Gitlab runner fail to use cache with minio

Question

I installed a self-hosted Gitlab using the Helm chart on a Kubernetes cluster. Everything is working fine except one thing: the cache.

In my .gitlab-ci.yml file I have

cache:
  paths:
    - .m2/repository/
    - target/

But when running the job I have this warning when trying to download the cache:

WARNING: Retrying...                                
error=Get https://minio.mydomain.com/runner-cache/gitlab-runner/project/6/default?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=xxx: x509: certificate signed by unknown authority

And when uploading I have:

WARNING: Retrying...                                error=received: 501 Not Implemented
Uploading cache.zip to https://minio.mydomain.com/runner-cache/gitlab-runner/project/6/default 
FATAL: received: 501 Not Implemented   

But the certificate is provided by LetsEncrypt so it's not an unknown authority. When I go on minio.mydomain.com I can see that the connection is secure

I've also check that the runner is using the right credentials and yes it is.

I'm kind of lost here. Any hints is welcome.

Thanks.

Answer 1

You need to add the CA to the image that is hosting the cache.

You can follow these instructions from this gitlab issue for a workaround:

Update the helper image to have the ca chain for the self-signed certificate trusted.

FROM gitlab/gitlab-runner-helper:x86_64-latest

RUN apk add --no-cache ca-certificates

COPY ca.crt /usr/local/share/ca-certificates/ca.crt

RUN update-ca-certificates

RUN rm /usr/local/share/ca-certificates/ca.crt

docker build -t registry.gitlab.com/namespace/project/tools/gitlab-runner-helper:$SOME_TAG

Override the helper image used by GitLab by updating the config.toml to use the image you just build with the correct CA trusted.

If you are using the helm chart you can define KUBERNETES_HELPER_CPU_LIMIT environment variable and define it in envVars

Hope this helps.