Custom certificates are not used/usable in Helm chart 0.1.45
When deploying the latest gitlab-runner chart with custom certificates, registration fails. I found no way to analyze what's happening to get a hint on what the issue is.
Steps to reproduce
1. Create a secret containing the CA and Server certificate
2. Reference the secret as described here
3. Deploy the Helm chart
Registration fails with
    Registration attempt 12 of 30
    Runtime platform arch=amd64 os=linux pid=151 revision=8bb608ff version=11.7.0
    WARNING: Running in user-mode.
    WARNING: The user-mode requires you to manually start builds processing:
    WARNING: $ gitlab-runner run
    WARNING: Use sudo for system-mode:
    WARNING: $ sudo gitlab-runner...
    ERROR: Registering runner... failed runner=zD8dZ6Qy status=couldn't execute POST against https://xxx/api/v4/runners: Post https://xxx/api/v4/runners: x509: certificate signed by unknown authority
    PANIC: Failed to register this runner. Perhaps you are having network problems
Registration should work
Relevant logs and/or screenshots
Not much to display here. The analysis is complicated since I can't check the /etc/gitlab-runner/certs folder in the pod. The gitlab-runner folder is only readable by the root user:

    $ kubectl exec -it gitlab-runner-1-gitlab-runner-7cb4c98f5b-q7vxv -- ls -l /etc/
    total 216
    ...
    -rw-r--r-- 1 root root 89 Jun 7 2018 fstab
    drwx------ 3 root root 4096 Feb 6 15:40 gitlab-runner
    -rw-r--r-- 1 root root 710 Jan 22 11:29 group
    -rw-r--r-- 1 root root 697 Jun 7 2018 group-
    ...

When on the pod, there's no way to su as root to go and check in the folder:

    bash-4.4$ su root
    su: must be suid to work properly

The certificates are correctly set in the secret:

    $ kubectl describe secret xxx-certificate
    Name: xxx-certificate
    Namespace: gitlab-runner
    Labels: <none>
    Annotations: <none>
    Type: Opaque
    Data
    ====
    xxx_Internal_xx_Root_CA.crt: 2033 bytes
    xxx_Internal_xx_Server_CA.crt: 2225 bytes
The configuration is done in the values.yaml:
    ## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use
    ## Provide resource name for a Kubernetes Secret Object in the same namespace,
    ## this is used to populate the /etc/gitlab-runner/certs directory
    ## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
    ##
    certsSecretName: xxx-certificate
Custom installation on a kubernetes cluster.
Used GitLab Runner version
    helm list --tiller-namespace gitlab-runner
    NAME             REVISION  UPDATED                   STATUS    CHART                 APP VERSION  NAMESPACE
    gitlab-runner-1  1         Wed Feb 6 16:53:43 2019   DEPLOYED  gitlab-runner-0.1.45  11.7.0       gitlab-runner
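A check that can be run without access to the pod's root-only certs directory, added here as an example and not part of the original report: it parses the Data section of `kubectl describe secret` and compares the key names with the `<hostname>.crt` file name that the GitLab Runner TLS documentation referenced in values.yaml says the runner reads from its certs directory. The hostname `gitlab.example.com` is a placeholder for the redacted `xxx` host, and the sample output is constructed from the report's own listing.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the `kubectl describe secret` output in the report.
DESCRIBE_OUTPUT = """\
Name:         xxx-certificate
Type:  Opaque

Data
====
xxx_Internal_xx_Root_CA.crt:    2033 bytes
xxx_Internal_xx_Server_CA.crt:  2225 bytes
"""

def secret_keys(describe_text):
    """Return {key_name: size_in_bytes} from the Data section of the output."""
    keys, in_data = {}, False
    for line in describe_text.splitlines():
        line = line.strip()
        if line == "Data":
            in_data = True          # keys are listed only after this header
        elif in_data:
            m = re.fullmatch(r"(\S+):\s+(\d+) bytes", line)
            if m:
                keys[m.group(1)] = int(m.group(2))
    return keys

def expected_cert_file(gitlab_url):
    """File name derived from the GitLab URL: <hostname>.crt, without port or path."""
    host = urlsplit(gitlab_url).hostname
    if not host:
        raise ValueError(f"no hostname in {gitlab_url!r}")
    return f"{host}.crt"

def check_secret(describe_text, gitlab_url):
    """Return (expected_file_name, found_in_secret, other_keys_in_secret)."""
    keys = secret_keys(describe_text)
    expected = expected_cert_file(gitlab_url)
    others = sorted(k for k in keys if k != expected)
    return expected, expected in keys, others

if __name__ == "__main__":
    # Placeholder URL (assumption): substitute the real GitLab address.
    expected, found, others = check_secret(
        DESCRIBE_OUTPUT, "https://gitlab.example.com/api/v4/runners")
    print(f"expected key: {expected}  present: {found}")
    for name in others:
        print(f"key not matching the hostname convention: {name}")
```

A key that does not match is only a lead to follow up, since the runner log also shows it running in user-mode, where the documentation names a different certs directory than /etc/gitlab-runner/certs.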