Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add option to read Gitlab Runner Registration token from SSM #822

Merged

Conversation

Conoreby
Copy link
Contributor

@Conoreby Conoreby commented Apr 28, 2023

Description

Adds the ability to read the Gitlab registration token from SSM. If no registration token is passed in, it will look in SSM to find the token to use. This prevents the token from being leaked as part of the user_data.

module "gitlab_runner" {
  # ...
  gitlab_runner_registration_config = {
    registration_token = "" # this is the default value too
    # ...
  }

  secure_parameter_store_gitlab_runner_registration_token_name = "name-of-ssm-parameter-holding-the-registration-token"

Closes #776
Precondition for #186 to get rid of pre-registered runners.

Migrations required

NO

Verification

I modified the runner-default example to not pass in a registration token and added the token to SSM instead. Then I started up the runner and confirmed that it successfully registered with Gitlab.

@github-actions
Copy link
Contributor

Hey @Conoreby! 👋

Thank you for your contribution to the project. Please refer to the contribution rules for a quick overview of the process.

Make sure that this PR clearly explains:

  • the problem being solved
  • the best way a reviewer and you can test your changes

With submitting this PR you confirm that you hold the rights of the code added and agree that it will published under this LICENSE.

The following ChatOps commands are supported:

  • /help: notifies a maintainer to help you out

Simply add a comment with the command in the first line. If you need to pass more information, separate it with a blank line from the command.

This message was generated automatically. You are welcome to improve it.

@npalm
Copy link
Collaborator

npalm commented Apr 29, 2023

@Conoreby thanks, can you have a look on the failing workflows. Can you also add a note to the top-level readme about the options users have to provide the registration token.

Copy link
Collaborator

@kayman-mk kayman-mk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You made a good job here to make the module safer. Thank you.

template/gitlab-runner.tftpl Outdated Show resolved Hide resolved
template/gitlab-runner.tftpl Show resolved Hide resolved
variables.tf Outdated Show resolved Hide resolved
variables.tf Outdated Show resolved Hide resolved
locals.tf Outdated Show resolved Hide resolved
@Conoreby Conoreby requested a review from kayman-mk May 2, 2023 15:14
kayman-mk
kayman-mk previously approved these changes May 3, 2023
@kayman-mk kayman-mk changed the title feat: Add option to read Gitlab Runner Registration from SSM by default feat: add option to read Gitlab Runner Registration token from SSM May 3, 2023
@kayman-mk kayman-mk merged commit 51d63e6 into cattle-ops:main May 3, 2023
kayman-mk pushed a commit that referenced this pull request May 3, 2023
🤖 I have created a release *beep* *boop*
---


##
[6.4.0](6.3.1...6.4.0)
(2023-05-03)


### Features

* add option to read Gitlab Runner Registration token from SSM
([#822](#822))
([51d63e6](51d63e6))


### Bug Fixes

* disable outputting config.toml by default
([#768](#768))
([2cd1e44](2cd1e44))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Signed-off-by: Niek Palm <dev.npalm@gmail.com>
Co-authored-by: cattle-ops-releaser[bot] <126345536+cattle-ops-releaser[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@Conoreby Conoreby deleted the read-registration-token-from-ssm branch May 3, 2023 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Security: registration token is stored in plan text in user-data
3 participants