Run Release Runner With TLS Support
This guide explains how to configure Digital.ai Release Runner to use TLS communication with Release, ensuring secure connections between your runner and Release server.
Overview
To enable TLS communication for Release Runner, you must provide a CA certificate so the runner can verify the Release server's identity. Starting with Release 26.3, the runner can also automatically propagate the same CA certificate to all executor environments (Kubernetes pods and Docker containers), instead of setting it on every connection separately.
Setting the CA Certificate
Set the environment variable RELEASE_RUNNER_REST_CLIENT_CA to the path of a PEM-encoded CA certificate file on the runner host:
RELEASE_RUNNER_REST_CLIENT_CA=/path/to/ca-certificates.pem
If you're using Helm to install the runner, set the runner.restClientCA value in the Helm chart.
CA Certificate Propagation to Executors
When RELEASE_RUNNER_REST_CLIENT_CA is configured, the runner automatically propagates the CA certificate to task executor environments:
- Kubernetes executors — The certificate is stored in a Kubernetes Secret and mounted as a volume into executor pods.
- Docker executors — The certificate file is copied into the executor container and the relevant environment variables are set.
This ensures that container plugin tasks can establish trusted TLS connections to the Release server.
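A pre-flight check for the file named by RELEASE_RUNNER_REST_CLIENT_CA, given here as an added example and not Digital.ai code: because the runner propagates this file to executors, the script confirms it holds only complete PEM certificates (no private key, no truncated block) and prints each SHA-256 fingerprint for comparison with the value your CA owner publishes. The function names are hypothetical, and the check is structural only: it does not validate expiry or trust chains.

```python
import base64, hashlib, os, re, sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one outer ASN.1 SEQUENCE (catches truncation)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_ca_bundle(pem_text: str):
    """Return (sha256 fingerprints, problems) for the text of a PEM CA bundle."""
    fingerprints, problems = [], []
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        problems.append("no complete PEM blocks found")
    for i, (label, body) in enumerate(blocks, 1):
        if "PRIVATE KEY" in label:
            # This file is propagated to executors, so a key here travels with it.
            problems.append(f"block {i}: private key in CA bundle")
            continue
        if label != "CERTIFICATE":
            problems.append(f"block {i}: unexpected label {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: invalid base64")
            continue
        if der_length_ok(der):
            fingerprints.append(hashlib.sha256(der).hexdigest())
        else:
            problems.append(f"block {i}: truncated or malformed DER")
    return fingerprints, problems

if __name__ == "__main__":
    # Path from argv, else from the variable the runner itself reads.
    path = sys.argv[1] if len(sys.argv) > 1 else os.environ["RELEASE_RUNNER_REST_CLIENT_CA"]
    with open(path, encoding="ascii", errors="replace") as fh:
        prints, issues = lint_ca_bundle(fh.read())
    for fp in prints:
        print("certificate sha256:", fp)
    for issue in issues:
        print("PROBLEM:", issue, file=sys.stderr)
    sys.exit(1 if issues or not prints else 0)
```

A non-zero exit status means the file should be corrected before the runner is started with it.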
Self-Signed Certificates
If your certificate is self-signed, make sure to set the environment variable RELEASE_RUNNER_REST_CLIENT_SELF_SIGNED_CERTIFICATE_ENABLED to true.