Bug in GitLab k8s authentication with intermediate certificate?

I installed Omnibus Gitlab locally where I also have a bare-metal kubernetes cluster running. I have attempted to add the cluster to Gitlab but am getting “There was a problem authenticating with your cluster. Please ensure your CA Certificate and Token are valid.”

The PKI for my cluster is as follows:

  • self-signed root ca
  • kubernetes ca signed by root ca
  • apiserver cert signed by kubernetes ca

I have created a service account for Gitlab and retrieved the account token. I am able to curl the API Server from the Gitlab server using the following command:

curl --verbose -X GET $APISERVER/api/v1 --header "Authorization: Bearer $TOKEN" --cacert bundle.crt

where bundle.crt contains the kubernetes ca followed by the root ca.

I’ve tried adding both the kubernetes ca and root ca in the cluster CA Certificate edit box, just the kubernetes ca, and just the root ca. I’ve tried adding the root ca to Gitlab by putting it in a file at /etc/gitlab/trusted-certs/.crt and running gitlab-ctl reconfigure. Nothing has had any apparent effect.

Does anyone have any suggestions? Is there a log somewhere that might have more detail that might be helpful?

edit: changed title to hopefully better reflect the issue I am having.

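A way to reproduce the chain-verification behaviour behind the post offline, as an added example that is not part of the original post or of GitLab: the script rebuilds the same three-tier PKI (self-signed root CA, a "kubernetes" CA signed by it, an apiserver cert signed by the kubernetes CA) with openssl, builds bundle.crt in the order the post uses, and then checks which trust inputs let the apiserver cert verify. The file names, subjects, the $WORK directory and the extension files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the post's three-tier PKI
# (self-signed root CA -> "kubernetes" CA -> apiserver cert) with openssl and
# check which trust inputs let the apiserver cert verify. File names, subjects
# and $WORK are hypothetical placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF

# CA extensions for root and intermediate; leaf extensions for the apiserver.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# csr NAME CN : generate a fresh RSA key and a CSR for CN under $WORK
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# make_pki : create root.crt, k8s-ca.crt, apiserver.crt and bundle.crt
make_pki() {
  # 1. self-signed root CA
  csr root example-root-ca
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -out "$WORK/root.crt" -days 30 -extfile "$WORK/ca.ext" >/dev/null 2>&1
  # 2. kubernetes CA (the intermediate) signed by the root
  csr k8s-ca kubernetes-ca
  openssl x509 -req -in "$WORK/k8s-ca.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/k8s-ca.crt" -days 30 -extfile "$WORK/ca.ext" >/dev/null 2>&1
  # 3. apiserver cert signed by the kubernetes CA
  csr apiserver kube-apiserver
  openssl x509 -req -in "$WORK/apiserver.csr" -CA "$WORK/k8s-ca.crt" -CAkey "$WORK/k8s-ca.key" \
    -CAcreateserial -out "$WORK/apiserver.crt" -days 30 -extfile "$WORK/leaf.ext" >/dev/null 2>&1
  # bundle.crt as in the post: kubernetes CA followed by root CA
  cat "$WORK/k8s-ca.crt" "$WORK/root.crt" > "$WORK/bundle.crt"
}

# verify_with TRUSTFILE [extra openssl verify flags...]
# Prints "ok" if apiserver.crt chains to TRUSTFILE under the given flags, else "fail".
verify_with() {
  trust="$1"; shift
  if openssl verify -CAfile "$WORK/$trust" "$@" "$WORK/apiserver.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_pki
printf 'root only:                 %s\n' "$(verify_with root.crt)"
printf 'kubernetes ca only:        %s\n' "$(verify_with k8s-ca.crt)"
printf 'kubernetes ca, partial:    %s\n' "$(verify_with k8s-ca.crt -partial_chain)"
printf 'root + untrusted k8s ca:   %s\n' "$(verify_with root.crt -untrusted "$WORK/k8s-ca.crt")"
printf 'bundle (k8s ca + root):    %s\n' "$(verify_with bundle.crt)"
```

The two "fail" rows are the single-CA inputs the post tried: with only the root, the verifier cannot find the apiserver cert's issuer; with only the kubernetes CA, it finds the issuer but, by default, refuses to stop at a CA that is not self-signed. Verification succeeds only when the trust input lets it reach the root (the bundle, or the root plus the intermediate supplied as untrusted) or when partial-chain trust in the intermediate is explicitly enabled. A related check on the live cluster is `openssl s_client -connect $APISERVER -showcerts`, which shows whether the apiserver sends the kubernetes CA along with its own cert; if it sends only the leaf, every client must carry the intermediate itself, which is exactly the case the bundle covers.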

FWIW, I recreated the cluster without an intermediate CA and Gitlab accepted it as expected.

I opened issue #198424.