Use Helm GitLab-Runner in Kubernetes for Gitlab and Docker Registry with self signed certificate (x509 Error)

1.1k views Asked by At

Hei guys,

i have set up a local kubernetes cluster with k3s (currently 1 Intel NUC) using ubuntu server 18 LTS. I also have a working Synology Diskstation with GitLab and a private Registry (running on docker). Both (GitLab and Registry) are using the same custom self-signed certificate (https://my.domain/ = GitLab - https://my.domain:8050/ = Registry).

Now i have added my kubernetes cluster to gitlab and trying to use gitlab auto devops. I installed the gitlab-runner helm chart with the following config:

# GitLab Runner Image
##
## By default it's using gitlab/gitlab-runner:alpine-v{VERSION}
## where {VERSION} is taken from Chart.yaml from appVersion field
##
## ref: https://hub.docker.com/r/gitlab/gitlab-runner/tags/
##
## Note: If you change the image to the ubuntu release
##       don't forget to change the securityContext; 
##       these images run on different user IDs.
##
# image: gitlab/gitlab-runner:alpine-v11.6.0

## Specify a imagePullPolicy
## 'Always' if imageTag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
##
imagePullPolicy: IfNotPresent

## Specifying ImagePullSecrets on a Pod
## Kubernetes supports specifying container image registry keys on a Pod.
## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
##
# imagePullSecrets: 
#   - name: "image-pull-secret"

## The GitLab Server URL (with protocol) that want to register the runner against
## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
##
gitlabUrl: https://my.domain/

## The Registration Token for adding new Runners to the GitLab Server. This must
## be retrieved from your GitLab Instance.
## ref: https://docs.gitlab.com/ce/ci/runners/README.html
##
runnerRegistrationToken: my_token

## The Runner Token for adding new Runners to the GitLab Server. This must
## be retrieved from your GitLab Instance. It is token of already registered runner.
## ref: (we don't yet have docs for that, but we want to use existing token)
##
# runnerToken: ""
#
## Unregister all runners before termination
##
## Updating the runner's chart version or configuration will cause the runner container
## to be terminated and created again. This may cause your Gitlab instance to reference
## non-existant runners. Un-registering the runner before termination mitigates this issue.
## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-unregister
##
# unregisterRunners: true

## When stopping the runner, give it time to wait for its jobs to terminate.
##
## Updating the runner's chart version or configuration will cause the runner container
## to be terminated with a graceful stop request. terminationGracePeriodSeconds
## instructs Kubernetes to wait long enough for the runner pod to terminate gracefully.
## ref: https://docs.gitlab.com/runner/commands/#signals
terminationGracePeriodSeconds: 3600

## Set the certsSecretName in order to pass custom certficates for GitLab Runner to use
## Provide resource name for a Kubernetes Secret Object in the same namespace,
## this is used to populate the /home/gitlab-runner/.gitlab-runner/certs/ directory
## ref: https://docs.gitlab.com/runner/configuration/tls-self-signed.html#supported-options-for-self-signed-certificates
##
certsSecretName: "gitlab-crt"
...

At first i had the problem that gitlab-runner couldnt connect to my gitlab instance because of the self signed certificat (got x509 error while registering to gitlab instance). But i could fix it with setting certsSecretName in my values.config file to a secret containing my self-signed certificate. But now when my runner is trying to pull from my registry i also get that damn x509 error.

Logging to GitLab Container Registry with CI credentials...
time="2021-03-01T20:49:12Z" level=info msg="Error logging in to v2 endpoint, trying next endpoint: Get https://my.domain:8050/v2/: x509: certificate signed by unknown authority"
Get https://my.domain:8050/v2/: x509: certificate signed by unknown authority
Cleaning up file based variables
00:00
ERROR: Job failed: command terminated with exit code 1

Does anybody know how to fix this? I think it has something to do with the pulled gitlab-runner-helper image in my gitlab-runner? But i cant find anything how to add my self-signed certificate to this helper image. (Note: I have installed the custom certificate on my intel nucs ca-certificates. So curl or wget does work without error)

Please help me. Thanks a lot. Simon

0

There are 0 answers