-
Notifications
You must be signed in to change notification settings - Fork 2
GitLabQuickNotes
ganster-q1 edited this page Jan 28, 2026
·
6 revisions
- Deploy the GitLab Helm chart
- GitLab Helm chart deployment options
- Setup gitlab on minikube using helm3
- GitLab on minikube
- name resolve helpers
- PSA : Earlier I mentioned nip.io for DNS. Do not use it, the owner of the company passed away
- nip.io & sslip.io
-
traefik.me runs a custom DNS server on the public Internet.
- When your computer looks up a traefik.me domain, the traefik.me DNS server extracts the IP address from the domain and sends it back in the response.
- Let's Encrypt - Encryption for Everybody
helm upgrade --install gitlab gitlab/gitlab -f https://gitlab.com/charts/gitlab/raw/master/examples/values-minikube-minimum.yaml --timeout 600s --set global.hosts.domain=$(minikube ip).traefik.me --set global.hosts.externalIP=$(minikube ip)kubectl get secret gitlab-wildcard-tls-ca -ojsonpath='{.data.cfssl_ca}' | base64 --decode > gitlab.192.168.49.2.traefik.me.ca.pem- wait 8-10 min for everything to get installed
- kubectl get pods
-
curl https://gitlab.192.168.49.2.traefik.me/- successfull response:
curl: (60) SSL certificate problem: unable to get local issuer certificate
- successfull response:
- kubectl get secret gitlab-gitlab-initial-root-password -ojsonpath='{.data.password}' | base64 --decode ; echo
- Generates the root password
- 0xQClXt0dQebybcpMMLtVYcN9Ajn9PhGhdUneRcLeteNF31CqeVyMnoU0rXiW51y
- Generates the root password
-
TODO Read: Get started with GitLab Runner
-
Create the runner token on the gitlab server
- login as root
- click the 'Admin' button at the bottom of the right pane
- click 'CI/CD' in the right pane
- Click 'Runners'
- Click 'Create instance runner' in the top right
- tags: k8s
- Enable Run untagges jobs
- Runner description: My first runner
- Maximum job timeout: ?
- Click 'Create runner' button
--token glrt-KhhyY1iYqBp2GvR13w7qbW86MQp0OjEKdToxCw.01.121dpwqf0
helm repo add gitlab https://charts.gitlab.io
helm repo update- create a secret with the gitlab root cert
- kubectl create secret generic gitlab-ca --from-file=gitlab.192.168.49.2.traefik.me.crt=${HOME}/gitlab.192.168.49.2.traefik.me.ca.pem --namespace=gitlabrunner
- kubectl create secret generic gitlab-ca --from-file=ca.crt=${HOME}/gitlab.192.168.49.2.traefik.me.ca.pem --namespace=gitlabrunner
values.yaml - offical values.yaml file
gitlabUrl: https://gitlab.192.168.49.2.traefik.me
certsSecretName: gitlab-ca
runnerRegistrationToken: "glrt-KhhyY1iYqBp2GvR13w7qbW86MQp0OjEKdToxCw.01.121dpwqf0"
rbac:
create: true
runners:
privileged: true-
TODO see if I can run this without privileged: true
-
helm install --namespace gitlabrunner --create-namespace -f values.yaml gitlab-runner gitlab/gitlab-runner
$ helm install --namespace gitlabrunner --create-namespace -f ~/tmp/gitlab_runner_values.yaml gitlab-runner gitlab/gitlab-runner
NAME: gitlab-runner
LAST DEPLOYED: Thu Aug 7 15:28:28 2025
NAMESPACE: gitlabrunner
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Your GitLab Runner should now be registered against the GitLab instance reachable at: "https://gitlab.192.168.49.2.traefik.me"
Runner namespace "gitlabrunner" was found in runners.config template.
#############################################################################################
## WARNING: You enabled `rbac` without specifying if a service account should be created. ##
## Please set `serviceAccount.create` to either `true` or `false`. ##
## For backwards compatibility a service account will be created. ##
#############################################################################################
- helm --namespace gitlabrunner get all gitlab-runner
- kubectl get secret gitlab-ca -n gitlabrunner -o jsonpath="{.data.ca.crt}" | base64 -d | openssl x509 -text -noout
helm uninstall gitlab-runner --namespace gitlabrunner kg delete secret gitlab-ca
docker run --rm -it -v ~/.kube/config:/root/.kube/config quay.io/derailed/k9s
- minikube start
- minikube addons enable ingress
- kubectl config current-context
- kubectl get nodes
- create a Let’s Encrypt account?
helm repo add gitlab https://charts.gitlab.io/
helm repo update
helm upgrade --install gitlab gitlab/gitlab \
--timeout 600s \
--set global.hosts.domain=$(minikube ip).traefik.me \
--set global.hosts.externalIP=$(minikube ip) \
--set certmanager-issuer.email=me@example.com- global.hosts.domain - Domain name that will be used for all publicly exposed services.
- TODO what does that mean?
- global.hosts.externalIP - global.hosts.externalIP
- TODO what does that mean?
- certmanager-issuer.email - Email for Let’s Encrypt account
- sudo mkdir -p /srv/gitlab
- sudo chown ${USERNAME}:${USERNAME} /srv/gitlab
- export GITLAB_HOME=/srv/gitlab
- sudo docker run --detach
--hostname gitlab.example.com
--publish 443:443 --publish 80:80 --publish 22:22
--name gitlab
--restart always
--volume $GITLAB_HOME/config:/etc/gitlab
--volume $GITLAB_HOME/logs:/var/log/gitlab
--volume $GITLAB_HOME/data:/var/opt/gitlab
gitlab/gitlab-ce:latest
root password at: /etc/gitlab/initial_root_password
-
login to gitlab as an admin
-
click 'Admin Area' in the bottom of the left pane.
-
click 'Runners' under 'CI/CD'
-
fill out the information, click 'create'
- when you click create for some reason it tries to reach example.gitlab.com ????
- in the browser bar change the 'gitlab.example.com' part to the address of your gitlab server
-
on the client
- ssh-keygen -t rsa -b 2048
gitlab-runner register --url http://172.17.0.2 --token glrt-QhEwbZeBJhMiifAK2ae--
choose an executor
- try ssh
- address: 172.17.0.3
- port: 22
- ssh user: gitlab-runner
- password: SuperSecret
- why on earth doesn't it use ssh-id?
- Path to ssh id: /home/gitlab-runner/.ssh/id_rsa.pub
- is this on the runner or the server?
- try ssh
- ssh-keyscan -H 172.17.0.2 >/home/gitlab-runner/.ssh/known_hosts
- gitlab-runner run
/home/gitlab-runner/.gitlab-runner/config.toml
concurrent = 1
check_interval = 0
shutdown_timeout = 0
[session_server]
session_timeout = 1800
[[runners]]
name = "first-runner"
url = "http://172.17.0.2"
id = 2
token = "glrt-QhEwbZeBJhMiifAK2ae-"
token_obtained_at = 2024-08-04T11:37:50Z
token_expires_at = 0001-01-01T00:00:00Z
executor = "ssh"
[runners.custom_build_dir]
[runners.cache]
MaxUploadedArchiveSize = 0
[runners.cache.s3]
[runners.cache.gcs]
[runners.cache.azure]
[runners.ssh]
user = "gitlab-runner"
password = "SuperSecret"
host = "172.17.0.3"
port = "22"
identity_file = "/home/gitlab-runner/.ssh/id_rsa"sudo gitlab-runner register --url http://gitlab.example.com/ --registration-token J5orBtNsggdjYohmcvx3
-
- 'compliance center' is under the 'secure' entry for the Group.
-
How do we enroll a project in the compliance framework? Do we mannually add it to the framwork via the compliance center?
- find it under the repo in the left pane: Deploye -> Package registry
#!/usr/bin/bash
# ./base_image/upload_package.sh eza 0.23.4 eza ~/tmp/eza
# Expected return value: {"message":"201 Created"}%
TOKEN_FILE="${HOME}/.tokens/gitlab_macau_setup_api"
PROJECT_ID="TODO_COMPANY_ID"
REPO_NAME="TODO_REPO_NAME"
PACKAGE_NAME=$1
PACKAGE_VERSION="$2"
PACKAGE_FILENAME="$3"
UPLOAD_FILENAME="$4"
if [[ -z "$4" ]]; then
echo "!!! parameters missing, please use:"
echo " $0 PACKAGE_NAME PACKAGE_VERSION PACKAGE_FILENAME UPLOAD_FILENAME"
exit 1
fi
if [[ -z "${GITLAB_TOKEN}" ]]; then
echo "III GITLAB_TOKEN read from ENV"
if [[ -f "${TOKEN_FILE}" ]];then
GITLAB_TOKEN=$(head -1 "${TOKEN_FILE}")
echo "III GITLAB_TOKEN read from ${TOKEN_FILE}"
else
echo "!!! GITLAB_TOKEN env var not set and file does not exist: ${TOKEN_FILE}"
exit 1
fi
fi
curl --header "PRIVATE-TOKEN: $GITLAB_TOKEN" --upload-file "${UPLOAD_FILENAME}" "https://gitlab.com/api/v4/projects/${PROJECT_ID}%2F${REPO_NAME}/packages/generic/${PACKAGE_NAME}/${PACKAGE_VERSION}/${PACKAGE_FILENAME}"- Token name: macau_setup_api
- Token description: Used for package registry access.
- Expiration date: ?
- Select a role: Developer