Gitlab agent fails to register
Environment
Kubernetes 1.23
Gitlab CE 15.5 installed in same cluster as a StatefulSet (no Helm)
Gitlab access through nginx IngressController
Configuration
Agent ConfigMap:

config:
  token: "<Gitlab provided token>"
  kasAddress: "wss://gitlab.fr.mydomain.com/-/kubernetes-agent/"
  caCert: |
    -----BEGIN CERTIFICATE-----
    [My Root CA]
    -----END CERTIFICATE-----
nginx Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitlab
  namespace: gitlab
  annotations:
    nginx.org/client-max-body-size: 20m
    nginx.org/server-snippets: |
      location /-/kubernetes-agent/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://gitlab-gitlab-gitlab.fr.mydomain.com-gitlab-80;
      }
spec:
  ingressClassName: nginx
  defaultBackend:
    service:
      name: gitlab
      port:
        number: 80
  rules:
  - host: gitlab.fr.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: gitlab
            port:
              number: 80
  tls:
  - hosts:
    - gitlab.fr.mydomain.com
Problem
I'm trying to register the Kubernetes cluster with the gitlab-agent (https://docs.gitlab.com/ee/user/clusters/agent/install/). The Gitlab pod throws an exception in the logs (formatted for visibility):

2022-11-14_12:46:39.29373 {
  "level": "error",
  "time": "2022-11-14T12:46:39.293Z",
  "msg": "AgentInfo()",
  "grpc_service": "gitlab.agent.agent_configuration.rpc.AgentConfiguration",
  "grpc_method": "GetConfiguration",
  "error": "Get \"https://gitlab.fr.mydomain.com/api/v4/internal/kubernetes/agent_info\": x509: certificate signed by unknown authority"
}
Interpretation
It seems the agent can reach the Gitlab instance, since this error appears in the Gitlab logs, but for some reason it's using its external URL for its own API. Maybe that's a piece sent by the agent as part of the registration, but I'm not sure where to change that without changing the Gitlab external URL.
I did different tests, including forcing agent <-> gitlab communication through the cluster network, meaning without SSL, without much success. At some point I had kubectl in the pipeline complaining about a self-signed x509 certificate, and forcing the connection didn't correctly authenticate. I've read it's normal, kubectl won't send credentials over an unsecured channel.
So I went back to configure the agent like I think it should work.
As you see above, I configured the ingress to be able to upgrade the connection for WSS, which seems to have solved a previous issue I had while the agent tries to connect to gitlab.
Now it can connect to gitlab, but gitlab is trying to connect to itself through external URL and fails to find a valid CA.
Questions
What would be the correct settings to let gitlab talk to its own API internally?
Should I set the CA in Gitlab container itself? I see no particular reason that I have to do this but maybe that's the only way to solve the issue.
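The log line above is the Go standard library's verification error: the KAS component (written in Go) opens an HTTPS connection to the external URL and finds no trusted root for the certificate chain, so the request never reaches the API. The following added example (not code from the post or from GitLab) reproduces that failure mode and shows what resolves it. It starts a local TLS test server whose certificate is signed by a root that is not in the system trust store (standing in for a Gitlab instance behind a private root CA), calls a stand-in for the `/api/v4/internal/kubernetes/agent_info` endpoint, and shows that the same client succeeds once that root is added to its trust pool. The server, endpoint body and `IsUnknownAuthority` helper are constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// newFakeGitLab starts a TLS test server. httptest signs its certificate with
// a test root that no system trust store contains, which models a Gitlab
// instance whose external URL is served under a private root CA.
// (Constructed stand-in; not GitLab's real API.)
func newFakeGitLab() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v4/internal/kubernetes/agent_info", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"project_id":1,"agent_id":1}`)
	})
	return httptest.NewTLSServer(mux)
}

// newClient builds an HTTPS client. With caCert == nil the client relies on
// the system roots only; with a CA supplied it trusts exactly that root,
// which is what a service needs when its peer is signed by a private CA.
func newClient(caCert *x509.Certificate) *http.Client {
	tlsCfg := &tls.Config{}
	if caCert != nil {
		pool := x509.NewCertPool()
		pool.AddCert(caCert)
		tlsCfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}
}

// fetchAgentInfo issues the same kind of GET the log line shows and returns
// the response body, or the error raised during the TLS handshake.
func fetchAgentInfo(c *http.Client, baseURL string) (string, error) {
	resp, err := c.Get(baseURL + "/api/v4/internal/kubernetes/agent_info")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// IsUnknownAuthority reports whether err wraps Go's verification failure for
// a chain that does not end at a trusted root, i.e. the
// "x509: certificate signed by unknown authority" message from the log.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv := newFakeGitLab()
	defer srv.Close()

	// 1. System roots only: the handshake fails exactly like the Gitlab log.
	_, err := fetchAgentInfo(newClient(nil), srv.URL)
	fmt.Printf("without private CA: unknownAuthority=%v err=%v\n", IsUnknownAuthority(err), err)

	// 2. Same endpoint, client that trusts the private root: the call succeeds.
	body, err := fetchAgentInfo(newClient(srv.Certificate()), srv.URL)
	fmt.Printf("with private CA:    body=%s err=%v\n", body, err)
}
```

The point to take from the run: the failing side is whichever Go process opens the HTTPS connection to the external URL, so that is the process that needs the root CA in its trust pool (or an internal URL it can reach without TLS to the public name). A certificate that validates fine for kubectl or a browser on a workstation tells you nothing about what the server-side container trusts.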