инструмент_gitlab

инструмент_gitlab [2022/06/07 14:00]
val [Установка]
инструмент_gitlab [2024/03/12 16:25] (current)
val [Регистрация]
Line 1: Line 1:
 ====== Инструмент GitLab ====== ====== Инструмент GitLab ======
 +
 +  * [[https://​ru.wikipedia.org/​wiki/​GitLab - Википедия]]
  
   * [[https://​youtu.be/​n_21ya2MoKg|Youtube. RomNero. GitLab. Devops система]]   * [[https://​youtu.be/​n_21ya2MoKg|Youtube. RomNero. GitLab. Devops система]]
Line 5: Line 7:
  
 ===== Установка ===== ===== Установка =====
 +
 +  * RAM от 4Gb
 +
 +==== Если нужен почтовый сервер ====
 +
 +<​code>​
 +server# time ansible-playbook conf/​ansible/​roles/​mail.yml
 +real    2m57.922s
 +
 +# cat /​etc/​apache2/​ports.conf
 +</​code><​code>​
 +...
 +Listen 81
 +...
 +</​code><​code>​
 +server# service apache2 restart
 +</​code><​code>​
 +http://​server.corpX.un:​81/​mail/​
 +</​code>​
 +
 +==== Установка из репозитория ====
  
   * [[https://​about.gitlab.com/​install/​|Install self-managed GitLab]]   * [[https://​about.gitlab.com/​install/​|Install self-managed GitLab]]
   * Доступно из РФ: [[https://​packages.gitlab.com/​gitlab/​gitlab-ce]]   * Доступно из РФ: [[https://​packages.gitlab.com/​gitlab/​gitlab-ce]]
 +  * [[http://​gate.isp.un/​unix/​Git/​gitlab-ce_16.3.3-ce.0_amd64.deb]]
 +
 +<​code>​
 +server# apt-get install -y curl ca-certificates perl
 +
 +server# curl https://​packages.gitlab.com/​install/​repositories/​gitlab/​gitlab-ce/​script.deb.sh | bash
 +
 +server# time EXTERNAL_URL="​http://​server.corpX.un"​ apt-get install gitlab-ce
 +...
 +real    38m49.787s ​ !!! Загрузка может прерываться,​ надо повторять команду !!!
 +..
 +</​code>​
 +
 +==== Установка через docker-compose ====
 +
 +  * [[https://​docs.gitlab.com/​ee/​install/​docker.html#​install-gitlab-using-docker-compose|Install GitLab using Docker Compose]]
 +  * [[Технология Docker]]
 +  * [[Технология Docker#​docker-compose]]
 +
 +<​code>​
 +# cat docker-compose.yml
 +</​code><​code>​
 +version: '​3.6'​
 +services:
 +  web:
 +    image: '​gitlab/​gitlab-ce:​latest'​
 +#    image: '​gitlab/​gitlab-ce:​16.7.4-ce.0'​
 +    restart: always
 +    hostname: '​server.corpX.un'​
 +    environment:​
 +      GITLAB_ROOT_PASSWORD:​ "​strongpassword"​
 +      GITLAB_OMNIBUS_CONFIG:​ |
 +        prometheus_monitoring['​enable'​] = false
 +        gitlab_rails['​registry_enabled'​] = true
 +        gitlab_rails['​registry_host'​] = "​server.corpX.un"​
 +        external_url '​http://​server.corpX.un'​
 +        registry_external_url '​http://​server.corpX.un'​
 +        gitlab_rails['​registry_port'​] = "​5000"​
 +        registry['​registry_http_addr'​] = "​server.corpX.un:​5000"​
 +#        external_url '​https://​server.corpX.un'​
 +#        registry_external_url '​https://​server.corpX.un:​5000'​
 +#        gitlab_rails['​registry_port'​] = "​5050"​
 +#        registry['​registry_http_addr'​] = "​server.corpX.un:​5050"​
 +    ports:
 +      - '​80:​80'​
 +#      - '​443:​443'​
 +      - '​2222:​22'​
 +      - '​5000:​5000'​
 +    volumes:
 +      - '/​etc/​gitlab:/​etc/​gitlab'​
 +      - '/​srv/​gitlab/​logs:/​var/​log/​gitlab'​
 +      - '/​srv/​gitlab/​data:/​var/​opt/​gitlab'​
 +    shm_size: '​256m'​
 +</​code><​code>​
 +# ### cat /​etc/​gitlab/​ssl/​gitlab.bmstu.ru.{crt,​key}
 +
 +# docker-compose up -d
 +
 +# docker logs root_web_1 -n 10 -f
 +
 +### docker-compose stop
 +### rm -r /​srv/​gitlab/​ /​etc/​gitlab/​
 +</​code>​
 +
 +===== Подключение =====
 +
 +==== Подключение к Web интерфейсу =====
 +
 +  * http://​server.corpX.un/​
 +
 +==== Подключение через API ====
 +
 +  * Токен доступа:​ Settings -> Access Tokens ([[https://​docs.gitlab.com/​ee/​user/​project/​settings/​project_access_tokens.html|Project access tokens]]), в примере достаточно role: Reporter, Scopes: api
 +  * Номер проекта:​ Settings -> General ([[https://​stackoverflow.com/​questions/​39559689/​where-do-i-find-the-project-id-for-the-gitlab-api|Where do I find the project ID for the GitLab API?]])
 +  * [[https://​stackoverflow.com/​questions/​56943327/​how-to-download-a-single-file-from-gitlab|How to download a single file from GitLab?]]
 +
 +<​code>​
 +root@node1,​2,​3:​~#​ curl "​http://​server.corpX.un/​api/​v4/​projects/​2/​repository/​files/​docker-compose.yml/​raw?​ref=master"​ | tee docker-compose.yml
 +
 +  или, для НЕ публичных проектов
 +root@node1,​2,​3:​~#​ curl --header "​PRIVATE-TOKEN:​ NNNNNNNNNNNNNNNNNNNNN"​ "​http://​server.corpX.un/​api/​v4/​projects/​4/​repository/​files/​docker-compose.yml/​raw?​ref=master"​ | tee docker-compose.yml
 +</​code>​
 +
 +  * [[Сервис Ansible#​ansible-pull]]
 +
 +<​code>​
 +client1:​~/​ansible-pull-gpo#​ cat readme.md
 +</​code><​code>​
 +sudo -i
 +
 +export BR=main; bash <(curl -s http://​gate.corp13.un/​api/​v4/​projects/​1/​repository/​files/​start.sh/​raw?​ref=$BR)
 +</​code>​
 +===== Настройка =====
 +
 +==== Файл конфигурации ====
 +<​code>​
 +# cat /​etc/​gitlab/​gitlab.rb
 +</​code><​code>​
 +...
 +external_url '​http://​server.corpX.un'​
 +...
 +</​code>​
 +
 +==== Проверка конфигурации и перезапуск ====
 +
 +<​code>​
 +### docker exec -it root_web_1 bash
 +
 +# gitlab-ctl show-config
 +
 +# time gitlab-ctl reconfigure
 +...
 +real    2m34.726s
 +...
 +</​code>​
 +
 +==== GitLab Docker Registry ====
 +
 +  * [[https://​docs.gitlab.com/​ee/​administration/​packages/​container_registry.html|The Container Registry is automatically enabled and available on your GitLab domain, port 5050 if you’re using the built-in Let’s Encrypt integration]]
 +  * [[https://​sysadmintalks.ru/​insecure-gitlab-registry/​|Настройка работы Gitlab с registry без ssl - Sysadmin]]
 +<​code>​
 +# cat /​etc/​gitlab/​gitlab.rb
 +</​code><​code>​
 +...
 +registry_external_url '​http://​server.corpX.un'​
 +gitlab_rails['​registry_enabled'​] = true
 +gitlab_rails['​registry_host'​] = "​server.corpX.un"​
 +gitlab_rails['​registry_port'​] = "​5000"​
 +registry['​registry_http_addr'​] = "​server.corpX.un:​5000"​
 +...
 +</​code>​
 +
 +  * [[#​Проверка конфигурации и перезапуск]]
 +==== GitLab Grafana ====
 +<​code>​
 +# cat /​etc/​gitlab/​gitlab.rb
 +</​code><​code>​
 +...
 +grafana['​http_addr'​] = '​0.0.0.0'​
 +...
 +</​code>​
 +
 +  * [[#​Проверка конфигурации и перезапуск]]
 +==== GitLab Prometheus ====
 +
 +<​code>​
 +# cat /​etc/​gitlab/​gitlab.rb
 +</​code><​code>​
 +...
 +prometheus_monitoring['​enable'​] = false
 +...
 +</​code>​
 +
 +  * [[#​Проверка конфигурации и перезапуск]]
 +
 +<​code>​
 +# time rm -rf /​var/​opt/​gitlab/​prometheus/​data/​*
 +</​code>​
 +
 +==== Включение TLS ====
  
 +  * [[https://​docs.gitlab.com/​omnibus/​settings/​ssl.html#​configure-https-manually|Configure HTTPS manually]]
   * [[https://​www.techbeatly.com/​configure-custom-ssl-to-secure-gitlab-server/​|Configure Custom SSL to Secure GitLab Server]]   * [[https://​www.techbeatly.com/​configure-custom-ssl-to-secure-gitlab-server/​|Configure Custom SSL to Secure GitLab Server]]
  
-===== Управление пользователями =====+<​code>​ 
 +mkdir /​etc/​gitlab/​ssl/​ 
 + 
 +cp wild.crt -v /​etc/​gitlab/​ssl/​$(hostname).crt 
 +cp wild.key -v /​etc/​gitlab/​ssl/​$(hostname).key 
 + 
 +# cat /​etc/​gitlab/​gitlab.rb 
 +</​code><​code>​ 
 +... 
 +external_url '​https://​server.corpX.un'​ 
 +... 
 +# nginx['​ssl_certificate'​] ​"/​etc/​gitlab/​ssl/#​{node['​fqdn'​]}.crt"​ 
 +# nginx['​ssl_certificate_key'​] = "/​etc/​gitlab/​ssl/#​{node['​fqdn'​]}.key"​ 
 +... 
 +letsencrypt['​enable'​] = false 
 +... 
 +</​code>​ 
 + 
 +  * [[#​Проверка конфигурации и перезапуск]] 
 + 
 +==== Управление пользователями ==== 
 + 
 +=== Внутренние пользователи ​=== 
 + 
 +  * Username - login, Name - ФИО 
 + 
 +<​code>​ 
 +# cat /​etc/​gitlab/​initial_root_password 
 +</​code>​ 
 + 
 +  * [[https://​stackoverflow.com/​questions/​60062065/​gitlab-initial-root-password|gitlab initial root password reset]] 
 + 
 +<​code>​ 
 +# gitlab-rake "​gitlab:​password:​reset[root]"​ 
 +</​code>​
  
-==== Использование LDAP ====+=== Использование LDAP ===
  
   * [[https://​docs.gitlab.com/​ee/​administration/​auth/​ldap/​index.html|Integrate LDAP with GitLab]]   * [[https://​docs.gitlab.com/​ee/​administration/​auth/​ldap/​index.html|Integrate LDAP with GitLab]]
Line 29: Line 247:
     label: '​LDAP'​     label: '​LDAP'​
     host: '​server.corpX.un'​     host: '​server.corpX.un'​
 +#    host: '​server2.corpX.un'​
     port: 389     port: 389
-#    ​port636 +#    ​uid'​uid'​ 
-    uid: 'uid+    uid: 'sAMAccountName
-    bind_dn: '​cn=admin,​dc=corpX,​dc=un'​ +   ​bind_dn:​ '​cn=admin,​dc=corpX,​dc=un'​ 
-    password: '​secret'​+   ​password:​ '​secret
 +    bind_dn: '​cn=Administrator,​cn=Users,​dc=corpX,​dc=un'​ 
 +    password: '​Pa$$w0rd'
     encryption: '​plain'​     encryption: '​plain'​
-#    ​encryption'​simple_tls'​ +#    ​active_directoryfalse 
-    active_directory: ​false +    active_directory: ​true 
-    base: 'ou=People,dc=corpX,​dc=un'​+    base: '​dc=corpX,​dc=un'​ 
 +EOS 
 +... 
 +</​code>​ 
 + 
 +  * [[#​Проверка конфигурации и перезапуск]] 
 +===== GitLab Runner ===== 
 + 
 +==== Установка из пакета ==== 
 + 
 +  * [[https://​docs.gitlab.com/​runner/​install/​linux-manually.html|Install GitLab Runner manually on GNU/​Linux]] 
 +  * [[https://​val.bmstu.ru/​unix/​Git/​gitlab-runner_amd64.deb]] (15.0.0)  
 + 
 +<​code>​ 
 +# apt install gitlab-runner ​  # достаточно для shell executor но не отображает команды ci/cd в gitlab 
 + 
 +или 
 + 
 +# wget http://​gate.isp.un/​unix/​Git/​gitlab-runner_amd64.deb 
 +##2 часа## curl -LJO "​https://​gitlab-runner-downloads.s3.amazonaws.com/​latest/​deb/​gitlab-runner_amd64.deb"​ 
 +# dpkg -i gitlab-runner_amd64.deb 
 +</​code>​ 
 +==== Регистрация ==== 
 +<​code>​ 
 +# gitlab-runner register --help 
 + 
 +# export CI_SERVER_URL=http://​server.corpX.un 
 + 
 +# gitlab-runner register 
 +... 
 +Enter the GitLab instance URL: http://​server.corpX.un 
 +Enter the registration token: ... 
 +... 
 +Enter tags for the runner: dhcptest, dhcpdeploy 
 +  или 
 +Enter tags for the runner: openvpn1deploy 
 +... 
 +Enter an executor: shell 
 +... 
 +</​code>​ 
 + 
 +или 
 + 
 +<​code>​ 
 +# gitlab-runner register -n --executor "​shell"​ -u http://​server.corpX.un -r "​NNNNNNNNNNNNNNNNNNNNNNNNNNNN"​ 
 +</​code>​ 
 + 
 +Перезапускать не нужно 
 + 
 +<​code>​ 
 +# cat /​etc/​gitlab-runner/​config.toml 
 +log_level = "​debug"​
 ... ...
 </​code><​code>​ </​code><​code>​
-# gitlab-ctl reconfigure+systemctl restart ​gitlab-runner 
 + 
 +# gitlab-runner verify
 </​code>​ </​code>​
  
-===== Сервер ​OAuth2 =====+==== Установка в виде контейнера ====
  
-  * !!! URL без финального "/"​ !!!+  * [[https://​habr.com/​ru/​companies/​cloud4y/​articles/​710782/​|Использование Docker in Docker в GitLab]]
  
 <​code>​ <​code>​
-Admin Area-> Applications-> val-auth-test +gate:~### docker stop gitlab-runner; docker rm gitlab-runner 
-  ​Callback URL: https://val.bmstu.ru/auth-test +gate:~### rm /srv/gitlab-runner/​config/​config.toml 
-  ​TrustedYes+ 
 +gate:~# docker run -d --name gitlab-runner --restart always \ 
 +  ​-v /​srv/​gitlab-runner/​config:/etc/gitlab-runner \ 
 +  -v /​var/​run/​docker.sock:/var/​run/​docker.sock \ 
 +  ​gitlab/​gitlab-runner:latest
 </​code>​ </​code>​
 +
 +=== Регистрация DooD ===
 +
 +  * Включаем Docker [[Технология Docker#​Insecure Private Registry]]
 +
 +<​code>​
 +gate:~# docker run --rm -v /​srv/​gitlab-runner/​config:/​etc/​gitlab-runner gitlab/​gitlab-runner register \
 +  --non-interactive \
 +  --url "​http://​server.corpX.un/"​ \
 +  --registration-token "​NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN"​ \
 +  --executor "​docker"​ \
 +  --docker-image "​docker:​stable"​ \
 +  --docker-volumes /​var/​run/​docker.sock:/​var/​run/​docker.sock \
 +  --description "​dood-runner"​
 +</​code>​
 +
 +=== Регистрация DinD ===
 +
 +  * Можно отключить Docker [[Технология Docker#​Insecure Private Registry]]
 +
 +<​code>​
 +gate:~# docker run --rm -v /​srv/​gitlab-runner/​config:/​etc/​gitlab-runner gitlab/​gitlab-runner register \
 +  --non-interactive \
 +  --url "​http://​server.corpX.un/"​ \
 +  --registration-token "​NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN"​ \
 +  --executor "​docker"​ \
 +  --docker-image "​docker:​stable"​ \
 +  --docker-privileged \
 +  --description "​dind-runner"​
 +</​code><​code>​
 +gate:~# docker volume ls
 +
 +gate:~# docker volume inspect ...
 +</​code>​
 +
 +
 +===== GitLab CI/CD =====
 +
 +  * [[https://​docs.gitlab.com/​ee/​ci/​examples/#​cicd-templates|CI/​CD templates]]
 +  * [[https://​medium.com/​@ryzmen/​gitlab-fast-pipelines-stages-jobs-c51c829b9aa1|GitLab:​ understanding pipelines, stages, jobs and organising them efficiently for speed and feedback loop]]
 +  * [[https://​stackoverflow.com/​questions/​64725914/​how-to-disable-auto-pipelines-in-gitlab|How to disable auto pipelines in gitlab]]
 +
 +==== Пример shell make ====
 +
 +<​code>​
 +IDE GitLab->​New File: .gitlab-ci.yml
 +
 +или
 +
 +CI/CD -> Editor -> Configure Pipelines
 +
 +или
 +
 +Build -> Pipeline editor -> Configure Pipelines
 +</​code><​code>​
 +#stages:
 +#  - build
 +#  - test
 +#  - deploy
 +
 +test1-job:
 +  stage: test
 +  script:
 +    - echo $(date) "Do test dhcpd" >> /​tmp/​Bash.gitlab-ci.log
 +    - make test
 +  tags:
 +    - dhcptest
 +
 +deploy1-job:​
 +  stage: deploy
 +  script:
 +    - echo $(date) "Do deploy dhcpd" >> /​tmp/​Bash.gitlab-ci.log
 +    - sudo make install
 +  tags:
 +    - dhcpdeploy
 +</​code>​
 +
 +==== Пример shell ansible ====
 +
 +  * [[https://​asyncdrink.com/​blog/​gitlab-ci-limit-branch|Limit Gitlab CI pipelines to specific branches]]
 +  * [[https://​stackoverflow.com/​questions/​52169219/​get-branch-name-in-gitlab-ci|Get Branch name in gitlab ci]]
 +
 +<​code>​
 +Administrator@Ra-master ~/openvpn1 (test)
 +λ touch .gitlab-ci.yml
 +  или
 +Build -> Pipeline editor -> Configure Pipelines
 +</​code><​code>​
 +deploy_test:​
 +  stage: deploy
 +  script:
 +    - echo $(date) "​Deploy TEST openvpn1"​ >> /​tmp/​Bash.gitlab-ci.log
 +    - ansible-playbook openvpn1.yaml -i inventory.yaml -e "​variable_host=test_nodes"​
 +  tags:
 +    - openvpn1deploy
 +  only:
 +    - test
 +
 +deploy_prod:​
 +  stage: deploy
 +  script:
 +    - echo $(date) "​Deploy PROD openvpn1"​ >> /​tmp/​Bash.gitlab-ci.log
 +    - ansible-playbook openvpn1.yaml -i inventory.yaml
 +  tags:
 +    - openvpn1deploy
 +  only:
 +#    - master
 +#    - main
 +</​code>​
 +
 +==== Пример shell docker ====
 +
 +  * Технология Docker [[Технология Docker#​Предоставление прав непривилегированным пользователям]]
 +
 +  * [[https://​docs.gitlab.com/​ee/​ci/​docker/​using_docker_build.html|Use Docker to build Docker images]]
 +  * [[https://​docs.gitlab.com/​ee/​ci/​variables/​predefined_variables.html|Predefined variables reference]]
 +  * [[https://​docs.gitlab.com/​ee/​ci/​variables/#​add-a-cicd-variable-to-a-project|Add a CI/CD variable to a project]]
 +
 +
 +<​code>​
 +# Надо назначить в GitLab (Settings -> CI/CD -> Variables)
 +export MY_CI_REGISTRY=server.corpX.un:​5000 ​
 +export MY_CI_REGISTRY_IMAGE=student/​webd
 +# Можно использовать встроенные CI_REGISTRY и CI_REGISTRY_IMAGE ​
 +# поскольку используем этот же проект GitLab как registry
 +
 +# в GitLab будет устанавлено автоматически
 +export CI_COMMIT_MESSAGE="​ver 1.2" ​  
 +</​code>​
 +
 +<​code>​
 +gitlab-runner@server:​~/​webd$ cat build.sh
 +</​code><​code>​
 +#!/bin/sh
 +
 +VER="​$(echo $CI_COMMIT_MESSAGE | sed '​s/​[^a-zA-Z0-9\.]//​g'​)"​
 +
 +# need only one time
 +# docker login -u $MY_CI_REGISTRY_USER -p $MY_CI_REGISTRY_PASSWORD $MY_CI_REGISTRY
 +# docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
 +
 +docker build -t webd webd
 +#docker build --no-cache -t webd webd
 +
 +docker tag webd $MY_CI_REGISTRY/​$MY_CI_REGISTRY_IMAGE:​$VER
 +docker tag webd $MY_CI_REGISTRY/​$MY_CI_REGISTRY_IMAGE
 +#docker tag webd $CI_REGISTRY_IMAGE:​$VER
 +#docker tag webd $CI_REGISTRY_IMAGE
 +
 +# previously need: docker login ...
 +
 +docker push $MY_CI_REGISTRY/​$MY_CI_REGISTRY_IMAGE:​$VER
 +docker push $MY_CI_REGISTRY/​$MY_CI_REGISTRY_IMAGE
 +#docker push $CI_REGISTRY_IMAGE:​$VER
 +#docker push $CI_REGISTRY_IMAGE
 +</​code><​code>​
 +gitlab-runner@server:​~/​webd$ cat .gitlab-ci.yml
 +</​code><​code>​
 +stages:
 +  - lintertest
 +  - build
 +#  - deploy
 +
 +lintertest1:​
 +  stage: lintertest
 +  script:
 +    - echo $(date) "Do a test webd here" >> /​tmp/​Bash.gitlab-ci.log
 +    - shellcheck webd/webd
 +  tags:
 +    - shellcheck
 +
 +build1:
 +  stage: build
 +  script:
 +    - echo $(date) "Do a build webd here" >> /​tmp/​Bash.gitlab-ci.log
 +#    - env | tee /​tmp/​Bash.gitlab-ci.log
 +    - sh build.sh
 +  tags:
 +    - webdbuild
 +
 +#deploy1:
 +#  stage: deploy
 +#  script:
 +#    - echo $(date) "Do your deploy webd to k8s here" >> /​tmp/​Bash.gitlab-ci.log
 +#    - sh deploy.sh
 +#  tags:
 +#    - webddeploy
 +
 +### OR .gitlab-ci.yml for gowebd-k8s project running from another pipeline ###
 +
 +#deploy1:
 +#  stage: deploy
 +#  variables:
 +#    HELM_NAMESPACE:​ "​my-ns"​
 +#  rules:
 +#    - if: '​$CI_PIPELINE_SOURCE == "​pipeline"​ && $VER'
 +#  script:
 +#    - env
 +#    - envsubst < my-webd-deployment-env.yaml | kubectl apply -f - -n my-ns
 +#    - helm upgrade -i my-webd webd-chart/ --set=image.tag=$VER --create-namespace
 +</​code>​
 +
 +==== Пример shell Kubernetes ====
 +
 +<​code>​
 +gitlab-runner@server:​~/​webd$ cp my-webd-deployment.yaml my-webd-deployment-env.yaml
 +  или
 +gitlab-runner@server:​~/​gowebd-k8s$ scp root@node1:​my-webd-deployment.yaml my-webd-deployment-env.yaml
 +
 +gitlab-runner@server:​~/​webd$ cat my-webd-deployment-env.yaml
 +</​code><​code>​
 +...
 +        image: server.corpX.un:​5000/​student/​webd:​$VER
 +...
 +</​code><​code>​
 +# в GitLab будет устанавлено автоматически
 +gitlab-runner@gate:​~/​webd$ export CI_COMMIT_MESSAGE="​ver 1.2"
 +
 +gitlab-runner@gate:​~/​webd$ cat deploy.sh
 +</​code><​code>​
 +#!/bin/sh
 +
 +#alias kubectl='​minikube kubectl --'
 +
 +kubectl apply -f my-webd-deployment.yaml -n my-ns
 +
 +#export VER="​$(echo $CI_COMMIT_MESSAGE | sed '​s/​[^a-zA-Z0-9\.]//​g'​)"​
 +
 +#envsubst < my-webd-deployment-env.yaml | kubectl apply -f - -n my-ns
 +
 +kubectl apply -f my-webd-service.yaml -n my-ns
 +
 +
 +#export HELM_NAMESPACE=my-ns
 +#helm upgrade --install my-webd webd-chart/ --set=image.tag=$VER --create-namespace
 +</​code><​code>​
 +gitlab-runner@server:​~/​$ kubectl describe replicaset.apps/​my-webd-NNNNNNNNNNN -n my-ns
 +</​code>​
 +==== Пример CI с использованием контейнеров ====
 +
 +  * [[https://​akyriako.medium.com/​build-golang-docker-images-with-gitlab-ci-pipelines-2117f8505350|Build Golang Docker images with GitLab CI Pipelines]]
 +  * [[https://​blog.callr.tech/​building-docker-images-with-gitlab-ci-best-practices/​|Best practices for building docker images with GitLab CI]]
 +
 +  * [[https://​stackoverflow.com/​questions/​63693061/​how-to-run-a-script-from-file-in-another-project-using-include-in-gitlab-ci|How to run a script from file in another project using include in GitLab CI?]]
 +  * [[https://​medium.com/​@captain_sparrow/​gitlab-%D1%82%D1%80%D0%B8%D0%B3%D0%B3%D0%B5%D1%80%D1%8B-%D0%B8-%D0%B4%D0%BB%D1%8F-%D0%BA%D0%B0%D0%BA%D0%B8%D1%85-%D1%82%D0%B5%D1%81%D1%82%D0%BE%D0%B2-%D0%B8%D1%85-%D1%81%D1%82%D0%BE%D0%B8%D1%82-%D0%B8%D1%81%D0%BF%D0%BE%D0%BB%D1%8C%D0%B7%D0%BE%D0%B2%D0%B0%D1%82%D1%8C-afa04f8c78a7|Gitlab триггеры и для каких тестов их стоит использовать?​]]
 +
 +  * [[https://​earthly.dev/​blog/​docker-vs-buildah-vs-kaniko/​|Container Image Build Tools: Docker vs. Buildah vs. kaniko]]
 +  * [[https://​docs.gitlab.com/​ee/​ci/​docker/​using_kaniko.html|Use kaniko to build Docker images]]
 +  * [[https://​eng.d2iq.com/​blog/​a-tale-of-two-container-image-tools-skopeo-and-crane/​|A Tale of Two Container Image Tools: Skopeo and Crane]]
 +
 +<​code>​
 +student@client1:​~/​gowebd$ cat .gitlab-ci.yml
 +</​code><​code>​
 +stages:
 +  - build
 +  - push
 +#  - deploy
 +
 +#variables:
 +#  DOCKER_TLS_CERTDIR:​ ""​
 +
 +#services:
 +#  - name: docker:dind
 +#    command:
 +#      [
 +#        '​--insecure-registry=server.corpX.un:​5000',​
 +#      ]
 +
 +before_script:​
 +  - env
 +#  - docker info
 +  - echo -n $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
 +
 +Build:
 +  stage: build
 +#  image:
 +#    name: gcr.io/​kaniko-project/​executor:​v1.9.0-debug
 +#    entrypoint: [""​]
 +  script:
 +    - docker pull $CI_REGISTRY_IMAGE:​latest || true
 +    - >
 +      docker build
 +      --pull
 +      --cache-from $CI_REGISTRY_IMAGE:​latest
 +      --tag $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA
 +      .
 +    - docker push $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA
 +
 +#    - echo "​{\"​auths\":​{\"​${CI_REGISTRY}\":​{\"​auth\":​\"​$(printf "​%s:​%s"​ "​${CI_REGISTRY_USER}"​ "​${CI_REGISTRY_PASSWORD}"​ | base64 | tr -d '​\n'​)\"​},​\"​$CI_DEPENDENCY_PROXY_SERVER\":​{\"​auth\":​\"​$(printf "​%s:​%s"​ ${CI_DEPENDENCY_PROXY_USER} "​${CI_DEPENDENCY_PROXY_PASSWORD}"​ | base64 | tr -d '​\n'​)\"​}}}"​ > /​kaniko/​.docker/​config.json
 +#    - /​kaniko/​executor
 +#      --insecure --skip-tls-verify
 +#      --context "​${CI_PROJECT_DIR}"​
 +#      --dockerfile "​${CI_PROJECT_DIR}/​Dockerfile"​
 +#      --destination "​${CI_REGISTRY_IMAGE}:​${CI_COMMIT_SHA}"​
 +
 +Push latest:
 +#  image:
 +#    name: gcr.io/​go-containerregistry/​crane:​debug
 +#    entrypoint: [""​]
 +  variables:
 +    GIT_STRATEGY:​ none
 +  stage: push
 +  only:
 +    - main
 +  script:
 +    - docker pull $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA
 +    - docker tag $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:​latest
 +    - docker push $CI_REGISTRY_IMAGE:​latest
 +
 +#    - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
 +#    - crane --insecure cp $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:​latest
 +
 +Push tag:
 +#  image:
 +#    name: gcr.io/​go-containerregistry/​crane:​debug
 +#    entrypoint: [""​]
 +  variables:
 +    GIT_STRATEGY:​ none
 +  stage: push
 +  only:
 +    - tags
 +  script:
 +    - docker pull $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA
 +    - docker tag $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:​$CI_COMMIT_REF_NAME
 +    - docker push $CI_REGISTRY_IMAGE:​$CI_COMMIT_REF_NAME
 +
 +#   - crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
 +#   - crane --insecure cp $CI_REGISTRY_IMAGE:​$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:​$CI_COMMIT_REF_NAME
 +
 +#Deploy:
 +#  variables:
 +#    VER: "​$CI_COMMIT_REF_NAME"​
 +#  stage: deploy
 +#  only:
 +#    - tags
 +#  trigger:
 +#    project: student/​gowebd-k8s
 +</​code>​
 +===== Сервер OpenID =====
 +
 +  * [[https://​github.com/​zmartzone/​mod_auth_openidc/​wiki/​GitLab-OAuth2]]
 +  * [[Сервис HTTP#​Управление доступом к HTTP серверу с использованием OpenID аутентификации]]
 +  * Admin Area-> Applications
 +
 +<​code>​
 +Name: test-cgi
 +Redirect URI: http://​gate.corp13.un/​cgi-bin/​test-cgi ​ !!! Если URL каталога,​ то без финального "/"​ !!!
 +Trusted: Yes
 +Confidential:​ Yes
 +Scopes: openid
 +
 +Application ID: ...
 +Secret: ...
 +Callback URL = Redirect URI
 +</​code>​
 +
 +===== Клиент OpenID =====
 +
 +  * [[https://​docs.gitlab.com/​ee/​administration/​auth/​oidc.html|You can use GitLab as a client application with OpenID Connect as an OmniAuth provider]]
 +  * [[https://​gitlab.com/​gitlab-org/​gitlab/​-/​issues/​196193|use self-signed to integate gitlab with keycloak but see error: certificate verify failed (self signed certificate))]]
 +  * [[https://​forum.gitlab.com/​t/​using-keycloak-as-sso-for-gitlab-with-pre-existing-users-no-autocreate/​67833|Using Keycloak as SSO for Gitlab with pre-existing users (no autocreate)]]
 +
 +<​code>​
 +# cp server.crt /​etc/​gitlab/​trusted-certs/​
 +  или
 +# cp ca.crt /​etc/​gitlab/​trusted-certs/​
 +
 +# cat /​etc/​gitlab/​gitlab.rb
 +</​code><​code>​
 +...
 +gitlab_rails['​omniauth_providers'​] = [
 +  {
 +    name: "​openid_connect",​ # do not change this parameter
 +    label: "​Keycloak",​ # optional label for login button, defaults to "​Openid Connect"​
 +    args: {
 +      name: "​openid_connect",​
 +      scope: ["​openid",​ "​profile",​ "​email"​],​
 +      response_type:​ "​code",​
 +#     ​issuer: ​ "​https://​keycloak.example.com/​realms/​myrealm",​
 +      issuer: ​ "​https://​keycloak.corpX.un/​realms/​corpX",​
 +      client_auth_method:​ "​query",​
 +      discovery: true,
 +      uid_field: "​preferred_username",​
 +      pkce: true,
 +      client_options:​ {
 +#        identifier: "<​YOUR CLIENT ID>",​
 +        identifier: "​any-client",​
 +#        secret: "<​YOUR CLIENT SECRET>",​
 +        secret: "​anystring",​
 +#        redirect_uri:​ "​https://​gitlab.example.com/​users/​auth/​openid_connect/​callback"​
 +        redirect_uri:​ "​https://​gate.corpX.un/​users/​auth/​openid_connect/​callback"​
 +      }
 +    }
 +  }
 +]
 +...
 +</​code>​
 +
 +  * [[#​Проверка конфигурации и перезапуск]]
 +  * User -> Profile -> Account -> Select a service to sign in with -> Keycloak
 +
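Review bot: The LDAP heredoc in gitlab.rb now carries two `bind_dn:` and two `password:` entries at the same level (the `cn=admin`/`secret` pair followed by the `cn=Administrator`/`Pa$$w0rd` pair); if the rendering is faithful these are duplicate YAML keys that most loaders resolve silently to the last value, and the first pair also appears to sit at a three-space indent that may mis-nest or be rejected by the parser. Comment the superseded pair out as the rest of the page does, `#    bind_dn: 'cn=admin,dc=corpX,dc=un'` and `#    password: 'secret'`, so the effective values are unambiguous. The block also keeps `encryption: 'plain'` on `port: 389` while the removed side's `#    encryption: 'simple_tls'` hint is dropped, so the bind credential and every authenticating user's password cross the network unencrypted; restoring that commented alternative documents the hardening path alongside the plaintext lab setting. Elsewhere in the same revision the docker-compose.yml example embeds a literal `GITLAB_ROOT_PASSWORD: "strongpassword"` and the commented `docker login ... -p $MY_CI_REGISTRY_PASSWORD` lines in build.sh pass the secret on the command line, whereas the `.gitlab-ci.yml` further down already shows the `--password-stdin` form that keeps it out of the process list. The enclosing `gitlab_rails['ldap_servers']` heredoc starts before this hunk.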