
Add an ENTRYPOINT script to the helper image Dockerfiles to add CA certificates

Pedro Pombeiro requested to merge helper-image-custom-ca into master

What does this MR do?

  • Adds an ENTRYPOINT script to the helper image Dockerfiles so that a certificate can be installed from a well known path (/etc/gitlab-runner/certs/ca.crt).
  • Adds a FF_RESET_HELPER_IMAGE_ENTRYPOINT (to be removed in %14.0 with #26679 (closed))

The dockerfiles/build/entrypoint script itself was copied from the Runner images (alpine/ubuntu).

Why was this MR needed?

See #3371 (closed) and #3417 (closed)

How to test this MR?

  1. Add an extra_hosts = ["localhost:<YOUR IP ADDRESS HERE>"] entry under your [runners.docker] section to point to your host IP address. You can find the value with ifconfig en0.
  2. Create and install a root CA using mkcert
    1. mkcert -install
  3. Create a private key pair for localhost using mkcert
    1. mkcert -key-file ~/.minio/certs/private.key -cert-file ~/.minio/certs/public.crt localhost 127.0.0.1 ::1
    2. cat "`mkcert -CAROOT`/rootCA.pem" >> ~/.minio/certs/public.crt
  4. Start a Minio local server instance: minio -server /tmp/cache
  5. Create a test project with the same content as https://gitlab.com/pedropombeiro/playground/-/blob/34cf081efb5ac98cdd9d9fe74fee20f8ee0b4c9d/.gitlab-ci.yml
  6. Configure a runner with the following config.toml configuration:
```toml
executor = "docker"
builds_dir = "/tmp/builds"
[runners.custom_build_dir]
  enabled = true
[runners.cache]
  [runners.cache.s3]
    ServerAddress = "localhost:9000"
    AccessKey = "minioadmin"
    SecretKey = "minioadmin"
    BucketName = "runner"
```

Are there points in the code the reviewer needs to double check?

Linux

```sh
docker run --rm -v "$PWD/certs/ca.crt:/etc/gitlab-runner/certs/ca.crt:ro" gitlab/gitlab-runner-helper:x86_64-8b81ba6e sh -c "apk add openssl && awk -v cmd='openssl x509 -noout -subject' '    /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt"
```

This command maps a volume to /etc/gitlab-runner/certs/ca.crt and passes a command to the container to install openssl and list all the installed certificates to demonstrate that the certificate generated by mkcert was installed:

[asciicast: MinIO test]

Windows

Running the new Dockerfile with a file in `C:\etc\gitlab-runner\certs\ca.crt` and a CMD (`cmd /S /C dir`):
```text
PS C:\GitLab-Runner> docker run --rm -v "C:\GitLab-Runner\certs:C:\etc\gitlab-runner\certs:ro" gitlab/gitlab-runner-helper:x86_64-01dc54f9-servercore1809 cmd /S /C dir
Adding CA certificate...


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\CA

Thumbprint                                Subject
----------                                -------
5BA8132CA9DA46E5D3C0326915EF5CC804976563  CN=mkcert pedropombeiro@pedros-mac...


 Volume in drive C has no label.
 Volume Serial Number is A8F8-4541

 Directory of C:\

05/06/2020  06:05 AM               101 entrypoint.cmd
05/06/2020  06:06 AM    <DIR>          etc
05/06/2020  06:03 AM               211 install-ca-cert.ps1
09/15/2018  02:42 AM             5,510 License.txt
05/05/2020  09:08 AM    <DIR>          Program Files
01/02/2019  03:32 PM    <DIR>          Program Files (x86)
01/02/2019  03:34 PM    <DIR>          Users
05/05/2020  09:08 AM    <DIR>          Windows
               3 File(s)          5,822 bytes
               5 Dir(s)  21,286,785,024 bytes free
PS C:\GitLab-Runner>
```
Running the new Dockerfile without a file in `C:\etc\gitlab-runner\certs\ca.crt` and with a CMD (`cmd /S /C dir C:\`):
```text
PS C:\GitLab-Runner> docker run --rm gitlab/gitlab-runner-helper:x86_64-01dc54f9-servercore1809 cmd /S /C dir C:\
 Volume in drive C has no label.
 Volume Serial Number is A8F8-4541

 Directory of C:\

05/06/2020  06:05 AM               101 entrypoint.cmd
05/06/2020  06:11 AM    <DIR>          etc
05/06/2020  06:03 AM               211 install-ca-cert.ps1
09/15/2018  02:42 AM             5,510 License.txt
05/05/2020  09:08 AM    <DIR>          Program Files
01/02/2019  03:32 PM    <DIR>          Program Files (x86)
01/02/2019  03:34 PM    <DIR>          Users
05/05/2020  09:08 AM    <DIR>          Windows
               3 File(s)          5,822 bytes
               5 Dir(s)  21,287,186,432 bytes free
PS C:\GitLab-Runner>
```
Running the official Dockerfile with a CMD (`cmd /S /C dir C:\`):
```text
PS C:\GitLab-Runner> docker run --rm gitlab/gitlab-runner-helper:x86_64-latest-servercore1809 cmd /S /C dir C:\
 Volume in drive C has no label.
 Volume Serial Number is A8F8-4541

 Directory of C:\

09/15/2018  02:42 AM             5,510 License.txt
01/20/2020  01:27 AM    <DIR>          Program Files
01/02/2019  03:32 PM    <DIR>          Program Files (x86)
01/02/2019  03:34 PM    <DIR>          Users
01/20/2020  01:25 AM    <DIR>          Windows
               1 File(s)          5,510 bytes
               4 Dir(s)  21,298,606,080 bytes free
PS C:\GitLab-Runner>
```

Does this MR meet the acceptance criteria?

  • Documentation created/updated
  • Added tests for this feature/bug
  • In case of conflicts with master - branch was rebased

What are the relevant issue numbers?

#3371 (closed) #3417 (closed)

Edited by Steve Xuereb
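An illustrative POSIX sh entrypoint for a Linux helper image, added here as an example and not the script this MR ships: it checks that the file mounted at /etc/gitlab-runner/certs/ca.crt is a PEM certificate before copying it into the trust store, refreshes the bundle, and then execs the container command. The destination directory (/usr/local/share/ca-certificates, scanned by update-ca-certificates on Alpine and Ubuntu), the CA_CERT_SRC/CA_CERT_DST_DIR overrides and the function names are assumptions.

```shell
#!/bin/sh
# Well-known path from the MR; destination is what update-ca-certificates
# scans on Alpine/Ubuntu (assumed; both overridable via env for testing).
CA_CERT_SRC="${CA_CERT_SRC:-/etc/gitlab-runner/certs/ca.crt}"
CA_CERT_DST_DIR="${CA_CERT_DST_DIR:-/usr/local/share/ca-certificates}"

# Returns 0 when the file is non-empty and carries a BEGIN/END CERTIFICATE
# pair, 1 otherwise. A marker check only: an empty mount or a stray
# non-PEM file is rejected before it can land in the trust store.
is_pem_cert() {
  f="$1"
  [ -s "$f" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
  grep -q -- '-----END CERTIFICATE-----' "$f" || return 1
}

# Installs $1 into the trust-store source dir $2 and refreshes the bundle.
# Prints one word: "skipped" (nothing mounted), "invalid" (not PEM, exit 1)
# or "installed".
install_ca_cert() {
  src="$1"; dst_dir="$2"
  if [ ! -f "$src" ]; then
    echo skipped
    return 0
  fi
  if ! is_pem_cert "$src"; then
    echo invalid
    return 1
  fi
  mkdir -p "$dst_dir"
  # The .crt suffix is required by update-ca-certificates on Debian/Ubuntu.
  cp "$src" "$dst_dir/gitlab-runner-ca.crt"
  if command -v update-ca-certificates >/dev/null 2>&1; then
    update-ca-certificates >/dev/null 2>&1 \
      || echo "Warning: update-ca-certificates failed" >&2
  fi
  echo installed
}

# With a command given, act as ENTRYPOINT: install the CA, then exec the CMD
# so it keeps PID 1 and signal handling. With no arguments only the
# functions are defined, which lets the file be sourced.
if [ "$#" -gt 0 ]; then
  install_ca_cert "$CA_CERT_SRC" "$CA_CERT_DST_DIR" >/dev/null || exit 1
  exec "$@"
fi
```

The Dockerfile would reference this file as its ENTRYPOINT and keep the existing CMD; the L44-style listing above can then confirm the mkcert root appears in /etc/ssl/certs/ca-certificates.crt.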
