Improve authentication token detection
What does this MR do?
When the GitLab Runner Helm Chart is used with a secret, the authentication token mechanism fails to detect it and defaults to a registration token. The changes implemented in this commit check whether the CI_SERVER_TOKEN is an authentication token, thus fixing the previous failure.
Why was this MR needed?
To improve coverage for the authentication token as the registration token removal milestone is getting closer.
What's the best way to test this MR?
- Create a secret
```shell
cat <<EOF > secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-runner-secret
type: Opaque
stringData:
  runner-token: glrt-REDACTED
  runner-registration-token: ""
EOF
kubectl apply -f secret.yaml
```
- Install GitLab Runner using the values.yaml below
values.yaml
```yaml
image:
  registry: registry.gitlab.com
  image: gitlab-org/gitlab-runner
  tag: alpine-v17.8.3
useTini: false
imagePullPolicy: IfNotPresent
# replicas: 1
gitlabUrl: https://gitlab.com/
useJobNamespace: true
terminationGracePeriodSeconds: 0
concurrent: 1
checkInterval: 1
logLevel: "debug"
sessionServer:
  enabled: false
  # publicIP: ""
  annotations: {}
  timeout: 1800
  internalPort: 8093
  externalPort: 9000
## For RBAC support:
rbac:
  create: true
  generatedServiceAccountName: "ra-sa-temp-generated"
  rules:
    - apiGroups: [""]
      resources: ["configmaps", "pods", "events", "pods/attach", "secrets", "services", "serviceAccounts"]
      verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create", "patch", "delete"]
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get"]
  clusterWideAccess: false
  serviceAccountAnnotations:
    tests: ratchade-rbac
    tests-rbac: ratchade-rbac
  podSecurityPolicy:
    enabled: false
    resourceNames:
      - gitlab-runner
serviceAccount:
  create: true
  name: "ra-sa-temp"
  annotations:
    tests: ratchade-serviceaccount
    tests-serviceaccount: ratchade-serviceaccount
  imagePullSecrets: []
metrics:
  enabled: true
  portName: metrics
  port: 9252
  serviceMonitor:
    enabled: false
service:
  enabled: false
  type: ClusterIP
runners:
  config: |
    shutdown_timeout = 100
    [[runners]]
      # shell = "powershell"
      shell = "bash"
      [runners.kubernetes]
        host = ""
        bearer_token_overwrite_allowed = false
        pod_termination_grace_period_seconds = 0
        namespace = ""
        environment = ["FF_USE_ADVANCED_POD_SPEC_CONFIGURATION=true"]
        namespace_overwrite_allowed = ""
        pod_labels_overwrite_allowed = ""
        service_account_overwrite_allowed = ""
        pod_annotations_overwrite_allowed = ""
        node_selector_overwrite_allowed = ".*"
        [[runners.kubernetes.services]]
        [runners.kubernetes.dns_config]
        [runners.kubernetes.pod_labels]
          user = "ratchade"
  runUntagged: true
  protected: true
  tags: "tests, ra-tests"
  secret: gitlab-runner-secret # <===================== Secret is set here
  cache: {}
  builds: {}
  services: {}
  helpers: {}
envVars: {}
securityContext:
  allowPrivilegeEscalation: true
  readOnlyRootFilesystem: false
  runAsNonRoot: false
  privileged: true
  capabilities:
    drop:
      - ALL
podSecurityContext:
  runAsUser: 100
  runAsGroup: 65533
  fsGroup: 65533
resources:
  requests: {}
affinity: {}
nodeSelector:
  kubernetes.io/arch: "amd64"
  kubernetes.io/os: "linux"
tolerations: []
hostAliases: []
podAnnotations: {}
podLabels: {}
hpa: {}
secrets: []
configMaps: {}
volumeMounts: []
volumes: []
# deploymentLifecycle:
#   lifecycle:
#     preStop:
#       exec:
#         command: ["/entrypoint", "unregister", "--all-runners"]
```
```shell
helm install --namespace default gitlab-runner -f <PATH_TO_VALUE_YAML> .
```
The GitLab Runner Manager Pod should run without any errors (that can be checked in the Pod log).
Doing the same tests with the main branch will log the following error in the GitLab Runner Manager Pod:
```
Registration attempt 1 of 30
Runtime platform arch=amd64 os=linux pid=14 revision=690ce25c version=17.8.3
WARNING: Running in user-mode.
WARNING: The user-mode requires you to manually start builds processing:
WARNING: $ gitlab-runner run
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
Created missing unique system ID system_id=r_wpD42lWzEfPH
Merging configuration from template file "/configmaps/config.template.toml"
FATAL: Runner configuration other than name and executor configuration is reserved (specifically --locked, --access-level, --run-untagged, --maximum-timeout, --paused, --t
Registration attempt 2 of 30
Runtime platform arch=amd64 os=linux pid=19 revision=690ce25c version=17.8.3
WARNING: Running in user-mode.
WARNING: The user-mode requires you to manually start builds processing:
WARNING: $ gitlab-runner run
WARNING: Use sudo for system-mode:
WARNING: $ sudo gitlab-runner...
Merging configuration from template file "/configmaps/config.template.toml"
FATAL: Runner configuration other than name and executor configuration is reserved (specifically --locked, --access-level, --run-untagged, --maximum-timeout, --paused, --t
```
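The failing combination above (a `glrt-` token together with `runUntagged`, `protected` and `tags`) can be caught before deployment. The following pre-flight check is an added example, not the chart's own code; it assumes an authentication token is recognised by the `glrt-` prefix, and the `preflight` interface and sample values are hypothetical.

```shell
#!/bin/sh
# Added example (not the chart's code). Assumption: an authentication token is
# recognised by the "glrt-" prefix used in the secret above.

# token_kind TOKEN: print the token's kind, never the token itself,
# so the secret value does not end up in logs.
token_kind() {
  case "$1" in
    "")     echo empty ;;
    glrt-*) echo authentication ;;
    *)      echo other ;;
  esac
}

# preflight TOKEN [SETTING...]: SETTING names are the reserved runner settings
# present in values.yaml (hypothetical interface for this example).
# Returns 0 and prints the kind when the combination is consistent,
# 1 when an authentication token is combined with reserved settings,
# 2 when no token is present.
preflight() {
  token=$1
  shift
  kind=$(token_kind "$token")
  case "$kind" in
    empty)
      echo "no token found in secret" >&2
      return 2 ;;
    authentication)
      if [ "$#" -gt 0 ]; then
        echo "authentication token used with reserved settings: $*" >&2
        return 1
      fi ;;
  esac
  echo "$kind"
}

# Constructed sample values; the settings mirror the values.yaml above.
SAMPLE_TOKEN="glrt-CONSTRUCTED-SAMPLE"
preflight "$SAMPLE_TOKEN" runUntagged protected tags || echo "rejected (exit $?)"
preflight "$SAMPLE_TOKEN"
preflight "legacy-CONSTRUCTED-SAMPLE" runUntagged protected tags
```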