Configuring GitFlic Agent with a Self-Signed Certificate
If the GitFlic Self-hosted server is configured with a self-signed certificate, additional steps are required for agents to work correctly.
This guide describes the steps for all types of agents, including those running in Docker containers.
Adding the Certificate to Trusted Certificates
For all agent types, you must first add the self-signed certificate to the trusted certificates and to the Java Key Store.
- Copy the self-signed certificate to the server where you plan to run the agents.
- Add the certificate to the trusted certificates.

  Debian/Ubuntu:

      sudo cp selfsigned.crt /usr/local/share/ca-certificates/selfsigned.crt
      sudo update-ca-certificates

  RHEL/CentOS:

      sudo cp selfsigned.crt /etc/pki/ca-trust/source/anchors/
      sudo update-ca-trust extract

  macOS:

      sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain selfsigned.crt

  where selfsigned.crt is the self-signed certificate.
- Import the certificate into the Java Key Store (JKS):

      keytool -import -noprompt \
        -storepass changeit \
        -trustcacerts \
        -alias selfsigned-cert \
        -file selfsigned.crt \
        -keystore "$JAVA_HOME/lib/security/cacerts"

  Make sure the $JAVA_HOME variable is available in your environment. Otherwise, specify the OpenJDK installation path manually.
- Register the agent and make sure the registration completes without errors.
Configuring a Docker-Type Agent
For Docker-type agents, you need to pass the self-signed certificate into the container where the pipeline runs. This feature is available in agent version 4.0.0 and above.
- Make sure you are using agent version 4.0.0 or higher.
- Make sure the certificate is created with a SAN (Subject Alternative Name). If you use the certificate for localhost, you must also add host.docker.internal to the SAN.
- Configure passing the certificate into the pipeline container. To do this, configure the agent settings to mount the self-signed certificate. Example:

      docker.volumes[0]=/home/user/selfsigned.crt:/etc/gitflic-runner/certs/selfsigned.crt

  where /home/user/selfsigned.crt is the path to the certificate on the host and /etc/gitflic-runner/certs/selfsigned.crt is the path in the container.
- Add the CA_CERTIFICATES_PATH variable to CI/CD (for example, via the CI/CD settings in the web interface or in the gitflic-ci.yaml file) and set its value to the certificate path in the container's file system as specified in the agent configuration (step 3):

      variables:
        CA_CERTIFICATES_PATH: /etc/gitflic-runner/certs/selfsigned.crt
Configuring an Agent Running in a Docker Container
If the agent is running in a Docker container or via the official Docker Compose, you need to build and use your own agent image.
- Create a Dockerfile and specify the base image:

      FROM registry.gitflic.ru/company/gitflic/runner:<Agent_Version>

- Add a command to copy the certificate into the image. Example:

      COPY selfsigned.crt /usr/local/share/ca-certificates/selfsigned.crt

  where selfsigned.crt is the self-signed certificate placed in the build context (the directory you run docker build from). Docker resolves COPY sources relative to the build context, not the host root, so an absolute host path such as /home/user/selfsigned.crt would not be found.
- Add commands to import this certificate into the trusted store and the Java Key Store:

      RUN update-ca-certificates
      RUN keytool -import -noprompt \
            -storepass changeit \
            -trustcacerts \
            -alias selfsigned-cert \
            -file /usr/local/share/ca-certificates/selfsigned.crt \
            -keystore "$JAVA_HOME/lib/security/cacerts"

- Build the agent image:

      docker build -t registry.gitflic.ru/company/gitflic/runner:custom .

- Create a file for additional agent parameters, for example additional.properties, and specify the volume parameter in it:

      docker.volumes[0]=/home/user/selfsigned.crt:/etc/gitflic-runner/certs/selfsigned.crt

  Instead of /home/user/selfsigned.crt, specify the path to the self-signed certificate on the host: the pipeline container is started through the host's Docker socket, so the mount source is resolved on the host, not inside the agent container.
- Copy the created file into the runner-config Docker volume:

      docker run --rm \
        -v runner-config:/data \
        -v "$(pwd)":/src \
        alpine cp /src/additional.properties /data/

  Run this command in the directory with the additional.properties file created in step 5.
- Add the CA_CERTIFICATES_PATH variable to CI/CD:

      variables:
        CA_CERTIFICATES_PATH: /etc/gitflic-runner/certs/selfsigned.crt

- Start the agent:

      docker run \
        --env "REG_URL=<URL obtained in the GitFlic application>" \
        --env "REG_TOKEN=<Agent registration token obtained in the GitFlic interface>" \
        --volume runner-config:/gitflic-runner/config \
        --volume runner-log:/gitflic-runner/log \
        --volume //var/run/docker.sock://var/run/docker.sock \
        --detach \
        registry.gitflic.ru/company/gitflic/runner:custom

  If you use Docker Compose, specify the built image in the docker-compose.yaml file and restart:

      docker compose down && docker compose up
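A cross-check for the docker.volumes[N] mount and the CA_CERTIFICATES_PATH variable described in this section and the previous one, written here as an added example (not GitFlic's own code): it parses the agent's docker.volumes[N] settings, confirms that CA_CERTIFICATES_PATH names the container side of one of those mounts, and verifies that the host-side file exists and is a public certificate rather than a private key. The read_host_file hook is an assumption added so the check can run against constructed input; by default it reads the local filesystem.

```python
import os
import re

# One agent setting per line: docker.volumes[N]=<host path>:<container path>[:options]
VOLUME_RE = re.compile(r"^docker\.volumes\[(\d+)\]\s*=\s*(\S+)$")


def parse_volume_mounts(properties_text):
    """Return {container_path: host_path} for every docker.volumes[N] entry."""
    mounts = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = VOLUME_RE.match(line)
        if not match:
            continue
        parts = match.group(2).split(":")
        if len(parts) < 2:
            raise ValueError(f"malformed volume spec: {match.group(2)!r}")
        mounts[parts[1]] = parts[0]  # parts[2], if present, holds options such as 'ro'
    return mounts


def _read_local_file(path):
    """Default reader: file text, or None when the path is missing on this host."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def check_ca_path(properties_text, ca_certificates_path, read_host_file=_read_local_file):
    """Return a list of problems; an empty list means the CI variable and the mount agree."""
    problems = []
    host_path = parse_volume_mounts(properties_text).get(ca_certificates_path)
    if host_path is None:
        problems.append(f"CA_CERTIFICATES_PATH={ca_certificates_path} is not the container "
                        "side of any docker.volumes[N] mount; TLS verification will fail")
        return problems
    content = read_host_file(host_path)
    if content is None:
        # The mount source is resolved by the host Docker daemon, not the agent container.
        problems.append(f"host file {host_path} does not exist")
        return problems
    if "PRIVATE KEY" in content:
        problems.append(f"{host_path} contains a private key; mount only the public certificate")
    if "-----BEGIN CERTIFICATE-----" not in content:
        problems.append(f"{host_path} is not a PEM certificate")
    return problems
```

Run check_ca_path(open("additional.properties").read(), "/etc/gitflic-runner/certs/selfsigned.crt") on the agent host before starting the agent; any returned string describes a mismatch that would otherwise surface only as a failed pipeline.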
Building a Custom Helper Image for Docker-Type Agents
If you do not want to use the approach described above, which requires additional parameters for each agent, you can build your own helper image for Docker-type agents, publish it to the registry, and use it for all agents:
- Create a Dockerfile similar to the agent image, using the official gitflic-runner-helper image as the base:

      FROM registry.gitflic.ru/company/gitflic/gitflic-runner-helper:<agent_version>
      COPY ./selfsigned.crt /usr/local/share/ca-certificates/custom-certs/
      RUN update-ca-certificates && \
          keytool -import -noprompt \
            -storepass changeit \
            -trustcacerts \
            -alias selfsigned-cert \
            -file /usr/local/share/ca-certificates/custom-certs/selfsigned.crt \
            -keystore /etc/ssl/certs/java/cacerts

  where selfsigned.crt is the self-signed certificate.
- Build the image:

      docker build -t registry.gitflic.ru/company/gitflic/gitflic-runner-helper:custom .

- Add a parameter to the agent to specify the built image.

  In application.properties:

      runner.helperImage=registry.gitflic.ru/company/gitflic/gitflic-runner-helper:custom

  In docker-compose.yaml:

      environment:
        HELPER_IMAGE: "registry.gitflic.ru/company/gitflic/gitflic-runner-helper:custom"

- Start the agent.
Automated translation!
This page has been automatically translated. The text may contain inaccuracies.