Unable to skip TLS verification
Hello,
I am currently trying to deploy the gitlab-runner helm chart in our VPC (not an AWS VPC, just using the term for reference) within the cloud provider. In order to access the on-prem GitLab server I was told to use the http_proxy. That proxy has a specific rule by which all connections to a specific port, say 8181, are proxied from the cloud VPC subnet into the company's actual subnet.
Thus my values.yaml looks something like:
```yaml
gitlabUrl: https://git.ourcompany.de:8181/
envVars:
  - name: HTTP_PROXY
    value: "http://proxy.ourcompanycloud.de:8888"
  - name: HTTPS_PROXY
    value: "http://proxy.ourcompanycloud.de:8888"
  - name: http_proxy
    value: "http://proxy.ourcompanycloud.de:8888"
  - name: https_proxy
    value: "http://proxy.ourcompanycloud.de:8888"
concurrent: 3
nameOverride: k8s
resources:
  requests:
    memory: 128Mi
    cpu: 100m
  limits:
    memory: 256Mi
    cpu: 200m
rbac:
  create: true
runners:
  config: |
    [[runners]]
      builds_dir = "/tmp/builds"
      ...
```
Once I disable TLS verification in curl (the -k flag), I can access the endpoint of my company's GitLab with the following curl call:
```
curl -vvk https://git.ourcompany.de:8181/api/v4/version
* Uses proxy env variable no_proxy == 'localhost,127.0.0.1,0.0.0.0,10.0.0.3,10.0.0.5,dockerhost.local'
* Uses proxy env variable https_proxy == 'http://proxy.ourcompanycloud.de:8888'
* Trying 10.0.0.5:8888...
* Connected to proxy.ourcompanycloud.de (10.0.0.5) port 8888 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to git.ourcompany.de:8181
> CONNECT git.ourcompany.de:8181 HTTP/1.1
> Host: git.ourcompany.de:8181
> User-Agent: curl/7.74.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=DE; ST=Bavaria; O=Ourcompany; CN=*.hub.ourcompany.de
*  start date: Jun 20 16:52:38 2023 GMT
*  expire date: Nov 1 16:52:38 2024 GMT
*  issuer: C=DE; ST=Bavaria; L=Munich; O=ourcompanycloud; CN=ourcompanycloud.de; emailAddress=cloud@ourcompany.de
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /api/v4/version HTTP/1.1
> Host: git.ourcompany.de:8181
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< server: nginx
< date: Fri, 14 Jul 2023 16:05:25 GMT
< content-type: application/json
< content-length: 30
< cache-control: no-cache
< vary: Origin
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-gitlab-meta: {"correlation_id":"01H5AJCQN3YX9F5PTH0MHQ1D2K","version":"1"}
< x-request-id: 01H5AJCQN3YX9F5PTH0MHQ1D2K
< x-runtime: 0.025832
<
* Connection #0 to host proxy.ourcompanycloud.de left intact
{"message":"401 Unauthorized"}
```
As expected, without any token the request reaches the GitLab instance and receives the HTTP 401 response code.
However, when trying to force the GitLab runner to somehow skip the TLS verification, so far I have not found any solution to get around the fact that the proxy used provides its own cert, created for
CN=*.hub.ourcompany.de
which does not match the expected hostname
git.ourcompany.de
See the runner registration:
```
kubectl exec -n deployment-tools local-xxx-gitlab-runner-k8s-55fb9bb548-tqj2f -it -- /bin/sh
/ $ gitlab-runner register --url https://git.ourcompany.de:8181 --token glrt-a9b1cdeDmjGVfmnPCxjz
Runtime platform arch=amd64 os=linux pid=87 revision=b72e108d version=16.1.0
WARNING: Running in user-mode.
WARNING: The user-mode requires you to manually start builds processing:
WARNING: $ gitlab-runner run
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
Enter the GitLab instance URL (for example, https://gitlab.com/): [https://git.ourcompany.de:8181]:
ERROR: Verifying runner... failed runner=z9s1sugDm status=couldn't execute POST against https://git.ourcompany.de:8181/api/v4/runners/verify: Post "https://git.ourcompany.de:8181/api/v4/runners/verify": x509: certificate is valid for .hub.ourcompany.de, www..hub.ourcompany.de, not git.ourcompany.de
PANIC: Failed to verify the runner.
/ $ command terminated with exit code 137
```
I was "happy" to find that you explicitly removed the option for skipping tls_verify a number of years ago in this commit - here.
I am just curious whether you could advise me of any workaround, as this is a project runner, and most likely the whole infrastructure will not be changed just based on the needs of one company's project.
Thanks a lot in advance!
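As an added illustration (not part of the post above, and not gitlab-runner's own code), the following Go program reproduces the two independent checks that Go's TLS client, and therefore the runner, applies to the proxy's certificate. It shows why the `x509: certificate is valid for ..., not git.ourcompany.de` error quoted above is a hostname mismatch that trusting the proxy CA alone cannot resolve; the certificate it inspects is constructed locally with the SAN from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// Diagnosis separates the two checks a Go TLS client (hence gitlab-runner) applies to a server cert.
type Diagnosis struct {
	ChainOK    bool     // certificate chains to a CA in the trusted pool
	HostnameOK bool     // a SAN covers the requested host
	Errors     []string // Go's own messages for whichever checks failed
}

// diagnose keeps the two checks independent so that adding the proxy's CA to the runner's bundle
// is not mistaken for a fix of a hostname mismatch: *.hub.ourcompany.de never covers git.ourcompany.de.
func diagnose(cert *x509.Certificate, host string, roots *x509.CertPool) Diagnosis {
	_, chainErr := cert.Verify(x509.VerifyOptions{Roots: roots}) // DNSName left empty on purpose
	hostErr := cert.VerifyHostname(host)
	d := Diagnosis{ChainOK: chainErr == nil, HostnameOK: hostErr == nil}
	for _, err := range []error{chainErr, hostErr} {
		if err != nil {
			d.Errors = append(d.Errors, err.Error())
		}
	}
	return d
}

// newTestCert builds a constructed, self-signed certificate with the given SANs (stand-in for the proxy's cert).
func newTestCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running `diagnose` for `git.ourcompany.de` with the test certificate in the trusted pool reports ChainOK true but HostnameOK false, the same class of failure the runner logged; only a certificate whose SANs include the URL's host (or a URL that matches the proxy's certificate) clears both checks.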