Commit b4de23a6 authored by Evan Read

Merge branch 'docs-add-existing-cluster-fixup' into 'master'

Docs: Improve add existing cluster section

See merge request gitlab-org/gitlab-ce!26266
parents 66054aeb 882b6479
...@@ -101,14 +101,20 @@ To add an existing Kubernetes cluster to your project: ...@@ -101,14 +101,20 @@ To add an existing Kubernetes cluster to your project:
It's the URL that GitLab uses to access the Kubernetes API. Kubernetes It's the URL that GitLab uses to access the Kubernetes API. Kubernetes
exposes several APIs, we want the "base" URL that is common to all of them, exposes several APIs, we want the "base" URL that is common to all of them,
e.g., `https://kubernetes.example.com` rather than `https://kubernetes.example.com/api/v1`. e.g., `https://kubernetes.example.com` rather than `https://kubernetes.example.com/api/v1`.
Get the API URL by running this command:
```sh
kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}'
```
- **CA certificate** (required) - A valid Kubernetes certificate is needed to authenticate to the EKS cluster. We will use the certificate created by default. - **CA certificate** (required) - A valid Kubernetes certificate is needed to authenticate to the EKS cluster. We will use the certificate created by default.
- List the secrets with `kubectl get secrets`, and one should named similar to - List the secrets with `kubectl get secrets`, and one should named similar to
`default-token-xxxxx`. Copy that token name for use below. `default-token-xxxxx`. Copy that token name for use below.
- Get the certificate by running this command: - Get the certificate by running this command:
```sh ```sh
kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode
``` ```
- **Token** - - **Token** -
GitLab authenticates against Kubernetes using service tokens, which are GitLab authenticates against Kubernetes using service tokens, which are
scoped to a particular `namespace`. scoped to a particular `namespace`.
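Review bot: The added API URL command parses human-readable output: `grep 'Kubernetes master' | awk '/http/ {print $NF}'` returns nothing if that label is worded differently in the `kubectl cluster-info` output, and the reader gets an empty value with no error. Say in the text which output line is expected to match, and drop the redundant `grep`, since `awk` can match the label itself (`awk '/Kubernetes master/ {print $NF}'`). In the surrounding context lines, "one should named similar to" is missing "be", and the CA certificate bullet says "the EKS cluster" although the section covers any existing cluster; both are worth fixing in the same pass.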
...@@ -124,23 +130,7 @@ To add an existing Kubernetes cluster to your project: ...@@ -124,23 +130,7 @@ To add an existing Kubernetes cluster to your project:
metadata: metadata:
name: gitlab-admin name: gitlab-admin
namespace: kube-system namespace: kube-system
``` ---
2. Apply the service account to your cluster:
```bash
kubectl apply -f gitlab-admin-service-account.yaml
```
Output:
```bash
serviceaccount "gitlab-admin" created
```
3. Create a file called `gitlab-admin-cluster-role-binding.yaml` with contents:
```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
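Review bot: With the `ClusterRoleBinding` now appended after `---`, the file created in this step holds two objects, but the apply step later in the patch still names it `gitlab-admin-service-account.yaml`. Rename the file to something neutral, or state in the step text that it contains both the service account and the binding. Since this block is being touched anyway, also consider whether `rbac.authorization.k8s.io/v1beta1` should be the stable `rbac.authorization.k8s.io/v1`.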
...@@ -155,41 +145,42 @@ To add an existing Kubernetes cluster to your project: ...@@ -155,41 +145,42 @@ To add an existing Kubernetes cluster to your project:
namespace: kube-system namespace: kube-system
``` ```
4. Apply the cluster role binding to your cluster: 1. Apply the service account and cluster role binding to your cluster:
```bash ```bash
kubectl apply -f gitlab-admin-cluster-role-binding.yaml kubectl apply -f gitlab-admin-service-account.yaml
``` ```
Output: Output:
```bash ```bash
serviceaccount "gitlab-admin" created
clusterrolebinding "gitlab-admin" created clusterrolebinding "gitlab-admin" created
``` ```
5. Retrieve the token for the `gitlab-admin` service account: 1. Retrieve the token for the `gitlab-admin` service account:
```bash ```bash
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}') kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep gitlab-admin | awk '{print $1}')
``` ```
Copy the `<authentication_token>` value from the output: Copy the `<authentication_token>` value from the output:
```yaml ```yaml
Name: gitlab-admin-token-b5zv4 Name: gitlab-admin-token-b5zv4
Namespace: kube-system Namespace: kube-system
Labels: <none> Labels: <none>
Annotations: kubernetes.io/service-account.name=gitlab-admin Annotations: kubernetes.io/service-account.name=gitlab-admin
kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8 kubernetes.io/service-account.uid=bcfe66ac-39be-11e8-97e8-026dce96b6e8
Type: kubernetes.io/service-account-token Type: kubernetes.io/service-account-token
Data Data
==== ====
ca.crt: 1025 bytes ca.crt: 1025 bytes
namespace: 11 bytes namespace: 11 bytes
token: <authentication_token> token: <authentication_token>
``` ```
NOTE: **Note:** NOTE: **Note:**
For GKE clusters, you will need the For GKE clusters, you will need the
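Review bot: In the token step, `grep gitlab-admin` matches every secret in `kube-system` whose name contains that string, so `describe secret` can print more than one token and the reader cannot tell which to copy. Match on the `gitlab-admin-token-` prefix shown in the sample output, and add a sentence saying that the command prints the token in clear text to the terminal. Two smaller points: the sample `describe` output is fenced as `yaml` and the command output as `bash`, though neither is; and every step is now numbered `1.`, so any prose that refers to a step by its number should be checked.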
...@@ -212,14 +203,6 @@ To add an existing Kubernetes cluster to your project: ...@@ -212,14 +203,6 @@ To add an existing Kubernetes cluster to your project:
After a couple of minutes, your cluster will be ready to go. You can now proceed After a couple of minutes, your cluster will be ready to go. You can now proceed
to install some [pre-defined applications](#installing-applications). to install some [pre-defined applications](#installing-applications).
To determine the:
- API URL, run `kubectl cluster-info | grep 'Kubernetes master' | awk '/http/ {print $NF}'`.
- Token:
1. List the secrets by running: `kubectl get secrets`. Note the name of the secret you need the token for.
1. Get the token for the appropriate secret by running: `kubectl get secret <SECRET_NAME> -o jsonpath="{['data']['token']}" | base64 --decode`.
- CA certificate, run `kubectl get secret <secret name> -o jsonpath="{['data']['ca\.crt']}" | base64 --decode`.
## Security implications ## Security implications
CAUTION: **Important:** CAUTION: **Important:**
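Review bot: The removed list carried the only command that prints just the token, `kubectl get secret <SECRET_NAME> -o jsonpath="{['data']['token']}" | base64 --decode`, and none of the hunks shown adds it back; the API URL command is re-added under its field and the CA certificate command was already there. If dropping it is intended because the numbered steps use `describe secret`, say so in the merge request; otherwise move it under the **Token** field like the other two. The removed lines also mixed `<SECRET_NAME>` and `<secret name>`; the surviving command uses `<secret name>`, so keep to that form.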
......