Add option to disable global cache credentials export

Problem

The chart's entrypoint unconditionally exports cache credential env vars (CACHE_S3_*, GOOGLE_APPLICATION_CREDENTIALS, CACHE_GCS_*, CACHE_AZURE_*) when the corresponding secrets are mounted. For the docker+machine executor, these env vars are inherited by docker-machine subprocesses, which then authenticate as the cache service account instead of using their own identity (e.g. Workload Identity on GKE) for VM provisioning.

Solution

Adds a new runners.cache.disableGlobalCredentialsExport flag (default: false). When set to true, the chart skips the entire cache credentials export block, allowing subprocesses to use their own identity.

Required Configuration When Enabled

When disableGlobalCredentialsExport: true, the cache credential env vars are no longer set, so the runner cannot pick up credentials implicitly. Users must explicitly configure cache credentials in runners.config under [runners.cache.*]. For example, with GCS:

[runners.cache]
  Type = "gcs"
  Shared = true
  [runners.cache.gcs]
    CredentialsFile = "/secrets/gcs-application-credentials-file"
    BucketName = "my-cache-bucket"

The secret file is still mounted at /secrets/gcs-application-credentials-file (via runners.cache.secretName); only the env var export is skipped.
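To make the inheritance problem concrete, the following is an added example (a constructed model, not the chart's actual entrypoint script): it exports GOOGLE_APPLICATION_CREDENTIALS only when the secret file is mounted, honours an assumed DISABLE_GLOBAL_CREDENTIALS_EXPORT switch standing in for the new flag, and then asks a child shell (standing in for docker-machine) what it inherited. SECRETS_DIR and the function names are assumptions.

```shell
#!/bin/sh
# Constructed model of the entrypoint's cache-credentials export block.
# SECRETS_DIR and DISABLE_GLOBAL_CREDENTIALS_EXPORT are assumed names, not the chart's.
SECRETS_DIR="${SECRETS_DIR:-/secrets}"

# Export the GCS credential env var only when the secret file is mounted and
# the global export has not been disabled.
export_cache_credentials() {
    if [ "${DISABLE_GLOBAL_CREDENTIALS_EXPORT:-false}" = "true" ]; then
        return 0
    fi
    if [ -f "$SECRETS_DIR/gcs-application-credentials-file" ]; then
        GOOGLE_APPLICATION_CREDENTIALS="$SECRETS_DIR/gcs-application-credentials-file"
        export GOOGLE_APPLICATION_CREDENTIALS
    fi
}

# A child process (stand-in for a docker-machine subprocess) reports what it
# inherited from the environment: the credential path, or "unset".
child_sees_credentials() {
    sh -c 'printf "%s" "${GOOGLE_APPLICATION_CREDENTIALS:-unset}"'
}

# Run one scenario in a subshell so exports do not leak between cases.
# $1 is the disable-flag value ("true" or "false"); prints what the child saw.
run_scenario() {
    (
        DISABLE_GLOBAL_CREDENTIALS_EXPORT="$1"
        unset GOOGLE_APPLICATION_CREDENTIALS
        export_cache_credentials
        child_sees_credentials
    )
}

# Demo against a constructed (empty) secret file in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    SECRETS_DIR="$tmp"
    : > "$tmp/gcs-application-credentials-file"
    echo "default:  child inherits $(run_scenario false)"
    echo "disabled: child inherits $(run_scenario true)"
    rm -rf "$tmp"
}
```

With the default, the child process inherits the cache service account credential path; with the switch on, the variable is absent and the child falls back to its own identity.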

Backward Compatibility

Default behavior is unchanged. Users opt in to the new behavior only when needed.

Tests

Added unit tests in tests/configmap_test.yaml covering:

  • Default behavior exports all cache credentials
  • disableGlobalCredentialsExport: true skips all exports
  • Explicit false exports all cache credentials