
Custom certificates are not used/usable in Helm chart 0.1.45

Summary

When deploying the latest gitlab-runner chart with custom certificates, registration fails. I found no way to analyze what's happening to get a hint on what the issue is.

Steps to reproduce

1. Create a secret containing the CA and Server certificate
2. Reference the secret as described here
3. Deploy the Helm chart

Actual behavior

Registration fails with

Registration attempt 12 of 30
Runtime platform                                    arch=amd64 os=linux pid=151 revision=8bb608ff version=11.7.0
WARNING: Running in user-mode.                     
WARNING: The user-mode requires you to manually start builds processing: 
WARNING: $ gitlab-runner run                       
WARNING: Use sudo for system-mode:                 
WARNING: $ sudo gitlab-runner...                   
                                                   
ERROR: Registering runner... failed                 runner=zD8dZ6Qy status=couldn't execute POST against https://xxx/api/v4/runners: Post https://xxx/api/v4/runners: x509: certificate signed by unknown authority
PANIC: Failed to register this runner. Perhaps you are having network problems

Expected behavior

Registration should work

Relevant logs and/or screenshots

Not much to display here. The analysis is complicated since I can't check the /etc/gitlab-runner/certs folder in the pod. The gitlab-runner folder is only readable by the root user:

$ kubectl exec -it gitlab-runner-1-gitlab-runner-7cb4c98f5b-q7vxv -- ls -l /etc/
total 216
...
-rw-r--r--    1 root     root            89 Jun  7  2018 fstab
drwx------    3 root     root          4096 Feb  6 15:40 gitlab-runner
-rw-r--r--    1 root     root           710 Jan 22 11:29 group
-rw-r--r--    1 root     root           697 Jun  7  2018 group-
...

When on the pod, there's no way to su as root to go checking in the folder:

bash-4.4$ su root
su: must be suid to work properly

The certificates are correctly set in the secret:

$ kubectl describe secret xxx-certificate
Name:         xxx-certificate
Namespace:    gitlab-runner
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
xxx_Internal_xx_Root_CA.crt:    2033 bytes
xxx_Internal_xx_Server_CA.crt:  2225 bytes

The configuration is done in the values.yaml:

## Set the certsSecretName in order to pass custom certificates for GitLab Runner to use
## Provide resource name for a Kubernetes Secret Object in the same namespace,
## this is used to populate the /etc/gitlab-runner/certs directory
## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
##
certsSecretName: xxx-certificate
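What the runner's TLS verification is asking of the certificates in that secret can be checked offline. The script below is an added example, not part of this issue or the chart: it builds a throwaway root CA, an intermediate "Server CA" and a server certificate with the openssl CLI (assumed to be installed) and shows which trust sets let the server certificate validate and which give the "unknown authority" class of failure.

```shell
#!/bin/sh
# Constructed example: build a throwaway root CA -> "Server CA" (intermediate)
# -> server certificate chain and check which trust sets validate the server
# certificate. Assumes the openssl CLI is installed; nothing here touches a
# real GitLab host or Kubernetes secret.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mkcert NAME SUBJECT [ISSUER_NAME] [EXTENSIONS]
# Without an issuer the certificate is self-signed (a root); otherwise a CSR
# is created and signed by ISSUER with the given X.509 extensions.
mkcert() {
  name="$1"; subj="$2"; issuer="${3:-}"; ext="${4:-}"
  if [ -z "$issuer" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
      -keyout "$name.key" -out "$name.crt" 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
      -keyout "$name.key" -out "$name.csr" 2>/dev/null
    printf '%s\n' "$ext" > "$name.ext"
    openssl x509 -req -days 1 -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# verify_chain TRUSTED_CA_FILE LEAF_FILE [UNTRUSTED_INTERMEDIATE_FILE]
# Mirrors what a TLS client does with a CA bundle: returns 0 if LEAF chains
# up to a certificate in TRUSTED_CA_FILE, non-zero otherwise.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

mkcert root      "/CN=Internal Root CA (constructed)"
mkcert server_ca "/CN=Internal Server CA (constructed)" root "basicConstraints=critical,CA:TRUE"
mkcert gitlab    "/CN=gitlab.example.test" server_ca "basicConstraints=CA:FALSE"
mkcert other     "/CN=Unrelated Root CA (constructed)"

verify_chain root.crt  gitlab.crt server_ca.crt && echo "root + intermediate: ok"
verify_chain root.crt  gitlab.crt               || echo "root only, intermediate missing: fail"
verify_chain other.crt gitlab.crt server_ca.crt || echo "wrong root trusted (unknown authority): fail"
```

The same distinction applies to the runner: the files in the secret must let the chain the GitLab server presents reach a trusted certificate, and a bundle that merely contains valid CA certificates is not enough if the server's issuer is missing from it.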

Environment description

Custom installation on a kubernetes cluster.

Used GitLab Runner version

helm list --tiller-namespace gitlab-runner
NAME           	REVISION	UPDATED                 	STATUS  	CHART               	APP VERSION	NAMESPACE    
gitlab-runner-1	1       	Wed Feb  6 16:53:43 2019	DEPLOYED	gitlab-runner-0.1.45	11.7.0     	gitlab-runner