TLS configuration for docker:dind in 19.03
I read the GitLab announcement about Docker 19.03. An issue was described.
I verified I experienced this issue.
Two options are suggested to resolve the issue.
Turning off TLS does resolve the issue.
```yaml
## in a .gitlab-ci.yml file
my job:
  # ...
  variables:
    # ...
    DOCKER_TLS_CERTDIR: ""

## ... or in provided values to this helm chart
runners:
  env:
    DOCKER_TLS_CERTDIR: ""
```
But how to turn on TLS with the gitlab-runner chart?
In short, I think what I need is to understand how to do the following through this Helm chart:
I currently think it isn't possible to configure the runner through this helm chart to enable TLS in the way described. Partially perhaps due to an inability to specify mounts etc as discussed in #71 (closed), but also perhaps partially because of the inability to configure the config.toml file. Hmm...
Relevant links
- https://gitlab.com/gitlab-org/charts/gitlab-runner/blob/master/templates/configmap.yaml#L49-55
- https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#tls-enabled
Implementation input
It may make sense to allow arbitrary configuration of the `config.toml` through the Helm values. This can be done using some Helm templating tricks involving `fromYaml` and `toToml`, for example. Currently, for example, this is your `config.toml` that is built up to be a string passed to a configmap that's mounted for consumption.
```yaml
# excerpt from templates/configmap.yaml
  config.toml: |
    concurrent = {{ .Values.concurrent }}
    check_interval = {{ .Values.checkInterval }}
    log_level = {{ default "info" .Values.logLevel | quote }}
    {{- if .Values.metrics.enabled }}
    listen_address = '[::]:9252'
    {{- end }}
```
I suggest providing an option for something like this, as it would allow for various functionality without it being part of the chart itself even though it has become part of the runner binary...
```yaml
# from suggested templates/configmap.yaml
  {{- $config := dict }}
  {{- $_ := set $config "concurrent" .Values.concurrent }}
  {{- $_ := set $config "check_interval" .Values.checkInterval }}
  {{- /* toToml quotes string values itself, so log_level is stored unquoted */}}
  {{- $_ := set $config "log_level" (default "info" .Values.logLevel) }}
  {{- if .Values.metrics.enabled }}
  {{- /* string literals in Go templates take double quotes */}}
  {{- $_ := set $config "listen_address" "[::]:9252" }}
  {{- end }}
  {{- if hasKey .Values "configToml" }}
  {{- $_ := merge $config (.Values.configToml | fromToml) }}
  {{- end }}
  config.toml: |
    {{- $config | toToml | nindent 4 }}
```
```yaml
# from suggested values.yaml
## configToml can be passed a multiline string with valid TOML
## that will be merged into the default config.toml file created
## NOTE: Looking at https://docs.gitlab.com/runner/configuration/advanced-configuration.html
## I find myself confused what will happen if we write for example:
##
##   [[runners]]
##     [runners.kubernetes]
##       volumes = ["/certs/client"]
##
## The confusion I have resides in the fact that we seem to create an item in the `runners` list
## because of all our environment variables, but if we do it like this, will we create another one
## or configure the existing one? I'd need to know more about the gitlab-runner binary for this
## latter configuration I think.
##
## Aha this is very relevant:
## https://docs.gitlab.com/runner/register/#runners-configuration-template-file
# configToml: |
#   disable_cache = false
#   volumes = ["/certs/client", "/cache"]
```