Problem to solve
The GitLab Runner Helm Chart allows one to refer to a Kubernetes Secret that stores certificates:
certsSecretName: "my-certs"
When set, GitLab can handle the provisioning of the contained certs and, based on naming, select the correct one to use.
But what about in Jobs? my-certs could contain multiple certificates I want trusted. Is this directly supported?
See “Answer” below.
Steps to reproduce
Follow the Helm Chart documentation and ensure certsSecretName is set.
Also ensure the secret contains two different certs (gitlab.my-domain.tld.crt and some.other.tld.crt).
In the runner, /home/gitlab-runner/.gitlab-runner/certs will contain both certs and, based on the naming, will select gitlab.my-domain.tld.crt for registration.
So far, so good.
When a job runs, the value for CI_SERVER_TLS_CA_FILE will be /builds/group/project.tmp/CI_SERVER_TLS_CA_FILE but this only contains the gitlab.my-domain.tld.crt cert, some.other.tld.crt is missing.
Is there an easy way to access both without further configuration, or do I have to add a [[runners.kubernetes.volumes.secret]] section into the TOML?
Answer
And I shall now answer myself…YES!
Configure [[runners.kubernetes.volumes.secret]] and map the secret a second time to some known location which you can then deal with manually. Example:
```yaml
runners:
  config: |
    [[runners]]
      [runners.kubernetes]
        ...
        [[runners.kubernetes.volumes.secret]]
          name = "my-certs"
          mount_path = "/my/common/location"
          read_only = true
```
I really don’t think this is well documented at all, so I am going to post this anyway just in case it helps others.
Configuration
Not really applicable, all explained above.
Versions
- Self-managed
- GitLab.com SaaS
- Dedicated
- Self-hosted Runners
Versions
- GitLab (Web: /help or self-managed system information sudo gitlab-rake gitlab:env:info): 17.5.2
- GitLab Runner, if self-hosted (Web /admin/runners or CLI gitlab-runner --version): 17.5.2
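
One way to handle the "deal with manually" step from the Answer inside a job, as an added example that is not part of the original post: a POSIX shell function that merges the certificates from the mounted secret into one PEM bundle and refuses anything that is not a plain certificate. The function name `build_ca_bundle` and the output path are assumptions; `/my/common/location` is the `mount_path` from the post.

```shell
#!/bin/sh
# Added example (hypothetical helper, not GitLab's own code).
# build_ca_bundle <cert_dir> <out_file>
# Concatenates every *.crt in <cert_dir> into <out_file> and prints how many
# certificates files were included. Returns non-zero if none were usable.
build_ca_bundle() {
    cert_dir=$1
    out=$2
    [ -d "$cert_dir" ] || { echo "no such directory: $cert_dir" >&2; return 1; }
    tmp=$(mktemp) || return 1
    count=0
    # A secret volume exposes each key as a file; the *.crt glob ignores the
    # hidden ..data entries Kubernetes keeps in the same directory.
    for f in "$cert_dir"/*.crt; do
        [ -f "$f" ] || continue
        # Only PEM certificates go into a trust bundle; a file that carries a
        # private key is skipped so it is never copied out of the mount.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
           grep -q -- 'PRIVATE KEY-----' "$f"; then
            echo "skipping $f: not a plain PEM certificate" >&2
            continue
        fi
        cat "$f" >> "$tmp"
        # Add a newline if the file lacks one, so the next BEGIN line
        # does not get glued to this file's END line.
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$tmp"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        echo "no certificates found in $cert_dir" >&2
        return 1
    fi
    mv "$tmp" "$out"
    echo "$count"
}

# Stand-alone use, e.g. from a job's before_script:
#   sh build_ca_bundle.sh /my/common/location /tmp/ca-bundle.pem
#   curl --cacert /tmp/ca-bundle.pem https://some.other.tld/
if [ "$#" -eq 2 ]; then
    build_ca_bundle "$1" "$2"
fi
```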