Enable Docker TLS
What does this MR do?
The Reliability General team recently moved ops.gitlab.net off its VM in us-east1 and into a Kubernetes cluster in us-central1. As part of this work we are also introducing Kubernetes runners in us-central1 to replace the fleet of runner VMs in us-east1.
While we were testing existing workloads on the new Kube-based runners we noticed some of the pipelines in the staging project failing due to this error (example here):
$ eval "$QA_COMMAND"
[Jun 07 2023 04:42:31 UTC (Gitlab QA)] INFO -- Shell command: `docker login --username "gitlab-qa-bot" --password "*****" dev.gitlab.org:5005`
/builds/gitlab-org/quality/staging/.gems/bin/gitlab-qa: Command `docker login --username "gitlab-qa-bot" --password "*****" dev.gitlab.org:5005` failed! \e[31m✘\e[0m (Gitlab::QA::Support::ShellCommand::StatusError)
[Jun 07 2023 04:42:31 UTC (Gitlab QA)] ERROR -- Shell command output:
Failed to initialize: unable to resolve docker endpoint: open /docker/certs/client/ca.pem: no such file or directory
For the new runners we've enabled TLS verification in Docker since it's good practice and because the warnings are quite annoying, as you saw in this issue. Unfortunately this causes your pipelines to fail because you've explicitly disabled TLS verification, which prevents Docker from generating the client certificates.
The fix for this should simply be to enable TLS verification, so this MR removes the offending environment variables so the settings in the runners can be used instead.
Check-list
- Verify the change in all affected pipelines.
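
Added example (not part of this MR or of GitLab's code): a preflight function a job could call before `docker login` to tell apart the Docker TLS failure modes described above, including the missing `ca.pem` case from the log. It assumes the standard Docker client and docker:dind variables (`DOCKER_TLS_CERTDIR`, `DOCKER_HOST`, `DOCKER_TLS_VERIFY`, `DOCKER_CERT_PATH`); the MR does not name the variables it removes, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for a CI job that talks to a docker:dind service.
# Assumption: the job uses the standard Docker variables named below; the MR text
# does not say which variables it removes.
# Usage at the top of a job script: docker_tls_preflight || exit 1

docker_tls_preflight() {
    # Case 1: the job sets DOCKER_TLS_CERTDIR to the empty string. docker:dind
    # then skips certificate generation and serves the API without TLS.
    if [ "${DOCKER_TLS_CERTDIR+set}" = "set" ] && [ -z "$DOCKER_TLS_CERTDIR" ]; then
        echo "tls-disabled: DOCKER_TLS_CERTDIR is empty"
        return 1
    fi

    # Case 2: the job pins the client to the conventional plaintext port.
    case "${DOCKER_HOST:-}" in
        tcp://*:2375)
            echo "plaintext-endpoint: $DOCKER_HOST"
            return 1
            ;;
    esac

    # Case 3: the client is told to verify TLS but the certificate material
    # was never generated (the "open .../ca.pem: no such file" error).
    if [ -n "${DOCKER_TLS_VERIFY:-}" ]; then
        cert_dir="${DOCKER_CERT_PATH:-$HOME/.docker}"   # Docker client default
        missing=""
        for f in ca.pem cert.pem key.pem; do
            [ -r "$cert_dir/$f" ] || missing="$missing $f"
        done
        if [ -n "$missing" ]; then
            echo "missing-client-certs in $cert_dir:$missing"
            return 1
        fi
    fi

    echo "ok"
    return 0
}
```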