No "certificates" initContainer in "gitlab-runner" deployment
Summary
We make use of the custom CA functionality, which can be configured as:
global:
  certificates:
    customCAs:
      - secret: my-custom-ca-cert
        keys:
          - ca.crt
When this value is set, the CA cert is mounted as a volume on various containers, all of which use an initContainer
to register the cert. This is not the case for the "gitlab-runner" deployment. Without additional modification, the "gitlab-runner" deployment fails with an x509 error (certificate not trusted).
The following partial YAML config shows what we needed to add in order to get the runner to join correctly:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab-gitlab-runner
  ...
spec:
  ...
  template:
    ...
    spec:
      ...
      containers:
        - name: gitlab-gitlab-runner
          ...
          volumeMounts:
            - mountPath: /etc/ssl/certs/
              name: etc-ssl-certs
              readOnly: true
            - mountPath: /etc/pki/ca-trust/extracted/pem
              name: etc-pki-ca-trust-extracted-pem
      initContainers:
        - env: null
          image: registry.gitlab.com/gitlab-org/build/cng/alpine-certificates:20191127-r2@sha256:367d437d024d7647432d67fb2442e3e5723af5930bad77d3535f4f8f4f8630d9
          name: certificates
          resources:
            requests:
              cpu: 50m
          volumeMounts:
            - mountPath: /etc/ssl/certs
              name: etc-ssl-certs
              readOnly: false
            - mountPath: /etc/pki/ca-trust/extracted/pem
              name: etc-pki-ca-trust-extracted-pem
              readOnly: false
            - mountPath: /usr/local/share/ca-certificates
              name: custom-ca-certificates
              readOnly: true
      volumes:
        ...
        - emptyDir:
            medium: Memory
          name: etc-ssl-certs
        - emptyDir:
            medium: Memory
          name: etc-pki-ca-trust-extracted-pem
        - name: custom-ca-certificates
          projected:
            defaultMode: 288
            sources:
              - secret:
                  items:
                    - key: ca.crt
                      path: ca.crt
                  name: gitlab
              - secret:
                  name: gitlab-wildcard-tls-ca
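A quick way to spot this class of gap across a whole release is to audit every Deployment for the pattern shown above: an initContainer named "certificates" that writes the two trust-store paths, and main containers that mount those same paths. The script below is an added example, not code from the issue or the GitLab chart. It consumes the JSON that `kubectl get deployments -n <namespace> -o json` prints (or a single Deployment object) and reports anything inconsistent; the path set and initContainer name are taken from the manifest above, while the sample manifests, names and the placeholder image tag are constructed for the demo.

```python
"""Audit Deployments for the custom-CA "certificates" initContainer pattern.

Added example, not code from the original issue or the GitLab chart. Reads
the JSON of `kubectl get deployments -o json` (kind: List) or one Deployment
and reports Deployments that lack the "certificates" initContainer, whose
initContainer does not write the trust-store paths, or whose main containers
do not mount those paths. Sample manifests below are constructed.
"""
import json
import sys

# Trust-store paths the chart's "certificates" initContainer populates
# (taken from the manifest in the issue).
CA_PATHS = {"/etc/ssl/certs", "/etc/pki/ca-trust/extracted/pem"}
INIT_NAME = "certificates"


def mount_paths(container):
    """Set of mountPaths of one container spec, trailing '/' dropped."""
    return {m["mountPath"].rstrip("/") for m in container.get("volumeMounts", [])}


def audit_deployment(deployment):
    """Return a list of findings for one Deployment; an empty list means it is consistent."""
    name = deployment["metadata"]["name"]
    pod = deployment["spec"]["template"]["spec"]
    inits = {c["name"]: c for c in pod.get("initContainers", [])}
    findings = []
    if INIT_NAME not in inits:
        findings.append(f"{name}: no '{INIT_NAME}' initContainer, custom CAs will not be trusted")
        return findings
    init_missing = CA_PATHS - mount_paths(inits[INIT_NAME])
    if init_missing:
        findings.append(f"{name}: '{INIT_NAME}' initContainer does not write {sorted(init_missing)}")
    for c in pod.get("containers", []):
        missing = CA_PATHS - mount_paths(c)
        if missing:
            findings.append(f"{name}/{c['name']}: does not mount {sorted(missing)} from the initContainer")
    return findings


def audit(kubectl_json):
    """Audit a kubectl JSON document (List or single Deployment). Returns {name: findings} for failures only."""
    doc = json.loads(kubectl_json) if isinstance(kubectl_json, str) else kubectl_json
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    result = {}
    for d in items:
        if d.get("kind", "Deployment") != "Deployment":
            continue
        found = audit_deployment(d)
        if found:
            result[d["metadata"]["name"]] = found
    return result


def make_deployment(name, containers, init_containers):
    """Build a minimal Deployment dict (constructed sample data, hypothetical names)."""
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": containers,
                                           "initContainers": init_containers}}}}


def make_mounts(*paths):
    """volumeMounts entries for the given paths; volume names derived from the path."""
    return [{"mountPath": p, "name": p.strip("/").replace("/", "-")} for p in paths]


# initContainer wired like the chart's; the image is a placeholder, not a real tag.
CERT_INIT = {"name": INIT_NAME, "image": "REGISTRY/alpine-certificates:TAG",
             "volumeMounts": make_mounts("/etc/ssl/certs", "/etc/pki/ca-trust/extracted/pem",
                                         "/usr/local/share/ca-certificates")}

# Constructed sample: one Deployment wired like the chart's other workloads and
# one like the stock runner Deployment the issue describes (no initContainer).
SAMPLE = {"kind": "List", "items": [
    make_deployment("gitlab-webservice-default",
                    [{"name": "webservice",
                      "volumeMounts": make_mounts("/etc/ssl/certs/", "/etc/pki/ca-trust/extracted/pem")}],
                    [CERT_INIT]),
    make_deployment("gitlab-gitlab-runner",
                    [{"name": "gitlab-gitlab-runner", "volumeMounts": []}],
                    []),
]}


if __name__ == "__main__":
    # Pipe `kubectl get deployments -n <ns> -o json` in; with no input, audit the sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for lines in audit(raw.strip() or json.dumps(SAMPLE)).values():
        print("\n".join(lines))
```

Run it with `kubectl get deployments -n gitlab -o json | python3 audit_ca_init.py`; a clean release prints nothing, and the stock runner Deployment from the issue is reported as having no "certificates" initContainer. The check only looks at mounts, so a Deployment that mounts the paths from the wrong volume still passes; it is a consistency screen, not proof that the CA is trusted inside the container.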
Versions
- Chart: 6.8.1
- Platform:
  - Cloud: AKS
  - Kubernetes (kubectl version):
    - Client: 1.25.5
    - Server: 1.25.5
  - Helm (helm version):
    - Client: 3.11.1