author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-07-29 21:10:22 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-07-29 21:10:22 +0300 |
commit | 13592f8455bfd17acd7cb10ccea015e3b63c155d (patch) | |
tree | f7f83ba592eca75307e91f4f764e4607d4456025 /doc/ci/secrets/index.md | |
parent | f4d51a9f71cf3d4b0874a3e1948fe3c1ea193c4d (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/ci/secrets/index.md')
-rw-r--r-- | doc/ci/secrets/index.md | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/ci/secrets/index.md b/doc/ci/secrets/index.md index 52bf30a9b35..9280b03be85 100644 --- a/doc/ci/secrets/index.md +++ b/doc/ci/secrets/index.md 
@@ -181,3 +181,32 @@ You can also specify some attributes for the resulting Vault tokens, such as tim IP address range, and number of uses. The full list of options is available in [Vault's documentation on creating roles](https://www.vaultproject.io/api/auth/jwt#create-role) for the JSON web token method. + +## Using a self-signed Vault server + +When the Vault server is using a self-signed certificate, you will see the following error in the job logs: + +```plaintext +ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: checking Vault server health: Get https://vault.example.com:8000/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299: x509: certificate signed by unknown authority +``` + +You have two options to solve this error: + +- Add the self-signed certificate to the GitLab Runner server's CA store. + If you deployed GitLab Runner using the [Helm chart](https://docs.gitlab.com/runner/install/kubernetes.html), you will have to create your own GitLab Runner image. +- Use the `VAULT_CACERT` environment variable to configure GitLab Runner to trust the certificate: + - If you are using systemd to manage GitLab Runner, see [how to add an environment variable for GitLab Runner](https://docs.gitlab.com/runner/configuration/init.html#setting-custom-environment-variables). + - If you deployed GitLab Runner using the [Helm chart](https://docs.gitlab.com/runner/install/kubernetes.html): + 1. [Provide a custom certificate for accessing GitLab](https://docs.gitlab.com/runner/install/kubernetes.html#providing-a-custom-certificate-for-accessing-gitlab), and make sure to add the certificate for the Vault server instead of the certificate for GitLab. If your GitLab instance is also using a self-signed certificate, you should be able to add both in the same `Secret`. + 1. 
Add the following lines in your `values.yaml` file: + + ```yaml + ## Replace both the <SECRET_NAME> and the <VAULT_CERTIFICATE> + ## with the actual values you used to create the secret + + certsSecretName: <SECRET_NAME> + + envVars: + - name: VAULT_CACERT + value: "/home/gitlab-runner/.gitlab-runner/certs/<VAULT_CERTIFICATE>" + ``` |
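Review bot: The Helm chart step that says "you should be able to add both in the same `Secret`" hedges the one detail a reader with an existing GitLab certificate has to act on: the `values.yaml` snippet sets a single `certsSecretName`, so both certificate files must go into that one secret, and the sentence should state it plainly (for example "add both certificates to the same `Secret`, because `certsSecretName` names only one secret") rather than "should be able to". Two smaller points in the same hunk: both remedies (the runner server's CA store and `VAULT_CACERT`) configure trust on GitLab Runner itself, and the quoted error is a `system failure` raised while "resolving secrets", so one sentence saying the certificate must be trusted by the runner process, not installed in the job image, would prevent an obvious wrong turn; and the heading "Using a self-signed Vault server" names the server when the section is about its certificate, so something like "Using a self-signed certificate with Vault" reads more accurately. Finally, "you will see" and "you will have to create" use the future tense where the unchanged context line above ("You can also specify ...") uses the present; "you see the following error" and "you must create your own GitLab Runner image" match it.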