kubernetes: create masked CI variables as Kubernetes Secrets

Description

Problem

Currently, in the Kubernetes executor, masked CI variables are injected directly as plain environment variable values in the Pod spec.

This has a few drawbacks:

  • Masked values are still visible in the Pod manifest
  • Values can be exposed via Kubernetes API access
  • This differs from Kubernetes best practices for handling secrets

Solution

This MR introduces an opt-in feature flag that injects masked variables as Kubernetes Secrets instead of inline environment variable values.

When the feature flag is enabled:

  • Masked (non-file) CI variables are stored in a Kubernetes Secret
  • Environment variables reference those values via secretKeyRef
  • Non-masked variables and file-type variables are unchanged
  • Behavior is fully backward-compatible when the flag is disabled

Feature Flag

  • Name: FF_KUBERNETES_MASKED_VARS_AS_SECRETS
  • Default: false
  • Scope: Kubernetes executor only

Implementation Details

  • Added a single, centralized secret name (gitlab-ci-job-secret)
  • Created a helper to build a Kubernetes Secret from masked variables
  • Ensured secret creation happens before Pod creation
  • Gracefully handles AlreadyExists errors
  • Environment variable generation switches between:
    • value (default behavior)
    • valueFrom.secretKeyRef (flag enabled)
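As an added illustration of the switch described above (not code from this MR or from gitlab-runner itself), the sketch below uses hypothetical stand-in types in place of the k8s.io/api/core/v1 EnvVar and SecretKeySelector shapes and a hypothetical create callback in place of the real clientset; the feature-flag check, the masked/file filtering and the AlreadyExists handling follow the MR description.

```go
package main

import (
	"errors"
	"fmt"
)

// Variable is a constructed stand-in for the runner's own CI variable type.
type Variable struct {
	Key, Value   string
	Masked, File bool
}

// SecretKeyRef and EnvVar mirror the corev1 shapes only as far as this example needs (assumption).
type SecretKeyRef struct{ Name, Key string }
type EnvVar struct {
	Name, Value string
	SecretRef   *SecretKeyRef // non-nil means the value is delivered via valueFrom.secretKeyRef
}

// Single, centralized secret name used by all masked variables of the job.
const secretName = "gitlab-ci-job-secret"

// buildSecretData collects masked, non-file variables into the Secret's data; file variables stay out.
func buildSecretData(vars []Variable) map[string]string {
	data := map[string]string{}
	for _, v := range vars {
		if v.Masked && !v.File {
			data[v.Key] = v.Value
		}
	}
	return data
}

// buildEnvVars inlines the value unless the flag is enabled and the variable is masked and not a file.
func buildEnvVars(vars []Variable, flagEnabled bool) []EnvVar {
	out := make([]EnvVar, 0, len(vars))
	for _, v := range vars {
		if flagEnabled && v.Masked && !v.File {
			out = append(out, EnvVar{Name: v.Key, SecretRef: &SecretKeyRef{Name: secretName, Key: v.Key}})
			continue
		}
		out = append(out, EnvVar{Name: v.Key, Value: v.Value})
	}
	return out
}

// errAlreadyExists stands in for the API server's AlreadyExists status (assumption).
var errAlreadyExists = errors.New("AlreadyExists")

// ensureSecret creates the Secret before the Pod and treats AlreadyExists as success.
func ensureSecret(create func(name string, data map[string]string) error, data map[string]string) error {
	if len(data) == 0 {
		return nil // no masked variables: no Secret is needed
	}
	if err := create(secretName, data); err != nil && !errors.Is(err, errAlreadyExists) {
		return err
	}
	return nil
}

func main() {
	vars := []Variable{{Key: "DEPLOY_TOKEN", Value: "constructed-sample", Masked: true}}
	fmt.Printf("%+v\n", buildEnvVars(vars, true)[0].SecretRef)
}
```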

Note on Test Failures

Tests pass locally but fail in CI due to logger initialization. The fix involves ensuring the feature flag check is robust in different environments.

Edited by Ghost User
