Gitlab-runner with self-signed certificate

I installed Gitlab (version 13.7.1-ee) on GKE using helm.

As prerequisites: because of a firewall rule and having no controllable domain, I cannot use a valid certificate from cert-manager. So I want to use a self-signed cert or the wildcard cert supported by gitlab.

Gitlab-runner showed an error when running:

status=couldn't execute POST against https://gitlab.xxx.xxx.xxx.xip.io/api/v4/runners: Post https://gitlab.xxx.xxx.xxx.xip.io/api/v4/runners: x509: certificate signed by unknown authority

I tried several ways, like:

a. setting envVars

values.yaml

gitlab-runner:
  envVars:
    - name: CI_SERVER_TLS_CA_FILE
      value: /home/gitlab-runner/.gitlab-runner/certs/gitlab.xxx.xxx.xxx.xxx.xip.io.crt
    - name: CONFIG_FILE
      value: /home/gitlab-runner/.gitlab-runner/config.toml

b. use the same certificate on gitlab.web-service & gitlab-runner

I made a self-signed cert on my local machine using the openssl genrsa command

values.yaml

gitlab:
  webservice:
    ingress:
      tls:
        secretName: selfsigned-cert-tls

gitlab-runner:
  runners:
    certsSecretName: selfsigned-cert-tls

c. create a self-signed certificate using cert-manager on GKE and use that cert.

use an external cert-manager and an external nginx-ingress-controller (I installed both myself using helm) and set

ingress

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: self-ingress
  namespace: gitlab
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "selfsigned-issuer"
spec:
  tls:
    - hosts:
        - gitlab.xxx.xxx.xxx.xxx.xip.io
      secretName: selfsigned-cert-tls
  rules:
    - host: gitlab.xxx.xxx.xxx.xxx.xip.io
      http:
        paths:
          - backend:
              serviceName: gitlab-webservice-default
              servicePort: 8181
            path: /
          - backend:
              serviceName: gitlab-webservice-default
              servicePort: 8080
            path: /admin/sidekiq

values.yaml

global:
  ingress:
    configureCertmanager: false

nginx-ingress:
  enabled: false

certmanager:
  install: false

d. use the wildcard self-signed cert made by gitlab, and my own self-signed cert for gitlab-runner

With this approach, using Gitlab-runner is not recommended:
https://docs.gitlab.com/charts/installation/tls.html#option-4-use-auto-generated-self-signed-wildcard-certificate

values.yaml

certmanager:
  install: false

global:
  ingress:
    configureCertmanager: false

gitlab-runner:
  runners:
    certsSecretName: selfsigned-cert-tls


but all of those still showed the error:

x509: certificate signed by unknown authority
and sometimes: x509: certificate is valid for ingress.local and not valid for gitlab.xxx.xxx.xxx.xxx.xip.io


I totally got lost:

  • How must a self-signed cert be created on GKE?
  • What secret must be set for gitlab-runner?
  • Possibly I cannot use xip.io for a self-signed cert?

I fixed this issue by following an article.

https://docs.d2iq.com/dkp/konvoy/1.4/tutorials/gitlab/

So, using the wildcard self-signed cert made by gitlab, I get the cert data from wildcard-tls-gitlab:

kubectl get secret gitlab-wildcard-tls --template='{{ index .data "tls.crt" }}' | base64 -D > gitlab.crt

kubectl create secret generic gitlab-runner-certs --from-file=gitlab.xxx.xxx.xxx.xxx.xip.io.crt=xxx.xxx.xxx.xxx.xip.io.crt

I can use gitlab-runner-certs as the gitlab-runner secret.

And I noticed my values.yaml had a mistake:

gitlab-runner:
  certsSecretName: gitlab-runner-certs # correct
  runners:
    certsSecretName: gitlab-runner-certs # wrong
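To tell the two x509 errors in this thread apart before touching the chart, here is an added example that is not from the original post or from GitLab: gitlab-runner is written in Go, so Go's crypto/x509 applies the same trust and host-name rules the runner does. The self-signed certificate is constructed inside the block (it stands in for the decoded tls.crt), and the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedPEM returns a constructed self-signed cert (a stand-in for the chart's tls.crt).
func newSelfSignedPEM(dnsNames ...string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// checkRunnerTrust mirrors what the Go TLS stack in gitlab-runner checks on connect: serverPEM
// must chain to a root in caPEM (the certsSecretName file) and its SAN must cover host.
func checkRunnerTrust(serverPEM, caPEM []byte, host string) error {
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return fmt.Errorf("no PEM certificate in server input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // nil caPEM leaves the pool empty
	_, err = cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

Passing the decoded tls.crt as both serverPEM and caPEM with your GitLab host name gives nil when the secret is right; an empty CA pool reproduces "signed by unknown authority", and a cert whose SAN does not cover the host reproduces the "valid for ingress.local" form.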