🔒 Consume centrally managed token (#137)

Signed-off-by: Jacob Woffenden <[email protected]>
ministryofjustice · Oct 23, 2024 · 36a9eeb · 36a9eeb
1 parent 5b39554
commit 36a9eeb
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 59 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 #checkov:skip=CKV_DOCKER_2:actions/runner does not provider a mechanism for checking the health of the service
-FROM public.ecr.aws/ubuntu/ubuntu@sha256:5b2fc4131b3c134a019c3ea815811de70e6ad9ee1626f59bf302558a95b436e5
+FROM public.ecr.aws/ubuntu/ubuntu@sha256:fb95efe0d22be277f10250f15e5172ec0fe22c37eca2ba55e78b526c447eec23
 
 LABEL org.opencontainers.image.vendor="Ministry of Justice" \
       org.opencontainers.image.authors="Analytical Platform" \

diff --git a/chart/Chart.yaml b/chart/Chart.yaml
@@ -3,8 +3,8 @@ apiVersion: v2
 name: actions-runner
 description: Deploy GitHub Actions self-hosted runner
 type: application
-version: 2.320.0-1
-appVersion: 2.320.0-1
+version: 2.320.0-2
+appVersion: 2.320.0-2
 icon: https://upload.wikimedia.org/wikipedia/en/thumb/4/4a/Ministry_of_Justice_logo_%28United_Kingdom%29.svg/611px-Ministry_of_Justice_logo_%28United_Kingdom%29.svg.png
 maintainers:
   - name: moj-data-platform-robot

diff --git a/chart/ci/lint-values.yaml b/chart/ci/lint-values.yaml
@@ -2,7 +2,8 @@
 github:
   organisation: ministryofjustice
   repository: analytical-platform
-  token: this-is-not-a-real-token
+  tokenSecretName: this-is-not-a-real-secret-name
+  tokenSecretKey: token
   runner:
     labels: "self-hosted,analytical-platform"
 

diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -40,25 +40,10 @@ spec:
             - name: GITHUB_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-github-token
-                  key: token
+                  name: {{ .Values.github.tokenSecretName }}
+                  key: {{ .Values.github.tokenSecretKey }}
             - name: RUNNER_LABELS
               value: {{ .Values.github.runner.labels | quote }}
-            {{- if .Values.runner.cache.enabled }}
-            - name: AGENT_TOOLSDIRECTORY
-              value: {{ .Values.runner.cache.agentToolsDirectory }}
-            {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- if .Values.runner.cache.enabled }}
-          volumeMounts:
-            - name: actions-runner-cache
-              mountPath: {{ .Values.runner.cache.agentToolsDirectory }}
-          {{- end }}
-      {{- if .Values.runner.cache.enabled }}
-      volumes:
-        - name: actions-runner-cache
-          persistentVolumeClaim:
-            claimName: {{ .Values.runner.cache.pvcName }}
-      {{- end }}
 {{- end }}
diff --git a/chart/templates/scaled-job.yaml b/chart/templates/scaled-job.yaml
@@ -7,8 +7,8 @@ metadata:
 spec:
   secretTargetRef:
     - parameter: personalAccessToken
-      name: {{ .Release.Name }}-github-token
-      key: token
+      name: {{ .Values.github.tokenSecretName }}
+      key: {{ .Values.github.tokenSecretKey }}
 ---
 apiVersion: keda.sh/v1alpha1
 kind: ScaledJob
@@ -47,23 +47,8 @@ spec:
               - name: GITHUB_TOKEN
                 valueFrom:
                   secretKeyRef:
-                    name: {{ .Release.Name }}-github-token
-                    key: token
-              {{- if .Values.runner.cache.enabled }}
-              - name: AGENT_TOOLSDIRECTORY
-                value: {{ .Values.runner.cache.agentToolsDirectory }}
-              {{- end }}
-            {{- if .Values.runner.cache.enabled }}
-            volumeMounts:
-              - name: actions-runner-cache
-                mountPath: {{ .Values.runner.cache.agentToolsDirectory }}
-            {{- end }}
-        {{- if .Values.runner.cache.enabled }}
-        volumes:
-          - name: actions-runner-cache
-            persistentVolumeClaim:
-              claimName: {{ .Values.runner.cache.pvcName }}
-        {{- end }}
+                    name: {{ .Values.github.tokenSecretName }}
+                    key: {{ .Values.github.tokenSecretKey }}
         {{- if .Values.ephemeral.karpenter.enabled }}
         restartPolicy: Never
         affinity:

diff --git a/chart/templates/secret.yaml b/chart/templates/secret.yaml
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -7,15 +7,16 @@ replicaCount: 1
 image:
   pullPolicy: IfNotPresent
   repository: ghcr.io/ministryofjustice/analytical-platform-actions-runner
-  tag: 2.320.0-1
+  tag: 2.320.0-2
 
 imagePullSecrets: []
 
 serviceAccount:
   create: true
   automount: true
   name: ""
-  annotations: {}
+  annotations:
+    checkov.io/skip1: "CKV_K8S_21=Default namespace is not used when deploying with Helm"
 
 podAnnotations: {}
 podLabels: {}
@@ -35,16 +36,11 @@ resources:
 github:
   organisation:
   repository:
-  token:
+  tokenSecretName: actions-runners-token-apc-self-hosted-runners
+  tokenSecretKey: token
   runner:
     labels:
 
-runner:
-  cache:
-    enabled: true
-    agentToolsDirectory: /actions-runner/_tools
-    pvcName: actions-runner-cache
-
 ephemeral:
   enabled: true
   karpenter: