1. Obtain the ServiceAccount token from Kubernetes
A ServiceAccount is a Kubernetes API account for programs that run inside the cluster (for example, a program doing service discovery calls the API with it). The account's token is mounted directly into the Pod, where the program can use it; in other words, a ServiceAccount gives the process running in the Pod an identity.
When ServiceAccounts are enabled, Kubernetes creates a ServiceAccount named default in every namespace. The default account is used here.
Steps:
(1) Log in to the Kubernetes cluster and list the secrets in the namespace:
kubectl get -n uase-iot-dev secret
where uase-iot-dev is your namespace.
Then read the ServiceAccount token secret (the suffix of the default-token-xxxxx name differs from cluster to cluster):
kubectl get -n uase-iot-dev secret default-token-v0jdt -o yaml
The token field in the output is base64-encoded (not encrypted), so decode it before use:
echo '<token>' | base64 -d
Save the decoded result; it is needed later. Note that on Kubernetes 1.24 and later a token secret is no longer created automatically for each ServiceAccount, so the default-token-... secret will not exist unless you create one yourself.
2. Get the Kubernetes CA certificate
Log in to a Kubernetes control-plane node. In the /etc/kubernetes/pki directory (the location used by kubeadm-installed clusters) there is a file ca.crt, which is the cluster's CA certificate.
The certificate looks like this:
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
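Before pasting the values from steps 1 and 2 into GitLab, it is worth checking that the token really belongs to the intended ServiceAccount and that the CA certificate is decoded PEM text. The script below is an added example, not code from the original post: it decodes the fields of a ServiceAccount token secret the way `base64 -d` does, reads the identity claims inside the token (a ServiceAccount token is a JWT), and rejects a CA field that is still base64-encoded. The secret JSON, the token and the certificate body are constructed stand-ins for the real `kubectl get secret ... -o json` output; the secret and account names (uase-iot-dev, default, default-token-v0jdt) are the ones used on this page.

```python
import base64
import json

# ---- Constructed sample input (stands in for the real secret; not from the page) ----

def _b64url(raw: bytes) -> str:
    """base64url without padding, as used inside JWTs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# A ServiceAccount token is a JWT. This one carries the claims a real token has;
# the signature is a dummy string because only the payload is inspected here.
_SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "uase-iot-dev",
    "kubernetes.io/serviceaccount/secret.name": "default-token-v0jdt",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:uase-iot-dev:default",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(_SAMPLE_CLAIMS).encode()),
    _b64url(b"dummy-signature"),
])

# Placeholder PEM body; a real ca.crt has the same framing with real base64 inside.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n"

# Shape of `kubectl get -n uase-iot-dev secret default-token-v0jdt -o json`:
# every field under .data is base64-encoded.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "default-token-v0jdt", "namespace": "uase-iot-dev"},
    "data": {
        "ca.crt": base64.b64encode(SAMPLE_CA.encode()).decode(),
        "namespace": base64.b64encode(b"uase-iot-dev").decode(),
        "token": base64.b64encode(SAMPLE_TOKEN.encode()).decode(),
    },
})

# ---- The checks ----

def decode_secret_data(secret_json: str) -> dict:
    """Base64-decode every .data field (the `echo '<value>' | base64 -d` step)."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a kubernetes.io/service-account-token secret")
    return {key: base64.b64decode(value).decode() for key, value in secret["data"].items()}


def jwt_claims(token: str) -> dict:
    """Read the JWT payload without verifying the signature.

    Inspection only: the API server, not this script, authenticates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_pem_certificate(text: str) -> bool:
    """True for decoded PEM text, False for the still-encoded base64 field."""
    stripped = text.strip()
    return (stripped.startswith("-----BEGIN CERTIFICATE-----")
            and stripped.endswith("-----END CERTIFICATE-----"))


def gitlab_credentials(secret_json: str, namespace: str, sa_name: str) -> dict:
    """Return the values to paste into GitLab, refusing anything that would fail later."""
    data = decode_secret_data(secret_json)
    claims = jwt_claims(data["token"])
    ns_claim = claims.get("kubernetes.io/serviceaccount/namespace")
    if ns_claim != namespace:
        raise ValueError(f"token belongs to namespace {ns_claim!r}, not {namespace!r}")
    sa_claim = claims.get("kubernetes.io/serviceaccount/service-account.name")
    if sa_claim != sa_name:
        raise ValueError(f"token belongs to ServiceAccount {sa_claim!r}, not {sa_name!r}")
    if not is_pem_certificate(data["ca.crt"]):
        raise ValueError("ca.crt is not PEM text; paste the decoded certificate, not the base64 field")
    return {
        "api_subject": claims["sub"],  # the User name that kubectl Forbidden errors will show
        "namespace": namespace,
        "ca_certificate": data["ca.crt"],
        "token": data["token"],
    }


if __name__ == "__main__":
    creds = gitlab_credentials(SAMPLE_SECRET_JSON, "uase-iot-dev", "default")
    print("subject:", creds["api_subject"])
    print("CA certificate starts with:", creds["ca_certificate"].splitlines()[0])
```

Run it against a real secret by replacing SAMPLE_SECRET_JSON with the output of `kubectl get -n <namespace> secret <name> -o json`. The subject it prints is exactly the "User" name that appears in the Forbidden error of step 6 if the RoleBinding of step 5 is missing.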
3. Integrate Kubernetes in GitLab
Sign in to GitLab, open your project, select Settings > Integrations in the left menu, scroll down to Kubernetes and click it.
Then fill in the following:
API URL: the cluster's API URL, i.e. the publicly reachable address of the Kubernetes API server
CA Certificate: the Kubernetes CA certificate from step 2, pasted as PEM text
Project namespace (optional/unique): the Kubernetes namespace to deploy into
Token: the ServiceAccount token obtained earlier, after base64 decoding
Then click Save changes.
4. Add .gitlab-ci.yml to the project
Add a .gitlab-ci.yml configuration file in the project root. This file is the automated deployment script: it builds the jar, builds the image, and deploys it to Kubernetes automatically.
In the deploy-huang-test stage the image is registry.gitlab.com/gitlab-examples/kubernetes-deploy (shown in the screenshot above), which we pulled and pushed to our private registry.
The ${} variables in the configuration file are all defined in GitLab under Settings > CI/CD > Secret variables.
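The following deploy stage is an added example and is not the .gitlab-ci.yml from the post's screenshot. It assumes that the Kubernetes integration configured in step 3 injects KUBE_URL, KUBE_TOKEN, KUBE_CA_PEM_FILE and KUBE_NAMESPACE into the job, that the manifest lives at gitlabci/deployment.yml (the path in the error message of step 6), and that a REGISTRY_IMAGE secret variable holds the image name; the job name and image are the ones named on this page.

```yaml
# Added example deploy stage (not the page's own file).
# Assumes the GitLab Kubernetes integration injects KUBE_URL, KUBE_TOKEN,
# KUBE_CA_PEM_FILE and KUBE_NAMESPACE; REGISTRY_IMAGE is a Secret variable.
stages:
  - deploy-huang-test

deploy-huang-test:
  stage: deploy-huang-test
  image: registry.gitlab.com/gitlab-examples/kubernetes-deploy   # or the copy in your private registry
  script:
    # Build a kubeconfig from the injected values rather than trusting a file on the runner.
    - kubectl config set-cluster ci --server="$KUBE_URL" --certificate-authority="$KUBE_CA_PEM_FILE"
    - kubectl config set-credentials ci --token="$KUBE_TOKEN"
    - kubectl config set-context ci --cluster=ci --user=ci --namespace="$KUBE_NAMESPACE"
    - kubectl config use-context ci
    # Fail early with a clear message if the RoleBinding from step 5 is missing
    # (`kubectl auth can-i` exits non-zero when the answer is "no").
    - kubectl auth can-i create deployments -n "$KUBE_NAMESPACE"
    # Substitute the image built earlier in the pipeline, then apply the manifest.
    - sed "s|__IMAGE__|${REGISTRY_IMAGE}:${CI_COMMIT_SHA}|" gitlabci/deployment.yml | kubectl apply -n "$KUBE_NAMESPACE" -f -
```

The `__IMAGE__` placeholder inside gitlabci/deployment.yml is an assumption of this example; the point is that the token and CA never appear in the repository, only in the variables GitLab injects at job time.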
5. Grant the service account permissions
The service account we use is default, which has no permissions by default, so we must grant it some; otherwise the deployment fails with:
Error from server (Forbidden)
Authorization steps:
Log in to the Kubernetes cluster and run the following command:
kubectl create rolebinding default-edit --clusterrole=edit --serviceaccount=uase-iot-dev:default --namespace=uase-iot-dev
where uase-iot-dev is your namespace.
This binds the built-in edit ClusterRole to the default ServiceAccount within that namespace only (a RoleBinding never grants access outside its own namespace), which gives it the permissions our deployment script needs.
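The same grant in manifest form, as an added example rather than something from the post, so it can be kept in version control and reviewed. It is the declarative equivalent of the kubectl create rolebinding command above, using the page's namespace and account names.

```yaml
# Added example: declarative equivalent of
#   kubectl create rolebinding default-edit --clusterrole=edit \
#     --serviceaccount=uase-iot-dev:default --namespace=uase-iot-dev
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-edit
  namespace: uase-iot-dev          # the binding, and therefore the grant, is scoped to this namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit                       # built-in role: read/write most namespaced resources, including Secrets
subjects:
  - kind: ServiceAccount
    name: default
    namespace: uase-iot-dev
```

Apply it with `kubectl apply -f` and confirm the grant from the ServiceAccount's point of view with `kubectl auth can-i create deployments --as=system:serviceaccount:uase-iot-dev:default -n uase-iot-dev`. Two caveats: the edit ClusterRole also allows reading and writing Secrets in the namespace, and every Pod in uase-iot-dev that does not set its own serviceAccountName runs as default, so it inherits these rights as well. A dedicated ServiceAccount for the CI job (with its own token used in step 3) keeps the deployment permissions away from the application Pods.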
6. Errors encountered
(1) Unable to connect to the server: x509: certificate signed by unknown authority
I ran into this error because of a wrong certificate: the certificate I used was the CA certificate from the token secret obtained earlier, so I got this error. The correct certificate is ca.crt in the /etc/kubernetes/pki directory.
(2) Error from server (Forbidden): error when creating "gitlabci/deployment.yml": User "system:serviceaccount:uase-iot-dev:default"
This error is because default had not been granted permissions.