I'm trying to set up a runner, but the CI/CD pipeline always shows the runner's registration token. The variable is picked from values.yml and I would like to encode it, but I'm unable to do it.
main.tf looks like this:
    resource "helm_release" "runner_pod" {
      name       = "runner-test"
      namespace  = "a-{{tenant_project}}-{{env}}"
      repository = "https://charts.gitlab.io"
      chart      = "gitlab-runner"
      version    = "0.39.0"
      values = [
        "${file("./values.yml")}"
      ]
      depends_on = [kubernetes_secret.auth_unified_ar]
    }
The values.yml file looks as follows:
    gitlabUrl: "https://gitlab.i.ca/"
    runnerRegistrationToken: "{{cicd_token}}"
    image: "virtual.artifactory.i.ca/gitlab/gitlab-runner:alpine-v15.2.1"
    rbac:
      create: true
    runners:
      tags: "a-{{tenant_project}}-{{env}}"
      protected: {{protected}}
      imagePullSecrets: [docker-cfg]
      config: |
        [[runners]]
          [runners.kubernetes]
            image = "mirror.gcr.io/library/ubuntu:22.04"
            helper_image = "t-docker-virtual.artifactory.i.ca/gitlab/gitlab-runner-helper:x86_64-v14.10.2"
            pull_policy = "if-not-present"
            privileged = false
            service_account = "a-{{tenant_project}}-{{env}}"
            namespace = "a-{{tenant_project}}-{{env}}"
            poll_timeout = 600
            memory_limit = "6Gi"
            memory_request = "6Gi"
            helper_memory_limit = "1Gi"
            helper_memory_request = "1Gi"
            ephemeral_storage_limit = "4Gi"
            ephemeral_storage_request = "4Gi"
            helper_ephemeral_storage_limit = "4Gi"
            helper_ephemeral_storage_request = "4Gi"
          [runners.kubernetes.node_selector]
            "iam.gke.io/gke-metadata-server-enabled" = "true"
How can I encode the 'runnerRegistrationToken: "{{cicd_token}}"' so the token is encoded when the pipeline runs?
So I solved this issue by passing the values directly as follows in main.tf:
    resource "helm_release" "runner_pod" {
      ......
      ......
      set_sensitive {
        name  = "runnerRegistrationToken"
        value = "{{cicd_token}}"
      }
      .......
    }
and in the values.yml I removed the line 'runnerRegistrationToken: "{{cicd_token}}"':
    gitlabUrl: "https://gitlab.i.ca/"
    image: "virtual.artifactory.i.ca/gitlab/gitlab-runner:alpine-v15.2.1"
    rbac:
      create: true
    runners:
      tags: "a-{{tenant_project}}-{{env}}"
      protected: {{protected}}
      imagePullSecrets: [docker-cfg]
      config: |.........
      .....
      ....
and I was able to hide my token from being revealed in the CI/CD pipeline.
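
A pre-merge check for the fix described above, as an added example that is not part of the original post: it flags a runner token left inline in a values file, or passed through a plain `set` block instead of `set_sensitive`. The function names and sample inputs are constructed; the `runnerToken` key comes from the gitlab-runner chart rather than this page, and the `set` pattern assumes `name` is the block's first attribute.

```python
import re

# Chart keys that carry runner credentials (runnerToken is from the chart, not this page).
SECRET_KEYS = ("runnerRegistrationToken", "runnerToken")

# Line-based scan: unrendered placeholders such as {{protected}} are not valid YAML.
_YAML_KV = re.compile(r'^\s*(?P<key>[A-Za-z0-9_.-]+)\s*:\s*(?P<val>.*)$')
# A plain `set {` block; `set_sensitive {` cannot match because of the underscore.
_TF_SET = re.compile(r'(?<![\w-])set\s*\{\s*name\s*=\s*"(?P<name>[^"]+)"')


def inline_secrets(values_text):
    """Return [(line_no, key)] for secret keys given a non-empty value."""
    hits = []
    for no, line in enumerate(values_text.splitlines(), start=1):
        m = _YAML_KV.match(line)
        if not m or m.group("key") not in SECRET_KEYS:
            continue
        # Drop a trailing comment and surrounding quotes before testing for emptiness.
        val = m.group("val").split(" #", 1)[0].strip().strip("'\"")
        if val:  # an empty string leaks nothing
            hits.append((no, m.group("key")))
    return hits


def plain_set_secrets(tf_text):
    """Return secret keys passed through `set` rather than `set_sensitive`."""
    return [m.group("name") for m in _TF_SET.finditer(tf_text)
            if m.group("name") in SECRET_KEYS]


# Constructed sample inputs (not taken from a real repository).
BAD_VALUES = ('gitlabUrl: "https://gitlab.example/"\n'
              'runnerRegistrationToken: "{{cicd_token}}"\n'
              'rbac:\n  create: true\n')
GOOD_VALUES = ('gitlabUrl: "https://gitlab.example/"\n'
               'runnerRegistrationToken: ""  # injected via set_sensitive\n')
BAD_TF = ('resource "helm_release" "runner_pod" {\n'
          '  set {\n    name  = "runnerRegistrationToken"\n'
          '    value = "{{cicd_token}}"\n  }\n}\n')
GOOD_TF = BAD_TF.replace("set {", "set_sensitive {")

if __name__ == "__main__":
    print("values.yml findings:", inline_secrets(BAD_VALUES))
    print("main.tf findings:", plain_set_secrets(BAD_TF))
```
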