Merge branch 'renovate/major-ironbank' into 'main'

Update Ironbank to v17 (major)

See merge request !160

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.65.0-bb.0] - 2024-05-24
+### Changed
+- Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner 16.11.0 -> 17.0.0
+- Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper 16.11.1 -> 17.0.0
+
 ## [0.64.0-bb.0] - 2024-05-02
 ### Changed
 - Updated gluon 0.4.10 -> 0.5.0

README.md

 # gitlab-runner
 
-![Version: 0.64.0-bb.0](https://img.shields.io/badge/Version-0.64.0--bb.0-informational?style=flat-square) ![AppVersion: 16.11.0](https://img.shields.io/badge/AppVersion-16.11.0-informational?style=flat-square)
+![Version: 0.65.0-bb.0](https://img.shields.io/badge/Version-0.65.0--bb.0-informational?style=flat-square) ![AppVersion: 17.0.0](https://img.shields.io/badge/AppVersion-17.0.0-informational?style=flat-square)
 
 GitLab Runner
 
@@ -38,14 +38,14 @@ helm install gitlab-runner chart/
 |-----|------|---------|-------------|
 | image.registry | string | `"registry1.dso.mil"` |  |
 | image.image | string | `"ironbank/gitlab/gitlab-runner/gitlab-runner"` |  |
-| image.tag | string | `"v16.11.0"` |  |
+| image.tag | string | `"v17.0.0"` |  |
 | useTini | bool | `true` |  |
 | imagePullPolicy | string | `"IfNotPresent"` |  |
 | gitlabUrl | string | `"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181"` |  |
 | terminationGracePeriodSeconds | int | `3600` |  |
 | concurrent | int | `50` |  |
 | shutdown_timeout | int | `0` |  |
-| checkInterval | int | `30` |  |
+| checkInterval | int | `3` |  |
 | sessionServer.enabled | bool | `false` |  |
 | rbac.create | bool | `true` |  |
 | rbac.generatedServiceAccountName | string | `""` |  |
@@ -64,7 +64,7 @@ helm install gitlab-runner chart/
 | runners.job.tag | string | `"9.4"` |  |
 | runners.helper.registry | string | `"registry1.dso.mil"` |  |
 | runners.helper.repository | string | `"ironbank/gitlab/gitlab-runner/gitlab-runner-helper"` |  |
-| runners.helper.tag | string | `"v16.11.0"` |  |
+| runners.helper.tag | string | `"v17.0.0"` |  |
 | runners.config | string | `"[[runners]]\n  clone_url = \"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181\"\n  cache_dir = \"/tmp/gitlab-runner/cache\"\n  [runners.kubernetes]\n    pull_policy = \"always\"\n    namespace = \"{{.Release.Namespace}}\"\n    image = \"{{ printf \"%s/%s:%s\" .Values.runners.job.registry .Values.runners.job.repository .Values.runners.job.tag }}\"\n    helper_image = \"{{ printf \"%s/%s:%s\" .Values.runners.helper.registry .Values.runners.helper.repository .Values.runners.helper.tag }}\"\n    image_pull_secrets = [\"private-registry\"]\n  [runners.kubernetes.pod_security_context]\n    run_as_non_root = true\n    run_as_user = 1001\n  [runners.kubernetes.helper_container_security_context]\n    run_as_non_root = true\n    run_as_user = 1001\n  [runners.kubernetes.pod_labels]\n    \"job_id\" = \"${CI_JOB_ID}\"\n    \"job_name\" = \"${CI_JOB_NAME}\"\n    \"pipeline_id\" = \"${CI_PIPELINE_ID}\"\n    \"app\" = \"gitlab-runner\"\n"` |  |
 | runners.configPath | string | `""` |  |
 | runners.locked | bool | `false` |  |

chart/.gitlab-ci.yml

+##############
+# Conditions #
+##############
+
+.if-merge-request-pipeline: &if-merge-request-pipeline
+  if: $CI_PIPELINE_SOURCE == "merge_request_event"
+
+.if-default-branch: &if-default-branch
+  if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+.if-stable-release-branch: &if-stable-release-branch
+  if: $CI_COMMIT_REF_NAME =~ /\A[0-9]+-[0-9]+-stable\z/
+
+.if-release-tag: &if-release-tag
+  if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ && $CI_PROJECT_URL == "https://gitlab.com/gitlab-org/charts/gitlab-runner"'
+
+.if-security-release-tag: &if-security-release-tag
+  if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ && $CI_PROJECT_URL == "https://gitlab.com/gitlab-org/security/charts/gitlab-runner"'
+
+#########
+# Rules #
+#########
+
+.rules:default:
+  rules:
+  - <<: *if-merge-request-pipeline
+  - <<: *if-default-branch
+  - <<: *if-stable-release-branch
+  - <<: *if-release-tag
+  - <<: *if-security-release-tag
+
+.rules:release:development:
+  rules:
+  - <<: *if-default-branch
+    when: never
+  - <<: *if-merge-request-pipeline
+    when: manual
+
+.rules:release:beta:
+  rules:
+  - <<: *if-default-branch
+
+.rules:release:stable:
+  rules:
+  - <<: *if-release-tag
+  - <<: *if-security-release-tag
+
+############
+# Pipeline #
+############
+
+default:
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base-helm-3.7
+  tags:
+  - gitlab-org
+
+variables:
+  GIT_CLONE_PATH: $CI_BUILDS_DIR/gitlab-runner
+  ALPINE_IMAGE_TAG:             "3.18"
+  HELM_UNITTEST_PLUGIN_VERSION: "0.3.4"
+  KIND_VERSION:                 "v0.20.0"
+  KUBECTL_VERSION:              "v1.27.4"
+
+stages:
+- test
+- release
+- post-release
+
+lint:
+  extends:
+  - .rules:default
+  stage: test
+  script:
+  - helm lint .
+
+unit_tests:
+  extends:
+    - .rules:default
+  script:
+    - helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${HELM_UNITTEST_PLUGIN_VERSION}
+    - helm unittest .
+
+.integration_test:
+  extends:
+  - .rules:default
+  variables:
+    DOCKER_HOST: "tcp://kubernetes:2375/"
+    DOCKER_TLS_CERTDIR: ""
+    DOCKER_DRIVER: overlay2
+    INTEGRATION_HELM_POD_RELEASE_LABEL: release=$INTEGRATION_RUNNER_NAME
+  stage: test
+  services:
+  - name: docker:20.10.16-dind
+    alias: kubernetes
+  image: docker:20.10.16-git
+  before_script:
+  - apk add --no-cache openssl curl bash curl-dev
+  - bash scripts/check_token.sh "${TOKEN_TYPE}" "${TOKEN}"
+  script:
+    # Initialize KIND cluster
+  - curl -Lo /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
+  - curl -Lo /usr/local/bin/kind https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-linux-amd64 && chmod +x /usr/local/bin/kind
+  - kind create cluster --config=$(pwd)/scripts/kind-config.yaml
+  - kind get kubeconfig|sed -e 's/0.0.0.0/kubernetes/g' > kubeconfig.yaml
+  - export KUBECONFIG=$(pwd)/kubeconfig.yaml
+  - kubectl version
+  - kubectl cluster-info
+  - bash -c "for _i in {0..60}; do kubectl -n default get serviceaccount default -o name > /dev/null 2>&1 && break; sleep 1; done"
+  - bash -c "for _i in {0..60}; do kubectl get nodes|grep -w Ready > /dev/null 2>&1 && break; sleep 1; done"
+  # Install helm latest version instead of pre-installed one in registry.gitlab.com/gitlab-org/gitlab-build-images image
+  - curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+  # Run tests
+  - bash -x scripts/integration.sh "${TOKEN_TYPE}" "${TOKEN}" "${VALUE_YAML_FILE}"
+  after_script:
+  - >
+    [ ! -f $(pwd)/kubeconfig.yaml ] && exit 0
+  - export KUBECONFIG=$(pwd)/kubeconfig.yaml
+  - bash -x scripts/integration_cleanup.sh
+  tags:
+  - gitlab-org-docker
+
+# Registration token is deprecated and will be removed in GitLab 18.0
+# This integration test also will be removed in GitLab 18.0
+# Disabled because this was removed in GitLab 17.0 instead of 18.0
+# integration test registration token:
+#   extends:
+#   - .integration_test
+#   variables:
+#     INTEGRATION_RUNNER_NAME: integration-test-$CI_COMMIT_SHORT_SHA-registration-token
+#     TOKEN_TYPE: "registration"
+#     TOKEN: $REGISTRATION_TOKEN
+#     VALUE_YAML_FILE: "./values.yaml"
+
+integration test authentication token:
+  extends:
+  - .integration_test
+  variables:
+    INTEGRATION_RUNNER_NAME: integration-test-$CI_COMMIT_SHORT_SHA-authentication-token
+    TOKEN_TYPE: "authentication"
+    TOKEN: $AUTHENTICATION_TOKEN
+    VALUE_YAML_FILE: "./values.yaml"
+
+integration test mount empty dir:
+  extends:
+  - .integration_test
+  variables:
+    INTEGRATION_RUNNER_NAME: "integration-test-$CI_COMMIT_SHORT_SHA-empty-dir"
+    TOKEN_TYPE: "authentication"
+    TOKEN: $AUTHENTICATION_TOKEN
+    VALUE_YAML_FILE: "./scripts/empty-dir.yaml"
+
+release development:
+  extends:
+  - .rules:release:development
+  stage: release
+  script:
+  - helm package .
+  artifacts:
+    paths:
+    - gitlab-runner*.tgz
+    expire_in: 7d
+  allow_failure: true
+
+release beta:
+  extends:
+  - .rules:release:beta
+  stage: release
+  variables:
+    S3_URL: s3://${S3_BUCKET}${S3_PATH}
+    REPO_URL: https://${S3_BUCKET}.s3.amazonaws.com${S3_PATH}
+  script:
+  - apk add --no-cache py-pip
+  - pip install awscli
+  - 'beta_info=$(git describe --long | sed -r "s/v[0-9\.]+(-rc[0-9]+)?-//")'
+  - 'build_time=$(date +%s)'
+  - 'sed -r "s/(version: [0-9\.]+-beta)/\1-${build_time}-${beta_info}/" -i Chart.yaml'
+  - 'sed -r "s/appVersion: .*/appVersion: bleeding/" -i Chart.yaml'
+  - 'sed -r "s/imagePullPolicy: IfNotPresent/imagePullPolicy: Always/" -i values.yaml'
+  - mkdir -p public/
+  - aws s3 cp ${S3_URL}/index.yaml public/index.yaml || true
+  - (cd public; helm package ../)
+  - helm repo index public --merge public/index.yaml --url ${REPO_URL}
+  - aws s3 sync public ${S3_URL} --acl public-read
+  - 'echo "To install repository run: helm repo add gitlab-runner-beta ${REPO_URL} && helm repo update"'
+
+release stable:
+  extends:
+  - .rules:release:stable
+  stage: release
+  image: alpine:${ALPINE_IMAGE_TAG}
+  script:
+  - apk add --no-cache curl
+  - curl --fail-with-body
+         --request POST
+         --form "token=$CI_JOB_TOKEN"
+         --form ref=master
+         --form "variables[CHART_NAME]=$CI_PROJECT_NAME"
+         --form "variables[RELEASE_REF]=$CI_COMMIT_REF_NAME"
+         https://gitlab.com/api/v4/projects/2860651/trigger/pipeline
+
+trigger charts update:
+  extends:
+  - .rules:release:stable
+  stage: post-release
+  image: alpine:${ALPINE_IMAGE_TAG}
+  script:
+  - apk add --no-cache curl
+  - curl --fail-with-body
+         --request POST
+         --form "token=${GITLAB_CHARTS_TRIGGER_TOKEN}"
+         --form ref=master
+         --form "variables[DEPS_PIPELINE]=true"
+         https://gitlab.com/api/v4/projects/3828396/trigger/pipeline
+  needs:
+    - job: release stable
+
+##############
+# Includes #
+##############
+include:
+  - template: Security/Dependency-Scanning.gitlab-ci.yml

chart/CHANGELOG.md

+## v0.65.0 (2024-05-23)
+
+### New features
+
+- Update GitLab Runner version to v17.0.0
+
+### Maintenance
+
+- Default to https in values.yaml !470
+
+### Other changes
+
+- chore: set the checkInterval value the same as in the main documents. !472 (Michel Santello @michel.santello)
+
+## v0.64.1 (2024-05-03)
+
+### New features
+
+- Update GitLab Runner version to v16.11.1
+
 ## v0.64.0 (2024-04-18)
 
 ### New features

chart/Chart.yaml

 apiVersion: v2
 name: gitlab-runner
-version: 0.64.0-bb.0
-appVersion: 16.11.0
+version: 0.65.0-bb.0
+appVersion: 17.0.0
 description: GitLab Runner
 keywords:
 - git
@@ -21,12 +21,12 @@ dependencies:
     repository: oci://registry1.dso.mil/bigbang
 annotations:
   bigbang.dev/applicationVersions: |
-    - Gitlab Runner: v16.11.0
+    - Gitlab Runner: v17.0.0
   helm.sh/images: |
     - name: gitlab-runner
-      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v16.11.0
+      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v17.0.0
     - name: gitlab-runner-helper
-      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v16.11.0
+      image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v17.0.0
     - name: ubi9
       image: registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.4
 

chart/Kptfile

@@ -5,7 +5,7 @@ metadata:
 upstream:
   type: git
   git:
-    commit: 496fb93cdc60b2373f2442479bd2de43619103bc
+    commit: e3df4d644b3c152ac35c2005ae8559e14af1aaf0
     repo: https://gitlab.com/gitlab-org/charts/gitlab-runner
     directory: /
-    ref: v0.64.0
+    ref: v0.65.0

chart/values.yaml

@@ -12,7 +12,7 @@
 image:
   registry: registry1.dso.mil
   image: ironbank/gitlab/gitlab-runner/gitlab-runner
-  tag: v16.11.0
+  tag: v17.0.0
 
 ## When using GitLab Runner Helm Chart with gitlab-runner-ubi-images (https://gitlab.com/gitlab-org/ci-cd/gitlab-runner-ubi-images/container_registry)
 ## the installation fails because dumb-init is not packaged in the image. However, the tini is present.
@@ -71,7 +71,7 @@ gitlabUrl: http://gitlab-webservice-default.gitlab.svc.cluster.local:8181
 ## non-existant runners. Un-registering the runner before termination mitigates this issue.
 ## ref: https://docs.gitlab.com/runner/commands/index.html#gitlab-runner-unregister
 ##
-# unregisterRunners: true
+unregisterRunners: true
 
 ## When stopping the runner, give it time to wait for its jobs to terminate.
 ##
@@ -101,7 +101,7 @@ shutdown_timeout: 0
 ## Defines in seconds how often to check GitLab for a new builds
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
 ##
-checkInterval: 30
+checkInterval: 3
 
 ## Configure GitLab Runner's logging level. Available values are: debug, info, warn, error, fatal, panic
 ## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section
@@ -335,7 +335,7 @@ runners:
   helper:
     registry: registry1.dso.mil
     repository: ironbank/gitlab/gitlab-runner/gitlab-runner-helper
-    tag: "v16.11.0"
+    tag: "v17.0.0"
 
   # runner configuration, where the multi line strings is evaluated as
   # template so you can specify helm values inside of it.
@@ -377,7 +377,7 @@ runners:
   ##
   ## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
   ##
-  locked: false
+  locked: true
 
   ## DEPRECATED: Specify the tags associated with the runner. Comma-separated list of tags.
   ##
@@ -399,13 +399,13 @@ runners:
   ##
   ## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
   ##
-  runUntagged: true
+  # runUntagged: true
 
   ## DEPRECATED: Specify whether the runner should only run protected branches.
   ##
   ## ref: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
   ##
-  protected: true
+  # protected: true
 
   ## The name of the secret containing runner-token and runner-registration-token
   secret: gitlab-gitlab-runner-secret

tests/images.txt

-registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v16.11.0
+registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v17.0.0
 registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.4