On group level I have a Kubernetes Cluster configured in GitLab, and I wish to be able to configure a dedicated namespace for staging to use for all my repos, in order to communicate between microservices easily.
In my .gitlab-ci.yml file:
```yaml
staging:
  stage: staging
  variables:
    APP_NAME: staging-website-frontend
    APP_LABEL: staging
    DEPLOY_HOST: lanorr.eu
  environment:
    name: staging
    url: http://lanorr.eu/
  image: roffe/kubectl:v1.13.0
  script:
    - kubectl delete --ignore-not-found=true secret gitlab-auth
    - kubectl create secret docker-registry gitlab-auth --docker-server=$CI_REGISTRY --docker-username=$KUBE_PULL_USER --docker-password=$KUBE_PULL_PASS
    - cat k8s/deployment.yml | envsubst | kubectl apply -f -
  only:
    - master
```
I have tried to add `- export KUBE_NAMESPACE=staging` to the script section, but that didn’t work out as expected.
And my k8s/deployment.yml file:
```yaml
kind: Service
apiVersion: v1
metadata:
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "5000"
  name: ${APP_NAME}
spec:
  selector:
    app: ${APP_LABEL}
  type: NodePort
  ports:
    - protocol: TCP
      port: 80
      targetPort: 5000
---
kind: Deployment
apiVersion: apps/v1beta1
metadata:
  name: ${APP_NAME}
  labels:
    app: ${APP_LABEL}
spec:
  replicas: 3
  selector:
    matchLabels:
      app: ${APP_LABEL}
  template:
    metadata:
      labels:
        app: ${APP_LABEL}
    spec:
      imagePullSecrets:
        - name: gitlab-auth
      containers:
        - name: ${APP_NAME}
          image: "${DOCKER_IMAGE_TAG}"
          ports:
            - containerPort: 5000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ${APP_NAME}-ingress
spec:
  rules:
    - host: ${DEPLOY_HOST}
      http:
        paths:
          - backend:
              serviceName: ${APP_NAME}
              servicePort: 80
```
Here I have also tried to add the namespace manually and through an ENV_VARIABLE, but without luck… I keep getting the same error: that the ServiceAccount for the GitLab repo doesn’t have permission to find services and deployments in this namespace.
The ERROR:
```
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "/v1, Resource=services", GroupVersionKind: "/v1, Kind=Service"
...
from server for: "STDIN": ingresses.extensions "review-ci-testing-updqhr-la-danesa-web-ingress" is forbidden: User "system:serviceaccount:la-danesa-website-5:la-danesa-website-5-service-account" cannot get resource "ingresses" in API group "extensions" in the namespace "review-ci-testing"
```
It is a self-hosted GitLab server and a self-hosted and self-managed Kubernetes cluster. Everything is working fine except when I attempt to use a custom namespace for my staging deployment.
Do any of you have suggestions how to go about this?
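
The Forbidden error above is an RBAC denial: the project's service account has no permissions in the target namespace. As an added example that is not part of the original post, a cluster admin could apply a namespace-scoped Role and RoleBinding like the following; the namespace `staging` and the name `ci-staging-deployer` are assumptions, while the service account subject is taken from the error message.

```yaml
# Added example, applied by a cluster admin (not by the CI job itself).
apiVersion: v1
kind: Namespace
metadata:
  name: staging                 # assumption: the shared staging namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-staging-deployer     # hypothetical name
  namespace: staging
rules:
  # Verbs are limited to what the job's kubectl calls need:
  # apply = get, then create or patch.
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "create", "patch"]
  - apiGroups: ["apps"]         # Deployment is apps/v1beta1 in deployment.yml
    resources: ["deployments"]
    verbs: ["get", "create", "patch"]
  - apiGroups: ["extensions"]   # Ingress is extensions/v1beta1, as in the error
    resources: ["ingresses"]
    verbs: ["get", "create", "patch"]
  # Pull secret: get/delete can be pinned to one name, create cannot.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["gitlab-auth"]
    verbs: ["get", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-staging-deployer     # hypothetical name
  namespace: staging
subjects:
  # Subject copied from the Forbidden message: one project's service account.
  - kind: ServiceAccount
    name: la-danesa-website-5-service-account
    namespace: la-danesa-website-5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ci-staging-deployer
```

Each repo that deploys to the shared namespace needs its own entry under `subjects`, and the job's `kubectl` commands need `--namespace=staging`. The grant can be checked with `kubectl auth can-i get ingresses.extensions -n staging --as=system:serviceaccount:la-danesa-website-5:la-danesa-website-5-service-account`.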