Vault Gitlab JWT vault self-signed cert

Running with gitlab-runner 13.9.0 (2ebc4dc4)
on global-it-services-gitlab-runner-6967469784-z2n46 KDaxbzYz
Resolving secrets
00:00
Resolving secret “KV1_PASSWORD”…
Using “vault” secret resolver…
ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: checking Vault server health: Get https://test-vault.***.net/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299: x509: certificate signed by unknown authority

QA Gitlab JWT vault secrets:
  stage: QA-review-deploy
  allow_failure: true
  tags:
    - Global IT Services
  variables:
    # Vault Environment Variables
    VAULT_SERVER_URL: https://test-vault.***.net
    VAULT_AUTH_PATH: gitlab-jwt
    VAULT_AUTH_ROLE: gitlab-role-test
  secrets:
    KV1_PASSWORD:
      vault:
        engine:
          name: kv-v1
          path: kv1_qa
        path: kv1_qa/gitlab_jwt
        field: password
  script:
    - echo "Test vault JWT Read KV Store"
    - echo ${CI_JOB_JWT}
    - echo ${KV1_PASSWORD}

The Runner is a GitLab Helm chart deployment, with the self-signed CA cert set as per the chart's values.yaml:

  Set the certsSecretName in order to pass custom certificates for GitLab Runner to use
  Provide resource name for a Kubernetes Secret Object in the same namespace,
  this is used to populate the /etc/gitlab-runner/certs directory
  ref: Self-signed certificates or custom Certification Authorities | GitLab

  certsSecretName: "${CERT_SECRET_NAME}"

Testing on an image with the self-signed cert baked into the image:

QA Gitlab JWT role gitlab-kv1-qa-test:
  stage: QA-review-deploy
  tags:
    - Global IT Services
  variables:
    # Vault Environment Variables
    VAULT_ADDR: https://test-vault.***.net
  script:
    - echo "Test vault JWT Read KV Store"
    - echo ${CI_JOB_JWT}
    #- export VAULT_ADDR=http://vault.example.com:8200
    # Authenticate and get token. Token expiry time and other properties can be configured
    # when configuring JWT Auth - https://www.vaultproject.io/api/auth/jwt#parameters-1
    - export VAULT_TOKEN="$(vault write -field=token auth/gitlab-jwt/login role=gitlab-kv1-qa-test jwt=$CI_JOB_JWT)"
    # Now use the VAULT_TOKEN to read the secret and store it in an environment variable
    - KV1_PASSWORD="$(vault kv get -field=password kv1_qa/gitlab_jwt)"
    # Use the secret
    - echo ${KV1_PASSWORD}

$ KV1_PASSWORD="$(vault kv get -field=password kv1_qa/gitlab_jwt)"
$ echo ${KV1_PASSWORD}
gitlab-kv1-jwt-test-password
Cleaning up file based variables
00:00
Job succeeded

As per the Kubernetes note at the very bottom of that page, self-signed/custom certificates are currently broken on Kubernetes executors.
A workaround would be to create your own helper image with the required CAs/certs and use it.
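The helper-image workaround described in the reply above, as an added example (not code from this thread, from GitLab or from the chart): a script that writes the Dockerfile and a Helm values fragment, refuses a CA file that is not a PEM certificate, and checks inside the built image that the CA actually landed in the trust store. The CA file name, the helper image tag, the target registry path and the chart key runners.helpers.image are assumptions; confirm them against the values.yaml of your chart version.

```shell
# Added example: build a runner helper image that trusts the self-signed Vault CA and
# point the gitlab-runner Helm chart at it. Assumed (not from the thread): the CA
# PEM file name, the helper image tag, the target registry path and the chart key
# runners.helpers.image (check the chart's values.yaml for your chart version).
set -eu

HELPER_BASE="${HELPER_BASE:-registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-v13.9.0}"
CUSTOM_IMAGE="${CUSTOM_IMAGE:-registry.example.com/ci/gitlab-runner-helper-vault-ca:13.9.0}"

# Write the docker build context (Dockerfile + CA copy) into $2 from the CA PEM in $1.
# Prints the context directory; fails if $1 does not look like a PEM certificate,
# so a private key or an empty file is never baked into the image by mistake.
write_helper_context() {
  ca_pem="$1"; ctx="$2"
  grep -q 'BEGIN CERTIFICATE' "$ca_pem" || { echo "not a PEM certificate: $ca_pem" >&2; return 1; }
  mkdir -p "$ctx"
  cp "$ca_pem" "$ctx/vault-ca.crt"
  cat > "$ctx/Dockerfile" <<EOF
FROM ${HELPER_BASE}
# The helper image is Alpine-based: update-ca-certificates merges the CA into
# /etc/ssl/certs/ca-certificates.crt, the bundle TLS clients in the image read.
COPY vault-ca.crt /usr/local/share/ca-certificates/vault-ca.crt
RUN update-ca-certificates
EOF
  echo "$ctx"
}

# Write a Helm values fragment selecting the custom helper image; prints the file path.
write_helm_values() {
  out="$1"
  cat > "$out" <<EOF
runners:
  helpers:
    image: "${CUSTOM_IMAGE}"
EOF
  echo "$out"
}

# Build the image and confirm from inside it that the CA really is in the system
# bundle (the first base64 line of the PEM must appear in ca-certificates.crt).
build_and_check() {
  ctx="$1"
  docker build -t "$CUSTOM_IMAGE" "$ctx"
  docker run --rm "$CUSTOM_IMAGE" sh -c \
    'grep -qF "$(sed -n 2p /usr/local/share/ca-certificates/vault-ca.crt)" /etc/ssl/certs/ca-certificates.crt'
}

# Usage (docker and registry access are needed only for the last step):
#   write_helper_context ./vault-ca.pem ./helper-ctx && write_helm_values ./helper-values.yaml
#   build_and_check ./helper-ctx   # then: helm upgrade ... -f helper-values.yaml
```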

Thank you for the quick reply, I put the issue back on the testing backlog :).