||
+ | #export HELM_NAMESPACE=my-ns | ||
+ | #helm upgrade --install my-webd webd-chart/ --set=image.tag=$VER --create-namespace | ||
+ | </code><code> | ||
+ | gitlab-runner@server:~/$ kubectl describe replicaset.apps/my-webd-NNNNNNNNNNN -n my-ns | ||
+ | </code> | ||
+ | ==== Пример CI с использованием контейнеров ==== | ||
+ | |||
+ | * [[https://akyriako.medium.com/build-golang-docker-images-with-gitlab-ci-pipelines-2117f8505350|Build Golang Docker images with GitLab CI Pipelines]] | ||
+ | * [[https://blog.callr.tech/building-docker-images-with-gitlab-ci-best-practices/|Best practices for building docker images with GitLab CI]] | ||
+ | |||
+ | * [[https://stackoverflow.com/questions/63693061/how-to-run-a-script-from-file-in-another-project-using-include-in-gitlab-ci|How to run a script from file in another project using include in GitLab CI?]] | ||
+ | * [[https://medium.com/@captain_sparrow/gitlab-%D1%82%D1%80%D0%B8%D0%B3%D0%B3%D0%B5%D1%80%D1%8B-%D0%B8-%D0%B4%D0%BB%D1%8F-%D0%BA%D0%B0%D0%BA%D0%B8%D1%85-%D1%82%D0%B5%D1%81%D1%82%D0%BE%D0%B2-%D0%B8%D1%85-%D1%81%D1%82%D0%BE%D0%B8%D1%82-%D0%B8%D1%81%D0%BF%D0%BE%D0%BB%D1%8C%D0%B7%D0%BE%D0%B2%D0%B0%D1%82%D1%8C-afa04f8c78a7|Gitlab триггеры и для каких тестов их стоит использовать?]] | ||
+ | |||
+ | * [[https://earthly.dev/blog/docker-vs-buildah-vs-kaniko/|Container Image Build Tools: Docker vs. Buildah vs. kaniko]] | ||
+ | * [[https://docs.gitlab.com/ee/ci/docker/using_kaniko.html|Use kaniko to build Docker images]] | ||
+ | * [[https://eng.d2iq.com/blog/a-tale-of-two-container-image-tools-skopeo-and-crane/|A Tale of Two Container Image Tools: Skopeo and Crane]] | ||
+ | |||
+ | <code> | ||
+ | student@client1:~/gowebd$ cat .gitlab-ci.yml | ||
+ | </code><code> | ||
+ | stages: | ||
+ | - build | ||
+ | - push | ||
+ | # - deploy | ||
+ | |||
+ | #variables: | ||
+ | # DOCKER_TLS_CERTDIR: "" | ||
+ | |||
+ | #services: | ||
+ | # - name: docker:dind | ||
+ | # command: | ||
+ | # [ | ||
+ | # '--insecure-registry=server.corpX.un:5000', | ||
+ | # ] | ||
+ | |||
+ | before_script: | ||
+ | - env | ||
+ | # - docker info | ||
+ | - echo -n $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY | ||
+ | |||
+ | Build: | ||
+ | stage: build | ||
+ | # image: | ||
+ | # name: gcr.io/kaniko-project/executor:v1.9.0-debug | ||
+ | # entrypoint: [""] | ||
+ | script: | ||
+ | - docker pull $CI_REGISTRY_IMAGE:latest || true | ||
+ | - > | ||
+ | docker build | ||
+ | --pull | ||
+ | --cache-from $CI_REGISTRY_IMAGE:latest | ||
+ | --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA | ||
+ | . | ||
+ | - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA | ||
+ | |||
+ | # - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"},\"$CI_DEPENDENCY_PROXY_SERVER\":{\"auth\":\"$(printf "%s:%s" ${CI_DEPENDENCY_PROXY_USER} "${CI_DEPENDENCY_PROXY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json | ||
+ | # - /kaniko/executor | ||
+ | # --insecure --skip-tls-verify | ||
+ | # --context "${CI_PROJECT_DIR}" | ||
+ | # --dockerfile "${CI_PROJECT_DIR}/Dockerfile" | ||
+ | # --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}" | ||
+ | |||
+ | Push latest: | ||
+ | # image: | ||
+ | # name: gcr.io/go-containerregistry/crane:debug | ||
+ | # entrypoint: [""] | ||
+ | variables: | ||
+ | GIT_STRATEGY: none | ||
+ | stage: push | ||
+ | only: | ||
+ | - main | ||
+ | script: | ||
+ | - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA | ||
+ | - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest | ||
+ | - docker push $CI_REGISTRY_IMAGE:latest | ||
+ | |||
+ | # - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY | ||
+ | # - crane --insecure cp $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest | ||
+ | |||
+ | Push tag: | ||
+ | # image: | ||
+ | # name: gcr.io/go-containerregistry/crane:debug | ||
+ | # entrypoint: [""] | ||
+ | variables: | ||
+ | GIT_STRATEGY: none | ||
+ | stage: push | ||
+ | only: | ||
+ | - tags | ||
+ | script: | ||
+ | - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA | ||
+ | - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME | ||
+ | - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME | ||
+ | |||
+ | # - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY | ||
+ | # - crane --insecure cp $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME | ||
+ | |||
+ | #Deploy: | ||
+ | # variables: | ||
+ | # VER: "$CI_COMMIT_REF_NAME" | ||
+ | # stage: deploy | ||
+ | # only: | ||
+ | # - tags | ||
+ | # trigger: | ||
+ | # project: student/gowebd-k8s | ||
+ | </code> | ||
+ | ===== Сервер OpenID ===== | ||
+ | |||
+ | * [[https://github.com/zmartzone/mod_auth_openidc/wiki/GitLab-OAuth2]] | ||
+ | * [[Сервис HTTP#Управление доступом к HTTP серверу с использованием OpenID аутентификации]] | ||
+ | * Admin Area-> Applications | ||
+ | |||
+ | <code> | ||
+ | Name: test-cgi | ||
+ | Redirect URI: http://gate.corp13.un/cgi-bin/test-cgi !!! Если URL каталога, то без финального "/" !!! | ||
+ | Trusted: Yes | ||
+ | Confidential: Yes | ||
+ | Scopes: openid | ||
+ | |||
+ | Application ID: ... | ||
+ | Secret: ... | ||
+ | Callback URL = Redirect URI | ||
+ | </code> | ||
+ | |||
+ | ===== Клиент OpenID ===== | ||
+ | |||
+ | * [[https://docs.gitlab.com/ee/administration/auth/oidc.html|You can use GitLab as a client application with OpenID Connect as an OmniAuth provider]] | ||
+ | * [[https://gitlab.com/gitlab-org/gitlab/-/issues/196193|use self-signed to integate gitlab with keycloak but see error: certificate verify failed (self signed certificate))]] | ||
+ | * [[https://forum.gitlab.com/t/using-keycloak-as-sso-for-gitlab-with-pre-existing-users-no-autocreate/67833|Using Keycloak as SSO for Gitlab with pre-existing users (no autocreate)]] | ||
+ | |||
+ | <code> | ||
+ | # cp server.crt /etc/gitlab/trusted-certs/ | ||
+ | или | ||
+ | # cp ca.crt /etc/gitlab/trusted-certs/ | ||
+ | |||
+ | # cat /etc/gitlab/gitlab.rb | ||
+ | </code><code> | ||
+ | ... | ||
+ | gitlab_rails['omniauth_providers'] = [ | ||
+ | { | ||
+ | name: "openid_connect", # do not change this parameter | ||
+ | label: "Keycloak", # optional label for login button, defaults to "Openid Connect" | ||
+ | args: { | ||
+ | name: "openid_connect", | ||
+ | scope: ["openid", "profile", "email"], | ||
+ | response_type: "code", | ||
+ | # issuer: "https://keycloak.example.com/realms/myrealm", | ||
+ | issuer: "https://keycloak.corpX.un/realms/corpX", | ||
+ | client_auth_method: "query", | ||
+ | discovery: true, | ||
+ | uid_field: "preferred_username", | ||
+ | pkce: true, | ||
+ | client_options: { | ||
+ | # identifier: "<YOUR CLIENT ID>", | ||
+ | identifier: "any-client", | ||
+ | # secret: "<YOUR CLIENT SECRET>", | ||
+ | secret: "anystring", | ||
+ | # redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback" | ||
+ | redirect_uri: "https://gate.corpX.un/users/auth/openid_connect/callback" | ||
+ | } | ||
+ | } | ||
+ | } | ||
+ | ] | ||
+ | ... | ||
+ | </code> | ||
+ | |||
+ | * [[#Проверка конфигурации и перезапуск]] | ||
+ | * User -> Profile -> Account -> Select a service to sign in with -> Keycloak | ||
+ |
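Review bot: The rewritten LDAP block in the "Line 27" hunk binds GitLab as the directory's built-in administrator (`bind_dn: 'cn=Administrator,cn=Users,dc=corpX,dc=un'`, `password: 'Pa$$w0rd'`) while keeping `encryption: 'plain'` on port 389, so a domain-admin credential sits in clear text in gitlab.rb and crosses the network unencrypted on every login; a dedicated read-only bind account should be used and the transport changed to `encryption: 'simple_tls'` with `port: 636` (or `'start_tls'` on 389) together with `verify_certificates: true`. The same pattern of leaking secrets recurs in the new `build.sh` of the "Пример shell docker" section, where the commented `docker login -u $MY_CI_REGISTRY_USER -p $MY_CI_REGISTRY_PASSWORD $MY_CI_REGISTRY` puts the password into process listings and shell history, whereas the later `.gitlab-ci.yml` already does it correctly; the line should read `echo -n "$MY_CI_REGISTRY_PASSWORD" | docker login -u "$MY_CI_REGISTRY_USER" --password-stdin "$MY_CI_REGISTRY"`. The runner sections mount `/var/run/docker.sock` into the runner container and register a `--docker-privileged` DinD runner, and either one hands every job that reaches that runner full control of the host's Docker daemon, so the page should state that such runners must be restricted to trusted projects and protected branches rather than registered as shared. Finally, the ansible-pull example runs `bash <(curl -s http://gate.corp13.un/api/v4/projects/1/repository/files/start.sh/raw?ref=$BR)` as root from an unauthenticated plain-HTTP URL, and the docker-compose example stores `GITLAB_ROOT_PASSWORD: "strongpassword"` in the compose file; a one-line caveat at each place (fetch only over the HTTPS `external_url`, keep the root password out of files that are committed or world-readable) would close both.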