Tags: kubernetes, terraform, google-kubernetes-engine, kubernetes-helm

Encode runnerRegistrationToken when running the CI/CD pipeline


I'm trying to set up a runner, but the CI/CD pipeline always shows the runner's registration token. The variable is picked from values.yml and I would like to encode it, but I'm unable to do it.

main.tf looks like this:

resource "helm_release" "runner_pod" {
  name       = "runner-test"
  namespace  = "a-{{tenant_project}}-{{env}}"
  repository = "https://charts.gitlab.io"
  chart      = "gitlab-runner"
  version    = "0.39.0"

  values = [
    "${file("./values.yml")}"
  ]
  depends_on = [kubernetes_secret.auth_unified_ar]
}

The values.yml file looks as follows:

gitlabUrl: "https://gitlab.i.ca/"
runnerRegistrationToken: "{{cicd_token}}"
image: "virtual.artifactory.i.ca/gitlab/gitlab-runner:alpine-v15.2.1"
rbac:
  create: true
runners:
  tags: "a-{{tenant_project}}-{{env}}"
  protected: {{protected}}
  imagePullSecrets: [docker-cfg]
  config: |
    [[runners]]
      [runners.kubernetes]
        image = "mirror.gcr.io/library/ubuntu:22.04"
        helper_image = "t-docker-virtual.artifactory.i.ca/gitlab/gitlab-runner-helper:x86_64-v14.10.2"
        pull_policy = "if-not-present"
        privileged = false
        service_account = "a-{{tenant_project}}-{{env}}"
        namespace = "a-{{tenant_project}}-{{env}}"
        poll_timeout = 600
        memory_limit = "6Gi"
        memory_request = "6Gi"
        helper_memory_limit = "1Gi"
        helper_memory_request = "1Gi"
        ephemeral_storage_limit = "4Gi"
        ephemeral_storage_request = "4Gi"
        helper_ephemeral_storage_limit = "4Gi"
        helper_ephemeral_storage_request = "4Gi"
        [runners.kubernetes.node_selector]
          "iam.gke.io/gke-metadata-server-enabled" = "true"

How can I encode the line 'runnerRegistrationToken: "{{cicd_token}}"' so that the token is encoded when the pipeline runs?


Solution

So I solved this issue by passing the values directly in main.tf as follows:

resource "helm_release" "runner_pod" {
......
......
  set_sensitive {
    name  = "runnerRegistrationToken"
    value = "{{cicd_token}}"
  }
.......
}

and in values.yml I removed the line 'runnerRegistrationToken: "{{cicd_token}}"':

gitlabUrl: "https://gitlab.i.ca/"
image: "virtual.artifactory.i.ca/gitlab/gitlab-runner:alpine-v15.2.1"
rbac:
  create: true
runners:
  tags: "a-{{tenant_project}}-{{env}}"
  protected: {{protected}}
  imagePullSecrets: [docker-cfg]
  config: |.........
.....
....

and I was able to keep my token from being revealed in the CI/CD pipeline.
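The same approach carried through, as an added example that is not the asker's original main.tf: instead of templating the token into a file, it arrives as a Terraform variable marked sensitive and is handed to the chart through set_sensitive. Assumed: the CI job exports the token as the environment variable TF_VAR_cicd_token, the tenant_project and env values are likewise supplied as variables, and the helm provider is already configured.

```hcl
# Added example: the registration token never lands in values.yml or in
# plan output. Assumes the CI job sets TF_VAR_cicd_token (hypothetical name).
variable "cicd_token" {
  description = "GitLab runner registration token"
  type        = string
  sensitive   = true # shown as (sensitive value) in plan/apply output
}

variable "tenant_project" { type = string }
variable "env"            { type = string }

resource "helm_release" "runner_pod" {
  name       = "runner-test"
  namespace  = "a-${var.tenant_project}-${var.env}"
  repository = "https://charts.gitlab.io"
  chart      = "gitlab-runner"
  version    = "0.39.0"

  # Non-secret settings still come from the file; the token line is removed.
  values = [file("${path.module}/values.yml")]

  # set_sensitive overrides the chart value without echoing it in plan diffs.
  set_sensitive {
    name  = "runnerRegistrationToken"
    value = var.cicd_token
  }
}
```

Run `terraform plan` and the token is printed as (sensitive value) rather than in clear. Terraform still writes sensitive values to the state file in plain text, so the state backend needs access control and encryption at rest.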