[Controller] Support deploying GitLab Pages

Mitchell Nielsen requested to merge 138-support-pages into master

Deploys Pages resources if enabled via global.pages.enabled.

Closes #138 (closed)

Testing

  1. Deploy the Operator using the image from this branch.

  2. Create a self-signed certificate for Pages:

    $ KEY_FILE=pages.key CERT_FILE=pages.crt HOST=*.pages.yourdomain.com
    $ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}"
    $ kubectl create secret -n gitlab-system tls custom-pages-tls --key pages.key --cert pages.crt

  3. Create a Secret for Runner to reference the certificate:

    $ kubectl -n gitlab-system create secret generic custom-runner-tls --from-file=gitlab.yourdomain.com.crt=pages.crt

  4. Deploy a CR using the following YAML:

    apiVersion: apps.gitlab.com/v1beta1
    kind: GitLab
    metadata:
      name: gitlab
    spec:
      chart:
        version: "5.1.1"
        values:
          certmanager-issuer:
            email: you@youremail.com
          global:
            hosts:
              domain: yourdomain.com
            pages:
              enabled: true
          gitlab:
            gitlab-pages:
              ingress:
                tls:
                  # You need to bring your own wildcard SSL certificate which covers
                  # `*.<pages root domain>`. Create a k8s TLS secret with the name
                  # `custom-pages-tls` with it.
                  secretName: custom-pages-tls

  5. Create a project from one of the Pages templates (I used the raw HTML Pages template).

  6. Deploy GitLab Runner (either the Operator or just the Helm chart) and connect a runner to your project. Use the following values:

    # runner.values.yaml
    gitlabUrl: https://gitlab.yourdomain.com
    runnerRegistrationToken: <yourRunnerToken>
    rbac:
      create: true
    certsSecretName: custom-runner-tls

    $ helm upgrade --install -n gitlab-system gitlab-runner gitlab/gitlab-runner -f runner.values.yaml

  7. Run the pipeline on master.

  8. Confirm that both Pages jobs passed.

  9. Visit the Pages URL (something like https://root.pages.yourdomain.com/mypagessite/).

Notes

  • I started looking into ensuring relevant Pages secrets exist, similar to the approach we took for external Redis. However, the process of checking for existence of Pages secrets (like the primary Secret and the TLS secret) became a bit convoluted, since we only want to check for existence in certain conditions (in the case of the TLS secret, you only want to check if Pages is enabled, Pages Ingress is enabled, and Pages Ingress TLS is enabled - while also considering global settings). I do like the idea of checking for these Secrets, but in this case it's turned out to be a bit more complicated than expected and I wouldn't consider this a required feature for GA. Will leave it for now and we can follow up on this in the future. #193
Edited by Mitchell Nielsen