Allow GitLab Runner service access

I have configured access to my Self-Hosted GitLab server in my local network using Cloudflare Argo, following the guideline on the cloudflare site

Now I am trying to set up gitlab runner on 2 machines, one for staging and one for production, using GitLab CD to deploy.
I cannot get the gitlab-runner to register and I am fairly certain it’s an authentication issue.

Running gitlab-runner register with --debug gives me this:

Dialing: tcp gitlab.mydomain.com:443 ...
Dialing: tcp mydomain.cloudflareaccess.com:443 ...
ERROR: Registering runner... failed                 runner=Bhz9nQKY status=200 OK
PANIC: Failed to register the runner. You may be having network problems.

I have spent several days trying to set up service tokens but the only way to use them is with headers on the request. No idea how to add those.
I am starting to think I should add another app and configure Mutual TLS authentication perhaps.

Anyone been able to set this up?
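As an added diagnostic (not code from the original post, Cloudflare or GitLab), the Python script below shows why a registration can fail with `status=200 OK`: Cloudflare Access answers a request that carries no valid identity with its own login page on mydomain.cloudflareaccess.com, which is a perfectly good HTTP 200 but not a GitLab API response. The script tells those two answers apart, optionally sending the service-token headers CF-Access-Client-Id and CF-Access-Client-Secret that Cloudflare documents for service tokens; hostnames are taken from the post and the sample responses are constructed.

```python
"""Added diagnostic (not from the original post, Cloudflare or GitLab):
who answered a request to GitLab behind Cloudflare Access, GitLab itself or
the Access login page? Hostnames from the post; samples are constructed."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse


def access_headers(client_id: str, client_secret: str) -> dict:
    """Headers a Cloudflare Access service token must carry on every request."""
    return {"CF-Access-Client-Id": client_id, "CF-Access-Client-Secret": client_secret}


def classify_response(final_url: str, status: int, content_type: str, body: bytes) -> str:
    """'access-login': Access intercepted and served its login page (HTTP 200!);
    'gitlab-api': JSON from GitLab; 'auth-rejected': 401/403; else 'other'."""
    host = urlparse(final_url).hostname or ""
    if host.endswith(".cloudflareaccess.com") or b"cloudflareaccess.com" in body:
        return "access-login"
    if status in (401, 403):
        return "auth-rejected"
    if status == 200 and content_type.startswith("application/json"):
        try:
            json.loads(body)
            return "gitlab-api"
        except ValueError:
            pass
    return "other"


def probe(url: str, client_id: str = "", client_secret: str = "") -> str:
    """Live check: fetch a GitLab API URL, with service-token headers if given."""
    headers = access_headers(client_id, client_secret) if client_id else {}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return classify_response(r.geturl(), r.status, r.headers.get("Content-Type", ""), r.read())
    except urllib.error.HTTPError as err:  # GitLab's own 401/403 lands here
        return classify_response(err.geturl(), err.code, err.headers.get("Content-Type", ""), err.read())


# Constructed sample answers (not captured from any real server).
SAMPLES = {
    "no-token": ("https://mydomain.cloudflareaccess.com/cdn-cgi/access/login/gitlab.mydomain.com",
                 200, "text/html", b"<html>Cloudflare Access login page</html>"),
    "with-token": ("https://gitlab.mydomain.com/api/v4/version", 200, "application/json",
                   b'{"version":"16.0.0","revision":"abc123"}'),
}


def run_samples() -> dict:
    """Classify each constructed sample, e.g. {'no-token': 'access-login', ...}."""
    return {name: classify_response(*resp) for name, resp in SAMPLES.items()}
```

A live run would be `probe("https://gitlab.mydomain.com/api/v4/version", "<client-id>", "<client-secret>")`; an answer of `access-login` means the token is not reaching the Access policy, which is exactly the state the runner is in when it reports 200 OK yet fails.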

Domain is pointed to Cloudflare right?
Cloudflare IP addresses are allowed to connect to 80 and 443?
Are ports at the origins opened?
Are you sure you have an SSL certificate generated?
If so, which option do you have for SSL for your domain? (should go with Full)

Hm, have you tried to run with debug? Do you get anything else?
sudo gitlab-runner -l debug register...

Maybe, hm, using the https address of Gitlab while registering it would help with it?

Or, which version of Gitlab runner are you running?
Could be due to downgrading gitlab runner to some previous version.

Moreover, are SSH and other stuff working correctly? Because, if proxied via Cloudflare, it could have a different IP address, so … better to use the IP address directly when connecting (should change the git/ssh config for it).

Due to being proxied, could you try to remove the proxy config (http_proxy, https_proxy, ftp_proxy, socks_proxy) from /etc/environment file?

When running gitlab-runner register, can you try manually resetting the token for the project’s runner?

Can you try adding hostNetwork: true to your existing config?