Auto DevOps deploy fails on ensure_namespace - "x509: certificate signed by unknown authority"

Summary

Running Kubernetes on Google Cloud via Google Container Engine. Clusters set up on GC use self-signed certificates, and typically use the GC IAM service accounts for authentication. This is likely causing the issue.

Steps to reproduce

Run an Auto DevOps deployment on Google Cloud wired up to GC Container Engine (Kubernetes).

What is the current bug behavior?

What is the expected correct behavior?

The deployment succeeds.

Relevant logs and/or screenshots

deployment step output:

Running with gitlab-runner 10.0.2 (a9a76a50)
  on server-optic-nexus (21590677)
Using Kubernetes namespace: gitlab
Using Kubernetes executor with image alpine:latest ...
Waiting for pod gitlab/runner-21590677-project-56-concurrent-0r2q3v to be running, status is Pending
Waiting for pod gitlab/runner-21590677-project-56-concurrent-0r2q3v to be running, status is Pending
Running on runner-21590677-project-56-concurrent-0r2q3v via server-optic-nexus...
Cloning repository...
Cloning into '/chris.eaton/test'...
Checking out 0240bfd2 as master...
Skipping Git submodules setup
Downloading artifacts for codequality (252)...
Downloading artifacts from coordinator... ok        id=252 responseStatus=200 OK token=CzdnWp28
$ # Auto DevOps variables and functions # collapsed multi-line command
$ check_kube_domain
$ install_dependencies
fetch http://dl-cdn.alpinelinux.org/alpine/v3.6/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.6/community/x86_64/APKINDEX.tar.gz
(1/17) Installing ncurses-terminfo-base (6.0_p20170930-r0)
(2/17) Installing ncurses-terminfo (6.0_p20170930-r0)
(3/17) Installing ncurses-libs (6.0_p20170930-r0)
(4/17) Installing readline (6.3.008-r5)
(5/17) Installing bash (4.3.48-r1)
Executing bash-4.3.48-r1.post-install
(6/17) Installing ca-certificates (20161130-r2)
(7/17) Installing libssh2 (1.8.0-r1)
(8/17) Installing libcurl (7.56.0-r0)
(9/17) Installing curl (7.56.0-r0)
(10/17) Installing expat (2.2.0-r1)
(11/17) Installing pcre (8.41-r0)
(12/17) Installing git (2.13.5-r0)
(13/17) Installing gzip (1.8-r0)
(14/17) Installing libcrypto1.0 (1.0.2k-r0)
(15/17) Installing libssl1.0 (1.0.2k-r0)
(16/17) Installing openssl (1.0.2k-r0)
(17/17) Installing tar (1.29-r1)
Executing busybox-1.26.2-r5.trigger
Executing ca-certificates-20161130-r2.trigger
OK: 38 MiB in 28 packages
Connecting to github.com (192.30.255.113:443)
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (52.216.17.160:443)
glibc-2.23-r3.apk      9% |**                             |   271k  0:00:09 ETA
glibc-2.23-r3.apk     55% |*****************              |  1609k  0:00:01 ETA
glibc-2.23-r3.apk    100% |*******************************|  2874k  0:00:00 ETA

(1/1) Installing glibc (2.23-r3)
OK: 42 MiB in 29 packages
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  9 15.5M    9 1582k    0     0  1582k      0  0:00:10 --:--:--  0:00:10 4548k
100 15.5M  100 15.5M    0     0  15.5M      0  0:00:01  0:00:01 --:--:-- 14.5M
Client: &version.Version{SemVer:"v2.6.1", GitCommit:"bbc1f71dc03afc5f00c6ac84b9308f8ecb4f39ac", GitTreeState:"clean"}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
 22 49.8M   22 11.3M    0     0  11.3M      0  0:00:04 --:--:--  0:00:04 33.6M
100 49.8M  100 49.8M    0     0  49.8M      0  0:00:01 --:--:--  0:00:01 88.7M
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.1", GitCommit:"f38e43b221d08850172a9a4ea785a86a3ffa3b3a", GitTreeState:"clean", BuildDate:"2017-10-11T23:27:35Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
$ download_chart
Creating /root/.helm 
Creating /root/.helm/repository 
Creating /root/.helm/repository/cache 
Creating /root/.helm/repository/local 
Creating /root/.helm/plugins 
Creating /root/.helm/starters 
Creating /root/.helm/cache/archive 
Creating /root/.helm/repository/repositories.yaml 
$HELM_HOME has been configured at /root/.helm.
Not installing Tiller due to 'client-only' flag having been set
Happy Helming!
"gitlab" has been added to your repositories
Hang tight while we grab the latest from your chart repositories...
...Unable to get an update from the "local" chart repository (http://127.0.0.1:8879/charts):
	Get http://127.0.0.1:8879/charts/index.yaml: dial tcp 127.0.0.1:8879: getsockopt: connection refused
...Successfully got an update from the "stable" chart repository
...Successfully got an update from the "gitlab" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 1 charts
Downloading postgresql from repo https://kubernetes-charts.storage.googleapis.com/
Deleting outdated charts
Hang tight while we grab the latest from your chart repositories...
...Unable to get an update from the "local" chart repository (http://127.0.0.1:8879/charts):
	Get http://127.0.0.1:8879/charts/index.yaml: dial tcp 127.0.0.1:8879: getsockopt: connection refused
...Successfully got an update from the "stable" chart repository
...Successfully got an update from the "gitlab" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 1 charts
Downloading postgresql from repo https://kubernetes-charts.storage.googleapis.com/
Deleting outdated charts
$ ensure_namespace
Unable to connect to the server: x509: certificate signed by unknown authority
Unable to connect to the server: x509: certificate signed by unknown authority
ERROR: Job failed: error executing remote command: command terminated with non-zero exit code: Error executing in Docker Container: 1

Results of GitLab environment info

System information
System:         Debian 8.9
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.3.5p376
Gem Version:    2.6.13
Bundler Version:1.13.7
Rake Version:   12.0.0
Redis Version:  3.2.5
Git Version:    2.13.5
Sidekiq Version:5.0.4
Go Version:     unknown

GitLab information
Version:        10.0.3-ee
Revision:       eff7821
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
DB Version:     9.6.3
URL:            omitted
HTTP Clone URL: omitted/some-group/some-project.git
SSH Clone URL:  git@omitted:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers: google_oauth2

GitLab Shell
Version:        5.9.0
Repository storage paths:
  • default:    /var/opt/gitlab/git-data/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Checking GitLab Shell ...

GitLab Shell version >= 5.9.0 ? ... OK (5.9.0)
Repo base directory exists? default... yes
Repo storage directories are symlinks? default... no
Repo paths owned by git:root, or git:git? default... yes
Repo paths access is drwxrws---? default... yes
hooks directories in repos are links: ...
17/1 ... ok
4/2 ... ok
17/3 ... ok
2/4 ... ok
2/5 ... ok
2/6 ... ok
16/8 ... ok
15/9 ... ok
16/14 ... ok
16/17 ... ok
13/18 ... ok
16/19 ... ok
2/20 ... ok
4/23 ... ok
16/24 ... repository is empty
2/25 ... ok
22/26 ... ok
2/30 ... ok
13/31 ... ok
15/32 ... repository is empty
21/35 ... ok
21/37 ... ok
2/41 ... ok
21/42 ... ok
21/43 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml
Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
17/1 ... yes
4/2 ... yes
17/3 ... yes
2/4 ... yes
2/5 ... yes
2/6 ... yes
16/8 ... yes
15/9 ... yes
16/14 ... yes
16/17 ... yes
13/18 ... yes
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
16/19 ... yes
2/20 ... yes
4/23 ... yes
16/24 ... yes
2/25 ... yes
22/26 ... yes
2/30 ... yes
13/31 ... yes
15/32 ... yes
21/35 ... yes
21/37 ... yes
2/41 ... yes
21/42 ... yes
21/43 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.3 ? ... yes (2.3.5)
Git version >= 2.7.3 ? ... yes (2.13.5)
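
Added example (not part of the original issue or of GitLab's Auto DevOps scripts): the message printed at the ensure_namespace step is the text of Go's crypto/x509 UnknownAuthorityError, which a Go TLS client such as kubectl returns when the server certificate does not chain to any root it trusts. The sketch below reproduces that with a constructed, throwaway CA standing in for the cluster CA and shows verification succeeding once that CA is added to the trust roots; all certificate names and serials are made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (cert *x509.Certificate, key ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
	}
	if parent == nil { // stands in for the cluster's own, privately issued CA
		parent, signer = tmpl, key
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return cert, key
}

// demo verifies a constructed API server certificate without, then with, the cluster CA trusted.
func demo() (withoutCA, withCA error) {
	ca, caKey := issue("constructed-cluster-ca", 1, nil, nil)
	server, _ := issue("kube-apiserver.example.internal", 2, ca, caKey)
	roots := x509.NewCertPool() // client trust store that lacks the cluster CA
	_, withoutCA = server.Verify(x509.VerifyOptions{Roots: roots, DNSName: server.DNSNames[0]})
	roots.AddCert(ca) // client now trusts the cluster CA
	_, withCA = server.Verify(x509.VerifyOptions{Roots: roots, DNSName: server.DNSNames[0]})
	return
}

func main() {
	fmt.Println(demo())
}
```

In a kubeconfig, the counterpart of adding the CA to the pool is the cluster entry's certificate-authority or certificate-authority-data field.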
