Transmit masked variables to container entry via a secret
What does this MR do?
It sets up Kubernetes secrets to contain masked CI job variables, and configures pod containers to include the content of those k8s secrets in their configuration. Masked file-type variables each get their own k8s secret, and other masked variables are added to one or more k8s secrets, depending on space requirements.
Why was this MR needed?
Some customers run code that depends on CI job secrets being present in their container configuration, but we have not been setting that up due to concerns that secrets might be visible through kubectl describe or similar.
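The packing scheme from the description above (one Secret per masked file-type variable, the remaining masked variables first-fit packed into as many Secrets as the size budget requires) and the check behind the concern about kubectl describe, as an added illustration in Python. This is not gitlab-runner's code: the function names, the 1 MiB default budget (Kubernetes' per-Secret size limit), the /etc/ci-secrets mount root, the naming scheme for Secrets, the handling of unmasked variables as plain env entries, and the sample variables are all assumptions constructed for the example.

```python
import base64
import json

# Kubernetes rejects individual Secrets larger than 1 MiB, so masked
# environment-style variables are packed into as many Secrets as needed.
SECRET_SIZE_LIMIT = 1024 * 1024

# Constructed sample of CI job variables (not real credentials).
SAMPLE_VARIABLES = [
    {"key": "CI_JOB_TOKEN", "value": "tok-1234", "masked": True, "file": False},
    {"key": "DB_PASSWORD", "value": "hunter2", "masked": True, "file": False},
    {"key": "API_KEY", "value": "abcdefghijklmnop", "masked": True, "file": False},
    {"key": "KUBECONFIG", "value": "apiVersion: v1\nclusters: []\n", "masked": True, "file": True},
    {"key": "CI_PROJECT_NAME", "value": "demo", "masked": False, "file": False},
]


def _b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode("ascii")


def _entry_size(key: str, value: str) -> int:
    # Size as stored in the Secret's data map: key plus base64 payload.
    return len(key) + len(_b64(value))


def _k8s_name(*parts: str) -> str:
    # Secret names must be DNS-1123 labels: lowercase alphanumerics and '-'.
    return "-".join(parts).lower().replace("_", "-")


def _secret_manifest(name: str, data: dict) -> dict:
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: _b64(v) for k, v in data.items()},
    }


def build_job_manifests(job_name, variables, budget=SECRET_SIZE_LIMIT,
                        mount_root="/etc/ci-secrets"):
    """Return Secret manifests plus the container/volume fragments that use them.

    Masked non-file variables are first-fit packed into Secrets referenced via
    envFrom; each masked file variable gets its own Secret mounted as a volume,
    with the variable set to the mounted path. Unmasked variables stay as plain
    env entries (an assumption made for this example).
    """
    secrets, env, env_from, volumes, mounts = [], [], [], [], []
    current, current_size = {}, 0

    def flush():
        nonlocal current, current_size
        if not current:
            return
        name = _k8s_name(job_name, "env", str(len(env_from)))
        secrets.append(_secret_manifest(name, current))
        env_from.append({"secretRef": {"name": name}})
        current, current_size = {}, 0

    for var in variables:
        key, value = var["key"], var["value"]
        if not var["masked"]:
            env.append({"name": key, "value": value})
            continue
        if var["file"]:
            name = _k8s_name(job_name, "file", key)
            mount_path = f"{mount_root}/{name}"
            secrets.append(_secret_manifest(name, {key: value}))
            volumes.append({"name": name, "secret": {"secretName": name}})
            mounts.append({"name": name, "mountPath": mount_path, "readOnly": True})
            # The variable carries only the path; the content lives in the Secret.
            env.append({"name": key, "value": f"{mount_path}/{key}"})
            continue
        size = _entry_size(key, value)
        if size > budget:
            raise ValueError(f"{key} alone exceeds the per-Secret budget")
        if current_size + size > budget:
            flush()
        current[key] = value
        current_size += size
    flush()

    container = {"name": "build", "env": env, "envFrom": env_from,
                 "volumeMounts": mounts}
    return {"secrets": secrets, "container": container, "volumes": volumes}


def pod_spec_leaks(result, variables):
    """Masked values visible in the pod spec itself, i.e. what kubectl describe pod shows."""
    spec = json.dumps({"container": result["container"], "volumes": result["volumes"]})
    return [v["key"] for v in variables
            if v["masked"] and json.dumps(v["value"])[1:-1] in spec]


if __name__ == "__main__":
    out = build_job_manifests("job-42", SAMPLE_VARIABLES, budget=50)
    print(json.dumps(out, indent=2))
    print("masked values leaked into pod spec:", pod_spec_leaks(out, SAMPLE_VARIABLES))
```

With the small budget used in the sample run, the three masked environment-style variables land in two Secrets and the file variable in a third; the pod spec references them only by name, so pod_spec_leaks returns an empty list. Note that Secret data is base64-encoded, not encrypted: anyone with get access on Secrets in the namespace can read the values, so RBAC on the Secrets resource and encryption at rest still matter.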
What's the best way to test this MR?
Here's how I've tested it: I created a container image whose entrypoint printed its environment, then used this image with the gitlab-runner kubernetes executor. While sending jobs to this runner, I used kubectl get secrets to show the secrets that were created, and I used kubectl logs to examine the environment of the container entrypoint process.
What are the relevant issue numbers?
Fixes #37226 (closed), #30999 (closed), #28866 (closed), #27971 (closed), #26989 (closed)