Tags: kubernetes, deployment, gitlab-ci, kubernetes-helm

How to deploy on minikube from Gitlab and Helm


I'm trying to deploy a Java Spring project on my local minikube using a gitlab-ci pipeline, but I keep getting:

ERROR: Job failed (system failure): prepare environment: setting up credentials: secrets is forbidden: User "system:serviceaccount:maverick:default" cannot create resource "secrets" in API group "" in the namespace "maverick". Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information

I've installed gitlab-runner on the "maverick" namespace

apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-runner
  namespace: maverick
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gitlab-runner
  namespace: maverick
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/attach"]
    verbs: ["list", "get", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "get", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list", "get", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitlab-runner
  namespace: maverick
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: maverick
subjects:
- namespace: maverick
  kind: ServiceAccount
  name: gitlab-runner

and the values

gitlabUrl: https://gitlab.com/
runnerRegistrationToken: ".... my token .... "

runners:
  privileged: false
  tags: k8s
  serviceAccountName: gitlab-runner

My gitlab-ci.yml is like this:

docker-build-job:
  stage: docker-build
  image: $MAVEN_IMAGE
  script:
    - mvn jib:build -Djib.to.image=${CI_REGISTRY_IMAGE}:latest -Djib.to.auth.username=${CI_REGISTRY_USER} -Djib.to.auth.password=${CI_REGISTRY_PASSWORD}

deploy-job:
  image: alpine/helm:3.2.1
  stage: deploy
  tags:
    - k8s
  script:
    - helm upgrade ${APP_NAME} ./charts --install --values=./charts/values.yaml --namespace ${APP_NAME}
  rules:
    - if: $CI_COMMIT_BRANCH == 'master'
      when: always

And the chart folder has the deployment.yaml like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: maverick
  namespace: maverick
spec:
  replicas: 1
  selector:
    matchLabels:
      app: maverick
  template:
    metadata:
      labels:
        app: maverick
    spec:
      containers:
        - name: maverick
          image: registry.gitlab.com/gfalco77/maverick:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8001
      imagePullSecrets:
        - name: registry-credentials
---
apiVersion: v1
kind: Service
metadata:
  name: maverick
spec:
  ports:
    - name: maverick
      port: 8001
      targetPort: 8001
      protocol: TCP
  selector:
    app: maverick

There's also a registry-credentials secret, which I created according to https://chris-vermeulen.com/using-gitlab-registry-with-kubernetes/ and which is installed in the maverick namespace:

apiVersion: v1
kind: Secret
metadata:
  name: registry-credentials
  namespace: maverick
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: .. base64 creds ..

I can see the gitlab-runner has the permissions on apiGroup "" for create, but it still seems it can't download the image from the registry, maybe; I'm not sure what is wrong?

Thanks in advance


Solution

Problem solved adding the following ClusterRole and ClusterRoleBinding, especially the second one with name "default". After this the job in gitlab continues and then tries to use the user system:serviceaccount:maverick:gitlab-runner, but it fails on something else I need to figure out.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitlab-runner  # custom name: "cluster-admin" is a built-in ClusterRole, and reusing that name would overwrite the built-in rules
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "get", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/attach"]
    verbs: ["list", "get", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "watch", "get", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list", "get", "watch", "create", "delete", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-runner
subjects:
  - kind: ServiceAccount
    name: gitlab-runner
    namespace: maverick
roleRef: # referring to your ClusterRole
  kind: ClusterRole
  name: gitlab-runner
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-runner-default  # distinct name: two bindings with the same name would overwrite each other on apply
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitlab-runner
subjects:
  - kind: ServiceAccount
    name: default
    namespace: maverick
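The runner's error ("User system:serviceaccount:maverick:default cannot create resource secrets") is an RBAC question, and both the question's manifests and the cluster-wide fix above contain mistakes that the API server accepts without complaint. The following checker is an added example, not code from the question or the answer: it evaluates RBAC objects in memory the way `kubectl auth can-i --as=system:serviceaccount:<ns>:<name>` does, and lints them for a roleRef that names a Role which does not exist, a ClusterRole that reuses a built-in name, duplicate object names, and bindings on a namespace's `default` ServiceAccount. It assumes objects in the JSON shape `kubectl get <kind> -o json` emits (the entries of its `items` list); the sample manifests are constructed for this example, modelled on the question's Role/RoleBinding (whose roleRef says `maverick` while the Role is called `gitlab-runner`) and on a cluster-scoped fix that reuses the built-in name `cluster-admin`.

```python
# Added example, not from the question or answer: an RBAC checker over the JSON that
# `kubectl get <kind> -o json` emits (its `items` list). It answers "can service account X
# do verb Y on resource Z in namespace N?" and flags mistakes the API server accepts silently.
import json

BUILTIN_CLUSTER_ROLES = {"cluster-admin", "admin", "edit", "view"}  # never reuse these names
BINDING_KINDS = ("RoleBinding", "ClusterRoleBinding")


def _key(obj):
    return (obj["kind"], obj["metadata"].get("namespace"), obj["metadata"]["name"])


def _role_key(binding):
    """(kind, namespace, name) of the role a binding's roleRef points at."""
    ref = binding["roleRef"]
    if ref["kind"] == "Role":  # a Role is looked up in the binding's own namespace
        return ("Role", binding["metadata"].get("namespace"), ref["name"])
    return ("ClusterRole", None, ref["name"])


def _rules_allow(rules, verb, resource, api_group=""):
    """True if any rule grants verb on resource in api_group ('*' is a wildcard)."""
    for rule in rules:
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if (api_group in groups or "*" in groups) and (resource in resources or "*" in resources) \
                and (verb in verbs or "*" in verbs):
            return True
    return False


def can_i(objects, sa_namespace, sa_name, verb, resource, namespace, api_group=""):
    """In-memory equivalent of `kubectl auth can-i --as=system:serviceaccount:<ns>:<name>`.
    Only ServiceAccount subjects are considered; a binding whose roleRef names a role that
    does not exist grants nothing, as in the real authorizer."""
    roles = {_key(o): o.get("rules", []) for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in BINDING_KINDS:
            continue
        # A RoleBinding applies only inside its own namespace; a ClusterRoleBinding everywhere.
        if b["kind"] == "RoleBinding" and b["metadata"].get("namespace") != namespace:
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_namespace for s in b.get("subjects") or []):
            continue
        rules = roles.get(_role_key(b))
        if rules is not None and _rules_allow(rules, verb, resource, api_group):
            return True
    return False


def lint(objects):
    """Findings for mistakes that `kubectl apply` accepts without complaint."""
    findings, keys = [], [_key(o) for o in objects]
    role_keys = {k for k in keys if k[0] in ("Role", "ClusterRole")}
    for o in objects:
        kind, ns, name = _key(o)
        where = f"{kind} {ns + '/' if ns else ''}{name}"
        if kind in BINDING_KINDS:
            if _role_key(o) not in role_keys:
                ref = o["roleRef"]
                findings.append(f"{where}: roleRef {ref['kind']} '{ref['name']}' does not exist, "
                                "so this binding grants nothing")
            for s in o.get("subjects") or []:
                if s.get("kind") == "ServiceAccount" and s.get("name") == "default":
                    findings.append(f"{where}: binds the 'default' ServiceAccount of namespace "
                                    f"'{s.get('namespace')}'; every pod there without an explicit "
                                    "serviceAccountName inherits these rights")
        if kind == "ClusterRole" and name in BUILTIN_CLUSTER_ROLES:
            findings.append(f"{where}: reuses a built-in ClusterRole name; kubectl apply would "
                            "overwrite the built-in role's rules")
    for k in sorted({k for k in keys if keys.count(k) > 1}, key=str):
        findings.append(f"{k[0]} '{k[2]}' is defined more than once; kubectl apply keeps only the last")
    return findings


# Constructed sample modelled on the question's Role/RoleBinding: the RoleBinding's roleRef
# names 'maverick' while the Role is called 'gitlab-runner'.
QUESTION_RBAC = json.loads("""[
 {"kind": "Role", "metadata": {"name": "gitlab-runner", "namespace": "maverick"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["list", "get", "create", "delete", "update"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "gitlab-runner", "namespace": "maverick"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "maverick"},
  "subjects": [{"kind": "ServiceAccount", "name": "gitlab-runner", "namespace": "maverick"}]}
]""")

# Constructed sample of a broad cluster-scoped fix: a custom ClusterRole that reuses the
# built-in name 'cluster-admin', bound to two ServiceAccounts by bindings sharing one name.
BROAD_FIX_RBAC = json.loads("""[
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["list", "watch", "get", "create", "delete", "update"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin-role"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "gitlab-runner", "namespace": "maverick"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin-role"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "maverick"}]}
]""")

if __name__ == "__main__":
    for sa in ("default", "gitlab-runner"):
        print(f"{sa} can create secrets in maverick (question manifests):",
              can_i(QUESTION_RBAC, "maverick", sa, "create", "secrets", "maverick"))
    for finding in lint(QUESTION_RBAC + BROAD_FIX_RBAC):
        print("-", finding)
```

With the question's manifests neither `default` nor `gitlab-runner` can create secrets in `maverick`: the first has no binding at all, and the second's binding points at a Role that does not exist. A RoleBinding whose roleRef names the actual Role fixes the `gitlab-runner` account inside that one namespace and lints clean, whereas the cluster-scoped variant grants secret access in every namespace to whichever pod happens to run as the namespace's `default` ServiceAccount. Against a live cluster the same first check is `kubectl auth can-i create secrets -n maverick --as=system:serviceaccount:maverick:default`.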