GitLabQuickNotes - henk52/knowledgesharing GitHub Wiki

Gitlab

Introduction

Purpose

References

Installing gitlab

Deploy the GitLab Helm chart

Minimal helm installation

  • helm upgrade --install gitlab gitlab/gitlab -f https://gitlab.com/charts/gitlab/raw/master/examples/values-minikube-minimum.yaml --timeout 600s --set global.hosts.domain=$(minikube ip).traefik.me --set global.hosts.externalIP=$(minikube ip)
  • kubectl get secret gitlab-wildcard-tls-ca -ojsonpath='{.data.cfssl_ca}' | base64 --decode > gitlab.192.168.49.2.traefik.me.ca.pem
  • wait 8-10 min for everything to get installed
    • kubectl get pods
  • curl https://gitlab.192.168.49.2.traefik.me/
    • successful response (GitLab is answering; curl does not yet trust the chart's self-signed CA): curl: (60) SSL certificate problem: unable to get local issuer certificate
  • kubectl get secret gitlab-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo
    • Prints the initial root password
      • 0xQClXt0dQebybcpMMLtVYcN9Ajn9PhGhdUneRcLeteNF31CqeVyMnoU0rXiW51y

Add gitlab runner

--token glrt-KhhyY1iYqBp2GvR13w7qbW86MQp0OjEKdToxCw.01.121dpwqf0

helm repo add gitlab https://charts.gitlab.io
helm repo update
  • create a secret with the gitlab root cert
    • kubectl create secret generic gitlab-ca --from-file=gitlab.192.168.49.2.traefik.me.crt=${HOME}/gitlab.192.168.49.2.traefik.me.ca.pem --namespace=gitlabrunner
    • kubectl create secret generic gitlab-ca --from-file=ca.crt=${HOME}/gitlab.192.168.49.2.traefik.me.ca.pem --namespace=gitlabrunner

values.yaml - official values.yaml file

gitlabUrl: https://gitlab.192.168.49.2.traefik.me
certsSecretName: gitlab-ca
runnerRegistrationToken: "glrt-KhhyY1iYqBp2GvR13w7qbW86MQp0OjEKdToxCw.01.121dpwqf0"
rbac:
    create: true
runners:
    privileged: true
  • TODO see if I can run this without privileged: true

  • helm install --namespace gitlabrunner --create-namespace -f values.yaml gitlab-runner gitlab/gitlab-runner

$ helm install --namespace gitlabrunner --create-namespace -f  ~/tmp/gitlab_runner_values.yaml gitlab-runner gitlab/gitlab-runner
NAME: gitlab-runner
LAST DEPLOYED: Thu Aug  7 15:28:28 2025
NAMESPACE: gitlabrunner
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Your GitLab Runner should now be registered against the GitLab instance reachable at: "https://gitlab.192.168.49.2.traefik.me"

Runner namespace "gitlabrunner" was found in runners.config template.

#############################################################################################
## WARNING: You enabled `rbac` without specifying if a service account should be created.  ##
## Please set `serviceAccount.create` to either `true` or `false`.                         ##
## For backwards compatibility a service account will be created.                          ##
#############################################################################################
  • helm --namespace gitlabrunner get all gitlab-runner

Troubleshooting gitlab-runner

  • kubectl get secret gitlab-ca -n gitlabrunner -o jsonpath="{.data.ca.crt}" | base64 -d | openssl x509 -text -noout

Remove

helm uninstall gitlab-runner --namespace gitlabrunner
kg delete secret gitlab-ca

docker run --rm -it -v ~/.kube/config:/root/.kube/config quay.io/derailed/k9s

Maximum installation

  • minikube start
  • minikube addons enable ingress
  • kubectl config current-context
  • kubectl get nodes
  • create a Let’s Encrypt account?
helm repo add gitlab https://charts.gitlab.io/
helm repo update
helm upgrade --install gitlab gitlab/gitlab \
  --timeout 600s \
  --set global.hosts.domain=$(minikube ip).traefik.me \
  --set global.hosts.externalIP=$(minikube ip) \
  --set certmanager-issuer.email=<your-email>
  • global.hosts.domain - Domain name that will be used for all publicly exposed services.
    • TODO what does that mean?
  • global.hosts.externalIP - global.hosts.externalIP
    • TODO what does that mean?
  • certmanager-issuer.email - Email for Let’s Encrypt account

Installing a docker gitlab

gitlab docker

  1. sudo mkdir -p /srv/gitlab
  2. sudo chown ${USERNAME}:${USERNAME} /srv/gitlab
  3. export GITLAB_HOME=/srv/gitlab
  4. sudo docker run --detach \
    --hostname gitlab.example.com \
    --publish 443:443 --publish 80:80 --publish 22:22 \
    --name gitlab \
    --restart always \
    --volume $GITLAB_HOME/config:/etc/gitlab \
    --volume $GITLAB_HOME/logs:/var/log/gitlab \
    --volume $GITLAB_HOME/data:/var/opt/gitlab \
    gitlab/gitlab-ce:latest

root password at: /etc/gitlab/initial_root_password

Install GitLab Runner

create the docker image

Register the runner on the gitlab server

  • login to gitlab as an admin

  • click 'Admin Area' at the bottom of the left pane.

  • click 'Runners' under 'CI/CD'

  • fill out the information, click 'create'

    • when you click create for some reason it tries to reach example.gitlab.com ????
    • in the browser bar change the 'gitlab.example.com' part to the address of your gitlab server
  • on the client

    • ssh-keygen -t rsa -b 2048
    • gitlab-runner register --url http://172.17.0.2 --token glrt-QhEwbZeBJhMiifAK2ae-
    • choose an executor
      • try ssh
        • address: 172.17.0.3
        • port: 22
        • ssh user: gitlab-runner
        • password: SuperSecret
          • why on earth doesn't it use ssh-id?
        • Path to ssh id: /home/gitlab-runner/.ssh/id_rsa.pub
          • is this on the runner or the server?
    • ssh-keyscan -H 172.17.0.2 >/home/gitlab-runner/.ssh/known_hosts
    • gitlab-runner run

/home/gitlab-runner/.gitlab-runner/config.toml

concurrent = 1
check_interval = 0
shutdown_timeout = 0

[session_server]
  session_timeout = 1800

[[runners]]
  name = "first-runner"
  url = "http://172.17.0.2"
  id = 2
  token = "glrt-QhEwbZeBJhMiifAK2ae-"
  token_obtained_at = 2024-08-04T11:37:50Z
  token_expires_at = 0001-01-01T00:00:00Z
  executor = "ssh"
  [runners.custom_build_dir]
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.ssh]
    user = "gitlab-runner"
    password = "SuperSecret"
    host = "172.17.0.3"
    port = "22"
    identity_file = "/home/gitlab-runner/.ssh/id_rsa"

registration token, deprecated in 15.6

  • sudo gitlab-runner register --url http://gitlab.example.com/ --registration-token J5orBtNsggdjYohmcvx3

Introduction to gitlab

logging