
Support for external secrets added via values.yaml envVars value; avoid setting volumes and volume mounts for nonexistent secrets

What does this MR do?

Allows users to prevent creating projected volumes to mount non-existent secrets, for use when the runner authentication or registration token may be provided by an external secret provider via environment variables defined in the Pod spec.containers[].env: field.

Why was this MR needed?

In our org, we use a tool to retrieve the secrets from Azure Keyvault, and this works by retrieving the secret securely from Keyvault during pod init, then storing it in an environment variable defined as part of the Pod spec itself. In our case, we don't want to set either the runnerRegistrationToken or the runnerToken values. Instead we will add an environment variable to values.yaml as below:

envVars:
- name: CI_SERVER_TOKEN
  value: runner-token@azurekeyvault

By doing this, combined with this MR, our AKV2K8S instance will identify the Pod spec values containing @azurekeyvault, retrieve the secret from keyvault, and inject the value into the same environment variable without the entrypoint script overriding the value, and without creating and mounting unnecessary volumes.

Before this change, attempting to install via helm without specifying --set runnerToken resulted in the chart being rendered without a secret, but with the runner container attempting to mount the non-existent secret. After this change, when installing via helm without specifying --set runnerToken, the volume mount and volume are no longer rendered in the pod deployment manifest; however, if the value is specified, or set in values.yaml, the volume and volume mount are still present.

What's the best way to test this MR?

In main: run helm template gitlab-runner . and observe that the volume and volume mount are defined in the deployment manifest, but no Secret resource is rendered. Switch to this branch and run the same command; observe that now neither a secret, a volume, nor a volume mount is defined. While still in this branch, run helm template gitlab-runner . --set runnerToken=TEST-RUNNER-TOKEN and observe that the secret is rendered with the base64-encoded value, and the volume and volume mount are present.
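To make the conditional rendering described above concrete, here is an added example (not code from the gitlab-runner chart or this MR) that renders an assumed minimal deployment fragment with Go's text/template, the engine Helm templates are built on. The template shape, the runner-secrets volume name and the /secrets mount path are assumptions, and the values maps are constructed to mirror the values.yaml scenario from the description.

```go
package main

import (
	"bytes"
	"strings"
	"text/template"
)

// Assumed stand-in for the chart's deployment template (not the chart's real file):
// the projected secret volume and its mount are emitted only when a token is set.
const deploymentTmpl = `containers:
- name: runner
  env:
{{- range .Values.envVars }}
  - name: {{ .name }}
    value: {{ .value }}
{{- end }}
{{- if or .Values.runnerToken .Values.runnerRegistrationToken }}
  volumeMounts:
  - name: runner-secrets
    mountPath: /secrets
volumes:
- name: runner-secrets
  secret:
    secretName: runner-secrets
{{- end }}
`

var deployment = template.Must(template.New("deployment").Parse(deploymentTmpl))

// Constructed values mirroring values.yaml for the MR's scenario: both token values
// empty, with the token supplied through envVars for an external provider to fill.
var ExternalSecretValues = map[string]any{
	"runnerToken": "", "runnerRegistrationToken": "",
	"envVars": []map[string]string{{"name": "CI_SERVER_TOKEN", "value": "runner-token@azurekeyvault"}},
}

// Render executes the template against a values map shaped like values.yaml.
func Render(values map[string]any) (string, error) {
	var buf bytes.Buffer
	err := deployment.Execute(&buf, map[string]any{"Values": values})
	return buf.String(), err
}

// MountsSecret reports whether the rendered manifest references the secret volume.
func MountsSecret(values map[string]any) (bool, error) {
	out, err := Render(values)
	return strings.Contains(out, "runner-secrets"), err
}
```

With the token left empty the env entry is rendered but no volume or mount appears; setting runnerToken brings both back, matching the test procedure above.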

What are the relevant issue numbers?

Edited by Thomas Spear
