Ensure TLS is disabled with `dind` service in Code Quality template

Stan Hu requested to merge sh-ensure-docker-tls-disabled-code-quality into master

What does this MR do and why?

The Code Quality job template does everything it can to run the Docker-in-Docker image (dind) without TLS. However, previously it did not set DOCKER_TLS_VERIFY. A runner might inadvertently enable TLS by specifying the default environment config:

```toml
[[runners]]
  environment = [
    # Docker
    "DOCKER_HOST=tcp://docker:2376",
    "DOCKER_TLS_VERIFY=1",
    "DOCKER_TLS_CERTDIR=/docker/certs",
    "DOCKER_CERT_PATH=/docker/certs/client",
    "DOCKER_DRIVER=overlay2",
  ]
```

To ensure TLS is disabled for the dind service, set the DOCKER_TLS_VERIFY flag to blank. Also clear DOCKER_CERT_PATH just in case.

This was discovered in gitlab-com/gl-infra/delivery#19684 (closed).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
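
An added example, not part of the merge request or GitLab's template: a shell check that reports which Docker variables in a job's environment still point at TLS, run over the runner environment quoted above and two constructed job environments. It assumes the docker CLI treats any non-empty `DOCKER_TLS_VERIFY` as enabling TLS and that the dind image serves plain TCP only when `DOCKER_TLS_CERTDIR` is empty; the function names, finding labels and the `tcp://docker:2375` host are hypothetical.

```shell
# Added example, not GitLab's code. Assumptions: the docker CLI enables TLS
# for any non-empty DOCKER_TLS_VERIFY, and the dind image serves plain TCP
# only when DOCKER_TLS_CERTDIR is empty.

# Print the variables that still point at TLS as space-separated findings.
# Returns 0 only when nothing in the environment enables TLS.
check_dind_tls() {
  findings=""
  # Client: any non-empty value, even "0", switches TLS on.
  [ -z "${DOCKER_TLS_VERIFY:-}" ] || findings="${findings}client-tls-verify-set "
  # Client: a certificate path makes it load TLS material.
  [ -z "${DOCKER_CERT_PATH:-}" ] || findings="${findings}client-cert-path-set "
  # Daemon: a non-empty cert dir makes dind generate certs and require TLS.
  [ -z "${DOCKER_TLS_CERTDIR:-}" ] || findings="${findings}daemon-certdir-set "
  # 2376 is the conventional TLS port; a plain-TCP dind listens on 2375.
  case "${DOCKER_HOST:-}" in
    *:2376) findings="${findings}host-uses-tls-port " ;;
  esac
  printf '%s\n' "${findings% }"
  [ -z "$findings" ]
}

# Constructed scenario: the runner-level environment quoted in the MR.
runner_env() (
  export DOCKER_HOST=tcp://docker:2376 DOCKER_TLS_VERIFY=1
  export DOCKER_TLS_CERTDIR=/docker/certs DOCKER_CERT_PATH=/docker/certs/client
  check_dind_tls
)

# Constructed scenario: the job clears the daemon cert dir and uses port 2375
# (assumed values), but the client variables are inherited from the runner.
before_fix() (
  export DOCKER_HOST=tcp://docker:2375 DOCKER_TLS_CERTDIR=""
  export DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=/docker/certs/client
  check_dind_tls
)

# Constructed scenario: the MR's change, with both client variables blanked.
after_fix() (
  export DOCKER_HOST=tcp://docker:2375 DOCKER_TLS_CERTDIR=""
  export DOCKER_TLS_VERIFY="" DOCKER_CERT_PATH=""
  check_dind_tls
)

# Show the findings for each constructed scenario.
for s in runner_env before_fix after_fix; do
  printf '%s: %s\n' "$s" "$("$s" || true)"
done
```

The `before_fix` case is the mismatch the description is about: the daemon side is plain TCP while the inherited client variables still ask for TLS.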
