Add internal CA to gitlab-agent so it can connect to GitLab instance

I have configured a gitlab-agent for my project and gotten it deployed to a simple Kubernetes instance. However it fails as it can’t perform the TLS handshake due to the GitLab instance using an internal CA for the cert:

{"level":"error","time":"2022-11-15T09:51:07.517Z","msg":"Error handling a connection","mod_name":"reverse_tunnel","error":"Connect(): rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing failed to WebSocket dial: failed to send handshake request: Get \\\"https://gitlab.domain.local/-/kubernetes-agent/\\\": x509: certificate signed by unknown authority\""}
{"level":"warn","time":"2022-11-15T09:52:46.550Z","msg":"GetConfiguration failed","error":"rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing failed to WebSocket dial: failed to send handshake request: Get \\\"https://gitlab.domain.local/-/kubernetes-agent/\\\": x509: certificate signed by unknown authority\""}

The Kubernetes node has a copy of the internal CA and trusts it; how do I get the gitlab-agent to do the same? I can find instructions for the runner, but not the agent.

Thanks!


I found this issue, which is marked as “Closed”, and whilst the comments appear to contain the solution, the instructions seem to be missing from the documentation.
Have I simply missed them?

I shall answer myself here: there is an undocumented setting, config.caCert, and it is used thusly:

helm upgrade --install some-name gitlab/gitlab-agent \
    --namespace gitlab-agent \
    --create-namespace \
    --set image.tag=v15.5.1 \
    --set config.token=gitlab-token \
    --set config.kasAddress=wss://gitlab.domain.local/-/kubernetes-agent/ \
    --set config.caCert="-----BEGIN CERTIFICATE-----
The cert goes here as a string
Note the enclosing quotes
-----END CERTIFICATE-----"

All options can be found here.


You can stuff your certificate in a file and then use

--set-file config.caCert=cert.pem

as well. I prefer that over the really long string with embedded newlines on the command-line :wink:


Brilliant! I actually ended up using:
--set config.caCert="$(cat /path/to/cert.crt)"
But --set-file is much cleaner.

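A pre-flight check for the --set-file route, added here as an example; it is not code from this thread or from the gitlab-agent chart. It assumes the internal CA sits at ./internal-ca.pem (a hypothetical path) and reuses the release name, namespace, image tag and kasAddress from the helm command above. The plain-shell checks catch the usual paste mistakes (a DER file instead of PEM, a truncated block, a private key copied along with the certificate) before the value lands in the agent's config; when openssl is on PATH it also confirms the file really is a CA certificate and that it verifies the GitLab server certificate, which is the same check the agent performs when it fails with "x509: certificate signed by unknown authority".

```shell
#!/bin/sh
# Added example, not code from the original thread or the gitlab-agent chart.
# Sanity-check the internal CA file before handing it to the chart with
# --set-file config.caCert, so a bad paste fails here instead of as another
# "x509: certificate signed by unknown authority" in the agent log.
# Assumed: the CA lives at ./internal-ca.pem (hypothetical path); release name,
# namespace, image tag and kasAddress are the ones used in the thread.

# check_ca_pem FILE: returns 0 if FILE is a PEM certificate bundle with
# balanced BEGIN/END markers and no private key, 1 otherwise (reason on stderr).
check_ca_pem() {
    f="$1"
    [ -r "$f" ] || { echo "check_ca_pem: cannot read $f" >&2; return 1; }
    # grep -c exits 1 when the count is 0; "|| true" keeps the "0" and the shell alive.
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ]; then
        echo "check_ca_pem: no PEM certificate block in $f (DER file or wrong file?)" >&2
        return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "check_ca_pem: $begins BEGIN but $ends END markers in $f (truncated paste?)" >&2
        return 1
    fi
    # The agent only needs the public CA certificate; a key in this file would
    # be shipped into the agent's configuration for no reason.
    if grep -q -- 'PRIVATE KEY-----' "$f"; then
        echo "check_ca_pem: $f contains a private key, remove it" >&2
        return 1
    fi
    return 0
}

# check_ca_is_ca FILE: returns 0 if the first certificate in FILE carries
# basicConstraints CA:TRUE (needs openssl). A server certificate pasted by
# mistake has CA:FALSE or no basicConstraints at all and fails this.
check_ca_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# check_ca_signs CA_FILE SERVER_CERT: returns 0 if SERVER_CERT verifies against
# CA_FILE (needs openssl). Fetch the server certificate with:
#   openssl s_client -connect gitlab.domain.local:443 -showcerts </dev/null
check_ca_signs() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# install_agent CA_FILE: run the checks, then the helm command from the thread
# with the CA passed via --set-file instead of an inline string.
install_agent() {
    ca="$1"
    check_ca_pem "$ca" || return 1
    if command -v openssl >/dev/null 2>&1; then
        check_ca_is_ca "$ca" || { echo "install_agent: $ca is not a CA certificate" >&2; return 1; }
    fi
    helm upgrade --install some-name gitlab/gitlab-agent \
        --namespace gitlab-agent \
        --create-namespace \
        --set image.tag=v15.5.1 \
        --set config.token=gitlab-token \
        --set config.kasAddress=wss://gitlab.domain.local/-/kubernetes-agent/ \
        --set-file config.caCert="$ca"
}

# Only talk to the cluster when explicitly asked: RUN_HELM=1 ./check-ca.sh
if [ "${RUN_HELM:-0}" = 1 ]; then
    install_agent ./internal-ca.pem
fi
```

If check_ca_signs fails against a certificate fetched from the GitLab host while check_ca_is_ca passes, the file is a CA but not the one that issued the server certificate (or the server presents a chain through an intermediate that is not in the file), which is exactly the situation the agent log above reports.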