Cluster-wide GitLab Agent (GitOps)

[bittner]

GitLab is about to remove certificate-based Kubernetes integration starting with May this year (or later). They are encouraging customers to install the GitLab Agent is their clusters instead.

Will APPUiO Cloud have a (global) GitLab Agent for every customer to use out-of-the-box? Or can / should we request the installation of an isolated instance for every project?

[bittner]

Side note: According to an (unofficial) information of a GitLab representative the Kubernetes Agent falls a bit behind expectations and is not yet en par feature-wise with GitLab's certificate-based Kubernetes integration. They name ArgoCD as a mature alternative while GitLab plays catch-up with their relatively small Auto-DevOps and Kubernetes team.

Hence, as long as it's not about integration with the GitLab UI, whether it's ArgoCD or GitLab's Kubernetes Agent, a plug-and-play GitOps infrastructure would be an awesome feature of APPUiO Cloud.

[tobru]

We recently released a blog post, describing how to use APPUiO Cloud in GitLab without the agent: https://www.vshn.ch/blog/agent-less-gitlab-integration-with-openshift/

[ccremer]

You will have to install the agent on your own.

When I look at the Helm chart https://gitlab.com/gitlab-org/charts/gitlab-agent/-/tree/main it creates a ClusterRoleBinding by default, which is not going to work on APPUiO Cloud zones. You'll have to set --set rbac.create=false when installing with Helm.
After that, you'll have to manually grant namespace-admin permissions for the Agent's service account, e.g. oc policy add-role-to-user admin -z gitlab-agent --rolebinding-name gitlab-agent (SA name might be different).

Going a step further, you should be able to grant cross-project access to the service account. you could do this by repeating the command above in the other namespaces and then edit the generated RoleBinding so that the subject is referring the service account from the agent's namespace. Repeat this for every namespace that you want to manage and you have 1 agent installation for multiple namespaces. Also see https://docs.appuio.cloud/user/how-to/manage-projects-and-namespaces.html#_creating_namespaces so that the agent's ServiceAccount can create new namespaces. It's just not a cluster-wide installation, but let's say, a "organization-wide" one.
(Disclaimer: I haven't actually tested this idea)

[akosma]

I just tried this, and it works 100%. The GitLab agent installs without issue (setting the rbac.create=false parameter), and a pipeline on GitLab.com can deploy normally. Also, a separate APPUiO Cloud project, after modification of the RoleBinding, works. I will document the approach in the APPUiO Cloud docs today.

[akosma]

appuio/appuio-cloud-docs#121