Author: 徐曉偉
GitLab is a globally known all-in-one DevOps platform, and many teams self-host GitLab for source code hosting. JiHu GitLab (極狐GitLab) is the Chinese distribution of GitLab, built specifically for developers in China, and can be deployed with a single command.
Problem reference:
Scenario: when a MinIO domain host entry is added to the JiHu GitLab Runner, the runner cannot verify the domain certificate of MinIO (the cache server).
Solution
Download the certificate
# Download the certificate
openssl s_client -showcerts -connect minio.test.helm.xuxiaowei.cn:443 -servername minio.test.helm.xuxiaowei.cn < /dev/null 2>/dev/null | openssl x509 -outform PEM > minio.test.helm.xuxiaowei.cn.crt
Import the certificate into Kubernetes
# -n=gitlab-test: specify the namespace
# create configmap minio-certs: create a ConfigMap named minio-certs
# --from-file=minio.test.helm.xuxiaowei.cn.crt=minio.test.helm.xuxiaowei.cn.crt: take the content from the file minio.test.helm.xuxiaowei.cn.crt; the key inside the ConfigMap is also minio.test.helm.xuxiaowei.cn.crt
kubectl -n=gitlab-test create configmap minio-certs --from-file=minio.test.helm.xuxiaowei.cn.crt=minio.test.helm.xuxiaowei.cn.crt
# Inspect the result
# kubectl -n=gitlab-test get configmap minio-certs -o yaml
Export the helm gitlab values
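An added check that is not part of the original post: before the downloaded PEM goes into the minio-certs ConfigMap, confirm that the file really is a certificate, that its subjectAltName covers the MinIO host, and that it is not about to expire. The ConfigMap pins this one certificate, so it has to be recreated whenever the MinIO certificate is renewed. The script assumes only the openssl CLI; the function name is mine.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the PEM file
# before it goes into the minio-certs ConfigMap. Needs only the openssl CLI.
# Usage: check_cert_for_host minio.test.helm.xuxiaowei.cn.crt minio.test.helm.xuxiaowei.cn 14

# check_cert_for_host PEMFILE HOST [MIN_DAYS]
# Returns 0 when PEMFILE parses as an X.509 certificate, its Subject
# Alternative Name list contains HOST exactly, and it stays valid for at
# least MIN_DAYS (default 14). Findings are printed so they show up in CI logs.
check_cert_for_host() {
  local pem="$1" host="$2" min_days="${3:-14}" text pat
  text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || {
    echo "ERROR: $pem is not a PEM certificate" >&2; return 1; }
  echo "subject: $(openssl x509 -in "$pem" -noout -subject)"
  echo "issuer:  $(openssl x509 -in "$pem" -noout -issuer)"
  echo "expires: $(openssl x509 -in "$pem" -noout -enddate)"
  # -text prints the SAN entries on the line after the header as "DNS:a, DNS:b".
  # Escape the dots so a.b.c cannot accidentally match axbxc.
  pat=$(printf '%s' "$host" | sed 's/\./\\./g')
  if ! printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' \
       | grep -qE "(^|[ ,])DNS:${pat}(,|$)"; then
    echo "ERROR: $host is not listed in subjectAltName" >&2; return 1
  fi
  # -checkend exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "ERROR: certificate expires within $min_days days; renew it and recreate the ConfigMap" >&2
    return 1
  fi
  echo "OK: $pem covers $host and is valid for at least $min_days more days"
  return 0
}
```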
helm -n gitlab-test get values my-gitlab > my-gitlab.yaml
View the JiHu GitLab Runner default configuration
# Excerpt only; other versions may differ. Refer to https://artifacthub.io/packages/helm/gitlab/gitlab?modal=values for the authoritative values.
gitlab-runner:
  runners:
    config: |
      [[runners]]
        [runners.kubernetes]
          image = "ubuntu:22.04"
        {{- if .Values.global.minio.enabled }}
        [runners.cache]
          Type = "s3"
          Path = "gitlab-runner"
          Shared = true
          [runners.cache.s3]
            ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }}
            BucketName = "runner-cache"
            BucketLocation = "us-east-1"
            Insecure = false
        {{ end }}
Modify the helm gitlab values
gitlab-runner:
  runners:
    config: |
      [[runners]]
        [runners.kubernetes]
          image = "ubuntu:22.04"
          # https://docs.gitlab.cn/runner/executors/kubernetes.html#configmap-%E5%8D%B7
          # https://docs.gitlab.cn/runner/executors/kubernetes.html#%E9%85%8D%E7%BD%AE%E5%8D%B7%E7%B1%BB%E5%9E%8B
          # https://kubernetes.io/zh-cn/docs/concepts/storage/volumes/
          # https://kubernetes.io/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/
          [[runners.kubernetes.volumes.config_map]]
            name = "minio-certs"
            mount_path = "/etc/ssl/certs/minio.test.helm.xuxiaowei.cn.crt"
            sub_path = "minio.test.helm.xuxiaowei.cn.crt"
            [runners.kubernetes.volumes.config_map.items]
              "minio.test.helm.xuxiaowei.cn.crt" = "minio.test.helm.xuxiaowei.cn.crt"
        {{- if .Values.global.minio.enabled }}
        [runners.cache]
          Type = "s3"
          Path = "gitlab-runner"
          Shared = true
          [runners.cache.s3]
            ServerAddress = {{ include "gitlab-runner.cache-tpl.s3ServerAddress" . }}
            BucketName = "runner-cache"
            BucketLocation = "us-east-1"
            Insecure = false
        {{ end }}
Apply the updated helm gitlab values
helm upgrade -n gitlab-test --install my-gitlab gitlab/gitlab -f my-gitlab.yaml --timeout 600s --version 7.7.0
Check the result
- Wait until all old gitlab-runner pods have been deleted and the new pods are running, then retry the pipeline; it can now correctly reach the MinIO (cache server) domain.
- First run: the cache server holds no dependencies yet, so the cache download fails.
- The first run succeeds and uploads the dependencies to the cache server.
- Subsequent runs: the cache server already holds the dependencies, the download succeeds, and the pipeline duration is greatly reduced.
Inspect the configuration as follows
[root@anolis-7-9 ~]# kubectl -n gitlab-test get pod | grep runner
my-gitlab-gitlab-runner-57fddb64b7-xdndt          1/1     Running   0          10m
runner-z1gihfdz-project-1-concurrent-0-k3h251j8   2/2     Running   0          20s
[root@anolis-7-9 ~]#
Note that it is the helper container that is inspected: the certificate we configured is already present inside it, which is why it can trust the MinIO (cache server) certificate.
[root@anolis-7-9 ~]# kubectl -n gitlab-test exec -it runner-z1gihfdz-project-1-concurrent-0-k3h251j8 -c helper cat /etc/ssl/certs/minio.test.helm.xuxiaowei.cn.crt
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
-----BEGIN CERTIFICATE-----
MIICqjCCAgugAwIBAgIQbha0RtIy+yeQHAEidwDJXzAKBggqhkjOPQQDBDAdMRsw
GQYDVQQDExJjZXJ0LW1hbmFnZXIubG9jYWwwHhcNMjMxMjIyMDUwNTMyWhcNMjQw
MzIxMDUwNTMyWjAVMRMwEQYDVQQFEwoxMjM0NTY3ODkwMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAxoxsHstWtaaMLYDojvL5zw4C20ZkS3IJJ1u5S7Qv
C1yiz3d6LrWnb7RSEWGO2ckZoYNRfHnDipEJnC8nY0BU2SvYfG8+sx80Fpyt1+5V
TkMU8WSFnNtgPupojGEKsWRLEFg1lEu5mH36v1d0EO31/r7D69uO3rRbh7UpN9f6
/BbJV/f+TpyDsAYEuZa2jqkRyR6KIDSQkQtZvVsSlpcB4Z3EQpCj31tOpufLjIxY
qPGUrOcL9mIsc+wz+CvxQFU5n3H650F6p0AG/EzjZ6ClghPRxZrTLfY9iQP2zxnQ
B941eW1y40nmHttmRg0whDJFU3i6VpALPE6Bv0w9X+bJtQIDAQABo2owaDAOBgNV
HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBRkqQQEnhfwEmG6
AC+eFFOS91CTfDAnBgNVHREEIDAeghxtaW5pby50ZXN0LmhlbG0ueHV4aWFvd2Vp
LmNuMAoGCCqGSM49BAMEA4GMADCBiAJCAaGgfzw1PYdr81UP/xpXE1tsYV+fYlDp
oj/AJBtnUsaLonnVihknaEUe97aFstiiPkgu33C37evwUBZXneIKZ2+QAkIBchVK
Q7ywP+X/8rSAse46rwNyx0y+svLnwUTp/sen2I/9EGVU20ESm5X1x/iyGNsmFNlb
I8Bn2W7QLYcdpvAJ/wY=
-----END CERTIFICATE-----
[root@anolis-7-9 ~]#
For more JiHu GitLab best practices, search for and follow the【極狐GitLab】WeChat official account, or visit the JiHu GitLab website at https://gitlab.cn.