Gitlab 16.1.0 self-managed container images not working with HTTP
Hello!
I’m currently working on creating a container for ci/cd builds with an internal self-managed server. (No access to external servers). Because we have to use self-signed certificates, which will not work properly. So we are using an HTTP server instead. Our gitlab container repository is also hosted through HTTP, yet there seems to be no way to run an CI/CD pipeline with an image from an HTTP instance.
The container image has already been pushed and appears properly though HTTP. And we have tried a self-signed certificate which does not work sadly (pipeline gives an invalid cert error).
And when we run an image through HTTP, it requires an HTTPS response.
So is there any way we can pull the image from the HTTP source?
The following does not work
image: http://<URL>/group/project/image:version
couldn't parse image reference "http://<URL>/group/project/image:version":
image: <URL>/group/project/image:version
http: server gave HTTP response to HTTPS client
And this is when we use self-signed
x509: certificate relies on legacy Common Name field, use SANs instead.
Self-signed or custom CA works as well. You just have to add it to the required trust stores.
You can use HTTP, but you have to configure your GitLab Runner runtime to accept “insecure” registry. For docker executor you need to setup Docker according to Test an insecure registry | Docker Documentation
Regarding your TLS error, it means you have not generated the self-signed TLS certificate properly. SAN is a required extension nowadays.
I have been battling with the self signed certificate portion of this for a while.
I have the gitlab runner hosted on an internal helm/kubernete instance, and have been trying to inject the self-signed certificate into the runner.
I have verified the certificate works through the manual process of using docker pull (created /etc/docker/certs.d/…) and the cert has worked on our different servers. I have tested it by also removing the cert files to see the expected error of signed by unknown authority. Yet I can not get it to work within gitlab-runner.
I have tried different config.toml options at different mounting points.
via [[runners.kubernetes.volumes.secret]]
/etc/docker/certs.d/<host>/ca.crt
/etc/gitlab-runner/certs/<hostname>.crt
/etc/sll/certs/<host>.crt
Also I have tried using the certificate at the root level of the kubernete (helm configuration outside of the config.toml [[runner]] items. Yet I seem to get the same error for the above.
WARNING: Failed to pull image with policy "Always": image pull failed: rpc error: code = Unknown desc = failed to pull and unpack image [...]
x509: certificate signed by unknown authority
Do you have any other guiding points for me to add the self-signed certificate in?
The images are pulled by the container runtime in k8s cluster, in general it relies on the CA trust from the OS. So you have to add your self-singed cert to OS trust store. This depends on the distro you are using. I am not going to list steps for every possible Linux distro. I am sure you can use your favorite search engine to find how to add SSL certificate to OS trust store.