Overview
You may wish to store your auth_token for Container Runner in a Kubernetes Secret. This is possible via the customSecret parameter in your values.yaml.
Please note that for the container-agent pod to access this secret, the correct Role and RoleBinding permissions must be set. If you utilize the built-in Service Role in your values.yaml to deploy the runner, you will not need to do anything. If you are using a custom Service Account, you will need to make sure it has the correct permissions.
How to configure a customSecret on Container Runner
Step 1 - Base64 encode your auth_token
When utilizing a Kubernetes secret, the value needs to be base64 encoded like so:
$ echo -n <runner_token_goes_here> | base64 -w 0
This will output your token in base64 without new lines for the next step.
Step 2 - Create the secret
We will need to create a Kubernetes secret file:
# container-runner-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: <name_of_your_secret>
  namespace: <namespace_container_runner_is_deployed_to>
data:
  <namespace>.<runner_name>: <base64_encoded_token>
Due to Kubernetes' secret key character constraints, the / separating the namespace and resource class name is replaced with a . character. Other than this, the name must exactly match the resourceClasses config to match the token with the correct configuration.
Step 3 - Apply the secret
We can now apply the container-runner-secret.yaml:
$ kubectl apply -f container-runner-secret.yaml
Step 4 - Update your values.yaml
Once this secret is available in the namespace, we can utilize it in our values.yaml:
# values.yaml
agent:
  resourceClasses:
    <CircleCI_Namespace>/<Container_Runner_Name>:
      customSecret: <Secret_Name_From_Step_2>
Step 5 - Upgrade your deployment
With the secret present in Kubernetes and your values.yaml referencing it, it is time to deploy it to your namespace.
We can run the following command to redeploy using our new values.yaml:
$ helm upgrade container-agent container-agent/container-agent -n <namespace> -f values.yaml
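Steps 1 and 2 combined into a shell helper, added here as an example and not part of the original article or the container-agent chart. It derives the secret key from the resource class name, rejects names that would not form a valid key, and encodes the token without a trailing newline. The function names and the sample values in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; function names and sample values are constructed.

# Map a resource class "<namespace>/<runner_name>" to the Secret data key
# "<namespace>.<runner_name>" (Step 2), rejecting malformed input.
secret_key_for() {
  case "$1" in
    /*|*/|*/*/*) valid=no ;;   # empty half or more than one '/'
    */*)         valid=yes ;;
    *)           valid=no ;;   # no '/' at all
  esac
  if [ "$valid" != yes ]; then
    echo "expected <namespace>/<runner_name>, got: $1" >&2
    return 1
  fi
  key=$(printf '%s' "$1" | tr '/' '.')
  # Kubernetes Secret data keys allow only alphanumerics, '-', '_' and '.'.
  if ! printf '%s' "$key" | grep -Eq '^[A-Za-z0-9._-]+$'; then
    echo "invalid characters for a Secret key: $key" >&2
    return 1
  fi
  printf '%s\n' "$key"
}

# Base64-encode the token (Step 1). printf avoids encoding a trailing newline;
# tr strips line wrapping whether or not this base64 supports -w 0.
encode_token() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Print the manifest. Args: secret name, Kubernetes namespace,
# resource class, runner token.
render_secret() {
  key=$(secret_key_for "$3") || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
data:
  $key: $(encode_token "$4")
EOF
}

# Usage: render_secret runner-token circleci my-org/my-runner "$TOKEN" | kubectl apply -f -
```

Piping the output straight to kubectl keeps the encoded token out of a file on disk; the resource class passed here must be the same string used under resourceClasses in values.yaml.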