path: root/doc/user/clusters/agent/ci_cd_tunnel.md
blob: 1f794bac37fbd44510b662d11f440d5097f0fa48 (plain)
---
stage: Configure
group: Configure
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# CI/CD Tunnel

> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327409) in GitLab 14.1.

The CI/CD Tunnel enables users to access Kubernetes clusters from GitLab CI/CD jobs even if there is no network
connectivity between GitLab Runner and a cluster. GitLab Runner does not have to be running in the same cluster.

Only CI/CD jobs defined in the configuration project can access one of the configured agents.

Prerequisites:

- A running [`kas` instance](index.md#set-up-the-kubernetes-agent-server).
- A [configuration repository](index.md#define-a-configuration-repository) with an Agent config file
  installed (`.gitlab/agents/<agent-name>/config.yaml`).
- An [Agent record](index.md#create-an-agent-record-in-gitlab).
- The agent is [installed in the cluster](index.md#install-the-agent-into-the-cluster).

To access your cluster from a CI/CD job through the tunnel:

1. In your `.gitlab-ci.yml`, add a section that creates a `kubectl`-compatible configuration file (`kubecontext`), and use it in one
   or more jobs:

   ```yaml
   variables:
     AGENT_ID: 4 # agent id that you got when you created the agent record
     KUBE_CFG_FILE: "$CI_PROJECT_DIR/.kubeconfig.agent.yaml"

   .kubectl_config: &kubectl_config
     - |
       cat << EOF > "$KUBE_CFG_FILE"
       apiVersion: v1
       kind: Config
       clusters:
       - name: agent
         cluster:
           server: https://kas.gitlab.com/k8s-proxy/
       users:
       - name: agent
         user:
           token: "ci:$AGENT_ID:$CI_JOB_TOKEN"
       contexts:
       - name: agent
         context:
           cluster: agent
           user: agent
       current-context: agent
       EOF

   deploy:
     image:
       name: bitnami/kubectl:latest
       entrypoint: [""]
     script:
     - *kubectl_config
     - kubectl --kubeconfig="$KUBE_CFG_FILE" get pods
   ```

1. Execute `kubectl` commands directly against your cluster from the CI/CD job you just created.

We are working on [creating the configuration file automatically](https://gitlab.com/gitlab-org/gitlab/-/issues/324275)
to simplify the process.
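
The generated file holds the job token in clear text, so it is worth validating the inputs and restricting the file mode when writing it. The following is an added example, not part of the GitLab documentation: a hardened variant of the heredoc from step 1, where the function name `write_agent_kubeconfig` and the `KAS_PROXY_URL` variable are assumptions made for this example.

```shell
# Added example: hardened generation of the agent kubeconfig from step 1.
# KAS_PROXY_URL and write_agent_kubeconfig are names assumed for this example.
KAS_PROXY_URL="${KAS_PROXY_URL:-https://kas.gitlab.com/k8s-proxy/}"

# usage: write_agent_kubeconfig "$AGENT_ID" "$CI_JOB_TOKEN" "$KUBE_CFG_FILE"
write_agent_kubeconfig() {
  agent_id=$1 job_token=$2 out=$3

  # The agent ID is numeric; reject anything else before it reaches the file.
  case "$agent_id" in
    ''|*[!0-9]*) echo "AGENT_ID must be a number" >&2; return 1 ;;
  esac
  # Fail early instead of writing a config with an empty credential.
  [ -n "$job_token" ] || { echo "job token is empty" >&2; return 1; }
  [ -n "$out" ] || { echo "output path is empty" >&2; return 1; }

  # Subshell keeps the umask change local. The file is created with
  # mode 0600 from the start because it contains the job token.
  (
    umask 077
    rm -f -- "$out"
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: agent
  cluster:
    server: $KAS_PROXY_URL
users:
- name: agent
  user:
    token: "ci:$agent_id:$job_token"
contexts:
- name: agent
  context:
    cluster: agent
    user: agent
current-context: agent
EOF
  )
}
```

Because `KUBE_CFG_FILE` sits under `$CI_PROJECT_DIR`, keep it out of any `artifacts:paths` and `cache:paths` patterns so the token is not stored with the job output.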