tls-ca-file is not used for accessing S3 cache

Summary

We are using tls-ca-file set in the [[runners]] section. This seems to work fine for cloning and artifact pull/push with the GitLab instance and registry access. But it doesn't work for the S3 cache, as I get x509: certificate signed by unknown authority.
tls-ca-file should also be used for cache access, simply because it is an internal step like cloning or artifacts push/pull.

The steps specified in https://docs.gitlab.com/runner/configuration/tls-self-signed.html#trusting-the-certificate-for-the-other-cicd-stages seem to duplicate the tls-ca-file, but cache pull/push isn't really a CI/CD stage as per the well-known CI/CD naming convention and as defined in .gitlab-ci.yml. So the name and description of that section are misleading.

When used, the Job output has a lot of:

Updating CA certificates...
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
WARNING: ca-cert-ca.pem does not contain exactly one certificate or CRL: skipping

This output isn't present when using the tls-ca-file option and makes reading the Job output harder.

We are using GitLab Runners on VMs (RPM install) with Docker executor.

It seems that using the volumes option as described in the docs doesn't work when helper_image is specified in the [runners.docker] section.

Steps to reproduce

Configure the S3 cache using local S3-compatible storage with a certificate signed by a custom CA. The same CA is used to sign the GitLab certificate and it is included in the /etc/gitlab-runner/ssl/ca.crt configured in config.toml.

.gitlab-ci.yml
stages:
    - createcache
    - testcache

cache:
    paths:
        - cachedfile

write:
    stage: createcache
    script:
        - cat cachedfile ||true
        - echo "in cache $CI_JOB_ID" > cachedfile

read:
    stage: testcache
    script:
        - cat cachedfile

Actual behavior

FATAL: Get https://_reducted_/_reducted_/project/66/default?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=[FILTERED]&X-Amz-Date=20201005T055923Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=[FILTERED] x509: certificate signed by unknown authority

Expected behavior

Cache is pulled/pushed.

Relevant logs and/or screenshots

Environment description

config.toml contents
[[runners]]
  name = "_reducted_"
  url = "_reducted_"
  token = "_reducted_"
  tls-ca-file = "/etc/gitlab-runner/ssl/ca.crt"
  executor = "docker"
  environment = ["DOCKER_TLS_CERTDIR=", "DOCKER_DRIVER=overlay2"]
  [runners.custom_build_dir]
  [runners.docker]
    image = "_reducted_"
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache"]
    shm_size = 0
  [runners.cache]
    Type = "s3"
    Path = ""
    Shared = true
    [runners.cache.s3]
      ServerAddress = "_reducted_"
      AccessKey = "_reducted_"
      SecretKey = "_reducted_"
      BucketName = "_reducted_"
      Insecure = false
    [runners.cache.gcs]

And also if I configure it like this:
volumes = ["/cache", "/etc/gitlab-runner/ssl/ca.crt:/etc/gitlab-runner/certs/ca.crt:ro"]
helper_image = "docker.io/gitlab/gitlab-runner-helper:x86_64-v${CI_RUNNER_VERSION}"

Used GitLab Runner version

$ gitlab-runner --version
Version:      13.4.1
Git revision: e95f89a0
Git branch:   13-4-stable
GO version:   go1.13.8
Built:        2020-09-25T20:03:43+0000
OS/Arch:      linux/amd64

Possible fixes

Edited by Ghost User
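
The failure mode reported above, reproduced as an added Go example (not part of the original issue and not GitLab Runner's code): an HTTPS client fetching a cache URL fails with the x509 unknown-authority error unless the custom CA is in the trust pool it actually uses. The function names, the local test server standing in for the S3-compatible storage, and the empty pool standing in for a helper without the CA are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetchCache GETs cacheURL (stand-in for the pre-signed S3 URL) trusting only
// the CAs in caPEM. Empty caPEM models a trust store without the custom CA.
func fetchCache(cacheURL string, caPEM []byte) error {
	pool := x509.NewCertPool()
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("no certificate found in CA bundle")
	}
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
	resp, err := client.Get(cacheURL)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return nil
}

// isUnknownAuthority reports whether err is the x509 failure from the issue.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo runs a local TLS server with a privately issued certificate (constructed).
func demo() (withoutCA, withCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "cache.zip") }))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return fetchCache(srv.URL, nil), fetchCache(srv.URL, caPEM)
}

func main() {
	withoutCA, withCA := demo()
	fmt.Println("without CA:", withoutCA, "| with CA:", withCA)
}
```

Certificate verification stays enabled in both calls; only the set of trusted roots changes.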