解决极狐GitLab release 关键字使用中 x509 证书不受信任的问题-编程知识

release 关键是极狐GitLab CI/CD 中用来发布版本的一个关键字，通常用法如下：

release_job:stage: releaseimage: registry.gitlab.com/gitlab-org/release-cli:latestrules:- if: $CI_COMMIT_TAG                 script:- echo "running release_job"release:                              tag_name: '$CI_COMMIT_TAG'description: '$CI_COMMIT_TAG'

整个过程是通过 release-cli 工具来实现的。

近期在探索CI/CD Component & CI/CD Catalog 功能的时候，也是使用 release 关键字将 component 发布到 Catalog 中。

create-release:stage: deployimage: registry.gitlab.com/gitlab-org/release-cli:latestscript: echo "Creating release $CI_COMMIT_TAG"rules:- if: $CI_COMMIT_TAGrelease:tag_name: $CI_COMMIT_TAGdescription: "Release $CI_COMMIT_TAG of components in $CI_PROJECT_PATH"

由于采用了自签名（self-signed certificate）的证书进行了 HTTPS 的配置，在用私有化部署的极狐GitLab 实例做测试时，就会出现 x509 证书不受信任的问题：

$ release-cli create --description "Release 2.0.0 of components in jh-gitlab/cicd-component" --tag-name "2.0.0"
time="2024-02-04T06:38:08Z" level=info msg="Creating Release..." cli=release-cli command=create name= project-id=1 ref=e8786a8fd333280dbfe480417237f97d6f6a7182 server-url="https://jhma.jihulab.net" tag-message= tag-name=2.0.0 version=0.16.0
time="2024-02-04T06:38:09Z" level=fatal msg="run app" cli=release-cli error="failed to create release: failed to do request: Post \"https://jhma.jihulab.net/api/v4/projects/1/releases\": tls: failed to verify certificate: x509: certificate signed by unknown authority" version=0.16.0

提示 tls: failed to verify certificate: x509: certificate signed by unknown authority。

针对这个问题，有以下两种解决方案。

方法一：设置 `--insecure-https` 参数

release-cli 的使用方法如下：

release-cli -h
NAME:release-cli - A CLI tool that interacts with GitLab's Releases APIUSAGE:help [global options] command [command options] [arguments...]VERSION:0.16.0DESCRIPTION:CLI tool that interacts with GitLab's Releases API https://docs.gitlab.com/ee/api/releases/.All configuration flags will default to GitLab's CI predefined environment variables (https://docs.gitlab.com/ee/ci/variables/predefined_variables.html).To override these values, use the [GLOBAL OPTIONS].Get started with release-cli https://gitlab.com/gitlab-org/release-cli.AUTHOR:GitLab Inc. <support@gitlab.com>COMMANDS:create            Create a Release using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/#create-a-releasecreate-from-file  Create a Release using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/#create-a-releaseget               Get a Release by tag name using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/index.html#get-a-release-by-a-tag-nameupdate            Update a release using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/#update-a-releasehelp, h           Shows a list of commands or help for one commandGLOBAL OPTIONS:--server-url value                 The base URL of the GitLab instance, including protocol and port, for example https://gitlab.example.com:8080 (default: "https://jhma.jihulab.net") [$CI_SERVER_URL]--job-token value                  Job token used for authenticating with the GitLab Releases API (default:  ) [$CI_JOB_TOKEN]--project-id value                 The current project's unique ID; used by GitLab CI internally (default: "1") [$CI_PROJECT_ID]--timeout value                    HTTP client's timeout in Go's duration format https://golang.org/pkg/time/#ParseDuration (default: 30s) [$RELEASE_CLI_TIMEOUT]--private-token value              Private token used for authenticating with the GitLab Releases API, requires api scope https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html, overrides job-token (default:  ) [$GITLAB_PRIVATE_TOKEN]--additional-ca-cert-bundle value  Configure a custom SSL CA certificate authority, can be a path to file or the content of the certificate [$ADDITIONAL_CA_CERT_BUNDLE]--insecure-https                   Set to true if you want to skip the client verifying the server's certificate chain and host name (default: false) [$INSECURE_HTTPS]--debug                            Set to true if you want extra debug output when running release-cli (default: false) [$DEBUG]--help, -h                         Show help (default: false)--version, -v                      Print the version (default: false)
/ # release-cli create -h
NAME:help create - Create a Release using GitLab's Releases API https://docs.gitlab.com/ee/api/releases/#create-a-releaseUSAGE:help create [command options] [arguments...]OPTIONS:--tag-name value     (required) The tag the release will be created from (default: "1.0.0") [$CI_COMMIT_TAG]--name value         The release name--description value  The description of the release; you can use Markdown. A file can be used to read the description contents, must exist inside the working directory; if it contains any whitespace, it will be treated as a string--tag-message value  Message to use if creating a new annotated tag--ref value          If tag_name doesn’t exist, the release will be created from ref; it can be a commit SHA, another tag name, or a branch name (default: "8b4838090bb46bf40ed77027feae074a47e6a132") [$CI_COMMIT_SHA]--assets-link value  JSON string representation of an asset link; (e.g. --assets-link='{"name": "Asset1", "url":"https://<domain>/some/location/1", "type": "other", "filepath": "xzy" }' or --assets-link='[{"name": "Asset1", "url":"https://example.com/some/location/1"}, {"name": "Asset2", "url":"https://example.com/some/location/2"}]'  (accepts multiple inputs)--milestone value    List of the titles of each milestone the release is associated with (e.g. --milestone "v1.0" --milestone "v1.0-rc)"; each milestone needs to exist                                                                                                                                                                          (accepts multiple inputs)--released-at value  The date when the release will be/was ready; defaults to the current time; expected in ISO 8601 format (2019-03-15T08:00:00Z)--help, -h           Show help (default: false)

里面有一个参数 --insecure-https ，描述为 Set to true if you want to skip the client verifying the server's certificate chain and host name (default: false) [$INSECURE_HTTPS]。也就是说，如果想要跳过客户端对于服务器证书验证的话，就需要将这个参数设置为 true，而这个参数默认是 false。也就是默认情况下会进行证书验证。

所以，可以在 CI/CD 流水线中使用 --insecure-https 参数：

create-release:stage: deployimage: name: registry.gitlab.com/gitlab-org/release-cli:latestscript:- release-cli --insecure-https=true create --name "Release $TAG" --description "Release $CI_COMMIT_TAG of components in $CI_PROJECT_PATH" --tag-name "$CI_COMMIT_TAG"tags:- jhrules:- if: $CI_COMMIT_TAG =~ /\d+/

接着触发 CI/CD 流水线，可以看到构建成功：

在这里插入图片描述

方法二：设置证书

同样在 release-cli 的使用中有一个关于证书的参数 --additional-ca-cert-bundle，描述为 Configure a custom SSL CA certificate authority, can be a path to file or the content of the certificate [$ADDITIONAL_CA_CERT_BUNDLE]。也就是说可以直接制定服务器证书的路径。

所以，CI/CD 流水线就变为了：

create-release:stage: deployimage: name: registry.gitlab.com/gitlab-org/release-cli:latestscript:- release-cli --additional-ca-cert-bundle="path/to/certificate" create --name "Release $TAG" --description "Release $CI_COMMIT_TAG of components in $CI_PROJECT_PATH" --tag-name "$CI_COMMIT_TAG"tags:- jhrules:- if: $CI_COMMIT_TAG =~ /\d+/

接着触发 CI/CD 流水线，可以看到构建成功：

在这里插入图片描述
这两种方式都可以解决自签名证书带来的证书不受信任问题。不过如果是生产环境，建议使用购买的 CA，这样这个问题就不存在了。