Gitlab-runner(Kubernetes Executor) on EKS using Container Registry with self-signed certificate

*I have configured GitLab CE on an EC2 instance and an EKS cluster with GitLab Runner, enabled the container registry, and am using a self-signed certificate.*

I have already completed the following steps:

  • Configured container registry and can perform login
  • Configured GitLab Runner using helm on EKS cluster, provided certs as certsSecretName

I'm facing an error while executing a pipeline that uses an image from the Container Registry:

    WARNING: Failed to pull the image with policy "": image pull failed: rpc error: code = Unknown desc = Error response from daemon: Get "https://domain:port/v2/": x509: certificate signed by unknown authority

  • I have already tried to mount the TLS chain the same way as for GitLab Runner, using the config.toml file, but it didn't work.

config.toml (as the `config:` value passed to the Helm chart)

config: |
    [[runners]]
      # Disables TLS verification for git clones inside jobs only; it has no
      # effect on image pulls. Trusting the CA via certsSecretName is the safer option.
      environment = ["GIT_SSL_NO_VERIFY=true"]

      [runners.kubernetes]
        namespace = "example"
        image = "container_registry:port/group/image:latest"
        pull_policy = "always"   # correct key is pull_policy (was "pullpolicy")
        poll_timeout = 3600
        [runners.kubernetes.node_selector]
          "kubernetes.io/os" = "linux"
        # Mounts the CA secret into the job pod's runner certificate directory.
        # The kubelet on the node performs the image pull, so this mount does not
        # make the pull trust the CA.
        [[runners.kubernetes.volumes.secret]]
          name = "secret"
          mount_path = "/home/gitlab-runner/.gitlab-runner/certs/"
          read_only = true

Hi @VipinSinghR

The image for the Pod is pulled by the Kubernetes node; that is the component which has to trust the self-signed certificate.

Hi @balonik
Can you please share any kind of details or documentation on how I can add the self-signed certs to the node?

That really depends on what kind of Kubernetes distribution you are using. I suggest looking in their docs.

@balonik sorry for the delay in replying, but your suggestion did resolve my issue partially, by adding the cert manually on the Kubernetes worker nodes. Let me know if you have any suggestions on how I can update it on all the nodes (Windows included) automatically.

I would add it to your provisioning automation.
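A concrete shape for that provisioning step, as an added example that is not code from this thread, from GitLab or from AWS: a bootstrap fragment that installs the registry CA on an Amazon Linux 2 EKS worker node so the kubelet's image pulls trust it (the point made above that the node, not the runner pod, performs the pull). The registry host `registry.example.internal:5050`, the base64-encoded CA passed in `CA_PEM_B64`, and the file paths are assumptions; it writes the CA into the system trust store, into Docker's `/etc/docker/certs.d/<host:port>/ca.crt` layout and into containerd's `/etc/containerd/certs.d/<host>/hosts.toml` layout, then checks the handshake from the node's point of view.

```shell
#!/bin/sh
# Added example, not from the thread: make an EKS worker node trust the CA that
# signed a self-signed container registry certificate. Intended as a bootstrap /
# user-data fragment for Amazon Linux 2 nodes; run once per node as root with
# the argument "install". Registry host, CA material and paths are hypothetical.
set -eu

REGISTRY_HOST="${REGISTRY_HOST:-registry.example.internal:5050}"   # host:port exactly as written in image references
CA_PEM_B64="${CA_PEM_B64:-}"                                        # base64-encoded PEM of the registry CA, injected via user data
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"        # system trust anchors on the RHEL family (AL2)
CA_FILE="$ANCHOR_DIR/registry-ca.crt"

# Reject anything that is not a PEM certificate: a truncated or mistyped
# user-data value should fail loudly instead of silently installing nothing.
# $1 = path to the candidate file. Returns 0 if it carries PEM certificate markers.
is_pem_certificate() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Decode the CA into the trust-anchor directory so update-ca-trust picks it up
# (Docker, and containerd for hosts without a per-registry override, use that bundle).
# $1 = base64 PEM, $2 = destination file. Prints the destination path.
install_ca_file() {
  _b64="$1"; _dest="$2"
  mkdir -p "$(dirname "$_dest")"
  printf '%s' "$_b64" | base64 -d > "$_dest.tmp"
  if ! is_pem_certificate "$_dest.tmp"; then
    rm -f "$_dest.tmp"
    echo "refusing to install: decoded data is not a PEM certificate" >&2
    return 1
  fi
  chmod 0644 "$_dest.tmp"
  mv "$_dest.tmp" "$_dest"
  printf '%s\n' "$_dest"
}

# Per-registry trust for the container runtime, which needs no restart:
# Docker reads <root>/<host:port>/ca.crt, and containerd (with registry
# config_path set) reads <root>/<host>/hosts.toml or the same Docker layout.
# $1 = registry host[:port], $2 = CA file, $3 = certs.d root. Prints the hosts.toml path.
render_runtime_trust() {
  _host="$1"; _ca="$2"; _root="$3"
  _dir="$_root/$_host"
  mkdir -p "$_dir"
  cp "$_ca" "$_dir/ca.crt"
  cat > "$_dir/hosts.toml" <<EOF
server = "https://$_host"

[host."https://$_host"]
  capabilities = ["pull", "resolve"]
  ca = "$_dir/ca.crt"
EOF
  printf '%s\n' "$_dir/hosts.toml"
}

# Check the handshake the way the node's pull will see it: the chain presented
# by the registry must validate against the installed CA. A registry that then
# answers 401 is fine; this only checks TLS. $1 = host:port, $2 = CA file.
verify_registry_tls() {
  _host="$1"; _ca="$2"
  printf '' | openssl s_client -connect "$_host" -servername "${_host%%:*}" \
    -CAfile "$_ca" -verify_return_error >/dev/null 2>&1
}

# Privileged steps run only when invoked as: sh trust-registry-ca.sh install
if [ "${1:-}" = "install" ]; then
  [ -n "$CA_PEM_B64" ] || { echo "CA_PEM_B64 is empty" >&2; exit 1; }
  install_ca_file "$CA_PEM_B64" "$CA_FILE"
  update-ca-trust                                   # rebuild the system bundle (AL2 / RHEL family)
  render_runtime_trust "$REGISTRY_HOST" "$CA_FILE" /etc/docker/certs.d
  render_runtime_trust "$REGISTRY_HOST" "$CA_FILE" /etc/containerd/certs.d
  systemctl restart containerd 2>/dev/null || systemctl restart docker   # pick up the new system bundle
  verify_registry_tls "$REGISTRY_HOST" "$CA_FILE" && echo "node trusts $REGISTRY_HOST"
fi
```

Ship it through the node group's user data or launch template with `CA_PEM_B64` set, so every new node (and every replacement after a scale event) trusts the registry before the first pod is scheduled; the functions themselves need no privileges, so the rendered files can be inspected on a workstation first. For the Windows nodes mentioned above, the equivalent is importing the CA into the machine root store with `Import-Certificate -FilePath C:\registry-ca.crt -CertStoreLocation Cert:\LocalMachine\Root` and restarting the container runtime service. Rotating the registry certificate or its CA means re-running this on every node, which is the reason it belongs in bootstrap rather than in a one-off manual change.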