Merge branch '9-upgrade-gitlab-runner-to-13-12-0' into 'main'

Resolve "upgrade gitlab-runner to 13.12.0"

Closes #9

See merge request platform-one/big-bang/apps/developer-tools/gitlab-runner!21

.gitignore

 .idea
 .DS_Store
 
-*.tgz
-*.lock
\ No newline at end of file
+#*.tgz
+#*.lock
\ No newline at end of file

CHANGELOG.md

@@ -16,10 +16,19 @@
 - add template for service
 - add templated for servicemonitor
 
+## chart/.gitignore
+- comment ```charts/*``` need to include the gluon tgz archive
+
+## chart/requirements.yaml
+- add requirements file for the gluon library
+
 # Changelog
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.29.0-bb.0] - 2021-08-12
+- upgrade to app version 13.12.9 helm chart version 0.29.0
+
 ## [0.26.0-bb.3] - 2021-06-15
 - updated runner image to use UBI 8.4 from Registry1
 

chart/.gitignore

+gitlab-runner*.tgz
+# charts/*
+public/
+.tmp/
\ No newline at end of file

chart/.gitlab-ci.yml

+default:
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base
+  tags:
+  - gitlab-org
+
+variables:
+  GIT_CLONE_PATH: $CI_BUILDS_DIR/gitlab-runner
+  STABLE_REPO_URL: https://charts.helm.sh/stable
+
+stages:
+- test
+- release
+
+lint:
+  stage: test
+  script:
+  - helm lint .
+
+release development:
+  stage: release
+  script:
+  - helm init --client-only --stable-repo-url=${STABLE_REPO_URL}
+  - helm package .
+  when: manual
+  only:
+  - branches
+  except:
+  - master
+  artifacts:
+    paths:
+    - gitlab-runner*.tgz
+    expire_in: 7d
+
+release beta:
+  stage: release
+  variables:
+    S3_URL: s3://${S3_BUCKET}${S3_PATH}
+    REPO_URL: https://${S3_BUCKET}.s3.amazonaws.com${S3_PATH}
+  script:
+  - apk add --no-cache py-pip
+  - pip install awscli
+  - helm init --client-only --stable-repo-url=${STABLE_REPO_URL}
+  - 'beta_info=$(git describe --long | sed -r "s/v[0-9\.]+(-rc[0-9]+)?-//")'
+  - 'build_time=$(date +%s)'
+  - 'sed -r "s/(version: [0-9\.]+-beta)/\1-${build_time}-${beta_info}/" -i Chart.yaml'
+  - 'sed -r "s/appVersion: .*/appVersion: bleeding/" -i Chart.yaml'
+  - 'sed -r "s/imagePullPolicy: IfNotPresent/imagePullPolicy: Always/" -i values.yaml'
+  - mkdir -p public/
+  - aws s3 cp ${S3_URL}/index.yaml public/index.yaml || true
+  - (cd public; helm package ../)
+  - helm repo index public --merge public/index.yaml --url ${REPO_URL}
+  - aws s3 sync public ${S3_URL} --acl public-read
+  - 'echo "To install repository run: helm repo add gitlab-runner-beta ${REPO_URL} && helm repo update"'
+  only:
+  - master@gitlab-org/charts/gitlab-runner
+
+release stable:
+  stage: release
+  script:
+  - curl --request POST
+         --form "token=$CI_JOB_TOKEN"
+         --form ref=master
+         --form "variables[CHART_NAME]=$CI_PROJECT_NAME"
+         --form "variables[RELEASE_REF]=$CI_COMMIT_REF_NAME"
+         https://gitlab.com/api/v4/projects/2860651/trigger/pipeline
+  rules:
+  - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ && $CI_PROJECT_URL == "https://gitlab.com/gitlab-org/charts/gitlab-runner"'
+  - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ && $CI_PROJECT_URL == "https://gitlab.com/gitlab-org/security/charts/gitlab-runner"'

chart/.gitlab/changelog.yml

+default_scope: other
+names:
+  new-feature: New features
+  security-fix: Security fixes
+  fix: Bug fixes
+  maintenance: Maintenance
+  runner-distribution: GitLab Runner distribution
+  documentation: Documentation changes
+  other: Other changes
+order:
+- new-feature
+- security-fix
+- fix
+- maintenance
+- runner-distribution
+- documentation
+- other
+label_matchers:
+- labels:
+  - documentation
+  scope: documentation
+- labels:
+  - feature::addition
+  scope: new-feature
+- labels:
+  - security
+  scope: security-fix
+- labels:
+  - bug
+  scope: fix
+- labels:
+  - runner-distribution
+  scope: runner-distribution
+- labels:
+  - technical debt
+  scope: maintenance
+- labels:
+  - tooling::pipelines
+  scope: maintenance
+- labels:
+  - tooling::workflow
+  scope: maintenance
+- labels:
+  - feature::maintenance
+  scope: maintenance
+- labels:
+  - feature::enhancement
+  scope: maintenance
+authorship_labels:
+- Community contribution

chart/CHANGELOG.md

+## v0.29.0 (2021-05-20)
+
+### New features
+
+- Update GitLab Runner version to 13.12.0
+
+## v0.28.0 (2021-04-20)
+
+### New features
+
+- Update GitLab Runner version to 13.11.0
+
+### Maintenance
+
+- Pass runners.config through the template engine !290 (Dmitriy @Nevoff89)
+- Add role support of individual verbs list for different resources !280 (Horatiu Eugen Vlad @hvlad)
+- Use runner namespace for role and role binding if it is specified !256 (Alex Sears @searsaw)
+- Add optional configuration values for pod security context `runAsUser` and `supplementalGroups` !242 (Horatiu Eugen Vlad @hvlad)
+
+### Documentation changes
+
+- docs: add notice that we run tpl on runner config !291
+- Add comment on imagePullPolicy !288
+
+## v0.27.0 (2021-03-21)
+
+### New features
+
+- Update GitLab Runner version to 13.10.0
+- Allow setting deployment replicas !286
+- Add support for specify ConfigMaps for gitlab-runner deployment !285
+- Allow to mount arbitrary Kubernetes secrets !283
+
 ## v0.26.0 (2021-02-22)
 
 ### New features

chart/Chart.yaml

 apiVersion: v1
 name: gitlab-runner
-version: 0.26.0-bb.3
-appVersion: 13.9.0
+version: 0.29.0-bb.0
+appVersion: 13.12.0
 description: GitLab Runner
 keywords:
 - git

chart/Kptfile

@@ -5,7 +5,7 @@ metadata:
 upstream:
     type: git
     git:
-        commit: 56838d88bc8fdd5a1e36456662c1f84338e5eb91
+        commit: acde317c103d5cd56cce5ce300081254a5be6c36
         repo: https://gitlab.com/gitlab-org/charts/gitlab-runner
         directory: /
-        ref: v0.26.0
+        ref: v0.29.0

chart/requirements.lock

+dependencies:
+- name: gluon
+  repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
+  version: 0.2.2
+digest: sha256:3cc6a4183f49d5ee05c2d80e1128ebf8b5440facc662b557dd672733f2927c1b
+generated: "2021-08-12T11:51:26.866661315-06:00"

chart/requirements.yaml

+dependencies:
+- name: gluon
+  version: "0.2.2"
+  repository: "oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon"
+

chart/templates/configmap.yaml

@@ -12,7 +12,7 @@ data:
     #!/bin/bash
     set -e
     mkdir -p /home/gitlab-runner/.gitlab-runner/
-    cp /scripts/config.toml /home/gitlab-runner/.gitlab-runner/
+    cp /configmaps/config.toml /home/gitlab-runner/.gitlab-runner/
 
     # Set up environment variables for cache
     if [[ -f /secrets/accesskey && -f /secrets/secretkey ]]; then
@@ -46,12 +46,12 @@ data:
     fi
 
     # Register the runner
-    if ! sh /scripts/register-the-runner; then
+    if ! sh /configmaps/register-the-runner; then
       exit 1
     fi
 
     # Run pre-entrypoint-script
-    if ! bash /scripts/pre-entrypoint-script; then
+    if ! bash /configmaps/pre-entrypoint-script; then
       exit 1
     fi
 
@@ -72,9 +72,9 @@ data:
     {{- if .Values.sentryDsn }}
     sentry_dsn = "{{ .Values.sentryDsn }}"
     {{- end }}
-  
+
   {{ if .Values.runners.config }}
-  config.template.toml: {{ toYaml .Values.runners.config | indent 2 }}
+  config.template.toml: {{ tpl (toYaml .Values.runners.config) $ | indent 2 }}
   {{ end }}
 
   configure: |
@@ -126,7 +126,7 @@ data:
         {{-   end }}
         {{- end }}
         {{- if .Values.runners.config }}
-        --template-config /scripts/config.template.toml \
+        --template-config /configmaps/config.template.toml \
         {{- end }}
         --non-interactive
 
@@ -155,3 +155,5 @@ data:
 
   pre-entrypoint-script: |
 {{ .Values.preEntrypointScript | default "" | indent 4 }}
+
+{{ if not (empty .Values.configMaps) }}{{ toYaml .Values.configMaps | indent 2 }}{{ end }}

chart/templates/deployment.yaml

@@ -8,7 +8,7 @@ metadata:
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
 spec:
-  replicas: 1
+  replicas: {{ default 1 .Values.replicas }}
   selector:
     matchLabels:
       app: {{ include "gitlab-runner.fullname" . }}
@@ -35,13 +35,22 @@ spec:
     spec:
       securityContext:
         runAsUser: {{ .Values.securityContext.runAsUser }}
+        {{- if .Values.securityContext.runAsGroup }}
+        runAsGroup: {{ .Values.securityContext.runAsGroup }}
+        {{- end}}
         {{- if .Values.securityContext.fsGroup }}
         fsGroup: {{ .Values.securityContext.fsGroup }}
         {{- end}}
+        {{- if .Values.securityContext.supplementalGroups }}
+        supplementalGroups:
+        {{-   range .Values.securityContext.supplementalGroups }}
+          - {{ . }}
+        {{-   end}}
+        {{- end}}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       initContainers:
       - name: configure
-        command: ['sh', '/config/configure']
+        command: ['sh', '/configmaps/configure']
         image: {{ include "gitlab-runner.image" . }}
         imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
         securityContext:
@@ -52,8 +61,8 @@ spec:
         - name: runner-secrets
           mountPath: /secrets
           readOnly: false
-        - name: scripts
-          mountPath: /config
+        - name: configmaps
+          mountPath: /configmaps
           readOnly: true
         - name: init-runner-secrets
           mountPath: /init-secrets
@@ -73,12 +82,12 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
         {{- include "gitlab-runner.unregisterRunners" . | nindent 8 }}
-        command: ["/bin/bash", "/scripts/entrypoint"]
+        command: ["/bin/bash", "/configmaps/entrypoint"]
         env:
         {{ include "gitlab-runner.runner-env-vars" . | indent 8 }}
         livenessProbe:
           exec:
-            command: ["/bin/bash", "/scripts/check-live"]
+            command: ["/bin/bash", "/configmaps/check-live"]
           initialDelaySeconds: 60
           timeoutSeconds: 1
           periodSeconds: 10
@@ -100,8 +109,8 @@ spec:
           mountPath: /secrets
         - name: etc-gitlab-runner
           mountPath: /home/gitlab-runner/.gitlab-runner
-        - name: scripts
-          mountPath: /scripts
+        - name: configmaps
+          mountPath: /configmaps
         {{- if .Values.certsSecretName }}
         - name: custom-certs
           readOnly: true
@@ -145,12 +154,17 @@ spec:
                     path: runner-registration-token
                   - key: runner-token
                     path: runner-token
+
+            {{- range .Values.secrets }}
+            - secret:
+{{ toYaml . | indent 16 }}
+            {{- end }}
       {{- if .Values.certsSecretName }}
       - name: custom-certs
         secret:
           secretName: {{ .Values.certsSecretName }}
       {{- end }}
-      - name: scripts
+      - name: configmaps
         configMap:
           name: {{ include "gitlab-runner.fullname" . }}
     {{- if .Values.imagePullSecrets }}

chart/templates/role-binding.yaml

@@ -8,6 +8,9 @@ metadata:
     chart: {{ include "gitlab-runner.chart" . }}
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
+  {{ if not .Values.rbac.clusterWideAccess -}}
+  namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: {{ if .Values.rbac.clusterWideAccess }}"ClusterRole"{{ else }}"Role"{{ end }}

chart/templates/role.yaml

@@ -8,6 +8,9 @@ metadata:
     chart: {{ include "gitlab-runner.chart" . }}
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
+  {{ if not .Values.rbac.clusterWideAccess -}}
+  namespace: {{ default .Release.Namespace .Values.runners.namespace | quote }}
+  {{- end }}
 rules:
 {{- if .Values.rbac.podSecurityPolicy.enabled }}
 - apiGroups: ['policy']
@@ -16,15 +19,14 @@ rules:
   resourceNames:
 {{ toYaml .Values.rbac.podSecurityPolicy.resourceNames | indent 2 }}
 {{- end }}
+{{- if or (empty .Values.rbac.rules) (or .Values.rbac.resources .Values.rbac.verbs) }}
 - apiGroups: [""]
-  {{- if .Values.rbac.resources }}
-  resources: [{{ join ", " .Values.rbac.resources }}]
-  {{- else }}
-  resources: ["*"]
-  {{- end }}
-  {{- if .Values.rbac.verbs }}
-  verbs: [{{ join ", " .Values.rbac.verbs }}]
-  {{- else }}
-  verbs: ["*"]
-  {{- end }}
+  resources: {{ (default (list "*") .Values.rbac.resources | toJson) }}
+  verbs: {{ (default (list "*") .Values.rbac.verbs | toJson) }}
+{{- end -}}
+{{ range .Values.rbac.rules }}
+- apiGroups: {{ (default (list "") .apiGroups) | toJson }}
+  resources: {{ (default (list "*") .resources) | toJson }}
+  verbs: {{ (default (list "*") .verbs) | toJson }}
+{{- end }}
 {{- end -}}

chart/templates/tests/test-gitlab-runners.yaml

-{{- include "bb-test-lib.cypress-configmap.base" . }}
+{{- include "gluon.tests.cypress-configmap.base" . }}
 ---
-{{- include "bb-test-lib.cypress-runner.base" . }}
\ No newline at end of file
+{{- include "gluon.tests.cypress-runner.base" . }}
\ No newline at end of file

chart/values.yaml

@@ -6,13 +6,17 @@
 ## ref: https://hub.docker.com/r/gitlab/gitlab-runner/tags/
 ##
 ## Note: If you change the image to the ubuntu release
-##       don't forget to change the securityContext; 
+##       don't forget to change the securityContext;
 ##       these images run on different user IDs.
 ##
-image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v13.9.0
+image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:v13.12.0
 
-## Specify a imagePullPolicy
+## Specify a imagePullPolicy for the main runner deployment
 ## 'Always' if imageTag is 'latest', else set to 'IfNotPresent'
+##
+## Note: it does not apply to job containers launched by this executor.
+## Use `pull_policy` in [runners.kubernetes] to change it.
+##
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
 ##
 imagePullPolicy: IfNotPresent
@@ -21,9 +25,12 @@ imagePullPolicy: IfNotPresent
 ## Kubernetes supports specifying container image registry keys on a Pod.
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
 ##
-# imagePullSecrets: 
+# imagePullSecrets:
 #   - name: "image-pull-secret"
 
+## How many runner pods to launch.
+# replicas: 1
+
 ## The GitLab Server URL (with protocol) that want to register the runner against
 ## ref: https://docs.gitlab.com/runner/commands/README.html#gitlab-runner-register
 ##
@@ -100,9 +107,22 @@ checkInterval: 30
 rbac:
   create: true
   ## Define specific rbac permissions.
+  ## DEPRECATED: see .Values.rbac.rules
   # resources: ["pods", "pods/exec", "secrets"]
   # verbs: ["get", "list", "watch", "create", "patch", "delete"]
 
+  ## Define list of rules to be added to the rbac role permissions.
+  ## Each rule supports the keys:
+  ## - apiGroups: default "" (indicates the core API group) if missing or empty.
+  ## - resources: default "*" if missing or empty.
+  ## - verbs: default "*" if missing or empty.
+  rules: []
+  # - resources: ["pods", "secrets"]
+  #   verbs: ["get", "list", "watch", "create", "patch", "delete"]
+  # - apiGroups: [""]
+  #   resources: ["pods/exec"]
+  #   verbs: ["create", "patch", "delete"]
+
   ## Run the gitlab-bastion container with the ability to deploy/manage containers of jobs
   ## cluster-wide or only within namespace
   clusterWideAccess: false
@@ -136,16 +156,20 @@ metrics:
   enabled: true
 
 ## Configuration for the Pods that the runner launches for each new job
-## ref: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
-## ref: https://docs.gitlab.com/runner/executors/kubernetes.html
+##
 runners:
+  # runner configuration, where the multi line strings is evaluated as
+  # template so you can specify helm values inside of it.
+  #
+  # tpl: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
+  # runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configuration.html
   config: |
     [[runners]]
       clone_url = "http://gitlab-webservice-default.gitlab.svc.cluster.local:8181"
       cache_dir = "/tmp/gitlab-runner/cache"
       [runners.kubernetes]
         image = "registry1.dso.mil/ironbank/redhat/ubi/ubi8:8.4"
-        helper_image = "registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v13.9.0"
+        helper_image = "registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:v13.12.0"
         image_pull_secrets = ["private-registry"]
       [runners.kubernetes.pod_labels]
         "job_id" = "${CI_JOB_ID}"
@@ -398,11 +422,14 @@ runners:
 ## ref: http://kubernetes.io/docs/user-guide/security-context/
 ##
 securityContext:
-  fsGroup: 65533
-  runAsUser: 1000
+  runAsUser: 998
+  # runAsGroup: 65533
+  fsGroup: 996
+  # supplementalGroups: [65533]
+
   ## Note: values for the ubuntu image:
-  # fsGroup: 999
   # runAsUser: 999
+  # fsGroup: 999
 
 ## Configure resource requests and limits
 ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -485,6 +512,26 @@ podLabels: {}
   #     metricName: gitlab_runner_jobs
   #     targetAverageValue: 400m
 
+## Secrets to be additionally mounted to the containers.
+## All secrets are mounted through init-runner-secrets volume
+## and placed as readonly at /init-secrets in the init container
+## and finally copied to an in-memory volume runner-secrets that is
+## mounted at /secrets.
+secrets: []
+  # Example:
+  # - name: my-secret
+  # - name: myOtherSecret
+  #   items:
+  #     - key: key_one
+  #       path: path_one
+
+## Additional config files to mount in the containers in `/configmaps`.
+##
+## Please note that a number of keys are reserved by the runner.
+## See https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/master/templates/configmap.yaml
+## for a current list.
+configMaps: {}
+
 # BigBang Additional values
 monitoring:
-  enabled: false
\ No newline at end of file
+  enabled: false