QA::GitlabRunner uses fixed TLS cert name gitlab.test.crt, breaks on custom GitLab hosts

Summary

In qa/service/docker_run/gitlab_runner.rb, the method add_gitlab_tls_cert hardcodes the certificate file name as gitlab.test.crt, regardless of the actual GitLab server hostname.

This causes TLS trust issues when the GitLab instance runs under a different hostname (e.g., gitlab.mycompany.com), because GitLab Runner expects the self-signed certificate file name to match the GitLab server's hostname as per the official documentation.


Steps to Reproduce

  1. Run GitLab QA tests with a GitLab instance hosted at a non-gitlab.test domain (e.g., gitlab.example.com).
  2. Let QA spawn a runner via QA::Service::DockerRun::GitlabRunner.
  3. Observe runner failing to connect to GitLab due to SSL errors.

What is the current bug behavior?

The TLS certificate is written and copied into the container with the name /etc/gitlab-runner/certs/gitlab.test.crt, which does not match the GitLab hostname.


What is the expected correct behavior?

The certificate file name should match the actual GitLab hostname, e.g., /etc/gitlab-runner/certs/gitlab.example.com.crt.


Relevant code

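def add_gitlab_tls_cert
  # Write the configured GitLab TLS certificate to a temporary file on the host.
  gitlab_tls_certificate = Tempfile.new('gitlab-cert')
  gitlab_tls_certificate.write(Runtime::Env.gitlab_tls_certificate)
  gitlab_tls_certificate.close

  # Shell fragment that copies the certificate into the runner container.
  # The destination file name is hardcoded to gitlab.test.crt, whatever the GitLab hostname is.
  <<~CMD
    && docker cp #{gitlab_tls_certificate.path} #{@name}:/etc/gitlab-runner/certs/gitlab.test.crt
  CMD
end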
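
One way to derive the certificate file name from the GitLab address instead of hardcoding it, as an added example (not GitLab QA's code, and not a patch from the project). The helper names `runner_cert_path` and `docker_cp_cert_command` are hypothetical, and the example assumes the file name is built from the host only, without the port. Because the host ends up inside a shell command and a file path, it is validated and shell-escaped before use.

```ruby
require 'uri'
require 'shellwords'

# Directory GitLab Runner reads per-host certificate files from (path taken from the issue).
RUNNER_CERTS_DIR = '/etc/gitlab-runner/certs'

# Conservative hostname check: dot-separated labels of letters, digits and hyphens.
# Rejecting anything else keeps '/', '..' and shell metacharacters out of the path.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/

# Hypothetical helper: map the GitLab address to the certificate path inside the runner.
# Assumption: only the host is used for the file name; scheme, port and path are dropped.
def runner_cert_path(gitlab_address)
  uri = URI.parse(gitlab_address)
  raise ArgumentError, "expected an https URL, got #{gitlab_address.inspect}" unless uri.is_a?(URI::HTTPS)

  host = uri.host.to_s.downcase
  raise ArgumentError, "unsupported host #{host.inspect}" unless host.match?(HOSTNAME_RE)

  File.join(RUNNER_CERTS_DIR, "#{host}.crt")
end

# Hypothetical replacement for the command fragment built in add_gitlab_tls_cert.
# Both arguments are shell-escaped because the fragment is later run through a shell.
def docker_cp_cert_command(local_cert_path, container_name, gitlab_address)
  dest = "#{container_name}:#{runner_cert_path(gitlab_address)}"
  "&& docker cp #{Shellwords.escape(local_cert_path)} #{Shellwords.escape(dest)}"
end
```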