customCAs not getting mounted to containers, gitlab-runner in a crashloop with TLS failure trying to register the runner
Summary
According to this document, the needed certificate-related Helm chart values need to be specified under the 'global' level; however, based on the raw values file it looks like they should be placed at the same level as 'global'. In any case, whether I specify them at one location or the other, or at both locations, the customCA is not getting mounted on the gitlab runner, resulting in a crashloop.
Steps to reproduce
A new cleanly deployed gitlab using the gitlab helm chart.
Configuration used
gitlab:
  # disable gitlab-provided addons we already have
  certmanager:
    install: false
  nginx-ingress:
    enabled: false
  prometheus:
    install: false
  # required for deployment to work with argocd
  upgradeCheck:
    enabled: false
  global:
    # edition: ce
    hosts:
      domain: non.k.home.net
      https: true
    ingress:
      class: nginx
      annotations:
        cert-manager.io/cluster-issuer: vault-issuer
      configureCertmanager: "false"
    certificates:
      customCAs:
        - secret: ca-bundle
          keys:
            - ca.crt
  certificates:
    customCAs:
      - secret: ca-bundle
        keys:
          - ca.crt
  certmanager-issuer:
    email: work@around.com
  gitlab-runner:
    enabled: true
Current behavior
gitlab-runner is in a crash loop because of a TLS failure; to resolve this, the on-prem cert needs to be mounted within the pod. I have a secret with the cert in it, and have specified it as instructed by the documentation.
Expected behavior
Expecting the on-prem cert to be mounted in the gitlab-runner pod, allowing it to finish initialization, register, and not crash.
Versions
- Chart: 7.9.2
- Platform:
  - Self-hosted: Tanzu
- Kubernetes:
  - Client: v1.28.4
  - Server: v1.26.5
- Helm:
  - Client: v3.13.2+g2a2fb3b
Relevant logs
Merging configuration from template file "/configmaps/config.template.toml"
WARNING: Support for registration tokens and runner parameters in the 'register' command has been deprecated in GitLab Runner 15.6 and will be replaced with support for authentication tokens. For more information, see https://docs.gitlab.com/ee/ci/runners/new_creation_workflow
ERROR: Registering runner... failed runner=qgmcpk0r status=couldn't execute POST against https://gitlab.non.k.home.net/api/v4/runners: Post "https://gitlab.non.k.home.net/api/v4/runners": tls: failed to verify certificate: x509: certificate signed by unknown authority
PANIC: Failed to register the runner.
Quit