Commit b1ef2da4 authored by Evan Read's avatar Evan Read

Merge branch 'docs-code-block-style-7' into 'master'

Fix whitespace in user and misc docs

See merge request gitlab-org/gitlab-ce!30605
parents 5f8a6730 74a8d300
...@@ -181,7 +181,7 @@ sudo -u gitlab_ci -H bundle exec rake backup:show_secrets RAILS_ENV=production ...@@ -181,7 +181,7 @@ sudo -u gitlab_ci -H bundle exec rake backup:show_secrets RAILS_ENV=production
### 2. SQL data and build traces ### 2. SQL data and build traces
Create your final CI data export. If you are converting from MySQL to Create your final CI data export. If you are converting from MySQL to
PostgreSQL, add ` MYSQL_TO_POSTGRESQL=1` to the end of the rake command. When PostgreSQL, add `MYSQL_TO_POSTGRESQL=1` to the end of the rake command. When
the command finishes it will print the path to your data export archive; you the command finishes it will print the path to your data export archive; you
will need this file later. will need this file later.
...@@ -323,11 +323,15 @@ You should also make sure that you can: ...@@ -323,11 +323,15 @@ You should also make sure that you can:
### 2. Check Nginx configuration ### 2. Check Nginx configuration
sudo nginx -t ```sh
sudo nginx -t
```
### 3. Restart Nginx ### 3. Restart Nginx
sudo /etc/init.d/nginx restart ```sh
sudo /etc/init.d/nginx restart
```
### Restore from backup ### Restore from backup
...@@ -352,11 +356,13 @@ The fix for this is to update to Omnibus 7.14 first and then update it to 8.0. ...@@ -352,11 +356,13 @@ The fix for this is to update to Omnibus 7.14 first and then update it to 8.0.
### Permission denied when accessing /var/opt/gitlab/gitlab-ci/builds ### Permission denied when accessing /var/opt/gitlab/gitlab-ci/builds
To fix that issue you have to change builds/ folder permission before doing final backup: To fix that issue you have to change builds/ folder permission before doing final backup:
``` ```
sudo chown -R gitlab-ci:gitlab-ci /var/opt/gitlab/gitlab-ci/builds sudo chown -R gitlab-ci:gitlab-ci /var/opt/gitlab/gitlab-ci/builds
``` ```
Then before executing `ci:migrate` you need to fix builds folder permission: Then before executing `ci:migrate` you need to fix builds folder permission:
``` ```
sudo chown git:git /var/opt/gitlab/gitlab-ci/builds sudo chown git:git /var/opt/gitlab/gitlab-ci/builds
``` ```
...@@ -365,7 +371,7 @@ sudo chown git:git /var/opt/gitlab/gitlab-ci/builds ...@@ -365,7 +371,7 @@ sudo chown git:git /var/opt/gitlab/gitlab-ci/builds
If you were migrating CI database from MySQL to PostgreSQL manually you can see errors during import about missing sequences: If you were migrating CI database from MySQL to PostgreSQL manually you can see errors during import about missing sequences:
```sql ```sql
ALTER SEQUENCE ALTER SEQUENCE
ERROR: relation "ci_builds_id_seq" does not exist ERROR: relation "ci_builds_id_seq" does not exist
ERROR: relation "ci_commits_id_seq" does not exist ERROR: relation "ci_commits_id_seq" does not exist
......
...@@ -34,34 +34,34 @@ For more information on how to use these options check out ...@@ -34,34 +34,34 @@ For more information on how to use these options check out
1. Open `/etc/gitlab/gitlab.rb` with your editor 1. Open `/etc/gitlab/gitlab.rb` with your editor
1. Add the following: 1. Add the following:
```ruby ```ruby
gitlab_rails['rack_attack_git_basic_auth'] = { gitlab_rails['rack_attack_git_basic_auth'] = {
'enabled' => true, 'enabled' => true,
'ip_whitelist' => ["127.0.0.1"], 'ip_whitelist' => ["127.0.0.1"],
'maxretry' => 10, # Limit the number of Git HTTP authentication attempts per IP 'maxretry' => 10, # Limit the number of Git HTTP authentication attempts per IP
'findtime' => 60, # Reset the auth attempt counter per IP after 60 seconds 'findtime' => 60, # Reset the auth attempt counter per IP after 60 seconds
'bantime' => 3600 # Ban an IP for one hour (3600s) after too many auth attempts 'bantime' => 3600 # Ban an IP for one hour (3600s) after too many auth attempts
} }
``` ```
1. Reconfigure GitLab: 1. Reconfigure GitLab:
``` ```
sudo gitlab-ctl reconfigure sudo gitlab-ctl reconfigure
``` ```
The following settings can be configured: The following settings can be configured:
- `enabled`: By default this is set to `false`. Set this to `true` to enable Rack Attack. - `enabled`: By default this is set to `false`. Set this to `true` to enable Rack Attack.
- `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a Ruby array. - `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a Ruby array.
CIDR notation is supported in GitLab v12.1 and up. CIDR notation is supported in GitLab v12.1 and up.
For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3", "192.168.0.1/24"]`. For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3", "192.168.0.1/24"]`.
- `maxretry`: The maximum amount of times a request can be made in the - `maxretry`: The maximum amount of times a request can be made in the
specified time. specified time.
- `findtime`: The maximum amount of time that failed requests can count against an IP - `findtime`: The maximum amount of time that failed requests can count against an IP
before it's blacklisted (in seconds). before it's blacklisted (in seconds).
- `bantime`: The total amount of time that a blacklisted IP will be blocked (in - `bantime`: The total amount of time that a blacklisted IP will be blocked (in
seconds). seconds).
**Installations from source** **Installations from source**
...@@ -71,18 +71,18 @@ taken in order to enable protection for your GitLab instance: ...@@ -71,18 +71,18 @@ taken in order to enable protection for your GitLab instance:
1. In `config/application.rb` find and uncomment the following line: 1. In `config/application.rb` find and uncomment the following line:
```ruby ```ruby
config.middleware.use Rack::Attack config.middleware.use Rack::Attack
``` ```
1. Copy `config/initializers/rack_attack.rb.example` to `config/initializers/rack_attack.rb` 1. Copy `config/initializers/rack_attack.rb.example` to `config/initializers/rack_attack.rb`
1. Open `config/initializers/rack_attack.rb`, review the 1. Open `config/initializers/rack_attack.rb`, review the
`paths_to_be_protected`, and add any other path you need protecting `paths_to_be_protected`, and add any other path you need protecting
1. Restart GitLab: 1. Restart GitLab:
```sh ```sh
sudo service gitlab restart sudo service gitlab restart
``` ```
If you want more restrictive/relaxed throttle rules, edit If you want more restrictive/relaxed throttle rules, edit
`config/initializers/rack_attack.rb` and change the `limit` or `period` values. `config/initializers/rack_attack.rb` and change the `limit` or `period` values.
...@@ -98,28 +98,28 @@ In case you want to remove a blocked IP, follow these steps: ...@@ -98,28 +98,28 @@ In case you want to remove a blocked IP, follow these steps:
1. Find the IPs that have been blocked in the production log: 1. Find the IPs that have been blocked in the production log:
```sh ```sh
grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log
``` ```
1. Since the blacklist is stored in Redis, you need to open up `redis-cli`: 1. Since the blacklist is stored in Redis, you need to open up `redis-cli`:
```sh ```sh
/opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket /opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket
``` ```
1. You can remove the block using the following syntax, replacing `<ip>` with 1. You can remove the block using the following syntax, replacing `<ip>` with
the actual IP that is blacklisted: the actual IP that is blacklisted:
``` ```
del cache:gitlab:rack::attack:allow2ban:ban:<ip> del cache:gitlab:rack::attack:allow2ban:ban:<ip>
``` ```
1. Confirm that the key with the IP no longer shows up: 1. Confirm that the key with the IP no longer shows up:
``` ```
keys *rack::attack* keys *rack::attack*
``` ```
1. Optionally, add the IP to the whitelist to prevent it from being blacklisted 1. Optionally, add the IP to the whitelist to prevent it from being blacklisted
again (see [settings](#settings)). again (see [settings](#settings)).
...@@ -136,8 +136,8 @@ the load balancer. In that case, you will need to: ...@@ -136,8 +136,8 @@ the load balancer. In that case, you will need to:
1. Whitelist the load balancer's IP address(es) in the Rack Attack [settings](#settings). 1. Whitelist the load balancer's IP address(es) in the Rack Attack [settings](#settings).
1. Reconfigure GitLab: 1. Reconfigure GitLab:
``` ```
sudo gitlab-ctl reconfigure sudo gitlab-ctl reconfigure
``` ```
1. [Remove the block via Redis.](#remove-blocked-ips-from-rack-attack-via-redis) 1. [Remove the block via Redis.](#remove-blocked-ips-from-rack-attack-via-redis)
...@@ -64,13 +64,13 @@ Following [best practices](https://linux-audit.com/using-ed25519-openssh-keys-in ...@@ -64,13 +64,13 @@ Following [best practices](https://linux-audit.com/using-ed25519-openssh-keys-in
you should always favor [ED25519](https://ed25519.cr.yp.to/) SSH keys, since they you should always favor [ED25519](https://ed25519.cr.yp.to/) SSH keys, since they
are more secure and have better performance over the other types. are more secure and have better performance over the other types.
ED25519 SSH keys were introduced in OpenSSH 6.5, ED25519 SSH keys were introduced in OpenSSH 6.5,
so any modern OS should include the option to create them. so any modern OS should include the option to create them.
If for any reason your OS or the GitLab instance you interact with doesn't If for any reason your OS or the GitLab instance you interact with doesn't
support ED25519, you can fallback to RSA. support ED25519, you can fallback to RSA.
NOTE: **Note:** NOTE: **Note:**
Omnibus does not ship with OpenSSH, so it uses the version on your GitLab server. If using Omnibus does not ship with OpenSSH, so it uses the version on your GitLab server. If using
Omnibus, ensure the version of OpenSSH installed is version 6.5 or newer if you want to use ED25519 SSH keys. Omnibus, ensure the version of OpenSSH installed is version 6.5 or newer if you want to use ED25519 SSH keys.
### RSA SSH keys ### RSA SSH keys
...@@ -107,18 +107,18 @@ To create a new SSH key pair: ...@@ -107,18 +107,18 @@ To create a new SSH key pair:
1. Open a terminal on Linux or macOS, or Git Bash / WSL on Windows. 1. Open a terminal on Linux or macOS, or Git Bash / WSL on Windows.
1. Generate a new ED25519 SSH key pair: 1. Generate a new ED25519 SSH key pair:
```bash ```bash
ssh-keygen -t ed25519 -C "email@example.com" ssh-keygen -t ed25519 -C "email@example.com"
``` ```
Or, if you want to use RSA: Or, if you want to use RSA:
```bash ```bash
ssh-keygen -o -t rsa -b 4096 -C "email@example.com" ssh-keygen -o -t rsa -b 4096 -C "email@example.com"
``` ```
The `-C` flag adds a comment in the key in case you have multiple of them The `-C` flag adds a comment in the key in case you have multiple of them
and want to tell which is which. It is optional. and want to tell which is which. It is optional.
1. Next, you will be prompted to input a file path to save your SSH key pair to. 1. Next, you will be prompted to input a file path to save your SSH key pair to.
If you don't already have an SSH key pair and aren't generating a [deploy key](#deploy-keys), If you don't already have an SSH key pair and aren't generating a [deploy key](#deploy-keys),
...@@ -126,21 +126,21 @@ To create a new SSH key pair: ...@@ -126,21 +126,21 @@ To create a new SSH key pair:
<kbd>Enter</kbd>. Using the suggested path will normally allow your SSH client <kbd>Enter</kbd>. Using the suggested path will normally allow your SSH client
to automatically use the SSH key pair with no additional configuration. to automatically use the SSH key pair with no additional configuration.
If you already have an SSH key pair with the suggested file path, you will need If you already have an SSH key pair with the suggested file path, you will need
to input a new file path and [declare what host](#working-with-non-default-ssh-key-pair-paths) to input a new file path and [declare what host](#working-with-non-default-ssh-key-pair-paths)
this SSH key pair will be used for in your `~/.ssh/config` file. this SSH key pair will be used for in your `~/.ssh/config` file.
1. Once the path is decided, you will be prompted to input a password to 1. Once the path is decided, you will be prompted to input a password to
secure your new SSH key pair. It's a best practice to use a password, secure your new SSH key pair. It's a best practice to use a password,
but it's not required and you can skip creating it by pressing but it's not required and you can skip creating it by pressing
<kbd>Enter</kbd> twice. <kbd>Enter</kbd> twice.
If, in any case, you want to add or change the password of your SSH key pair, If, in any case, you want to add or change the password of your SSH key pair,
you can use the `-p` flag: you can use the `-p` flag:
``` ```
ssh-keygen -p -o -f <keyname> ssh-keygen -p -o -f <keyname>
``` ```
Now, it's time to add the newly created public key to your GitLab account. Now, it's time to add the newly created public key to your GitLab account.
...@@ -149,41 +149,40 @@ Now, it's time to add the newly created public key to your GitLab account. ...@@ -149,41 +149,40 @@ Now, it's time to add the newly created public key to your GitLab account.
1. Copy your **public** SSH key to the clipboard by using one of the commands below 1. Copy your **public** SSH key to the clipboard by using one of the commands below
depending on your Operating System: depending on your Operating System:
**macOS:** **macOS:**
```bash ```bash
pbcopy < ~/.ssh/id_ed25519.pub pbcopy < ~/.ssh/id_ed25519.pub
``` ```
**WSL / GNU/Linux (requires the xclip package):** **WSL / GNU/Linux (requires the xclip package):**
```bash ```bash
xclip -sel clip < ~/.ssh/id_ed25519.pub xclip -sel clip < ~/.ssh/id_ed25519.pub
``` ```
**Git Bash on Windows:** **Git Bash on Windows:**
```bash ```bash
cat ~/.ssh/id_ed25519.pub | clip cat ~/.ssh/id_ed25519.pub | clip
``` ```
You can also open the key in a graphical editor and copy it from there, You can also open the key in a graphical editor and copy it from there,
but be careful not to accidentally change anything. but be careful not to accidentally change anything.
NOTE: **Note:** NOTE: **Note:**
If you opted to create an RSA key, the name might differ. If you opted to create an RSA key, the name might differ.
1. Add your **public** SSH key to your GitLab account by: 1. Add your **public** SSH key to your GitLab account by:
1. Clicking your avatar in the upper right corner and selecting **Settings**. 1. Clicking your avatar in the upper right corner and selecting **Settings**.
1. Navigating to **SSH Keys** and pasting your **public** key in the **Key** field. If you: 1. Navigating to **SSH Keys** and pasting your **public** key in the **Key** field. If you:
- Created the key with a comment, this will appear in the **Title** field. - Created the key with a comment, this will appear in the **Title** field.
- Created the key without a comment, give your key an identifiable title like _Work Laptop_ or _Home Workstation_. - Created the key without a comment, give your key an identifiable title like _Work Laptop_ or _Home Workstation_.
1. Click the **Add key** button. 1. Click the **Add key** button.
NOTE: **Note:** NOTE: **Note:**
If you manually copied your public SSH key make sure you copied the entire If you manually copied your public SSH key make sure you copied the entire
key starting with `ssh-ed25519` (or `ssh-rsa`) and ending with your email. key starting with `ssh-ed25519` (or `ssh-rsa`) and ending with your email.
## Testing that everything is set up correctly ## Testing that everything is set up correctly
......
...@@ -27,23 +27,23 @@ The following identity providers are supported: ...@@ -27,23 +27,23 @@ The following identity providers are supported:
- [Group SSO](index.md) needs to be configured. - [Group SSO](index.md) needs to be configured.
- The `scim_group` feature flag must be enabled: - The `scim_group` feature flag must be enabled:
Run the following commands in a Rails console: Run the following commands in a Rails console:
```sh ```sh
# Omnibus GitLab # Omnibus GitLab
gitlab-rails console gitlab-rails console
# Installation from source # Installation from source
cd /home/git/gitlab cd /home/git/gitlab
sudo -u git -H bin/rails console RAILS_ENV=production sudo -u git -H bin/rails console RAILS_ENV=production
``` ```
To enable SCIM for a group named `group_name`: To enable SCIM for a group named `group_name`:
```ruby ```ruby
group = Group.find_by_full_path('group_name') group = Group.find_by_full_path('group_name')
Feature.enable(:group_scim, group) Feature.enable(:group_scim, group)
``` ```
### GitLab configuration ### GitLab configuration
...@@ -85,26 +85,26 @@ You can then test the connection clicking on `Test Connection`. ...@@ -85,26 +85,26 @@ You can then test the connection clicking on `Test Connection`.
1. Map the `userPricipalName` to `emails[type eq "work"].value` and `mailNickname` to 1. Map the `userPricipalName` to `emails[type eq "work"].value` and `mailNickname` to
`userName`. `userName`.
Example configuration: Example configuration:
![Azure's attribute mapping configuration](img/scim_attribute_mapping.png) ![Azure's attribute mapping configuration](img/scim_attribute_mapping.png)
1. Click on **Show advanced options > Edit attribute list for AppName**. 1. Click on **Show advanced options > Edit attribute list for AppName**.
1. Leave the `id` as the primary and only required field. 1. Leave the `id` as the primary and only required field.
NOTE: **Note:** NOTE: **Note:**
`username` should neither be primary nor required as we don't support `username` should neither be primary nor required as we don't support
that field on GitLab SCIM yet. that field on GitLab SCIM yet.
![Azure's attribute advanced configuration](img/scim_advanced.png) ![Azure's attribute advanced configuration](img/scim_advanced.png)
1. Save all the screens and, in the **Provisioning** step, set 1. Save all the screens and, in the **Provisioning** step, set
the `Provisioning Status` to `ON`. the `Provisioning Status` to `ON`.
NOTE: **Note:** NOTE: **Note:**
You can control what is actually synced by selecting the `Scope`. For example, You can control what is actually synced by selecting the `Scope`. For example,
`Sync only assigned users and groups` will only sync the users assigned to `Sync only assigned users and groups` will only sync the users assigned to
the application (`Users and groups`), otherwise it will sync the whole Active Directory. the application (`Users and groups`), otherwise it will sync the whole Active Directory.
Once enabled, the synchronization details and any errors will appear on the Once enabled, the synchronization details and any errors will appear on the
bottom of the **Provisioning** screen, together with a link to the audit logs. bottom of the **Provisioning** screen, together with a link to the audit logs.
......
...@@ -586,9 +586,11 @@ def function(): ...@@ -586,9 +586,11 @@ def function():
print s print s
``` ```
Using 4 spaces ```
is like using Using 4 spaces
3-backtick fences. is like using
3-backtick fences.
```
~~~ ~~~
Tildes are OK too. Tildes are OK too.
......
...@@ -183,29 +183,29 @@ a new set of recovery codes with SSH: ...@@ -183,29 +183,29 @@ a new set of recovery codes with SSH:
1. You will then be prompted to confirm that you want to generate new codes. 1. You will then be prompted to confirm that you want to generate new codes.
Continuing this process invalidates previously saved codes: Continuing this process invalidates previously saved codes:
```sh ```sh
Are you sure you want to generate new two-factor recovery codes? Are you sure you want to generate new two-factor recovery codes?
Any existing recovery codes you saved will be invalidated. (yes/no) Any existing recovery codes you saved will be invalidated. (yes/no)
yes yes
Your two-factor authentication recovery codes are: Your two-factor authentication recovery codes are:
119135e5a3ebce8e 119135e5a3ebce8e
11f6v2a498810dcd 11f6v2a498810dcd
3924c7ab2089c902 3924c7ab2089c902
e79a3398bfe4f224 e79a3398bfe4f224
34bd7b74adbc8861 34bd7b74adbc8861
f061691d5107df1a f061691d5107df1a
169bf32a18e63e7f 169bf32a18e63e7f
b510e7422e81c947 b510e7422e81c947
20dbed24c5e74663 20dbed24c5e74663
df9d3b9403b9c9f0 df9d3b9403b9c9f0
During sign in, use one of the codes above when prompted for your During sign in, use one of the codes above when prompted for your
two-factor code. Then, visit your Profile Settings and add a new device two-factor code. Then, visit your Profile Settings and add a new device
so you do not lose access to your account again. so you do not lose access to your account again.
``` ```
1. Go to the GitLab sign-in page and enter your username/email and password. 1. Go to the GitLab sign-in page and enter your username/email and password.
When prompted for a two-factor code, enter one of the recovery codes obtained When prompted for a two-factor code, enter one of the recovery codes obtained
......
...@@ -40,97 +40,97 @@ then click **Add an existing Kubernetes cluster**. ...@@ -40,97 +40,97 @@ then click **Add an existing Kubernetes cluster**.
A few details from the EKS cluster will be required to connect it to GitLab: A few details from the EKS cluster will be required to connect it to GitLab:
1. **Retrieve the certificate**: A valid Kubernetes certificate is needed to 1. **Retrieve the certificate**: A valid Kubernetes certificate is needed to
authenticate to the EKS cluster. We will use the certificate created by default. authenticate to the EKS cluster. We will use the certificate created by default.
Open a shell and use `kubectl` to retrieve it: Open a shell and use `kubectl` to retrieve it:
- List the secrets with `kubectl get secrets`, and one should named similar to - List the secrets with `kubectl get secrets`, and one should named similar to
`default-token-xxxxx`. Copy that token name for use below. `default-token-xxxxx`. Copy that token name for use below.
- Get the certificate with: - Get the certificate with:
```sh ```sh
kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
```
1. **Create admin token**: A `cluster-admin` token is required to install and
manage Helm Tiller. GitLab establishes mutual SSL auth with Helm Tiller
and creates limited service accounts for each application. To create the
token we will create an admin service account as follows:
2.1. Create a file called `eks-admin-service-account.yaml` with contents:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: eks-admin
namespace: kube-system
```
2.2. Apply the service account to your cluster:
```bash
kubectl apply -f eks-admin-service-account.yaml
``` ```
Output: 1. **Create admin token**: A `cluster-admin` token is required to install and
manage Helm Tiller. GitLab establishes mutual SSL auth with Helm Tiller
```bash and creates limited service accounts for each application. To create the
serviceaccount "eks-admin" created token we will create an admin service account as follows:
```
2.1. Create a file called `eks-admin-service-account.yaml` with contents:
2.3. Create a file called `eks-admin-cluster-role-binding.yaml` with contents:
```yaml
```yaml apiVersion: v1
apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ServiceAccount
kind: ClusterRoleBinding metadata:
metadata: name: eks-admin
name: eks-admin namespace: kube-system
roleRef: ```
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole 2.2. Apply the service account to your cluster:
name: cluster-admin
subjects: ```bash
- kind: ServiceAccount kubectl apply -f eks-admin-service-account.yaml
name: eks-admin ```
namespace: kube-system
``` Output:
2.4. Apply the cluster role binding to your cluster: ```bash
serviceaccount "eks-admin" created
```bash ```
kubectl apply -f eks-admin-cluster-role-binding.yaml
``` 2.3. Create a file called `eks-admin-cluster-role-binding.yaml` with contents:
Output: ```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
```bash kind: ClusterRoleBinding
clusterrolebinding "eks-admin" created metadata:
``` name: eks-admin
roleRef:
2.5. Retrieve the token for the `eks-admin` service account: apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
```bash name: cluster-admin
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}') subjects:
``` - kind: ServiceAccount
name: eks-admin
Copy the `<authentication_token>` value from the output: namespace: kube-system
```
```yaml
Name: eks-admin-token-b5zv4 2.4. Apply the cluster role binding to your cluster:
Namespace: kube-system
Labels: <none> ```bash
Annotations: kubernetes.io/service-account.name=eks-admin kubectl apply -f eks-admin-cluster-role-binding.yaml
kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8 ```
Type: kubernetes.io/service-account-token Output:
Data ```bash
==== clusterrolebinding "eks-admin" created
ca.crt: 1025 bytes ```
namespace: 11 bytes
token: <authentication_token> 2.5. Retrieve the token for the `eks-admin` service account:
```
```bash
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep eks-admin | awk '{print $1}')
```
Copy the `<authentication_token>` value from the output:
```yaml
Name: eks-admin-token-b5zv4
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=eks-admin
kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: <authentication_token>
```
1. The API server endpoint is also required, so GitLab can connect to the cluster. 1. The API server endpoint is also required, so GitLab can connect to the cluster.
This is displayed on the AWS EKS console, when viewing the EKS cluster details. This is displayed on the AWS EKS console, when viewing the EKS cluster details.
......
...@@ -56,8 +56,8 @@ new Kubernetes cluster to your project: ...@@ -56,8 +56,8 @@ new Kubernetes cluster to your project:
1. Navigate to your project's **Operations > Kubernetes** page. 1. Navigate to your project's **Operations > Kubernetes** page.
NOTE: **Note:** NOTE: **Note:**
You need Maintainer [permissions] and above to access the Kubernetes page. You need Maintainer [permissions] and above to access the Kubernetes page.
1. Click **Add Kubernetes cluster**. 1. Click **Add Kubernetes cluster**.
1. Click **Create with Google Kubernetes Engine**. 1. Click **Create with Google Kubernetes Engine**.
...@@ -97,117 +97,119 @@ To add an existing Kubernetes cluster to your project: ...@@ -97,117 +97,119 @@ To add an existing Kubernetes cluster to your project:
1. Navigate to your project's **Operations > Kubernetes** page. 1. Navigate to your project's **Operations > Kubernetes** page.
NOTE: **Note:** NOTE: **Note:**
You need Maintainer [permissions] and above to access the Kubernetes page. You need Maintainer [permissions] and above to access the Kubernetes page.
1. Click **Add Kubernetes cluster**. 1. Click **Add Kubernetes cluster**.
1. Click **Add an existing Kubernetes cluster** and fill in the details: 1. Click **Add an existing Kubernetes cluster** and fill in the details:
- **Kubernetes cluster name** (required) - The name you wish to give the cluster. - **Kubernetes cluster name** (required) - The name you wish to give the cluster.
- **Environment scope** (required) - The - **Environment scope** (required) - The
[associated environment](#setting-the-environment-scope-premium) to this cluster. [associated environment](#setting-the-environment-scope-premium) to this cluster.
- **API URL** (required) - - **API URL** (required) -
It's the URL that GitLab uses to access the Kubernetes API. Kubernetes It's the URL that GitLab uses to access the Kubernetes API. Kubernetes
exposes several APIs, we want the "base" URL that is common to all of them, exposes several APIs, we want the "base" URL that is common to all of them,
e.g., `https://kubernetes.example.com` rather than `https://kubernetes.example.com/api/v1`. e.g., `https://kubernetes.example.com` rather than `https://kubernetes.example.com/api/v1`.
Get the API URL by running this command: Get the API URL by running this command:
```sh ```sh
kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}' kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}'
``` ```
- **CA certificate** (required) - A valid Kubernetes certificate is needed to authenticate to the EKS cluster. We will use the certificate created by default.
- List the secrets with `kubectl get secrets`, and one should named similar to - **CA certificate** (required) - A valid Kubernetes certificate is needed to authenticate to the EKS cluster. We will use the certificate created by default.
`default-token-xxxxx`. Copy that token name for use below. - List the secrets with `kubectl get secrets`, and one should named similar to
- Get the certificate by running this command: `default-token-xxxxx`. Copy that token name for use below.
- Get the certificate by running this command:
```sh
kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode ```sh
``` kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
- **Token** - ```
GitLab authenticates against Kubernetes using service tokens, which are
scoped to a particular `namespace`. - **Token** -
**The token used should belong to a service account with GitLab authenticates against Kubernetes using service tokens, which are
[`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) scoped to a particular `namespace`.
privileges.** To create this service account: **The token used should belong to a service account with
[`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
1. Create a file called `gitlab-admin-service-account.yaml` with contents: privileges.** To create this service account:
```yaml 1. Create a file called `gitlab-admin-service-account.yaml` with contents:
apiVersion: v1
kind: ServiceAccount ```yaml
metadata: apiVersion: v1
name: gitlab-admin kind: ServiceAccount
namespace: kube-system metadata:
--- name: gitlab-admin
apiVersion: rbac.authorization.k8s.io/v1beta1 namespace: kube-system
kind: ClusterRoleBinding ---
metadata: apiVersion: rbac.authorization.k8s.io/v1beta1
name: gitlab-admin kind: ClusterRoleBinding
roleRef: metadata:
apiGroup: rbac.authorization.k8s.io name: gitlab-admin
kind: ClusterRole roleRef:
name: cluster-admin apiGroup: rbac.authorization.k8s.io
subjects: kind: ClusterRole
- kind: ServiceAccount name: cluster-admin
name: gitlab-admin subjects:
namespace: kube-system - kind: ServiceAccount
``` name: gitlab-admin
namespace: kube-system
1. Apply the service account and cluster role binding to your cluster: ```
```bash 1. Apply the service account and cluster role binding to your cluster:
kubectl apply -f gitlab-admin-service-account.yaml
``` ```bash
kubectl apply -f gitlab-admin-service-account.yaml
Output: ```
```bash Output:
serviceaccount "gitlab-admin" created
clusterrolebinding "gitlab-admin" created ```bash
``` serviceaccount "gitlab-admin" created
clusterrolebinding "gitlab-admin" created
1. Retrieve the token for the `gitlab-admin` service account: ```
```bash 1. Retrieve the token for the `gitlab-admin` service account:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')
``` ```bash
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')
Copy the `<authentication_token>` value from the output: ```
```yaml Copy the `<authentication_token>` value from the output:
Name: gitlab-admin-token-b5zv4
Namespace: kube-system ```yaml
Labels: <none> Name: gitlab-admin-token-b5zv4
Annotations: kubernetes.io/service-account.name=gitlab-admin Namespace: kube-system
kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8 Labels: <none>
Annotations: kubernetes.io/service-account.name=gitlab-admin
Type: kubernetes.io/service-account-token kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8
Data Type: kubernetes.io/service-account-token
====
ca.crt: 1025 bytes Data
namespace: 11 bytes ====
token: <authentication_token> ca.crt: 1025 bytes
``` namespace: 11 bytes
token: <authentication_token>
NOTE: **Note:** ```
For GKE clusters, you will need the
`container.clusterRoleBindings.create` permission to create a cluster NOTE: **Note:**
role binding. You can follow the [Google Cloud For GKE clusters, you will need the
documentation](https://cloud.google.com/iam/docs/granting-changing-revoking-access) `container.clusterRoleBindings.create` permission to create a cluster
to grant access. role binding. You can follow the [Google Cloud
documentation](https://cloud.google.com/iam/docs/granting-changing-revoking-access)
- **GitLab-managed cluster** - Leave this checked if you want GitLab to manage namespaces and service accounts for this cluster. See the [Managed clusters section](#gitlab-managed-clusters) for more information. to grant access.
- **Project namespace** (optional) - You don't have to fill it in; by leaving - **GitLab-managed cluster** - Leave this checked if you want GitLab to manage namespaces and service accounts for this cluster. See the [Managed clusters section](#gitlab-managed-clusters) for more information.
it blank, GitLab will create one for you. Also:
- Each project should have a unique namespace. - **Project namespace** (optional) - You don't have to fill it in; by leaving
- The project namespace is not necessarily the namespace of the secret, if it blank, GitLab will create one for you. Also:
you're using a secret with broader permissions, like the secret from `default`. - Each project should have a unique namespace.
- You should **not** use `default` as the project namespace. - The project namespace is not necessarily the namespace of the secret, if
- If you or someone created a secret specifically for the project, usually you're using a secret with broader permissions, like the secret from `default`.
with limited permissions, the secret's namespace and project namespace may - You should **not** use `default` as the project namespace.
be the same. - If you or someone created a secret specifically for the project, usually
with limited permissions, the secret's namespace and project namespace may
be the same.
1. Finally, click the **Create Kubernetes cluster** button. 1. Finally, click the **Create Kubernetes cluster** button.
......
...@@ -24,34 +24,34 @@ To run Knative on Gitlab, you will need: ...@@ -24,34 +24,34 @@ To run Knative on Gitlab, you will need:
1. **Existing GitLab project:** You will need a GitLab project to associate all resources. The simplest way to get started: 1. **Existing GitLab project:** You will need a GitLab project to associate all resources. The simplest way to get started:
- If you are planning on deploying functions, clone the [functions example project](https://gitlab.com/knative-examples/functions) to get started. - If you are planning on deploying functions, clone the [functions example project](https://gitlab.com/knative-examples/functions) to get started.
- If you are planning on deploying a serverless application, clone the sample [Knative Ruby App](https://gitlab.com/knative-examples/knative-ruby-app) to get started. - If you are planning on deploying a serverless application, clone the sample [Knative Ruby App](https://gitlab.com/knative-examples/knative-ruby-app) to get started.
1. **Kubernetes Cluster:** An RBAC-enabled Kubernetes cluster is required to deploy Knative. 1. **Kubernetes Cluster:** An RBAC-enabled Kubernetes cluster is required to deploy Knative.
The simplest way to get started is to add a cluster using [GitLab's GKE integration](../index.md#adding-and-creating-a-new-gke-cluster-via-gitlab). The simplest way to get started is to add a cluster using [GitLab's GKE integration](../index.md#adding-and-creating-a-new-gke-cluster-via-gitlab).
The set of minimum recommended cluster specifications to run Knative is 3 nodes, 6 vCPUs, and 22.50 GB memory. The set of minimum recommended cluster specifications to run Knative is 3 nodes, 6 vCPUs, and 22.50 GB memory.
1. **Helm Tiller:** Helm is a package manager for Kubernetes and is required to install 1. **Helm Tiller:** Helm is a package manager for Kubernetes and is required to install
Knative. Knative.
1. **GitLab Runner:** A runner is required to run the CI jobs that will deploy serverless 1. **GitLab Runner:** A runner is required to run the CI jobs that will deploy serverless
applications or functions onto your cluster. You can install the GitLab Runner applications or functions onto your cluster. You can install the GitLab Runner
onto the existing Kubernetes cluster. See [Installing Applications](../index.md#installing-applications) for more information. onto the existing Kubernetes cluster. See [Installing Applications](../index.md#installing-applications) for more information.
1. **Domain Name:** Knative will provide its own load balancer using Istio. It will provide an 1. **Domain Name:** Knative will provide its own load balancer using Istio. It will provide an
external IP address or hostname for all the applications served by Knative. You will be prompted to enter a external IP address or hostname for all the applications served by Knative. You will be prompted to enter a
wildcard domain where your applications will be served. Configure your DNS server to use the wildcard domain where your applications will be served. Configure your DNS server to use the
external IP address or hostname for that domain. external IP address or hostname for that domain.
1. **`.gitlab-ci.yml`:** GitLab uses [Kaniko](https://github.com/GoogleContainerTools/kaniko) 1. **`.gitlab-ci.yml`:** GitLab uses [Kaniko](https://github.com/GoogleContainerTools/kaniko)
to build the application. We also use [gitlabktl](https://gitlab.com/gitlab-org/gitlabktl) to build the application. We also use [gitlabktl](https://gitlab.com/gitlab-org/gitlabktl)
and [TriggerMesh CLI](https://github.com/triggermesh/tm) CLIs to simplify the and [TriggerMesh CLI](https://github.com/triggermesh/tm) CLIs to simplify the
deployment of services and functions to Knative. deployment of services and functions to Knative.
1. **`serverless.yml`** (for [functions only](#deploying-functions)): When using serverless to deploy functions, the `serverless.yml` file 1. **`serverless.yml`** (for [functions only](#deploying-functions)): When using serverless to deploy functions, the `serverless.yml` file
will contain the information for all the functions being hosted in the repository as well as a reference to the will contain the information for all the functions being hosted in the repository as well as a reference to the
runtime being used. runtime being used.
1. **`Dockerfile`** (for [applications only](#deploying-serverless-applications): Knative requires a 1. **`Dockerfile`** (for [applications only](#deploying-serverless-applications): Knative requires a
`Dockerfile` in order to build your applications. It should be included at the root of your `Dockerfile` in order to build your applications. It should be included at the root of your
project's repo and expose port `8080`. `Dockerfile` is not require if you plan to build serverless functions project's repo and expose port `8080`. `Dockerfile` is not require if you plan to build serverless functions
using our [runtimes](https://gitlab.com/gitlab-org/serverless/runtimes). using our [runtimes](https://gitlab.com/gitlab-org/serverless/runtimes).
1. **Prometheus** (optional): Installing Prometheus allows you to monitor the scale and traffic of your serverless function/application. 1. **Prometheus** (optional): Installing Prometheus allows you to monitor the scale and traffic of your serverless function/application.
See [Installing Applications](../index.md#installing-applications) for more information. See [Installing Applications](../index.md#installing-applications) for more information.
## Installing Knative via GitLab's Kubernetes integration ## Installing Knative via GitLab's Kubernetes integration
...@@ -60,9 +60,9 @@ The minimum recommended cluster size to run Knative is 3-nodes, 6 vCPUs, and 22. ...@@ -60,9 +60,9 @@ The minimum recommended cluster size to run Knative is 3-nodes, 6 vCPUs, and 22.
1. [Add a Kubernetes cluster](../index.md) and [install Helm](../index.md#installing-applications). 1. [Add a Kubernetes cluster](../index.md) and [install Helm](../index.md#installing-applications).
1. Once Helm has been successfully installed, scroll down to the Knative app section. Enter the domain to be used with 1. Once Helm has been successfully installed, scroll down to the Knative app section. Enter the domain to be used with
your application/functions (e.g. `example.com`) and click **Install**. your application/functions (e.g. `example.com`) and click **Install**.
![install-knative](img/install-knative.png) ![install-knative](img/install-knative.png)
1. After the Knative installation has finished, you can wait for the IP address or hostname to be displayed in the 1. After the Knative installation has finished, you can wait for the IP address or hostname to be displayed in the
**Knative Endpoint** field or [retrieve the Istio Ingress Endpoint manually](../#manually-determining-the-external-endpoint). **Knative Endpoint** field or [retrieve the Istio Ingress Endpoint manually](../#manually-determining-the-external-endpoint).
...@@ -77,7 +77,7 @@ The minimum recommended cluster size to run Knative is 3-nodes, 6 vCPUs, and 22. ...@@ -77,7 +77,7 @@ The minimum recommended cluster size to run Knative is 3-nodes, 6 vCPUs, and 22.
if your Knative base domain is `knative.info` then you need to create an A record or CNAME record with domain `*.knative.info` if your Knative base domain is `knative.info` then you need to create an A record or CNAME record with domain `*.knative.info`
pointing the ip address or hostname of the ingress. pointing the ip address or hostname of the ingress.
![dns entry](img/dns-entry.png) ![dns entry](img/dns-entry.png)
NOTE: **Note:** NOTE: **Note:**
You can deploy either [functions](#deploying-functions) or [serverless applications](#deploying-serverless-applications) You can deploy either [functions](#deploying-functions) or [serverless applications](#deploying-serverless-applications)
...@@ -100,54 +100,54 @@ You must do the following: ...@@ -100,54 +100,54 @@ You must do the following:
[add an existing Kubernetes cluster](../index.md#adding-an-existing-kubernetes-cluster). [add an existing Kubernetes cluster](../index.md#adding-an-existing-kubernetes-cluster).
1. Ensure GitLab can manage Knative: 1. Ensure GitLab can manage Knative:
- For a non-GitLab managed cluster, ensure that the service account for the token - For a non-GitLab managed cluster, ensure that the service account for the token
provided can manage resources in the `serving.knative.dev` API group. provided can manage resources in the `serving.knative.dev` API group.
- For a GitLab managed cluster, if you added the cluster in [GitLab 12.1 or later](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30235), - For a GitLab managed cluster, if you added the cluster in [GitLab 12.1 or later](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30235),
then GitLab will already have the required access and you can proceed to the next step. then GitLab will already have the required access and you can proceed to the next step.
Otherwise, you need to manually grant GitLab's service account the ability to manage Otherwise, you need to manually grant GitLab's service account the ability to manage
resources in the `serving.knative.dev` API group. Since every GitLab service account resources in the `serving.knative.dev` API group. Since every GitLab service account
has the `edit` cluster role, the simplest way to do this is with an has the `edit` cluster role, the simplest way to do this is with an
[aggregated ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) [aggregated ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles)
adding rules to the default `edit` cluster role: First, save the following YAML as adding rules to the default `edit` cluster role: First, save the following YAML as
`knative-serving-only-role.yaml`: `knative-serving-only-role.yaml`:
```yaml ```yaml
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
name: knative-serving-only-role name: knative-serving-only-role
labels: labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules: rules:
- apiGroups: - apiGroups:
- serving.knative.dev - serving.knative.dev
resources: resources:
- configurations - configurations
- configurationgenerations - configurationgenerations
- routes - routes
- revisions - revisions
- revisionuids - revisionuids
- autoscalers - autoscalers
- services - services
verbs: verbs:
- get - get
- list - list
- create - create
- update - update
- delete - delete
- patch - patch
- watch - watch
``` ```
Then run the following command: Then run the following command:
```bash ```bash
kubectl apply -f knative-serving-only-role.yaml kubectl apply -f knative-serving-only-role.yaml
``` ```
If you would rather grant permissions on a per service account basis, you can do this If you would rather grant permissions on a per service account basis, you can do this
using a `Role` and `RoleBinding` specific to the service account and namespace. using a `Role` and `RoleBinding` specific to the service account and namespace.
1. Follow the steps to deploy [functions](#deploying-functions) 1. Follow the steps to deploy [functions](#deploying-functions)
or [serverless applications](#deploying-serverless-applications) onto your or [serverless applications](#deploying-serverless-applications) onto your
...@@ -174,8 +174,8 @@ Follow these steps to deploy a function using the Node.js runtime to your Knativ ...@@ -174,8 +174,8 @@ Follow these steps to deploy a function using the Node.js runtime to your Knativ
1. Create a directory that will house the function. In this example we will create a directory called `echo` at the root of the project. 1. Create a directory that will house the function. In this example we will create a directory called `echo` at the root of the project.
1. Create the file that will contain the function code. In this example, our file is called `echo.js` and is located inside the `echo` directory. If your project is: 1. Create the file that will contain the function code. In this example, our file is called `echo.js` and is located inside the `echo` directory. If your project is:
- Public, continue to the next step. - Public, continue to the next step.
- Private, you will need to [create a GitLab deploy token](../../deploy_tokens/index.md#creating-a-deploy-token) with `gitlab-deploy-token` as the name and the `read_registry` scope. - Private, you will need to [create a GitLab deploy token](../../deploy_tokens/index.md#creating-a-deploy-token) with `gitlab-deploy-token` as the name and the `read_registry` scope.
1. `.gitlab-ci.yml`: this defines a pipeline used to deploy your functions. 1. `.gitlab-ci.yml`: this defines a pipeline used to deploy your functions.
It must be included at the root of your repository: It must be included at the root of your repository:
...@@ -193,16 +193,16 @@ Follow these steps to deploy a function using the Node.js runtime to your Knativ ...@@ -193,16 +193,16 @@ Follow these steps to deploy a function using the Node.js runtime to your Knativ
environment: production environment: production
``` ```
This `.gitlab-ci.yml` creates jobs that invoke some predefined commands to This `.gitlab-ci.yml` creates jobs that invoke some predefined commands to
build and deploy your functions to your cluster. build and deploy your functions to your cluster.
`Serverless.gitlab-ci.yml` is a template that allows customization. `Serverless.gitlab-ci.yml` is a template that allows customization.
You can either import it with `include` parameter and use `extends` to You can either import it with `include` parameter and use `extends` to
customize your jobs, or you can inline the entire template by choosing it customize your jobs, or you can inline the entire template by choosing it
from **Apply a template** dropdown when editing the `.gitlab-ci.yml` file through from **Apply a template** dropdown when editing the `.gitlab-ci.yml` file through
the user interface. the user interface.
2. `serverless.yml`: this file contains the metadata for your functions, 1. `serverless.yml`: this file contains the metadata for your functions,
such as name, runtime, and environment. such as name, runtime, and environment.
It must be included at the root of your repository. It must be included at the root of your repository.
...@@ -281,16 +281,17 @@ The sample function can now be triggered from any HTTP client using a simple `PO ...@@ -281,16 +281,17 @@ The sample function can now be triggered from any HTTP client using a simple `PO
1. Using curl (replace the URL on the last line with the URL of your application): 1. Using curl (replace the URL on the last line with the URL of your application):
```bash ```bash
curl \ curl \
--header "Content-Type: application/json" \ --header "Content-Type: application/json" \
--request POST \ --request POST \
--data '{"GitLab":"FaaS"}' \ --data '{"GitLab":"FaaS"}' \
http://functions-echo.functions-1.functions.example.com/ http://functions-echo.functions-1.functions.example.com/
``` ```
2. Using a web-based tool (ie. postman, restlet, etc)
![function execution](img/function-execution.png) 1. Using a web-based tool (ie. postman, restlet, etc)
![function execution](img/function-execution.png)
## Deploying Serverless applications ## Deploying Serverless applications
...@@ -392,259 +393,258 @@ The instructions below relate to installing and running Certbot on a Linux serve ...@@ -392,259 +393,258 @@ The instructions below relate to installing and running Certbot on a Linux serve
[`certbot-auto` wrapper script](https://certbot.eff.org/docs/install.html#certbot-auto). [`certbot-auto` wrapper script](https://certbot.eff.org/docs/install.html#certbot-auto).
On the command line of your server, run the following commands: On the command line of your server, run the following commands:
```sh ```sh
wget https://dl.eff.org/certbot-auto wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto sudo chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto chmod 0755 /usr/local/bin/certbot-auto
/usr/local/bin/certbot-auto --help /usr/local/bin/certbot-auto --help
``` ```
To check the integrity of the `certbot-auto` script, run: To check the integrity of the `certbot-auto` script, run:
```sh ```sh
wget -N https://dl.eff.org/certbot-auto.asc wget -N https://dl.eff.org/certbot-auto.asc
gpg2 --keyserver ipv4.pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2 gpg2 --keyserver ipv4.pool.sks-keyservers.net --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc /usr/local/bin/certbot-auto gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc /usr/local/bin/certbot-auto
``` ```
The output of the last command should look something like: The output of the last command should look something like:
```sh ```sh
gpg: Signature made Mon 10 Jun 2019 06:24:40 PM EDT gpg: Signature made Mon 10 Jun 2019 06:24:40 PM EDT
gpg: using RSA key A2CFB51FA275A7286234E7B24D17C995CD9775F2 gpg: using RSA key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: key 4D17C995CD9775F2 marked as ultimately trusted gpg: key 4D17C995CD9775F2 marked as ultimately trusted
gpg: checking the trustdb gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2027-11-22 gpg: next trustdb check due at 2027-11-22
gpg: Good signature from "Let's Encrypt Client Team <letsencrypt-client@eff.org>" [ultimate] gpg: Good signature from "Let's Encrypt Client Team <letsencrypt-client@eff.org>" [ultimate]
``` ```
1. Run the following command to use Certbot to request a certificate 1. Run the following command to use Certbot to request a certificate
using DNS challenge during authorization: using DNS challenge during authorization:
```sh
./certbot-auto certonly --manual --preferred-challenges dns -d '*.<namespace>.example.com'
```
Where `<namespace>` is the namespace created by GitLab for your serverless project (composed of `<projectname+id>`) and
`example.com` is the domain being used for your project. If you are unsure what the namespace of your project is, navigate
to the **Operations > Serverless** page of your project and inspect
the endpoint provided for your function/app.
![function_endpoint](img/function-endpoint.png)
```sh In the above image, the namespace for the project is `node-function-11909507` and the domain is `knative.info`, thus
./certbot-auto certonly --manual --preferred-challenges dns -d '*.<namespace>.example.com' certificate request line would look like this:
```
```sh
Where `<namespace>` is the namespace created by GitLab for your serverless project (composed of `<projectname+id>`) and ./certbot-auto certonly --manual --preferred-challenges dns -d '*.node-function-11909507.knative.info'
`example.com` is the domain being used for your project. If you are unsure what the namespace of your project is, navigate ```
to the **Operations > Serverless** page of your project and inspect
the endpoint provided for your function/app. The Certbot tool walks you through the steps of validating that you own each domain that you specify by creating TXT records in those domains.
After this process is complete, the output should look something like this:
![function_endpoint](img/function-endpoint.png)
```sh
In the above image, the namespace for the project is `node-function-11909507` and the domain is `knative.info`, thus IMPORTANT NOTES:
certificate request line would look like this: - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/namespace.example.com/fullchain.pem
```sh Your key file has been saved at:
./certbot-auto certonly --manual --preferred-challenges dns -d '*.node-function-11909507.knative.info' /etc/letsencrypt/live/namespace.example/privkey.pem
``` Your cert will expire on 2019-09-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
The Certbot tool walks you through the steps of validating that you own each domain that you specify by creating TXT records in those domains. again. To non-interactively renew *all* of your certificates, run
After this process is complete, the output should look something like this: "certbot-auto renew"
-----BEGIN PRIVATE KEY-----
```sh - Your account credentials have been saved in your Certbot
IMPORTANT NOTES: configuration directory at /etc/letsencrypt. You should make a
- Congratulations! Your certificate and chain have been saved at: secure backup of this folder now. This configuration directory will
/etc/letsencrypt/live/namespace.example.com/fullchain.pem also contain certificates and private keys obtained by Certbot so
Your key file has been saved at: making regular backups of this folder is ideal.
/etc/letsencrypt/live/namespace.example/privkey.pem ```
Your cert will expire on 2019-09-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
-----BEGIN PRIVATE KEY-----
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
```
1. Create certificate and private key files. Using the contents of the files 1. Create certificate and private key files. Using the contents of the files
returned by Certbot, we'll create two files in order to create the returned by Certbot, we'll create two files in order to create the
Kubernetes secret: Kubernetes secret:
Run the following command to see the contents of `fullchain.pem`: Run the following command to see the contents of `fullchain.pem`:
```sh ```sh
sudo cat /etc/letsencrypt/live/node-function-11909507.knative.info/fullchain.pem sudo cat /etc/letsencrypt/live/node-function-11909507.knative.info/fullchain.pem
``` ```
Output should look like this: Output should look like this:
```sh ```sh
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b4ag== 04f294d1eaca42b8692017b4ag==
-----END CERTIFICATE----- -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
K2fcb195768c39e9a94cec2c2e30Qg== K2fcb195768c39e9a94cec2c2e30Qg==
-----END CERTIFICATE----- -----END CERTIFICATE-----
``` ```
Create a file with the name `cert.pem` with the contents of the entire output. Create a file with the name `cert.pem` with the contents of the entire output.
Once `cert.pem` is created, run the following command to see the contents of `privkey.pem`: Once `cert.pem` is created, run the following command to see the contents of `privkey.pem`:
```sh ```sh
sudo cat /etc/letsencrypt/live/namespace.example/privkey.pem sudo cat /etc/letsencrypt/live/namespace.example/privkey.pem
``` ```
Output should look like this: Output should look like this:
```sh ```sh
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 2fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df 04f294d1eaca42b8692017b426d53bbc8fe75f827734f0260710b83a556082df
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6 fcb195768c39e9a94cec2c2e32c59c0aad7a3365c10892e8116b5d83d4096b6
4f294d1eaca42b8692017b4262== 4f294d1eaca42b8692017b4262==
-----END PRIVATE KEY----- -----END PRIVATE KEY-----
``` ```
Create a new file with the name `cert.pk` with the contents of the entire output. Create a new file with the name `cert.pk` with the contents of the entire output.
1. Create a Kubernetes secret to hold your TLS certificate, `cert.pem`, and 1. Create a Kubernetes secret to hold your TLS certificate, `cert.pem`, and
the private key `cert.pk`: the private key `cert.pk`:
NOTE: **Note:** NOTE: **Note:**
Running `kubectl` commands on your cluster requires setting up access to the cluster first. Running `kubectl` commands on your cluster requires setting up access to the cluster first.
For clusters created on GKE, see For clusters created on GKE, see
[GKE Cluster Access](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl). [GKE Cluster Access](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl).
For other platforms, [install `kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/). For other platforms, [install `kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
```sh ```sh
kubectl create --namespace istio-system secret tls istio-ingressgateway-certs \ kubectl create --namespace istio-system secret tls istio-ingressgateway-certs \
--key cert.pk \ --key cert.pk \
--cert cert.pem --cert cert.pem
``` ```
Where `cert.pem` and `cert.pk` are your certificate and private key files. Note that the `istio-ingressgateway-certs` secret name is required. Where `cert.pem` and `cert.pk` are your certificate and private key files. Note that the `istio-ingressgateway-certs` secret name is required.
1. Configure Knative to use the new secret that you created for HTTPS 1. Configure Knative to use the new secret that you created for HTTPS
connections. Run the connections. Run the
following command to open the Knative shared `gateway` in edit mode: following command to open the Knative shared `gateway` in edit mode:
```sh ```sh
kubectl edit gateway knative-ingress-gateway --namespace knative-serving kubectl edit gateway knative-ingress-gateway --namespace knative-serving
``` ```
Update the gateway to include the following tls: section and configuration: Update the gateway to include the following tls: section and configuration:
```sh ```sh
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
``` ```
Example: Example:
```sh ```sh
apiVersion: networking.istio.io/v1alpha3 apiVersion: networking.istio.io/v1alpha3
kind: Gateway kind: Gateway
metadata: metadata:
# ... skipped ... # ... skipped ...
spec: spec:
selector: selector:
istio: ingressgateway istio: ingressgateway
servers: servers:
- hosts: - hosts:
- "*" - "*"
port: port:
name: http name: http
number: 80 number: 80
protocol: HTTP protocol: HTTP
- hosts: - hosts:
- "*" - "*"
port: port:
name: https name: https
number: 443 number: 443
protocol: HTTPS protocol: HTTPS
tls: tls:
mode: SIMPLE mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
``` ```
After your changes are running on your Knative cluster, you can begin using the HTTPS protocol for secure access your deployed Knative services. After your changes are running on your Knative cluster, you can begin using the HTTPS protocol for secure access your deployed Knative services.
In the event a mistake is made during this process and you need to update the cert, you will need to edit the gateway `knative-ingress-gateway` In the event a mistake is made during this process and you need to update the cert, you will need to edit the gateway `knative-ingress-gateway`
to switch back to `PASSTHROUGH` mode. Once corrections are made, edit the file again so the gateway will use the new certificates. to switch back to `PASSTHROUGH` mode. Once corrections are made, edit the file again so the gateway will use the new certificates.
...@@ -241,10 +241,10 @@ The following installation instructions assume you are running Ubuntu: ...@@ -241,10 +241,10 @@ The following installation instructions assume you are running Ubuntu:
Enter <kbd>CTRL</kbd>-<kbd>C</kbd> to quit. Enter <kbd>CTRL</kbd>-<kbd>C</kbd> to quit.
1. Install the certificate from `~/.mitmproxy` to your system: 1. Install the certificate from `~/.mitmproxy` to your system:
```sh ```sh
sudo cp ~/.mitmproxy/mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt sudo cp ~/.mitmproxy/mitmproxy-ca-cert.pem /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt
sudo update-ca-certificates sudo update-ca-certificates
``` ```
If successful, the output should indicate that a certificate was added: If successful, the output should indicate that a certificate was added:
......
...@@ -63,12 +63,12 @@ To display the Deploy Boards for a specific [environment] you should: ...@@ -63,12 +63,12 @@ To display the Deploy Boards for a specific [environment] you should:
1. Have a Kubernetes cluster up and running. 1. Have a Kubernetes cluster up and running.
NOTE: **Running on OpenShift:** NOTE: **Running on OpenShift:**
If you are using OpenShift, ensure that you're using the `Deployment` resource If you are using OpenShift, ensure that you're using the `Deployment` resource
instead of `DeploymentConfiguration`, otherwise the Deploy Boards won't render instead of `DeploymentConfiguration`, otherwise the Deploy Boards won't render
correctly. For more information, read the correctly. For more information, read the
[OpenShift docs](https://docs.openshift.com/container-platform/3.7/dev_guide/deployments/kubernetes_deployments.html#kubernetes-deployments-vs-deployment-configurations) [OpenShift docs](https://docs.openshift.com/container-platform/3.7/dev_guide/deployments/kubernetes_deployments.html#kubernetes-deployments-vs-deployment-configurations)
and [GitLab issue #4584](https://gitlab.com/gitlab-org/gitlab-ee/issues/4584). and [GitLab issue #4584](https://gitlab.com/gitlab-org/gitlab-ee/issues/4584).
1. [Configure GitLab Runner][runners] with the [Docker][docker-exec] or 1. [Configure GitLab Runner][runners] with the [Docker][docker-exec] or
[Kubernetes][kube-exec] executor. [Kubernetes][kube-exec] executor.
...@@ -93,7 +93,7 @@ To display the Deploy Boards for a specific [environment] you should: ...@@ -93,7 +93,7 @@ To display the Deploy Boards for a specific [environment] you should:
To migrate, please apply the required annotations (see above) and To migrate, please apply the required annotations (see above) and
re-deploy your application. re-deploy your application.
![Deploy Boards Kubernetes Label](img/deploy_boards_kubernetes_label.png) ![Deploy Boards Kubernetes Label](img/deploy_boards_kubernetes_label.png)
Once all of the above are set up and the pipeline has run at least once, Once all of the above are set up and the pipeline has run at least once,
navigate to the environments page under **Operations > Environments**. navigate to the environments page under **Operations > Environments**.
......
...@@ -56,9 +56,9 @@ To download a repository using a Deploy Token, you just need to: ...@@ -56,9 +56,9 @@ To download a repository using a Deploy Token, you just need to:
1. Take note of your `username` and `token`. 1. Take note of your `username` and `token`.
1. `git clone` the project using the Deploy Token: 1. `git clone` the project using the Deploy Token:
```sh ```sh
git clone http://<username>:<deploy_token>@gitlab.example.com/tanuki/awesome_project.git git clone http://<username>:<deploy_token>@gitlab.example.com/tanuki/awesome_project.git
``` ```
Replace `<username>` and `<deploy_token>` with the proper values. Replace `<username>` and `<deploy_token>` with the proper values.
......
...@@ -13,15 +13,15 @@ integration services must be enabled. ...@@ -13,15 +13,15 @@ integration services must be enabled.
- Average Memory Usage (MB): - Average Memory Usage (MB):
``` ```
avg(sum(container_memory_usage_bytes{container_name!="POD",pod_name=~"^%{ci_environment_slug}-([^c].*|c([^a]|a([^n]|n([^a]|a([^r]|r[^y])))).*|)-(.*)",namespace="%{kube_namespace}"}) by (job)) without (job) / count(avg(container_memory_usage_bytes{container_name!="POD",pod_name=~"^%{ci_environment_slug}-([^c].*|c([^a]|a([^n]|n([^a]|a([^r]|r[^y])))).*|)-(.*)",namespace="%{kube_namespace}"}) without (job)) /1024/1024 avg(sum(container_memory_usage_bytes{container_name!="POD",pod_name=~"^%{ci_environment_slug}-([^c].*|c([^a]|a([^n]|n([^a]|a([^r]|r[^y])))).*|)-(.*)",namespace="%{kube_namespace}"}) by (job)) without (job) / count(avg(container_memory_usage_bytes{container_name!="POD",pod_name=~"^%{ci_environment_slug}-([^c].*|c([^a]|a([^n]|n([^a]|a([^r]|r[^y])))).*|)-(.*)",namespace="%{kube_namespace}"}) without (job)) /1024/1024
``` ```
- Average CPU Utilization (%): - Average CPU Utilization (%):
``` ```
avg(sum(rate(container_cpu_usage_seconds_total{container_name!="POD",pod_name=~"^%{ci_environment_slug}-([^c].*|c([^a]|a([^n]|n([^a]|a([^r]|r[^y])))).*|)-(.*)",namespace="%{kube_namespace}"}[15m])) by (job)) without (job) / count(sum(rate(container_cpu_usage_seconds_total{container_name!="POD",pod_name=~"^%{ci_environment_slug}-([^c].*|c([^a]|a([^n]|n([^a]|a([^r]|r[^y])))).*|)-(.*)",namespace="%{kube_namespace}"}[15m])) by (pod_name)) avg(sum(rate(container_cpu_usage_seconds_total{container_name!="POD",pod_name=~"^%{ci_environment_slug}-([^c].*|c([^a]|a([^n]|n([^a]|a([^r]|r[^y])))).*|)-(.*)",namespace="%{kube_namespace}"}[15m])) by (job)) without (job) / count(sum(rate(container_cpu_usage_seconds_total{container_name!="POD",pod_name=~"^%{ci_environment_slug}-([^c].*|c([^a]|a([^n]|n([^a]|a([^r]|r[^y])))).*|)-(.*)",namespace="%{kube_namespace}"}[15m])) by (pod_name))
``` ```
## Configuring Prometheus to monitor for Kubernetes metrics ## Configuring Prometheus to monitor for Kubernetes metrics
...@@ -48,12 +48,12 @@ These metrics expect the [Deployment](https://kubernetes.io/docs/concepts/worklo ...@@ -48,12 +48,12 @@ These metrics expect the [Deployment](https://kubernetes.io/docs/concepts/worklo
- Average Memory Usage (MB) - Average Memory Usage (MB)
``` ```
avg(sum(container_memory_usage_bytes{container_name!="POD",pod_name=~"^%{ci_environment_slug}-canary-(.*)",namespace="%{kube_namespace}"}) by (job)) without (job) / count(avg(container_memory_usage_bytes{container_name!="POD",pod_name=~"^%{ci_environment_slug}-canary-(.*)",namespace="%{kube_namespace}"}) without (job)) /1024/1024 avg(sum(container_memory_usage_bytes{container_name!="POD",pod_name=~"^%{ci_environment_slug}-canary-(.*)",namespace="%{kube_namespace}"}) by (job)) without (job) / count(avg(container_memory_usage_bytes{container_name!="POD",pod_name=~"^%{ci_environment_slug}-canary-(.*)",namespace="%{kube_namespace}"}) without (job)) /1024/1024
``` ```
- Average CPU Utilization (%) - Average CPU Utilization (%)
``` ```
avg(sum(rate(container_cpu_usage_seconds_total{container_name!="POD",pod_name=~"^%{ci_environment_slug}-canary-(.*)",namespace="%{kube_namespace}"}[15m])) by (job)) without (job) / count(sum(rate(container_cpu_usage_seconds_total{container_name!="POD",pod_name=~"^%{ci_environment_slug}-canary-(.*)",namespace="%{kube_namespace}"}[15m])) by (pod_name)) avg(sum(rate(container_cpu_usage_seconds_total{container_name!="POD",pod_name=~"^%{ci_environment_slug}-canary-(.*)",namespace="%{kube_namespace}"}[15m])) by (job)) without (job) / count(sum(rate(container_cpu_usage_seconds_total{container_name!="POD",pod_name=~"^%{ci_environment_slug}-canary-(.*)",namespace="%{kube_namespace}"}[15m])) by (pod_name))
``` ```
...@@ -198,7 +198,7 @@ domain name. ...@@ -198,7 +198,7 @@ domain name.
NOTE: **Note:** NOTE: **Note:**
For retrieving artifacts, you can use either the For retrieving artifacts, you can use either the
[URL encoded](../../../api/README.md#namespaced-path-encoding) path of the group [URL encoded](../../../api/README.md#namespaced-path-encoding) path of the group
(e.g., `group%2Fsubgroup`) or the group's ID (e.g., `12`). (e.g., `group%2Fsubgroup`) or the group's ID (e.g., `12`).
### Instance level Maven endpoint ### Instance level Maven endpoint
...@@ -279,59 +279,59 @@ shows how to create a new package each time the `master` branch is updated: ...@@ -279,59 +279,59 @@ shows how to create a new package each time the `master` branch is updated:
Add the server section with the same id you defined in your `pom.xml` file. Add the server section with the same id you defined in your `pom.xml` file.
For example, in our case it's `gitlab-maven`: For example, in our case it's `gitlab-maven`:
```xml ```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <settings xmlns="http://maven.apache.org/SETTINGS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd"> xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
<servers> <servers>
<server> <server>
<id>gitlab-maven</id> <id>gitlab-maven</id>
<configuration> <configuration>
<httpHeaders> <httpHeaders>
<property> <property>
<name>Job-Token</name> <name>Job-Token</name>
<value>${env.CI_JOB_TOKEN}</value> <value>${env.CI_JOB_TOKEN}</value>
</property> </property>
</httpHeaders> </httpHeaders>
</configuration> </configuration>
</server> </server>
</servers> </servers>
</settings> </settings>
``` ```
1. Make sure your `pom.xml` file includes the following: 1. Make sure your `pom.xml` file includes the following:
```xml ```xml
<repositories> <repositories>
<repository> <repository>
<id>gitlab-maven</id> <id>gitlab-maven</id>
<url>https://gitlab.com/api/v4/projects/${env.CI_PROJECT_ID}/packages/maven</url> <url>https://gitlab.com/api/v4/projects/${env.CI_PROJECT_ID}/packages/maven</url>
</repository> </repository>
</repositories> </repositories>
<distributionManagement> <distributionManagement>
<repository> <repository>
<id>gitlab-maven</id> <id>gitlab-maven</id>
<url>https://gitlab.com/api/v4/projects/${env.CI_PROJECT_ID}/packages/maven</url> <url>https://gitlab.com/api/v4/projects/${env.CI_PROJECT_ID}/packages/maven</url>
</repository> </repository>
<snapshotRepository> <snapshotRepository>
<id>gitlab-maven</id> <id>gitlab-maven</id>
<url>https://gitlab.com/api/v4/projects/${env.CI_PROJECT_ID}/packages/maven</url> <url>https://gitlab.com/api/v4/projects/${env.CI_PROJECT_ID}/packages/maven</url>
</snapshotRepository> </snapshotRepository>
</distributionManagement> </distributionManagement>
``` ```
TIP: **Tip:** TIP: **Tip:**
You can either let Maven utilize the CI environment variables or hardcode your project's ID. You can either let Maven utilize the CI environment variables or hardcode your project's ID.
1. Add a `deploy` job to your `.gitlab-ci.yml` file: 1. Add a `deploy` job to your `.gitlab-ci.yml` file:
```yaml ```yaml
deploy: deploy:
image: maven:3.3.9-jdk-8 image: maven:3.3.9-jdk-8
script: script:
- 'mvn deploy -s ci_settings.xml' - 'mvn deploy -s ci_settings.xml'
only: only:
- master - master
``` ```
1. Push those files to your repository. 1. Push those files to your repository.
......
...@@ -36,111 +36,111 @@ operating systems the steps might be slightly different. Follow the ...@@ -36,111 +36,111 @@ operating systems the steps might be slightly different. Follow the
[CertBot instructions](https://certbot.eff.org/) according to your OS. [CertBot instructions](https://certbot.eff.org/) according to your OS.
1. On your computer, open a terminal and navigate to your repository's 1. On your computer, open a terminal and navigate to your repository's
root directory: root directory:
```bash ```bash
cd path/to/dir cd path/to/dir
``` ```
1. Install CertBot (the tool Let's Encrypt uses to issue certificates): 1. Install CertBot (the tool Let's Encrypt uses to issue certificates):
```bash ```bash
brew install certbot brew install certbot
``` ```
1. Request a certificate for your domain (`example.com`) and 1. Request a certificate for your domain (`example.com`) and
provide an email account (`your@email.com`) to receive notifications: provide an email account (`your@email.com`) to receive notifications:
```bash ```bash
sudo certbot certonly -a manual -d example.com --email your@email.com sudo certbot certonly -a manual -d example.com --email your@email.com
``` ```
Alternatively, you can register without adding an e-mail account, Alternatively, you can register without adding an e-mail account,
but you won't be notified about the certificate expiration's date: but you won't be notified about the certificate expiration's date:
```bash ```bash
sudo certbot certonly -a manual -d example.com --register-unsafely-without-email sudo certbot certonly -a manual -d example.com --register-unsafely-without-email
``` ```
TIP: **Tip:** TIP: **Tip:**
Read through CertBot's documentation on their Read through CertBot's documentation on their
[command line options](https://certbot.eff.org/docs/using.html#certbot-command-line-options). [command line options](https://certbot.eff.org/docs/using.html#certbot-command-line-options).
1. You'll be prompted with a message to agree with their terms. 1. You'll be prompted with a message to agree with their terms.
Press `A` to agree and `Y` to let they log your IP. Press `A` to agree and `Y` to let they log your IP.
CertBot will then prompt you with the following message: CertBot will then prompt you with the following message:
```bash ```bash
Create a file containing just this data: Create a file containing just this data:
Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP.HUGNKk82jlsmOOfphlt8Jy69iuglsn095nxOMH9j3Yb Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP.HUGNKk82jlsmOOfphlt8Jy69iuglsn095nxOMH9j3Yb
And make it available on your web server at this URL: And make it available on your web server at this URL:
http://example.com/.well-known/acme-challenge/Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP http://example.com/.well-known/acme-challenge/Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP
Press Enter to Continue Press Enter to Continue
``` ```
1. **Do not press Enter yet.** Let's Encrypt will need to verify your 1. **Do not press Enter yet.** Let's Encrypt will need to verify your
domain ownership before issuing the certificate. To do so, create 3 domain ownership before issuing the certificate. To do so, create 3
consecutive directories under your website's root: consecutive directories under your website's root:
`/.well-known/acme-challenge/Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP/` `/.well-known/acme-challenge/Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP/`
and add to the last folder an `index.html` file containing the content and add to the last folder an `index.html` file containing the content
referred on the previous prompt message: referred on the previous prompt message:
```bash ```bash
Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP.HUGNKk82jlsmOOfphlt8Jy69iuglsn095nxOMH9j3Yb Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP.HUGNKk82jlsmOOfphlt8Jy69iuglsn095nxOMH9j3Yb
``` ```
Note that this file needs to be accessed under Note that this file needs to be accessed under
`http://example.com/.well-known/acme-challenge/Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP` `http://example.com/.well-known/acme-challenge/Rxnv6WKo95hsuLVX3osmT6LgmzsJKSaK9htlPToohOP`
to allow Let's Encrypt to verify the ownership of your domain, to allow Let's Encrypt to verify the ownership of your domain,
therefore, it needs to be part of the website content under the therefore, it needs to be part of the website content under the
repo's [`public`](index.md#how-it-works) folder. repo's [`public`](index.md#how-it-works) folder.
1. Add, commit, and push the file into your repo in GitLab. Once the pipeline 1. Add, commit, and push the file into your repo in GitLab. Once the pipeline
passes, press **Enter** on your terminal to continue issuing your passes, press **Enter** on your terminal to continue issuing your
certificate. CertBot will then prompt you with the following message: certificate. CertBot will then prompt you with the following message:
```bash ```bash
Waiting for verification... Waiting for verification...
Cleaning up challenges Cleaning up challenges
IMPORTANT NOTES: IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at: - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at: Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem /etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-03-12. To obtain a new or tweaked Your cert will expire on 2019-03-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run again. To non-interactively renew *all* of your certificates, run
"certbot renew" "certbot renew"
- If you like Certbot, please consider supporting our work by: - If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le Donating to EFF: https://eff.org/donate-le
``` ```
## Add your certificate to GitLab Pages ## Add your certificate to GitLab Pages
Now that your certificate has been issued, let's add it to your Pages site: Now that your certificate has been issued, let's add it to your Pages site:
1. Back at GitLab, navigate to your project's **Settings > Pages**, 1. Back at GitLab, navigate to your project's **Settings > Pages**,
find your domain and click **Details** and **Edit** to add your certificate. find your domain and click **Details** and **Edit** to add your certificate.
1. From your terminal, copy and paste the certificate into the first field 1. From your terminal, copy and paste the certificate into the first field
**Certificate (PEM)**: **Certificate (PEM)**:
```bash ```bash
sudo cat /etc/letsencrypt/live/example.com/fullchain.pem | pbcopy sudo cat /etc/letsencrypt/live/example.com/fullchain.pem | pbcopy
``` ```
1. Copy and paste the private key into the second field **Key (PEM)**: 1. Copy and paste the private key into the second field **Key (PEM)**:
```bash ```bash
sudo cat /etc/letsencrypt/live/example.com/privkey.pem | pbcopy sudo cat /etc/letsencrypt/live/example.com/privkey.pem | pbcopy
``` ```
1. Click **Save changes** to apply them to your website. 1. Click **Save changes** to apply them to your website.
1. Wait a few minutes for the configuration changes to take effect. 1. Wait a few minutes for the configuration changes to take effect.
......
...@@ -45,94 +45,95 @@ started: ...@@ -45,94 +45,95 @@ started:
1. Generate the private/public key pair with the following command, which will 1. Generate the private/public key pair with the following command, which will
spawn a series of questions: spawn a series of questions:
```sh ```sh
gpg --full-gen-key gpg --full-gen-key
``` ```
NOTE: **Note:** NOTE: **Note:**
In some cases like Gpg4win on Windows and other macOS versions, the command In some cases like Gpg4win on Windows and other macOS versions, the command
here may be `gpg --gen-key`. here may be `gpg --gen-key`.
1. The first question is which algorithm can be used. Select the kind you want 1. The first question is which algorithm can be used. Select the kind you want
or press <kbd>Enter</kbd> to choose the default (RSA and RSA): or press <kbd>Enter</kbd> to choose the default (RSA and RSA):
``` ```
Please select what kind of key you want: Please select what kind of key you want:
(1) RSA and RSA (default) (1) RSA and RSA (default)
(2) DSA and Elgamal (2) DSA and Elgamal
(3) DSA (sign only) (3) DSA (sign only)
(4) RSA (sign only) (4) RSA (sign only)
Your selection? 1 Your selection? 1
``` ```
1. The next question is key length. We recommend to choose the highest value 1. The next question is key length. We recommend to choose the highest value
which is `4096`: which is `4096`:
``` ```
RSA keys may be between 1024 and 4096 bits long. RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096 What keysize do you want? (2048) 4096
Requested keysize is 4096 bits Requested keysize is 4096 bits
``` ```
1. Next, you need to specify the validity period of your key. This is something 1. Next, you need to specify the validity period of your key. This is something
subjective, and you can use the default value which is to never expire: subjective, and you can use the default value which is to never expire:
``` ```
Please specify how long the key should be valid. Please specify how long the key should be valid.
0 = key does not expire 0 = key does not expire
<n> = key expires in n days <n> = key expires in n days
<n>w = key expires in n weeks <n>w = key expires in n weeks
<n>m = key expires in n months <n>m = key expires in n months
<n>y = key expires in n years <n>y = key expires in n years
Key is valid for? (0) 0 Key is valid for? (0) 0
Key does not expire at all Key does not expire at all
``` ```
1. Confirm that the answers you gave were correct by typing `y`: 1. Confirm that the answers you gave were correct by typing `y`:
``` ```
Is this correct? (y/N) y Is this correct? (y/N) y
``` ```
1. Enter you real name, the email address to be associated with this key (should 1. Enter you real name, the email address to be associated with this key (should
match a verified email address you use in GitLab) and an optional comment match a verified email address you use in GitLab) and an optional comment
(press <kbd>Enter</kbd> to skip): (press <kbd>Enter</kbd> to skip):
``` ```
GnuPG needs to construct a user ID to identify your key. GnuPG needs to construct a user ID to identify your key.
Real name: Mr. Robot Real name: Mr. Robot
Email address: <your_email> Email address: <your_email>
Comment: Comment:
You selected this USER-ID: You selected this USER-ID:
"Mr. Robot <your_email>" "Mr. Robot <your_email>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
``` ```
1. Pick a strong password when asked and type it twice to confirm. 1. Pick a strong password when asked and type it twice to confirm.
1. Use the following command to list the private GPG key you just created: 1. Use the following command to list the private GPG key you just created:
``` ```
gpg --list-secret-keys --keyid-format LONG <your_email> gpg --list-secret-keys --keyid-format LONG <your_email>
``` ```
Replace `<your_email>` with the email address you entered above. Replace `<your_email>` with the email address you entered above.
1. Copy the GPG key ID that starts with `sec`. In the following example, that's 1. Copy the GPG key ID that starts with `sec`. In the following example, that's
`30F2B65B9246B6CA`: `30F2B65B9246B6CA`:
``` ```
sec rsa4096/30F2B65B9246B6CA 2017-08-18 [SC] sec rsa4096/30F2B65B9246B6CA 2017-08-18 [SC]
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
uid [ultimate] Mr. Robot <your_email> uid [ultimate] Mr. Robot <your_email>
ssb rsa4096/B7ABC0813E4028C0 2017-08-18 [E] ssb rsa4096/B7ABC0813E4028C0 2017-08-18 [E]
``` ```
1. Export the public key of that ID (replace your key ID from the previous step): 1. Export the public key of that ID (replace your key ID from the previous step):
``` ```
gpg --armor --export 30F2B65B9246B6CA gpg --armor --export 30F2B65B9246B6CA
``` ```
1. Finally, copy the public key and [add it in your profile settings](#adding-a-gpg-key-to-your-account) 1. Finally, copy the public key and [add it in your profile settings](#adding-a-gpg-key-to-your-account)
...@@ -146,17 +147,17 @@ You can add a GPG key in your profile's settings: ...@@ -146,17 +147,17 @@ You can add a GPG key in your profile's settings:
1. On the upper right corner, click on your avatar and go to your **Settings**. 1. On the upper right corner, click on your avatar and go to your **Settings**.
![Settings dropdown](../../../profile/img/profile_settings_dropdown.png) ![Settings dropdown](../../../profile/img/profile_settings_dropdown.png)
1. Navigate to the **GPG keys** tab and paste your _public_ key in the 'Key' 1. Navigate to the **GPG keys** tab and paste your _public_ key in the 'Key'
box. box.
![Paste GPG public key](img/profile_settings_gpg_keys_paste_pub.png) ![Paste GPG public key](img/profile_settings_gpg_keys_paste_pub.png)
1. Finally, click on **Add key** to add it to GitLab. You will be able to see 1. Finally, click on **Add key** to add it to GitLab. You will be able to see
its fingerprint, the corresponding email address and creation date. its fingerprint, the corresponding email address and creation date.
![GPG key single page](img/profile_settings_gpg_keys_single_key.png) ![GPG key single page](img/profile_settings_gpg_keys_single_key.png)
## Associating your GPG key with Git ## Associating your GPG key with Git
...@@ -166,29 +167,29 @@ key to use. ...@@ -166,29 +167,29 @@ key to use.
1. Use the following command to list the private GPG key you just created: 1. Use the following command to list the private GPG key you just created:
```sh ```sh
gpg --list-secret-keys --keyid-format LONG <your_email> gpg --list-secret-keys --keyid-format LONG <your_email>
``` ```
Replace `<your_email>` with the email address you entered above. Replace `<your_email>` with the email address you entered above.
1. Copy the GPG key ID that starts with `sec`. In the following example, that's 1. Copy the GPG key ID that starts with `sec`. In the following example, that's
`30F2B65B9246B6CA`: `30F2B65B9246B6CA`:
``` ```
sec rsa4096/30F2B65B9246B6CA 2017-08-18 [SC] sec rsa4096/30F2B65B9246B6CA 2017-08-18 [SC]
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
uid [ultimate] Mr. Robot <your_email> uid [ultimate] Mr. Robot <your_email>
ssb rsa4096/B7ABC0813E4028C0 2017-08-18 [E] ssb rsa4096/B7ABC0813E4028C0 2017-08-18 [E]
``` ```
1. Tell Git to use that key to sign the commits: 1. Tell Git to use that key to sign the commits:
```sh ```sh
git config --global user.signingkey 30F2B65B9246B6CA git config --global user.signingkey 30F2B65B9246B6CA
``` ```
Replace `30F2B65B9246B6CA` with your GPG key ID. Replace `30F2B65B9246B6CA` with your GPG key ID.
1. (Optional) If Git is using `gpg` and you get errors like `secret key not available` 1. (Optional) If Git is using `gpg` and you get errors like `secret key not available`
or `gpg: signing failed: secret key not available`, run the following command to or `gpg: signing failed: secret key not available`, run the following command to
...@@ -206,9 +207,9 @@ commits: ...@@ -206,9 +207,9 @@ commits:
1. Commit like you used to, the only difference is the addition of the `-S` flag: 1. Commit like you used to, the only difference is the addition of the `-S` flag:
``` ```
git commit -S -m "My commit msg" git commit -S -m "My commit msg"
``` ```
1. Enter the passphrase of your GPG key when asked. 1. Enter the passphrase of your GPG key when asked.
1. Push to GitLab and check that your commits [are verified](#verifying-commits). 1. Push to GitLab and check that your commits [are verified](#verifying-commits).
...@@ -227,13 +228,13 @@ git config --global commit.gpgsign true ...@@ -227,13 +228,13 @@ git config --global commit.gpgsign true
"Verified" or "Unverified", depending on the verification status of the GPG "Verified" or "Unverified", depending on the verification status of the GPG
signature. signature.
![Signed and unsigned commits](img/project_signed_and_unsigned_commits.png) ![Signed and unsigned commits](img/project_signed_and_unsigned_commits.png)
1. By clicking on the GPG badge, details of the signature are displayed. 1. By clicking on the GPG badge, details of the signature are displayed.
![Signed commit with verified signature](img/project_signed_commit_verified_signature.png) ![Signed commit with verified signature](img/project_signed_commit_verified_signature.png)
![Signed commit with verified signature](img/project_signed_commit_unverified_signature.png) ![Signed commit with verified signature](img/project_signed_commit_unverified_signature.png)
## Revoking a GPG key ## Revoking a GPG key
......
...@@ -54,50 +54,50 @@ removed from the repository. ...@@ -54,50 +54,50 @@ removed from the repository.
1. Navigate to your repository: 1. Navigate to your repository:
``` ```
cd my_repository/ cd my_repository/
``` ```
1. Change to the branch you want to remove the big file from: 1. Change to the branch you want to remove the big file from:
``` ```
git checkout master git checkout master
``` ```
1. Create a commit removing the large file from the branch, if it still exists: 1. Create a commit removing the large file from the branch, if it still exists:
``` ```
git rm path/to/big_file.mpg git rm path/to/big_file.mpg
git commit -m 'Remove unneeded large file' git commit -m 'Remove unneeded large file'
``` ```
1. Rewrite history: 1. Rewrite history:
``` ```
bfg --delete-files path/to/big_file.mpg bfg --delete-files path/to/big_file.mpg
``` ```
An object map file will be written to `object-id-map.old-new.txt`. Keep it An object map file will be written to `object-id-map.old-new.txt`. Keep it
around - you'll need it for the final step! around - you'll need it for the final step!
1. Force-push the changes to GitLab: 1. Force-push the changes to GitLab:
``` ```
git push --force-with-lease origin master git push --force-with-lease origin master
``` ```
If this step fails, someone has changed the `master` branch while you were If this step fails, someone has changed the `master` branch while you were
rewriting history. You could restore the branch and re-run BFG to preserve rewriting history. You could restore the branch and re-run BFG to preserve
their changes, or use `git push --force` to overwrite their changes. their changes, or use `git push --force` to overwrite their changes.
1. Navigate to **Project > Settings > Repository > Repository Cleanup**: 1. Navigate to **Project > Settings > Repository > Repository Cleanup**:
![Repository settings cleanup form](img/repository_cleanup.png) ![Repository settings cleanup form](img/repository_cleanup.png)
Upload the `object-id-map.old-new.txt` file and press **Start cleanup**. Upload the `object-id-map.old-new.txt` file and press **Start cleanup**.
This will remove any internal git references to the old commits, and run This will remove any internal git references to the old commits, and run
`git gc` against the repository. You will receive an email once it has `git gc` against the repository. You will receive an email once it has
completed. completed.
NOTE: **Note:** NOTE: **Note:**
This process will remove some copies of the rewritten commits from GitLab's This process will remove some copies of the rewritten commits from GitLab's
...@@ -110,32 +110,32 @@ purposes! ...@@ -110,32 +110,32 @@ purposes!
1. Navigate to your repository: 1. Navigate to your repository:
``` ```
cd my_repository/ cd my_repository/
``` ```
1. Change to the branch you want to remove the big file from: 1. Change to the branch you want to remove the big file from:
``` ```
git checkout master git checkout master
``` ```
1. Use `filter-branch` to remove the big file: 1. Use `filter-branch` to remove the big file:
``` ```
git filter-branch --force --tree-filter 'rm -f path/to/big_file.mpg' HEAD git filter-branch --force --tree-filter 'rm -f path/to/big_file.mpg' HEAD
``` ```
1. Instruct Git to purge the unwanted data: 1. Instruct Git to purge the unwanted data:
``` ```
git reflog expire --expire=now --all && git gc --prune=now --aggressive git reflog expire --expire=now --all && git gc --prune=now --aggressive
``` ```
1. Lastly, force push to the repository: 1. Lastly, force push to the repository:
``` ```
git push --force origin master git push --force origin master
``` ```
Your repository should now be below the size limit. Your repository should now be below the size limit.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment