Append system store to CI_SERVER_TLS_CA_FILE with gitlab-runner-helper
Initially proposed by @T4cC0re at https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/14874#note_829500693
If GitLab is served over HTTPS, GitLab Runner builds a CA chain (Certificate Authority chain: the TLS certificates between the server's leaf certificate and a root CA) from GitLab's TLS certificate, writes it to the file pointed to by CI_SERVER_TLS_CA_FILE, and then hands that file to Git as the one store to trust for the GitLab host.
Why it is done this way is described in more detail at https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/14874#note_829377879 and further down in that thread.
In short: it is done to support GitLab instances that use a self-signed or custom-CA-signed TLS certificate.
This behavior comes with a limitation, however: configuring `http.<url>.sslCAInfo` for a specific HTTPS endpoint makes Git trust this CA store and only this CA store for that endpoint, even if other CAs (the default ones and, optionally, custom ones) are present in the system store.
This causes problems when clone_url points to an endpoint that presents a certificate from a different chain (which does happen in some setups): Git rejects the connection because the only store it was told to trust does not contain that chain.
For gitlab-runner-helper, which also loads the CA chain from the file pointed to by CI_SERVER_TLS_CA_FILE, this is "fixed" by appending the system store certificates to the loaded pool (note: this does not yet work on Windows, but there seems to be a workaround, and it should be fixed in Go 1.18). Thanks to that, remote cache and artifact requests are executed without problems.
Git, however, appends nothing. It uses the `sslCAInfo` store exactly as it was provided.
As we already have code that appends the certificates, we should add a simple gitlab-runner-helper
command that would:
- read the CA data from a given file,
- append the system store data to it,
- write the updated data back to the same file.
This command would then be called for each step script, right after the variables are created. Such a solution is backward compatible (the custom CA chain is still trusted) but lets the job re-use the job environment's system store to match other certificates, which would solve at least some of the cases.
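The following Go program sketches what such a helper command would do. It is an added example written for this issue, not code from gitlab-runner or gitlab-runner-helper. It assumes the job environment is Linux/Unix-like and that its system store is a PEM bundle at one of a few well-known paths (the path list is an assumption; Go's own x509.SystemCertPool, which the helper uses today, does not expose its certificates for writing, so a file-based merge is needed). Certificates already present in the chain file are skipped, so running the command twice does not grow the file, and the result is written via a temporary file and rename so a crash cannot leave a truncated CA store for Git to read. The self-signed certificates in main are generated on the fly purely to make the program runnable offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Assumed locations of the job container's system CA bundle (PEM).
var systemBundlePaths = []string{
	"/etc/ssl/certs/ca-certificates.crt", // Debian, Ubuntu, Alpine
	"/etc/pki/tls/certs/ca-bundle.crt",   // RHEL, Fedora
	"/etc/ssl/ca-bundle.pem",             // openSUSE
	"/etc/ssl/cert.pem",                  // macOS, FreeBSD
}

// parseCerts returns every parseable CERTIFICATE block in data, ignoring other PEM types.
func parseCerts(data []byte) []*x509.Certificate {
	var certs []*x509.Certificate
	for {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			return certs
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		if c, err := x509.ParseCertificate(block.Bytes); err == nil {
			certs = append(certs, c)
		}
	}
}

// MergePEM appends to chain every certificate from system that chain does not already
// contain (deduplicated by SHA-256 of the DER bytes). It returns the merged PEM and the
// number of certificates added, so a caller can log what changed.
func MergePEM(chain, system []byte) ([]byte, int) {
	seen := map[[32]byte]bool{}
	for _, c := range parseCerts(chain) {
		seen[sha256.Sum256(c.Raw)] = true
	}
	out := bytes.TrimRight(chain, "\n")
	if len(out) > 0 {
		out = append(out, '\n')
	}
	added := 0
	for _, c := range parseCerts(system) {
		fp := sha256.Sum256(c.Raw)
		if seen[fp] {
			continue
		}
		seen[fp] = true
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
		added++
	}
	return out, added
}

// AppendSystemStore rewrites caFile in place with the first readable system bundle appended.
func AppendSystemStore(caFile string, bundlePaths []string) (int, error) {
	chain, err := os.ReadFile(caFile)
	if err != nil {
		return 0, err
	}
	var system []byte
	for _, p := range bundlePaths {
		if b, err := os.ReadFile(p); err == nil {
			system = b
			break
		}
	}
	if system == nil {
		return 0, errors.New("no system CA bundle found; leaving CA file untouched")
	}
	merged, added := MergePEM(chain, system)
	tmp := caFile + ".tmp" // write-then-rename keeps the store readable at all times
	if err := os.WriteFile(tmp, merged, 0o600); err != nil {
		return 0, err
	}
	return added, os.Rename(tmp, caFile)
}

// selfSignedPEM makes a throwaway CA certificate so the example runs without real files.
func selfSignedPEM(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed sample: a chain file holding the GitLab CA, and a fake system bundle
	// that already contains that CA plus one more root (the duplicate must not be re-added).
	dir, _ := os.MkdirTemp("", "ca")
	defer os.RemoveAll(dir)
	gitlabCA, otherCA := selfSignedPEM("gitlab-ca"), selfSignedPEM("other-ca")
	caFile, bundle := filepath.Join(dir, "CI_SERVER_TLS_CA_FILE"), filepath.Join(dir, "bundle.crt")
	_ = os.WriteFile(caFile, gitlabCA, 0o600)
	_ = os.WriteFile(bundle, append(append([]byte{}, gitlabCA...), otherCA...), 0o600)
	added, err := AppendSystemStore(caFile, []string{bundle})
	fmt.Println("added:", added, "err:", err) // added: 1 err: <nil>
}
```

When wired into the step scripts, the command would receive the path from CI_SERVER_TLS_CA_FILE; passing `systemBundlePaths` as the candidate list covers the common Linux images, while Windows still needs the separate handling noted above.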
Implementation Proposal
- {placeholder}
- {placeholder}
- {placeholder}
- {placeholder}