Overview
You may wish to store your auth_token for Container Runner in a Kubernetes Secret.
This is possible via the customSecret parameter in your values.yaml.
Please note that for the container-agent pod to access this secret, the correct Role and RoleBinding permissions must be set. If you utilize the built-in Service Role in your values.yaml to deploy the runner, you will not need to do anything. If you are using a custom Service Account, you will need to make sure it has the correct permissions.
How to configure a customSecret on Container Runner
Step 1 - Base64 encode your auth_token
When utilizing a Kubernetes secret, the value needs to be base64 encoded like so:
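$ echo -n "<runner_token_goes_here>" | base64 -w 0
The -n flag stops echo from appending a newline to the token before it is encoded, and -w 0 disables line wrapping, so this will output your token in base64 without new lines for the next step.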
Step 2 - Create the secret
We will need to create a Kubernetes secret file.
# container-runner-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: <name_of_your_secret>
  namespace: <namespace_container_runner_is_deployed_to>
data:
  <namespace>.<runner_name>: <base64_encoded_token>
Due to Kubernetes' secret key character constraints, the / separating the namespace and resource class name is replaced with a . character. Other than this, the key must exactly match the name in the resourceClasses config so that the token is matched with the correct configuration.
Step 3 - Apply the secret
We can now apply the container-runner-secret.yaml.
$ kubectl apply -f container-runner-secret.yaml
Step 4 - Update your values.yaml
Once this secret is available in the namespace, we can utilize it in our values.yaml:
# values.yaml
agent:
  resourceClasses:
    <CircleCI_Namespace>/<Container_Runner_Name>:
      customSecret: <Secret_Name_From_Step_2>
Step 5 - Upgrade your deployment
With the secret being present in Kubernetes and your values.yaml referencing it, it is time to deploy it to your namespace.
We can run the following command to redeploy using our new values.yaml:
$ helm upgrade container-agent container-agent/container-agent -n $namespace -f values.yaml
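The following script is an added example, not part of CircleCI's documentation or Helm chart. It automates Steps 1 and 2 by deriving the secret key from the resource class name (replacing / with .) and encoding the token without a trailing newline or line wrapping. The function names and the RUNNER_TOKEN environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not CircleCI's code. Function names and the RUNNER_TOKEN
# variable are assumptions made for this sketch.

# "<namespace>/<runner_name>" -> "<namespace>.<runner_name>" (Secret data key).
secret_key_for() {
  _ns="${1%%/*}"; _name="${1#*/}"
  if [ "$_ns" = "$1" ] || [ -z "$_ns" ] || [ -z "$_name" ]; then
    echo "expected <namespace>/<runner_name>, got '$1'" >&2; return 1
  fi
  _key="$_ns.$_name"
  # Secret keys may only contain alphanumerics, '-', '_' and '.'; this also
  # rejects a second '/' left over in the runner name.
  case "$_key" in
    *[!A-Za-z0-9._-]*) echo "invalid secret key '$_key'" >&2; return 1 ;;
  esac
  printf '%s\n' "$_key"
}

# Encode exactly the token bytes: printf adds no trailing newline, and tr
# removes any line wrapping base64 inserts (works with GNU and BSD base64).
encode_token() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Args: secret name, Kubernetes namespace, resource class, token.
render_secret() {
  _k="$(secret_key_for "$3")" || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
data:
  $_k: $(encode_token "$4")
EOF
}

# Usage: RUNNER_TOKEN=... sh make-secret.sh <secret> <k8s_ns> <ns/runner> | kubectl apply -f -
if [ "$#" -eq 3 ]; then
  render_secret "$1" "$2" "$3" "${RUNNER_TOKEN:?set RUNNER_TOKEN}"
fi
```

Reading the token from an environment variable keeps it out of the process argument list, and piping the output straight to kubectl avoids leaving the manifest with the encoded token on disk.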