GitLab Docker X509 certificate error on login

We have CI running in the Docker executor with docker-dind on GitLab. Here it is:

docker-build-job:
   stage: build
   image: docker:20.10.6
   script:
      - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.our.ru

config.toml:

[runners.docker]
    image = "docker:20.10.6"
    tls_verify = false
    privileged = true
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache", "/certs/client",  "/usr/share/ca-certificates:/certs"]
    shm_size = 0
  [[runners.docker.services]]
    alias = "docker"
    name = "docker:20.10.12-dind"
    volumes = ["/cache", "/certs/client", "/etc/gitlab-runner/certs:/certs/ca:ro"]
    command = ['/bin/sh', '-c', 'ls -alh /certs/client && dockerd-entrypoint.sh || exit']

I have the following questions, please help:

  1. There is docker:20.10.12-dind in the runners.docker.services section of config.toml. As far as I understand, the scripts of all CI jobs will be executed inside the docker-dind container, and this doesn't depend on the absence of the ‘services: docker:19.03.12-dind’ instruction in the CI job. Am I right?

So, will this filled-in [[runners.docker.services]] section automatically execute job scripts inside the dind container?

  2. As far as I understand, this command is executed in the dind container: - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.our.ru

The following error appears: Error response from daemon: Get "https://registry.our.ru/v2/": x509: certificate signed by unknown authority

I also execute the command openssl s_client -showcerts -connect registry.our.ru:443 and get a response with ‘Verification: OK’. I understand that all my certificates are right. I can log in to registry.our.ru from my gitlab-runner computer with no problem.

Please tell me what I am doing wrong.

  3. There is the following text in the Docker registry config file (config.yml):

auth:
  token:
    realm: https://gitlab.our.ru/jwt/auth
    service: container_registry
    issuer: omnibus-gitlab-issuer
    rootcertbundle: /etc/docker/registry/ssl/gitlab-registry.crt

Do I understand correctly that $CI_BUILD_TOKEN is involved in the creation of the certificate? Where should this certificate be located in the dind container? Is this certificate verified by the root certificate located at /etc/docker/registry/ssl/gitlab-registry.crt?

Thank you in advance!
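
The error text starts with "Error response from daemon", so the TLS check that fails is the one made by dockerd in the dind service, not one made by the docker CLI in the job container. The fragment below is an added example, not part of the original post: a config.toml that mounts a CA file where dockerd looks for per-registry CAs. The host file name ca.crt is an assumption, and only the keys relevant to the mount are shown.

```toml
# Added example, not the poster's working configuration.
# Assumption: the CA that signed the registry.our.ru certificate is stored on
# the runner host as /etc/gitlab-runner/certs/ca.crt (hypothetical file name).
[runners.docker]
  image = "docker:20.10.6"
  privileged = true
  # Volumes listed under [runners.docker] are mounted into the job container
  # and into service containers such as dind.
  # dockerd trusts additional registry CAs placed at
  # /etc/docker/certs.d/<registry host>/ca.crt, so the mount target is named
  # after the registry host used in `docker login`.
  volumes = [
    "/cache",
    "/certs/client",
    "/etc/gitlab-runner/certs/ca.crt:/etc/docker/certs.d/registry.our.ru/ca.crt:ro"
  ]
  [[runners.docker.services]]
    alias = "docker"
    name = "docker:20.10.12-dind"
```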