Introduced in GitLab Runner 0.7.0.

GitLab Runner provides two options to configure certificates to be used to verify TLS peers:
Supported options for self-signed certificates targeting the GitLab server

This section refers to the situation where only the GitLab server requires a custom certificate. If other hosts also require a custom certificate authority (CA), please see the next section. GitLab Runner supports the following options:
Notes:
Git cloning

The runner injects missing certificates to build the CA chain in build containers by using CI_SERVER_TLS_CA_FILE. This allows git clone and artifacts to work with servers that do not use publicly trusted certificates. This approach is secure, but makes the runner a single point of trust.

Trusting TLS certificates for Docker and Kubernetes executors

There are two contexts that need to be taken into account when we consider registering a certificate on a container:
Trusting the certificate for user scripts

If your build script needs to communicate with peers through TLS and needs to rely on a self-signed certificate or custom Certificate Authority, you will need to perform the certificate installation in the build job, as the Docker container running the user scripts doesn’t have the certificate files installed by default. This might be required to use a custom cache host, perform a secondary git clone, or fetch a file through a tool like wget, for example. To install the certificate:
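One way to do the installation step inside the build job, as an added example that is not from the GitLab Runner documentation: it installs the CA bundle the runner exposes through CI_SERVER_TLS_CA_FILE into the container's trust store and fails the job early if the file is missing or not PEM. It assumes a Debian- or Alpine-style image where update-ca-certificates reads *.crt files from /usr/local/share/ca-certificates; the dest_dir parameter and the function names are assumptions added here.

```sh
#!/bin/sh
# Added example, not from the GitLab Runner docs: install the CA bundle the runner
# exposes through CI_SERVER_TLS_CA_FILE into the build container's trust store so
# that curl, wget and git in user scripts trust the GitLab server. Assumes a
# Debian/Alpine style image where update-ca-certificates reads *.crt files from
# /usr/local/share/ca-certificates.
set -eu

# True if FILE contains at least one PEM CERTIFICATE block.
is_pem_bundle() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Print the number of certificates in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# install_ci_server_ca [src] [dest_dir]
#   src      : PEM file; defaults to $CI_SERVER_TLS_CA_FILE, which the runner sets
#   dest_dir : trust-store drop-in directory (assumed parameter, added so the
#              function can be exercised without root); defaults to the system dir
# Returns 1 when there is no CA file and 2 when the file is not PEM, so the job
# fails fast instead of running later steps against an untrusted server.
install_ci_server_ca() {
    src="${1:-${CI_SERVER_TLS_CA_FILE:-}}"
    dest_dir="${2:-/usr/local/share/ca-certificates}"
    if [ -z "$src" ] || [ ! -s "$src" ]; then
        echo "no CA file: CI_SERVER_TLS_CA_FILE is unset or empty" >&2
        return 1
    fi
    if ! is_pem_bundle "$src"; then
        echo "refusing to install $src: not a PEM certificate bundle" >&2
        return 2
    fi
    mkdir -p "$dest_dir"
    # update-ca-certificates only picks up files with a .crt extension
    cp "$src" "$dest_dir/gitlab-ci-server.crt"
    # Refresh the system store only when writing to the real drop-in directory
    if [ "$dest_dir" = /usr/local/share/ca-certificates ] &&
        command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates >/dev/null
    fi
    echo "installed $(count_certs "$src") certificate(s) into $dest_dir"
}

# In a job: source this file in before_script, then call install_ci_server_ca
# before the first TLS request to the GitLab server.
```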
If you just need the GitLab server CA cert, you can retrieve it from the file stored in the CI_SERVER_TLS_CA_FILE variable:

    curl --cacert "${CI_SERVER_TLS_CA_FILE}" "${URL}" -o "${FILE}"

Trusting the certificate for the other CI/CD stages

You can map a certificate file to /etc/gitlab-runner/certs/ca.crt on Linux, or C:\GitLab-Runner\certs\ca.crt on Windows. The Runner helper image installs this user-defined ca.crt file at start-up, and uses it when performing operations like cloning and uploading artifacts, for example.

Docker
Kubernetes

Due to a known issue in the Kubernetes executor’s handling of the helper image’s ENTRYPOINT, the mapped certificate file isn’t automatically installed to the system certificate store.

Troubleshooting

Refer to the general SSL troubleshooting documentation. In addition, you can use the tlsctl tool to debug GitLab certificates from the runner’s end.