Gitlab runner on kubernetes - docker

I would like to use kubernetes for gitlab runner.
I have a gitlab instance on server 1 and kubernetes on server 2 (with gitlab runner).
I installed kubernetes with kubeadm and flannel network pod.
When I launch the build, I can connect with kubernetes.
But, the job is not running.
I have this error:
Post https://<master_ip>:<master_port>/api/v1/namespaces/gitlab/pods: x509: certificate signed by unknown authority
So I know it is an SSL issue.
Do I have to create SSL certificates?
And how, and with which arguments?
Thanks for the help

Have you tried making a service account on kubernetes and generating a bearer token? Not sure if gitlab works with tokens. If not, you'll need the following:
The following options are provided, which allow you to connect to the Kubernetes API:
host: Optional Kubernetes apiserver host URL (auto-discovery attempted if not specified)
cert_file: Optional Kubernetes apiserver user auth certificate
key_file: Optional Kubernetes apiserver user auth private key
ca_file: Optional Kubernetes apiserver ca certificate
So in short, you'll have to generate a key-cert combo based on the CA that your kubernetes apiserver uses. The content of your combo can be the following (this is a raw json example config that I use for cfssl):
{
  "CN": "worker",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "US", "L": "OV", "OU": "Devops"}]
}

Related

Using cert-manager for self signed certificates in Rancher

I'm using Rancher for my PoC. As part of the stack I'm using Harbor as helm chart registry and container registry. I'm following this tutorial about how to configure a self-signed certificate in Rancher for Harbor in this case.
I'm interested in how to use cert-manager for managing self-signed certificates in any cluster in Rancher. Currently cert-manager is running in the rancher cluster (because rancher is using a self-signed certificate too). Do I have to install cert-manager in all of my clusters in which I need to have an integration with Harbor? Since the certificate is currently not configured, I'm always getting the error x509: certificate signed by unknown authority.
Check if, in the context of your tutorial, the page "Updating a Private CA Certificate" applies.
It includes "Reconfigure Rancher agents to trust the private CA":
For each cluster under Rancher management (except the local Rancher management cluster) run the following command using the Kubeconfig file of the Rancher management cluster (RKE or K3S).
kubectl patch clusters.management.cattle.io <REPLACE_WITH_CLUSTERID> \
-p '{"status":{"agentImage":"dummy"}}' --type merge
This command will cause all Agent Kubernetes resources to be reconfigured with the checksum of the new certificate.

Self-signed docker registry in CircleCI

I'm using CircleCI 2.0 and I have a private docker registry with a self-signed certificate. I'm able to configure my local docker as documented here; the problem is in CircleCI:
I'm using remote dockers so when I try to login in Docker registry it's failing with Error response from daemon: Get https://docker-registry.mycompany.com/v2/: x509: certificate signed by unknown authority.
Is there a way to install the certificate in a remote docker? I don't have access to the docker host's shell. I don't want to use machine executor type.
It's not possible. It could only be accomplished by using CircleCI's Enterprise level system.

GitLab container does not communicate with GitLab Container Registry container

I use this docker-compose file to create a GitLab installation along with the GitLab Container Registry enabled.
All containers start nicely, but when I try to access the container registry via a new GitLab project, I get a 500 error.
From Kitematic, in the registry container logs I see this:
http: TLS handshake error from 192.168.99.1:54873: tls: first record does not look like a TLS handshake
I am not an expert in security, but from my research I think it has to do with the self-signed certificate that GitLab expects.
Is this the problem? How should I proceed?

Configure docker repo with https without domain name

I have a website that I'm running on a digital ocean droplet, which I want to continuously deploy via docker and a Teamcity build server which I have running on my home server. I want to enable https on my docker repo, with a self signed certificate, and without a domain name.
Let's say my home's ip address is 10.10.10.10 and the docker repo is running on port 5000.
I followed the steps here, however docker on my website complained that it cannot connect to the docker repo on my homeserver because it doesn't specify an IP in the SAN extension.
Okay. So I created a new certificate without the CN field and only an IP in the SAN, and now my cert config on my website looks like...
/etc/docker/certs.d/10.10.10.10:5000/ca.crt
I also added the cert to my general certs (Ubuntu 16.04 btw)
Then I try to pull the image from my home server to my website...
docker pull 10.10.10.10:5000/personal_site:latest
However, I'm getting this error.
Error response from daemon: Get https://10.10.10.10:5000/v1/_ping: x509:
certificate signed by unknown authority (possibly because of "x509:
invalid signature: parent certificate cannot sign this kind of
certificate" while trying to verify candidate authority certificate "serial:xxx")
I thought by adding my cert to the /etc/docker/... it would accept a self-signed cert. Anyone have any advice here?
You can't use a self-signed certificate for this, it needs to be a CA certificate. Follow the same steps required to create a certificate for a docker host and store your CA in /etc/docker/certs.d/.... Or you can also define 10.10.10.10 as an insecure registry as part of the docker daemon startup (dockerd --insecure-registry 10.10.10.10:5000 ...) and docker should ignore any certificate issues.
I just did the same thing with these instructions: create a private repo with a password, without a domain and SSL. That will require you to add the certificate on the client and the domain in the hosts file (if you'd like to have a domain yourself without registering a new domain).
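The two failure modes in this question, reproduced as an added example in Go (not code from the question or the answers, though it uses the same crypto/x509 package the Docker daemon verifies registries with): a self-signed certificate that lacks the CA basic constraint yields the exact "parent certificate cannot sign this kind of certificate" hint, a CA-issued certificate without an IP SAN fails the 10.10.10.10 address check, and a CA-issued certificate with the IP SAN verifies. All keys and certificates are generated in memory, and a one-certificate root pool stands in for the file in /etc/docker/certs.d/10.10.10.10:5000/ca.crt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl under parent with key (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub, key any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// Scenario builds a self-signed signer (a real CA only when signerIsCA is true), issues a registry leaf
// with the given IP SANs, and verifies the leaf as a Go TLS client does when ca.crt holds only that
// signer: it is the sole trusted root and the dialled address must match a SAN. Returns "" on success.
func Scenario(signerIsCA bool, sans []net.IP, addr string) string {
	_, signerKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	signerTmpl := &x509.Certificate{ // no CN: a failure then names it "serial:1", as in the question
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: signerIsCA, KeyUsage: x509.KeyUsageCertSign,
	}
	signer := issue(signerTmpl, signerTmpl, signerKey.Public(), signerKey)
	leafTmpl := &x509.Certificate{ // no subject CN either, only IP SANs, exactly as the questioner did
		SerialNumber: big.NewInt(2), IPAddresses: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	leaf := issue(leafTmpl, signer, leafPub, signerKey)
	roots := x509.NewCertPool() // stands in for the one certificate in ca.crt
	roots.AddCert(signer)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr}); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	ip := []net.IP{net.ParseIP("10.10.10.10")}
	fmt.Printf("non-CA signer: %q\nno IP SAN: %q\nCA with IP SAN: %q\n",
		Scenario(false, ip, "10.10.10.10"), Scenario(true, nil, "10.10.10.10"), Scenario(true, ip, "10.10.10.10"))
}
```

The first scenario prints the same "certificate signed by unknown authority (possibly because of ...)" text as the question; the fix is a signer with CA:TRUE in ca.crt, not a longer list of SANs.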

docker is using the v1 registry api when it should use v2

I'm trying to use a self-hosted docker registry v2. I should be able to push a docker image, which does work locally on the host server (coreos) running the registry v2 container. However, on a separate machine (also coreos, same version) when I try to push to the registry, it tries to push to v1, giving this error:
Error response from daemon: v1 ping attempt failed with error: Get
https://172.22.22.11:5000/v1/_ping: dial tcp 172.22.22.11:5000: i/o timeout.
If this private registry supports only HTTP or HTTPS with an unknown CA
certificate, please add `--insecure-registry 172.22.22.11:5000` to the
daemon's arguments. In the case of HTTPS, if you have access to the registry's
CA certificate, no need for the flag; simply place the CA certificate at
/etc/docker/certs.d/172.22.22.11:5000/ca.crt
Both machines' docker executable is v1.6.2. Why is it that one works and is pushing to v2 but the other is v1?
Here's the repo for the registry: https://github.com/docker/distribution
You need to secure the registry before you can access it remotely, or explicitly allow all your Docker daemons to access insecure registries.
To secure the registry the easiest choice is to buy an SSL certificate for your server, but you can also self-sign the certificate and distribute to clients.
To allow insecure access add the argument --insecure-registry myregistrydomain.com:5000 to all the daemons who need to access the registry. (Obviously replace the domain name and port with yours).
The full instructions (including an example of your error message) are available at: https://github.com/docker/distribution/blob/master/docs/deploying.md
Regarding the error message, I guess Docker tries to use v2 first, fails because of the security issue then tries v1 and fails again.
This may be due to an env variable being set. I had a very similar issue when using a system with this env variable set.
export DOCKER_HOST="tcp://hostname:5000"
Running docker login http://hostname:5000 did not work and gave the same v1 behaviour. I did not expect the env variable to take precedence over an argument passed directly to the command.
Go to /etc/docker/daemon.json. If the file is not present, create the file and add the following:
{
"insecure-registries": ["hosted-registry-IP:port"]
}
After that restart the docker service by
service docker restart