Gitlab Runner on Kubernetes isn't handling certificates properly

Replace this template with your information

Describe your question in as much detail as possible:

I have two Gitlab Runners in Kubernetes deployed using the Helm chart. For this environment my organization uses an internal, self-signed certificate so we need to inject the CA’s certificate into the runner. My values file specifies certsSecretName: gitlab-domain-cert and indeed, there’s a certificategoeshere secret by the name of gitlab-domain-cert. If I exec into the runner pod and look in the /home/gitlab-runner/.gitlab-runner/ directory the certificate is in there. This is what I’d expect. However, when I run a job that requires interaction with Gitlab (building a container image for example) it errors with a “signed by unknown authority” error. Upon further investigation I see the job pod that gets spun up doesn’t have the certificate and I see the following error:

(⎈ |staging:gitlab-runner)[~]$ kubectl logs runner-rdxvbkh--project-66-concurrent-09cjkw svc-0
cp: can't stat '/etc/gitlab-image-runner/certs/ca.crt': No such file or directory

I would expect gitlab-runner to inject the certificate into the proper location but it doesn’t appear to be happening.

  • What version are you on? Are you using self-managed or Self-managed, standard

    • GitLab (Hint: /help): 14.6.5
    • Runner (Hint: /admin/runners): 14.6.1
  • Add the CI configuration from .gitlab-ci.yml and other configuration if relevant (e.g. docker-compose.yml)

Values File:

    image: gitlab/gitlab-runner:alpine-v14.6.1
    runnerRegistrationToken: redacted
    certsSecretName: gitlab-domain-cert
      create: true

Snippet of CI file.

  - name: docker:19.03.12-dind
        - /bin/sh
        - -c
        - mkdir -p /etc/docker/certs.d/${CI_REGISTRY}/ && cp /etc/gitlab-image-runner/certs/ca.crt /etc/docker/certs.d/${CI_REGISTRY}/ && || exit

  - build
  - test
  - release

  - docker info