improvements to runner/TLS documentation
When root certificate(s) for a private CA must be supplied, the steps required to get the runner to handshake, the git client to handshake, and (for the docker executor) the pull from a container registry to work are not clear cut, and the three TLS clients do not behave consistently.
It may be necessary to include a pre_build_script in config.toml:
pre_build_script = """
cp /etc/docker/certs.d/registry.gitlab.com/* /usr/local/share/ca-certificates
update-ca-certificates --fresh > /dev/null
"""
Verify scenarios such as:
- GitLab is signed by a private root, the container registry is public (and trusted via the Linux bundle). Pass in the private root and ensure the runner, git, and container registry clients can all handshake successfully.
- If a bundle is passed in, rather than a single root, do the clients handle both/all roots?
- There's a size limit when passing roots in for the container registry.
- My recollection from previous tickets is that one of the clients (git or container registry) will only use a supplied root, and then ignores the public roots in the OS.
- Check this page is linked in from the runner register doc.
- tlsctl. Uses same client stack as runner.
  - Is it in the helper image?
  - See what problems it's a good fit for tackling.
- testssl.sh
- Error about IP SANs comment.
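The bundle-versus-single-root and "supplied root only" questions above can be checked outside the three clients with plain shell tooling. The following is an added example, not code from the issue or from the runner project; it assumes a POSIX shell with grep, awk and openssl, and the host names, ports and paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the issue or the runner project. Assumes a POSIX
# shell with grep, awk and openssl; host names, ports and paths are placeholders.

# Count the PEM certificates in a file, to tell a single root from a bundle.
count_pem_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Split a bundle into one certificate per file under directory $2, named
# ca-01.crt, ca-02.crt, ... (assumption: one cert per file is the safest
# layout for a trust store assembled from /usr/local/share/ca-certificates).
# Prints the number of files written.
split_pem_bundle() {
  awk -v dir="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%02d.crt", dir, n); inside = 1 }
    inside { print > out }
    /^-----END CERTIFICATE-----/ { close(out); inside = 0 }
    END { print n + 0 }
  ' "$1"
}

# Probe one TLS endpoint two ways so each client's behaviour can be compared
# against a known-good verifier: (a) trusting only the supplied roots, and
# (b) trusting the OS bundle as well (CApath is the Debian/Ubuntu location;
# adjust for other distributions).
check_handshake() {
  host=$1; port=$2; cafile=$3
  for mode in "supplied-only" "supplied+os"; do
    if [ "$mode" = "supplied-only" ]; then capath=""; else capath="-CApath /etc/ssl/certs"; fi
    if openssl s_client -connect "$host:$port" -servername "$host" \
         -CAfile "$cafile" $capath -verify_return_error </dev/null >/dev/null 2>&1
    then echo "$host:$port $mode: ok"; else echo "$host:$port $mode: FAIL"; fi
  done
}

# Typical use (placeholder hosts): probe the GitLab host and its registry with
# the same bundle, then compare the results with what the runner, git and
# docker report for the same endpoints.
# check_handshake gitlab.example.internal 443 /etc/gitlab-runner/certs/private-root.pem
# check_handshake registry.example.internal 5000 /etc/gitlab-runner/certs/private-root.pem
```

A client that passes in "supplied+os" mode but fails in "supplied-only" mode is relying on the public roots, which is what the recollection about one client ignoring the OS roots can be tested against.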
Agent: Ben Prescott