I installed GitLab (version 13.7.1-ee) on GKE using Helm.
As prerequisites: because of a firewall rule, and having no controllable domain, I cannot use cert-manager’s valid certificate. So I want to use a self-signed cert or the wildcard cert supported by GitLab.
GitLab Runner showed an error when running.
I tried several ways like,
    gitlab-runner:
      envVars:
      - name: CI_SERVER_TLS_CA_FILE
        value: /home/gitlab-runner/.gitlab-runner/certs/gitlab.xxx.xxx.xxx.xxx.xip.io.crt
      - name: CONFIG_FILE
        value: /home/gitlab-runner/.gitlab-runner/config.toml
b. use same certificate on gitlab.web-service & gitlab-runner
made self-signed, made on my local machine using
    gitlab:
      webservice:
        ingress:
          tls:
            secretName: selfsigned-cert-tls
    gitlab-runner:
      runners:
        certsSecretName: selfsigned-cert-tls
c. create self-signed certificate using cert-manager on GKE and use that cert.
use external cert-manager, and external nginx-ingress-controller (install both by myself using helm) and set
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: self-ingress
      namespace: gitlab
      annotations:
        kubernetes.io/ingress.class: "nginx"
        cert-manager.io/issuer: "selfsigned-issuer"
    spec:
      tls:
      - hosts:
        - gitlab.xxx.xxx.xxx.xxx.xip.io
        secretName: selfsigned-cert-tls
      rules:
      - host: gitlab.xxx.xxx.xxx.xxx.xip.io
        http:
          paths:
          - backend:
              serviceName: gitlab-webservice-default
              servicePort: 8181
            path: /
          - backend:
              serviceName: gitlab-webservice-default
              servicePort: 8080
            path: /admin/sidekiq
    global:
      ingress:
        configureCertmanager: false
    nginx-ingress:
      enabled: false
    certmanager:
      install: false
d. using wildcard self signed cert made by gitlab, and use own self-signed cert for gitlab-runner
With this way, using Gitlab-runner is not recommended
    certmanager:
      install: false
    ingress:
      configureCertmanager: false
    gitlab-runner:
      runners:
        certsSecretName: selfsigned-cert-tls
but all of those still showed error
x509: certificate signed by unknown authority
sometimes x509: certificate is valid for ingress.local and not valid for gitlab.xxx.xxx.xxx.xxx.xip.io
I totally got lost
- How self-signed cert must be created on GKE ?
- What secret must be set for gitlab-runner ?
- Possibly I cannot use xip.io for self-signed-cert ?
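
The two x509 failures quoted in the question can be reproduced offline with Go's crypto/x509, the library whose "x509:" error prefix appears above. This is an added example, not part of the original post: `selfSigned`, `check` and `must` are hypothetical helper names, and the certificates are throwaway samples generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const gitlabHost = "gitlab.xxx.xxx.xxx.xxx.xip.io" // masked hostname as written in the post
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a throwaway self-signed cert (constructed sample) with SAN entries dnsNames.
func selfSigned(dnsNames ...string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// check validates served for gitlabHost, trusting only the given certificates.
func check(served *x509.Certificate, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool() // starts empty: nothing is trusted by default
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := served.Verify(x509.VerifyOptions{DNSName: gitlabHost, Roots: roots})
	return err
}

func main() {
	good, wrong := selfSigned(gitlabHost), selfSigned("ingress.local")
	fmt.Println("right SAN, not trusted:    ", check(good))
	fmt.Println("trusted, SAN ingress.local:", check(wrong, wrong))
	fmt.Println("right SAN and trusted:     ", check(good, good))
}
```

The first case fails on trust alone and the second on the name alone, so the two messages point at two separate things to inspect: what the verifying side trusts, and which names the served certificate carries.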