Commit 715b3fc7 authored by danielgruesso

Update adding existing cluster

parent 05b97dc5
...@@ -86,15 +86,20 @@ To add an existing Kubernetes cluster to your project: ...@@ -86,15 +86,20 @@ To add an existing Kubernetes cluster to your project:
1. Click **Add Kubernetes cluster**. 1. Click **Add Kubernetes cluster**.
1. Click **Add an existing Kubernetes cluster** and fill in the details: 1. Click **Add an existing Kubernetes cluster** and fill in the details:
- **Kubernetes cluster name** (required) - The name you wish to give the cluster. - **Kubernetes cluster name** (required) - The name you wish to give the cluster.
- **Environment scope** (required)- The - **Environment scope** (required) - The
[associated environment](#setting-the-environment-scope) to this cluster. [associated environment](#setting-the-environment-scope) to this cluster.
- **API URL** (required) - - **API URL** (required) -
It's the URL that GitLab uses to access the Kubernetes API. Kubernetes It's the URL that GitLab uses to access the Kubernetes API. Kubernetes
exposes several APIs, we want the "base" URL that is common to all of them, exposes several APIs, we want the "base" URL that is common to all of them,
e.g., `https://kubernetes.example.com` rather than `https://kubernetes.example.com/api/v1`. e.g., `https://kubernetes.example.com` rather than `https://kubernetes.example.com/api/v1`.
- **CA certificate** (optional) - - **CA certificate** (requried) - A valid Kubernetes certificate is needed to authenticate to the EKS cluster. We will use the certificate created by default.
If the API is using a self-signed TLS certificate, you'll also need to include - List the secrets with `kubectl get secrets`, and one should named similar to
the `ca.crt` contents here. `default-token-xxxxx`. Copy that token name for use below.
- Get the certificate by running this command:
```sh
kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
```
- **Token** - - **Token** -
GitLab authenticates against Kubernetes using service tokens, which are GitLab authenticates against Kubernetes using service tokens, which are
scoped to a particular `namespace`. scoped to a particular `namespace`.
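Review bot: The new **CA certificate** bullet changes the field from optional to required and says the certificate is needed "to authenticate to the EKS cluster", but this section is the generic "add an existing Kubernetes cluster" procedure, and the removed text tied `ca.crt` to the case where the API uses a self-signed TLS certificate. I'd keep that explanation and either drop the EKS wording or move the EKS-specific steps under their own heading. Two typos in the added lines as well: "requried" should be "required", and "one should named similar to" is missing "be".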
...@@ -102,36 +107,81 @@ To add an existing Kubernetes cluster to your project: ...@@ -102,36 +107,81 @@ To add an existing Kubernetes cluster to your project:
[`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
privileges.** To create this service account: privileges.** To create this service account:
1. Create a `gitlab` service account in the `default` namespace: 1. Create a file called `eks-admin-service-account.yaml` with contents:
```bash ```yaml
kubectl create -f - <<EOF
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: gitlab name: eks-admin
namespace: default namespace: kube-system
EOF
``` ```
1. Create a cluster role binding to give the `gitlab` service account
`cluster-admin` privileges: 2. Apply the service account to your cluster:
```bash ```bash
kubectl create -f - <<EOF kubectl apply -f eks-admin-service-account.yaml
```
Output:
```bash
serviceaccount "eks-admin" created
```
3. Create a file called `eks-admin-cluster-role-binding.yaml` with contents:
```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: gitlab-cluster-admin name: eks-admin
subjects:
- kind: ServiceAccount
name: gitlab
namespace: default
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cluster-admin name: cluster-admin
apiGroup: rbac.authorization.k8s.io subjects:
EOF - kind: ServiceAccount
name: eks-admin
namespace: kube-system
``` ```
4. Apply the cluster role binding to your cluster:
```bash
kubectl apply -f eks-admin-cluster-role-binding.yaml
```
Output:
```bash
clusterrolebinding "eks-admin" created
```
5. Retrieve the token for the `eks-admin` service account:
```bash
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}')
```
Copy the `<authentication_token>` value from the output:
```yaml
Name: eks-admin-token-b5zv4
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=eks-admin
kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: <authentication_token>
```
NOTE: **Note:** NOTE: **Note:**
For GKE clusters, you will need the For GKE clusters, you will need the
`container.clusterRoleBindings.create` permission to create a cluster `container.clusterRoleBindings.create` permission to create a cluster
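Review bot: The new `eks-admin-cluster-role-binding.yaml` in step 3 sets `apiVersion: rbac.authorization.k8s.io/v1beta1`, while the manifest it replaces used `rbac.authorization.k8s.io/v1`; please keep `v1` unless there is a reason to move back to the beta API. The service account is also renamed from `gitlab` in `default` to `eks-admin` in `kube-system` while still being bound to `cluster-admin`, which reads as EKS-specific in instructions meant for any existing cluster. In step 5 the secret is selected with `grep eks-admin`, which matches any secret whose listing line contains that string, so the `describe` call can receive more than one name; a stricter match on the token secret would be safer. Smaller points: the steps switch from the `1.` auto-numbering used elsewhere in this list to explicit `2.` through `5.`, and the "Output:" blocks are fenced as `bash` and `yaml` although they are plain command output.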
......