private-ca: How to pass the certificates to the controller

[pharndt]

When using this for an internal GitHub Enterprise installation, it might be necessary to pass self-signed certificates to the controller in order to get it to work with an internal hostname.

Currently, I see two options on how to achieve this:

1. Adding the certificates as a volume mount (e.g., to the mountPath /etc/ssl/certs)
   This comes with the drawback, that is currently necessary to change the helm chart, which will cause effort on each update.

2. Adding the certificates by re-bundle the controller image
   In this case, the certificates can be copied to the image and the Helm chart stays untouched. On the other hand, it comes with the drawback that you will need to re-bundle each new version of the controller.

Do I miss an option? Would you accept a PR for the Helm chart, that adds an optional value for self-signed certificates that will get mounted to /etc/ssl/certs?

[gazab]

Edit: But now I realise you wanted to do this for the controller, not the Runners... I'll leave my reply below anyway

You are missing an option! I currently solve this by using initContainers in my RunnerSet spec. Something like this (ignore that it is an normal Deployment. The principle works with RunnerDeployment and RunnerSet as well):

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: webapp
  name: webapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      initContainers:
        # This init container builds a cert bundle including self signed cert and stores it in the shared volume (/tmp)
        - name: ca-certs
          image: mcr.microsoft.com/dotnet/core/runtime-deps:3.0.3-buster-slim
          imagePullPolicy: Always
          command: [ 'sh', '-c', 'update-ca-certificates && cp /etc/ssl/certs/* /tmp/' ]
          volumeMounts:
          - name: enterprise-ca
            mountPath: /usr/local/share/ca-certificates/enterprise-ca.crt
            subPath: enterprise-ca.crt
          - mountPath: /tmp/
            name: ca-bundle
      containers:
      - name: app
        image: webapp:latest
        ports:
        - containerPort: 80
        # Mounts ca-bundle, which is now filled with both normal certs and custom certs, to /etc/ssl/certs in the main container
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ca-bundle
      restartPolicy: Always
      volumes:
      # Load custom cert from secret
      - name: enterprise-ca
        secret:
          secretName: enterprise-ca
      # Shared volume between init container and main container
      - name: ca-bundle
        emptyDir: {}

So the init container collects all certs, included a custom cert populated from a secret, to a shared volume. This volume is then mounted to /etc/ssl/certs in the main container.

[pharndt]

This is a great option for the runner, thank you for the hint!

[casanova-21]

@gazab @pharndt Hi! 👋 I'm troubleshooting the same thing trying to get GHES working. Can you have a look at this Issue and see if you have any feedback? We're trying to figure out how to get the ca bundle presented to the controller and also if it's necessary to somehow get it presented to the runners as well. We're using a runnerdeployment in our testing.

[casanova-21]

Disregard the above comment as we were able to get this working. I'm working on documenting the process now.

[pharndt]

@casanova-21 Currently, I decided to re-bundle all images and add the certificates and some proxy settings to the bundles during the build process. For the runner, I would need to do this anyway as I like to install some extra tools and again some certificates for Node and Java builds.

The controller image is pretty easy:

FROM summerwind/actions-runner-controller:v0.20.3

ADD ./lib/some.crt /etc/ssl/certs/some.crt

in the dind image, I did the same and added ENV variables for the proxy.

[karthikGenAI]

@casanova-21 hey i have setup ARC for my GHES org, registration is sucessfull in the controller log and runners pods are getting created. However in the logs i see below, Any clues how to suppress or overcome this ssl issue? I am using PAT authentication for controller-manager secret

`2024-05-17 15:03:42.363 DEBUG --- Configuring the runner.

---

| ____ _ _ _ _ _ _ _ _ |
| / () || | | | | |_ / \ | |() ___ _ __ ___ |
| | | | | __| || | | | | ' \ / _ \ / | | |/ _ | ' / | |
| | || | | || _ | || | |) | / ___ \ (| || | () | | | __ \ |
| _||_|| ||_,|.__/ // __|_||_/|| ||___/ |
| |
| Self-hosted runner registration |
| |

Authentication

The SSL connection could not be established, see inner exception.
2024-05-17 15:03:46.920 DEBUG --- Configuration failed. Retrying
2024-05-17 15:03:47.922 DEBUG --- Configuring the runner.`