Allow GitLab Runner service access

I have configured access to my self-hosted GitLab server in my local network using Cloudflare Argo, following the guideline on the Cloudflare site.

Now I am trying to set up gitlab-runner on 2 machines, one for staging and one for production, using GitLab CD to deploy.
I cannot get the gitlab-runner to register and I am fairly certain it's an authentication issue.

Running gitlab-runner register with --debug gives me this:

Dialing: tcp gitlab.mydomain.com:443 ...
Dialing: tcp mydomain.cloudflareaccess.com:443 ...
ERROR: Registering runner... failed                 runner=Bhz9nQKY status=200 OK
PANIC: Failed to register the runner. You may be having network problems.

I have spent several days trying to set up service tokens, but the only way to use them is with headers on the request. No idea how to add those.
I am starting to think I should add another app and configure Mutual TLS authentication perhaps.

Anyone been able to set this up?
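As an added diagnostic (not part of this thread or of either product's own tooling), the following POSIX shell script reports where a request to the GitLab API actually lands. The `status=200 OK` printed right after a dial to `mydomain.cloudflareaccess.com` is consistent with the Cloudflare Access login page answering instead of GitLab, and this check makes that visible with and without a service token. It assumes `GITLAB_URL` and, optionally, a service token in `CF_ACCESS_CLIENT_ID` / `CF_ACCESS_CLIENT_SECRET` (variable names are my own); `CF-Access-Client-Id` / `CF-Access-Client-Secret` are Cloudflare's service-token request headers.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: tell whether a GitLab API request is
# answered by GitLab itself or intercepted by a Cloudflare Access login page.
# Assumed placeholder variables: GITLAB_URL, CF_ACCESS_CLIENT_ID, CF_ACCESS_CLIENT_SECRET.

# classify_response EFFECTIVE_URL CONTENT_TYPE -> access-login | gitlab-api | other
# A JSON body means GitLab answered (even a 401 is GitLab's own reply); a final URL on
# *.cloudflareaccess.com means Access served its login page, which an unauthenticated
# runner registration sees as a misleading "status=200 OK".
classify_response() {
  url="$1"; ctype="$2"
  case "$url" in
    *.cloudflareaccess.com*) echo "access-login"; return 0 ;;
  esac
  case "$ctype" in
    application/json*) echo "gitlab-api"; return 0 ;;
  esac
  echo "other"
}

# probe_gitlab_api BASE_URL [yes]: follow redirects to /api/v4/version and print
# "<http status> <classification>"; with "yes", send the Access service-token headers.
probe_gitlab_api() {
  base="$1"; with_token="${2:-no}"
  set -- -sS -L -o /dev/null -w '%{http_code} %{url_effective} %{content_type}'
  if [ "$with_token" = "yes" ]; then
    set -- "$@" -H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" \
                -H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}"
  fi
  out=$(curl "$@" "$base/api/v4/version") || return 1
  # shellcheck disable=SC2086  (intentional word splitting of the three write-out fields)
  set -- $out
  echo "$1 $(classify_response "${2:-}" "${3:-}")"
}

# Run both probes when GITLAB_URL is set; otherwise only define the functions.
if [ -n "${GITLAB_URL:-}" ]; then
  echo "without token: $(probe_gitlab_api "$GITLAB_URL")"
  if [ -n "${CF_ACCESS_CLIENT_ID:-}" ]; then
    echo "with token:    $(probe_gitlab_api "$GITLAB_URL" yes)"
  fi
fi
```

If the probe without a token reports `access-login` and the one with the token reports `gitlab-api`, the runner is being stopped by Access, not by GitLab, and the registration request needs to carry those same headers.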

Domain is pointed to Cloudflare right?
Cloudflare IP addresses are allowed to connect to 80 and 443?
Are ports at the origins opened?
You are sure you have got SSL certificate generated?
If so, which option do you have for SSL for your domain? (should go with Full)

Hm, have you tried to run with debug? Do you get anything else?
sudo gitlab-runner -l debug register...

Maybe, hm, using the https address of Gitlab while registering it would help with it?

Or, which version of Gitlab runner are you running?
Could be due to downgrading gitlab runner to some previous version.

Moreover, SSH and other stuff is working correctly? Because, if proxied via Cloudflare, it could have different IP address, so … better to use IP address directly when connecting (should change the git/ssh config for it).

Due to being proxied, could you try to remove the proxy config (http_proxy, https_proxy, ftp_proxy, socks_proxy) from /etc/environment file?

When running gitlab-runner register, can you try manually reset the token for the project’s runner?

Can you try with adding in your existing config hostNetwork: true?

I appreciate the reply but need to clarify some of the questions and suggestions.

Domain is pointed to Cloudflare right?

GitLab is already set up and configured for HTTPS and SSH, which works from anywhere, including the client server I am attempting to register.

Cloudflare IP addresses are allowed to connect to 80 and 443?

Sorry, I don't understand the context of this question. The only Cloudflare IPs I have had to configure are DNS. I don't know of any others. The GitLab server DNS is configured in Cloudflare DNS and the server is listening on 443 and 22 as per the guide listed on Cloudflare's site, "Zero Trust GitLab SSH & HTTP".

Are ports at the origins openned?

Are you referring to the outgoing ports on the gitlab-runner client? Not sure why they would be blocked, and I can ssh to the GitLab server from the runner client, as well as curl on 443.

You are sure you have got SSL certificate generated?

Referring to the GitLab server? Yes, it has an HTTPS cert issued by Cloudflare. It is on Flexible but will switch to Full.

Hm, have you tried to run with debug? Do you get anything else?

Yes, I outlined that above and posted the results; not a lot to go on.

Maybe, hm, using the https address of Gitlab while registering it would help with it?

Tried that with http and --debug:

Dialing: tcp gitlab.myserver.com:80 ...
Dialing: tcp gitlab.myserver.com:443 ...
Dialing: tcp myserver.cloudflareaccess.com:443 ...
ERROR: Registering runner... failed                 runner=Bhz9nQKY status=200 OK
PANIC: Failed to register the runner. You may be having network problems.

Or, which version of Gitlab runner are you running?

Latest

Moreover, SSH and other stuff is working correctly?

Yes, both tested with no issues, and I can ssh from the client server to GitLab but not run gitlab-register.

Due to being proxied, could you try to remove the proxy config (http_proxy, https_proxy, ftp_proxy, socks_proxy) from /etc/environment file?

There is no proxy config.


Any luck on this one? My GitLab runner cannot connect to my hosted GitLab with the same network error.