@doevelopper
Last active November 19, 2018 20:50

In the Bitnami GitLab console

Back up the current self-signed certificates:

$> sudo mv /etc/gitlab/ssl/server.crt /etc/gitlab/ssl/server.crt.back 
$> sudo mv /etc/gitlab/ssl/server.key /etc/gitlab/ssl/server.key.back
$> sudo mv /etc/gitlab/ssl/server.csr /etc/gitlab/ssl/server.csr.back

Create your private key (keep it under /etc/gitlab/ssl, the directory the later commands use):

$> sudo openssl genrsa -out /etc/gitlab/ssl/gitlab.devsecops.acme.key 2048

Create a certificate signing request (CSR) to send to your CA. Answer the prompts; the Common Name must be the hostname the runners will connect to (gitlab.devsecops.acme):

$> sudo openssl req -new -key /etc/gitlab/ssl/gitlab.devsecops.acme.key -out /etc/gitlab/ssl/cert.csr

Create a self-signed certificate from that CSR to use until the CA-signed one arrives. gitlab-runner is written in Go, and Go 1.15+ rejects certificates whose hostname appears only in the Common Name, so the certificate must carry a subjectAltName extension; openssl x509 -req adds none unless it is given one:

$> printf 'subjectAltName=DNS:gitlab.devsecops.acme\n' | sudo tee /etc/gitlab/ssl/san.ext >/dev/null
$> sudo openssl x509 -in /etc/gitlab/ssl/cert.csr \
    -out /etc/gitlab/ssl/gitlab.devsecops.acme.crt -req -signkey \
    /etc/gitlab/ssl/gitlab.devsecops.acme.key -days 365 \
    -extfile /etc/gitlab/ssl/san.ext

Alternatively, create the key and the self-signed certificate in one step with a full subject. The SAN is an X.509 extension, not a subject attribute, so it does not belong in -subj; pass it with -addext (OpenSSL 1.1.1 or later):

$> sudo openssl req -x509 -nodes -days 730 -subj \
    '/serialNumber=0100000/emailAddress=nickfury@[email protected]/DC=acme/C=FR/ST=Yvelines/L=Versailles/O=Acme systems, Inc./OU=Levitics Application Lifecycle Management Suite/CN=www.devsecops.acme' \
    -addext 'subjectAltName=DNS:www.devsecops.acme,DNS:devsecops.acme' \
    -newkey rsa:4096 -keyout /etc/nginx/ssl/www.devsecops.acme.key \
    -out /etc/nginx/ssl/www.devsecops.acme.crt

Optionally keep a passphrase-protected copy of the private key for offline backup. Leave the unencrypted .key in place for GitLab: nginx cannot prompt for a passphrase at start-up, so never point the server at the encrypted copy.

$> sudo openssl rsa -aes256 -in /etc/gitlab/ssl/gitlab.devsecops.acme.key -out privkey.pem
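
The whole server-side procedure as one script, added here as an example (it is not code from the gist). It generates a self-signed certificate that carries the subjectAltName a Go client needs, using an OpenSSL config file instead of -addext so it also works on releases that lack that option, then checks the SAN is present and that the certificate verifies with itself as the trust anchor, which is what a runner does once it is handed the file. Hostnames, DN values and the temp directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: self-signed server cert with a SAN,
# plus the two checks to run before copying it to a runner.
set -e

# make_san_cert DIR HOSTNAME [ALT_HOSTNAME...]
# Writes DIR/HOSTNAME.key and DIR/HOSTNAME.crt. Every hostname given ends up
# in the SAN list, so clients that ignore the CN (Go 1.15+, browsers) match.
make_san_cert() {
    dir=$1; host=$2; shift 2
    san="DNS:$host"
    for alt in "$@"; do san="$san,DNS:$alt"; done
    cfg="$dir/$host.cnf"
    cat > "$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[ dn ]
C = FR
O = Acme systems, Inc.
CN = $host
[ v3_server ]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
    # -nodes: unencrypted key, which is what nginx/GitLab need at start-up
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$cfg" -extensions v3_server \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# cert_has_san CERT HOSTNAME -> 0 if DNS:HOSTNAME is listed in the SAN extension
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_self_verifies CERT -> 0 if the certificate verifies with itself as the
# only trust anchor (the situation after the runner is given this file as CA)
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage with assumed names (the gist's host is gitlab.devsecops.acme)
WORK=$(mktemp -d)
make_san_cert "$WORK" gitlab.devsecops.acme www.devsecops.acme
cert_has_san "$WORK/gitlab.devsecops.acme.crt" www.devsecops.acme && echo "SAN present"
cert_self_verifies "$WORK/gitlab.devsecops.acme.crt" && echo "self-verification OK"
```

On the GitLab host the .crt and .key would go under /etc/gitlab/ssl/ in place of the files produced above; the .cnf can be deleted afterwards.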

On the GitLab Runner host console

$> SERVER=gitlab.devsecops.acme
$> PORT=443
$> CERTIFICATE=/etc/gitlab-runner/certs/${SERVER}.crt

Create the certificate directory expected by gitlab-runner (it automatically trusts a PEM file at /etc/gitlab-runner/certs/<hostname>.crt):

$> sudo mkdir -p $(dirname "$CERTIFICATE")

Get the server's certificate in PEM format and store it. This trusts whatever certificate the connection returns, so before registering compare its SHA-256 fingerprint with the one computed on the GitLab host from /etc/gitlab/ssl/gitlab.devsecops.acme.crt (or copy the .crt from the server out-of-band and skip this fetch). With a CA-signed certificate, -showcerts captures every certificate the server sends; reduce the file to the CA certificate in that case.

$> openssl s_client -connect ${SERVER}:${PORT} -showcerts </dev/null 2>/dev/null | \
    sed -e '/-----BEGIN/,/-----END/!d' | sudo tee "$CERTIFICATE" >/dev/null
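
The fetch-and-pin check as an example added here (not code from the gist): the same sed extraction applied to a captured s_client transcript, followed by a fingerprint comparison that accepts the genuine server certificate and rejects a different one, such as one injected by an intercepting proxy. The transcript and both certificates are constructed locally so the script runs offline; hostnames and paths are assumptions, and the stand-in certificates carry only a CN because only their fingerprints matter here.

```shell
#!/bin/sh
# Added example, not from the gist: extract the PEM from an s_client dump and
# refuse to register unless it matches a fingerprint obtained out-of-band.
set -e

# extract_pem IN OUT: keep only the PEM blocks from `openssl s_client -showcerts`
# output (same sed as the gist), so OUT is usable as --tls-ca-file.
extract_pem() {
    sed -e '/-----BEGIN/,/-----END/!d' "$1" > "$2"
}

# cert_fingerprint CERT: SHA-256 fingerprint of the first certificate in CERT,
# as colon-separated hex with the "Fingerprint=" label stripped.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pin_check FETCHED EXPECTED_FP -> 0 only if the fingerprints match
pin_check() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

WORK=$(mktemp -d)
# Constructed certificate standing in for the GitLab host's certificate ...
openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj '/CN=gitlab.devsecops.acme' \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
# ... and a second one standing in for an intercepting proxy with the same name
openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj '/CN=gitlab.devsecops.acme' \
    -keyout "$WORK/mitm.key" -out "$WORK/mitm.crt" 2>/dev/null

# Constructed `openssl s_client -showcerts` transcript carrying the server cert
{
    printf 'CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = gitlab.devsecops.acme\n   i:CN = gitlab.devsecops.acme\n'
    cat "$WORK/server.crt"
    printf -- '---\nServer certificate\nsubject=CN = gitlab.devsecops.acme\n---\nDONE\n'
} > "$WORK/s_client.out"

extract_pem "$WORK/s_client.out" "$WORK/gitlab.devsecops.acme.crt"
# In real use EXPECTED is read off the GitLab host, not computed on the runner
EXPECTED=$(cert_fingerprint "$WORK/server.crt")
pin_check "$WORK/gitlab.devsecops.acme.crt" "$EXPECTED" && echo "fingerprint matches, safe to register"
pin_check "$WORK/mitm.crt" "$EXPECTED" || echo "mismatch: do not register"
```

On a real runner the fetched file is "$CERTIFICATE" from the variables above, and the expected value comes from running the same openssl x509 -fingerprint command on the GitLab host against its own .crt.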

Register your runner. The registration token is a credential that lets anyone register runners against this GitLab; treat it as a secret and rotate it if it leaks.

$> sudo gitlab-runner --debug register --tls-ca-file="$CERTIFICATE" \
    --non-interactive --url https://gitlab.devsecops.acme \
    --registration-token "rqCNpsn6zjfVAyQXcRFG" --description "Agent Smith" \
    --tag-list "agent-smith" --executor shell

Grant sudo permissions to the gitlab-runner user

$> sudo usermod -a -G sudo gitlab-runner
$> sudo visudo

Then add one of the rules below. Do not do this on runners that execute jobs from untrusted users or projects: with the shell executor every job runs as the gitlab-runner user, so the rule hands root to every job.

Passwordless root for everything:

gitlab-runner ALL=(ALL) NOPASSWD: ALL

or allow only one command, for example apt:

gitlab-runner ALL=(ALL) NOPASSWD: /usr/bin/apt

Restricting the rule to apt narrows what jobs can do, but it is not a containment boundary: apt honours options such as -o APT::Update::Pre-Invoke::=<command>, which runs that command as root during apt update, so anyone who can run jobs on the runner still ends up with root.

Enable SSH cloning in the Bitnami GitLab console. Bitnami images ship with sshd disabled by the marker file /etc/ssh/sshd_not_to_be_run; remove it, then enable and start the service:

$> sudo rm -f /etc/ssh/sshd_not_to_be_run
$> sudo systemctl enable ssh
$> sudo systemctl start ssh

Misc: certificate issue -- "certificate signed by unknown authority"

If gitlab-runner reports "x509: certificate signed by unknown authority", its trust store does not contain the certificate GitLab presents. Regenerating the server certificate does not change that by itself; the runner must still be given the certificate (--tls-ca-file, or /etc/gitlab-runner/certs/<hostname>.crt). To regenerate a longer-lived self-signed certificate, include a subjectAltName via -extfile, since the Go-based runner rejects certificates that name the host only in the CN:

$> sudo openssl genrsa -out /etc/gitlab/ssl/gitlab-ce.key 2048
$> sudo openssl req -new -key /etc/gitlab/ssl/gitlab-ce.key \
    -out /etc/gitlab/ssl/gitlab-ce.csr
$> printf 'subjectAltName=DNS:gitlab.devsecops.acme\n' | sudo tee /etc/gitlab/ssl/san.ext >/dev/null
$> sudo openssl x509 -in /etc/gitlab/ssl/gitlab-ce.csr \
    -out /etc/gitlab/ssl/gitlab-ce.crt -req \
    -signkey /etc/gitlab/ssl/gitlab-ce.key -days 3650 \
    -extfile /etc/gitlab/ssl/san.ext

Optional passphrase-protected backup copy of the key (do not point GitLab at this file):

$> sudo openssl rsa -aes256 -in /etc/gitlab/ssl/gitlab-ce.key -out gitlab-ce.pem