Merge branch 'docs/codequality-self-signed-registry' into 'master'

Add doc for codequality image self signed registry See merge request gitlab-org/gitlab!52566

Merge branch 'docs/codequality-self-signed-registry' into 'master'
Add doc for codequality image self signed registry See merge request gitlab-org/gitlab!52566
c7a970b2 · Evan Read · 50c3e0ee · 20613ef8 · c7a970b2
Commit c7a970b2 authored Feb 14, 2021 by Evan Read
Hide whitespace changes
Inline Side-by-side

Showing with 65 additions and 0 deletions

doc/user/project/merge_requests/code_quality.md doc/user/project/merge_requests/code_quality.md +65 -0

No files found.
--- a/doc/user/project/merge_requests/code_quality.md
+++ b/doc/user/project/merge_requests/code_quality.md
@@ -422,6 +422,71 @@ for more details.

 Here's [an example project](https://gitlab.com/jheimbuck_gl/jh_java_example_project) that uses Code Quality with a `.codeclimate.yml` file.

+## Use a Code Quality image hosted in a registry with untrusted certificates
+
+If you set the `CODE_QUALITY_IMAGE` to an image that is hosted in a
+Docker registry which uses a TLS certificate that is not trusted, such as
+a self-signed certificate, you will see errors like the one below:
+
+```shell
+$ docker pull --quiet "$CODE_QUALITY_IMAGE"
+Error response from daemon: Get https://gitlab.example.com/v2/: x509: certificate signed by unknown authority
+```
+
+To fix this, configure the Docker daemon to [trust certificates](https://docs.docker.com/registry/insecure/#use-self-signed-certificates)
+by putting the certificate inside of the `/etc/docker/certs.d`
+directory.
+
+This Docker daemon is exposed to the subsequent Code Quality Docker container in the
+[GitLab Code Quality](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.8.3-ee/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml#L41)
+and should be to exposed any other containers in which you want to have
+your certificate configuration apply.
+
+### Docker
+
+If you have access to GitLab Runner configuration, add the directory as a
+[volume mount](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section). For example:
+
+```toml
+[[runners]]
+  ...
+  executor = "docker"
+  [runners.docker]
+    ...
+    privileged = true
+    volumes = ["/cache", "/etc/gitlab-runner/certs/gitlab.example.com.crt:/etc/docker/certs.d/gitlab.example.com/ca.crt:ro"]
+```
+
+Replace `gitlab.example.com` with the actual domain of the registry.
+
+### Kubernetes
+
+If you have access to GitLab Runner configuration and the Kubernetes cluster,
+you can [mount a ConfigMap](https://docs.gitlab.com/runner/executors/kubernetes.html#configmap-volumes):
+
+1. Create a ConfigMap with the certificate:
+
+    ```shell
+    kubectl create configmap registry-crt --namespace gitlab-runner --from-file /etc/gitlab-runner/certs/gitlab.example.com.crt
+    ```
+
+1. Update GitLab Runner `config.toml` to specify the ConfigMap:
+
+    ```toml
+    [[runners]]
+      ...
+      executor = "kubernetes"
+      [runners.kubernetes]
+        image = "alpine:3.12"
+        privileged = true
+        [[runners.kubernetes.volumes.config_map]]
+          name = "registry-crt"
+          mount_path = "/etc/docker/certs.d/gitlab.example.com/ca.crt"
+          sub_path = "gitlab.example.com.crt"
+    ```
+
+Replace `gitlab.example.com` with the actual domain of the registry.
+
 ## Troubleshooting

 ### Changing the default configuration has no effect