CI URL used instead of clone URL when setting git TLS configuration
Summary
When the GitLab CI server is reachable on a different URL than the git repositories are, GitLab Runner sets the wrong git variables for configuring the TLS certificate(s) to use. Instead of the URL of the git repository (clone_url in config.toml) it uses the one of the GitLab CI server (url in config.toml). This causes TLS verification to fail.
After a quick peek into abstract.go:writeGitSSLConfig() my guess would be that it needs to use build.GetRemoteURL() (like writeCloneCmd() does) to derive host instead of using build.Runner.URL as it currently does.
Steps to reproduce
- Set up a GitLab server providing the CI server on a different port than the git repositories and using a TLS certificate signed by an internal CA.
- Set up a host for GitLab runner with the internal CA in the system-default certificate store.
- Set up GitLab Runner, providing matching --url and --clone-url values.
- Try to clone a project without setting GIT_SSL_NO_VERIFY: "true" in .gitlab-ci.yml. Use CI_DEBUG_TRACE: "true" to see what's going on.
In the example output below http://gitlab.example.com:1234/gitlab/ci is the GitLab CI server URL and https://gitlab.example.com/gitlab is the git repository base URL. The project is myproject in group mygroup.
Actual behavior
[...]
++ git config --global http.http://gitlab.example.com:1234.sslCAInfo /builds/gitlab/mygroup/myproject.tmp/CI_SERVER_TLS_CA_FILE
[...]
++ git remote set-url origin https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/gitlab/mygroup/myproject.git
++ git fetch origin --prune '+refs/heads/*:refs/remotes/origin/*' '+refs/tags/*:refs/tags/*'
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/gitlab/mygroup/myproject.git/': SSL certificate problem: unable to get local issuer certificate
[...]
Expected behavior
[...]
++ git config --global http.https://gitlab.example.com.sslCAInfo /builds/gitlab/mygroup/myproject.tmp/CI_SERVER_TLS_CA_FILE
[...]
++ git remote set-url origin https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/gitlab/mygroup/myproject.git
++ git fetch origin --prune '+refs/heads/*:refs/remotes/origin/*' '+refs/tags/*:refs/tags/*'
From https://gitlab.example.com/gitlab/mygroup/myrepo
+ 1234abcd...5678dcba wip-tls-docker-experiment -> origin/wip-tls-docker-experiment (forced update)
[...]
Environment description
Custom installation using the Docker executor.
Used GitLab Runner version
Version: 11.1.0
Git revision: 081978aa
Git branch:
GO version: go1.8.7
Built: 2018-07-22T07:24:46+00:00
OS/Arch: linux/amd64
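The mismatch reported above, as an added example that is not GitLab Runner's own code: it derives the http.<url>.sslCAInfo key from each base URL in the report and checks whether that key would cover the clone remote. The function names are hypothetical, and the matching rule (scheme, host and port must agree, default ports filled in) is a simplified model of how git scopes per-URL http settings.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sslCAInfoKey builds the git config key http.<scheme>://<host[:port]>.sslCAInfo
// from a base URL, dropping path and credentials. Hypothetical helper.
func sslCAInfoKey(base string) (string, error) {
	u, err := url.Parse(base)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("not an absolute URL: %q (%v)", base, err)
	}
	return "http." + u.Scheme + "://" + u.Host + ".sslCAInfo", nil
}

// origin returns scheme://host:port with the default port filled in.
func origin(u *url.URL) string {
	port := u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	return u.Scheme + "://" + strings.ToLower(u.Hostname()) + ":" + port
}

// caApplies reports whether a CA file configured for base is used for remote.
// Simplified model (assumption): scheme, host and port must all match.
func caApplies(base, remote string) (bool, error) {
	b, err := url.Parse(base)
	if err != nil {
		return false, err
	}
	r, err := url.Parse(remote)
	if err != nil {
		return false, err
	}
	return origin(b) == origin(r), nil
}

func main() {
	// URLs taken from the report's example output.
	remote := "https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.example.com/gitlab/mygroup/myproject.git"
	for _, base := range []string{"http://gitlab.example.com:1234/gitlab/ci", "https://gitlab.example.com/gitlab"} {
		key, _ := sslCAInfoKey(base)
		ok, _ := caApplies(base, remote)
		fmt.Printf("%-50s applies to remote: %v\n", key, ok)
	}
}
```

A check of this kind also works as a regression test: a key built from the CI server URL silently leaves the clone remote on the default trust store, which is the situation that pushes users toward GIT_SSL_NO_VERIFY.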