Gitlab-runner can't hook to gitlab-runner-controller-manager

Hello everyone,

I'm setting up a self-hosted GitLab for internal use only. I have a running GitLab Omnibus (v15.7) instance with a self-signed certificate and a single-node Kubernetes (v1.26.2) running on another VM. I managed to get a gitlab-runner-controller-manager running (installed through the operator), but now I have an issue when I try to get a runner running. Here is my runner yml definition:

apiVersion: apps.gitlab.com/v1beta2
kind: Runner
metadata:
  name: gitlab-runner
spec:
  gitlabUrl: https://gitlab.example.local
  buildImage: alpine
  token: gitlab-runner-secret
  ca: gitlab-cert

"gitlab-cert" is a secret holding my GitLab self-signed cert, created based on this documentation: Configuring GitLab Runner on OpenShift | GitLab

When I try to apply my runner yml I get this error:

Error from server (InternalError): error when creating “gitlab-runner.yml”: Internal error occurred: failed calling webhook “mrunner.kb.io”: failed to call webhook: Post “https://gitlab-runner-controller-manager-service.operators.svc:443/mutate-apps-gitlab-com-v1beta2-runner?timeout=10s”: Service Unavailable

I verified whether the URL in the error is reachable from a redhat/ubi8 image (note that I use the insecure -k option):

sh-4.4# curl -k -I -L https://gitlab-runner-controller-manager-service.operators.svc:443/mutate-apps-gitlab-com-v1beta2-runner?timeout=10s
HTTP/2 200
content-type: text/plain; charset=utf-8
content-length: 128
date: Tue, 28 Mar 2023 09:58:08 GMT

If I check the certificate used at this URL I'm seeing this:

* Server certificate:
*  subject: O=Red Hat, Inc.; CN=gitlab-runner-controller-manager-service.operators
*  start date: Mar 27 12:29:13 2023 GMT
*  expire date: Mar 26 12:29:13 2025 GMT
*  issuer: O=Red Hat, Inc.; CN=olm-selfsigned-5e1746db4db712
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

Does anybody know what I am doing wrong here? Any help would be welcome.

Best regards

Ok, I found out by myself: it's my system-wide reverse proxy that's messing with joining gitlab-runner-controller-manager-service.operators.svc. I have to make sure that k8s internal requests don't pass through my proxy…

Another question: is it normal that the URL that is targeted when trying to create a GitLab runner pod is not in FQDN format? I expected it to look like:

https://gitlab-runner-controller-manager-service.operators.svc**.k8s.gitlab.runner.local**:443

instead of just:

https://gitlab-runner-controller-manager-service.operators.svc:443

It causes a bad resolution, leading the request to be forwarded to my http proxy.
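A way to verify the proxy-bypass fix described in the thread, as an added example that is not from the poster or from GitLab: it checks which in-cluster hosts (the webhook host from the error above, plus constructed cluster.local names) a given NO_PROXY value would still send through the proxy. The matcher follows the suffix-match convention of libcurl and Python's urllib and deliberately ignores CIDR entries, since tools differ on those.

```python
"""Which cluster-internal hosts would leak to the HTTP proxy under NO_PROXY?

Constructed example. Matching rules (libcurl / urllib convention): an entry
matches the host exactly or as a '.suffix'; a leading dot on the entry is
ignored; '*' bypasses everything. CIDR entries are not handled on purpose,
because curl, Go and Python disagree on them.
"""
from urllib.parse import urlsplit


def bypasses_proxy(url: str, no_proxy: str) -> bool:
    """Return True if the host of `url` skips the proxy under `no_proxy`."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError(f"no host in {url!r}")
    if no_proxy.strip() == "*":
        return True
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip(".")
        if not entry:
            continue
        entry = entry.split(":", 1)[0]  # drop any :port, compare names only
        if host == entry or host.endswith("." + entry):
            return True
    return False


# Hosts that the apiserver / operator must reach directly. The first is the
# webhook URL quoted in the error; the others are constructed cluster names.
CLUSTER_URLS = [
    "https://gitlab-runner-controller-manager-service.operators.svc:443/mutate-apps-gitlab-com-v1beta2-runner?timeout=10s",
    "https://kubernetes.default.svc.cluster.local",
    "https://gitlab-runner-controller-manager-service.operators.svc.cluster.local:443",
]


def leaked_to_proxy(no_proxy: str, urls=CLUSTER_URLS) -> list:
    """Return the hosts from `urls` that would be sent through the proxy."""
    return [urlsplit(u).hostname for u in urls if not bypasses_proxy(u, no_proxy)]


if __name__ == "__main__":
    # A workstation-style NO_PROXY misses the short '.svc' webhook name entirely.
    print(leaked_to_proxy("localhost,127.0.0.1,.example.local"))
    # Adding the cluster suffixes keeps apiserver -> webhook traffic in-cluster.
    print(leaked_to_proxy("localhost,127.0.0.1,.example.local,.svc,.cluster.local"))
```

The same check can be run against the no_proxy value the node or proxy wrapper actually exports, to confirm that `.svc` names no longer hit the proxy.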