
How to provide my own CA root certificate and SSL client certificate (cert + key) to dockerd in a gitlab-ci pipeline for my own docker registry?

I have a virtual machine (CentOS 7) with docker and gitlab-runner installed. The runner is registered as docker:dind. The setup works OK, but I am having trouble connecting to my own docker registry, which has a certificate from my own CA but is also using a client SSL certificate. When I pass dockerd the argument --insecure-registry=gitlab.mazel.tov:4567 it doesn't verify the CA, but I still don't know how to provide the client SSL certificate, and the pipeline fails with this error.

$ docker login -u gitlab-ci-token -p $CI_JOB_TOKEN https://gitlab.mazel.tov:4567
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://gitlab.mazel.tov:4567/v2/: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<html>\r\n<head><title>400 No required SSL certificate was sent</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>No required SSL certificate was sent</center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n"

I also have a folder inside the docker:dind container with my certs, but this approach doesn't work with dockerd? On my computer or on a server it works OK.

$ ls -la /etc/docker/certs.d/gitlab.mazel.tov\:4567/
    ca.crt
    client.cert
    client.key

I also explored dockerd --help, but the options about certificates are only for the docker socket and not SSL configs for the docker registry.

/etc/gitlab-runner/config.toml

[[runners]]
  name = "My Docker Runner"
  url = "https://gitlab.mazel.tov"
  token = "ac17ab5cfff675fddd059d40a3"
  tls-ca-file = "/etc/ssl/certs/myCA.pem"
  tls-cert-file = "/etc/gitlab-runner/certs/mazel.tov.pem"
  tls-key-file = "/etc/gitlab-runner/certs/mazel.tov.key"
  executor = "docker"
  [runners.docker]
    image = "docker:dind"
    privileged = true
    disable_cache = false
    volumes = ["/cache", "/etc/docker/certs.d:/etc/docker/certs.d"]
    shm_size = 0
  [runners.cache]

.gitlab-ci.yml

services:
  - name: docker:dind
    command: ["--insecure-registry=gitlab.mazel.tov:4567"]

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_HOST: tcp://docker:2375/

stages:
  - build

before_script:
  - ls -la /etc/docker/certs.d/gitlab.mazel.tov\:4567/
  - docker info
  - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN https://gitlab.mazel.tov:4567

build-web:
  stage: build
  script:
    - docker build ...
    - docker push ...

I don't like the --insecure-registry option either. And my gitlab server has the client certificate configured at the Nginx level.

/etc/gitlab/gitlab.rb

nginx['ssl_client_certificate'] = "/etc/gitlab/ssl/myCA.crt"
nginx['ssl_verify_client'] = "on"

The certificates work OK on my machine and on another server; I am just having trouble implementing it in the gitlab-ci pipeline...

When I test docker:dind on my Mac and mount the certificates, it works OK, so the problem is only in the gitlab-ci pipeline? Maybe dockerd is loaded before the folder mount occurs?

docker run -it --rm --privileged -v ~/.docker/certs.d/:/etc/docker/certs.d/ docker:dind sh
dockerd &
docker login https://gitlab.mazel.tov:4567
** it works **
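Added example, not code from the question or the answer: a POSIX sh check of the certs.d layout that dockerd reads (ca.crt for the CA, a <name>.cert client certificate with a same-named <name>.key beside it), meant to be run wherever dockerd actually runs, which in this setup is the docker:dind service container rather than the job container. The certs.d path and registry name are the question's; the file contents are only checked for PEM headers, not validated cryptographically.

```shell
#!/bin/sh
# Added example (not from the question or answer): sanity-check the
# /etc/docker/certs.d/<host:port>/ layout before relying on it. dockerd expects:
#   ca.crt        CA that signed the registry's server certificate (*.crt = CA)
#   <name>.cert   client certificate (must be .cert; a .crt would be read as a CA)
#   <name>.key    private key with the SAME base name as the .cert

# pem_has FILE KIND: does FILE contain a PEM block of KIND (CERTIFICATE / PRIVATE KEY)?
pem_has() {
  grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# check_certs_d CERTS_DIR HOST:PORT -> exit 0 if dockerd would find a usable set
check_certs_d() {
  dir="$1/$2"
  rc=0
  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir does not exist (dockerd looks up the directory by host:port)"
    return 1
  fi
  if [ -f "$dir/ca.crt" ] && pem_has "$dir/ca.crt" CERTIFICATE; then
    echo "OK:   ca.crt present"
  else
    echo "FAIL: no PEM ca.crt, so a registry signed by a private CA will not verify"
    rc=1
  fi
  ncert=0
  for cert in "$dir"/*.cert; do
    [ -e "$cert" ] || continue            # glob did not match: no .cert files
    ncert=$((ncert + 1))
    key="${cert%.cert}.key"               # dockerd pairs client.cert with client.key
    if [ ! -f "$key" ]; then
      echo "FAIL: $(basename "$cert") has no matching $(basename "$key")"; rc=1
    elif ! pem_has "$cert" CERTIFICATE || ! pem_has "$key" "PRIVATE KEY"; then
      echo "FAIL: $(basename "$cert") / $(basename "$key") are not PEM"; rc=1
    else
      echo "OK:   client pair $(basename "$cert") + $(basename "$key")"
    fi
  done
  if [ "$ncert" -eq 0 ]; then
    echo "FAIL: no *.cert client certificate, so no client cert is sent to the registry"
    rc=1
  fi
  return $rc
}

if [ "$#" -eq 2 ]; then check_certs_d "$1" "$2"; fi
```

Call it with the certs.d root and the registry host:port (for example `sh check.sh /etc/docker/certs.d gitlab.mazel.tov:4567`); a non-zero exit names the file dockerd would miss or misread.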

1 Answer


Try this config under [[runners]]:

 environment = ["DOCKER_TLS_CERTDIR="]