Question regarding certs mounted on the runner and dind container

[Puneeth-n]

Hi,

I am trying to figure out how the certs are generated so that the docker commands are over TLS. I see that the container mounts it. I am just curious as to who is generate the certs as I see certs-client is and EmptyDir.

Best,
Puneeth

➜  docker_playground k -n ci describe pod comtravo-github-actions-deployment-czbjr-nrz2p
Name:         comtravo-github-actions-deployment-czbjr-nrz2p
Namespace:    ci
Priority:     0
Node:         ip-10-31-0-12.eu-west-1.compute.internal/10.31.0.12
Start Time:   Thu, 03 Feb 2022 10:38:47 +0100
Labels:       pod-template-hash=749fd4569f
              runner-deployment-name=comtravo-github-actions-deployment
              runner-template-hash=68ffb9c79c
Annotations:  kubernetes.io/psp: eks.privileged
Status:       Running
IP:           10.31.0.203
IPs:
  IP:           10.31.0.203
Controlled By:  Runner/comtravo-github-actions-deployment-czbjr-nrz2p
Containers:
  runner:
    Container ID:   docker://7291c6c82e46121786974660a753d41a8ecaffe7b602d9619e445915696eecd7
    Image:          comtravo/actions-runner:v2.286.1
    Image ID:       docker-pullable://comtravo/actions-runner@sha256:bbdc5c3f950f1108753fb0d891783c9ecae1632981b9711abf9a19eb4f3d734d
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Thu, 03 Feb 2022 10:38:51 +0100
    Ready:          True
    Restart Count:  0
    Limits:
      memory:  1Gi
    Requests:
      memory:  256Mi
    Environment:
      RUNNER_NAME:                    comtravo-github-actions-deployment-czbjr-nrz2p
      RUNNER_ORG:
      RUNNER_REPO:                    comtravo/ct-backend
      RUNNER_ENTERPRISE:
      RUNNER_LABELS:                  light-runner
      RUNNER_GROUP:
      RUNNER_TOKEN:                  12345
      DOCKERD_IN_RUNNER:              false
      GITHUB_URL:                     https://github.com/
      RUNNER_WORKDIR:                 /runner/_work
      RUNNER_EPHEMERAL:               true
      RUNNER_FEATURE_FLAG_EPHEMERAL:  true
      DOCKER_HOST:                    tcp://localhost:2376
      DOCKER_TLS_VERIFY:              1
      DOCKER_CERT_PATH:               /certs/client
      AWS_DEFAULT_REGION:             eu-west-1
      AWS_REGION:                     eu-west-1
      AWS_ROLE_ARN:                   arn:aws:iam::123:role/infra/actions
      AWS_WEB_IDENTITY_TOKEN_FILE:    /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /certs/client from certs-client (ro)
      /runner from runner (rw)
      /runner/_work from work (rw)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from actions-token-lhns5 (ro)
  docker:
    Container ID:   docker://57c0f5139cc2aac4ba684ba04887b5fd78cbb68de2dc2a67fc5ccf30226a2f24
    Image:          docker:dind
    Image ID:       docker-pullable://docker@sha256:9398e00a10c16fb3b98c77d452708702e790fd41c725b9b89de26352bea7fdce
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Thu, 03 Feb 2022 10:38:51 +0100
    Ready:          True
    Restart Count:  0
    Environment:
      DOCKER_TLS_CERTDIR:           /certs
      AWS_DEFAULT_REGION:           eu-west-1
      AWS_REGION:                   eu-west-1
      AWS_ROLE_ARN:                 arn:aws:iam::123:role/infra/actions
      AWS_WEB_IDENTITY_TOKEN_FILE:  /var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Mounts:
      /certs/client from certs-client (rw)
      /runner from runner (rw)
      /runner/_work from work (rw)
      /var/run/secrets/eks.amazonaws.com/serviceaccount from aws-iam-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from actions-token-lhns5 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  aws-iam-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  86400
  runner:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  work:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  certs-client:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  actions-token-lhns5:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  actions-token-lhns5
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  node.kubernetes.io/workergroup-name=stateful
Tolerations:     node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  10m   default-scheduler  Successfully assigned ci/comtravo-github-actions-deployment-czbjr-nrz2p to ip-10-31-0-12.eu-west-1.compute.internal
  Normal  Pulling    10m   kubelet            Pulling image "comtravo/actions-runner:v2.286.1"
  Normal  Pulled     10m   kubelet            Successfully pulled image "comtravo/actions-runner:v2.286.1"
  Normal  Created    10m   kubelet            Created container runner
  Normal  Started    10m   kubelet            Started container runner
  Normal  Pulled     10m   kubelet            Container image "docker:dind" already present on machine
  Normal  Created    10m   kubelet            Created container docker
  Normal  Started    10m   kubelet            Started container docker