joshjohanning / joshjohanning.github.io

josh-ops.com | a devops blog
https://josh-ops.com
MIT License

Configure actions-runner-controller without cert-manager | josh-ops #16

Open utterances-bot opened 1 year ago

utterances-bot commented 1 year ago

Configure actions-runner-controller without cert-manager | josh-ops

Configure actions-runner-controller without cert-manager so that you can use self-signed or self-managed certificates to scale your GitHub runners

https://josh-ops.com/posts/actions-runner-controller-without-cert-manager/

ghost commented 1 year ago

Hi, on step 1 the command needs to be changed to:

openssl genrsa -out ca-key.key 4096

with ca-key.key instead of ca.key.

joshjohanning commented 1 year ago

Thank you @PostRaphaelPerrin! There were a few inconsistencies in the key file names, just fixed!

I went with ca.key and server.key instead of ca-key.key and server-key.key.

sergiumihailov commented 1 year ago

Thanks Josh,

I guess you have to change:

  1. "Create your Server certificate config file - ie server.cnf" to
  2. "Create your Server certificate config file - ie server.cOnf", because later you are using server.conf. Up to you ;)

joshjohanning commented 1 year ago

@sergiumihailov thank you for catching! Fixed 😄

server.cnf changed to server.conf.

noamgreen commented 1 year ago

Hi, did you try on EKS 1.24? I am getting "x509: certificate signed by unknown authority" http: TLS handshake error from:IP:PORT: remote error: tls: bad certificate

Internal error occurred: failed calling webhook \"mutate.runner.actions.summerwind.dev\": failed to call webhook: Post \"https://github-runner-actions-runner-controller-webhook.github-runner.svc:443/mutate-actions-summerwind-dev-v1alpha1-runner?timeout=10s\": x509: certificate signed by unknown authority (possibly because of \"x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)\" while trying to verify candidate authority certificate)

noamgreen commented 1 year ago

Hi all!! In EKS 1.24 a signed CA will not work.

"In Kubernetes 1.23 and earlier, kubelet serving certificates with unverifiable IP and DNS Subject Alternative Names (SANs) are automatically issued with unverifiable SANs. These unverifiable SANs are omitted from the provisioned certificate. In version 1.24 and later clusters, kubelet serving certificates aren't issued if any SAN can't be verified. This prevents kubectl exec and kubectl logs commands from working. For more information, see Certificate signing considerations before upgrading your cluster to Kubernetes 1.24."
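Both failure modes raised in this thread, a Go-based webhook client refusing a SHA1-RSA signature and a certificate whose SAN cannot be verified, can be caught at generation time rather than at `kubectl apply`. The script below is an added example (not code from the blog post or from any commenter): it follows the post's file naming (ca.key, server.key, server.conf) but forces SHA-256 signatures and an explicit DNS SAN, then checks both properties and the chain with openssl. The webhook service DNS name is an assumption and should be replaced with `<release>-webhook.<namespace>.svc`; keys are 2048-bit only to keep the example fast.

```shell
#!/bin/sh
# Added example: generate a CA and a webhook server cert, then verify the
# properties that the thread's x509 errors complain about.
set -eu

# Assumed service name; substitute the real <release>-webhook.<namespace>.svc
SVC_DNS="${SVC_DNS:-actions-runner-controller-webhook.actions-runner-system.svc}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_certs() {
  cd "$WORKDIR"
  openssl genrsa -out ca.key 2048 2>/dev/null
  # -sha256: Go rejects SHA-1 signed certs in the chain (the SHA1-RSA error above)
  openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 \
    -subj "/CN=arc-webhook-ca" -out ca.crt
  openssl genrsa -out server.key 2048 2>/dev/null
  cat > server.conf <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $SVC_DNS
[v3_req]
subjectAltName = DNS:$SVC_DNS
EOF
  openssl req -new -key server.key -config server.conf -out server.csr
  # Copy the v3_req extensions into the signed cert so the SAN is not dropped
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 365 -extensions v3_req -extfile server.conf \
    -out server.crt 2>/dev/null
}

# Returns 0 only if server.crt is SHA-256 signed, carries the expected DNS SAN,
# and chains to ca.crt; any other outcome returns 1.
check_cert() {
  cd "$WORKDIR"
  text=$(openssl x509 -in server.crt -noout -text)
  echo "$text" | grep -q 'sha256WithRSAEncryption' || return 1
  echo "$text" | grep -q "DNS:$SVC_DNS" || return 1
  openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 || return 1
}
```

Run `make_certs && check_cert && echo ok` before feeding ca.crt into the webhook's caBundle; a non-zero exit from check_cert means the cert would fail the same checks the controller's Go client applies.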

joshjohanning commented 1 year ago

@noamgreen Interesting, I hadn't tried this on 1.24... seems problematic 😬

saurabh21316 commented 7 months ago

Same, didn't get it working with GKE 1.25.

Error from server (InternalError): error when creating "runner.yaml": Internal error occurred: failed calling webhook "mutate.runnerdeployment.actions.summerwind.dev": failed to call webhook: Post "https://actions-runner-controller-webhook.gh-action-runner.svc:443/mutate-actions-summerwind-dev-v1alpha1-runnerdeployment?timeout=10s": dial tcp 100.78.9.182:9443: i/o timeout

joshjohanning commented 6 months ago

@saurabh21316 At this point I would probably go with the GHA scale set runners, which don't require cert-manager.

https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller#installing-actions-runner-controller