How to install CA cert on GitLab Managed K8s installed runner?

I've installed standalone runners, docker runners and k8s runners with helm charts. In all these cases I could start the runner with ca files relevant to my corporate environment.

Now, I have managed to get a K8s cluster provisioned with K3s that actually works and have attached it as a managed Group Cluster and installed Helm Tiller, Prometheus and GitLab Runner from applications.

Being a corporate install, I had to do the PodPresets thing on K3s to ensure that the relevant corporate proxies were added to things run in the gitlab-managed-apps namespace for the above to work.

Now, my problem is one that I've solved often, but I don't know how to sort it out in the world of AutoDevOps and managed Kubernetes:

WARNING: Checking for jobs... failed                runner=uagZ6Z7E status=couldn't execute POST against https://digit.mgsops.net/api/v4/jobs/request: Post https://digit.mgsops.net/api/v4/jobs/request: x509: certificate signed by unknown authority
WARNING: Checking for jobs... failed                runner=uagZ6Z7E status=couldn't execute POST against https://digit.mgsops.net/api/v4/jobs/request: Post https://digit.mgsops.net/api/v4/jobs/request: x509: certificate signed by unknown authority
WARNING: Checking for jobs... failed                runner=uagZ6Z7E status=couldn't execute POST against https://digit.mgsops.net/api/v4/jobs/request: Post https://digit.mgsops.net/api/v4/jobs/request: x509: certificate signed by unknown authority
WARNING: Checking for jobs... failed                runner=uagZ6Z7E status=couldn't execute POST against https://digit.mgsops.net/api/v4/jobs/request: Post https://digit.mgsops.net/api/v4/jobs/request: x509: certificate signed by unknown authority

Now, we are using an internal CA, but the GitLab instance clearly has its own HTTPS certificates, but has not provided them to the runners. And, outside of the PodPresets to set up proxies, there is no documentation at all on how to customize the installation of things on managed K8s.

GitLab Specs

GitLab Enterprise Edition 12.9.8-ee
I think we have an Ultimate subscription but I’m just a lowly dev and don’t have the details.

As it turns out, PodPresets can be used to inject certificates into containers. This PodPreset worked for me:

apiVersion: settings.k8s.io/v1alpha1
kind: PodPreset
metadata:
  name: internal-runner-presets
  namespace: gitlab-managed-apps
spec:
#  selector:
#    matchLabels:
#      app: runner-gitlab-runner
  env:
  - name: http_proxy
    value: "http://10.1.1.1:8080"
  - name: https_proxy
    value: "http://10.1.1.1:8080"
  - name: no_proxy
    value: "10.1.0.0/12,.internal.net"
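  volumeMounts:
  # name must match the volume defined under "volumes" below
  - name: internal-ca-certs
    mountPath: /etc/ssl/certs/internal-ca.pem
    # subPath selects the internal-ca.pem key of the ConfigMap volume
    subPath: internal-ca.pem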
  volumes:
  - name: internal-ca-certs
    configMap:
      name: internal-certstore
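
The runner is a Go program, and the warning in the question is the error Go's crypto/x509 returns when no trusted root signs the server's chain. The following is an added example, not part of the original post or of GitLab Runner's code: it reproduces that error with a constructed CA and server certificate, then shows it clearing once the CA is in the trust pool, which is what mounting internal-ca.pem under /etc/ssl/certs is meant to achieve. The hostname and certificate names are assumptions, and the in-memory pool stands in for the container's system trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// IsUnknownAuthority reports whether err is "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool { return errors.As(err, new(x509.UnknownAuthorityError)) }

// Demo verifies a constructed server certificate before and after the internal CA is trusted.
func Demo() (before, after error) {
	const host = "gitlab.example.internal" // assumed hostname, not taken from the post
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	from, to := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Internal CA"}, NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}, NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed internal CA
	srv := issue(srvTmpl, ca, &srvKey.PublicKey, caKey)  // server certificate signed by that CA
	opts := x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()} // trust store without the CA
	_, before = srv.Verify(opts)
	opts.Roots.AddCert(ca) // trust store after the internal CA has been added
	_, after = srv.Verify(opts)
	return before, after
}

func main() { fmt.Println(Demo()) }
```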