Commit 20613ef8 authored by Steve Azzopardi

Add doc for codequality image self signed registry

When users specify `$CODE_QUALITY_IMAGE` to point to an image that is a
registry with a self-signed certificate it fails with `x509:
certificate signed by unknown authority`.

Add documentation on how to add the registry certificate so that it's
trusted by DinD.
parent fa65ff1d
@@ -422,6 +422,71 @@ for more details.
Here's [an example project](https://gitlab.com/jheimbuck_gl/jh_java_example_project) that uses Code Quality with a `.codeclimate.yml` file.
## Use a Code Quality image hosted in a registry with untrusted certificates
If you set the `CODE_QUALITY_IMAGE` to an image that is hosted in a
Docker registry which uses a TLS certificate that is not trusted, such as
a self-signed certificate, you will see errors like the one below:
```shell
$ docker pull --quiet "$CODE_QUALITY_IMAGE"
Error response from daemon: Get https://gitlab.example.com/v2/: x509: certificate signed by unknown authority
```
To fix this, configure the Docker daemon to [trust certificates](https://docs.docker.com/registry/insecure/#use-self-signed-certificates)
by putting the certificate inside of the `/etc/docker/certs.d`
directory.
This Docker daemon is exposed to the subsequent Code Quality Docker container in the
[GitLab Code Quality](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.8.3-ee/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml#L41)
and should be to exposed any other containers in which you want to have
your certificate configuration apply.
### Docker
If you have access to GitLab Runner configuration, add the directory as a
[volume mount](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section). For example:
```toml
[[runners]]
...
executor = "docker"
[runners.docker]
...
privileged = true
volumes = ["/cache", "/etc/gitlab-runner/certs/gitlab.example.com.crt:/etc/docker/certs.d/gitlab.example.com/ca.crt:ro"]
```
Replace `gitlab.example.com` with the actual domain of the registry.
### Kubernetes
If you have access to GitLab Runner configuration and the Kubernetes cluster,
you can [mount a ConfigMap](https://docs.gitlab.com/runner/executors/kubernetes.html#configmap-volumes):
1. Create a ConfigMap with the certificate:
```shell
kubectl create configmap registry-crt --namespace gitlab-runner --from-file /etc/gitlab-runner/certs/gitlab.example.com.crt
```
1. Update GitLab Runner `config.toml` to specify the ConfigMap:
```toml
[[runners]]
...
executor = "kubernetes"
[runners.kubernetes]
image = "alpine:3.12"
privileged = true
[[runners.kubernetes.volumes.config_map]]
name = "registry-crt"
mount_path = "/etc/docker/certs.d/gitlab.example.com/ca.crt"
sub_path = "gitlab.example.com.crt"
```
Replace `gitlab.example.com` with the actual domain of the registry.
## Troubleshooting
### Changing the default configuration has no effect
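Review bot: typo in the paragraph that follows the `/etc/docker/certs.d` instruction: "and should be to exposed any other containers in which you want to have your certificate configuration apply" should read "and should be exposed to any other containers in which you want your certificate configuration to apply"; the sentence before it ("This Docker daemon is exposed to the subsequent Code Quality Docker container in the [GitLab Code Quality] ...") is also hard to follow and would be clearer as a statement that the linked Code Quality template runs the job against this Docker daemon. Two smaller points in the examples: the Docker executor mounts the certificate with `:ro`, while the Kubernetes `config_map` volume does not say whether the mount is read-only, so consider stating that explicitly for consistency; and both snippets set `privileged = true` without saying whether that is needed for the certificate mount itself or is simply the existing DinD requirement of the Code Quality job, which is worth one clarifying sentence so readers do not assume the certificate setup requires it.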