Update Ironbank to v15 (major)

6a0f482b · bigbang bot · Micah Nagel · 0d98b88e · 6a0f482b · 0d98b88e
Commit 6a0f482b authored 2 years ago by bigbang bot Committed by Micah Nagel 2 years ago
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [0.41.0-bb.0] - 2022-06-13
+### Updated
+- Update helm chart to v0.41.0 app version 15.0.0
+
 ## [0.39.0-bb.3] - 2022-05-26
 ### Changed
 - Minor port name change to support istio mTLS

--- a/MODIFICATIONS.md
+++ b/MODIFICATIONS.md
-# Modifications made to upstream chart
-## chart/Chart.yaml
- set custom BigBang chart version 
- add dependencies yaml for the gluon library
-
-## chart/values.yaml
- set image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:vX.X.X
- set gitlabUrl: http://gitlab-webservice-default.gitlab.svc.cluster.local:8181
- set unregisterRunners: true
- set concurrent: 50
- set rbac.create: true
- set runners.config and runners.*
- set runUntagged: true
- set protected: true
- set secret: gitlab-gitlab-runner-secret
- set securityContext.runAsUser: 998
- set securityContext.fsGroup: 996
- set securityContext.runAsUser: 1000
- set resources limits
- set BigBang additional values monitoring.enabled: false
-
-## chart/templates/deployment.yaml
- remove /usr/bin/dumb-init line 89. That path does not exist in IronBank hardened image
-
-## chart/.gitignore
- comment ```charts/*``` need to include the gluon tgz archive
-
-##  chart/charts/*.tgz
- run ```helm dependency update ./chart``` to update the downloaded archives
- commit any tar archives that were downloaded from the helm dependency update command.
- commit the requirements.lock that was generated. This prevents deployments from looking for new versions.
-
-
--- a/README.md
+++ b/README.md
 # gitlab-runner

-![Version: 0.39.0-bb.3](https://img.shields.io/badge/Version-0.39.0--bb.3-informational?style=flat-square) ![AppVersion: 14.9.1](https://img.shields.io/badge/AppVersion-14.9.1-informational?style=flat-square)
+![Version: 0.41.0-bb.0](https://img.shields.io/badge/Version-0.41.0--bb.0-informational?style=flat-square) ![AppVersion: 15.0.0](https://img.shields.io/badge/AppVersion-15.0.0-informational?style=flat-square)

 GitLab Runner

@@ -35,7 +35,7 @@ helm install gitlab-runner chart/

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| image | string | `"registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v14.9.1"` |  |
+| image | string | `"registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v15.0.0"` |  |
 | imagePullPolicy | string | `"IfNotPresent"` |  |
 | gitlabUrl | string | `"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181"` |  |
 | unregisterRunners | bool | `true` |  |
@@ -54,7 +54,7 @@ helm install gitlab-runner chart/
 | metrics.serviceMonitor.enabled | bool | `false` |  |
 | service.enabled | bool | `true` |  |
 | service.type | string | `"ClusterIP"` |  |
-| runners.config | string | `"[[runners]]\n  clone_url = \"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181\"\n  cache_dir = \"/tmp/gitlab-runner/cache\"\n  [runners.kubernetes]\n    namespace = \"{{.Release.Namespace}}\"\n    image = \"registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.6\"\n    helper_image = \"registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v14.9.1\"\n    image_pull_secrets = [\"private-registry\"]\n  [runners.kubernetes.pod_labels]\n    \"job_id\" = \"${CI_JOB_ID}\"\n    \"job_name\" = \"${CI_JOB_NAME}\"\n    \"pipeline_id\" = \"${CI_PIPELINE_ID}\"\n"` |  |
+| runners.config | string | `"[[runners]]\n  clone_url = \"http://gitlab-webservice-default.gitlab.svc.cluster.local:8181\"\n  cache_dir = \"/tmp/gitlab-runner/cache\"\n  [runners.kubernetes]\n    namespace = \"{{.Release.Namespace}}\"\n    image = \"registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.6\"\n    helper_image = \"registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v15.0.0\"\n    image_pull_secrets = [\"private-registry\"]\n  [runners.kubernetes.pod_labels]\n    \"job_id\" = \"${CI_JOB_ID}\"\n    \"job_name\" = \"${CI_JOB_NAME}\"\n    \"pipeline_id\" = \"${CI_PIPELINE_ID}\"\n"` |  |
 | runners.locked | bool | `false` |  |
 | runners.runUntagged | bool | `true` |  |
 | runners.protected | bool | `true` |  |

--- a/chart/.gitlab-ci.yml
+++ b/chart/.gitlab-ci.yml
@@ -50,17 +50,17 @@
 ############

 default:
-  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base-helm-3
  tags:
  - gitlab-org

 variables:
  GIT_CLONE_PATH: $CI_BUILDS_DIR/gitlab-runner
-  STABLE_REPO_URL: https://charts.helm.sh/stable

 stages:
 - test
 - release
+- post-release

 lint:
  extends:
@@ -69,12 +69,47 @@ lint:
  script:
  - helm lint .

+integration test:
+  extends:
+  - .rules:default
+  variables:
+    DOCKER_HOST: "tcp://kubernetes:2375/"
+    DOCKER_TLS_CERTDIR: ""
+    DOCKER_DRIVER: overlay2
+    INTEGRATION_RUNNER_NAME: integration-test-$CI_COMMIT_SHORT_SHA
+    INTEGRATION_HELM_POD_RELEASE_LABEL: release=$INTEGRATION_RUNNER_NAME
+  stage: test
+  services:
+  - name: docker:19.03.12-dind
+    alias: kubernetes
+  image: docker:19.03.12-git
+  script:
+    # Initialize KIND cluster
+  - apk add --no-cache openssl curl bash
+  - curl -Lo /usr/local/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.20.4/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
+  - curl -Lo /usr/local/bin/kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64 && chmod +x /usr/local/bin/kind
+  - kind create cluster --config=$(pwd)/scripts/kind-config.yaml
+  - kind get kubeconfig|sed -e 's/0.0.0.0/kubernetes/g' > kubeconfig.yaml
+  - export KUBECONFIG=$(pwd)/kubeconfig.yaml
+  - kubectl version
+  - kubectl cluster-info
+  - bash -c "for _i in {0..60}; do kubectl -n default get serviceaccount default -o name > /dev/null 2>&1 && break; sleep 1; done"
+  - bash -c "for _i in {0..60}; do kubectl get nodes|grep -w Ready > /dev/null 2>&1 && break; sleep 1; done"
+  # Install helm latest version instead of pre-installed one in registry.gitlab.com/gitlab-org/gitlab-build-images image
+  - curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+  # Run tests
+  - bash -x scripts/integration.sh
+  after_script:
+  - export KUBECONFIG=$(pwd)/kubeconfig.yaml
+  - bash -x scripts/integration_cleanup.sh
+  tags:
+  - gitlab-org-docker
+
 release development:
  extends:
  - .rules:release:development
  stage: release
  script:
-  - helm init --client-only --stable-repo-url=${STABLE_REPO_URL}
  - helm package .
  artifacts:
    paths:
@@ -91,7 +126,6 @@ release beta:
  script:
  - apk add --no-cache py-pip
  - pip install awscli
-  - helm init --client-only --stable-repo-url=${STABLE_REPO_URL}
  - 'beta_info=$(git describe --long | sed -r "s/v[0-9\.]+(-rc[0-9]+)?-//")'
  - 'build_time=$(date +%s)'
  - 'sed -r "s/(version: [0-9\.]+-beta)/\1-${build_time}-${beta_info}/" -i Chart.yaml'
@@ -119,9 +153,24 @@ release stable:
         --form "variables[RELEASE_REF]=$CI_COMMIT_REF_NAME"
         https://gitlab.com/api/v4/projects/2860651/trigger/pipeline

+trigger charts update:
+  extends:
+  - .rules:release:stable
+  stage: post-release
+  image: alpine:3.14
+  script:
+  - apk add --no-cache curl
+  - curl --fail-with-body
+         --request POST
+         --form "token=${GITLAB_CHARTS_TRIGGER_TOKEN}"
+         --form ref=master
+         --form "variables[DEPS_PIPELINE]=true"
+         https://gitlab.com/api/v4/projects/3828396/trigger/pipeline
+  needs:
+    - job: release stable
+
 ##############
 # Includes #
 ##############
 include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
-  
--- a/chart/CHANGELOG.md
+++ b/chart/CHANGELOG.md
+## v0.41.0 (2022-05-19)
+
+### New features
+
+- Update GitLab Runner version to 15.0.0
+- Add the ability to unregister only one runner !329 (LAKostis @LAKostis)
+- Remove init container and instead project secrets !312
+- Don't repeat chart name if release name starts with the chart name !232 (Ahmadali Shafiee @ahmadalli)
+
+### Maintenance
+
+- Use Helm 3 instead of 2.16.9 on lint/release jobs !342 (Takuya Noguchi @tnir)
+
+## v0.40.0 (2022-04-20)
+
+### New features
+
+- Update GitLab Runner version to 14.10.0
+- Add the possibility to configure maximum timeout that will be set for jobs when using the runner !341 (Adrien Gooris @adrien.gooris)
+
+### Maintenance
+
+- Add a post-release CI job to trigger a deps pipeline in Charts repo !339
+- Add helm install integration test !326
+- Make loadBalancerSourceRanges of Session Server configurable !334 (Matthias Baur @m.baur)
+
 ## v0.39.0 (2022-03-21)

 ### New Features

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v1
 name: gitlab-runner
-version: 0.39.0-bb.3
-appVersion: 14.9.1
+version: 0.41.0-bb.0
+appVersion: 15.0.0
 description: GitLab Runner
 keywords:
 - git
@@ -16,7 +16,7 @@ maintainers:
  email: support@gitlab.com
 annotations:
  bigbang.dev/applicationVersions: |
-    - Gitlab Runner: v14.9.1
+    - Gitlab Runner: v15.0.0
 dependencies:
  - name: gluon
    version: 0.2.9

--- a/chart/Kptfile
+++ b/chart/Kptfile
@@ -5,7 +5,7 @@ metadata:
 upstream:
  type: git
  git:
-    commit: 88a9d9c5b648645ddac080b6c4b040534b426471
+    commit: 2b12d79e870068e91411ec4cd4aec0bf82f3d1ef
    repo: https://gitlab.com/gitlab-org/charts/gitlab-runner
    directory: /
-    ref: v0.39.0
+    ref: v0.41.0
--- a/chart/scripts/integration.sh
+++ b/chart/scripts/integration.sh
+#!/bin/bash
+
+INTEGRATION_RUNNER_NAME=${INTEGRATION_RUNNER_NAME:-integration-runner}
+INTEGRATION_HELM_POD_RELEASE_LABEL=${INTEGRATION_HELM_POD_RELEASE_LABEL:-release=$INTEGRATION_RUNNER_NAME}
+
+helm install -f values.yaml --timeout 5m --wait --set gitlabUrl="$CI_SERVER_URL",runnerRegistrationToken="$REGISTRATION_TOKEN" "$INTEGRATION_RUNNER_NAME" .
+
+kubectl describe pod -l "$INTEGRATION_HELM_POD_RELEASE_LABEL"
+
+timeout 60s grep -m1 "Runner registered successfully" <(kubectl logs -f -l "$INTEGRATION_HELM_POD_RELEASE_LABEL")
+
+exit_code="$?"
+
+kubectl logs -l "$INTEGRATION_HELM_POD_RELEASE_LABEL"
+
+exit $exit_code
--- a/chart/scripts/integration_cleanup.sh
+++ b/chart/scripts/integration_cleanup.sh
+#!/bin/bash
+
+INTEGRATION_RUNNER_NAME=${INTEGRATION_RUNNER_NAME:-integration-runner}
+HELM_POD_RELEASE_LABEL=${HELM_POD_RELEASE_LABEL:-release=$INTEGRATION_RUNNER_NAME}
+
+helm uninstall --timeout=2m --wait "$INTEGRATION_RUNNER_NAME"
\ No newline at end of file
--- a/chart/scripts/kind-config.yaml
+++ b/chart/scripts/kind-config.yaml
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  apiServerAddress: "0.0.0.0"
+  apiServerPort: 6443
\ No newline at end of file
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -15,7 +15,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{-     .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{-   else -}}
 {{-     $name := default .Chart.Name .Values.nameOverride -}}
-{{-     printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{-     if hasPrefix $name .Release.Name -}}
+{{-       .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{-     else -}}
+{{-       printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{-     end -}}
 {{-   end -}}
 {{- end -}}

@@ -87,7 +91,19 @@ Define the server session external port, using 8093 as a default value
 {{- end -}}

 {{/*
-Unregister runners on pod stop
+Unregister runner on pod stop
+*/}}
+{{- define "gitlab-runner.unregisterRunner" -}}
+{{- if or (and (hasKey .Values "unregisterRunner") .Values.unregisterRunner) (and (not (hasKey .Values "unregisterRunner")) .Values.runnerRegistrationToken) -}}
+lifecycle:
+  preStop:
+    exec:
+      command: ["/entrypoint", "unregister", "--config=/home/gitlab-runner/.gitlab-runner/config.toml"]
+{{- end -}}
+{{- end -}}
+
+{{/*
+Unregister all runners on pod stop
 */}}
 {{- define "gitlab-runner.unregisterRunners" -}}
 {{- if or (and (hasKey .Values "unregisterRunners") .Values.unregisterRunners) (and (not (hasKey .Values "unregisterRunners")) .Values.runnerRegistrationToken) -}}

--- a/chart/templates/configmap.yaml
+++ b/chart/templates/configmap.yaml
@@ -107,9 +107,6 @@ data:
  config.template.toml: {{ tpl (toYaml .Values.runners.config) $ | indent 2 }}
  {{ end }}

-  configure: |
-    set -e
-    cp /init-secrets/* /secrets
  register-the-runner: |
    #!/bin/bash
    MAX_REGISTER_ATTEMPTS=30
@@ -139,6 +136,9 @@ data:
        {{- if and (hasKey .Values.runners "name") .Values.runners.name }}
        --name={{ .Values.runners.name | quote -}} \
        {{- end }}
+        {{- if and (hasKey .Values.runners "maximumTimeout") .Values.runners.maximumTimeout }}
+        --maximum-timeout={{ .Values.runners.maximumTimeout | quote -}} \
+        {{- end }}
        {{- range $key, $value := .Values.runners.env }}
        --env {{ $key | quote -}} = {{- $value | quote }} \
        {{- end }}

--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -52,32 +52,6 @@ spec:
        {{-   end}}
        {{- end}}
      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
-      initContainers:
-      - name: configure
-        command: ['sh', '/configmaps/configure']
-        image: {{ include "gitlab-runner.image" . }}
-        imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
-        securityContext:
-          allowPrivilegeEscalation: false
-        env:
-        {{ include "gitlab-runner.runner-env-vars" . | indent 8 }}
-        volumeMounts:
-        - name: runner-secrets
-          mountPath: /secrets
-          readOnly: false
-        - name: configmaps
-          mountPath: /configmaps
-          readOnly: true
-        - name: init-runner-secrets
-          mountPath: /init-secrets
-          readOnly: true
-        {{- if .Values.certsSecretName }}
-        - name: custom-certs
-          readOnly: true
-          mountPath: /home/gitlab-runner/.gitlab-runner/certs/
-        {{- end }}
-        resources:
-{{ toYaml .Values.resources | indent 10 }}
      serviceAccountName: {{ if .Values.rbac.create }}{{ include "gitlab-runner.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
      containers:
      - name: {{ include "gitlab-runner.fullname" . }}
@@ -85,6 +59,7 @@ spec:
        imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
        securityContext:
          allowPrivilegeEscalation: false
+        {{- include "gitlab-runner.unregisterRunner" . | nindent 8 }}
        {{- include "gitlab-runner.unregisterRunners" . | nindent 8 }}
        command: ["/bin/bash", "/configmaps/entrypoint"]
        env:
@@ -114,7 +89,7 @@ spec:
          protocol: TCP
        {{- end }}
        volumeMounts:
-        - name: runner-secrets
+        - name: projected-secrets
          mountPath: /secrets
        - name: etc-gitlab-runner
          mountPath: /home/gitlab-runner/.gitlab-runner
@@ -134,7 +109,7 @@ spec:
      - name: etc-gitlab-runner
        emptyDir:
          medium: "Memory"
-      - name: init-runner-secrets
+      - name: projected-secrets
        projected:
          sources:
            {{- if .Values.runners.cache.cacheType }}

--- a/chart/templates/service-session-server.yaml
+++ b/chart/templates/service-session-server.yaml
@@ -17,6 +17,10 @@ spec:
  {{- if .Values.sessionServer.publicIP }}
  loadBalancerIP: {{ .Values.sessionServer.publicIP }}
  {{- end }}
+  {{- if .Values.sessionServer.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+    {{- toYaml .Values.sessionServer.loadBalancerSourceRanges | nindent 4 }}
+  {{- end }}
  ports:
  - protocol: TCP
    port: {{ include "gitlab-runner.server-session-external-port" . }}

--- a/chart/tests/cypress/04-gitlab-create-project.spec.js
+++ b/chart/tests/cypress/04-gitlab-create-project.spec.js
@@ -12,7 +12,7 @@ describe('Create Gitlab Project', () => {
    cy.get('input[id="user_login"]').type(Cypress.env('gitlab_username'))
    cy.get('input[id="user_password"]').type(Cypress.env('gitlab_password'))
    cy.get('button[type="submit"][name="button"]').click()
-
+    
    // if first login assign Developer role with the joining_team objective
    cy.url().then(($url) => {
      if ($url.includes('welcome')) {
@@ -21,7 +21,7 @@ describe('Create Gitlab Project', () => {
        cy.get('button[type="submit"]').click()
      }
    })
-
+    
    // check if project exists
    cy.get('body').then($body => {
      if ($body.find('.project-row').length === 0) {
@@ -36,4 +36,4 @@ describe('Create Gitlab Project', () => {
    })

  })
-})
+})
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -9,7 +9,7 @@
 ##       don't forget to change the securityContext;
 ##       these images run on different user IDs.
 ##
-image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v14.9.1
+image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v15.0.0

 ## Specify a imagePullPolicy for the main runner deployment
 ## 'Always' if imageTag is 'latest', else set to 'IfNotPresent'
@@ -57,6 +57,19 @@ gitlabUrl: http://gitlab-webservice-default.gitlab.svc.cluster.local:8181
 ##
 # runnerToken: ""
 #
+
+## Unregister runner before termination
+##
+## Updating the runner's chart version or configuration will cause the runner container
+## to be terminated and created again. This may cause your Gitlab instance to reference
+## non-existant runners. Un-registering the runner before termination mitigates this issue.
+## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-unregister
+##
+## Please set unregisterRunners to false if you set unregisterRunner to true as only
+## one preStop action is supported.
+##
+# unregisterRunner: true
+
 ## Unregister all runners before termination
 ##
 ## Updating the runner's chart version or configuration will cause the runner container
@@ -126,6 +139,8 @@ sessionServer:
  # internalPort: 8093
  # externalPort: 9000
  # publicIP: ""
+  # loadBalancerSourceRanges:
+  #   - 1.2.3.4/32

 ## For RBAC support:
 rbac:
@@ -307,7 +322,7 @@ runners:
      [runners.kubernetes]
        namespace = "{{.Release.Namespace}}"
        image = "registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.6"
-        helper_image = "registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v14.9.1"
+        helper_image = "registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v15.0.0"
        image_pull_secrets = ["private-registry"]
      [runners.kubernetes.pod_labels]
        "job_id" = "${CI_JOB_ID}"
@@ -347,7 +362,7 @@ runners:

  ## Specify the tags associated with the runner. Comma-separated list of tags.
  ##
-  ## ref: https://docs.gitlab.com/ce/ci/runners/#use-tags-to-limit-the-number-of-jobs-using-the-runner
+  ## ref: https://docs.gitlab.com/ee/ci/runners/configure_runners.html#use-tags-to-control-which-jobs-a-runner-can-run
  ##
  # tags: ""

@@ -355,6 +370,10 @@ runners:
  ##
  # name: ""

+  ## Specify the maximum timeout (in seconds) that will be set for job when using this Runner
+  ##
+  # maximumTimeout: ""
+
  ## Specify if jobs without tags should be run.
  ## If not specified, Runner will default to true if no tags were specified. In other case it will
  ## default to false.

--- a/docs/DEVELOPMENT_MAINTENANCE.md
+++ b/docs/DEVELOPMENT_MAINTENANCE.md
+# How to upgrade the Gitlab Runner Package chart
+BigBang makes modifications to the upstream helm chart. The full list of changes is at the end of  this document.
+1. Rennovate may have aleady made changes in the development branch. If that is the case then just verify that the changes are correct as you go through these steps.
+1. Discover the chart version tag that matches with the application version from the [upstream chart](https://gitlab.com/gitlab-org/charts/gitlab-runner) by looking at the Chart.yaml. Do diff between old and new release tags to become aware of any significant chart changes. A graphical diff tool such as [Meld](https://meldmerge.org/) is useful. You can see where the current helm chart came from by inspecting ```/chart/kptfile```
+1. Read the /CHANGELOG.md from the release tag from upstream [upstream chart](https://gitlab.com/gitlab-org/charts/gitlab-runner). Also, be aware of changes in the Gitlab chart that could affect the runner chart. Take note of any special upgrade instructions, if any.
+1. If Rennovate has not created a development branch and merge request then manually create them.
+1. Merge/Sync the new helm chart with the existing Gitlab Runner package code. A graphical diff tool like [Meld](https://meldmerge.org/) is useful. Reference the "Modifications made to upstream chart" section below. Be careful not to overwrite Big Bang Package changes that need to be kept. Note that some files will have combinations of changes that you will overwite and changes that you keep. Stay alert. The hardest file to update is the ```/chart/values.yaml``` because many defaults are changed.
+1. Look in ```/chart/Chart.yaml``` at the dependencies and verify that you have the most recent version of the [Bigbang Gluon](https://repo1.dso.mil/platform-one/big-bang/apps/library-charts/gluon/-/tags) library. If not, delete the ```/chart/charts/gluon-x.x.x.tgz``` file and the ```/requirements.lock``` file. You will replace these files in the next step.
+1. Run a helm dependency command to update the chart/charts/*.tgz archives and create a new requirements.lock file. You will commit the tar archives along with the requirements.lock that was generated.
+    ```bash
+    helm dependency update ./chart
+    ```
+1. In ```/chart/values.yaml``` update all the gitlab image tags to the new version. There are 3 images: gitlab-runner, gitlab-runner-helper, and the ubi.
+1. Update the Kptfile to point to the new tag and commit hash of the upstream repo.
+1. Update ```/tests/images.txt``` with the new image tags. This file insures that the images are packaged in the pipelienes.
+1. Update /CHANGELOG.md with an entry for "upgrade gitlab-runner to app version X.X.X chart version X.X.X-bb.X". Or, whatever description is appropriate.
+1. Update the /README.md following the [gluon library script](https://repo1.dso.mil/platform-one/big-bang/apps/library-charts/gluon/-/blob/master/docs/bb-package-readme.md)
+1. Update /chart/Chart.yaml to the appropriate versions. The annotation version is the actual image tag and should match the ```appVersion``` with a prepended `v`.
+    ```yaml
+    version: X.X.X-bb.X
+    appVersion: X.X.X
+    annotations:
+      bigbang.dev/applicationVersions: |
+        - Gitlab Runner: vX.X.X
+    dependencies:
+      - name: gluon
+        version: X.X.X
+        repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
+    ```
+1. Use a development environment to deploy and test Gitlab Runner. See more detailed testing instructions in [Gitlab Package documentation](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/blob/main/docs/DEVELOPMENT_MAINTENANCE.md). Test with Gitlab Package enabled to make sure the new gitlab-runner version still works with Gitlab. Also test an upgrade by deploying the old version first and then deploying the new version. Verify that the upgrade goes smoothly.
+1. When the Package pipeline runs expect the cypress tests to fail due to UI changes. Note that most of the cypress test files are synced from the [Gitlab Package](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/tree/main/chart/tests/cypress) to avoid having two different versions of the same tests. Gitlab-runner has a fifth `05` test that the Gitlab package does not have. If you sync the first 4 cypress tests from Gitlab you sholud not have any trouble. See the [Gitlab Package documentation](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/blob/main/docs/DEVELOPMENT_MAINTENANCE.md) if you do need to run the cypress tests locally.
+1. Update the /README.md again if you have made any additional changes during the upgrade/testing process.
+
+
+# Testing new Gitlab Runner version
+1. Follow the testing instructions from the [Gitlab Package documentation](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/blob/main/docs/DEVELOPMENT_MAINTENANCE.md). The details are not repeated here. 
+
+# Modifications made to upstream chart
+This is a high-level list of modifitations that Big Bang has made to the upstream helm chart. You can use this as as cross-check to make sure that no modifications were lost during the upgrade process.
+
+##  /chart/charts/*.tgz
+- The BigBang Gluon library is added to the chart. Run ```helm dependency update ./chart```.
+- commit the tar archive that was downloaded from the helm dependency update command. And also commit the requirements.lock that was generated.
+
+## /chart/dashboards/*
+- add Grafana dashboards
+
+## /chart/templates/bigbang/*
+- add support for Grafana dashboards
+
+## /chart/templates/tests/*
+- add templates for helm tests
+
+## chart/templates/deployment.yaml
+- remove "/usr/bin/dumb-init", "--", line 64. That path does not exist in IronBank hardened image
+
+## /chart/tests/cypress/*
+- add cypress tests scripts
+
+## /chart/.gitignore
+- comment the ```charts/*```
+
+## /chart/Chart.yaml
+- The Chart.yaml is updated with BigBang version changes and dependencies
+
+## /Kptfile
+- Add the Kptfile to point to the upstream repo
+
+## /requirements.lock
+- added by the helm dependency update
+
+## /chart/values.yaml
+- GitlabUrl: http://gitlab-webservice-default.gitlab.svc.cluster.local:8181
+- unregisterRunners: true
+- concurrent: 50
+- rbac.create: true
+- portName: tcp-metrics
+- service.enabled: true
+- runners.config:  multiple changes
+- locked: false
+- runUntagged: true
+- protected: true
+- secret: gitlab-gitlab-runner-secret
+- securityContext: changes to work with IB images
+- resources: set requests and limits to the same values
\ No newline at end of file
--- a/tests/images.txt
+++ b/tests/images.txt
-registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v14.9.1
+registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v15.0.0
 registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.6