Merge branch 'renovate/ironbank' into 'main'

Update Ironbank

See merge request !151

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.64.0-bb.0] - 2024-05-02
+### Changed
+- Updated gluon 0.4.10 -> 0.5.0
+- Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner 16.10.0 -> 16.11.0
+- Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper 16.10.0 -> 16.11.0
+- Updated registry1.dso.mil/ironbank/redhat/ubi/ubi9 9.3 -> 9.4
+
 ## [0.63.0-bb.10] - 2024-05-14
 ### Changed
 - Refactored kubeapiPort to kubeAPIPort and added documentation for kubeAPIPort

README.md

 # gitlab-runner
 
-![Version: 0.63.0-bb.10](https://img.shields.io/badge/Version-0.63.0--bb.10-informational?style=flat-square) ![AppVersion: v16.10.0](https://img.shields.io/badge/AppVersion-v16.10.0-informational?style=flat-square)
+![Version: 0.64.0-bb.0](https://img.shields.io/badge/Version-0.64.0--bb.0-informational?style=flat-square) ![AppVersion: 16.11.0](https://img.shields.io/badge/AppVersion-16.11.0-informational?style=flat-square)
 
 GitLab Runner
 
@@ -38,7 +38,7 @@ helm install gitlab-runner chart/
 |-----|------|---------|-------------|
 | image.registry | string | `"registry1.dso.mil"` |  |
 | image.image | string | `"ironbank/gitlab/gitlab-runner/gitlab-runner"` |  |
-| image.tag | string | `"v16.10.0"` |  |
+| image.tag | string | `"v16.11.0"` |  |
 | useTini | bool | `true` |  |
 | imagePullPolicy | string | `"IfNotPresent"` |  |
 | gitlabUrl | string | `"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181"` |  |
@@ -48,6 +48,7 @@ helm install gitlab-runner chart/
 | checkInterval | int | `30` |  |
 | sessionServer.enabled | bool | `false` |  |
 | rbac.create | bool | `true` |  |
+| rbac.generatedServiceAccountName | string | `""` |  |
 | rbac.rules | list | `[]` |  |
 | rbac.clusterWideAccess | bool | `false` |  |
 | rbac.podSecurityPolicy.enabled | bool | `false` |  |
@@ -60,10 +61,10 @@ helm install gitlab-runner chart/
 | service.type | string | `"ClusterIP"` |  |
 | runners.job.registry | string | `"registry1.dso.mil"` |  |
 | runners.job.repository | string | `"ironbank/redhat/ubi/ubi9"` |  |
-| runners.job.tag | string | `"9.3"` |  |
+| runners.job.tag | string | `"9.4"` |  |
 | runners.helper.registry | string | `"registry1.dso.mil"` |  |
 | runners.helper.repository | string | `"ironbank/gitlab/gitlab-runner/gitlab-runner-helper"` |  |
-| runners.helper.tag | string | `"v16.10.0"` |  |
+| runners.helper.tag | string | `"v16.11.0"` |  |
 | runners.config | string | `"[[runners]]\n  clone_url = \"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181\"\n  cache_dir = \"/tmp/gitlab-runner/cache\"\n  [runners.kubernetes]\n    pull_policy = \"always\"\n    namespace = \"{{.Release.Namespace}}\"\n    image = \"{{ printf \"%s/%s:%s\" .Values.runners.job.registry .Values.runners.job.repository .Values.runners.job.tag }}\"\n    helper_image = \"{{ printf \"%s/%s:%s\" .Values.runners.helper.registry .Values.runners.helper.repository .Values.runners.helper.tag }}\"\n    image_pull_secrets = [\"private-registry\"]\n  [runners.kubernetes.pod_security_context]\n    run_as_non_root = true\n    run_as_user = 1001\n  [runners.kubernetes.helper_container_security_context]\n    run_as_non_root = true\n    run_as_user = 1001\n  [runners.kubernetes.pod_labels]\n    \"job_id\" = \"${CI_JOB_ID}\"\n    \"job_name\" = \"${CI_JOB_NAME}\"\n    \"pipeline_id\" = \"${CI_PIPELINE_ID}\"\n    \"app\" = \"gitlab-runner\"\n"` |  |
 | runners.configPath | string | `""` |  |
 | runners.locked | bool | `false` |  |

chart/CHANGELOG.md

+## v0.64.0 (2024-04-18)
+
+### New features
+
+- Update GitLab Runner version to v16.11.0
+- Add support for connection_max_age parameter !468
+- Propagate Service Account Name from values !367 (Martin Odstrčilík @martin.odstrcilik)
+
+### Bug fixes
+
+- Fix liveness probe for Runner Pod !466
+
 ## v0.63.0 (2024-03-22)
 
 ### New features

chart/Chart.lock

 dependencies:
 - name: gluon
   repository: oci://registry1.dso.mil/bigbang
-  version: 0.4.10
-digest: sha256:28e33aec024c763dcf52a836d96033fbdce99371249f38ce58dc1dc7adc683a4
-generated: "2024-04-25T15:47:04.587749-05:00"
+  version: 0.5.0
+digest: sha256:4562fda1edaeb3791ea813cd8e071709b2ccaf67105d7292c18a3e95b6a88c33
+generated: "2024-05-16T06:14:13.709706726Z"

chart/Chart.yaml

 apiVersion: v2
 name: gitlab-runner
-version: 0.63.0-bb.10
-appVersion: v16.10.0
+version: 0.64.0-bb.0
+appVersion: 16.11.0
 description: GitLab Runner
 keywords:
 - git
@@ -17,16 +17,16 @@ maintainers:
   email: support@gitlab.com
 dependencies:
   - name: gluon
-    version: 0.4.10
+    version: 0.5.0
     repository: oci://registry1.dso.mil/bigbang
 annotations:
   bigbang.dev/applicationVersions: |
-    - Gitlab Runner: v16.10.0
+    - Gitlab Runner: v16.11.0
   helm.sh/images: |
     - name: gitlab-runner
-      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v16.10.0
+      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v16.11.0
     - name: gitlab-runner-helper
-      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v16.10.0
+      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v16.11.0
     - name: ubi9
-      image: registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3
+      image: registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.4
 

chart/Kptfile

@@ -5,7 +5,7 @@ metadata:
 upstream:
   type: git
   git:
-    commit: 2af0212d31cb50744a7960a831bee59eb3f2db20
+    commit: 496fb93cdc60b2373f2442479bd2de43619103bc
     repo: https://gitlab.com/gitlab-org/charts/gitlab-runner
     directory: /
-    ref: v0.63.0
+    ref: v0.64.0

chart/templates/_helpers.tpl

@@ -30,6 +30,17 @@ Create chart name and version as used by the chart label.
 {{-   printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Define the name of the service account
+*/}}
+{{- define "gitlab-runner.serviceAccount" -}}
+{{- if .Values.rbac.create -}}
+{{- default (include "gitlab-runner.fullname" .) .Values.rbac.generatedServiceAccountName | quote -}}
+{{- else -}}
+{{- .Values.rbac.serviceAccountName | quote -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Define the name of the secret containing the tokens
 */}}

chart/templates/configmap.yaml

@@ -13,7 +13,7 @@ data:
     #!/bin/bash
     set -e
 
-    export CONFIG_PATH_FOR_INIT="{{ ternary "/.gitlab-runner/" "/home/gitlab-runner/.gitlab-runner/" (and (hasKey .Values.securityContext "runAsNonRoot") (not .Values.securityContext.runAsNonRoot)) }}"
+    export CONFIG_PATH_FOR_INIT="{{ ternary "/etc/gitlab-runner/" "/home/gitlab-runner/.gitlab-runner/" (and (hasKey .Values.podSecurityContext "runAsUser") (eq 0 (.Values.podSecurityContext.runAsUser | int64))) }}"
     mkdir -p ${CONFIG_PATH_FOR_INIT}
     cp /configmaps/config.toml ${CONFIG_PATH_FOR_INIT}
 
@@ -91,6 +91,9 @@ data:
     {{- if .Values.sentryDsn }}
     sentry_dsn = "{{ .Values.sentryDsn }}"
     {{- end }}
+    {{- if .Values.connectionMaxAge }}
+    connection_max_age = "{{ .Values.connectionMaxAge }}"
+    {{- end }}
     {{- if eq (include "gitlab-runner.isSessionServerAllowed" . ) "true" }}
     [session_server]
       session_timeout = {{ include "gitlab-runner.server-session-timeout" . }}
@@ -165,11 +168,13 @@ data:
     #!/bin/bash
     set -eou pipefail
 
+    export CONFIG_PATH_FOR_INIT="{{ ternary "/etc/gitlab-runner/" "/home/gitlab-runner/.gitlab-runner/" (and (hasKey .Values.podSecurityContext "runAsUser") (eq 0 (.Values.podSecurityContext.runAsUser | int64))) }}"
+
     if ! /usr/bin/pgrep -f ".*register-the-runner"  > /dev/null && ! /usr/bin/pgrep -f "gitlab.*runner"  > /dev/null ; then
       exit 1
     fi
 
-    awk -F'"' '/^  name = ".*"/ { print $2 }' "${HOME%/root}/.gitlab-runner/config.toml" | xargs -I{} gitlab-runner verify -n {} 2>&1 | grep -E "is alive|is valid"
+    awk -F'"' '/^  name = ".*"/ { print $2 }' "${CONFIG_PATH_FOR_INIT}/config.toml" | xargs -I{} gitlab-runner verify -n {} 2>&1 | grep -E "is alive|is valid"
 
   {{- if eq (include "gitlab-runner.isSessionServerAllowed" . ) "true" }}
   set-session-server-address: |

chart/templates/deployment.yaml

@@ -60,7 +60,7 @@ spec:
       {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName | quote }}
       {{- end }}
-      serviceAccountName: {{ if .Values.rbac.create }}{{ include "gitlab-runner.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
+      serviceAccountName: {{ include "gitlab-runner.serviceAccount" . }}
       containers:
       - name: {{ include "gitlab-runner.fullname" . }}
         image: {{ include "gitlab-runner.image" . }}

chart/templates/role-binding.yaml

@@ -17,6 +17,6 @@ roleRef:
   name: {{ include "gitlab-runner.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ include "gitlab-runner.fullname" . }}
+  name: {{ include "gitlab-runner.serviceAccount" . }}
   namespace: "{{ .Release.Namespace }}"
 {{- end -}}

chart/templates/service-account.yaml

@@ -8,7 +8,7 @@ metadata:
     {{   $key }}: {{ tpl ($value) $ | quote }}
     {{- end }}
   {{- end}}
-  name: {{ include "gitlab-runner.fullname" . }}
+  name: {{ include "gitlab-runner.serviceAccount" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     app: {{ include "gitlab-runner.fullname" . }}

chart/values.yaml

@@ -12,7 +12,7 @@
 image:
   registry: registry1.dso.mil
   image: ironbank/gitlab/gitlab-runner/gitlab-runner
-  tag: v16.10.0
+  tag: v16.11.0
 
 ## When using GitLab Runner Helm Chart with gitlab-runner-ubi-images (https://gitlab.com/gitlab-org/ci-cd/gitlab-runner-ubi-images/container_registry)
 ## the installation fails because dumb-init is not packaged in the image. However, the tini is present.
@@ -118,7 +118,12 @@ checkInterval: 30
 ##
 # sentryDsn:
 
-## A custom bash script that will be executed prior to the invocation
+## Configure GitLab Runner's maximum connection age for TLS keepalive connections.
+## ref https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
+##
+# connectionMaxAge: "15m"
+
+## A custom bash script that will be executed prior to the invocation of the
 ## gitlab-runner process
 #
 #preEntrypointScript: |
@@ -145,12 +150,9 @@ sessionServer:
 ## For RBAC support:
 rbac:
   create: true
-
-  ## Define specific rbac permissions.
-  ## DEPRECATED: see .Values.rbac.rules
-  # resources: ["pods", "pods/exec", "secrets"]
-  # verbs: ["get", "list", "watch", "create", "patch", "delete"]
-
+  ## Define the generated serviceAccountName when create is set to true
+  ## It defaults to "gitlab-runner.fullname" if not provided
+  generatedServiceAccountName: ""
 
   ## Define list of rules to be added to the rbac role permissions.
   ## Each rule supports the keys:
@@ -329,11 +331,11 @@ runners:
   job:
     registry: registry1.dso.mil
     repository: ironbank/redhat/ubi/ubi9
-    tag: "9.3"
+    tag: "9.4"
   helper:
     registry: registry1.dso.mil
     repository: ironbank/gitlab/gitlab-runner/gitlab-runner-helper
-    tag: "v16.10.0"
+    tag: "v16.11.0"
 
   # runner configuration, where the multi line strings is evaluated as
   # template so you can specify helm values inside of it.
@@ -900,4 +902,4 @@ bbtests:
             name: gitlab-gitlab-initial-root-password
             key: password          
 
-openshift: false
\ No newline at end of file
+openshift: false

tests/images.txt

-registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v16.10.0
-registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3
+registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v16.11.0
+registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.4