GitLab runner on k8s ignores authentication token secret

I am migrating to the new runner registration workflow. The idea is to obtain an authentication token via the API (works), create a Kubernetes secret (works), and start the runner via Helm and values.yaml. See

The problem is, the runner doesn’t start. The log file shows

    # crictl logs e78fee591479f
    Registration attempt 1 of 30
    Runtime platform                                    arch=amd64 os=linux pid=16 revision=102c81ba version=16.7.0
    WARNING: Running in user-mode.
    WARNING: The user-mode requires you to manually start builds processing:
    WARNING: $ gitlab-runner run
    WARNING: Use sudo for system-mode:
    WARNING: $ sudo gitlab-runner...

    Created missing unique system ID                    system_id=r_dQz7lthMcw7m
    Merging configuration from template file "/configmaps/config.template.toml"
    Verifying runner... is not valid                    runner=jzsabercN
    PANIC: Failed to verify the runner.
    Registration attempt 2 of 30
    Runtime platform                                    arch=amd64 os=linux pid=35 revision=102c81ba version=16.7.0
    WARNING: Running in user-mode.
    WARNING: The user-mode requires you to manually start builds processing:
    WARNING: $ gitlab-runner run
    WARNING: Use sudo for system-mode:
    WARNING: $ sudo gitlab-runner...

    Merging configuration from template file "/configmaps/config.template.toml"
    Verifying runner... is not valid                    runner=jzsabercN
    PANIC: Failed to verify the runner.
    Registration attempt 3 of 30
    :

The secret “gitlab-runner” is set correctly in values.yaml:

    image:
      registry: registry.gitlab.com
      image: gitlab-org/gitlab-runner
    useTini: false
    imagePullPolicy: IfNotPresent
    gitlabUrl: https://gitlab.com/
    terminationGracePeriodSeconds: 3600
    concurrent: 3
    shutdown_timeout: 0
    checkInterval: 30
    sessionServer:
      enabled: false
    rbac:
      create: true
      rules: []
      clusterWideAccess: false
      podSecurityPolicy:
        enabled: false
        resourceNames:
        - gitlab-runner
    metrics:
      enabled: true
      portName: metrics
      port: 9252
      serviceMonitor:
        enabled: false
    service:
      enabled: false
      type: ClusterIP
    runners:
      config: |
        [[runners]]
          output_limit = 32768
          [runners.kubernetes]
            namespace = "{{.Release.Namespace}}"
            image = "alpine"
            pull_policy = "if-not-present"
            allowed_pull_policies = ["always", "if-not-present"]
            poll_timeout = 300
            privileged = true
            [runners.kubernetes.pod_labels]
              "environment" = "runnerpod"
          [runners.cache]
            Type = "s3"
            Path = "runners.cache"
            Shared = true
            [runners.cache.s3]
              ServerAddress = "minio.example.com:9010"
              BucketName = "runners"
              Insecure = false
          [runners.feature_flags]
            FF_PRINT_POD_EVENTS = true
      configPath: ""
      name: "runner.kube002.terraform"
      secret: gitlab-runner
      cache: {}
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: false
      runAsNonRoot: true
      privileged: false
      capabilities:
        drop: ["ALL"]
    strategy: {}
    podSecurityContext:
      runAsUser: 100
      fsGroup: 65533
    podLabels:
      environment: gitlabrunner
    priorityClassName: ""
    secrets:
      - name: s3access

The secret is set using

    kubectl -n "${namespace}" create secret generic gitlab-runner \
            --from-literal=runner-registration-token='' \
            --from-literal=runner-token="$rtoken" \
            --dry-run=client --save-config -o yaml | kubectl apply -f -

Obviously I missed something here. Every helpful hint is highly appreciated.
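
A diagnostic for the setup described in this post, added here as an example and not part of the original post or of the GitLab project's code: it decodes both keys of the `gitlab-runner` Secret, checks that `runner-token` has the shape of a new-workflow authentication token (these start with `glrt-`), and asks GitLab's `POST /api/v4/runners/verify` endpoint whether it accepts the token. The function names and the script's two arguments (namespace, GitLab URL) are assumptions made for the example.

```shell
#!/bin/sh
# Added diagnostic sketch. The Secret name and key names come from the post;
# the function names and the command-line arguments are illustrative.

# check_token_shape B64 -> prints a verdict for one value from the Secret's
# .data map (base64, as kubectl jsonpath returns it); returns 0 only for "ok".
check_token_shape() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || { echo "not-base64"; return 1; }
    # $(...) strips trailing newlines, so count the raw bytes separately.
    nbytes=$(( $(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c) ))
    if [ "$nbytes" -eq 0 ]; then echo "empty"; return 1; fi
    if [ "$nbytes" -ne "${#decoded}" ]; then echo "trailing-newline"; return 1; fi
    # Stray whitespace or quotes usually come from how the value was captured.
    stripped=$(printf '%s' "$decoded" | tr -d " \t\r\n\"'")
    if [ "$stripped" != "$decoded" ]; then echo "whitespace-or-quotes"; return 1; fi
    case $decoded in
        glrt-*) echo "ok" ;;
        *) echo "no-glrt-prefix"; return 1 ;;
    esac
}

# verify_token URL TOKEN -> prints the HTTP status of POST /api/v4/runners/verify
# (200: GitLab accepts the token, 403: it does not). The token is sent through
# stdin so it does not show up in the process list.
verify_token() {
    printf 'token=%s' "$2" | curl -s -o /dev/null -w '%{http_code}' \
        --data @- "${1%/}/api/v4/runners/verify"
}

# Usage: sh check-runner-secret.sh NAMESPACE GITLAB_URL
if [ "$#" -ge 2 ]; then
    for key in runner-registration-token runner-token; do
        b64=$(kubectl -n "$1" get secret gitlab-runner -o "jsonpath={.data.$key}")
        echo "$key: $(check_token_shape "$b64")"
    done
    # b64 now holds runner-token, the key the new workflow relies on.
    echo "verify: HTTP $(verify_token "$2" "$(printf '%s' "$b64" | base64 -d)")"
fi
```

With the Secret created as shown in the post, `runner-registration-token` is expected to report `empty`; any verdict other than `ok` for `runner-token`, or a 403 from the verify call, points at the token value rather than at the chart.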