I tried to add gitlab-agent to the environment and select the namespace and flux customization there, but I get errors.
I'm using the GitLab hosted version of Self-Managed on Kubernetes.
Install command for gitlab-agent:
helm upgrade --install h gitlab/gitlab-agent \
    --namespace gitlab-agent-h \
    --create-namespace \
    --set image.tag=v17.2.2 \
    --set config.token=token \
    --set config.kasAddress=wss://kas.domain.com
Configuration of gitlab-agent at path .gitlab/agents/my-agent/config.yaml in the repository:
user_access:
  access_as:
    agent: {}
  groups:
    - id: LearnHub
    - id: LearnHub/Frontend
    - id: LearnHub/Identity
ci_access:
  groups:
    - id: LearnHub
    - id: LearnHub/Frontend
    - id: LearnHub/Identity
Install command for flux:
flux bootstrap gitlab \
    --hostname=gitlab.domain.com \
    --owner=Flux-LearnHub \
    --repository=Flux \
    --branch=main \
    --path=clusters/production \
    --deploy-token-auth
Adding a repository:
flux create source git learnhub-mainpage \
    --url=https://gitlab.domain.com/learnhub/frontend/mainpage.git \
    --branch=main \
    --interval=1m \
    --namespace=flux-system \
    --username=username \
    --password=token
flux create kustomization learnhub-mainpage-kustomization \
    --source=GitRepository/learnhub-mainpage.flux-system \
    --path="./manifests" \
    --prune=true \
    --interval=5m \
    --namespace=flux-system
And I don’t see the Flux customization or namespace in the selection.
I tried to manually grant the gitlab-agent the cluster admin role for testing:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitlab-agent-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: learnhub-gitlab-agent # name of the ServiceAccount
    namespace: gitlab-agent
And I made sure that gitlab-agent has rights to all namespaces, but still nothing appears in the list. Tell me how to fix this.
I also noticed that all requests that access gitlab kas return with error 401, and this specifically applies to those requests for which I created a question.
https://kas.domain.com/k8s-proxy/api/v1/namespaces
https://kas.domain.com/k8s-proxy/apis/kustomize.toolkit.fluxcd.io/v1/namespaces/gitlab-agent/kustomizations
https://kas.domain.com/k8s-proxy/apis/helm.toolkit.fluxcd.io/v2beta1/namespaces/gitlab-agent/helmreleases
General answer
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "GitLab Agent Server: Unauthorized: no valid credentials provided",
  "reason": "Unauthorized",
  "code": 401
}
In my case there was a problem with separate domains, as stated in the answer; the solution of merging the domains above, kas.domain.com and gitlab.domain.com, into 1 domain helped me. In this case, the request will correspond to this URL:
https://gitlab.domain.com/k8s-proxy/api/v1/namespaces
Instead of:
https://kas.domain.com/k8s-proxy/api/v1/namespaces
The problem I had was that if I just had 2 ingresses that are responsible for gitlab and kas, the web server would access the old domain and get a 404. This was fixed by these parameters when updating gitlab:
--set global.hosts.kas.name=gitlab.domain.com
The kas Helm chart is built into the gitlab Helm chart.
And after the above action, we change the ingress by merging the 2 domains into 1, and we get something similar to this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitlab-ingress
  namespace: gitlab
  annotations:
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  rules:
    - host: gitlab.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gitlab-webservice-default
                port:
                  number: 8181
          - path: /k8s-proxy/
            pathType: Prefix
            backend:
              service:
                name: gitlab-kas
                port:
                  number: 8154
          - path: /kas
            pathType: Prefix
            backend:
              service:
                name: gitlab-kas
                port:
                  number: 8150
  tls:
    - hosts:
        - gitlab.domain.com
      secretName: gitlab-tls
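An added example, not part of the original post: a small Python check that resolves which backend an Ingress set sends a URL to (Kubernetes `Prefix` rules match whole path elements, longest match wins) and confirms that the GitLab host itself routes `/k8s-proxy/` to KAS. The helper names and the two-host `SPLIT` layout are assumptions constructed for illustration; real input would be the `items` of `kubectl get ingress -A -o json`.

```python
from urllib.parse import urlsplit

def rule(host, *paths):
    """Build one Ingress rule; paths are (prefix, service, port) tuples."""
    return {"host": host, "http": {"paths": [
        {"path": p, "pathType": "Prefix",
         "backend": {"service": {"name": s, "port": {"number": n}}}}
        for p, s, n in paths]}}

WEB = ("/", "gitlab-webservice-default", 8181)
# Constructed sample: the merged single-host Ingress from the answer.
MERGED = [{"spec": {"rules": [rule("gitlab.domain.com", WEB,
    ("/k8s-proxy/", "gitlab-kas", 8154), ("/kas", "gitlab-kas", 8150))]}}]
# Constructed sample (assumed layout): one Ingress per host, as in the question.
SPLIT = [{"spec": {"rules": [rule("gitlab.domain.com", WEB)]}},
         {"spec": {"rules": [rule("kas.domain.com",
             ("/k8s-proxy/", "gitlab-kas", 8154), ("/", "gitlab-kas", 8150))]}}]

def segments(path):
    """Split a path into its non-empty elements: '/k8s-proxy/' -> ['k8s-proxy']."""
    return [s for s in path.split("/") if s]

def backend_for(ingresses, url):
    """Return (service, port) handling url, or None if no rule matches its host."""
    u = urlsplit(url)
    want, best = segments(u.path), None
    for ing in ingresses:
        for r in ing["spec"].get("rules", []):
            if r.get("host") != u.hostname:
                continue
            for p in r["http"]["paths"]:
                have = segments(p["path"])
                # Prefix matches element by element, so /kas does not match /kasx.
                if p.get("pathType") == "Prefix" and want[:len(have)] == have:
                    if best is None or len(have) > best[0]:
                        svc = p["backend"]["service"]
                        best = (len(have), svc["name"], svc["port"]["number"])
    return best and best[1:]

def same_host_proxy(ingresses, gitlab_host, kas_service="gitlab-kas"):
    """True when gitlab_host itself routes /k8s-proxy/ requests to KAS."""
    hit = backend_for(ingresses, f"https://{gitlab_host}/k8s-proxy/api/v1/namespaces")
    return bool(hit) and hit[0] == kas_service

if __name__ == "__main__":
    for name, layout in (("merged", MERGED), ("split", SPLIT)):
        print(name, same_host_proxy(layout, "gitlab.domain.com"))
```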