Add possibility to inject Registration Token from Hashicorp Vault Agent Injector
Hi,
At this time, there are two ways to give the Registration Token to the Helm Chart: using helm apply with the token in the value.yaml, or putting the token inside a Kubernetes Secret.
I would like to submit an MR that allows RegistrationToken/Token retrieval from a Hashicorp Vault, using the Vault Agent.
This is needed for example if we want to deploy the helm chart using FluxCD with the File-Based Secret Injection approach.
Example of a value.yaml that adds podAnnotations understood by the Vault Agent:
```yaml
gitlabUrl: https://gitlab.com/
#runnerRegistrationToken: "will_be_retrieved_by_vault_agent"
podAnnotations:
  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/agent-pre-populate-only: 'true'
  vault.hashicorp.com/role: 'gitlab-runner'
  vault.hashicorp.com/agent-inject-secret-runner-registration-token: 'secret/data/my-project/gitlab-runner'
  # "index" is needed here: Go templates cannot address a hyphenated key with dot notation
  vault.hashicorp.com/agent-inject-template-runner-registration-token: |
    {{- with secret "secret/data/my-project/gitlab-runner" -}}
    {{ index .Data.data "registration-token" }}
    {{- end }}
```
This configuration will make Vault Agent add a vault-agent-init container inside the pod, retrieve the Token from Vault using Kubernetes authentication, and write the value inside /vault/secrets/runner-registration-token.
The Merge Request: !372 (closed)
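
A consumer-side sketch of the flow described above, added here as an example; it is not code from the Helm chart or from !372. It assumes a hypothetical helper `load_registration_token` called from the runner's startup script, with the `REGISTRATION_TOKEN` environment variable as the fallback, and it rejects the failure modes of file-based injection (empty file, whitespace-only file, a template that rendered Go's `<no value>` because the key was missing in Vault).

```shell
#!/bin/sh
# Added example: hypothetical helper, not the chart's own entrypoint code.

# Path taken from the issue; overridable so the function can be exercised
# against a constructed file outside a pod.
: "${VAULT_TOKEN_FILE:=/vault/secrets/runner-registration-token}"

# Prints the token on stdout; diagnostics go to stderr and never contain it.
load_registration_token() {
    file="${1:-$VAULT_TOKEN_FILE}"

    if [ -f "$file" ]; then
        # An empty file usually means the init container ran but the
        # template rendered nothing.
        if [ ! -s "$file" ]; then
            echo "token file $file is empty" >&2
            return 1
        fi
        # Go templates render a missing map key as the literal "<no value>".
        if grep -qF '<no value>' "$file"; then
            echo "token file $file has no value: key missing in Vault secret" >&2
            return 1
        fi
        # Strip the newlines and padding the template leaves around the value.
        token=$(tr -d '[:space:]' < "$file")
    else
        # No injected file: fall back to the environment (assumed wiring).
        token="${REGISTRATION_TOKEN:-}"
    fi

    if [ -z "$token" ]; then
        echo "no registration token available" >&2
        return 1
    fi
    printf '%s' "$token"
}

# Typical call site (keep `set -x` off around it so the value is not traced):
#   token=$(load_registration_token) || exit 1
```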