
Secret values from user-provided values.yaml are not base64-encoded #16

@madic-creates


When users provide their own secret values (e.g., runner.token), these values are written directly to the secret's data: field without base64 encoding. However, when the chart generates default values, they are correctly encoded.

Root Cause

In secret-runner.yaml:

{{- $token := (get $runnerSecretData .Values.runner.tokenKey) | default (randAlphaNum 32 | b64enc) }}
{{ .Values.runner.tokenKey }}: {{ .Values.runner.token | default ($token) }}

• If runner.token is not set: Uses $token which includes | b64enc ✓
• If runner.token is set: Uses the value directly, bypassing b64enc ✗

Possible Fix (breaking change):

{{- $token := .Values.runner.token | default (randAlphaNum 32) }}
{{ .Values.runner.tokenKey }}: {{ $token | b64enc }}

Or clarify in the docs that runner.token must already be base64-encoded (non-breaking change).

Impact:

Pods fail to start with:
Error: grpc: error while marshaling: string field contains invalid UTF-8

This occurs because Kubernetes interprets the unencoded value as base64 and decodes it, potentially producing invalid UTF-8 bytes.

My current workaround:

Pre-encode the token value with base64 before setting it in values.yaml:

echo -n "your-token-here" | base64

Then use the encoded value:

runner:
  token: eW91ci10b2tlbi1oZXJl  # base64-encoded

This way, when Kubernetes decodes the value, it correctly results in the original token string.
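
The following is an added example, not part of the original issue or the chart's code: a Python model of the two templates quoted above and of what a consumer sees once the `data:` value has been base64-decoded. The helper names, the strict standard-base64 decode used to approximate the API server, and the sample tokens are assumptions; the existing-secret lookup in the reported template is left out.

```python
import base64
import binascii
import secrets
import string


def b64enc(text: str) -> str:
    """Same result as Helm's b64enc for a UTF-8 string."""
    return base64.b64encode(text.encode()).decode()


def rand_alnum(n: int = 32) -> str:
    """Stand-in for Helm's randAlphaNum."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def render_current(user_token=None) -> str:
    # Reported template: only the generated default passes through b64enc.
    return user_token or b64enc(rand_alnum())


def render_fixed(user_token=None) -> str:
    # Proposed fix: whatever ends up in $token is encoded exactly once.
    return b64enc(user_token or rand_alnum())


def pod_view(data_value: str) -> str:
    """What a consumer gets after the data: value is base64-decoded."""
    try:
        raw = base64.b64decode(data_value, validate=True)
    except (binascii.Error, ValueError):
        return "REJECTED: not base64"
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return "CORRUPT: invalid UTF-8"


# Constructed sample: 32 alphanumeric characters, so it is also valid base64.
RAW_TOKEN = "zzzzQ7mK2pL9xR4vT8nB3cW6yH1dF5gJ"
PRE_ENCODED = b64enc("your-token-here")  # the workaround value from the issue

if __name__ == "__main__":
    for label, value in (("raw", RAW_TOKEN), ("pre-encoded", PRE_ENCODED)):
        print(f"{label:12} current -> {pod_view(render_current(value))}")
        print(f"{label:12} fixed   -> {pod_view(render_fixed(value))}")
```

With the proposed fix, a value that was already pre-encoded as in the workaround reaches the pod still base64-encoded, which is why the fix is labelled a breaking change.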
