Gitlab with Kubernetes

Getting EasyRSA

The easyrsa directory is there to house a PKI used for certifying the various servers used in this project.

You must first install or download the EasyRSA package. On macOS with Homebrew you can do so with the following commands:

brew install easy-rsa

Other platforms may have their own packaging system equivalents, however please note that this documentation is based on EasyRSA version 3 or better. In general, you can find the distribution for EasyRSA on its Github releases page. You need to set the EASYRSA_PKI variable in your environment to point to the easyrsa directory before running the easyrsa command to ensure that the generated PKI is placed there:

# Linux.
export EASYRSA_PKI=$(readlink -f easyrsa)

# macOS.
export EASYRSA_PKI="$(pwd -P)/easyrsa"

# Windows/PowerShell.
$env:EASYRSA_PKI = Resolve-Path easyrsa

Generating Certificates

Follow the steps below to generate a certificate authority and the required certificates. Those are for UNIX-like operating systems. Ensure that the EASYRSA_PKI environment variable is set up correctly.

# Initialise the PKI directory.
easyrsa init-pki

# Initialise the CA.
# You will be prompted to enter a password for the CA root certificate. Remember it.
easyrsa build-ca

# Generate a signing request for the Gitlab instance.
# Enter a memorable password when prompted.
easyrsa gen-req

# Sign the request.
# Enter the CA root certificate password when prompted.
easyrsa sign-req server

# Generate a signing request for the Harbor instance.
# Enter a memorable password when prompted.
easyrsa gen-req

# Sign the request.
# Enter the CA root certificate password when prompted.
easyrsa sign-req server

# Decrypt the private keys for the issued certificates for later use in Gitlab and Harbor setup.
openssl rsa -in easyrsa/private/ -out easyrsa/private/
openssl rsa -in easyrsa/private/ -out easyrsa/private/
chmod 0600 easyrsa/private/
chmod 0600 easyrsa/private/

# Copy the certificates in place for the provisioning of VMs.
cp easyrsa/ca.crt vagrant-k8s/provisioning/roles/k8s/files/ca.crt
cp easyrsa/ca.crt vagrant-gitlab/provisioning/roles/common/files/ca.crt
cp easyrsa/private/ vagrant-gitlab/provisioning/roles/common/files/
cp easyrsa/issued/ vagrant-gitlab/provisioning/roles/common/files/
# Harbor
cp easyrsa/private/ harbor/config/ssl/certs/
cp easyrsa/issued/ harbor/config/ssl/certs/

Note on Vagrant Providers

You must install Vagrant on the host machine for any of this to work.

The configuration implies you are using Oracle VirtualBox. If you are using a different provider you must set the environment variable PROVIDER. Example follows below.

# To use the default VirtualBox provider.
vagrant up

# To use the Parallels provider on macOS.
# Before first use ensure you have installed the plugin.
vagrant plugin install vagrant-parallels
# Set the environment variable.
export PROVIDER=parallels
vagrant up

Bring Up a Deployment

First, create the Kubernetes cluster by running the appropriate vagrant up command(s) in the vagrant-k8s directory. Please see the file in the vagrant-k8s directory for information on how to use the deployment.

Provided Kubernetes is up and functioning correctly, create the Gitlab and the runner VMs. To do so, run vagrant up in the vagrant-gitlab directory.