Read AutoscalingRunnerSet githubConfigSecret from controller namespace instead of runner namespace #3693
lacarvalho91 started this conversation in Ideas
Replies: 1 comment
or only support controller/runner namespace by making |
We have a use case where we need runner resources to live in namespaces owned by users of our platform; this is so that config maps and secrets they own can be mounted to the runners. The problem we have is that we are using runner groups, so the GitHub App needs org-wide self-hosted runners permission. Since we have to have the githubConfigSecret in the same namespace as the runners, this means that users will have access to that GitHub App credentials secret, which is of course a big security concern.
What we would prefer is to be able to define that secret in the same namespace as the controller.
I couldn't really see any technical reason that the secret needs to be in the runners namespace; it's just that the controller is written to specifically read it from that namespace as shown here, so I'm wondering if we could just provide the option to read it from the controller namespace instead? The secret is then later copied into the listener namespace, so I haven't been able to find anywhere where pods in the runner namespace need to access that secret. The runner pods just use the JIT config secret; they never seem to use the `githubConfigSecret`.

It's unfortunate that I don't seem to be able to raise an issue with this, since the issue templates suggest that feature requests for `actions.github.com` need to be raised on the GitHub Community Support Forum.
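Added example, not part of the original post or of the Actions Runner Controller code: a small audit of which subjects can read a given Secret through namespaced RBAC, which is the exposure the post describes for a tenant-owned runner namespace. The namespace, Role, group and Secret names are constructed, and ClusterRole grants are not evaluated.

```python
# Added example. All object names are constructed; only namespaced Role and
# RoleBinding objects are evaluated (ClusterRole grants are not considered).
READ_VERBS = {"get", "list", "watch", "*"}

def rule_exposes(rule, secret_name):
    """True if one Role rule allows reading the named Secret."""
    if not {"", "*"} & set(rule.get("apiGroups", [])):
        return False
    if not {"secrets", "*"} & set(rule.get("resources", [])):
        return False
    if not READ_VERBS & set(rule.get("verbs", [])):
        return False
    names = rule.get("resourceNames") or []
    return not names or secret_name in names  # empty list = every Secret

def readers(namespace, secret_name, roles, bindings):
    """Subjects bound in `namespace` to a Role that exposes the Secret."""
    exposing = {r["metadata"]["name"] for r in roles
                if r["metadata"]["namespace"] == namespace
                and any(rule_exposes(x, secret_name) for x in r.get("rules", []))}
    found = set()
    for b in bindings:
        ref = b["roleRef"]
        if (b["metadata"]["namespace"] == namespace
                and ref["kind"] == "Role" and ref["name"] in exposing):
            found.update(f'{s["kind"]}:{s["name"]}' for s in b.get("subjects", []))
    return sorted(found)

# Constructed sample: a tenant-owned runner namespace and the controller namespace.
ROLES = [
    {"metadata": {"name": "tenant-edit", "namespace": "team-a-runners"},
     "rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"],
                "verbs": ["get", "list", "create"]}]},
    {"metadata": {"name": "arc-admin", "namespace": "arc-system"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
]
BINDINGS = [
    {"metadata": {"name": "tenant-edit", "namespace": "team-a-runners"},
     "roleRef": {"kind": "Role", "name": "tenant-edit"},
     "subjects": [{"kind": "Group", "name": "team-a"}]},
    {"metadata": {"name": "arc-admin", "namespace": "arc-system"},
     "roleRef": {"kind": "Role", "name": "arc-admin"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
]

if __name__ == "__main__":
    for ns in ("team-a-runners", "arc-system"):
        print(ns, readers(ns, "github-app-secret", ROLES, BINDINGS))
```

With the Secret in the tenant namespace, the tenant group that needs its own secrets and config maps also reaches the GitHub App credentials; in the controller namespace only the platform group does.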