CI_SERVER_TLS_CA_FILE was not set, even after setting up certsSecretName in helm values.yaml
Summary
CI_SERVER_TLS_CA_FILE was not set, even after setting up certsSecretName in helm values.yaml
Steps to reproduce
- Deploy gitlab-runner using helm_release through terraform.
- Then run the sample hello-world pipeline below to verify the gitlab-runner created in step 1
# Minimal pipeline used to verify that the runner can clone the repository
# and execute a job; the failure appears during the clone step.
stages:
  - test

hello_world:
  stage: test
  script:
    - echo "Hello World from GitLab CI!"
.gitlab-ci.yml
Actual behavior
Expected behavior
Pipeline execution must be successful
Relevant logs and/or screenshots
job log
unable to access <git repo>: server certificate failed. CAfile: /builds/gitlabrunner-automation/x.tmp/CI_SERVER_TLS_CA_FILE CRLfile: none
Environment description
We are using the Terraform configuration and Helm values below to create the GitLab runners
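# Local values shared by the gitlab-runner helm_release.
locals {
  # config.toml fragment injected through the chart's `runners.config` value.
  # The Linux and Windows variants differ only in image, helper_image_flavor,
  # environment and node_selector.
  #
  # The TLS CA for the GitLab server is not configured here; it is expected to
  # come from the chart's certsSecretName mount. NOTE(review): the runner only
  # picks a mounted certificate up for CI_SERVER_TLS_CA_FILE when the secret key
  # is named after the server host (see local.server_host) — confirm the key
  # name in the secret referenced by var.runner_cert_secret_name.
  helm_chart_config = local.os_type == "linux" ? (
    <<-EOF
    concurrent = ${var.gitlab_runner_concurrent}
    log_format = "json"
    [[runners]]
      output_limit = 32768
      name = "${module.context_gitlab_runner.name}"
      executor = "kubernetes"
      [runners.kubernetes]
        namespace = "${local.namespace}"
        image = "${var.linux_container_version}"
        privileged = false
        poll_interval = 10
        poll_timeout = 600
        cpu_request_overwrite_max_allowed = "3"
        memory_request_overwrite_max_allowed = "12Gi"
        helper_image_flavor = "ubuntu"
        service_account = "${var.gitlab_runner_serviceaccount_name}"
        [runners.kubernetes.pod_labels]
          "azure.workload.identity/use" = "true"
        [runners.kubernetes.node_selector]
          agentpool = "${var.aks_nodepool_name}"
          "kubernetes.io/os" = "linux"
      [runners.cache]
        # Type selects the cache backend; without it the [runners.cache.azure]
        # table below is never used and jobs run without a cache.
        Type = "azure"
        [runners.cache.azure]
          AccountName = "${substr(join("", regexall("[a-z0-9]", lower(module.context_gitlab_cache_storage_account.name))), 0, 24)}"
          ContainerName = "runners-cache"
          StorageDomain = "${local.blob_domain}"
    EOF
  ) : (
    <<-EOF
    concurrent = ${var.gitlab_runner_concurrent}
    log_format = "json"
    [[runners]]
      output_limit = 32768
      name = "${module.context_gitlab_runner.name}"
      environment = [
        "FF_USE_POWERSHELL_PATH_RESOLVER=true"
      ]
      executor = "kubernetes"
      [runners.kubernetes]
        namespace = "${local.namespace}"
        # NOTE(review): image is taken from var.windows_build_version, the same
        # variable used for the node.kubernetes.io/windows-build selector —
        # confirm it holds an image reference and not only an OS build number.
        image = "${var.windows_build_version}"
        privileged = false
        poll_interval = 10
        poll_timeout = 600
        cpu_request_overwrite_max_allowed = "3"
        memory_request_overwrite_max_allowed = "12Gi"
        helper_image_flavor = "windows"
        service_account = "${var.gitlab_runner_serviceaccount_name}"
        [runners.kubernetes.pod_labels]
          "azure.workload.identity/use" = "true"
        [runners.kubernetes.node_selector]
          agentpool = "${var.aks_nodepool_name}"
          "kubernetes.io/os" = "windows"
          "kubernetes.io/arch" = "amd64"
          "node.kubernetes.io/windows-build" = "${var.windows_build_version}"
      [runners.cache]
        # Type must live in [runners.cache]; placed after the node_selector keys
        # it would become a pod node selector "Type=azure" instead of enabling
        # the cache backend.
        Type = "azure"
        [runners.cache.azure]
          AccountName = "${substr(join("", regexall("[a-z0-9]", lower(module.context_gitlab_cache_storage_account.name))), 0, 24)}"
          ContainerName = "runners-cache"
          StorageDomain = "${local.blob_domain}"
    EOF
  )

  namespace = "aks-gitlab-runners"

  # Hostname of the GitLab server, used for certificate naming.
  server_host = replace(var.gitlab_uri, "https://", "")

  windows_build_version = var.windows_build_version

  # Chart coordinates and values rendered into the helm_release `values` input.
  helm_release_gitlab_runner = {
    repository = "https://charts.gitlab.io"
    chart      = "gitlab-runner"
    version    = var.gitlab_runner_chart_version
    namespace  = local.namespace

    values = {
      # Runner manager pod itself runs on the Linux pool; job pods are
      # scheduled by the node_selector in config.toml above.
      nodeSelector = {
        "kubernetes.io/os" = "linux",
        "agentpool"        = "${var.aks_nodepool_name}"
      }

      # Service account annotated for Azure Workload Identity.
      serviceAccount = {
        create = true
        name   = var.gitlab_runner_serviceaccount_name
        annotations = {
          "azure.workload.identity/client-id" = data.azurerm_client_config.current.client_id
        }
      }

      gitlabUrl         = var.gitlab_uri
      unregisterRunners = true

      # Permissions the Kubernetes executor needs in the job namespace. The
      # secrets rule is broad (get/list/update/delete); keep the namespace
      # dedicated to runner jobs so this cannot read unrelated secrets.
      rbac = {
        create = true
        rules = [
          {
            resources = ["pods"]
            verbs     = ["get", "list", "watch", "create", "patch", "delete"]
          },
          {
            resources = ["secrets"]
            verbs     = ["get", "list", "watch", "create", "update", "patch", "delete"]
          },
          {
            resources = ["configmaps"]
            verbs     = ["create", "update", "patch", "delete"]
          },
          {
            resources = ["pods/attach", "pods/exec"]
            verbs     = ["create", "patch", "delete"]
          }
        ]
      }

      livenessProbe = {
        initialDelaySeconds = 60
        periodSeconds       = 15
        timeoutSeconds      = 15
        failureThreshold    = 6
        successThreshold    = 1
      }

      readinessProbe = {
        initialDelaySeconds = 30
        periodSeconds       = 10
        timeoutSeconds      = 15
        failureThreshold    = 6
        successThreshold    = 1
      }

      runners = {
        config = local.helm_chart_config
      }
    }
  }
}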
## Fetches the runner token from a Kubernetes secret.
## In phase 1 the secret storing the runner token is created manually as a prerequisite for deploying the GitLab runners,
## hence the hard-coded secret name and namespace.
# Reads the pre-created secret holding the runner token. Name and namespace
# are fixed because the secret is created out of band.
data "kubernetes_secret" "gitlab_runner_token" {
  metadata {
    name      = "gitlab-runner-secret"
    namespace = "gitlab-runners"
  }
}
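# Installs the gitlab-runner chart. Chart values come from
# local.helm_release_gitlab_runner; the runner token comes from the
# pre-created secret read by data.kubernetes_secret.gitlab_runner_token.
resource "helm_release" "gitlab_runner" {
  depends_on = [
    azurerm_kubernetes_cluster_node_pool.this,
    azurerm_storage_account.gitlab_runner_cache,
    data.kubernetes_secret.gitlab_runner_token,
    module.run_command_get_ca_cert,
  ]

  name             = module.context_gitlab_runner.name
  repository       = local.helm_release_gitlab_runner.repository
  chart            = local.helm_release_gitlab_runner.chart
  version          = local.helm_release_gitlab_runner.version
  namespace        = local.helm_release_gitlab_runner.namespace
  create_namespace = true

  set = [
    {
      name  = "fullnameOverride"
      value = module.context_gitlab_runner.name
    },
    {
      name  = "runners.name"
      value = module.context_gitlab_runner.name
    },
    {
      name  = "metrics.enabled"
      value = true
    },
    {
      name  = "service.enabled"
      value = true
    },
    {
      name  = "metrics.port"
      value = 9252
    },
    {
      # Secret mounted into the runner manager's certs directory by the chart.
      # NOTE(review): the runner uses a mounted certificate for
      # CI_SERVER_TLS_CA_FILE only when the secret key matches the GitLab host
      # name (local.server_host) — confirm the key name in this secret.
      name  = "certsSecretName"
      value = var.runner_cert_secret_name
    }
  ]

  # The runner token is a credential. Passing it through set_sensitive keeps it
  # redacted in plan output and state; the previous nonsensitive() wrapper
  # stripped that protection and printed the token in plain text.
  # NOTE(review): the secret key is named RUNNER_REGISTRATION_TOKEN but the
  # chart's runnerToken value expects a runner authentication token — confirm
  # which token type is stored there.
  set_sensitive = [
    {
      name  = "runnerToken"
      value = data.kubernetes_secret.gitlab_runner_token.data["RUNNER_REGISTRATION_TOKEN"]
    }
  ]

  values = [
    yamlencode(local.helm_release_gitlab_runner.values)
  ]
}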
config.toml contents
Add your configuration here