Merge branch 'bstask-fix' into 'main'

Update gitlab-runner to 16.5.0, gluon to 0.4.4 See merge request !108

Merge branch 'bstask-fix' into 'main'
32332aad · Blane Staskiewicz · 0cbca5e7 · 69871ff1 · 32332aad · 32332aad
Commit 32332aad authored 1 year ago by Blane Staskiewicz
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [0.58.1-bb.0] - 2023-11-09
+### Changed
+- Updated ironbank/gitlab/gitlab-runner/gitlab-runner v15.11.0 -> v16.5.0
+- Updated ironbank/gitlab/gitlab-runner/gitlab-runner-helper v15.11.0 -> v16.5.0
+- Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner v15.11.0 -> v16.5.0
+- Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper v15.11.0 -> v16.5.0
+- Updated gluon 0.4.1 -> 0.4.4
+
 ## [0.52.0-bb.8] - 2023-11-03
 ### Changed
 - Added additional kubernetes label to runner to allow it to work with network policy by default 

--- a/README.md
+++ b/README.md
 # gitlab-runner

-![Version: 0.52.0-bb.8](https://img.shields.io/badge/Version-0.52.0--bb.8-informational?style=flat-square) ![AppVersion: v15.11.0](https://img.shields.io/badge/AppVersion-v15.11.0-informational?style=flat-square)
+![Version: 0.58.1-bb.0](https://img.shields.io/badge/Version-0.58.1--bb.0-informational?style=flat-square) ![AppVersion: 16.5.0](https://img.shields.io/badge/AppVersion-16.5.0-informational?style=flat-square)

 GitLab Runner

@@ -38,11 +38,12 @@ helm install gitlab-runner chart/
 |-----|------|---------|-------------|
 | image.registry | string | `"registry1.dso.mil"` |  |
 | image.image | string | `"ironbank/gitlab/gitlab-runner/gitlab-runner"` |  |
-| image.tag | string | `"v15.11.0"` |  |
+| image.tag | string | `"v16.5.0"` |  |
 | imagePullPolicy | string | `"IfNotPresent"` |  |
 | gitlabUrl | string | `"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181"` |  |
 | terminationGracePeriodSeconds | int | `3600` |  |
 | concurrent | int | `50` |  |
+| shutdown_timeout | int | `0` |  |
 | checkInterval | int | `30` |  |
 | sessionServer.enabled | bool | `false` |  |
 | rbac.create | bool | `true` |  |
@@ -61,8 +62,9 @@ helm install gitlab-runner chart/
 | runners.job.tag | string | `"8.7"` |  |
 | runners.helper.registry | string | `"registry1.dso.mil"` |  |
 | runners.helper.repository | string | `"ironbank/gitlab/gitlab-runner/gitlab-runner-helper"` |  |
-| runners.helper.tag | string | `"v15.11.0"` |  |
-| runners.config | string | `"[[runners]]\n  clone_url = \"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181\"\n  cache_dir = \"/tmp/gitlab-runner/cache\"\n  [runners.kubernetes]\n    pull_policy = \"always\"\n    namespace = \"{{.Release.Namespace}}\"\n    image = \"{{ printf \"%s/%s:%s\" .Values.runners.job.registry .Values.runners.job.repository .Values.runners.job.tag }}\"\n    helper_image = \"{{ printf \"%s/%s:%s\" .Values.runners.helper.registry .Values.runners.helper.repository .Values.runners.helper.tag }}\"\n    image_pull_secrets = [\"private-registry\"]\n  [runners.kubernetes.pod_security_context]\n    run_as_non_root = true\n    run_as_user = 1001\n    run_as_group = 1001\n  [runners.kubernetes.pod_labels]\n    \"job_id\" = \"${CI_JOB_ID}\"\n    \"job_name\" = \"${CI_JOB_NAME}\"\n    \"pipeline_id\" = \"${CI_PIPELINE_ID}\"\n    \"app\" = \"gitlab-runner\"\n"` |  |
+| runners.helper.tag | string | `"v16.5.0"` |  |
+| runners.config | string | `"[[runners]]\n  clone_url = \"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181\"\n  cache_dir = \"/tmp/gitlab-runner/cache\"\n  [runners.kubernetes]\n    pull_policy = \"always\"\n    namespace = \"{{.Release.Namespace}}\"\n    image = \"{{ printf \"%s/%s:%s\" .Values.runners.job.registry .Values.runners.job.repository .Values.runners.job.tag }}\"\n    helper_image = \"{{ printf \"%s/%s:%s\" .Values.runners.helper.registry .Values.runners.helper.repository .Values.runners.helper.tag }}\"\n    image_pull_secrets = [\"private-registry\"]\n  [runners.kubernetes.pod_security_context]\n    run_as_non_root = true\n    run_as_user = 1001\n  [runners.kubernetes.helper_container_security_context]\n    run_as_non_root = true\n    run_as_user = 1001\n  [runners.kubernetes.pod_labels]\n    \"job_id\" = \"${CI_JOB_ID}\"\n    \"job_name\" = \"${CI_JOB_NAME}\"\n    \"pipeline_id\" = \"${CI_PIPELINE_ID}\"\n    \"app\" = \"gitlab-runner\"\n"` |  |
+| runners.configPath | string | `""` |  |
 | runners.locked | bool | `false` |  |
 | runners.runUntagged | bool | `true` |  |
 | runners.protected | bool | `true` |  |
@@ -91,6 +93,8 @@ helm install gitlab-runner chart/
 | nodeSelector | object | `{}` |  |
 | tolerations | list | `[]` |  |
 | hostAliases | list | `[]` |  |
+| deploymentAnnotations | object | `{}` |  |
+| deploymentLabels | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
 | priorityClassName | string | `""` |  |

--- a/chart/CHANGELOG.md
+++ b/chart/CHANGELOG.md
+## v0.58.1 (2023-10-24)
+
+### Bug fixes
+
+- Update liveness probe to support authentication token !446
+
+## v0.58.0 (2023-10-20)
+
+### New features
+
+- Update GitLab Runner version to v16.5.0
+- Add shutdown_timeout flag for global section config !435 (Maxim Tacu @mtacu)
+
+### Bug fixes
+
+- Add missing rbac when debugging services !442 (Ismael Posada Trobo @iposadat)
+- Adjust the runner image to match the configured podSecurityContext !434 (Harald Dunkel @hdunkel)
+- Support for external secrets added via values.yaml envVars value; avoid setting volumes and volume mounts for nonexistent secrets !426 (Thomas Spear @tspearconquest)
+- Make livenessProbe actually probe for a working runner !404 (fiskhest @fiskhest)
+- helm: fix runners.config template rendering !386 (Viktor Oreshkin @stek29)
+
+### Maintenance
+
+- Add ephemeral-storage example in resources.requests and resources.limits !443
+- Update broken and outdated links in Helm chart values.yaml !438 (Kolja Lucht @k0jak)
+
+## v0.57.1 (2023-10-06)
+
+### New features
+
+- Update GitLab Runner version to v16.4.1
+
+## v0.57.0 (2023-09-25)
+
+### New features
+
+- Update GitLab Runner version to v16.3.2
+
+## v0.56.1 (2023-09-18)
+
+### New features
+
+- Update GitLab Runner version to v16.3.1
+
+## v0.56.0 (2023-08-21)
+
+### New features
+
+- Update GitLab Runner version to v16.2.1
+
+## v0.55.0 (2023-07-23)
+
+### New features
+
+- Update GitLab Runner version to v16.1.1
+
+## v0.54.0 (2023-06-21)
+
+### New features
+
+- Update GitLab Runner version to v16.0.3
+
+## v0.53.2 (2023-06-08)
+
+### New features
+
+- Update GitLab Runner version to v16.0.2
+
+### Bug fixes
+
+- Revert cache settings through Kubernetes secret in values yaml !406
+- Take in account registration token from secret !405
+- Support empty rules defined in the values.yaml !402
+
+### Maintenance
+
+- Remove reference to rbac.resources and rbac.verbs !403
+
+## v0.52.1 (2023-06-02)
+
+### New features
+
+- Update GitLab Runner version to v15.11.1
+
+## v0.53.1 (2023-05-25)
+
+### New features
+
+- Update GitLab Runner version to v16.0.1
+
+## v0.53.0 (2023-05-22)
+
+### New features
+
+- Update GitLab Runner version to v16.0.0
+
+### Maintenance
+
+- Adapt the Helm Chart to support the next Token Architecture !398
+- Remove namespace and cache deprecated fields from the Helm Chart project !397
+- Remove all deprecated fields that can be resolved with template merging !393
+- Fix failure in integration tests !390
+
 ## v0.52.0 (2023-04-22)

 ### New features

--- a/chart/Chart.lock
+++ b/chart/Chart.lock
 dependencies:
 - name: gluon
  repository: oci://registry1.dso.mil/bigbang
-  version: 0.4.1
-digest: sha256:f4b60df466aec59a58670243fe19c3c8f7c10cd711c892a7b83b65d4be294c8e
-generated: "2023-09-20T08:03:24.800996-05:00"
+  version: 0.4.4
+digest: sha256:306ebeeb7af982b73ea4d7ffb6a6467c2be21d957b2f2af92973e859c03c05a9
+generated: "2023-11-09T06:02:11.34392503-07:00"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: gitlab-runner
-version: 0.52.0-bb.8
-appVersion: v15.11.0
+version: 0.58.1-bb.0
+appVersion: 16.5.0
 description: GitLab Runner
 keywords:
 - git
@@ -17,15 +17,15 @@ maintainers:
  email: support@gitlab.com
 dependencies:
  - name: gluon
-    version: 0.4.1
+    version: 0.4.4
    repository: oci://registry1.dso.mil/bigbang
 annotations:
  bigbang.dev/applicationVersions: |
-    - Gitlab Runner: v15.11.0
+    - Gitlab Runner: v16.5.0
  helm.sh/images: |
    - name: gitlab-runner
-      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v15.11.0
+      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v16.5.0
    - name: gitlab-runner-helper
-      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v15.11.0
+      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v16.5.0
    - name: ubi8
-      image: registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.8
+      image: registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.7
--- a/chart/Kptfile
+++ b/chart/Kptfile
 apiVersion: kpt.dev/v1alpha1
 kind: Kptfile
 metadata:
-    name: chart
+  name: chart
 upstream:
-    type: git
-    git:
-        commit: 06141493a569f60e3f59500695c3c43760738034
-        repo: https://gitlab.com/gitlab-org/charts/gitlab-runner
-        directory: /
-        ref: v0.52.0
+  type: git
+  git:
+    commit: 7d7fa445629018930f97c24ce85b36adc5776e02
+    repo: https://gitlab.com/gitlab-org/charts/gitlab-runner
+    directory: /
+    ref: v0.58.1
--- a/chart/README.md
+++ b/chart/README.md
@@ -2,3 +2,7 @@

 This chart deploys a GitLab Runner instance into your Kubernetes
 cluster. For more information, please review [our documentation](https://docs.gitlab.com/charts/charts/gitlab/gitlab-runner).
+
+# Development
+
+Please follow [development documentation](DEVELOPMENT.md).
\ No newline at end of file
--- a/chart/charts/gluon-0.4.1.tgz
+++ b/chart/charts/gluon-0.4.1.tgz
--- a/chart/charts/gluon-0.4.4.tgz
+++ b/chart/charts/gluon-0.4.4.tgz
--- a/chart/scripts/integration.sh
+++ b/chart/scripts/integration.sh
 #!/bin/bash

+# Two types of token are supported:
+# - Registration Token (registration)
+# - Authentication Token (authentication)
+tokenType=$1
+token=$2
+valueYamlPath=$3
+
 INTEGRATION_RUNNER_NAME=${INTEGRATION_RUNNER_NAME:-integration-runner}
 INTEGRATION_HELM_POD_RELEASE_LABEL=${INTEGRATION_HELM_POD_RELEASE_LABEL:-release=$INTEGRATION_RUNNER_NAME}

-helm install -f values.yaml --timeout 5m --wait --set gitlabUrl="$CI_SERVER_URL",runnerRegistrationToken="$REGISTRATION_TOKEN" "$INTEGRATION_RUNNER_NAME" .
+case $tokenType in
+    "registration")
+        helm install -f "$valueYamlPath" --timeout 5m --wait --set gitlabUrl="$CI_SERVER_URL",runnerRegistrationToken="$token" "$INTEGRATION_RUNNER_NAME" .
+        ;;
+    "authentication")
+        helm install -f "$valueYamlPath" --timeout 5m --wait --set gitlabUrl="$CI_SERVER_URL",runnerToken="$token" "$INTEGRATION_RUNNER_NAME" .
+        ;;
+    *)
+        echo "Token provided is not supported"
+        exit 1
+        ;;
+esac

 kubectl describe pod -l "$INTEGRATION_HELM_POD_RELEASE_LABEL"


--- a/chart/templates/_cache.tpl
+++ b/chart/templates/_cache.tpl
-{{- define "gitlab-runner.cache" }}
-{{-   if .Values.runners.cache.cacheType }}
- name: CACHE_TYPE
-  value: {{ default "" .Values.runners.cache.cacheType | quote }}
- name: CACHE_PATH
-  value: {{ coalesce .Values.runners.cache.cachePath .Values.runners.cache.s3CachePath | default "" | quote }}
-{{-     if .Values.runners.cache.cacheShared }}
- name: CACHE_SHARED
-  value: "true"
-{{-     end }}
-{{-     if eq .Values.runners.cache.cacheType "s3" }}
- name: CACHE_S3_SERVER_ADDRESS
-  value: {{ include "gitlab-runner.cache.s3ServerAddress" . }}
- name: CACHE_S3_BUCKET_NAME
-  value: {{ default "" .Values.runners.cache.s3BucketName | quote }}
- name: CACHE_S3_BUCKET_LOCATION
-  value: {{ default "" .Values.runners.cache.s3BucketLocation | quote }}
-{{-       if .Values.runners.cache.s3CacheInsecure }}
- name: CACHE_S3_INSECURE
-  value: "true"
-{{-       end }}
-{{-     end }}
-{{-     if eq .Values.runners.cache.cacheType "gcs" }}
- name: CACHE_GCS_BUCKET_NAME
-  value: {{ default "" .Values.runners.cache.gcsBucketName | quote }}
-{{-     end }}
-{{-   end }}
-{{- end -}}
--- a/chart/templates/_env_vars.tpl
+++ b/chart/templates/_env_vars.tpl
 {{- define "gitlab-runner.runner-env-vars" }}
 - name: CI_SERVER_URL
  value: {{ include "gitlab-runner.gitlabUrl" . }}
- name: CLONE_URL
-  value: {{ default "" .Values.runners.cloneUrl | quote }}
-{{- if .Values.runners.requestConcurrency }}
- name: RUNNER_REQUEST_CONCURRENCY
-  value: {{ default 1 .Values.runners.requestConcurrency | quote }}
-{{- end }}
 - name: RUNNER_EXECUTOR
  value: {{ default "kubernetes" .Values.runners.executor | quote }}
+{{- if eq (include "gitlab-runner.isAuthToken" .) "false" }}
 - name: REGISTER_LOCKED
  {{ if or (not (hasKey .Values.runners "locked")) .Values.runners.locked -}}
  value: "true"
@@ -17,124 +12,12 @@
  {{- end }}
 - name: RUNNER_TAG_LIST
  value: {{ default "" .Values.runners.tags | quote }}
-{{- if .Values.runners.outputLimit }}
- name: RUNNER_OUTPUT_LIMIT
-  value: {{ .Values.runners.outputLimit | quote }}
-{{- end}}
-{{- if eq (default "kubernetes" .Values.runners.executor) "kubernetes" }}
-{{- if .Values.runners.image }}
- name: KUBERNETES_IMAGE
-  value: {{ .Values.runners.image | quote }}
-{{- end }}
-{{- if .Values.runners.privileged }}
- name: KUBERNETES_PRIVILEGED
-  value: "true"
 {{- end }}
-{{- if or .Values.runners.namespace (not (regexMatch "\\s*namespace\\s*=" .Values.runners.config)) }}
+{{- if eq (default "kubernetes" .Values.runners.executor) "kubernetes" }}
+{{- if not (regexMatch "\\s*namespace\\s*=" .Values.runners.config) }}
 - name: KUBERNETES_NAMESPACE
-  value: {{ default .Release.Namespace .Values.runners.namespace | quote }}
-{{- end }}
-{{- if .Values.runners.pollTimeout }}
- name: KUBERNETES_POLL_TIMEOUT
-  value: {{ .Values.runners.pollTimeout | quote }}
-{{- end }}
-{{- if .Values.runners.builds.cpuLimit }}
- name: KUBERNETES_CPU_LIMIT
-  value: {{ .Values.runners.builds.cpuLimit | quote }}
-{{- end }}
-{{- if .Values.runners.builds.cpuLimitOverwriteMaxAllowed }}
- name: KUBERNETES_CPU_LIMIT_OVERWRITE_MAX_ALLOWED
-  value: {{ .Values.runners.builds.cpuLimitOverwriteMaxAllowed | quote }}
-{{- end }}
-{{- if .Values.runners.builds.memoryLimit }}
- name: KUBERNETES_MEMORY_LIMIT
-  value: {{ .Values.runners.builds.memoryLimit | quote }}
-{{- end }}
-{{- if .Values.runners.builds.memoryLimitOverwriteMaxAllowed }}
- name: KUBERNETES_MEMORY_LIMIT_OVERWRITE_MAX_ALLOWED
-  value: {{ .Values.runners.builds.memoryLimitOverwriteMaxAllowed | quote }}
-{{- end }}
-{{- if .Values.runners.builds.cpuRequests }}
- name: KUBERNETES_CPU_REQUEST
-  value: {{ .Values.runners.builds.cpuRequests | quote }}
-{{- end }}
-{{- if .Values.runners.builds.cpuRequestsOverwriteMaxAllowed }}
- name: KUBERNETES_CPU_REQUEST_OVERWRITE_MAX_ALLOWED
-  value: {{ .Values.runners.builds.cpuRequestsOverwriteMaxAllowed | quote }}
-{{- end }}
-{{- if .Values.runners.builds.memoryRequests }}
- name: KUBERNETES_MEMORY_REQUEST
-  value: {{ .Values.runners.builds.memoryRequests| quote }}
-{{- end }}
-{{- if .Values.runners.builds.memoryRequestsOverwriteMaxAllowed }}
- name: KUBERNETES_MEMORY_REQUEST_OVERWRITE_MAX_ALLOWED
-  value: {{ .Values.runners.builds.memoryRequestsOverwriteMaxAllowed | quote }}
-{{- end }}
-{{- if .Values.runners.serviceAccountName }}
- name: KUBERNETES_SERVICE_ACCOUNT
-  value: {{ .Values.runners.serviceAccountName | quote }}
-{{- end }}
-{{- if .Values.runners.services.cpuLimit }}
- name: KUBERNETES_SERVICE_CPU_LIMIT
-  value: {{ .Values.runners.services.cpuLimit | quote }}
-{{- end }}
-{{- if .Values.runners.services.memoryLimit }}
- name: KUBERNETES_SERVICE_MEMORY_LIMIT
-  value: {{ .Values.runners.services.memoryLimit | quote }}
-{{- end }}
-{{- if .Values.runners.services.cpuRequests }}
- name: KUBERNETES_SERVICE_CPU_REQUEST
-  value: {{ .Values.runners.services.cpuRequests | quote }}
-{{- end }}
-{{- if .Values.runners.services.memoryRequests }}
- name: KUBERNETES_SERVICE_MEMORY_REQUEST
-  value: {{ .Values.runners.services.memoryRequests | quote }}
-{{- end }}
-{{- if .Values.runners.helpers.cpuLimit }}
- name: KUBERNETES_HELPER_CPU_LIMIT
-  value: {{ .Values.runners.helpers.cpuLimit | quote }}
-{{- end }}
-{{- if .Values.runners.helpers.memoryLimit }}
- name: KUBERNETES_HELPER_MEMORY_LIMIT
-  value: {{ .Values.runners.helpers.memoryLimit | quote }}
-{{- end }}
-{{- if .Values.runners.helpers.cpuRequests }}
- name: KUBERNETES_HELPER_CPU_REQUEST
-  value: {{ .Values.runners.helpers.cpuRequests | quote }}
-{{- end }}
-{{- if .Values.runners.helpers.memoryRequests }}
- name: KUBERNETES_HELPER_MEMORY_REQUEST
-  value: {{ .Values.runners.helpers.memoryRequests | quote }}
-{{- end }}
-{{- if .Values.runners.helpers.image }}
- name: KUBERNETES_HELPER_IMAGE
-  value: {{ .Values.runners.helpers.image | quote }}
-{{- end }}
-{{- if .Values.runners.imagePullPolicy }}
- name: KUBERNETES_PULL_POLICY
-  value: {{ .Values.runners.imagePullPolicy | quote }}
-{{- end }}
-{{- if .Values.runners.pod_security_context }}
-{{-   if .Values.runners.pod_security_context.run_as_non_root }}
- name: KUBERNETES_POD_SECURITY_CONTEXT_RUN_AS_NON_ROOT
-  value: "true"
-{{-   end }}
-{{-   if .Values.runners.pod_security_context.run_as_user }}
- name: KUBERNETES_POD_SECURITY_CONTEXT_RUN_AS_USER
-  value: {{ .Values.runners.pod_security_context.run_as_user | quote }}
-{{-   end }}
-{{-   if .Values.runners.pod_security_context.run_as_group }}
- name: KUBERNETES_POD_SECURITY_CONTEXT_RUN_AS_GROUP
-  value: {{ .Values.runners.pod_security_context.run_as_group | quote }}
-{{-   end }}
-{{-   if .Values.runners.pod_security_context.fs_group }}
- name: KUBERNETES_POD_SECURITY_CONTEXT_FS_GROUP
-  value: {{ .Values.runners.pod_security_context.fs_group | quote }}
-{{-   end }}
-{{- end }}
+  value: {{ .Release.Namespace | quote }}
 {{- end }}
-{{- if .Values.runners.cache -}}
-{{ include "gitlab-runner.cache" . }}
 {{- end }}
 {{- if .Values.envVars -}}
 {{ range .Values.envVars }}

--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -41,7 +41,7 @@ Define the name of the secret containing the tokens
 Define the name of the s3 cache secret
 */}}
 {{- define "gitlab-runner.cache.secret" -}}
-{{- if .Values.runners.cache.secretName -}}
+{{- if hasKey .Values.runners.cache "secretName" -}}
 {{- .Values.runners.cache.secretName | quote -}}
 {{- end -}}
 {{- end -}}
@@ -53,26 +53,15 @@ Template for outputing the gitlabUrl
 {{- .Values.gitlabUrl | quote -}}
 {{- end -}}

-{{/*
-Template runners.cache.s3ServerAddress in order to allow overrides from external charts.
-*/}}
-{{- define "gitlab-runner.cache.s3ServerAddress" }}
-{{- default "" .Values.runners.cache.s3ServerAddress | quote -}}
-{{- end -}}
-
 {{/*
 Define the image, using .Chart.AppVersion and GitLab Runner image as a default value
 */}}
 {{- define "gitlab-runner.image" }}
-{{- if kindIs "string" .Values.image -}}
-{{- .Values.image }}
-{{- else -}}
 {{- $appVersion := ternary "bleeding" (print "v" .Chart.AppVersion) (eq .Chart.AppVersion "bleeding") -}}
 {{- $appVersionImageTag := printf "alpine-%s" $appVersion -}}
 {{- $imageTag := default $appVersionImageTag .Values.image.tag -}}
 {{- printf "%s/%s:%s" .Values.image.registry .Values.image.image $imageTag }}
 {{- end -}}
-{{- end -}}

 {{/*
 Define the server session timeout, using 1800 as a default value
@@ -106,3 +95,16 @@ lifecycle:
      command: ["/entrypoint", "unregister", "--all-runners"]
 {{- end -}}
 {{- end -}}
+
+{{/*
+Define if the registration token provided (if any)
+is an authentication token or not
+*/}}
+{{- define "gitlab-runner.isAuthToken" -}}
+{{- $isAuthToken := false -}}
+{{- $hasRegistrationToken := hasKey .Values "runnerRegistrationToken" -}}
+{{- if $hasRegistrationToken -}}
+{{-   $isAuthToken = (hasPrefix "glrt-" .Values.runnerRegistrationToken) -}}
+{{- end -}}
+{{- $isAuthToken -}}
+{{- end -}}
--- a/chart/templates/configmap.yaml
+++ b/chart/templates/configmap.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "gitlab-runner.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "gitlab-runner.fullname" . }}
    chart: {{ include "gitlab-runner.chart" . }}
@@ -60,16 +60,6 @@ data:
      export CI_SERVER_TOKEN=$(cat /secrets/runner-token)
    fi

-    {{- if and (not (empty .Values.runnerToken)) (ne "1" ((default "1" .Values.replicas) | toString)) }}
-    {{- fail "Using a runner token with more than 1 replica is not supported." }}
-    {{- end }}
-
-    # Validate this also at runtime in case the user has set a custom secret
-    if [[ ! -z "$CI_SERVER_TOKEN" && "{{ default 1 .Values.replicas }}" -ne "1" ]]; then
-      echo "Using a runner token with more than 1 replica is not supported."
-      exit 1
-    fi
-
    # Register the runner
    if ! sh /configmaps/register-the-runner; then
      exit 1
@@ -81,10 +71,14 @@ data:
    fi

    # Start the runner
-    exec /entrypoint run --user=gitlab-runner \
+    exec /entrypoint run \
+    {{- if and .Values.runners.executor (ne "shell" ((.Values.runners.executor) | toString)) }}
+      --user=gitlab-runner \
+    {{- end }}
      --working-directory=/home/gitlab-runner

  config.toml: |
+    shutdown_timeout = {{ .Values.shutdown_timeout }}
    concurrent = {{ .Values.concurrent }}
    check_interval = {{ .Values.checkInterval }}
    log_level = {{ default "info" .Values.logLevel | quote }}
@@ -92,7 +86,7 @@ data:
    log_format = {{ .Values.logFormat | quote }}
    {{- end }}
    {{- if .Values.metrics.enabled }}
-    listen_address = ':9252'
+    listen_address = ":{{ .Values.metrics.port }}"
    {{- end }}
    {{- if .Values.sentryDsn }}
    sentry_dsn = "{{ .Values.sentryDsn }}"
@@ -105,59 +99,43 @@ data:
    {{- end }}

  {{ if .Values.runners.config }}
-  config.template.toml: {{ tpl (toYaml .Values.runners.config) $ | indent 2 }}
+  config.template.toml: {{ tpl .Values.runners.config $ | toYaml | indent 2 }}
  {{ end }}

  register-the-runner: |
    #!/bin/bash
    MAX_REGISTER_ATTEMPTS=30

+    # Reset/unset the not needed flags when an authentication token
+    RUN_UNTAGGED="{{ ternary "--run-untagged=true" "" (and (hasKey .Values.runners "runUntagged") .Values.runners.runUntagged) }}"
+    ACCESS_LEVEL="{{ ternary "--access-level=ref_protected" "" (and (hasKey .Values.runners "protected") .Values.runners.protected) }}"
+
+    if [ ! -z "$REGISTRATION_TOKEN" ] && [ "${REGISTRATION_TOKEN#glrt-}" != "$REGISTRATION_TOKEN" ]; then
+      RUN_UNTAGGED=""
+      ACCESS_LEVEL=""
+      unset REGISTER_LOCKED
+      unset RUNNER_TAG_LIST
+    fi
+
    for i in $(seq 1 "${MAX_REGISTER_ATTEMPTS}"); do
      echo "Registration attempt ${i} of ${MAX_REGISTER_ATTEMPTS}"
      /entrypoint register \
-        {{- range .Values.runners.imagePullSecrets }}
-        --kubernetes-image-pull-secrets {{ . | quote }} \
-        {{- end }}
-        {{- range $key, $val := .Values.runners.nodeSelector }}
-        --kubernetes-node-selector {{ $key | quote }}:{{ $val | quote }} \
-        {{- end }}
-        {{- range .Values.runners.nodeTolerations }}
-        {{-   $keyValue := .key }}
-        {{-   if eq (.operator | default "Equal") "Equal"  }}
-        {{-     $keyValue = print $keyValue "=" (.value | default "" ) }}
-        {{-   end }}
-        --kubernetes-node-tolerations {{ $keyValue }}:{{ .effect | quote }} \
-        {{- end }}
-        {{- range $key, $value := .Values.runners.podLabels }}
-        --kubernetes-pod-labels {{ $key | quote }}:{{ $value | quote }} \
-        {{- end }}
-        {{- range $key, $val := .Values.runners.podAnnotations }}
-        --kubernetes-pod-annotations {{ $key | quote }}:{{ $val | quote }} \
-        {{- end }}
        {{- if and (hasKey .Values.runners "name") .Values.runners.name }}
        --name={{ .Values.runners.name | quote -}} \
        {{- end }}
        {{- if and (hasKey .Values.runners "maximumTimeout") .Values.runners.maximumTimeout }}
        --maximum-timeout={{ .Values.runners.maximumTimeout | quote -}} \
        {{- end }}
-        {{- range $key, $value := .Values.runners.env }}
-        --env {{ $key | quote -}} = {{- $value | quote }} \
-        {{- end }}
-        {{- if and (hasKey .Values.runners "runUntagged") .Values.runners.runUntagged }}
-        --run-untagged=true \
-        {{- end }}
-        {{- if and (hasKey .Values.runners "protected") .Values.runners.protected }}
-        --access-level="ref_protected" \
+        {{- if eq (include "gitlab-runner.isAuthToken" . ) "false" }}
+        ${RUN_UNTAGGED} \
        {{- end }}
-        {{- if .Values.runners.pod_security_context }}
-        {{-   if .Values.runners.pod_security_context.supplemental_groups }}
-        {{-     range $gid := .Values.runners.pod_security_context.supplemental_groups }}
-        --kubernetes-pod-security-context-supplemental-groups {{ $gid | quote }} \
-        {{-     end }}
-        {{-   end }}
+        {{- if eq (include "gitlab-runner.isAuthToken" . ) "false" }}
+        ${ACCESS_LEVEL} \
        {{- end }}
        {{- if .Values.runners.config }}
        --template-config /configmaps/config.template.toml \
+        {{- else if .Values.runners.configPath }}
+        --template-config {{ .Values.runners.configPath }} \
        {{- end }}
        --non-interactive

@@ -176,14 +154,17 @@ data:

  check-live: |
    #!/bin/bash
-    if /usr/bin/pgrep -f .*register-the-runner; then
-      exit 0
-    elif /usr/bin/pgrep gitlab.*runner; then
-      exit 0
-    else
+    set -eou pipefail
+
+    if ! /usr/bin/pgrep -f ".*register-the-runner"  > /dev/null && ! /usr/bin/pgrep -f "gitlab.*runner"  > /dev/null ; then
      exit 1
    fi

+    name=$(awk -F'"' '/^  name = ".*"/ { print $2 }' "${HOME%/root}/.gitlab-runner/config.toml")
+    url=$(awk -F'"' '/^  url = ".*"/ { print $2 }' "${HOME%/root}/.gitlab-runner/config.toml")
+
+    gitlab-runner verify -n "$name" -u "$url" 2>&1 | grep -E "is alive|is valid"
+
  {{- if and (eq (default 1.0 .Values.replicas) 1.0) .Values.sessionServer .Values.sessionServer.enabled }}
  set-session-server-address: |
    #!/bin/bash
@@ -214,7 +195,7 @@ data:
        | grep '"hostname":' | cut -d ":" -f2 | xargs)

      ADDRESS="${SERVICEHOSTNAME:-$SERVICEIP}"
-      
+
      if [ -z "${ADDRESS}" ]
      then
        echo "Service LoadBalancer External Address not yet available"

--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -2,12 +2,19 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "gitlab-runner.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "gitlab-runner.fullname" . }}
    chart: {{ include "gitlab-runner.chart" . }}
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
+    {{- range $key, $value := .Values.deploymentLabels }}
+    {{   $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+    {{- toYaml .Values.deploymentAnnotations | nindent 4 }}
+  {{- end }}
 spec:
  {{- if not .Values.hpa}}
  replicas: {{ default 1 .Values.replicas }}
@@ -28,7 +35,9 @@ spec:
        {{- end }}
      annotations:
        checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- if or .Values.runnerRegistrationToken .Values.runnerToken .Values.runners.secret }}
        checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+        {{- end }}
        {{- if .Values.metrics.enabled }}
        prometheus.io/scrape: 'true'
        prometheus.io/port: {{ .Values.metrics.port | quote }}
@@ -37,10 +46,15 @@ spec:
        {{   $key }}: {{ $value | quote }}
        {{- end }}
    spec:
+      {{- if hasKey .Values "automountServiceAccountToken" }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+      {{- end }}
      {{- if .Values.schedulerName }}
      schedulerName: {{ .Values.schedulerName }}
      {{- end }}
-      securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- with .Values.podSecurityContext }}
+      securityContext: {{ toYaml . | nindent 8 }}
+      {{- end }}
      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName | quote }}
@@ -84,8 +98,10 @@ spec:
          protocol: TCP
        {{- end }}
        volumeMounts:
+        {{- if or (include "gitlab-runner.cache.secret" .) .Values.runnerRegistrationToken .Values.runnerToken .Values.secrets .Values.runners.secret }}
        - name: projected-secrets
          mountPath: /secrets
+        {{- end }}
        - name: etc-gitlab-runner
          mountPath: /home/gitlab-runner/.gitlab-runner
        - name: configmaps
@@ -107,28 +123,15 @@ spec:
      - name: etc-gitlab-runner
        emptyDir:
          medium: "Memory"
+      {{- if or (include "gitlab-runner.cache.secret" .) .Values.runnerRegistrationToken .Values.runnerToken .Values.secrets .Values.runners.secret }}
      - name: projected-secrets
        projected:
          sources:
-            {{- if .Values.runners.cache.cacheType }}
-              # .Values.runners.cache.cacheType is deprecated: https://gitlab.com/gitlab-org/charts/gitlab-runner/-/issues/224
-            {{- end }}
-
-            {{- if and .Values.runners.cache .Values.runners.cache.cacheType }}
-            {{-   if and (include "gitlab-runner.cache.secret" .) (eq .Values.runners.cache.cacheType "s3") }}
-            - secret:
-                name: {{ include "gitlab-runner.cache.secret" . }}
-            {{-   end }}
-            {{-   if eq .Values.runners.cache.cacheType "gcs"}}
-            - secret:
-                # Outdated default secret "s3access" kept for compatibilty with older installs using it.
-                # Will be removed in next major release: https://gitlab.com/gitlab-org/charts/gitlab-runner/merge_requests/177
-                name: {{ default "s3access" (include "gitlab-runner.cache.secret" .) }}
-            {{-   end }}
-            {{- else if include "gitlab-runner.cache.secret" . }}
+            {{- if include "gitlab-runner.cache.secret" . }}
            - secret:
                name: {{ include "gitlab-runner.cache.secret" . }}
            {{- end }}
+            {{- if  or .Values.runnerRegistrationToken .Values.runnerToken .Values.runners.secret }}
            - secret:
                name: {{ include "gitlab-runner.secret" . }}
                items:
@@ -136,11 +139,12 @@ spec:
                    path: runner-registration-token
                  - key: runner-token
                    path: runner-token
-
+            {{- end }}
            {{- range .Values.secrets }}
            - secret:
 {{ toYaml . | indent 16 }}
            {{- end }}
+      {{- end }}
      {{- if .Values.certsSecretName }}
      - name: custom-certs
        secret:

--- a/chart/templates/hpa.yaml
+++ b/chart/templates/hpa.yaml
 {{- if .Values.hpa}}
+{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }}
+apiVersion: autoscaling/v2
+{{- else if .Capabilities.APIVersions.Has "autoscaling/v2beta2" }}
+apiVersion: autoscaling/v2beta2
+{{- else }}
 apiVersion: autoscaling/v2beta1
+{{- end }}
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ include "gitlab-runner.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+  namespace: {{ .Release.Namespace | quote }}
 spec:
  scaleTargetRef:
    apiVersion: apps/v1

--- a/chart/templates/role-binding.yaml
+++ b/chart/templates/role-binding.yaml
@@ -9,7 +9,7 @@ metadata:
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
  {{ if not .Values.rbac.clusterWideAccess -}}
-  namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+  namespace: {{ .Release.Namespace | quote }}
  {{- end }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io

--- a/chart/templates/role.yaml
+++ b/chart/templates/role.yaml
@@ -9,7 +9,7 @@ metadata:
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
  {{ if not .Values.rbac.clusterWideAccess -}}
-  namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+  namespace: {{ .Release.Namespace | quote }}
  {{- end }}
 rules:
 {{- if .Values.rbac.podSecurityPolicy.enabled }}
@@ -19,10 +19,10 @@ rules:
  resourceNames:
 {{ toYaml .Values.rbac.podSecurityPolicy.resourceNames | indent 2 }}
 {{- end }}
-{{- if or (empty .Values.rbac.rules) (or .Values.rbac.resources .Values.rbac.verbs) }}
+{{- if empty .Values.rbac.rules }}
 - apiGroups: [""]
-  resources: {{ (default (list "*") .Values.rbac.resources | toJson) }}
-  verbs: {{ (default (list "*") .Values.rbac.verbs | toJson) }}
+  resources: {{ (list "*") | toJson }}
+  verbs: {{ (list "*") | toJson }}
 {{- end -}}
 {{ range .Values.rbac.rules }}
 - apiGroups: {{ (default (list "") .apiGroups) | toJson }}

--- a/chart/templates/secrets.yaml
+++ b/chart/templates/secrets.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitlab-runner.secret" . }}
-  namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "gitlab-runner.fullname" . }}
    chart: {{ include "gitlab-runner.chart" . }}

--- a/chart/templates/service-account.yaml
+++ b/chart/templates/service-account.yaml
@@ -5,11 +5,11 @@ metadata:
  {{- if .Values.rbac.serviceAccountAnnotations }}
  annotations:
    {{- range $key, $value := .Values.rbac.serviceAccountAnnotations }}
-    {{   $key }}: {{ $value | quote }}
+    {{   $key }}: {{ tpl ($value) $ | quote }}
    {{- end }}
  {{- end}}
  name: {{ include "gitlab-runner.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "gitlab-runner.fullname" . }}
    chart: {{ include "gitlab-runner.chart" . }}