fix: remove Honeycomb API key from Terraform and VM metadata

The Honeycomb API key is now managed via the management plane: the
dashboard encrypts it with the runner's public key, the runner
decrypts it and persists it to Secret Manager. The Terraform variable
and cloud-init env var were a legacy bootstrap path that exposed the
key in plaintext in VM metadata (user-data).

Removed:
- var.honeycomb_api_key from variables.tf
- HONEYCOMB_API_KEY template variable from runner-vm.tf
- HONEYCOMB_API_KEY env var block from runner-cloud-init.tftpl

The runner orchestrator's os.Getenv fallback will be removed in a
companion PR on gitpod-next.

Co-authored-by: Ona <no-reply@ona.com>

Author: nandajavarma

files/runner-cloud-init.tftpl

@@ -611,10 +611,6 @@ write_files:
       https_proxy=${HTTPS_PROXY}
       all_proxy=${ALL_PROXY}
       no_proxy=${NO_PROXY}
-%{ if HONEYCOMB_API_KEY != "" ~}
-      HONEYCOMB_API_KEY=${HONEYCOMB_API_KEY}
-%{ endif ~}
-
 %{ if AUTH_PROXY_TLS_CERT != "" ~}
   # Auth proxy TLS certificate for verification (CA trust)
   - path: /var/lib/gitpod/auth-proxy-ca.crt

runner-vm.tf

@@ -140,7 +140,6 @@ data "cloudinit_config" "runner" {
       ENABLE_AGENTS                        = var.enable_agents
       AGENT_BUCKET_NAME                    = local.agent_bucket_name
       RUNNER_ASSETS_BUCKET_NAME            = google_storage_bucket.runner_assets.name
-      HONEYCOMB_API_KEY                    = var.honeycomb_api_key
       MIG_WARM_POOL_ENABLED                = true
       # Proxy configuration
       HTTP_PROXY  = local.http_proxy

variables.tf

@@ -337,9 +337,4 @@ variable "enable_agents" {
   default     = true
 }
 
-variable "honeycomb_api_key" {
-  description = "Honeycomb API key for development tracing. Enables tracing on the runner and environments when set."
-  type        = string
-  default     = ""
-  sensitive   = true
-}
+