I am trying to figure out how the certs are generated so that the docker commands are over TLS. I see that the container mounts it. I am just curious as to who is generating the certs, as I see `certs-client` is an `EmptyDir`.
Best,
Puneeth
```
➜ docker_playground k -n ci describe pod comtravo-github-actions-deployment-czbjr-nrz2p
Name:         comtravo-github-actions-deployment-czbjr-nrz2p
Namespace:    ci
Priority:     0
Node:         ip-10-31-0-12.eu-west-1.compute.internal/10.31.0.12
Start Time:   Thu, 03 Feb 2022 10:38:47 +0100
Labels:       pod-template-hash=749fd4569f
              runner-deployment-name=comtravo-github-actions-deployment
              runner-template-hash=68ffb9c79c
Annotations:  kubernetes.io/psp: eks.privileged
Status:       Running
IP:           10.31.0.203
IPs:
  IP:           10.31.0.203
Controlled By:  Runner/comtravo-github-actions-deployment-czbjr-nrz2p
Containers:
  runner:
    Container ID:   docker://7291c6c82e46121786974660a753d41a8ecaffe7b602d9619e445915696eecd7
    Image:          comtravo/actions-runner:v2.286.1
    Image ID:       docker-pullable://comtravo/actions-runner@sha256:bbdc5c3f950f1108753fb0d891783c9ecae1632981b9711abf9a19eb4f3d734d
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Thu, 03 Feb 2022 10:38:51 +0100
    Ready:          True
    Restart Count:  0
    Limits:
      memory:  1Gi
    Requests:
      memory:  256Mi
    Environment:
      RUNNER_NAME:                    comtravo-github-actions-deployment-czbjr-nrz2p
      RUNNER_ORG:
      RUNNER_REPO:                    comtravo/ct-backend
      RUNNER_ENTERPRISE:
      RUNNER_LABELS:                  light-runner
      RUNNER_GROUP:
      RUNNER_TOKEN:                   12345
      DOCKERD_IN_RUNNER:              false
      GITHUB_URL:                     https://github.com/
      RUNNER_WORKDIR:                 /runner/_work
      RUNNER_EPHEMERAL:               true
      RUNNER_FEATURE_FLAG_EPHEMERAL:  true
      DOCKER_HOST:                    tcp://localhost:2376
      DOCKER_TLS_VERIFY:              1
      DOCKER_CERT_PATH:               /certs/client
      AWS_DEFAULT_REGION:             eu-west-1
      AWS_REGION:                     eu-west-1
      AWS_ROLE_ARN:                   arn:aws:iam::123:role/infra/actions
      AWS_WEB_IDENTITY_TOKEN_FILE:    /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /certs/client from certs-client (ro)
      /runner from runner (rw)
      /runner/_work from work (rw)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from actions-token-lhns5 (ro)
  docker:
    Container ID:   docker://57c0f5139cc2aac4ba684ba04887b5fd78cbb68de2dc2a67fc5ccf30226a2f24
    Image:          docker:dind
    Image ID:       docker-pullable://docker@sha256:9398e00a10c16fb3b98c77d452708702e790fd41c725b9b89de26352bea7fdce
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Thu, 03 Feb 2022 10:38:51 +0100
    Ready:          True
    Restart Count:  0
    Environment:
      DOCKER_TLS_CERTDIR:           /certs
      AWS_DEFAULT_REGION:           eu-west-1
      AWS_REGION:                   eu-west-1
      AWS_ROLE_ARN:                 arn:aws:iam::123:role/infra/actions
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /certs/client from certs-client (rw)
      /runner from runner (rw)
      /runner/_work from work (rw)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from actions-token-lhns5 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400
  runner:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  work:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  certs-client:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  actions-token-lhns5:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  actions-token-lhns5
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  node.kubernetes.io/workergroup-name=stateful
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  10m   default-scheduler  Successfully assigned ci/comtravo-github-actions-deployment-czbjr-nrz2p to ip-10-31-0-12.eu-west-1.compute.internal
  Normal  Pulling    10m   kubelet            Pulling image "comtravo/actions-runner:v2.286.1"
  Normal  Pulled     10m   kubelet            Successfully pulled image "comtravo/actions-runner:v2.286.1"
  Normal  Created    10m   kubelet            Created container runner
  Normal  Started    10m   kubelet            Started container runner
  Normal  Pulled     10m   kubelet            Container image "docker:dind" already present on machine
  Normal  Created    10m   kubelet            Created container docker
  Normal  Started    10m   kubelet            Started container docker
```