Vault integration doesn't use the certs in `/home/gitlab-runner/.gitlab-runner/certs`
Summary
I'm actually not sure if it's a bug or a feature proposal. Currently GitLab Runner is the one connecting to Vault to try to get the secret stored there: https://docs.gitlab.com/ee/ci/secrets/#use-vault-secrets-in-a-ci-job
If Vault is using a self-signed certificate, the job will fail even though we added the certificate in `/home/gitlab-runner/.gitlab-runner/certs`.
Based on my test, I have to add the certificate to the system certificate authority file, `/etc/ssl/certs/ca-certificates.crt`, for the Vault integration to work.
Steps to reproduce
- Configure Vault with a self-signed certificate.
- Configure GitLab Runner to use this certificate: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
- Try to use a Vault secret in a job: https://docs.gitlab.com/ee/ci/secrets/#use-vault-secrets-in-a-ci-job
.gitlab-ci.yml

```yaml
variables:
  VAULT_SERVER_URL: https://<snipped>:8000/

job:
  secrets:
    DATABASE_PASSWORD:
      vault: production/db/password
  script:
    - echo "$DATABASE_PASSWORD"
```
Actual behavior
Job fails with the error `x509: certificate signed by unknown authority`.
Expected behavior
GitLab Runner should be able to connect to Vault properly.
Relevant logs and/or screenshots
job log

```
Running with gitlab-runner 13.6.0 (8fa89735)
  on gitlab-runner-gitlab-runner-d9fbff44-hk4bx kDb7tzYm
Resolving secrets
00:01
Resolving secret "DATABASE_PASSWORD"...
Using "vault" secret resolver...
ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: checking Vault server health: Get https://<snipped>:8000/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299: x509: certificate signed by unknown authority
```
Environment description
config.toml contents
Add your configuration here
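The failure in the job log is the plain Go TLS verification path: an HTTP client whose `RootCAs` pool does not contain the issuer of the server's certificate returns `x509: certificate signed by unknown authority`, and no amount of certificates in a directory the client never reads will change that. The following Go program is an added example, not code from this issue, GitLab Runner or Vault. It generates a throwaway self-signed certificate, serves a Vault-like `/v1/sys/health` endpoint over TLS on localhost, and performs the same health GET twice: once with the default (system) root store, which fails the way the runner does, and once with a root pool to which the self-signed certificate has been appended as a PEM bundle, the same effect the reporter got by adding it to `/etc/ssl/certs/ca-certificates.crt`. The hostname `vault.local`, the health-endpoint body and the `demo` function are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSignedCert builds a constructed, throwaway self-signed certificate valid for
// 127.0.0.1 (what httptest listens on) and returns it with its PEM encoding.
func newSelfSignedCert() (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "vault.local"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pemBytes, nil
}

// startVaultLikeServer serves a minimal /v1/sys/health over TLS with the given certificate.
func startVaultLikeServer(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/sys/health" {
			http.NotFound(w, r)
			return
		}
		_, _ = w.Write([]byte(`{"initialized":true,"sealed":false,"standby":false}`))
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// checkHealth performs the health GET with the given root pool; a nil pool means
// "use the system store", which is what a client with no extra configuration does.
func checkHealth(baseURL string, roots *x509.CertPool) error {
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}},
		Timeout:   5 * time.Second,
	}
	resp, err := client.Get(baseURL + "/v1/sys/health")
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo returns the error seen with the system store and the error seen after the
// self-signed certificate is appended to a root pool (nil when the handshake succeeds).
func demo() (withSystemRoots error, withAppendedCA error, setupErr error) {
	cert, pemBytes, err := newSelfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	srv := startVaultLikeServer(cert)
	defer srv.Close()

	withSystemRoots = checkHealth(srv.URL, nil)

	// Mimic appending the cert to the system bundle: start from the system pool when
	// available, otherwise from an empty one, and add the PEM-encoded certificate.
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(pemBytes) {
		return withSystemRoots, nil, errors.New("could not append self-signed certificate to pool")
	}
	withAppendedCA = checkHealth(srv.URL, pool)
	return withSystemRoots, withAppendedCA, nil
}

func main() {
	sysErr, caErr, setupErr := demo()
	if setupErr != nil {
		panic(setupErr)
	}
	fmt.Println("system roots only:", sysErr)
	fmt.Println("with self-signed CA appended:", caErr)
}
```

The practical check this suggests for the runner host is the same one the example performs: the CA bundle that matters is whichever one the process that opens the Vault connection actually loads, so verify the certificate is present in that store rather than assuming any per-tool certificate directory is consulted.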