expose adding Custom CA certs

api/v1beta1/runner_types.go

@@ -63,6 +63,10 @@ type RunnerSpec struct {
 	// Path defines the Runner Cache path
 	CachePath string `json:"cachePath,omitempty"`
 
+	// Name of tls secret containing the custom certificate
+	// authority (CA) certificates
+	CertificateAuthority string `json:"ca,omitempty"`
+
 	// Enable sharing of cache between Runners
 	CacheShared bool `json:"cacheShared,omitempty"`
 

bundle/manifests/apps.gitlab.com_runners.yaml

@@ -47,6 +47,9 @@ spec:
             buildImage:
               description: The name of the default image to use to run build jobs, when none is specified
               type: string
+            ca:
+              description: Name of tls secret containing the custom certificate authority (CA) certificates
+              type: string
             cachePath:
               description: Path defines the Runner Cache path
               type: string
@@ -70,13 +73,11 @@ spec:
                   description: Name of the bucket in which the cache will be stored
                   type: string
                 credentials:
-                  description: contains the GCS accessID and privateKey
+                  description: contains the GCS 'access-id' and 'private-key'
                   type: string
                 credentialsFile:
                   description: Takes GCS credentials file, 'keys.json'
                   type: string
-              required:
-              - credentialsFile
               type: object
             gitlab:
               description: gitlab specifies the GitLab instance the GitLab Runner will register against
@@ -102,7 +103,7 @@ spec:
                   description: Name of the bucket in which the cache will be stored
                   type: string
                 credentials:
-                  description: Credentials is the name of the secret containing the 'accesskey' and 'secretkey' used to access the object storage
+                  description: Name of the secret containing the 'accesskey' and 'secretkey' used to access the object storage
                   type: string
                 insecure:
                   description: Use insecure connections or HTTP

config/crd/bases/apps.gitlab.com_runners.yaml

@@ -58,6 +58,10 @@ spec:
               description: The name of the default image to use to run build jobs,
                 when none is specified
               type: string
+            ca:
+              description: Name of tls secret containing the custom certificate authority
+                (CA) certificates
+              type: string
             cachePath:
               description: Path defines the Runner Cache path
               type: string

config/deploy/apps.gitlab.com_runners.yaml

@@ -47,6 +47,9 @@ spec:
             buildImage:
               description: The name of the default image to use to run build jobs, when none is specified
               type: string
+            ca:
+              description: Name of tls secret containing the custom certificate authority (CA) certificates
+              type: string
             cachePath:
               description: Path defines the Runner Cache path
               type: string
@@ -70,13 +73,11 @@ spec:
                   description: Name of the bucket in which the cache will be stored
                   type: string
                 credentials:
-                  description: contains the GCS accessID and privateKey
+                  description: contains the GCS 'access-id' and 'private-key'
                   type: string
                 credentialsFile:
                   description: Takes GCS credentials file, 'keys.json'
                   type: string
-              required:
-              - credentialsFile
               type: object
             gitlab:
               description: gitlab specifies the GitLab instance the GitLab Runner will register against
@@ -102,7 +103,7 @@ spec:
                   description: Name of the bucket in which the cache will be stored
                   type: string
                 credentials:
-                  description: Credentials is the name of the secret containing the 'accesskey' and 'secretkey' used to access the object storage
+                  description: Name of the secret containing the 'accesskey' and 'secretkey' used to access the object storage
                   type: string
                 insecure:
                   description: Use insecure connections or HTTP

controllers/runner/deployment.go

@@ -194,6 +194,10 @@ func runnerSecretsVolume(cr *gitlabv1beta1.Runner) []corev1.VolumeProjection {
 		secrets = append(secrets, gcsCredentialsSecretProjection(cr))
 	}
 
+	if cr.Spec.CertificateAuthority != "" {
+		secrets = append(secrets, getCertificateAuthoritySecretProjection(cr))
+	}
+
 	return secrets
 }
 
@@ -251,6 +255,22 @@ func gcsCredentialsSecretProjection(cr *gitlabv1beta1.Runner) corev1.VolumeProje
 	}
 }
 
+func getCertificateAuthoritySecretProjection(cr *gitlabv1beta1.Runner) corev1.VolumeProjection {
+	return corev1.VolumeProjection{
+		Secret: &corev1.SecretProjection{
+			LocalObjectReference: corev1.LocalObjectReference{
+				Name: cr.Spec.CertificateAuthority,
+			},
+			Items: []corev1.KeyToPath{
+				{
+					Key:  "tls.crt",
+					Path: "hostname.crt",
+				},
+			},
+		},
+	}
+}
+
 // isCacheS3 checks if the GitLab Runner Cache is of type S3
 func isCacheS3(cr *gitlabv1beta1.Runner) bool {
 	return cr.Spec.S3 != nil && cr.Spec.S3.Credentials != ""

hack/assets/templates/gitlab-runner/entrypoint.sh

 #!/bin/bash
 set -e
-mkdir -p ~/.gitlab-runner/
+mkdir -p ~/.gitlab-runner/certs
 cp /scripts/config.toml ~/.gitlab-runner/
 
+# Add custom CA certificate if available
+if [[ -f /secrets/custom-ca.crt ]]
+then 
+  cp /secrets/hostname.crt ~/.gitlab-runner/certs/
+fi
+
 # Register the runner
 if [[ -f /secrets/accesskey && -f /secrets/secretkey ]]; then
     export CACHE_S3_ACCESS_KEY=$(cat /secrets/accesskey)