

Add runner runtime secrets
szymonrychu committed Jun 15, 2022
1 parent 5e6f102 commit 9b5a071
Showing 4 changed files with 79 additions and 2 deletions.
38 changes: 38 additions & 0 deletions chart/gha-runner/templates/deployment.yaml
Expand Up @@ -28,6 +28,34 @@ spec:
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
initContainers:
- name: {{ .Chart.Name }}-init
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
command:
- bash
args:
- -cex
- |
cp -Rf /home/github/* /home/github-new/
gpg --import /secrets/private.rsa
cp -Rf /home/github/.gnupg /home/github-new/.gnupg
mkdir -p /home/code-new/.ssh
cp -Rf /secrets/id_rsa /home/github-new/.ssh/id_rsa
cp /secrets/id_rsa.pub /home/github-new/.ssh/id_rsa.pub
cp /secrets/known_hosts /home/github-new/.ssh/known_hosts
chmod 0600 /home/code-new/.ssh/id_rsa
volumeMounts:
- name: runtime-secrets
mountPath: "/secrets"
readOnly: true
- mountPath: /home/github-new
name: shared-data
resources:
{{- toYaml .Values.resources | nindent 12 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
Expand All @@ -52,6 +80,9 @@ spec:
key: github-personal-token
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: /home/github
name: shared-data
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
Expand All @@ -64,3 +95,10 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: shared-data
emptyDir: {}
- name: runtime-secrets
secret:
secretName: {{ include "gha-runner.fullname" . }}-runtime-secrets
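Review bot: The init script's `mkdir -p /home/code-new/.ssh` (L34) and `chmod 0600 /home/code-new/.ssh/id_rsa` (L38) target a different directory from the one the keys are copied into at L35–L37 (`/home/github-new/.ssh`); `/home/github-new` is the empty `shared-data` emptyDir, so the `cp` at L35 into a `.ssh` that was never created fails under `-e` and the init container never completes, and even if it did, `id_rsa` would keep the secret volume's default file mode (the `runtime-secrets` volume at L67–L69 sets no `defaultMode`), which ssh typically refuses to use for a private key. Change both lines to the directory that is actually populated and restrict the directory as well: `mkdir -p /home/github-new/.ssh`, `chmod 0700 /home/github-new/.ssh`, `chmod 0600 /home/github-new/.ssh/id_rsa`. Note also that the copied private key and the imported GPG keyring then persist on the `shared-data` emptyDir declared at L65–L66, which is node-local disk unless `medium: Memory` is requested; worth considering for a volume that only carries key material.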

15 changes: 14 additions & 1 deletion chart/gha-runner/templates/secret.yaml
Expand Up @@ -7,4 +7,17 @@ metadata:
{{- include "gha-runner.labels" . | nindent 4 }}
type: Opaque
data:
github-personal-token: {{ .Values.config.githubPersonalToken | b64enc | quote }}
github-personal-token: {{ .Values.config.githubPersonalToken | b64enc | quote }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gha-runner.fullname" . }}-runtime-secrets
labels:
{{- include "gha-runner.labels" . | nindent 4 }}
type: Opaque
data:
id_rsa: {{ .Values.secrets.privateKey | b64enc | quote }}
id_rsa.pub: {{ .Values.secrets.publicKey | b64enc | quote }}
known_hosts: {{ .Values.secrets.knownHosts | b64enc | quote }}
private.rsa: {{ .Values.secrets.gpgEncryptionKey | b64enc | quote }}
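Review bot: The four new `data` entries at L88–L91 render `.Values.secrets.*` with no guard, so an install that forgets the override silently produces a Secret containing whatever the chart's committed defaults hold, and the consuming init container then tries to use it as a real key; wrapping each in `required` fails at render time instead, e.g. `id_rsa: {{ required "secrets.privateKey must be set" .Values.secrets.privateKey | b64enc | quote }}`. A comment above `data:` naming what each entry is consumed for (ssh identity, ssh public key, `known_hosts`, GPG private key imported by the init container) would also help, since the key `private.rsa` does not say that the value under `gpgEncryptionKey` is a GPG private key rather than an RSA file. Remember that `b64enc` is encoding, not protection: the rendered manifest, and Helm's stored release record, carry the key material in clear.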
20 changes: 20 additions & 0 deletions chart/gha-runner/values.yaml
Expand Up @@ -11,6 +11,26 @@ config:
githubOwner: "szymonrychu"
githubRepository: "helmfile-cluster"

secrets:
privateKey: |
someprivatekey
publicKey: |
someprivatekey
knownHosts: |
|1|eHUy+DdABsrCSjWFrPHMB6u/aQg=|j1ubaHgHk7cCmhh2m4C9LHSlmVQ= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
|1|5BTVwAXj+vC6I6aDQ43nP27WKAg=|2E8pPM72MPTPTIcEIBdl1+vZzVw= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
|1|PStxtwUxBOjdhk/VfSWaBbSyAvY=|vGUqFWFcpL6DfJH98NvWOOz+3mI= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
|1|kcm+w/r4hUIpANo2kt73krZRMg8=|1SboFAEvMi0z0cmY7B+NFlVnQlE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMSgqxFsxZv8pZwxx/NPdl7A2exC+V1uInBWvQhkcGch+0KEP9tsu32UnIQnk1+3oQqufo6PzZEtxWfYRMs2GU=
|1|1L+f7SudyNp0JUzd6qxPeJgKK3c=|vcu2S1jJp+QK/0cvFXWjMa46FMc= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMSgqxFsxZv8pZwxx/NPdl7A2exC+V1uInBWvQhkcGch+0KEP9tsu32UnIQnk1+3oQqufo6PzZEtxWfYRMs2GU=
|1|TU4IYB00K1s7b+SDvElOk8Gjlvc=|EMWcRuR5MQ+Dhv6BHFkGcieHOso= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE1TvABrKxeuwCHvj5Z60W96RHuDQy/9IxAU4rPl52kkJVf8N6HT8coqwjIwIXlD93XVHdRrySkibHPu0etB8/E=
|1|kZfJKZH2y51Q+3Nz2oY8nEyPjHo=|0TzDqsFEbjI72oc9dEEmZaY8VZ8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE1TvABrKxeuwCHvj5Z60W96RHuDQy/9IxAU4rPl52kkJVf8N6HT8coqwjIwIXlD93XVHdRrySkibHPu0etB8/E=
|1|/fQqEb2/XE/lu0JFOM0i/y6wQco=|j8HFDqyleoXwASyCUwqm5aKWW2w= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAoLfwohyJai8WQpc0G4GoU5kuk65gh0dLGJiiur4XPBV0W71u+xzD3QHuV5kG0R2d1xp9AoQhK01b6RHO0MtmA=
|1|66KMNPk0RLY6vcf3yMRBDt2YrQo=|lYFJahwh2vjfE9PrWEJdj3y/mHw= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNr2UdEpYTtWhxtEGe/DA9X/RT9S6BJ92tIg+vh6Wlsb3AfqYcEZkz55aLv6oTfBLt2wW7arhobzc2FnbNIBUXM=
|1|TvNrVYFIso7uiWP0X+L/nRtS5WU=|KDtxXZ1Z/zP3fA9+4IqI+bcjAOc= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMSgqxFsxZv8pZwxx/NPdl7A2exC+V1uInBWvQhkcGch+0KEP9tsu32UnIQnk1+3oQqufo6PzZEtxWfYRMs2GU=
|1|Vr1oUg8mUO+TkDh+z8ltWu2O8og=|pL9VFzXpIfXsVcfZIRCEAalE+Jc= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNr2UdEpYTtWhxtEGe/DA9X/RT9S6BJ92tIg+vh6Wlsb3AfqYcEZkz55aLv6oTfBLt2wW7arhobzc2FnbNIBUXM=
gpgEncryptionKey: |
someprivatekey
image:
repository: szymonrychu/gha-runner
pullPolicy: IfNotPresent
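Review bot: The new `secrets` block at L98–L116 ships placeholder private-key material as chart defaults, and the `publicKey` placeholder at L102 reads `someprivatekey`, a copy of the `privateKey` one; defaults that look like keys make a forgotten override hard to notice once they are rendered into the Secret. Prefer empty defaults with a comment stating where the real values come from, e.g. `# Rendered into <fullname>-runtime-secrets; supply via --set-file or a values file kept out of VCS` above `secrets:`, and `privateKey: ""` / `publicKey: ""` / `gpgEncryptionKey: ""` for the key entries. The `knownHosts` block is public host-key data and is fine to keep as a literal `|` scalar.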
8 changes: 7 additions & 1 deletion entrypoint.sh
Expand Up @@ -15,7 +15,13 @@ remove() {
./config.sh remove --token "${RUNNER_TOKEN}"
}

trap 'remove; exit 130' INT
removeAndWait(){
sleep 600
remove
}


trap 'removeAndWait; exit 130' INT
trap 'remove; exit 143' TERM
./run.sh "$*" &
wait $!
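Review bot: `removeAndWait` at L128–L131 defers de-registration by a hard-coded `sleep 600` with nothing saying why, and the delay is fixed regardless of whether a job is running; name it and document the intent, e.g. `DEREGISTER_DELAY="${DEREGISTER_DELAY:-600}"  # seconds to keep the runner registered after INT` with `sleep "${DEREGISTER_DELAY}"`. Since `./run.sh` is started with `&` from a non-interactive shell it presumably does not receive the INT itself, so during that window the runner keeps running while only the parent shell waits — if that is the intended behaviour a comment should say so, and if the INT handler is meant to let an in-flight job finish, waiting on the child rather than a fixed sleep would be the more direct expression. The tail of `remove()` at L124–L125 begins outside the hunk, and the doubled blank line at L132–L133 is a style nit.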
