The new Runops Agent removes the dependency on GitHub. It is faster and can be 100% self-hosted (if desired). We packaged the Agent in a Docker image that runs anywhere. The Agent retrieves secrets from a Vault or Secret Manager of your choice, hosted by you.
Targets no longer store secrets. You can store secrets in one of these secret managers:
- AWS Secrets Manager
- HashiCorp Vault
- Google (GCP) Secret Manager (future releases)
Each target requires a new secret record with the same name as the target.
An example of how to create a secret for a mysql target named
It is highly recommended that a new IAM role and user are created to access this new resource. The secret-string param is a regular JSON.
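The recommendation above, as an added example that is not from the Runops documentation: an IAM policy scoped to the single secret named after the target, plus the AWS CLI call that creates that secret from a JSON file. The region, account id and file path are constructed placeholders, and granting only secretsmanager:GetSecretValue is an assumption about what the agent needs.

```shell
#!/usr/bin/env bash
# Added example. Region, account id and file path are constructed placeholders.

# Secrets Manager names allow only these characters. Reject anything else so
# the target name is safe to embed in the ARN built below.
valid_secret_name() {
  case "$1" in
    ''|*[!A-Za-z0-9/_+=.@-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print an IAM policy that allows reading exactly one secret.
# Secrets Manager appends "-" plus six random characters to the secret's ARN,
# hence the "-??????" suffix instead of a broad "*".
read_policy_for_target() {  # args: region account_id target_name
  case "$1" in ''|*[!a-z0-9-]*) echo "invalid region" >&2; return 1 ;; esac
  case "$2" in ''|*[!0-9]*) echo "invalid account id" >&2; return 1 ;; esac
  [ "${#2}" -eq 12 ] || { echo "invalid account id" >&2; return 1; }
  valid_secret_name "$3" || { echo "invalid secret name" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:$1:$2:secret:$3-??????"
  }]
}
EOF
}

# Create the secret record named after the target. The JSON is read from a
# file (file:// is AWS CLI syntax) so credentials stay out of shell history
# and process listings. The keys inside the file are whatever the agent
# expects for the target type; they are not shown here.
create_target_secret() {  # args: target_name path_to_json_file
  valid_secret_name "$1" || { echo "invalid secret name" >&2; return 1; }
  aws secretsmanager create-secret --name "$1" --secret-string "file://$2"
}

# Print the policy for a constructed target. Nothing is sent to AWS here.
read_policy_for_target us-east-1 123456789012 my-prod-mysql-secret
```

Attach the printed policy to the dedicated role or user, then run create_target_secret with the target name and the path to the JSON file.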
For HashiCorp Vault, different secrets are required.
The VAULT_AUTH_METHOD variable sets how the runner authenticates to Vault. Currently kubernetes-account-service is available; other login methods will be available in the future.
Both k8s (account-service) and Vault need to be configured for this method to work.
Please reach out for more details at:
WARN: Pasting the snippets below into the terminal will automatically create the Kubernetes resources. Make sure you update the variables and set the context and namespace of your choice before running them.
Replace with your values
Create the Secret
Export the first 3 mandatory envs, and optionally the others related to customer provider
Create a new target (or update one) to use the new runner. Tags should match the TAGS variable in the image deployment:
secret_provider can be one of the following: [aws, hashcorp].
secret_path is the name of the secret at AWS (e.g. my-prod-mysql-secret), or the path at HashiCorp Vault (e.g. /databases/cred/my-postgres).
Now, you can create tasks normally for that target.
Currently, this runner supports only:
The remaining types will come in future releases.
To continue using the current GitHub runner, simply omit secret-provider and it will default to github. On the other hand, a set of secrets must be supplied.