From 26bd579fb2c032bffcf884d71293bd6b3e69b455 Mon Sep 17 00:00:00 2001 
From: RENOVATE_BOT <group_3988_bot_6690300925770a391b8033731fdaab32@noreply.repo1.dso.mil> Date: Tue, 29 Oct 2024 20:23:21 +0000 Subject: [PATCH] SKIP UPDATE CHECK Update Ironbank --- .gitignore | 10 + CHANGELOG.md | 23 +- README.md | 90 +- chart/.gitlab-ci.yml | 5 +- chart/.gitlab/ci/operator.gitlab-ci.yml | 14 + chart/.markdownlint-cli2.yaml | 7 +- chart/.vale.ini | 5 +- chart/CHANGELOG.md | 362 ++--- chart/CONTRIBUTING.md | 7 +- chart/Chart.yaml | 32 +- chart/Kptfile | 4 +- chart/README.md | 115 +- chart/bigbang/README.md | 3 +- chart/charts/gitlab-runner-0.67.0.tgz | Bin 26810 -> 0 bytes chart/charts/gitlab-runner-0.68.0.tgz | Bin 0 -> 27777 bytes .../gitlab/charts/geo-logcursor/Chart.yaml | 4 +- chart/charts/gitlab/charts/gitaly/Chart.yaml | 4 +- .../gitaly/templates/_configmap_spec.yaml | 10 +- .../gitaly/templates/_statefulset_spec.yaml | 2 +- chart/charts/gitlab/charts/gitaly/values.yaml | 6 + .../gitlab/charts/gitlab-exporter/Chart.yaml | 2 +- .../gitlab-exporter/templates/_helpers.tpl | 20 + .../gitlab-exporter/templates/configmap.yaml | 4 +- .../gitlab/charts/gitlab-pages/Chart.yaml | 4 +- .../gitlab-pages/templates/configmap.yml | 4 + .../gitlab/charts/gitlab-pages/values.yaml | 1 + .../gitlab/charts/gitlab-shell/Chart.yaml | 4 +- .../gitlab-shell/templates/configmap.yml | 4 +- .../templates/traefik-tcp-ingressroute.yaml | 7 +- .../charts/gitlab-shell/values.schema.json | 10 + .../gitlab/charts/gitlab-shell/values.yaml | 4 + chart/charts/gitlab/charts/kas/Chart.yaml | 4 +- .../gitlab/charts/kas/templates/_helpers.tpl | 5 +- .../charts/gitlab/charts/mailroom/Chart.yaml | 4 +- .../gitlab/charts/migrations/Chart.yaml | 4 +- .../charts/gitlab/charts/praefect/Chart.yaml | 4 +- chart/charts/gitlab/charts/sidekiq/Chart.yaml | 4 +- .../charts/gitlab/charts/spamcheck/Chart.yaml | 2 +- chart/charts/gitlab/charts/toolbox/Chart.yaml | 4 +- .../charts/toolbox/templates/_helpers.tpl | 2 + .../gitlab/charts/webservice/Chart.yaml | 4 +- 
.../charts/webservice/templates/_helpers.tpl | 6 +- .../charts/gitlab/templates/_rails.redis.tpl | 21 + chart/charts/gitlab/templates/_redis.tpl | 27 + .../nginx-ingress/templates/clusterrole.yaml | 8 + .../templates/controller-deployment.yaml | 8 +- .../templates/controller-role.yaml | 8 + chart/charts/nginx-ingress/values.yaml | 7 +- chart/charts/registry/index.md | 4 +- chart/charts/registry/templates/_redis.tpl | 35 +- chart/doc/.vale/gitlab_base/BadPlurals.yml | 14 + chart/doc/.vale/gitlab_base/British.yml | 120 ++ chart/doc/.vale/gitlab_base/CIConfigFile.yml | 13 + .../doc/.vale/gitlab_base/CodeblockFences.yml | 13 + .../gitlab_base/CommandStringsQuoted.yml | 14 + chart/doc/.vale/gitlab_base/CurrentStatus.yml | 13 + chart/doc/.vale/gitlab_base/DefaultBranch.yml | 14 + chart/doc/.vale/gitlab_base/Dropdown.yml | 14 + chart/doc/.vale/gitlab_base/EOLWhitespace.yml | 13 + .../.vale/gitlab_base/ElementDescriptors.yml | 14 + chart/doc/.vale/gitlab_base/FutureTense.yml | 15 + .../gitlab_base/GitLabFlavoredMarkdown.yml | 14 + .../doc/.vale/gitlab_base/HeadingContent.yml | 19 + chart/doc/.vale/gitlab_base/HeadingDepth.yml | 13 + chart/doc/.vale/gitlab_base/HeadingLink.yml | 18 + .../.vale/gitlab_base/InclusiveLanguage.yml | 22 + chart/doc/.vale/gitlab_base/LatinTerms.yml | 17 + chart/doc/.vale/gitlab_base/Level.yml | 18 + .../.vale/gitlab_base/MeaningfulLinkWords.yml | 17 + .../gitlab_base/MergeConflictMarkers.yml | 13 + .../doc/.vale/gitlab_base/MultiLineLinks.yml | 14 + .../.vale/gitlab_base/NonStandardQuotes.yml | 14 + .../.vale/gitlab_base/OutdatedVersions.yml | 14 + chart/doc/.vale/gitlab_base/OxfordComma.yml | 12 + chart/doc/.vale/gitlab_base/Possessive.yml | 13 + chart/doc/.vale/gitlab_base/Prerequisites.yml | 14 + chart/doc/.vale/gitlab_base/ReadingLevel.yml | 15 + chart/doc/.vale/gitlab_base/Repetition.yml | 12 + .../doc/.vale/gitlab_base/SentenceLength.yml | 13 + .../doc/.vale/gitlab_base/SentenceSpacing.yml | 14 + chart/doc/.vale/gitlab_base/Simplicity.yml | 
18 + chart/doc/.vale/gitlab_base/Spelling.yml | 16 + .../.vale/gitlab_base/SubstitutionWarning.yml | 77 + chart/doc/.vale/gitlab_base/Substitutions.yml | 69 + chart/doc/.vale/gitlab_base/ToDo.yml | 14 + .../.vale/gitlab_base/UnclearAntecedent.yml | 22 + chart/doc/.vale/gitlab_base/Units.yml | 15 + chart/doc/.vale/gitlab_base/Uppercase.yml | 268 ++++ chart/doc/.vale/gitlab_base/Wordy.yml | 19 + chart/doc/.vale/gitlab_base/Zip.yml | 15 + .../.vale/gitlab_base/spelling-exceptions.txt | 1235 +++++++++++++++++ chart/doc/.vale/gitlab_docs/AlertBoxStyle.yml | 20 + .../.vale/gitlab_docs/Badges-Offerings.yml | 13 + chart/doc/.vale/gitlab_docs/Badges-Tiers.yml | 13 + chart/doc/.vale/gitlab_docs/HistoryItems.yml | 14 + .../.vale/gitlab_docs/HistoryItemsOrder.yml | 13 + .../.vale/gitlab_docs/InternalLinkCase.yml | 13 + .../gitlab_docs/InternalLinkExtension.yml | 13 + .../.vale/gitlab_docs/InternalLinkFormat.yml | 13 + .../.vale/gitlab_docs/InternalLinksCode.yml | 12 + .../doc/.vale/gitlab_docs/ReferenceLinks.yml | 14 + chart/doc/.vale/gitlab_docs/RelativeLinks.yml | 13 + .../RelativeLinksDoubleSlashes.yml | 13 + chart/doc/.vale/gitlab_docs/TabsLinks.yml | 13 + .../external-db/external-omnibus-psql.md | 3 +- .../external-omnibus-gitaly.md | 2 +- .../external-object-storage/aws-iam-roles.md | 2 +- chart/doc/advanced/external-redis/index.md | 4 + chart/doc/advanced/ubi/index.md | 5 +- chart/doc/charts/gitlab/gitaly/index.md | 39 +- .../charts/gitlab/gitlab-exporter/index.md | 34 +- chart/doc/charts/gitlab/gitlab-pages/index.md | 63 +- chart/doc/charts/gitlab/gitlab-shell/index.md | 38 +- chart/doc/charts/gitlab/gitlab-zoekt/index.md | 5 + chart/doc/charts/gitlab/index.md | 42 + chart/doc/charts/gitlab/kas/index.md | 34 +- chart/doc/charts/gitlab/mailroom/index.md | 34 +- chart/doc/charts/gitlab/migrations/index.md | 34 +- chart/doc/charts/gitlab/praefect/index.md | 34 +- chart/doc/charts/gitlab/sidekiq/index.md | 4 +- chart/doc/charts/gitlab/spamcheck/index.md | 34 +- 
chart/doc/charts/gitlab/toolbox/index.md | 34 +- chart/doc/charts/globals.md | 36 +- chart/doc/charts/minio/index.md | 2 +- chart/doc/charts/nginx/fork.md | 24 + chart/doc/charts/registry/index.md | 32 +- .../doc/charts/registry/metadata_database.md | 7 +- chart/doc/development/index.md | 2 +- .../doc/installation/command-line-options.md | 3 + chart/doc/installation/deployment.md | 5 +- .../installation/migration/package_to_helm.md | 8 +- chart/doc/installation/version_mappings.md | 31 +- chart/doc/releases/8_0.md | 27 + chart/doc/troubleshooting/index.md | 4 + .../troubleshooting/kubernetes_cheat_sheet.md | 1 + chart/examples/ubi/values.yaml | 2 +- chart/requirements.lock | 6 +- chart/requirements.yaml | 2 +- chart/spec/configuration/gitaly_spec.rb | 83 +- .../configuration/gitlab_exporter_spec.rb | 34 +- chart/spec/configuration/gitlab_shell_spec.rb | 49 + chart/spec/configuration/kas_spec.rb | 19 +- chart/spec/configuration/pages_spec.rb | 9 + chart/spec/configuration/redis_spec.rb | 74 + chart/spec/configuration/registry_spec.rb | 64 + .../configuration/securitycontext_spec.rb | 21 + chart/spec/configuration/workhorse_spec.rb | 64 + chart/spec/runtime_template_helper.rb | 1 + chart/templates/NOTES.txt | 14 + chart/templates/_helpers.tpl | 10 + chart/templates/_traefik.tpl | 23 + chart/templates/upgrade_check_hook.yaml | 3 +- chart/values.yaml | 48 +- docs/DEVELOPMENT_MAINTENANCE.md | 83 +- docs/Elastic.md | 18 +- docs/PostgresSql.md | 2 +- docs/gitlab17.md | 3 +- docs/k8s-resources.md | 6 +- docs/keycloak-dev.md | 28 +- docs/keycloak.md | 27 +- docs/operational-production-settings.md | 23 +- docs/overview.md | 22 +- docs/test-package-against-bb.md | 2 + tests/images.txt | 4 +- 164 files changed, 3946 insertions(+), 841 deletions(-) create mode 100644 .gitignore create mode 100644 chart/.gitlab/ci/operator.gitlab-ci.yml delete mode 100644 chart/charts/gitlab-runner-0.67.0.tgz create mode 100644 chart/charts/gitlab-runner-0.68.0.tgz create mode 100644 
chart/charts/gitlab/charts/gitlab-exporter/templates/_helpers.tpl create mode 100644 chart/doc/.vale/gitlab_base/BadPlurals.yml create mode 100644 chart/doc/.vale/gitlab_base/British.yml create mode 100644 chart/doc/.vale/gitlab_base/CIConfigFile.yml create mode 100644 chart/doc/.vale/gitlab_base/CodeblockFences.yml create mode 100644 chart/doc/.vale/gitlab_base/CommandStringsQuoted.yml create mode 100644 chart/doc/.vale/gitlab_base/CurrentStatus.yml create mode 100644 chart/doc/.vale/gitlab_base/DefaultBranch.yml create mode 100644 chart/doc/.vale/gitlab_base/Dropdown.yml create mode 100644 chart/doc/.vale/gitlab_base/EOLWhitespace.yml create mode 100644 chart/doc/.vale/gitlab_base/ElementDescriptors.yml create mode 100644 chart/doc/.vale/gitlab_base/FutureTense.yml create mode 100644 chart/doc/.vale/gitlab_base/GitLabFlavoredMarkdown.yml create mode 100644 chart/doc/.vale/gitlab_base/HeadingContent.yml create mode 100644 chart/doc/.vale/gitlab_base/HeadingDepth.yml create mode 100644 chart/doc/.vale/gitlab_base/HeadingLink.yml create mode 100644 chart/doc/.vale/gitlab_base/InclusiveLanguage.yml create mode 100644 chart/doc/.vale/gitlab_base/LatinTerms.yml create mode 100644 chart/doc/.vale/gitlab_base/Level.yml create mode 100644 chart/doc/.vale/gitlab_base/MeaningfulLinkWords.yml create mode 100644 chart/doc/.vale/gitlab_base/MergeConflictMarkers.yml create mode 100644 chart/doc/.vale/gitlab_base/MultiLineLinks.yml create mode 100644 chart/doc/.vale/gitlab_base/NonStandardQuotes.yml create mode 100644 chart/doc/.vale/gitlab_base/OutdatedVersions.yml create mode 100644 chart/doc/.vale/gitlab_base/OxfordComma.yml create mode 100644 chart/doc/.vale/gitlab_base/Possessive.yml create mode 100644 chart/doc/.vale/gitlab_base/Prerequisites.yml create mode 100644 chart/doc/.vale/gitlab_base/ReadingLevel.yml create mode 100644 chart/doc/.vale/gitlab_base/Repetition.yml create mode 100644 chart/doc/.vale/gitlab_base/SentenceLength.yml create mode 100644 
chart/doc/.vale/gitlab_base/SentenceSpacing.yml create mode 100644 chart/doc/.vale/gitlab_base/Simplicity.yml create mode 100644 chart/doc/.vale/gitlab_base/Spelling.yml create mode 100644 chart/doc/.vale/gitlab_base/SubstitutionWarning.yml create mode 100644 chart/doc/.vale/gitlab_base/Substitutions.yml create mode 100644 chart/doc/.vale/gitlab_base/ToDo.yml create mode 100644 chart/doc/.vale/gitlab_base/UnclearAntecedent.yml create mode 100644 chart/doc/.vale/gitlab_base/Units.yml create mode 100644 chart/doc/.vale/gitlab_base/Uppercase.yml create mode 100644 chart/doc/.vale/gitlab_base/Wordy.yml create mode 100644 chart/doc/.vale/gitlab_base/Zip.yml create mode 100644 chart/doc/.vale/gitlab_base/spelling-exceptions.txt create mode 100644 chart/doc/.vale/gitlab_docs/AlertBoxStyle.yml create mode 100644 chart/doc/.vale/gitlab_docs/Badges-Offerings.yml create mode 100644 chart/doc/.vale/gitlab_docs/Badges-Tiers.yml create mode 100644 chart/doc/.vale/gitlab_docs/HistoryItems.yml create mode 100644 chart/doc/.vale/gitlab_docs/HistoryItemsOrder.yml create mode 100644 chart/doc/.vale/gitlab_docs/InternalLinkCase.yml create mode 100644 chart/doc/.vale/gitlab_docs/InternalLinkExtension.yml create mode 100644 chart/doc/.vale/gitlab_docs/InternalLinkFormat.yml create mode 100644 chart/doc/.vale/gitlab_docs/InternalLinksCode.yml create mode 100644 chart/doc/.vale/gitlab_docs/ReferenceLinks.yml create mode 100644 chart/doc/.vale/gitlab_docs/RelativeLinks.yml create mode 100644 chart/doc/.vale/gitlab_docs/RelativeLinksDoubleSlashes.yml create mode 100644 chart/doc/.vale/gitlab_docs/TabsLinks.yml create mode 100644 chart/templates/_traefik.tpl diff --git a/.gitignore b/.gitignore new file mode 100644 index 000000000..0edec293f --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,10 @@
+.idea
+chart/tests/.env
+chart/tests/cypress.env.json
+chart/tests/cypress.config.js
+chart/tests/cypress/downloads/
+chart/tests/cypress/fixtures/
+chart/tests/cypress/support/
+chart/tests/cypress/screenshots/
+chart/tests/cypress/videos/
+node_modules
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 43af8aa35..f8a14f6f8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
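Review bot: The new `.gitignore` ends without a final newline (`\ No newline at end of file` after `node_modules`), so a pattern appended later by a script can be concatenated onto that line; end the file with a newline. The entries `chart/tests/.env` and `chart/tests/cypress.env.json` look like local test settings that may hold credentials (inferred from the names only). Ignoring them only stops future adds, so it is worth confirming that neither path is already tracked or present in history. A comment above them such as `# local Cypress test settings, may hold credentials - keep untracked` would record the intent. Ignoring `chart/tests/cypress/support/` and `chart/tests/cypress.config.js` wholesale also keeps test code out of review if those files are ever meant to live in this repository.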
@@ -3,6 +3,28 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- + +## [8.3.0-bb.0] (2024-10-23) + +### Changed + +- ironbank/gitlab/gitlab/gitlab-webservice (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter (source) v1.64.1 -> v1.65.0 +- registry1.dso.mil/ironbank/gitlab/gitlab/certificates (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitaly (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice (source) v17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse (source) 17.2.9 -> 17.3.6 +- registry1.dso.mil/ironbank/gitlab/gitlab/kubectl (source) 17.2.9 -> 17.3.6 + ## [8.2.9-bb.4] (2024-10-22) ### Added @@ -80,7 +102,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - Update ironbank/bitnami/redis (source) 7.0.0-debian-10-r3 -> 7.4.0 - ## [8.2.7-bb.0] (2024-09-18) ### Changed diff --git a/README.md b/README.md index 63369e1b9..ed8146e26 100644 --- a/README.md +++ b/README.md 
@@ -1,11 +1,12 @@ <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. --> # gitlab -  +  GitLab is the most comprehensive AI-powered DevSecOps Platform. ## Upstream References + - <https://about.gitlab.com/> - <https://gitlab.com/gitlab-org/charts/gitlab> @@ -27,7 +28,7 @@ The [upstream chart's release notes](https://gitlab.com/gitlab-org/charts/gitlab Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment @@ -48,7 +49,7 @@ helm install gitlab chart/ | global.image | object | `{}` | | | global.pod.labels | object | `{}` | | | global.edition | string | `"ee"` | | -| global.gitlabVersion | string | `"17.2.9"` | | +| global.gitlabVersion | string | `"17.3.6"` | | | global.application.create | bool | `false` | | | global.application.links | list | `[]` | | | global.application.allowClusterRoles | bool | `true` | | @@ -360,7 +361,7 @@ helm install gitlab chart/ | global.workhorse.tls.enabled | bool | `false` | | | global.webservice.workerTimeout | int | `60` | | | global.certificates.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/certificates"` | | -| global.certificates.image.tag | string | `"17.2.9"` | | +| global.certificates.image.tag | string | `"17.3.6"` | | | global.certificates.image.pullSecrets[0].name | string | `"private-registry"` | | | global.certificates.init.securityContext.capabilities.drop[0] | string | `"ALL"` | | | global.certificates.init.securityContext.runAsUser | int | `65534` | | 
@@ -397,12 +398,12 @@ helm install gitlab chart/ | global.certificates.customCAs[29].secret | string | `"ca-certs-dod-trust-anchors-self-signed"` | | | global.certificates.customCAs[30].secret | string | `"ca-certs-eca"` | | | global.kubectl.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/kubectl"` | | -| global.kubectl.image.tag | string | `"17.2.9"` | | +| global.kubectl.image.tag | string | `"17.3.6"` | | | global.kubectl.image.pullSecrets[0].name | string | `"private-registry"` | | | global.kubectl.securityContext.runAsUser | int | `65534` | | | global.kubectl.securityContext.fsGroup | int | `65534` | | | global.gitlabBase.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base"` | | -| global.gitlabBase.image.tag | string | `"17.2.9"` | | +| global.gitlabBase.image.tag | string | `"17.3.6"` | | | global.gitlabBase.image.pullSecrets[0].name | string | `"private-registry"` | | | global.serviceAccount.enabled | bool | `true` | | | global.serviceAccount.create | bool | `true` | | @@ -415,6 +416,7 @@ helm install gitlab chart/ | global.extraEnv | object | `{}` | | | global.extraEnvFrom | object | `{}` | | | global.job.nameSuffixOverride | string | `nil` | | +| global.traefik.apiVersion | string | `""` | | | containerSecurityContext.runAsUser | int | `65534` | | | containerSecurityContext.runAsGroup | int | `65534` | | | containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | @@ -425,6 +427,7 @@ helm install gitlab chart/ | upgradeCheck.securityContext.runAsUser | int | `65534` | | | upgradeCheck.securityContext.runAsGroup | int | `65534` | | | upgradeCheck.securityContext.fsGroup | int | `65534` | | +| upgradeCheck.containerSecurityContext | object | `{}` | | | upgradeCheck.tolerations | list | `[]` | | | upgradeCheck.annotations."sidecar.istio.io/inject" | string | `"true"` | | | upgradeCheck.configMapAnnotations | object | `{}` | | 
@@ -464,86 +467,86 @@ helm install gitlab chart/ | nginx-ingress-geo.<<.controller.config.server-name-hash-bucket-size | string | `"256"` | | | nginx-ingress.controller.config.server-name-hash-bucket-size | string | `"256"` | | | nginx-ingress-geo.controller.config.<<.use-http2 | string | `"true"` | | -| nginx-ingress-geo.controller.<<.config.use-http2 | string | `"true"` | | | nginx-ingress.controller.config.use-http2 | string | `"true"` | | +| nginx-ingress-geo.controller.<<.config.use-http2 | string | `"true"` | | | nginx-ingress-geo.<<.controller.config.use-http2 | string | `"true"` | | +| nginx-ingress-geo.<<.controller.config.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` | | | nginx-ingress.controller.config.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` | | | nginx-ingress-geo.controller.<<.config.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` | | -| nginx-ingress-geo.<<.controller.config.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` | | | 
nginx-ingress-geo.controller.config.<<.ssl-ciphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"` | | | nginx-ingress-geo.<<.controller.config.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` | | -| nginx-ingress-geo.controller.config.<<.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` | | | nginx-ingress.controller.config.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` | | | nginx-ingress-geo.controller.<<.config.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` | | -| nginx-ingress-geo.<<.controller.config.server-tokens | string | `"false"` | | -| nginx-ingress.controller.config.server-tokens | string | `"false"` | | -| nginx-ingress-geo.controller.<<.config.server-tokens | string | `"false"` | | +| nginx-ingress-geo.controller.config.<<.ssl-protocols | string | `"TLSv1.3 TLSv1.2"` | | | nginx-ingress-geo.controller.config.<<.server-tokens | string | `"false"` | | -| nginx-ingress.controller.config.upstream-keepalive-connections | int | `100` | | +| nginx-ingress-geo.controller.<<.config.server-tokens | string | `"false"` | | +| nginx-ingress.controller.config.server-tokens | string | `"false"` | | +| nginx-ingress-geo.<<.controller.config.server-tokens | string | `"false"` | | | nginx-ingress-geo.<<.controller.config.upstream-keepalive-connections | int | `100` | | | nginx-ingress-geo.controller.<<.config.upstream-keepalive-connections | int | `100` | | | nginx-ingress-geo.controller.config.<<.upstream-keepalive-connections | int | `100` | | +| nginx-ingress.controller.config.upstream-keepalive-connections | int | `100` | | | nginx-ingress-geo.controller.config.<<.upstream-keepalive-time | string | `"30s"` | | -| nginx-ingress-geo.<<.controller.config.upstream-keepalive-time | string | `"30s"` | | | 
nginx-ingress-geo.controller.<<.config.upstream-keepalive-time | string | `"30s"` | | +| nginx-ingress-geo.<<.controller.config.upstream-keepalive-time | string | `"30s"` | | | nginx-ingress.controller.config.upstream-keepalive-time | string | `"30s"` | | -| nginx-ingress-geo.controller.<<.config.upstream-keepalive-timeout | int | `5` | | | nginx-ingress.controller.config.upstream-keepalive-timeout | int | `5` | | -| nginx-ingress-geo.controller.config.<<.upstream-keepalive-timeout | int | `5` | | +| nginx-ingress-geo.controller.<<.config.upstream-keepalive-timeout | int | `5` | | | nginx-ingress-geo.<<.controller.config.upstream-keepalive-timeout | int | `5` | | +| nginx-ingress-geo.controller.config.<<.upstream-keepalive-timeout | int | `5` | | | nginx-ingress.controller.config.upstream-keepalive-requests | int | `1000` | | -| nginx-ingress-geo.<<.controller.config.upstream-keepalive-requests | int | `1000` | | | nginx-ingress-geo.controller.<<.config.upstream-keepalive-requests | int | `1000` | | | nginx-ingress-geo.controller.config.<<.upstream-keepalive-requests | int | `1000` | | +| nginx-ingress-geo.<<.controller.config.upstream-keepalive-requests | int | `1000` | | | nginx-ingress-geo.<<.controller.service.externalTrafficPolicy | string | `"Local"` | | -| nginx-ingress.controller.service.externalTrafficPolicy | string | `"Local"` | | | nginx-ingress-geo.controller.<<.service.externalTrafficPolicy | string | `"Local"` | | -| nginx-ingress-geo.controller.<<.ingressClassByName | bool | `false` | | +| nginx-ingress.controller.service.externalTrafficPolicy | string | `"Local"` | | | nginx-ingress-geo.<<.controller.ingressClassByName | bool | `false` | | +| nginx-ingress-geo.controller.<<.ingressClassByName | bool | `false` | | | nginx-ingress.controller.ingressClassByName | bool | `false` | | -| nginx-ingress.controller.ingressClassResource.name | string | `"{{ include \"ingress.class.name\" $ }}"` | | | nginx-ingress-geo.<<.controller.ingressClassResource.name 
| string | `"{{ include \"ingress.class.name\" $ }}"` | | +| nginx-ingress.controller.ingressClassResource.name | string | `"{{ include \"ingress.class.name\" $ }}"` | | | nginx-ingress-geo.controller.<<.ingressClassResource.name | string | `"{{ include \"ingress.class.name\" $ }}"` | | +| nginx-ingress-geo.controller.<<.resources.requests.cpu | string | `"100m"` | | | nginx-ingress.controller.resources.requests.cpu | string | `"100m"` | | | nginx-ingress-geo.<<.controller.resources.requests.cpu | string | `"100m"` | | -| nginx-ingress-geo.controller.<<.resources.requests.cpu | string | `"100m"` | | -| nginx-ingress.controller.resources.requests.memory | string | `"100Mi"` | | | nginx-ingress-geo.controller.<<.resources.requests.memory | string | `"100Mi"` | | +| nginx-ingress.controller.resources.requests.memory | string | `"100Mi"` | | | nginx-ingress-geo.<<.controller.resources.requests.memory | string | `"100Mi"` | | -| nginx-ingress-geo.<<.controller.publishService.enabled | bool | `true` | | | nginx-ingress-geo.controller.<<.publishService.enabled | bool | `true` | | | nginx-ingress.controller.publishService.enabled | bool | `true` | | -| nginx-ingress-geo.controller.<<.replicaCount | int | `2` | | +| nginx-ingress-geo.<<.controller.publishService.enabled | bool | `true` | | | nginx-ingress-geo.<<.controller.replicaCount | int | `2` | | | nginx-ingress.controller.replicaCount | int | `2` | | -| nginx-ingress-geo.controller.<<.minAvailable | int | `1` | | +| nginx-ingress-geo.controller.<<.replicaCount | int | `2` | | | nginx-ingress.controller.minAvailable | int | `1` | | | nginx-ingress-geo.<<.controller.minAvailable | int | `1` | | +| nginx-ingress-geo.controller.<<.minAvailable | int | `1` | | +| nginx-ingress-geo.controller.<<.scope.enabled | bool | `true` | | | nginx-ingress.controller.scope.enabled | bool | `true` | | | nginx-ingress-geo.<<.controller.scope.enabled | bool | `true` | | -| nginx-ingress-geo.controller.<<.scope.enabled | bool | `true` | | 
| nginx-ingress-geo.controller.<<.metrics.enabled | bool | `true` | | -| nginx-ingress-geo.<<.controller.metrics.enabled | bool | `true` | | | nginx-ingress.controller.metrics.enabled | bool | `true` | | +| nginx-ingress-geo.<<.controller.metrics.enabled | bool | `true` | | | nginx-ingress-geo.controller.<<.metrics.service.annotations."gitlab.com/prometheus_scrape" | string | `"true"` | | | nginx-ingress.controller.metrics.service.annotations."gitlab.com/prometheus_scrape" | string | `"true"` | | | nginx-ingress-geo.<<.controller.metrics.service.annotations."gitlab.com/prometheus_scrape" | string | `"true"` | | | nginx-ingress.controller.metrics.service.annotations."gitlab.com/prometheus_port" | string | `"10254"` | | | nginx-ingress-geo.<<.controller.metrics.service.annotations."gitlab.com/prometheus_port" | string | `"10254"` | | | nginx-ingress-geo.controller.<<.metrics.service.annotations."gitlab.com/prometheus_port" | string | `"10254"` | | +| nginx-ingress.controller.metrics.service.annotations."prometheus.io/scrape" | string | `"true"` | | | nginx-ingress-geo.controller.<<.metrics.service.annotations."prometheus.io/scrape" | string | `"true"` | | | nginx-ingress-geo.<<.controller.metrics.service.annotations."prometheus.io/scrape" | string | `"true"` | | -| nginx-ingress.controller.metrics.service.annotations."prometheus.io/scrape" | string | `"true"` | | | nginx-ingress-geo.controller.<<.metrics.service.annotations."prometheus.io/port" | string | `"10254"` | | | nginx-ingress-geo.<<.controller.metrics.service.annotations."prometheus.io/port" | string | `"10254"` | | | nginx-ingress.controller.metrics.service.annotations."prometheus.io/port" | string | `"10254"` | | -| nginx-ingress-geo.<<.controller.admissionWebhooks.enabled | bool | `false` | | | nginx-ingress.controller.admissionWebhooks.enabled | bool | `false` | | | nginx-ingress-geo.controller.<<.admissionWebhooks.enabled | bool | `false` | | +| nginx-ingress-geo.<<.controller.admissionWebhooks.enabled 
| bool | `false` | | | nginx-ingress-geo.<<.defaultBackend.resources.requests.cpu | string | `"5m"` | | | nginx-ingress.defaultBackend.resources.requests.cpu | string | `"5m"` | | -| nginx-ingress.defaultBackend.resources.requests.memory | string | `"5Mi"` | | | nginx-ingress-geo.<<.defaultBackend.resources.requests.memory | string | `"5Mi"` | | +| nginx-ingress.defaultBackend.resources.requests.memory | string | `"5Mi"` | | | nginx-ingress.rbac.create | bool | `true` | | | nginx-ingress-geo.<<.rbac.create | bool | `true` | | | nginx-ingress-geo.<<.rbac.scope | bool | `false` | | @@ -672,7 +675,7 @@ helm install gitlab chart/ | redis.metrics.enabled | bool | `true` | | | redis.metrics.image.registry | string | `"registry1.dso.mil/ironbank/bitnami"` | | | redis.metrics.image.repository | string | `"analytics/redis-exporter"` | | -| redis.metrics.image.tag | string | `"v1.64.1"` | | +| redis.metrics.image.tag | string | `"v1.65.0"` | | | redis.metrics.image.pullSecrets | list | `[]` | | | redis.metrics.resources.limits.cpu | string | `"250m"` | | | redis.metrics.resources.limits.memory | string | `"256Mi"` | | @@ -772,7 +775,7 @@ helm install gitlab chart/ | registry.resources.requests.cpu | string | `"200m"` | | | registry.resources.requests.memory | string | `"1024Mi"` | | | registry.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry"` | | -| registry.image.tag | string | `"17.2.9"` | | +| registry.image.tag | string | `"17.3.6"` | | | registry.image.pullSecrets[0].name | string | `"private-registry"` | | | registry.ingress.enabled | bool | `false` | | | registry.metrics.enabled | bool | `true` | | 
@@ -828,7 +831,7 @@ helm install gitlab chart/ | gitlab.toolbox.replicas | int | `1` | | | gitlab.toolbox.antiAffinityLabels.matchLabels.app | string | `"gitaly"` | | | gitlab.toolbox.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox"` | | -| gitlab.toolbox.image.tag | string | `"17.2.9"` | | +| gitlab.toolbox.image.tag | string | `"17.3.6"` | | | gitlab.toolbox.image.pullSecrets[0].name | string | `"private-registry"` | | | gitlab.toolbox.init.resources.requests.cpu | string | `"200m"` | | | gitlab.toolbox.init.resources.requests.memory | string | `"200Mi"` | | @@ -865,7 +868,7 @@ helm install gitlab chart/ | gitlab.gitlab-exporter.resources.requests.memory | string | `"200Mi"` | | | gitlab.gitlab-exporter.capabilities.drop[0] | string | `"ALL"` | | | gitlab.gitlab-exporter.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter"` | | -| gitlab.gitlab-exporter.image.tag | string | `"17.2.9"` | | +| gitlab.gitlab-exporter.image.tag | string | `"17.3.6"` | | | gitlab.gitlab-exporter.image.pullSecrets[0].name | string | `"private-registry"` | | | gitlab.gitlab-exporter.metrics.enabled | bool | `true` | | | gitlab.gitlab-exporter.metrics.port | int | `9168` | | @@ -887,7 +890,7 @@ helm install gitlab chart/ | gitlab.migrations.resources.requests.cpu | string | `"500m"` | | | gitlab.migrations.resources.requests.memory | string | `"1.5G"` | | | gitlab.migrations.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox"` | | -| gitlab.migrations.image.tag | string | `"17.2.9"` | | +| gitlab.migrations.image.tag | string | `"17.3.6"` | | | gitlab.migrations.image.pullSecrets[0].name | string | `"private-registry"` | | | gitlab.migrations.securityContext.runAsUser | int | `1000` | | | gitlab.migrations.securityContext.runAsGroup | int | `1000` | | 
@@ -911,14 +914,14 @@ helm install gitlab chart/ | gitlab.webservice.resources.requests.cpu | string | `"300m"` | | | gitlab.webservice.resources.requests.memory | string | `"2.5G"` | | | gitlab.webservice.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice"` | | -| gitlab.webservice.image.tag | string | `"17.2.9"` | | +| gitlab.webservice.image.tag | string | `"17.3.6"` | | | gitlab.webservice.image.pullSecrets[0].name | string | `"private-registry"` | | | gitlab.webservice.workhorse.resources.limits.cpu | string | `"600m"` | | | gitlab.webservice.workhorse.resources.limits.memory | string | `"2.5G"` | | | gitlab.webservice.workhorse.resources.requests.cpu | string | `"600m"` | | | gitlab.webservice.workhorse.resources.requests.memory | string | `"2.5G"` | | | gitlab.webservice.workhorse.image | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse"` | | -| gitlab.webservice.workhorse.tag | string | `"17.2.9"` | | +| gitlab.webservice.workhorse.tag | string | `"17.3.6"` | | | gitlab.webservice.workhorse.pullSecrets[0].name | string | `"private-registry"` | | | gitlab.webservice.workhorse.metrics.enabled | bool | `true` | | | gitlab.webservice.workhorse.metrics.serviceMonitor.enabled | bool | `true` | | @@ -929,7 +932,7 @@ helm install gitlab chart/ | gitlab.webservice.metrics.serviceMonitor.enabled | bool | `true` | | | gitlab.webservice.helmTests.enabled | bool | `false` | | | gitlab.sidekiq.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq"` | | -| gitlab.sidekiq.image.tag | string | `"17.2.9"` | | +| gitlab.sidekiq.image.tag | string | `"17.3.6"` | | | gitlab.sidekiq.image.pullSecrets[0].name | string | `"private-registry"` | | | gitlab.sidekiq.init.resources.limits.cpu | string | `"200m"` | | | gitlab.sidekiq.init.resources.limits.memory | string | `"200Mi"` | | 
@@ -947,7 +950,7 @@ helm install gitlab chart/
 | gitlab.sidekiq.containerSecurityContext.runAsGroup | int | `1000` | |
 | gitlab.sidekiq.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
 | gitlab.gitaly.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitaly"` | |
-| gitlab.gitaly.image.tag | string | `"17.2.9"` | |
+| gitlab.gitaly.image.tag | string | `"17.3.6"` | |
 | gitlab.gitaly.image.pullSecrets[0].name | string | `"private-registry"` | |
 | gitlab.gitaly.init.resources.limits.cpu | string | `"200m"` | |
 | gitlab.gitaly.init.resources.limits.memory | string | `"200Mi"` | |
@@ -967,7 +970,7 @@ helm install gitlab chart/
 | gitlab.gitaly.containerSecurityContext.runAsGroup | int | `1000` | |
 | gitlab.gitaly.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
 | gitlab.gitlab-shell.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell"` | |
-| gitlab.gitlab-shell.image.tag | string | `"17.2.9"` | |
+| gitlab.gitlab-shell.image.tag | string | `"17.3.6"` | |
 | gitlab.gitlab-shell.image.pullSecrets[0].name | string | `"private-registry"` | |
 | gitlab.gitlab-shell.init.resources.limits.cpu | string | `"200m"` | |
 | gitlab.gitlab-shell.init.resources.limits.memory | string | `"200Mi"` | |
@@ -985,15 +988,15 @@ helm install gitlab chart/ | gitlab.gitlab-shell.containerSecurityContext.runAsGroup | int | `1000` | | | gitlab.gitlab-shell.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | | gitlab.mailroom.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom"` | | -| gitlab.mailroom.image.tag | string | `"17.2.9"` | | +| gitlab.mailroom.image.tag | string | `"17.3.6"` | | | gitlab.mailroom.image.pullSecrets[0].name | string | `"private-registry"` | | | gitlab.mailroom.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | | gitlab.gitlab-pages.service.customDomains.type | string | `"ClusterIP"` | | | gitlab.gitlab-pages.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages"` | | -| gitlab.gitlab-pages.image.tag | string | `"17.2.9"` | | +| gitlab.gitlab-pages.image.tag | string | `"17.3.6"` | | | gitlab.gitlab-pages.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | | gitlab.praefect.image.repository | string | `"registry1.dso.mil/ironbank/gitlab/gitlab/gitaly"` | | -| gitlab.praefect.image.tag | string | `"17.2.9"` | | +| gitlab.praefect.image.tag | string | `"17.3.6"` | | | gitlab.praefect.init.resources.limits.cpu | string | `"200m"` | | | gitlab.praefect.init.resources.limits.memory | string | `"200Mi"` | | | gitlab.praefect.init.resources.requests.cpu | string | `"200m"` | | @@ -1124,4 +1127,3 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in --- _This file is programatically generated using `helm-docs` and some BigBang-specific templates. The `gluon` repository has [instructions for regenerating package READMEs](https://repo1.dso.mil/big-bang/product/packages/gluon/-/blob/master/docs/bb-package-readme.md)._ - diff --git a/chart/.gitlab-ci.yml b/chart/.gitlab-ci.yml index 664c9aabb..2e447075c 100644 --- a/chart/.gitlab-ci.yml +++ b/chart/.gitlab-ci.yml 
@@ -28,7 +28,7 @@ default: variables: AUTO_DEPLOY_TAG_REGEX: '^[0-9]+\.[0-9]+\.[0-9]+\+[a-z0-9]{7,}$' - DOCKER_VERSION: "24.0.6" + DOCKER_VERSION: "27.1.1" HELM_VERSION: "3.10.3" KUBECTL_VERSION: "1.27.9" STABLE_REPO_URL: "https://charts.helm.sh/stable" @@ -50,7 +50,7 @@ variables: DEBIAN_VERSION: bookworm RUBY_VERSION: "3.1.5" CI_TOOLS_VERSION: "4.22.0" - GITLAB_QA_VERSION: "14.12.0" + GITLAB_QA_VERSION: "14.13.0" # STRICT_VERSIONS is used in RSpecs to ensure exact version match for tools like "helm" and "kubectl" STRICT_VERSIONS: "true" KUBE_CRD_SCHEMA_URL: "https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/v3/apis__apiextensions.k8s.io__v1_openapi.json" @@ -87,6 +87,7 @@ stages: include: - local: '/.gitlab/ci/rules.gitlab-ci.yml' - local: '/.gitlab/ci/review-apps.gitlab-ci.yml' + - local: '/.gitlab/ci/operator.gitlab-ci.yml' - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml - template: Jobs/SAST.latest.gitlab-ci.yml diff --git a/chart/.gitlab/ci/operator.gitlab-ci.yml b/chart/.gitlab/ci/operator.gitlab-ci.yml new file mode 100644 index 000000000..1f538d8a7 --- /dev/null +++ b/chart/.gitlab/ci/operator.gitlab-ci.yml @@ -0,0 +1,14 @@ +trigger_operator_test: + stage: approve-review-apps + trigger: + project: 'gitlab-org/cloud-native/gitlab-operator' + branch: master + variables: + CHARTS_REF: "${CI_COMMIT_SHA}" + TRIGGER_PROJECT: "${CI_PROJECT_PATH}" + inherit: + variables: false + when: manual + rules: + - if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PIPELINE_SOURCE == "merge_request_event"' + diff --git a/chart/.markdownlint-cli2.yaml b/chart/.markdownlint-cli2.yaml index 812ab05f6..a56c1c1f1 100644 --- a/chart/.markdownlint-cli2.yaml +++ b/chart/.markdownlint-cli2.yaml 
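Review bot: The new `trigger_operator_test` job in `chart/.gitlab/ci/operator.gitlab-ci.yml` starts a pipeline in another project (`gitlab-org/cloud-native/gitlab-operator`), yet the file carries no comment stating what is meant to cross that boundary or when the job may run. I would add `# Forward only CHARTS_REF and TRIGGER_PROJECT; the global variables block must not reach the downstream pipeline` above `inherit:` and `# Manual, gitlab.com merge-request pipelines only` above `rules:`, so a later edit that drops `variables: false` or loosens the `if:` is recognisable as a change in exposure. The downstream `branch: master` is a moving ref, so the configuration that consumes `CHARTS_REF` can change between runs; whether that is acceptable depends on who can push to that branch, which the page does not show. On a host other than gitlab.com the rule presumably never matches, so the job looks inert in a mirror of the chart; confirm that is the intent rather than an accident of the host check.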
@@ -16,7 +16,12 @@ config: style: "atx" hr-style: # MD035 style: "---" - line-length: false # MD013 + line-length: # MD013 + code_blocks: false + tables: false + headings: true + heading_line_length: 100 + line_length: 800 no-duplicate-heading: # MD024 siblings_only: true no-emphasis-as-heading: false # MD036 diff --git a/chart/.vale.ini b/chart/.vale.ini index 13b198b91..8d8dd99f1 100644 --- a/chart/.vale.ini +++ b/chart/.vale.ini @@ -6,4 +6,7 @@ StylesPath = doc/.vale MinAlertLevel = suggestion [*.md] -BasedOnStyles = gitlab +BasedOnStyles = gitlab_base, gitlab_docs + +# Ignore SVG markup +TokenIgnores = (\*\*\{\w*\}\*\*) diff --git a/chart/CHANGELOG.md b/chart/CHANGELOG.md index 2c9e00f09..41f983a97 100644 --- a/chart/CHANGELOG.md +++ b/chart/CHANGELOG.md 
@@ -2,33 +2,50 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. -## 8.2.9 (2024-10-09) +## 8.3.6 (2024-10-22) No changes. -## 8.2.8 (2024-09-25) +## 8.3.5 (2024-10-09) No changes. -## 8.2.7 (2024-09-16) +## 8.3.4 (2024-09-24) No changes. -## 8.2.6 (2024-09-13) +## 8.3.3 (2024-09-16) No changes. -## 8.2.5 (2024-09-11) +## 8.3.2 (2024-09-11) No changes. -## 8.2.4 (2024-08-21) +## 8.3.1 (2024-08-20) No changes. -## 8.2.3 (2024-08-20) +## 8.3.0 (2024-08-14) -No changes. +### Added (4 changes) + +- [Add support for Redis usernames in Workhorse config](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/9d39fcf7abf8dc8c987592b6a8e69739740a2c32) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3877)) +- [Add support for configuring Redis client timeouts](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/d0cb87cbc5b07d2a7f80cf63376a8893b1c7e150) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3825)) +- [Support Redis cluster configuration for registry rate-limiting](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/0658f782489dd8d9d2d351773ecae817d1d4c106) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3844)) +- [Traefik: implement template for apiVersion](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/dab859121cf325d508f732d6b92f5871c93076c2) by @marcel1802 ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3837)) + +### Fixed (3 changes) + +- [Support Redis usernames for gitlab-kas](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/ee710780e678c82a8af49424dbc77d60fd4d8c70) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3877)) +- [Sync Gitaly graceful shutdown with pod](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/3d91502b4b57d5466e3ab5c62cdc4763cd7617ba) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3870)) +- [Make GitLab 
Exporter work with global.redis.queues definition](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/1da8f2d29c5b720be1f2f654246d447b05cc8b6e) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3795)) + +### Changed (3 changes) + +- [Update Helm release gitlab-runner to v0.67.1](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/f44a22b79ca6c1193b342306dd5b2a295e03e09a) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3871)) +- [Update gitlab-org/charts/gitlab-runner from 0.66.0 to 0.67.0](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/b467affed97511abb50aacc2dbfab479694624b5) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3849)) +- [Update gitlab-org/gitlab-qa from 14.12.0 to 14.13.0](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/8c71f92f9de6e01ffddc7d004987f18901104a26) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3848)) ## 8.2.2 (2024-08-06) @@ -57,6 +74,14 @@ No changes. - [Update cert-manager/cert-manager from 1.12.11 to 1.12.12](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/726af7eb0d223e28ba35b0287a3134ba267ddd01) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3817)) - [Update gitlab-org/charts/gitlab-runner from 0.65.0 to 0.66.0](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/4b2f9346d27fa467ea97cc4f44794288e61325a8) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3810)) +## 8.1.4 (2024-08-06) + +No changes. + +## 8.1.3 (2024-07-24) + +No changes. + ## 8.1.2 (2024-07-09) ### Changed (1 change) 
@@ -100,6 +125,16 @@ No changes. - [Remove gke125 CI jobs](gitlab-org/charts/gitlab@57ced9243021af6de6e324f2ec5ad17b5dcf975e) ([merge request](gitlab-org/charts/gitlab!3760)) +## 8.0.6 (2024-08-06) + +### Changed (1 change) + +- [Update gitlab-org/charts/gitlab-runner from 0.64.1 to 0.65.0](https://gitlab.com/gitlab-org/security/charts/gitlab/-/commit/62619d53b4d05b3ea740fda9bde573e659172cad) + +## 8.0.5 (2024-07-24) + +No changes. + ## 8.0.4 (2024-07-09) No changes. @@ -148,6 +183,14 @@ No changes. - [Remove deprecated queue selector and negate options from Sidekiq chart](gitlab-org/charts/gitlab@6c3bf44290e29b230132bb17d244d38e218eb15b) ([merge request](gitlab-org/charts/gitlab!3697)) - [Remove support for busybox init containers](gitlab-org/charts/gitlab@f85e7f94cc4863038461daece756081e9d1d960a) ([merge request](gitlab-org/charts/gitlab!3709)) +## 7.11.8 (2024-08-05) + +No changes. + +## 7.11.7 (2024-07-23) + +No changes. + ## 7.11.6 (2024-07-09) No changes. @@ -200,6 +243,10 @@ No changes. - [Allow routing rules to contain shard information](gitlab-org/charts/gitlab@aad02140fdabbf2a045e2701b8f1f5b6c3ab81c5) ([merge request](gitlab-org/charts/gitlab!3682)) +## 7.10.9 (2024-07-23) + +No changes. + ## 7.10.8 (2024-06-25) No changes. @@ -250,6 +297,10 @@ No changes. - [Removed kubernetes 1.22 testing](gitlab-org/charts/gitlab@ca9ec21a32e28e63b8e731c317d5089384c9c782) ([merge request](gitlab-org/charts/gitlab!3597)) +## 7.9.10 (2024-07-23) + +No changes. + ## 7.9.9 (2024-06-25) No changes. @@ -310,6 +361,10 @@ No changes. - [Update gitlab-org/gitlab-exporter from 13.5.0 to 14.0.0](gitlab-org/charts/gitlab@6cedee72b82377bbea9ca4c915c4e9bd83d22a45) ([merge request](gitlab-org/charts/gitlab!3542)) - [Update gitlab-org/gitlab-qa from 13.1.0 to 13.2.1](gitlab-org/charts/gitlab@8c970eb366b508ef20d30c6369a6aeee57fed149) ([merge request](gitlab-org/charts/gitlab!3573)) +## 7.8.9 (2024-07-23) + +No changes. + ## 7.8.8 (2024-06-25) No changes. 
@@ -358,7 +413,7 @@ No changes. ### Changed (5 changes) -- [Stop sidekiq namespaced probes in gitlab-exporter ](gitlab-org/charts/gitlab@aec9b2e9bad6c64b03a3f38abaf86c3731920915) ([merge request](gitlab-org/charts/gitlab!3479)) +- [Stop sidekiq namespaced probes in gitlab-exporter](gitlab-org/charts/gitlab@aec9b2e9bad6c64b03a3f38abaf86c3731920915) ([merge request](gitlab-org/charts/gitlab!3479)) - [Require upgrade stop at 16.7/chart 7.7](gitlab-org/charts/gitlab@25cd781235f9e91c8754cf6157ef4b75bf3cdc5b) ([merge request](gitlab-org/charts/gitlab!3559)) - [Update gitlab-org/charts/gitlab-runner from 0.59.2 to 0.60.0](gitlab-org/charts/gitlab@aa2dfde6fe0556b1ab4c5fc270e120464a7fac4a) ([merge request](gitlab-org/charts/gitlab!3549)) - [Update gitlab-org/gitlab-qa from 13.0.0 to 13.1.0](gitlab-org/charts/gitlab@02624f32e73ac31e78309e4fec083de88e14f6c4) ([merge request](gitlab-org/charts/gitlab!3539)) @@ -368,6 +423,10 @@ No changes. - [Provide option to configure kas redis using global.redis.kas](gitlab-org/charts/gitlab@3e03a63726406922b39057c804d1d7d43508946f) ([merge request](gitlab-org/charts/gitlab!3544)) +## 7.7.9 (2024-07-23) + +No changes. + ## 7.7.8 (2024-06-25) No changes. @@ -424,6 +483,10 @@ No changes. - [Doc: FIPS Add note of UBI expectations for FIPS mode host](gitlab-org/charts/gitlab@4274d077ab7d6b08b9ac640182640b02ea22b4f7) ([merge request](gitlab-org/charts/gitlab!3487)) +## 7.6.9 (2024-07-23) + +No changes. + ## 7.6.8 (2024-06-25) No changes. @@ -483,6 +546,10 @@ No changes. - [Deprecate namespace in mailroom.yml](gitlab-org/charts/gitlab@781a94d070a5ae221c33f1a31fdd9ecde15f2be6) ([merge request](gitlab-org/charts/gitlab!3419)) +## 7.5.9 (2024-07-23) + +No changes. + ## 7.5.8 (2024-01-24) No changes. 
@@ -544,6 +611,10 @@ No changes. - [Enable dual-namespace polling for sidekiq probe in gitlab-exporter](gitlab-org/charts/gitlab@08e94769a6169bdc380e7d46b3ed300aa9c9cfab) ([merge request](gitlab-org/charts/gitlab!3388)) +## 7.4.6 (2024-07-23) + +No changes. + ## 7.4.5 (2024-01-11) No changes. @@ -591,6 +662,10 @@ No changes. - [Update gitlab-org/container-registry from 3.79.0-gitlab to 3.80.0-gitlab](gitlab-org/charts/gitlab@7f61401aaa147497b4a9a32fa25a1c6896bfe394) ([merge request](gitlab-org/charts/gitlab!3341)) - [Update gitlab-org/gitlab-qa from 12.2.1 to 12.3.0](gitlab-org/charts/gitlab@021b652e4100e94f0f59985cdb21022015275b61) ([merge request](gitlab-org/charts/gitlab!3349)) +## 7.3.8 (2024-07-23) + +No changes. + ## 7.3.7 (2024-01-11) No changes. @@ -640,6 +715,10 @@ No changes. - [Update gitlab-org/gitlab-qa from 12.2.0 to 12.2.1](gitlab-org/charts/gitlab@eff824a0b05538a9d648e21601ac444fc578a701) ([merge request](gitlab-org/charts/gitlab!3299)) - [Update gitlab-org/charts/gitlab-runner from 0.52.0 to 0.53.0](gitlab-org/charts/gitlab@44694d066d142a42600fd152cc7ce2ca532ab72b) ([merge request](gitlab-org/charts/gitlab!3192)) +## 7.2.10 (2024-07-23) + +No changes. + ## 7.2.9 (2024-01-11) No changes. @@ -707,6 +786,10 @@ No changes. - [Remove registry migration configuration](gitlab-org/charts/gitlab@7593db8956336c56f038542e6e89d5c8690f03de) ([merge request](gitlab-org/charts/gitlab!3280)) +## 7.1.7 (2024-07-23) + +No changes. + ## 7.1.6 (2024-01-11) No changes. 
@@ -768,6 +851,12 @@ No changes. - [Add troubleshooting docs on s3cmd PermissionError](gitlab-org/charts/gitlab@fb92de457cd14c19218db9c8f37a8672051becdf) ([merge request](gitlab-org/charts/gitlab!3198)) - [Postgres: correct minimum version in NOTES](gitlab-org/charts/gitlab@5ea24b44e59236bd82b3a81f6c9f0601159778d7) by @jouve ([merge request](gitlab-org/charts/gitlab!3213)) +## 7.0.9 (2024-07-23) + +### Fixed (1 change) + +- [Use tcp prefix for KAS service port names](https://gitlab.com/gitlab-org/charts/gitlab/-/commit/78b9f549790ec74398ab53826991b1a9c3e9f2a6) ([merge request](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3339)) + ## 7.0.8 (2023-08-01) No changes. @@ -809,7 +898,7 @@ No changes. - [Registry; add support for database discovery for primary records](gitlab-org/charts/gitlab@02618c9b63bfac6c6baf257bc020439a45d3f220) ([merge request](gitlab-org/charts/gitlab!3142)) - [Add SMTP read and write timeout values](gitlab-org/charts/gitlab@843467c988f90f358d58ace7c6514634443b384f) ([merge request](gitlab-org/charts/gitlab!3156)) - [Add annotations to upgradeCheck ConfigMap](gitlab-org/charts/gitlab@9bd462052cc3ca33994ff262c66208ec8d70a7c8) by @LukasAuerbeck ([merge request](gitlab-org/charts/gitlab!3116)) -- [ Adding containerSecurityContext logic to geo chart](gitlab-org/charts/gitlab@10d9b8c945f10f9e84f1b280e88a040e33586f5b) ([merge request](gitlab-org/charts/gitlab!3127)) +- [Adding containerSecurityContext logic to geo chart](gitlab-org/charts/gitlab@10d9b8c945f10f9e84f1b280e88a040e33586f5b) ([merge request](gitlab-org/charts/gitlab!3127)) - [Allow configuring an embedding database](gitlab-org/charts/gitlab@6a923ec7421e814add2fef3069320c13f28f354c) ([merge request](gitlab-org/charts/gitlab!3107)) ### Fixed (7 changes) 
@@ -987,7 +1076,7 @@ No changes. ### Added (6 changes) - [Support setting extra env vars for kas](gitlab-org/charts/gitlab@f8c5589fc5c82ea20b3798838da007b066ec67e4) ([merge request](gitlab-org/charts/gitlab!3023)) -- [Add containerSecurityContext helper templates and values to Gitaly chart ](gitlab-org/charts/gitlab@a7cd11bbc886271d4212ad368fd41885a674a647) by @BrettSeedling ([merge request](gitlab-org/charts/gitlab!2793)) +- [Add containerSecurityContext helper templates and values to Gitaly chart](gitlab-org/charts/gitlab@a7cd11bbc886271d4212ad368fd41885a674a647) by @BrettSeedling ([merge request](gitlab-org/charts/gitlab!2793)) - [Add new cron backup parameter Ref #3076](gitlab-org/charts/gitlab@42b7f8dab938d0d748318d736a42e0070472ccea) by @Vedrillan ([merge request](gitlab-org/charts/gitlab!2984)) - [Add support for Gitaly GPG signing](gitlab-org/charts/gitlab@d65fa4b7880f2b006cb1f0b54c704d47febee136) ([merge request](gitlab-org/charts/gitlab!2754)) - [Add support for fsGroupChangePolicy to all subcharts](gitlab-org/charts/gitlab@20283351cbe24015d25b7823746534c9b65a139a) ([merge request](gitlab-org/charts/gitlab!3000)) 
@@ -1464,7 +1553,7 @@ No changes. ### Fixed (5 changes) -- [Add a relabel_config to target __scheme__ in the default values](gitlab-org/charts/gitlab@cedee2096d5558aad731c76ffb4f7122db0f9697) ([merge request](gitlab-org/charts/gitlab!2672)) +- [Add a relabel_config to target **scheme** in the default values](gitlab-org/charts/gitlab@cedee2096d5558aad731c76ffb4f7122db0f9697) ([merge request](gitlab-org/charts/gitlab!2672)) - [Fix custom certificate authorities not working on UBI containers](gitlab-org/charts/gitlab@faed05de75b98269deabf1336e9e613348417c37) ([merge request](gitlab-org/charts/gitlab!2650)) - [Add KAS configmap checksum to deployment spec](gitlab-org/charts/gitlab@180b80d2f1b64614c52b69988c4c7358cfa6abe4) ([merge request](gitlab-org/charts/gitlab!2654)) - [Allow shell maxUnavailable to be a percentage](gitlab-org/charts/gitlab@9758097c837ba2c5dbe4823bde327be82ada51ff) ([merge request](gitlab-org/charts/gitlab!2627)) @@ -2373,7 +2462,6 @@ No changes. - Add Microsoft Graph config support for MailRoom. !1929 - Added support for IAM roles in EKS. !1940 - ## 4.10.5 (2021-06-01) No changes. @@ -2392,7 +2480,6 @@ No changes. - Fix for Rancher/RKE: Remove extra space before -}} in _kas.tpl. !1925 - ## 4.10.1 (2021-03-31) ### Fixed (1 change) @@ -2403,7 +2490,6 @@ No changes. - GitLab Exporter to 10.1.0. !1915 - ## 4.10.0 (2021-03-22) ### Fixed (6 changes, 2 of them are from the community) @@ -2436,7 +2522,6 @@ No changes. - Webservice: enable per-deployment blackoutSeconds. !1867 - Add migration configurations to registry chart. !1888 - ## 4.9.7 (2021-04-27) No changes. @@ -2455,7 +2540,6 @@ No changes. - GitLab Runner to 0.26.0. !1858 - ## 4.9.3 (2021-03-08) - No changes. @@ -2519,7 +2603,6 @@ No changes. - Clarify EKS installation instructions. !1801 - Add outgoing email section to 'globals' docs. !1821 - ## 4.8.8 (2021-04-13) - No changes. 
@@ -2551,14 +2634,12 @@ No changes. - Fixes backups when GitLab KAS is enabled. !1765 - Fix Gitaly persistence configuration. !1796 - ## 4.8.1 (2021-01-26) ### Changed (1 change) - Update GitLab Runner chart to 0.25.0. !1775 - ## 4.8.0 (2021-01-22) ### Fixed (2 changes, 1 of them is from the community) @@ -2585,7 +2666,6 @@ No changes. - Add tolerations for minio create bucket job. !1744 (David ALEXANDRE) - Add upgrade survey link to upgrade output. !1762 - ## 4.7.9 (2021-03-17) - No changes. @@ -2619,7 +2699,6 @@ No changes. - Minio: Adds podLabels and podAnnotations to chart. !1264 (Kavanaugh Latiolais) - Support custom labels for Pods of GitLab components. !1457 (Maxence Laude) - ## 4.7.4 (2021-01-13) - No changes. @@ -2634,14 +2713,12 @@ No changes. - Fix nginx-ingress checkConfig error. !1730 - ## 4.7.1 (2020-12-23) ### Changed (1 change) - GitLab Runner to 0.24.0. !1724 - ## 4.7.0 (2020-12-22) ### Fixed (3 changes) @@ -2678,7 +2755,6 @@ No changes. - Update NGINX from v0.20.0 to 0.41.2. !1690 - Changes the default loglevel for registry to info. !1703 - ## 4.6.7 (2021-02-11) - No changes. @@ -2699,7 +2775,6 @@ No changes. - Minio: Adds podLabels and podAnnotations to chart. !1264 (Kavanaugh Latiolais) - Support custom labels for Pods of GitLab components. !1457 (Maxence Laude) - ## 4.6.5 (2021-01-13) - No changes. @@ -2714,7 +2789,6 @@ No changes. - Update gitlab-runner from 0.22.0 to 0.23.0. !1686 (Jan Brummelte) - ## 4.6.2 (2020-12-07) - No changes. @@ -2757,7 +2831,6 @@ No changes. - Update resource specifications for Webservice and Sidekiq. !1634 - Set release_package to run manually. !1641 - ## 4.5.7 (2021-01-13) - No changes. @@ -2772,7 +2845,6 @@ No changes. - Set release_package to run manually. !1641 - ## 4.5.4 (2020-11-13) - No changes. @@ -2788,7 +2860,6 @@ No changes. - geo-logcursor: move redis secrets to optional. !1614 - Remove trailing space causing errors in the deprecation template. !1615 - ## 4.5.1 (2020-10-22) - No changes. 
@@ -2817,14 +2888,12 @@ No changes. - cleanup registry.fullname templates. !1568 - Bump default gitlab-kas image tag to v0.0.6. !1582 - ## 4.4.6 (2020-12-07) ### Other (1 change) - Set release_package to run manually. !1641 - ## 4.4.5 (2020-11-04) ### Fixed (2 changes) @@ -2832,21 +2901,18 @@ No changes. - Fix PG password error when enabling extensions during DB init. !1593 - geo-logcursor: move redis secrets to optional. !1614 - ## 4.4.4 (2020-10-15) ### Fixed (1 change) - Praefect: fixup certificates mounts #2341. !1590 - ## 4.4.3 (2020-10-07) ### Added (1 change) - Adds NetworkPolicy for gitlab-shell. !1580 - ## 4.4.2 (2020-10-01) ### Changed (1 change) @@ -2858,14 +2924,12 @@ No changes. - Bump default gitlab-kas image tag to v0.0.5. !1565 - Update GitLab Version to 13.4.2. - ## 4.4.1 (2020-09-24) ### Other (1 change) - Update GitLab Version to 13.4.1. - ## 4.4.0 (2020-09-22) ### Fixed (1 change) @@ -2902,7 +2966,6 @@ No changes. - Adds capability to specify memoryKiller per Pod. !1536 - Update GitLab Version to 13.4.0. - ## 4.3.9 (2020-11-02) - No changes. @@ -2917,7 +2980,6 @@ No changes. - Update GitLab Version to 13.3.7. - ## 4.3.6 (2020-09-14) ### Changed (1 change) @@ -2928,21 +2990,18 @@ No changes. - Update GitLab Version to 13.3.6. - ## 4.3.5 (2020-09-04) ### Other (1 change) - Update GitLab Version to 13.3.5. - ## 4.3.4 (2020-09-02) ### Other (1 change) - Update GitLab Version to 13.3.4. - ## 4.3.3 (2020-09-02) ### Fixed (1 change) @@ -2953,7 +3012,6 @@ No changes. - Update GitLab Version to 13.3.3. - ## 4.3.2 (2020-08-28) ### Fixed (2 changes, 2 of them are from the community) @@ -2965,7 +3023,6 @@ No changes. - Update GitLab Version to 13.3.2. - ## 4.3.1 (2020-08-25) ### Changed (1 change) @@ -2976,7 +3033,6 @@ No changes. - Update GitLab Version to 13.3.1. - ## 4.3.0 (2020-08-22) ### Removed (1 change) 
@@ -3007,42 +3063,36 @@ No changes. - Update GitLab Version to 13.3.0. - ## 4.2.10 (2020-10-01) ### Other (1 change) - Update GitLab Version to 13.2.10. - ## 4.2.9 (2020-09-04) ### Other (1 change) - Update GitLab Version to 13.2.9. - ## 4.2.8 (2020-09-02) ### Other (1 change) - Update GitLab Version to 13.2.8. - ## 4.2.7 (2020-09-02) ### Other (1 change) - Update GitLab Version to 13.2.7. - ## 4.2.6 (2020-08-18) ### Other (1 change) - Update GitLab Version to 13.2.6. - ## 4.2.5 (2020-08-18) ### Changed (1 change) @@ -3053,28 +3103,24 @@ No changes. - Update GitLab Version to 13.2.5. - ## 4.2.4 (2020-08-11) ### Other (1 change) - Update GitLab Version to 13.2.4. - ## 4.2.3 (2020-08-05) ### Other (1 change) - Update GitLab Version to 13.2.3. - ## 4.2.2 (2020-07-30) ### Other (1 change) - Update GitLab Version to 13.2.2. - ## 4.2.1 (2020-07-24) ### Fixed (1 change, 1 of them is from the community) @@ -3089,7 +3135,6 @@ No changes. - Update GitLab Version to 13.2.1. - ## 4.2.0 (2020-07-22) ### Fixed (2 changes) @@ -3113,63 +3158,54 @@ No changes. - Add an annotations support to the migrations job template. !1423 (Tiago Posse) - Update GitLab Version to 13.2.0. - ## 4.1.12 (2020-09-04) ### Other (1 change) - Update GitLab Version to 13.1.11. - ## 4.1.11 (2020-09-02) ### Other (1 change) - Update GitLab Version to 13.1.10. - ## 4.1.10 (2020-09-02) ### Other (1 change) - Update GitLab Version to 13.1.9. - ## 4.1.9 (2020-08-18) ### Other (1 change) - Update GitLab Version to 13.1.8. - ## 4.1.7 (2020-08-05) ### Other (1 change) - Update GitLab Version to 13.1.6. - ## 4.1.6 (2020-07-24) ### Other (1 change) - Update GitLab Version to 13.1.5. - ## 4.1.5 (2020-07-24) ### Other (1 change) - Update GitLab Version to 13.1.5. - ## 4.1.4 (2020-07-09) ### Other (1 change) - Update GitLab Version to 13.1.4. - ## 4.1.3 (2020-07-06) ### Changed (1 change) 
@@ -3180,14 +3216,12 @@ No changes. - Update GitLab Version to 13.1.3. - ## 4.1.2 (2020-07-01) ### Other (1 change) - Update GitLab Version to 13.1.2. - ## 4.1.1 (2020-06-24) ### Fixed (1 change) @@ -3198,7 +3232,6 @@ No changes. - Update GitLab Version to 13.1.1. - ## 4.1.0 (2020-06-22) ### Fixed (3 changes, 1 of them is from the community) @@ -3238,56 +3271,48 @@ No changes. - Update GitLab Runner chart to 0.18.0. !1416 - Update GitLab Version to 13.1.0. - ## 4.0.12 (2020-08-18) ### Other (1 change) - Update GitLab Version to 13.0.14. - ## 4.0.11 (2020-08-18) ### Other (1 change) - Update GitLab Version to 13.0.13. - ## 4.0.10 (2020-08-05) ### Other (1 change) - Update GitLab Version to 13.0.12. - ## 4.0.9 (2020-07-09) ### Other (1 change) - Update GitLab Version to 13.0.10. - ## 4.0.8 (2020-07-06) ### Other (1 change) - Update GitLab Version to 13.0.9. - ## 4.0.7 (2020-07-01) ### Other (1 change) - Update GitLab Version to 13.0.8. - ## 4.0.6 (2020-06-25) ### Other (1 change) - Update GitLab Version to 13.0.7. - ## 4.0.5 (2020-06-10) ### Changed (1 change) @@ -3298,21 +3323,18 @@ No changes. - Update GitLab Version to 13.0.6. - ## 4.0.4 (2020-06-04) ### Other (1 change) - Update GitLab Version to 13.0.5. - ## 4.0.3 (2020-06-03) ### Other (1 change) - Update GitLab Version to 13.0.4. - ## 4.0.2 (2020-05-29) ### Fixed (3 changes, 1 of them is from the community) @@ -3329,7 +3351,6 @@ No changes. - Update GitLab Version to 13.0.3. - ## 4.0.1 (2020-05-27) ### Fixed (1 change) @@ -3344,7 +3365,6 @@ No changes. - Update GitLab Version to 13.0.1. - ## 4.0.0 (2020-05-22) ### Fixed (2 changes) 
@@ -3380,42 +3400,36 @@ No changes. - Update bitnami/postgres -> 8.9.4, postgres -> 11.7.0. !1320 - Update GitLab Version to 13.0.0. - ## 3.3.13 (2020-07-06) ### Other (1 change) - Update GitLab Version to 12.10.14. - ## 3.3.12 (2020-07-01) ### Other (1 change) - Update GitLab Version to 12.10.13. - ## 3.3.11 (2020-06-25) ### Other (1 change) - Update GitLab Version to 12.10.12. - ## 3.3.9 (2020-06-04) ### Other (1 change) - Update GitLab Version to 12.10.10. - ## 3.3.7 (2020-05-29) ### Other (1 change) - Update GitLab Version to 12.10.8. - ## 3.3.6 (2020-05-27) ### Fixed (1 change) @@ -3426,7 +3440,6 @@ No changes. - Update GitLab Version to 12.10.7. - ## 3.3.5 (2020-05-15) ### Changed (1 change) @@ -3437,21 +3450,18 @@ No changes. - Update GitLab Version to 12.10.6. - ## 3.3.4 (2020-05-14) ### Other (1 change) - Update GitLab Version to 12.10.5. - ## 3.3.3 (2020-05-04) ### Other (1 change) - Update GitLab Version to 12.10.3. - ## 3.3.2 (2020-04-30) ### Fixed (3 changes) @@ -3464,14 +3474,12 @@ No changes. - Update GitLab Version to 12.10.2. - ## 3.3.1 (2020-04-24) ### Other (1 change) - Update GitLab Version to 12.10.1. - ## 3.3.0 (2020-04-22) ### Removed (1 change) @@ -3507,49 +3515,42 @@ No changes. - Update GitLab Version to 12.10.0. - ## 3.2.9 (2020-06-10) ### Other (1 change) - Update GitLab Version to 12.9.10. - ## 3.2.8 (2020-06-03) ### Other (1 change) - Update GitLab Version to 12.9.9. - ## 3.2.7 (2020-05-27) ### Other (1 change) - Update GitLab Version to 12.9.8. - ## 3.2.6 (2020-05-14) ### Other (1 change) - Update GitLab Version to 12.9.7. - ## 3.2.5 (2020-04-30) ### Other (1 change) - Update GitLab Version to 12.9.5. - ## 3.2.4 (2020-04-17) ### Other (1 change) - Update GitLab Version to 12.9.4. - ## 3.2.3 (2020-04-15) ### Added (1 change, 1 of them is from the community) 
@@ -3560,21 +3561,18 @@ No changes. - Update GitLab Version to 12.9.3. - ## 3.2.2 (2020-03-31) ### Other (1 change) - Update GitLab Version to 12.9.2. - ## 3.2.1 (2020-03-26) ### Other (1 change) - Update GitLab Version to 12.9.1. - ## 3.2.0 (2020-03-22) ### Fixed (4 changes, 1 of them is from the community) @@ -3593,21 +3591,18 @@ No changes. - Update GitLab Version to 12.9.0. - ## 3.1.8 (2020-04-30) ### Other (1 change) - Update GitLab Version to 12.8.10. - ## 3.1.7 (2020-04-15) ### Other (1 change) - Update GitLab Version to 12.8.9. - ## 3.1.6 (2020-03-26) ### Fixed (1 change) @@ -3618,28 +3613,24 @@ No changes. - Update GitLab Version to 12.8.8. - ## 3.1.5 (2020-03-16) ### Other (1 change) - Update GitLab Version to 12.8.7. - ## 3.1.4 (2020-03-11) ### Other (1 change) - Update GitLab Version to 12.8.6. - ## 3.1.3 (2020-03-09) ### Other (1 change) - Update GitLab Version to 12.8.5. - ## 3.1.2 ### Changed (1 change) @@ -3650,14 +3641,12 @@ No changes. - Update GitLab Version to 12.8.2. - ## 3.1.1 ### Other (1 change) - Update GitLab Version to 12.8.1. - ## 3.1.0 ### Fixed (4 changes, 2 of them are from the community) @@ -3695,14 +3684,12 @@ No changes. - Bump Container Registry to v2.8.1-gitlab. !1173 - Update GitLab Version to 12.8.0. - ## 3.0.7 (2020-04-15) ### Other (1 change) - Update GitLab Version to 12.7.9. - ## 3.0.6 (2020-03-26) ### Fixed (1 change) @@ -3713,14 +3700,12 @@ No changes. - Update GitLab Version to 12.7.8. - ## 3.0.5 ### Other (1 change) - Update GitLab Version to 12.7.7. - ## 3.0.4 ### Fixed (1 change, 1 of them is from the community) @@ -3731,7 +3716,6 @@ No changes. - Update GitLab Version to 12.7.6. - ## 3.0.3 ### Fixed (1 change) @@ -3742,7 +3726,6 @@ No changes. - Update GitLab Version to 12.7.5. - ## 3.0.2 ### Changed (1 change) @@ -3753,7 +3736,6 @@ No changes. - Update GitLab Version to 12.7.4. - ## 3.0.1 ### Changed (1 change) @@ -3764,7 +3746,6 @@ No changes. - Update GitLab Version to 12.7.2. - ## 3.0.0 ### Fixed (2 changes) 
@@ -3794,14 +3775,12 @@ No changes. - Use mail_room gem version from Gemfile.lock as appVersion in the chart. !1088 - Update GitLab Version to 12.7.0. - ## 2.6.9 ### Other (1 change) - Update GitLab Version to 12.6.8. - ## 2.6.8 ### Fixed (1 change, 1 of them is from the community) @@ -3812,14 +3791,12 @@ No changes. - Update GitLab Version to 12.6.7. - ## 2.6.7 ### Other (1 change) - Update GitLab Version to 12.6.6. - ## 2.6.6 ### Fixed (1 change) @@ -3830,21 +3807,18 @@ No changes. - Update GitLab Version to 12.6.4. - ## 2.6.5 ### Other (1 change) - Update GitLab Version to 12.6.4. - ## 2.6.4 ### Other (1 change) - Update GitLab Version to 12.6.3. - ## 2.6.3 ### Fixed (1 change) @@ -3855,14 +3829,12 @@ No changes. - Update GitLab Version to 12.6.2. - ## 2.6.2 ### Other (1 change) - Update GitLab Version to 12.6.2. - ## 2.6.1 ### Other (2 changes) @@ -3870,7 +3842,6 @@ No changes. - Update gitlab-org/charts/gitlab-runner from 0.11.0 to 0.12.0. !1085 - Update GitLab Version to 12.6.1. - ## 2.6.0 ### Fixed (3 changes, 1 of them is from the community) @@ -3904,21 +3875,18 @@ No changes. - Document the use of external Minio for object storage. !1005 - Update GitLab Version to 12.6.0. - ## 2.5.11 ### Other (1 change) - Update GitLab Version to 12.5.10. - ## 2.5.10 ### Other (1 change) - Update GitLab Version to 12.5.9. - ## 2.5.9 ### Fixed (1 change) @@ -3929,21 +3897,18 @@ No changes. - Update GitLab Version to 12.5.7. - ## 2.5.8 ### Other (1 change) - Update GitLab Version to 12.5.7. - ## 2.5.7 ### Other (1 change) - Update GitLab Version to 12.5.6. - ## 2.5.6 ### Added (1 change, 1 of them is from the community) @@ -3954,14 +3919,12 @@ No changes. - Update GitLab Version to 12.5.5. - ## 2.5.5 ### Other (1 change) - Update GitLab Version to 12.5.4. - ## 2.5.4 ### Fixed (1 change) 
@@ -3972,21 +3935,18 @@ No changes. - Update GitLab Version to 12.5.3. - ## 2.5.3 ### Other (1 change) - Update GitLab Version to 12.5.2. - ## 2.5.2 ### Other (1 change) - Update GitLab Version to 12.5.1. - ## 2.5.1 ### Added (1 change) @@ -3997,7 +3957,6 @@ No changes. - Update GitLab Version to 12.5.0. - ## 2.5.0 ### Fixed (2 changes) @@ -4028,42 +3987,36 @@ No changes. - Update gitlab-runner to 0.11.0/12.5.0. !1046 - Update GitLab Version to 12.5.0. - ## 2.4.13 ### Other (1 change) - Update GitLab Version to 12.4.8. - ## 2.4.12 ### Other (1 change) - Update GitLab Version to 12.4.7. - ## 2.4.10 ### Other (1 change) - Update GitLab Version to 12.4.5. - ## 2.4.9 ### Other (1 change) - Update GitLab Version to 12.4.4. - ## 2.4.8 ### Other (1 change) - Update GitLab Version to 12.4.3. - ## 2.4.7 ### Fixed (1 change) @@ -4080,7 +4033,6 @@ No changes. - Adds the global gitlab annotations to mailroom. - Update GitLab Version to 12.4.2. - ## 2.4.6 ### Fixed (1 change) @@ -4095,7 +4047,6 @@ No changes. - Update GitLab Version to 12.4.2. - ## 2.4.5 ### Other (2 changes) @@ -4103,7 +4054,6 @@ No changes. - Update GitLab Runner to v12.4.1. !1018 - Update GitLab Version to 12.4.1. - ## 2.4.4 ### Added (1 change) @@ -4114,7 +4064,6 @@ No changes. - Update GitLab Version to 12.4.1. - ## 2.4.3 ### Fixed (1 change) @@ -4125,7 +4074,6 @@ No changes. - Update GitLab Version to 12.4.1. - ## 2.4.2 ### Fixed (1 change) @@ -4136,7 +4084,6 @@ No changes. - Update GitLab Version to 12.4.0. - ## 2.4.1 ### Fixed (2 changes) @@ -4148,7 +4095,6 @@ No changes. - Update GitLab Version to 12.4.0. - ## 2.4.0 ### Fixed (5 changes, 1 of them is from the community) @@ -4178,7 +4124,6 @@ No changes. - Update gitlab-runner to 0.10.0/12.4.0. !1003 - Update GitLab Version to 12.4.0. - ## 2.3.12 ### Fixed (2 changes) 
@@ -4190,21 +4135,18 @@ No changes. - Update GitLab Version to 12.3.9. - ## 2.3.11 ### Other (1 change) - Update GitLab Version to 12.3.8. - ## 2.3.10 ### Other (1 change) - Update GitLab Version to 12.3.7. - ## 2.3.9 ### Fixed (1 change) @@ -4215,7 +4157,6 @@ No changes. - Update GitLab Version to 12.3.6. - ## 2.3.8 ### Fixed (1 change) @@ -4234,14 +4175,12 @@ No changes. - Update GitLab Version to 12.3.5. - ## 2.3.7 ### Other (1 change) - Update GitLab Version to 12.3.5. - ## 2.3.6 ### Other (2 changes) @@ -4249,7 +4188,6 @@ No changes. - Update gitlab-runner to v0.9.1. !987 - Update GitLab Version to 12.3.4. - ## 2.3.5 ### Fixed (1 change, 1 of them is from the community) @@ -4260,21 +4198,18 @@ No changes. - Update GitLab Version to 12.3.4. - ## 2.3.3 ### Other (1 change) - Update GitLab Version to 12.3.2. - ## 2.3.2 ### Other (1 change) - Update GitLab Version to 12.3.1. - ## 2.3.1 ### Fixed (1 change) @@ -4285,7 +4220,6 @@ No changes. - Update GitLab Version to 12.3.0. - ## 2.3.0 ### Fixed (4 changes, 2 of them are from the community) @@ -4317,7 +4251,6 @@ No changes. - Update gitlab-runner to 0.9.0/12.3.0. !965 - Update GitLab Version to 12.3.0. - ## 2.2.12 ### Fixed (1 change) @@ -4328,21 +4261,18 @@ No changes. - Update GitLab Version to 12.2.9. - ## 2.2.11 ### Other (1 change) - Update GitLab Version to 12.2.8. - ## 2.2.10 ### Other (1 change) - Update GitLab Version to 12.2.7. - ## 2.2.9 ### Other (1 change) @@ -4357,14 +4287,12 @@ No changes. - Update GitLab Version to 12.2.8. - ## 2.2.8 ### Other (1 change) - Update GitLab Version to 12.2.7. - ## 2.2.7 ### Fixed (1 change) @@ -4375,14 +4303,12 @@ No changes. - Update GitLab Version to 12.2.6. - ## 2.2.6 ### Other (1 change) - Update GitLab Version to 12.2.5. - ## 2.2.5 ### Fixed (1 change) @@ -4399,7 +4325,6 @@ No changes. - Update gitlab-runner to 0.8.0/12.2.0. !912 - Update GitLab Version to 12.2.4. - ## 2.2.4 ### Added (2 changes, 2 of them are from the community) 
@@ -4411,28 +4336,24 @@ No changes. - Update GitLab Version to 12.2.4. - ## 2.2.3 ### Other (1 change) - Update GitLab Version to 12.2.4. - ## 2.2.2 ### Other (1 change) - Update GitLab Version to 12.2.3. - ## 2.2.1 ### Other (1 change) - Update GitLab Version to 12.2.1. - ## 2.2.0 ### Fixed (4 changes, 1 of them is from the community) @@ -4461,14 +4382,12 @@ No changes. - Document global.ingress.class & sample Traefik. !898 - Update GitLab Version to 12.2.0. - ## 2.1.14 ### Other (1 change) - Update GitLab Version to 12.1.14. - ## 2.1.13 ### Fixed (1 change, 1 of them is from the community) @@ -4479,28 +4398,24 @@ No changes. - Update GitLab Version to 12.1.14. - ## 2.1.12 ### Other (1 change) - Update GitLab Version to 12.1.13. - ## 2.1.11 ### Other (1 change) - Update GitLab Version to 12.1.12. - ## 2.1.10 ### Other (1 change) - Update GitLab Version to 12.1.11. - ## 2.1.8 ### Fixed (1 change) @@ -4511,14 +4426,12 @@ No changes. - Update GitLab Version to 12.1.8. - ## 2.1.7 ### Other (1 change) - Update GitLab Version to 12.1.6. - ## 2.1.6 ### Fixed (1 change, 1 of them is from the community) @@ -4529,7 +4442,6 @@ No changes. - Update GitLab Version to 12.1.4. - ## 2.1.5 ### Fixed (1 change) @@ -4540,35 +4452,30 @@ No changes. - Update GitLab Version to 12.1.4. - ## 2.1.4 ### Other (1 change) - Update GitLab Version to 12.1.4. - ## 2.1.3 ### Other (1 change) - Update GitLab Version to 12.1.3. - ## 2.1.2 ### Other (1 change) - Update GitLab Version to 12.1.2. - ## 2.1.1 ### Other (1 change) - Update GitLab Version to 12.1.1. - ## 2.1.0 ### Fixed (8 changes, 2 of them are from the community) @@ -4602,28 +4509,24 @@ No changes. - Update gitlab-runner to 0.7.0/12.1.0. !878 - Update GitLab Version to 12.1.0. - ## 2.0.7 ### Other (1 change) - Update GitLab Version to 12.0.9. - ## 2.0.6 ### Other (1 change) - Update GitLab Version to 12.0.8. - ## 2.0.5 ### Other (1 change) - Update GitLab Version to 12.0.6. - ## 2.0.4 ### Fixed (4 changes) 
@@ -4637,14 +4540,12 @@ No changes. - Update GitLab Version to 12.0.4. - ## 2.0.3 (2019-07-03) ### Other (1 change) - Update GitLab Version to 12.0.3. - ## 2.0.2 (2019-06-26) ### Changed (1 change) @@ -4656,14 +4557,12 @@ No changes. - Update gitlab-runner to 0.6.0/12.0.0. !832 - Update GitLab Version to 12.0.2. - ## 2.0.1 (2019-06-25) ### Other (1 change) - Update GitLab Version to 12.0.1. - ## 2.0.0 (2019-06-22) ### Fixed (6 changes) @@ -4671,7 +4570,7 @@ No changes. - Ensure unicorn.rb issues appropriate lifecycle hooks. !791 - Add missing object storage settings in task-runner. !793 - Disable storage redirect of Registry when the internal Minio is used. !797 -- Port over https://github.com/helm/charts/pull/13646. !804 +- Port over <https://github.com/helm/charts/pull/13646>. !804 - Add SMTP and other missing settings for task-runner. !809 - Fix example smtp settings. !810 @@ -4694,14 +4593,12 @@ No changes. - Default Registry replicas to minReplicas. !794 (skarbek) - Update GitLab Version to 12.0.0. - ## 1.9.8 ### Other (1 change) - Update GitLab Version to 11.11.8. - ## 1.9.7 ### Fixed (2 changes) @@ -4713,14 +4610,12 @@ No changes. - Update GitLab Version to 11.11.7. - ## 1.9.5 (2019-06-26) ### Other (1 change) - Update GitLab Version to 11.11.4. - ## 1.9.4 (2019-06-21) ### Added (1 change) @@ -4731,14 +4626,12 @@ No changes. - Update GitLab Version to 11.11.3. - ## 1.9.3 (2019-06-10) ### Other (1 change) - Update GitLab Version to 11.11.3. - ## 1.9.2 (2019-06-05) ### Other (2 changes) @@ -4746,7 +4639,6 @@ No changes. - Update gitlab-runner to 0.5.2/11.11.2. !806 - Update GitLab Version to 11.11.2. - ## 1.9.1 (2019-06-03) ### Other (2 changes) @@ -4754,7 +4646,6 @@ No changes. - Update GitLab Runner Helm Chart to 0.5.1. !801 - Update GitLab Version to 11.11.1. - ## 1.9.0 (2019-05-22) ### Changed (4 changes) 
@@ -4779,14 +4670,12 @@ No changes. - Update gitlab-runner to 0.5.0/11.11.0. !798 - Update GitLab Version to 11.11.0. - ## 1.8.6 (2019-07-03) ### Other (1 change) - Update GitLab Version to 11.10.8. - ## 1.8.5 (2019-06-26) ### Performance (1 change) @@ -4801,28 +4690,24 @@ No changes. - Update GitLab Version to 11.10.7. - ## 1.8.4 (2019-05-01) ### Other (1 change) - Update GitLab Version to 11.10.4. - ## 1.8.3 (2019-04-30) ### Other (1 change) - Update GitLab Version to 11.10.3. - ## 1.8.2 (2019-04-29) ### Other (1 change) - Update GitLab Version to 11.10.2. - ## 1.8.1 (2019-04-24) ### Other (2 changes) @@ -4830,7 +4715,6 @@ No changes. - Update gitlab-runner to 0.4.1/11.10.1. !768 - Update GitLab Version to 11.10.1. - ## 1.8.0 (2019-04-22) ### Fixed (2 changes) @@ -4854,14 +4738,12 @@ No changes. - Update gitlab-runner to 0.4.0/11.10.0. !765 - Update GitLab Version to 11.10.0. - ## 1.7.5 (2019-04-11) ### Other (1 change) - Update GitLab Version to 11.9.8. - ## 1.7.4 (2019-04-10) ### Fixed (1 change) @@ -4872,7 +4754,6 @@ No changes. - Update GitLab Version to 11.9.7. - ## 1.7.3 (2019-04-05) ### Fixed (2 changes) @@ -4884,7 +4765,6 @@ No changes. - Update GitLab Version to 11.9.6. - ## 1.7.2 (2019-04-02) ### Fixed (1 change) @@ -4895,7 +4775,6 @@ No changes. - Update GitLab Version to 11.9.4. - ## 1.7.1 (2019-03-25) ### Other (2 changes) @@ -4903,7 +4782,6 @@ No changes. - Update gitlab-runner to 0.3.0/11.9.0. !735 - Update GitLab Version to 11.9.1. - ## 1.7.0 (2019-03-22) ### Fixed (5 changes, 3 of them are from the community) @@ -4933,7 +4811,6 @@ No changes. - Automate version mapping updates. !704 - Update GitLab Version to 11.9.0. - ## 1.6.3 (2019-03-20) ### Changed (1 change) @@ -4944,7 +4821,6 @@ No changes. - Update GitLab Version to 11.8.3. - ## 1.6.2 (2019-03-13) ### Fixed (1 change) @@ -4955,7 +4831,6 @@ No changes. - Update GitLab Version to 11.8.2. - ## 1.6.1 (2019-03-04) ### Fixed (1 change) 
@@ -4967,7 +4842,6 @@ No changes. - Update gitlab-runner to 0.2.0/11.8.0. !697 - Update GitLab Version to 11.8.1. - ## 1.6.0 (2019-02-22) ### Fixed (1 change) @@ -4992,21 +4866,18 @@ No changes. - Allow static ServiceAccount Name in shared-secrets. !688 - Update GitLab Version to 11.8.0. - ## 1.5.3 (2019-02-05) ### Other (1 change) - Update GitLab Version to 11.7.5. - ## 1.5.2 (2019-02-05) ### Other (1 change) - Update GitLab Version to 11.7.4. - ## 1.5.1 (2019-01-31) ### Other (2 changes) @@ -5014,7 +4885,6 @@ No changes. - Update gitlab-runner to 0.1.45/11.7.0. !654 - Update GitLab Version to 11.7.3. - ## 1.5.0 (2019-01-22) ### Fixed (5 changes, 1 of them is from the community) @@ -5044,14 +4914,12 @@ No changes. - Move ingress enabled detection to helper method. !607 - Update GitLab Version to 11.7.0. - ## 1.4.4 (2019-01-17) ### Other (1 change) - Update GitLab Version to 11.6.5. - ## 1.4.3 (2019-01-16) ### Other (2 changes) @@ -5059,21 +4927,18 @@ No changes. - Update gitlab/gitlab-runner to v0.1.44. !633 - Update GitLab Version to 11.6.4. - ## 1.4.2 (2019-01-05) ### Other (1 change) - Update GitLab Version to 11.6.3. - ## 1.4.1 (2019-01-02) ### Other (1 change) - Update GitLab Version to 11.6.2. - ## 1.4.0 (2018-12-22) ### Fixed (1 change, 1 of them is from the community) @@ -5102,7 +4967,6 @@ No changes. - Operator Version 0.1. !605 - Update GitLab Version to 11.6.0. - ## 1.3.4 (2018-12-14) ### Other (3 changes) @@ -5111,14 +4975,12 @@ No changes. - Fix Broken Icon Image on Helm Hub. !597 - Update GitLab Version to 11.5.4. - ## 1.3.3 (2018-12-06) ### Other (1 change) - Update GitLab Version to 11.5.3. - ## 1.3.2 (2018-12-04) ### Added (1 change, 1 of them is from the community) @@ -5129,14 +4991,12 @@ No changes. - Update GitLab Version to 11.5.2. - ## 1.3.1 (2018-11-28) ### Other (1 change) - Update GitLab Version to 11.5.1. - ## 1.3.0 (2018-11-22) ### Fixed (2 changes, 1 of them is from the community) 
@@ -5164,14 +5024,12 @@ No changes. - Update nginx-ingress fork to 0.30.0. !578 - Update GitLab Version to 11.5.0. - ## 1.2.6 (2018-11-20) ### Other (1 change) - Update GitLab Version to 11.4.7. - ## 1.2.5 (2018-11-20) ### Other (2 changes) @@ -5179,28 +5037,24 @@ No changes. - Mount configuration files directly to /srv/gitlab/config instead of /var/opt/gitlab/config/gitlab. !565 - Update GitLab Version to 11.4.6. - ## 1.2.4 (2018-11-05) ### Other (1 change) - Update GitLab Version to 11.4.5. - ## 1.2.3 (2018-11-01) ### Other (1 change) - Update GitLab Version to 11.4.4. - ## 1.2.2 (2018-10-29) ### Other (1 change) - Update GitLab Version to 11.4.3. - ## 1.2.1 (2018-10-29) ### Fixed (1 change) @@ -5211,7 +5065,6 @@ No changes. - Update GitLab Version to 11.4.2. - ## 1.2.0 (2018-10-22) ### Security (1 change) @@ -5245,14 +5098,12 @@ No changes. - Use example.com in documentation and examples as per RFC2606. !512 (Scott Leggett) - Update GitLab Version to 11.4.0. - ## 1.1.6 (2018-10-17) ### Other (1 change) - Update GitLab Version to 11.3.6. - ## 1.1.5 (2018-10-15) ### Fixed (1 change) @@ -5267,35 +5118,30 @@ No changes. - Update GitLab Version to 11.3.5. - ## 1.1.4 (2018-10-05) ### Other (1 change) - Update GitLab Version to 11.3.4. - ## 1.1.3 (2018-10-04) ### Other (1 change) - Update GitLab Version to 11.3.3. - ## 1.1.2 (2018-10-03) ### Other (1 change) - Update GitLab Version to 11.3.2. - ## 1.1.1 (2018-10-01) ### Other (1 change) - Update GitLab Version to 11.3.1. - ## 1.1.0 (2018-09-22) ### Fixed (1 change) @@ -5317,14 +5163,12 @@ No changes. - Added namespace to resources. !443 (Matthias van de Meent (Cofano Software Solutions)) - Update GitLab Version to 11.3.0. - ## 1.0.2 (2018-08-28) ### Fixed (1 change) - Fixed setting the connection to a non-default redis port. !470 - ## 1.0.1 (2018-08-22) - No changes. 
@@ -5379,14 +5223,12 @@ No changes. - add anti-affinity to nginx. - Remove Dockerfile since it's been moved to gitlab-org/gitlab-build-images. - ## 0.3.5 (2018-07-31) ### Fixed (1 change) - Pin the minio/mc image version to a know working tag. !426 - ## 0.3.4 (2018-07-31) - No changes. diff --git a/chart/CONTRIBUTING.md b/chart/CONTRIBUTING.md index 3d84b673b..d5d5c3128 100644 --- a/chart/CONTRIBUTING.md +++ b/chart/CONTRIBUTING.md @@ -67,8 +67,8 @@ request is as follows: 1. If you are contributing code, fill in the template already provided in the "Description" field. 1. If you are contributing documentation - 1. Choose `Documentation` from the "Choose a template" menu and fill in the template. - 1. Ensure the branch name starts with `docs-` or ends with `-docs` + 1. Choose `Documentation` from the "Choose a template" menu and fill in the template. + 1. Ensure the branch name starts with `docs-` or ends with `-docs` 1. Mention the issue(s) your merge request solves, using the `Solves #XXX` or `Closes #XXX` syntax to auto-close the issue(s) once the merge request will be merged. @@ -162,7 +162,7 @@ This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Instances of abusive, harassing, or otherwise unacceptable behavior can be -reported by emailing contact@gitlab.com. +reported by emailing <contact@gitlab.com>. This Code of Conduct is adapted from the [Contributor Covenant][contributor-covenant], version 1.1.0, available at [http://contributor-covenant.org/version/1/1/0/](http://contributor-covenant.org/version/1/1/0/). 
@@ -174,5 +174,4 @@ available at [http://contributor-covenant.org/version/1/1/0/](http://contributor [changelog]: doc/development/changelog.md "Generate a changelog entry" [git-squash]: https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits [definition-of-done]: http://guide.agilealliance.org/guide/definition-of-done.html -[contributor-covenant]: http://contributor-covenant.org [CNG]: https://gitlab.com/gitlab-org/build/CNG/ diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 58c00d189..bdb9c2f27 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,8 +1,8 @@ --- apiVersion: v1 name: gitlab -version: 8.2.9-bb.4 -appVersion: v17.2.9 +version: 8.3.6-bb.0 +appVersion: v17.3.6 description: GitLab is the most comprehensive AI-powered DevSecOps Platform. keywords: - gitlab 
@@ -15,40 +15,40 @@ maintainers: email: support@gitlab.com annotations: bigbang.dev/applicationVersions: | - - Gitlab: 17.2.9 + - Gitlab: 17.3.6 bigbang.dev/upstreamReleaseNotesMarkdown: | The [upstream chart's release notes](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/CHANGELOG.md) may help when reviewing this package. helm.sh/images: | - name: redis-exporter condition: redis.metrics.enabled - image: registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter:v1.64.1 + image: registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter:v1.65.0 - name: redis condition: redis.install image: registry1.dso.mil/ironbank/bitnami/redis:7.4.1 - name: alpine-certificates - image: registry1.dso.mil/ironbank/gitlab/gitlab/certificates:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/certificates:17.3.6 - name: cfssl-self-sign condition: shared-secrets.enabled image: registry1.dso.mil/ironbank/gitlab/gitlab/cfssl-self-sign:1.6.1 - name: gitaly - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitaly:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitaly:17.3.6 - name: gitlab-container-registry condition: registry.enabled - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry:17.3.6 - name: gitlab-shell - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell:17.3.6 - name: gitlab-sidekiq - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq:17.3.6 - name: gitlab-toolbox - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox:17.3.6 - name: gitlab-webservice - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice:17.3.6 - 
name: gitlab-workhorse - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse:17.3.6 - name: gitlab-pages - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages:17.3.6 - name: kubectl - image: registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:17.3.6 - name: mc image: registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2024-10-02T08-27-28Z - name: minio @@ -60,10 +60,10 @@ annotations: condition: upgradeCheck.enabled image: registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.4 - name: gitlab-base - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base:17.3.6 - name: gitlab-exporter condition: gitlab.gitlab-exporter.enabled - image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter:17.2.9 + image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter:17.3.6 - name: bbtests condition: bbtests.enabled image: registry1.dso.mil/bigbang-ci/gitlab-tester:0.0.4 diff --git a/chart/Kptfile b/chart/Kptfile index ff461be26..804ab58b4 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 7747e52f59619c1d3f885e6e326bcb248008fc0f + commit: 960b9c67fb2c0a92dfbd71f4197248e714c1652b repo: https://gitlab.com/gitlab-org/charts/gitlab directory: / - ref: v8.2.9 + ref: v8.3.6 diff --git a/chart/README.md b/chart/README.md index 6c852a812..e51f0732e 100644 --- a/chart/README.md +++ b/chart/README.md @@ -5,6 +5,7 @@ Exporter for GitLab Prometheus metrics (e.g. CI, pull mirrors) ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-exporter> 
@@ -12,6 +13,7 @@ Exporter for GitLab Prometheus metrics (e.g. CI, pull mirrors) * <https://gitlab.com/gitlab-org/gitlab-exporter> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -23,12 +25,13 @@ Exporter for GitLab Prometheus metrics (e.g. CI, pull mirrors) Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install gitlab-exporter chart/ ``` @@ -81,6 +84,7 @@ helm install gitlab-exporter chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # migrations   @@ -88,12 +92,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Database migrations and other versioning tasks for upgrading Gitlab ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/migrations> * <https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-rails> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -105,12 +111,13 @@ Database migrations and other versioning tasks for upgrading Gitlab Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install migrations chart/ ``` @@ -153,6 +160,7 @@ helm install migrations chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # praefect   @@ -160,6 +168,7 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Praefect is a router and transaction manager for Gitaly, and a required component for running a Gitaly Cluster. ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/praefect> 
@@ -167,6 +176,7 @@ Praefect is a router and transaction manager for Gitaly, and a required componen * <https://gitlab.com/gitlab-org/gitaly/-/tree/master/cmd/praefect> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -178,12 +188,13 @@ Praefect is a router and transaction manager for Gitaly, and a required componen Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install praefect chart/ ``` @@ -225,6 +236,7 @@ helm install praefect chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # sidekiq   @@ -232,12 +244,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Gitlab Sidekiq for asynchronous task processing in rails ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/sidekiq> * <https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-sidekiq> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -249,12 +263,13 @@ Gitlab Sidekiq for asynchronous task processing in rails Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install sidekiq chart/ ``` @@ -406,6 +421,7 @@ helm install sidekiq chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # toolbox   
@@ -413,12 +429,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in For manually running rake tasks through kubectl ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/toolbox> * <https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-toolbox> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -430,12 +448,13 @@ For manually running rake tasks through kubectl Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install toolbox chart/ ``` @@ -563,6 +582,7 @@ helm install toolbox chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # registry   @@ -570,12 +590,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Stateless, highly scalable application that stores and lets you distribute container images ## Upstream References + * <https://docs.gitlab.com/ee/user/packages/container_registry> * <https://gitlab.com/gitlab-org/container-registry> * <https://gitlab.com/gitlab-org/charts/gitlab/charts/registry> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -587,12 +609,13 @@ Stateless, highly scalable application that stores and lets you distribute conta Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install registry chart/ ``` 
@@ -672,7 +695,7 @@ helm install registry chart/ | init.image | object | `{}` | | | init.resources.requests.cpu | string | `"50m"` | | | init.containerSecurityContext | object | `{}` | | -| init.script | string | `"if [ -e /config/accesskey ] ; then\n sed -e 's@ACCESS_KEY@'\"$(cat /config/accesskey)\"'@' -e 's@SECRET_KEY@'\"$(cat /config/secretkey)\"'@' /config/config.yml > /registry/config.yml\nelse\n cp -v -r -L /config/config.yml /registry/config.yml\nfi\n# Place the `http.secret` value from the kubernetes secret\nsed -i -e 's@HTTP_SECRET@'\"$(cat /config/httpSecret)\"'@' /registry/config.yml\n# Populate sensitive registry notification secrets in the config file\nif [ -d /config/notifications ]; then\n for i in /config/notifications/*; do\n filename=$(basename $i);\n sed -i -e 's@'\"${filename}\"'@'\"$(cat $i)\"'@' /registry/config.yml;\n done\nfi\n# Insert any provided `storage` block from kubernetes secret\nif [ -d /config/storage ]; then\n # Copy contents of storage secret(s)\n mkdir -p /registry/storage\n cp -v -r -L /config/storage/* /registry/storage/\n # Ensure there is a new line in the end\n echo '' >> /registry/storage/config\n # Default `delete.enabled: true` if not present.\n ## Note: busybox grep doesn't support multiline, so we chain `egrep`.\n if ! 
$(egrep -A1 '^delete:\\s*$' /registry/storage/config \| egrep -q '\\s{2,4}enabled:') ; then\n echo 'delete:' >> /registry/storage/config\n echo ' enabled: true' >> /registry/storage/config\n fi\n # Indent /registry/storage/config 2 spaces before inserting into config.yml\n sed -i 's/^/ /' /registry/storage/config\n # Insert into /registry/config.yml after `storage:`\n sed -i '/^storage:/ r /registry/storage/config' /registry/config.yml\n # Remove the now extraneous `config` file\n rm /registry/storage/config\nfi\n# Copy any middleware.storage if present\nif [ -d /config/middleware.storage ]; then\n cp -v -r -L /config/middleware.storage /registry/middleware.storage\nfi\n# Set to known path, to used ConfigMap\ncat /config/certificate.crt > /registry/certificate.crt\n# Copy the optional profiling keyfile to the expected location\nif [ -f /config/profiling-key.json ]; then\n cp /config/profiling-key.json /registry/profiling-key.json\nfi\n# Insert Database password, if enabled\nif [ -f /config/database_password ] ; then\n sed -i -e 's@DB_PASSWORD_FILE@'\"$(cat /config/database_password)\"'@' /registry/config.yml\nfi\n# Insert Redis password, if enabled\nif [ -f /config/registry/redis-password ] ; then\n sed -i -e 's@REDIS_CACHE_PASSWORD@'\"$(cat /config/registry/redis-password)\"'@' /registry/config.yml\nfi\n# Copy the database TLS connection files to the expected location and set permissions\nif [ -d /config/ssl ]; then\n cp -r /config/ssl/ /registry/ssl\n chmod 700 /registry/ssl\n chmod 600 /registry/ssl/*.pem\nfi\n# Copy TLS certificates if present\nif [ -d /config/tls ]; then\n cp -r /config/tls/ /registry/tls\n chmod 700 /registry/tls\n chmod 600 /registry/tls/*\nfi"` | | +| init.script | string | `"if [ -e /config/accesskey ] ; then\n sed -e 's@ACCESS_KEY@'\"$(cat /config/accesskey)\"'@' -e 's@SECRET_KEY@'\"$(cat /config/secretkey)\"'@' /config/config.yml > /registry/config.yml\nelse\n cp -v -r -L /config/config.yml /registry/config.yml\nfi\n# Place 
the`http.secret` value from the kubernetes secret\nsed -i -e 's@HTTP_SECRET@'\"$(cat /config/httpSecret)\"'@' /registry/config.yml\n# Populate sensitive registry notification secrets in the config file\nif [ -d /config/notifications ]; then\n for i in /config/notifications/*; do\n filename=$(basename $i);\n sed -i -e 's@'\"${filename}\"'@'\"$(cat $i)\"'@' /registry/config.yml;\n done\nfi\n# Insert any provided `storage` block from kubernetes secret\nif [ -d /config/storage ]; then\n # Copy contents of storage secret(s)\n mkdir -p /registry/storage\n cp -v -r -L /config/storage/* /registry/storage/\n # Ensure there is a new line in the end\n echo '' >> /registry/storage/config\n # Default `delete.enabled: true` if not present.\n ## Note: busybox grep doesn't support multiline, so we chain `egrep`.\n if ! $(egrep -A1 '^delete:\\s*$' /registry/storage/config \| egrep -q '\\s{2,4}enabled:') ; then\n echo 'delete:' >> /registry/storage/config\n echo ' enabled: true' >> /registry/storage/config\n fi\n # Indent /registry/storage/config 2 spaces before inserting into config.yml\n sed -i 's/^/ /' /registry/storage/config\n # Insert into /registry/config.yml after`storage:`\n sed -i '/^storage:/ r /registry/storage/config' /registry/config.yml\n # Remove the now extraneous`config`file\n rm /registry/storage/config\nfi\n# Copy any middleware.storage if present\nif [ -d /config/middleware.storage ]; then\n cp -v -r -L /config/middleware.storage /registry/middleware.storage\nfi\n# Set to known path, to used ConfigMap\ncat /config/certificate.crt > /registry/certificate.crt\n# Copy the optional profiling keyfile to the expected location\nif [ -f /config/profiling-key.json ]; then\n cp /config/profiling-key.json /registry/profiling-key.json\nfi\n# Insert Database password, if enabled\nif [ -f /config/database_password ] ; then\n sed -i -e 's@DB_PASSWORD_FILE@'\"$(cat /config/database_password)\"'@' /registry/config.yml\nfi\n# Insert Redis password, if enabled\nif [ -f 
/config/registry/redis-password ] ; then\n sed -i -e 's@REDIS_CACHE_PASSWORD@'\"$(cat /config/registry/redis-password)\"'@' /registry/config.yml\nfi\n# Copy the database TLS connection files to the expected location and set permissions\nif [ -d /config/ssl ]; then\n cp -r /config/ssl/ /registry/ssl\n chmod 700 /registry/ssl\n chmod 600 /registry/ssl/*.pem\nfi\n# Copy TLS certificates if present\nif [ -d /config/tls ]; then\n cp -r /config/tls/ /registry/tls\n chmod 700 /registry/tls\n chmod 600 /registry/tls/*\nfi"` | | | resources.requests.cpu | string | `"50m"` | | | resources.requests.memory | string | `"32Mi"` | | | nodeSelector | object | `{}` | | @@ -747,6 +770,7 @@ helm install registry chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # gitlab   @@ -754,11 +778,13 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in GitLab is the most comprehensive AI-powered DevSecOps Platform. ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -770,12 +796,13 @@ GitLab is the most comprehensive AI-powered DevSecOps Platform. Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install gitlab chart/ ``` @@ -1749,6 +1776,7 @@ helm install gitlab chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # gitlab-shell   
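Review bot: The rewritten `init.script` row in the `@@ -672,7 +695,7 @@` hunk no longer reproduces the script it documents. The spaces around the backticks embedded in the shell comments were dropped, so the cell now reads "Place the`http.secret` value", "after`storage:`" and "extraneous`config`file", where the removed row had them spaced. As far as the hunk shows, the executable lines are unchanged, but this cell is where a README reader sees how the init container writes the registry secrets into /registry/config.yml, so it should stay a faithful copy of the default. This looks like a Markdown lint auto-fix acting on a code span that itself contains backticks (inferred, not shown here). I would restore the removed row as it was and exempt the values table from that rule rather than rewrite the cell's contents.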
@@ -1756,12 +1784,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in sshd for Gitlab ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-shell> * <https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-shell> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -1773,12 +1803,13 @@ sshd for Gitlab Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install gitlab-shell chart/ ``` @@ -1886,6 +1917,7 @@ helm install gitlab-shell chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # webservice   @@ -1893,12 +1925,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in HTTP server for Gitlab ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/webservice> * <https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-webservice> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -1910,12 +1944,13 @@ HTTP server for Gitlab Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install webservice chart/ ``` @@ -2142,6 +2177,7 @@ helm install webservice chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # gitlab-pages   
@@ -2149,6 +2185,7 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Daemon for serving static websites from GitLab projects ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-pages> @@ -2156,6 +2193,7 @@ Daemon for serving static websites from GitLab projects * <https://gitlab.com/gitlab-org/gitlab-pages> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -2167,12 +2205,13 @@ Daemon for serving static websites from GitLab projects Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install gitlab-pages chart/ ``` @@ -2276,6 +2315,7 @@ helm install gitlab-pages chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # geo-logcursor   @@ -2283,12 +2323,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in GitLab Geo logcursor ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/charts/gitlab/tree/master/charts/gitlab/charts/geo-logcursor> * <https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-rails> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -2300,12 +2342,13 @@ GitLab Geo logcursor Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install geo-logcursor chart/ ``` @@ -2364,6 +2407,7 @@ helm install geo-logcursor chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # kas   
@@ -2371,12 +2415,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in GitLab Agent Server ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitlab-kas> * <https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -2388,12 +2434,13 @@ GitLab Agent Server Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install kas chart/ ``` @@ -2472,6 +2519,7 @@ helm install kas chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # minio   @@ -2479,12 +2527,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Object storage server built for cloud applications and devops. ## Upstream References + * <https://minio.io> * <https://gitlab.com/gitlab-org/charts/gitlab/charts/minio> * <https://github.com/minio/minio> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -2496,12 +2546,13 @@ Object storage server built for cloud applications and devops. Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install minio chart/ ``` @@ -2649,6 +2700,7 @@ helm install minio chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # certmanager-issuer   @@ -2656,6 +2708,7 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Configuration Job to add LetsEncrypt Issuer to cert-manager ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/certmanager-issuer> 
@@ -2663,6 +2716,7 @@ Configuration Job to add LetsEncrypt Issuer to cert-manager * <https://github.com/jetstack/cert-manager> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -2674,12 +2728,13 @@ Configuration Job to add LetsEncrypt Issuer to cert-manager Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install certmanager-issuer chart/ ``` @@ -2697,6 +2752,7 @@ helm install certmanager-issuer chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # gitaly   @@ -2704,12 +2760,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Git RPC service for handling all the git calls made by GitLab ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/gitaly> * <https://gitlab.com/gitlab-org/build/CNG/tree/master/gitaly> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -2721,12 +2779,13 @@ Git RPC service for handling all the git calls made by GitLab Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install gitaly chart/ ``` @@ -2800,6 +2859,7 @@ helm install gitaly chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # mailroom   
@@ -2807,12 +2867,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Handling incoming emails ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/mailroom> * <https://gitlab.com/gitlab-org/build/CNG/tree/master/gitlab-mailroom> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -2824,12 +2886,13 @@ Handling incoming emails Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install mailroom chart/ ``` @@ -2919,6 +2982,7 @@ helm install mailroom chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # spamcheck   @@ -2926,12 +2990,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in GitLab Anti-Spam Engine ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/gitlab/charts/spamcheck> * <https://gitlab.com/gitlab-org/spamcheck> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -2943,12 +3009,13 @@ GitLab Anti-Spam Engine Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install spamcheck chart/ ``` @@ -3001,6 +3068,7 @@ helm install spamcheck chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # nginx-ingress    
@@ -3008,12 +3076,14 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer ## Upstream References + * <https://github.com/kubernetes/ingress-nginx> * <https://github.com/kubernetes/ingress-nginx> * <https://gitlab.com/gitlab-org/charts/gitlab/tree/master/charts/nginx-ingress> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -3027,12 +3097,13 @@ Kubernetes: `>=1.19.0-0` Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install nginx-ingress chart/ ``` @@ -3280,6 +3351,7 @@ helm install nginx-ingress chart/ ## Contributing Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in contributing. + # gitlab   @@ -3287,11 +3359,13 @@ Please see the [contributing guide](./CONTRIBUTING.md) if you are interested in Web-based Git-repository manager with wiki and issue-tracking features. ## Upstream References + * <https://about.gitlab.com/> * <https://gitlab.com/gitlab-org/charts/gitlab> ## Learn More + * [Application Overview](docs/overview.md) * [Other Documentation](docs/) @@ -3303,12 +3377,13 @@ Web-based Git-repository manager with wiki and issue-tracking features. Install Helm -https://helm.sh/docs/intro/install/ +<https://helm.sh/docs/intro/install/> ## Deployment * Clone down the repository * cd into directory + ```bash helm install gitlab chart/ ``` diff --git a/chart/bigbang/README.md b/chart/bigbang/README.md index 8ab490d2b..cf6c793c8 100644 --- a/chart/bigbang/README.md +++ b/chart/bigbang/README.md 
@@ -1,3 +1,4 @@
 # DoD Approved External PKI Certificate Trust Chains
+
 The version 9.5 certs were downloaded from [public.cyber.mil](https://public.cyber.mil/pki-pke/pkipke-document-library/)
-https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-dod_approved_external_pkis_trust_chains.zip
\ No newline at end of file
+<https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-dod_approved_external_pkis_trust_chains.zip>
diff --git a/chart/charts/gitlab-runner-0.67.0.tgz b/chart/charts/gitlab-runner-0.67.0.tgz deleted file mode 100644 index 01c3ead152248be206ec321b979d584368dad45a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 26810 zcmV)0K+eA(iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ(cHFkID0qJNQ<Pddk(6Vyzw}}E-rCo)tk^n{C5<F!pMA44 zZ8VAQM#Lr<f^4ay=&pHz`)^)j{>}^B`y}%uvrqs?kj?&(<T!huV`i;bO#+2Np-`wQ z6beI@1f=i8X&BPDaWo=v;!epp_?OT4G@H%l-p&sG+iW(=|2FqJ?SE<Q?CtDznytOv z_P;b+o&DYRzd-YIA~EktMMC0#X+FEHa_9a@9ul!1Xe<~HyD(|hNEBs1Tl;R?ZPt7$ zyqHA^zI(@#Q__b^WS1KA<hxOlM55bhC{}VkK5nE@z=<y!PD4yZLdT6L=08&}X^;s? zNZe@eHeYr+4aIf6fDgGFg~Qqno!;`;7u}izLzdJW@L0_OpGE<n*2aW|31K0Pu>c(t z7IZ<RQN-iqb>4anAS7d&A$t;fZcV)@aC=SgH1;S0tLTF+%j03glhZ;pinW(jnpfKA zo^Y)ydg|3ChVD&wZ{Ka!zRdU+=l_HRDHWev04$#Wd+m0oQ=0!f?bhzs`Tr%J_4VSM zhLbTF(%SlZZG9cyOu?rEk_HK|WK%#YSU7~34w*>esk;K-cS#VjkUEq5AC51tPR`FB zB;4B(jVWZWfC)&*4Gm!s^D*R$kouj=Bp5In_!_yG4k~5OJX9JU*W#mRdeCUU>b&gy zHy-;meltBdJN$6`jo@)|K!o>=pd|K2KmK%Jx{$xo7@YBhcHv|IQ=Wo1BH@riGNQmF z2_fP5BkiYQl0r-aN`xdVsK@8wWq4{0LHTJ;6>(wHUFBOWI7F8NblDH&0r;R}e< z5O@ea8w_Yn!vs<x$M3ChC4N|_TZ3%4x>W;L0|hM;jkA&qU>y=N>_Rq__pTbE!)#z4 z9%>TFzm90AnWV^6?`fdN6>eEFD#~Fe?K4OBX={lfW{&4K=GCqk;cbZ)j!7sI5(Fec zHX<w#(5D_r1%*$3I_^6xWXUJVi6KuQBHj%dQXg2DkEjdp`7NE$_yv4QSjez+6jMRN zM3Nk?M@)dn!vPznv1;j-1p$yC;J5SpEQd`<7NB=gz&w@&Q=lQ~2Z|dcihPhY8H$7w zAK&D7*HS^RS;)FDAc3Gb7*`SX*kB4oVSkYZ!37VPH<e6>kmZ633Lm}3j%k?4x|@f= zEt!f<U;|bAnha%cHv^JTk!-#I8VJd#$hw;+gEO97C`xP=CI?Hv=Ts4uL{Tu6<$vaV z$c9QlK+@0~Q6KtKNF)jA9re<L$4JzVa)hEZ2zn7>FG&DDDy)TjllEyG(u9hitVzUh zJZ6MMUf5+E*I~&q9*q)<bwoom(|QzBM>b4-JyO}U%4sR5f8KYS?s5{Gn8H`oi)kX{ zbR}@Xr3i!XGi;0wBS7SJGlaA_F&qsybeaQlpWDg2Mb$~!VWF^fc<2x(;!5D=T%<eG ztx2imXkDw0pOIdUs$WNHT(dFdY4SpjnxGyJeenVrFkllJQXznZKE#yx41Yy2?^7Y! 
zn;6!Nu$$_O26v?(bzuh^Inr}ZO&A0DLRP31es$sg0nwJThLPYc4ahVDw%5dO5sex5 zv$rkvR-~Rsg}5HYRE&7wccF#vr7THfYQ67N;FNVxAyxeO1+jY1Z(&TrsYP29J!%fB zSpzYZa)`)Qij{ca!=?IoCD~aC5+>knCOvR1yd@zDhL}orLx>Y5*NOK`Bs`v;vN21r z4@zuOvs_%!ctT_NczFt2xKKnfPq@c}ZAeBWu>i}-K$RHNT_Hmvh2zYGn4@odd^{$h zFB&ZL>76@D#=&|~M4LtwQPj7OaWJEFOnDkRK9|xI8^BJzJ-)a+K03TUe%r+kUaIM< zR)uSh$_|f#_`aO%A-&a0r7(I!fg+XStlTk58y?f$6OEAG_Pm&4gS}fG-wXnNi`~?N zjOA>!5UVcK>)EL2)%)@2s-<w8s^REM{!d~?C)8Ieog|s5f-7_AQ5Q}U)C5OTcakki zArJxy<ZPK{V@`dIdoKI7ZmHI%Mr0!Y^bBv31g1230sS<ATbl8YTvJI1^p1%{b_m<s zwh5CHV;#xyG0b?51c5Fjb%+6%Q=G<Q79th(NPUcaqCjUHx+wq+Nzj%a@VH7_P)do# z*qPKuU4~0?n)axV;uFVN{w=3~AwHREP=?rnMQk;RP;c~5DGhn(AUPz3%<2js!)z85 z`%=+y7_)>8rGB7f0uv&ov+L87r(+rxCuIIxvtk#LIHkEFDiR(=MYLbQkWHk100|o- z5pD@XEgV=Pq++5N+K|`%(xZt&kH9b{9v!3s_5ou0OG-uJ+SGn0OI+A%f`liBH%`4o z*xH5ZWx&HB(2%FYQKkas%Rr&u83Mud@guk{*f1o4s4Yad3!S~DS^%!38abli(Kr!G zyEr3bsj~x`W)iiC2mxLy5<bRq1Lh&C$&M6l4K=+H?TeUCm@lP|a`m9Dq6C>uAk`$C z_kX5dVpM)1i^}pMA|8FA><DCQ2_DH6@hFuFF_v$P_?VU~PPb%$%KkOLXEF8UGPpWr zEw*YTfp7#3296{%_0?3-8YJ}{j-EQ<40vo8b7bR8Q_V?;G&`lzmyD>Ru@oq~)#NG- zMYlqw8IwCUPR9_Y<35e0u$Fpe8lx#HXVTNUNBoHtP`*=mt$K;b2E0#D$28J5Z#GjY z&N7^|&IxIlumJHM@L12SQJVPtHUu6~J!Pd-5Wv#}#VWm%LP6GvVlLIJN6dxib;+RC zOO(Fb1=X*&bRgA6OPPidzXd)>XsGNT>fM<6Ao*Ob)cuqN{+AmKiNZ;k(0D?ES!K8| zS2qO&d^nVXHJ}q3xNtZjEI`v&xgvqYv<p7%r$cE%4EPJUC2{xyXdLtS1q?_+f)@~x zka=IKhwBpQQ;BbRTFmR*fX8E!%<G+5ni6`Kynvqtw({kA@*N_#tSeVEl*Z@Vt1~kR zet+Zyw)s|s%aAjo$m3zC0Dv@^<pj7sy@DG`BO>iUtAO}&-N+mLK<*BQ(pYZoj+K^u zXx6ko5hG9=E!xzP+C!geX9)EniW!fMy3N7~_ms@y1NlY*E37s~X4Tef>rqUPB`G7$ z!sH4Y>B4W)P^8|7Lw!VpfY%FNquUWpMnwZljCdOOAQGwdC_kk@%|~Q5iWE>J4H8s3 zlq*WJvR0&&Vy5b8V~+{#?ebq3e^(5i)Xo`V5a~snK$P|a=IMV<E+jl2LrjAyaJ6XD zyM)Fe3E<=cNSbi)neh08#!8LB)(PUvJbLJPJPoy~p;vX(za%7Cdn`XI^FXZv+?N0q zuIR^>s)f{hXy|L)CEuwL$?+`ow_5|#U*oL<SO*e@Ji!4K=ng=ys}cUKm(3==VWH~Z z1&@<1yllSe;A_)u_4-v)>Qw;iCn0!5&?3EE-TUilgxx;lK9%)cI2oXu&c`*zf1wCy zK4<($gw{K-<xqd_LZ>OQ!I!4vXg<jo0Vn<&63CeoU!f*;Nx~r&UHl5*K+A2r9e1bE 
zX(NaqNWgq8B)f1Fq*Bd4xp)EZDe(g;#ET5E7jSApuK`&7>lVMsA^VQUaQWu&$oSm4 zwYX0_M8q&ZqatH}0+&3Xs13+J-mnl2U_BN3)R<nX{>eb;h={l(u6B@ql7`8r7x1ab zd9JGb$$%q)Kzl&f()_O~OHTiU?D7fQs)26WVj`m-AomSvD76~uSF!u8oCvDEg(jL$ zsw0Wn_`#W6FGv<w+67WGt^-pnqo=5*g6;aaz+Dftx67TE5Hf#u4RVC9X7E)`3A={@ z6N#K>aT+KKM{=g`E4>_LR-bqf%dv~36@n8$xC+KG@kUrPcf86fH*_jABRD`J_AcgW zB)ZuaSiKHga{N7Q<I3eErf_(10z+AJTap8t3WsvI=r~HIt^sIl5F6mP^@UX?H14lj zT-CXx#D}rOiu9!xt6Yy-LZRbCl1mHA0S^Lxi^>-ZZ!9RQs2;{gFD!?%ZM&QGks9-z zM9i^<!Ze2%b>YXKY5-Cg6bSWWola<&h`RX-h9*DOB?r`BK>d~^-l#sOdS<^>f>0Ac z0`X};6FLt{#QlZ!P4yS`Ax$hG77zVcw*brlZ;&J*-l+aU{gSk;YEMFck+&LQ&tJ?U zzk0g?AI@(GDLjWHdW&Fns=TPDkx%B+SPKWDCVeH~B5|u~FUCjJ*ApdGb3hBWJ`t!( z<(n?KBG6|6OK{&x?U6OcB$TVXwS&b6%HT!No?5M(TdB107<d>=5gZG1e}WX>s@z|h zFGU>{BHO$}FdwzsD4(STj|KJ@w2V}K4K`3K8xxt9qMR8_s0~=<ui6q+iATNsY(GnC zE16NT#$<A<X0NSNThT!Uz0?))LN+VSb9B>Kg+=O(fC!*B!X;z!D-X%7P$G#3)FE-G z1?LaSwi=VEa&gL`<G7R>t4m4mUJ?a87^I=H7?=Py&Ng646a|d>E_`5GxBDgKiP8+r z9=D|I3!v^$H(Vsbp{3EO@2~*(F4X1!$*t%zGVXTo@4;0aag|Ns>Zx(!!^1;YR%^_b zVPq`T6kOvU9_kBay2L=?qIM5%L__WFHlzkVOqov`L<sINl2AwY&Cysm5&^ZFkhifS z3t59Y!%6c=D3#)TW<=;m#3%_+JFykrT(lLcHj^6>_Z<^%;plfYu)*tnUX&{{dV4NY zCCP;<<&?tAiu}(*lnS^=m$y`v4I&voN`s)}amT{*Mzo@<2@yA<k*~wDtC`HQ-j_zU zu}*w{b}u;L4k;IX{Lq&>JTv|?o6J%(C>sAo^$@*fg*OXy`C`>MTD+=$eg5{mi=Jtt zen~w(SHP>Z@9UBFFlz&_)SPil8&g4Q&QkNvcW|T(GPVNILS0yzyb(JTK2>YvpFTlC z$B~@JrZ1t<pRw6P-)C|@k-#_}%JO&?@!vrre-+116304NW4SP{@Fx7HmOv|r4HhPJ zsHV|H%*RqBqyok?iJ2#W-r@F1yvjbiwt&VwWC@R1IBcvJynzlM;I@i}?MOJ*=8Aq@ z;Rh;MxFp}K!rc~)s6^BBTK=t6E&WwPxX3+bJWk98je)cxA*?pK@T$Gr*1&U$5^4AA z`i|N|;jx)@9~5<@&{N@WBu%(a6YZYm0|gD;h+a(8J}vG_xo}B;Nm)#_U(hh22Apr^ z^=ZIw-IC^@+pS!$m2F_rCl`hR>C+$!W-v|ZA<mlA01O;e$!I1;(3Y5-53~|$dG4C` z8DAj1)Hucy62KNp(_1E}H6VH5uA0-^rB(_Yo>$A}ZvM)Mp`s(a_-kF^)KhN@O=Wl* zCr&{YW#dn?P#+N9h>j@=@)rt4DX!!nMZl_D7wYnp1v<qzLjp-qj>a@opfnVVNHb)~ zC{^>`;&zXZ$7#rtX=6l#v7^ri^aI{+j0p?PfdMHK9jls1h<9T?da<AX&j>b+kqW^t zb~g!xntKJVkUGc5%M*x5GSYF?(d?}DNQjO_q_m2`DFT<(yHIcF3OO|oGgsRO{B%i? 
z>lG%*+gVtrAmb>YSxgKIhZL>q-<R_g#=ThKr8!U(dpEXGXW>w<4>Mg{y>mup{l0xG zc50@rQg=$ic}8BU36%-tOzavanJ^+@EEnoV;hwvM6$Gp;UrQ4(_a78RX(fm%MRf*F zh43thPGuB$`IZ7O6~6Ct)W<PEjDSB4$(VUkReFTJlNp!B9p!{Hx#jVV)DiT%#=1A+ zT<WV1#trh@&|#57d|$2yc}F~h;H>YPWc+Gta@N+D6_{Bj(C6xeY0Y7gg|vBla*@rj zf;y6sKj6gg>us5n3(c7-+%N0Lsa58);~!K3FYHqlD4%!1kY3NJlM9G(D@)ER3_c|2 z%TtT~?>GSDRybkMck~WMbsq|QZTWx{7GEtTl4)clgtgsPy~!qd?pP0#)IUFa=Wqj2 zjN~NA${EdHBAT&Wf}4C9!t?u=FNGoZDXPVK;$tXiMh0oQOG=o1&77{8+Fqr?$l^-b zPD7u@a64k&$V3j67h~-mFk#Cvg)#AIrv8~25qHtr@?_GQ?iUxxd>eNG%UkNQ-ZbMX zKq2D7I=%6GaXjuzOP0v2KuhdrsL5W;u7^eS?*fC~M<lVwL7zfVvXc^Tgt1dU^S-p% zbU>`yug(KGbJ#Dm?uDjW8YBz?DXK++akESSosb|^LAnBn+TPcm8W3EaAS0nU00L62 zH2x753fxK<;JFq6)#W6zBGF}WSBw-nNBlP7TFdMuED}8u`aQ{eH=?nQz7n)glPGYE zyJc?2K3@z{4K(B~{Dy4zqdCR%liIa`%40qH6Xbg*Z~*oDd-qbEsB_QEd*xwKk2*7R z0Cja}%`o+0U+^GJs8W}eKP!&{uj)SxSfJf|M@orC4+#l)IK*M8Pk4}ysi>nLPyhO$ zHn9q!=6YFE&@HfsUV<^ngDmV?7m-{uj*_Vqw_zIO1iVnny6MzkQP`LbS<9;_F|`+G zRiFzwb!)TU+vNd3eF_2hZq#18wW#Ye-YN|Hg;EIJRkxK_KD=NpbP@*>^gXv9c$|O? 
z1!Q{}R+Nu+pTZFzkEK|Nh;ob=ktZwuj$M%8t${48D7N#*oOj47hNYm0IsG<qaXOF) zw(_{q?P8RfpehRfXWlQnRLx=k-;D|y%WD(uw6I%DZMEVMVuXVn+MF@tH2fXMD^A0Y zVM2z(75Hxc{J{<3I1SO`K|RTD{g~k5^E=|6HCDj9yk()Bt!8gK7mAKLk%MRT?9)-& z<B4DOMz91>&a|M(BrC8!Ml+fNG#>Fr%8q_o%xju(;SufrUib4BbkoAITgdia>{Dt| zLW>Uci4^P^1U!SOs_OlM?^vuAp&&p2AyqOk4ON6q0`G9ECXmxf0#Jt=uR8f}kwu^8 z=p3oNA7Y5VDLTrC*tExCQ@y*P(@ppWHdR^qtAcc;y@Y<ihf=vx8=4K&RD?60>Vuk& zg6!N--1{_WZQwfLC4t$T(&*uK6!XAf34b@+DULIU`Pd0qB8hO2A$(B(8&6{u<nTS6 z*5}s9I;CnTXTGfQNIkO1BMNF`F#`-e@%wSWyQ8bcETCwkg{~J<pN0t|fj~8(JBLk% zoDT!);MSOm1$L~e1?IscU{=AIHryvqz$F3EdKOAL(xE4^$Y^ZtZ&K?;nV4+`t;Tzc zyFSBTvWEw<^*I$(0k<KwLMP$MGqbo2tm0y@{^#Y*0xRg5$<#5wC}tCqP&rZO@`NX< zWC!-$z(V;U-&pWA|JfM8^mDE(DRkMEKqqhK3!oBJRJ9BB;>*aP!(Y>wIweU&{VGB9 zVu9FMxV{kCM&%NNjhkI%sTUxx6kpF-bC6la%!|3;gG4DQp_7UR)^3P|$7D!xk3^VX z4*qgjn8e&qbG}%O2dr+)UxQ|Pl(B*dRGZHYGyN{q{cQXo?K(L-^iI7p1v<GEP*BZW zv-y>u&C6C|Q(1)$GNF7BXyw{Mr7$y4u$0)oqKRz2t=h(70j;gynN}9oTCr)ILHZ!= z%;;lxXU4Sx6^pqF=VE3?#T!vS4Kkmfbv)F3vU4rC^D=*+(<lmTfCX-;ID1&ZY1xtP zh6W=Q-}M}(4yGSZ9TolKWMAr~{Uf6-dMXD|F=tHS4D%zrds+c41l@^*gg%LV(NLjW zh15q<+~IDOl))^ZLwYQ=eeIbtp;s{_{&^ToFF8-XV*yn;=dAB(cqq<zD8F~jDTl~F zw8Hs35~*-sW@7pLm`7dsv3_`ZS}$+0seoocBZv-FS{)olM<>v*lIn<g<BslZxTH$N zy)Y+D<iO#fbNVO}OWRLn-jhQV^B|DsVU9*)-C&Ev)_-RQj$*rEb2w*A?yk~!NW0L= z-+T-+KXn(>*(BwQFXFzKrzUvH$8gr|2v2LM<T#&|sjO&Di?5I?J_;Ilp{0*k;VTTC z@50{hZl_ZN7?fYE<KP8U(vt*Ppgn#zJ1i>sk@nx34(d!`Sz@kr8--V|Ug4{(Ir*YU zzHB2`=L1l-MZm@^nLXXR`ZA=#*_|w&-m$U-q3=5nwAXB+n#}lvj(I%oLVI`b1Jm!k zDD6VK*&OTNG#b&dTvHvr@^@jk)z-yLcgg@;?UzM>t%U$p`*^5wFkm4|)QpU{ug|QR z<W^6llLCT4Y$5k)W1Z+`91{8t2@~d+H<E1TZ?z4*z7E$s;sGB{uOcb0j(8}i9}9IF zomn(5SDpfysCVduc`8YOZp;zbnjBNp91dzS51DL`kMA(zL1nK|M!>8em`-RIOhGjQ zL@Iv*e&wOsp#ukn#|^#BWru0_dphl6N&WtIM8l7vAPEx#ro_rye#Vn4y+G+=7$<N= z15BV`7)DB@#2cNe7=r92z<~2E^oct8cgB5c$00m}F{&tDW)Dea`A3HA3WQZtF(Yuu z6O-gmL_Eoow+MU3NVTgZ@Q9AH^KW#R1|$Z#BG4E&_yl?$^K+XjY_!-<RlEyzxk@UX z;8gp<agQ@m94i~)0Y)XmR&2ucto7|L2hei&wx2QGuqB*Yx+VEiv99@P&W%|#y{zi? 
zm`wHFyu$wlB%@Rm95`8T)OG<=p{2?dF3Tw@TStb<Lx%dMJ>DSoQX`1;pddP~o*L4M zhx+1ysB306fjC{LAKx*Nh_bpy!wHKyaxzRvj5A0SUHm#zq3V-nkvt`p&fX%sC9+(G z`dp`gK^mhoTWb}-C&sgF!_X(raamHwBPDun!pDKq_zgD{qu29nUXC-OLG<afr$12V z@M$>tfyAY}b(bH{&W<m8$NzDB^zr)qvZh1_uH40qvSRRjHN7#n)eW6G>Hu&=SS;Kc zy-Q+p98NL`aCCU|{<wG5>0KRP{&0NRJAC{0^7!gX8gj*O^kV5ZACJC2zV4kJemFKs zBb0ZWR+c+GKRUcVIX~+{DjZ5g;<W5??+-7J-&!e?R_mM!-1kXBbOemZy7yho$Fp5L zJUTkQy6Sy@{5K<*h4Jdj1uhfTVcC*ZuW^!Oj^r}+jxLX{p9ebgI3o?rw%>>w?ds&B zG>cgHv)Zy@VV)IWQ|Kzl<?_$NfDu7w1(crqEb2nN)!uiTZqsd<SuQJv<{Xh?()xgN zH{c!#>iN4qiS2g=T+_u<^vj^dbj%Z40%u+#Clq6s?UU7oETOghSNWjUOqYFr8{$4q z+(@H@$pQKEc-m8c_f&4fzo_LVi^N`~;nO^BaHdUu8`9WKC>g89JkEoj{HYsa1L{q^ zfPzk$v~ruKV!2tp&ql8j9vPz3JL=`EsHLp5C>wniHpHm@0_u(@|BtCSHpM7K4<1r% zQ`?+ZG|7e&br;K{P+K=&x-gzPrG2->!)X>To#Qj&{?dVDWL$A%MiE&4)gy7ZXdq{s ze8v#Izc@6OG?GOhY05&i%sQrh&N^6CWSfr(hin5;@BZ-6B)}*^L;uT(m60qpZYUE& zLjsmeUlh~|oyM1xU}4Sxbs_}%m<EiEwM8k1zOG8UrsbQLQYENs|5ldjOST^S5Ro{U z0`W<t&adRkP(=*8$~|^BCSj}HxOpk;==2;!ZG9AxY(&N^ytFcc>MeWgl`@{Kb1hOP zDR;ny<WR-^l36W{9ZR2CS^0bVHUM*yS|z;3BO!+qDs8+U)T+EA&A_7igSl~}c^?oV z&de;ac+G_?O5x_E$df~=^H1S`%P}AETQmp^AXFd~2R%V|l}3Pp<U}#0<4CEmGk9j{ zHqH5~Y`W;hIG6&ap~*8_<mNfD<Y5r#RZOT@LQ{GaW2Qf;fSMc(rkn~=s^MW1AEJPG zDlSc0aTuLI5@=vWQ^VxJ4p~z4{z(7>rV#ab#B@|p2rP7zA+KA55)QbkGSoE<%Cc4c z*{uodBv-`>nh88ruJra?swr3b7XX&fvBiE`{l1~oUT%ZRM;(Na|HluQ1)uYP63nlb zq;Uv*Fes)7Djt_q*-|yZifOf1ci(FNJV}#Li2wh!Q9Al2=j)h-jrBfHLx1K-AVy?3 z*+AFU7ouzD4Y!Yo=CNwXnONO)&B}kkLinVoz?ekhlS!MYPXdP=4J(oWv9bkX9&4if zT2d712vTZica@X&@mF&+9P22KiLw+qg6eS1`nt{pX>t}y?a!^LQXfbpGS7`g5j(sO z8Qsq_&dlcbtl7nva<U#Q?F5r`RG?o2|HjSfYINpcQq*5`(Z^vC(O5{+EKGjD*GB<i zV@sWpKhI3fXyPgS;+Rb32%}{H-@lX=c*q9mvdr`<i4zu3X*U&OI(tcW1x<F$z=#FL z8<SR_CPbyVzF|_CGO_4-!YdzQLZp?_t=Trf=KVde&<j$ZmU9~EoaNxc!^5UZtsP0t zO;wNSAf{rJr!{Pi^cPj{D&a9jqr=D%h1pg9HTzPMT<E|wU)6G#Lov*ozX7njrJlJF zS#ouO^-LQHC^|s|#-n0nsg6%Z-HDGQk}#d^B&J00P*gQzAm87Ay1xh4N|y`|51$?$ z>bjD|6K%qp5xF?rUScDUQn*A5Bhvrqt5N<-JVn8o3(K?f>*Fgoxl2An8%ys0+TY#X 
zE8YLIyR+Z?djHRtc<%2VyyT-=DrQOVm0+y>&C1(;S=bB+`K`+Ho+WA5`S|VZ@LBfp zm=bTKOrxX=^QCgReTgmJJmNe&)YgB`2h&9!UY?ztz3XC_lFyVwUSxTU@+$$P0)!!U zn|N+R-!-!d9ti>$W*&t8d*WV0t2bZ&E$@{S^8rn$PKYdxRg+*d!K1{dI%_^p<63#x zm?(~%Itzt;PNQK=d@9GXa54iP9x%Q}J&q%2lGE)#>UMK4Qg|`vih=_yH@n(d?I?hy zi;R$YLLYgjruklus7cyUI)3rxISg+w5L9jA;Q0-c`=B`GG=karp@IX#%{VNxkE@{= z15q7>GO%!n^Mrv!XqWE{|CWx)7$2J9G@nK>^@#G6+V?-T+@@>iDNHJ7$1>Nyo?^BU zg%OA9bW<@Mhv}R9MdqI2GQ(sW3ghgQ5_Auwl%#jxvCxP5-~TSY%}zGS9|!Kg$$#pw zl|;cj-rU%R-)txc?!VRHH%MYOzKH37-9i1pyg+`}?2c7Fki;8RwOn5?6>6Gm@>5v% z_p^O_cz|0XU?5FW$S#-4;AA6V@F}+!T99gAc>3WEq0m<m<cQ4n0z=3G!Lcw4ZB{R^ zuwKJ*P*l12T-^CB0nJNgvU(WunEJEp$CqT`(w}UAz0Za%&mst0(&9N0P-h{=_2kS{ zne=x14;W#cs{lSpygy|}h^$MuWdE|Wz+_&UFxQN*_HRf&n3vjjK_1@<&7i<P-|-mw z#JjmAu`f#Y*({cZZE_qJLjOJKKFc%(hN;L${0Gl=YX;*DlZrzs5Um`u0xvAhnYmzK z{s~6Q-c0&u7&Hst;@B-6w5lwXE05hDJ!ms&-TpDhY9<|IHG!9o)!ej_s|?te9IHRt z+Mj*q`G0yeob)Cn7H$$f_b%uq{-4h7Uitp#z1_~vSO3qKcqDVG4ezq=MZ0@xIB_H& z)FuC#eS)JC6T9^B^0b!4ORet6nHPR#gUa&W=SJSFg_5N`_)TR5wIm|_1-9m(!^B~l zjL@4<2X`ClsF4-AczOKp<m&qPvUhrZ^!@SM8es1RQh(bDc>-G_BEF~7GD1*Sc?s&< z+cUW8tO?Q{%lfGUEhTizwUvKXh?(z7ij;_VefX|-dUADLO}tr>;gR_gxr%Fvq}-#Z zzg;YrLqbYD&Fb8?yZZgdH^-M}$JfVK82@&4ad>oG=<jSgkOf_=UO9DqpthG)UZ<Il z7EZF&P;0LRR8;ieO3kZAHg4$j1#GB#-GjVQ9a>jvRTeKdy0NU$)mr*4=Htb!sW3nE zv`MfD{~H+xdGjF)eHtdPQ%&pn6Y|Qwq~<UP_$`$-<hF&()$!HU$@y6+Y*Nn+YaomF z-I&{GW`=2n(%Gb3EKXD?kE0<KQdKGOl4Yo>m$8Uq7A6Cz|EqBSRk&i}xjOTkj_`YI zo9bQ`ce`preAX_R)L`{8Zy;-+mZzgI<zsK^PFngU7E*iMA|XjC+z}Va$;D^H(%cvH zS+R_`UqsRx)1suV{PT}q@(a&g{cl8rh<+CJZ;AfbYVCD)%KBetxAj&3`x4LnedAl0 zuyI$V0Ac}^ljmS8$%1E+zilA%HomPL-$f>}-#!705jbv5mz$?eD!Jt3Wl*_raZf;P z6d8FeOP)_?95bJy3p))x*z0I-_EkDS_qLM*v-Wfv-`29z?xqdA#TI@^Nx%k-`aq%x z@po%~r3yNhPh=aiF9P~h-P$YonA(S0RQRnF2P$w0&%v3%JSJdE2Qa-oyOL!wSTmyD z_EO^H7iyV4fxVuY&ly$nQZT>JDx`y4<uvd%u$SF~)yK%L%?2<cLhnH+P{r*)yD*f# zt%h+0&R{L0&c8}MwE$P)u`+bcPMSW}uS!N!m+E9^%gt@jM4toKETKx_>9eKWfMso* z%AK<ZME$K-E!-5sa89WITOI1X`V%IQb%)&I%uv}y?P6JvOmLM`;jYp;zXqRox@z}J 
z7uv|wT&Elppyy7twvbP=jhVi$PKS=l)}RTpbTDPvDgsoSkE%S>^Hc<RrOKjiUUHTy zbNhCkZ5{I%c$!3McDs3IsW0o9Wzv^1%mX9lp|ph63R@cr5pyNWB^~n#%`dOVkV4z} zxsVUb4*kNA@Obf_)x58vE!Y;7`7INw^Ay^gMcwUcE-$-!HEQLRb)^OhfEL`pIDfv? z3ye8ucgJ~nsINZR(3$%}2R~@}b{IuQ#9=<ILLh_6^+|-a=A$mYjDfLU=B(Htc^lmW zz=+a#3iW<Ksn5b;9kx&oLw!=8MQa<j=r0x6=GC{eo?9)QNEEKgP_}5KyvkULlHSHC ztBq*upqOa^)eJ>5AXwCmP1$;*uJN4n-A0mGs2Q?WVP1rlkYO1_6xhA{SMjf+i+wBh zqX<R~X^w*dDHnwt>;^33C4I)mTvV*{U>fFXy=*q0z&9nMQv=Ny2{LF1zuL`UGIBn$ z1Lpo;Ou%fq@v8Ybx{-xiN5-fxb_QFi?u>o?@MC+F<;Aso^s@P?^ZXteV$JIjwo=_A z`<~_M9(@e6Q_IHl%R@XuBoZDi!!*rmD;Xxr>(G`Ib0rru)Mu;ZGJNLSwgyt+tgeJq z_E*ou-6`P^WTzi7iB5LdF+b`ErGt(%yL!C-!fqLlJ~|`_OpdtvPphpGY%qKFTtxty zi-=(hBUPr`HHOjdBuz#%OicDeRhY*R@}&w~VXGh)ZTVX%-Ox*)e;pAqLp@onJPLCN zU0{Z4V7aclkr?PphR?2Jqkn+>rp^N>VB5$qCXj3x#EDbSKFv|Nb2R4eJS@Q?XVwBP zt07~tOabgNJ}O>eZ|=!4fkOQ$cq8iFuy9z@OqZWu(n+2K=IQ=LYN4&=yj1PwHdrDF z?9G=JY-Kbw&HW}<fxVsWZD?&*i?4ZNTK8%pO^O8B%+mR5m&xNKaM3BPYnH6pl@!&w z4Uxw6svbN%6qlL8z}nYbxV4jHQxtEs=uZvbKDCd^=Umdl>vkjcIpbnoSYPbdm+=41 z^ZynP%RR4+#s1%Rr?azL_W$nfeLes2MV``@hdQ=)WX?d=@^f^M?+7lRv1&&o+vi<j zhZf8gP&Ks?6FsUWP!6_5b+lJ4s}L(}@F3gFk%hWG*buV>bBh(qm>a8QF+-bN$1%5C ztgm5)hdvP_{4Hn#j=qCXU9t#A=V#xYyz5;YUcc{scYfJBIXk&NkWFP4U4tfG>1=Bq z>WvW})6#3VT&hZgbZ0Z+p%S8!&}rkanXfss#oerQz7B0?1RLM@ECwfnjr*#;>5+=S zIxF0;lLXDHmhCn#i|UxOi45C1&cY1-FDXm5w&7lDt2ZnNz_~uY`~dY0Z^Qy$^+&gy z#3aHh@PB+fxdvHIeGsEUR|HL*;zDKa^@49Sld`}+*jU3Kw}d5mb1T9_zF7*)kjtDy zKz_t5B55=)yAO}S<Pt(R{*OO`Gsw>4H?kZ&@Xa@c4_O8s`01xV$)z{cL^Vu4n+fP( zW6QJ7`sc8>=Tyxz{gkU_t#9iM-P#=d?d;zbnY`y9|L*+!-RW`f@Z#e1L}gRz9bF#3 zJwCfWIXt~OsILlM4G9ev<5iVn{Bt5!1>az%uQQ)Zx-4ICY4}U2gUjfa#`4|KmEnVv zx8<=cw6mQ7SO?6E<IpUz?wH(AlMEeXqnLFSvjK0hP-hW_p9NQj9~QBTGij?+ERSj1 z{vK}6NB83L<cGuSW6gX9l?v1?Dr|3Ou>(ukvLZuqiNG_-iWkna!~g#A@>r7i{NtHQ z6*e>3W?HPAbwxl`leUc4vKct{l=_?wsQ|o7#oX8D-yffqQJ4#HMN}5Go<}$?YPzDe zb+|N+p*$CZ!DFo~;*BrF$y4Q*uwe<b$_?P%G1SSG4o7$~i;}z<sdf|^sw}^}sjGy< zNx38Rj(T9ZbudZg-|a=Za7d^esktR>Dlwu#P=~Fp`5}eBLBg*vK>?~58coMZ1&t4i 
z83g}cUh+&?eT$r<@*eScdQhP})v}wlPz^B}oEW8v&u_z?an>Fb!p6#9jUviJlTf5k z-g=*@tkk>dW!E?tOUrL2-Gr$S@L?~Y6ROK*MkWgfJU1=_K0L)j1?_q!NG{;R?|3{W zi4A?A-V{*D3swNM$X$YOl2;k8gJ}iRiS&$KbO3exZhccJQhwJNO{St9fqeK@gyy?? z(ep*9E{dxxxe8>DhoMRw_JQ0T4yiT5`h9Oq?t1#7x#CclD=up9vuLzGYDKZ96h(7w zo_Skf;njlavV9FVpHQ=-*TfWt&F;!zOI~>w@@xBuKcR8L1hpHe4*KktUSFJFURUY8 zDrS5BvDSRzo1>{p0!Sll!SP#^O&Itptso3|ZJY2)tMv-$UNR4jama=t33?+E`T>nC z%S5hSum+9~^+ptPud!iZ_9Eujp{#A89Z)D!)I^k+*TxMP+h()a{-&~XPR_2?GVtN> zKYCd>{NeTW@rR4+tAkE6U+@G?8flmvp5+PVoS{Ap0x}dT<?I|cJi@sAc-H%Pc76En z-SOL^1?)(=IjO#N?LhH-eU5pX#o${Pwbf_i@U5@8?W)z%)8ikGPs=E1trTVNK}-j| z>@u|#aLLQgVv>DRc&scH?9&S~qM%63s@|!0YQSdCIb>gEju*^YmC|fvz(UyA67&~n zL4D)Cl3gC^+kXO|8zz)$blu*f0FuZln83z8djLLwxo|Xyg8pGNt~>*TrHITO8FV4d z4oV)=Z?p)!H^vh1g_2fmM5+CPF0vX*#k&wIkSi7_qN%?b$z6qUsrqAae-u;ZXKD<T zjeDCn?It(wZ4O-xnMG3Fki>{}of4wb^JGi@a>M0_n?h3;BpEGku3`iVRTuZuaYD0T z5_L)JH#Pmymhi?0v_SgDG?|d#VB^2l>~&@1UcG;S18B}HCH<I^8#7-6U4hB6^QPtu z2+O3%jS2t}P#VE5{_-))qE?2TfKBLP2P#h?Vi6q>7MSJ7=)p$EVFEhln$s6%OONYl zRfXIS$CoGH{jGO>^5OXW<MqMDeXHwi+!x<=osN-mXi_y&5hF&?Fs6~TC+qIF6)Sul z;4jed>7)^+K_Jcf%DOtI$+wl2mKkR1Ai_aYQ$TH)I!+n~2QZ>RB+4n)Cp2b*=_e4F zogVKm%x+xEFXP<8TramwP#CZvk*}nH-zXgSQ|7J$*i*5C2OC?4`1LXwAL>wriov%1 zmv36z@Y`>uONK?)v*E<<d)&v|G_9SE^4auLG41m^bzx4cy`$cGJf>;F^j%SG09#uc zFdQ6U<!x-N_`1C#Ul(bP3)E&6=9^M87_$&hGxw)?P?1!72-<%^D&%aHOq#~D4uAQk zZI5L$_Xg&O`~{k`Sjf^F_o~E0fddpD{c;R-CSZ%miSrxg-Po?fpa1;l`o?`>gp_je z`3#QvuI{SoYrA1W$s*NC{X@O%j1klahk-+(E*jO98XI%o59{;x6YM>QvitM!;zYqY zsL0c5wur^Vvn2O7-+-)ga&)ZSWe1H3i5qbmX6~Y5u2;R`Ych8fAZ4c;wZ}=)%7*>W z$adAXi#2UO)od*tFj1&+ba-@pDWzYzut!`kE+ICe#HaB=U9R#xX20q?xZY3_(-=1H zv3aAzf}zOA%hQ96`;4d$4HB`&q?LC<G&b(DK0g@Jh{nqHWa;2rrkMhah%koafw|!e zSIH3zDEuh-&?@p!2NTEhlclL<Jvq6Mv`ymx{=fh0|8@imXkqB&YV8q^#*+Aoun(or zih|fI{`F8V7WfZ%cYK`>-N(z*2WbB#Uli=ZzbOH*S!Yqby9vL6mnLW>cI)5_+VC6P zk$5P!Ygrwg?e<o@KpQPfC(i_AS9w7{O;C)<5?N#(o^>nG;{Ey6wec<g!%@WaY(=_g zadA-3nlZiWIvd&8=Zvj&C+Am*wk5c-&jk(0tR!a7xDa$=^47wkc6Uh9Pic}5NZkT7 
zkDZ~UQ9)6lm8<IO@3NY!NZ2QcRIq&xzRIy}R<AkxnsZkU+i?0UM^?90pjmY|PN++5 zYfb#oE5hem51zUjJa#R3#7gkkb>I(Q1tjN7-m+#)N&L&Nb7a59{^DGc<{wbf8BSd+ z>1KqM)vbqF4`NYXnI;yArlRmEh@Oo61*x-0=18m>MI0X|cC^qjc4f64Up?cq4TL4= z-QO>Rvnt9(1Xpi=wMkJ5>35%km+eW<e^l-!O8IR$JffH$XGN~CgmnO_Ue8_UJ33ir zmM}!wv(|Qs&d9$F4-fbE#`Qk?z37e4G5({2?EZnDdGVil^5EwOfG#=zzu)SV^FQr3 z_d8$XKflCd$A6M25{)bf^lg59#Mda$#ZjO}S}xA9Q@*t<-v$OSS$5{+@`190xa0z_ zyopVfwDK5sGdLv)T3x-A%%^~Xx*VgZn%gS%C?Z<P-cp^YIL3fd-h_6<*>zI3&)gKY zo7crBOfv0zCK4V`PuZ9yg}hg-rUhlTtnp&y7s<|CBKs5$lqjMjGE)%D<>0El{KD;g z6<bJW`w9>!+-sr`3<~HzWy(Bh+N?Nr9x;7Zn?l)jamDSRmFCaP971}PX9t+T9FdOm z&7uNr^dZ{~*PNnv-w;7@N2gvoH&Nfl@f9P|-rW=FxMCN}I&?no;8xW!syV3<3WKV9 zk=>-VY9GvHJFE0y@z&g&ARxe`7UtqPG=aUCM6?T=(ooo(Q%E@p=7kHbGTbZj*o+W; zE~6Q7X_2UW7I4w^T-GM);#<5d+AO@CECV+~p>lMUzJ5DCD{P7vUKg{eRacm4N0ct) zhgrS8;;=$4DqrTH%ytap;k%f4^a5`ay;2*11>_c%oJ)h*%LTKN75DiSETD458BVF7 zOF4bQBDq|Z(83bZ`4w%3`JBh=Z|cEA_lxT3YzniLF47>l-~scd^Ab~*idD_071%}0 z<&{=*MnqNjq2gG!Tg`JbOp*$E%|ccXz}6Y)RKyKT=!dS&goR9<ewP2wyq);N3Q({P zPXAPtES9&RswD}~Pse?Sg)DhiLkp#Q#g({r>A<=tcV@Jz>Mk0w5+*d9bXOVCnIyJu z?jv|vM0P?$D#S(1`?PEO@2ykqv(%nP(L9_%ezDko$C3`bPjw)U5kbG<HGWPDeuFW& zgO*f}ezF>u<H<<ymIh>M3pfLPFV}ht9dauw+Pw#}i(LhDG0Fuf(TwP=(8r6IMb$DG zCw+=>ch{qsiV+X|BEUKD%9V;B^_F}!$j%&)<w`{@nE31oj8g~*slO<PgFJE2i`e`_ zjd}^S=MQ@c;Aa{463j&dFLh4KX0Ve2S7@izt3TLl^u<E$_K~r8tA>r+s28{77NYp% zP;Z-SVxDl12VJ;6x>zLZ3zw)?m{0SlP)xn%F3oSU(9SZ~7B9EE3^}8i|BSJ{=JHaj z@AmDk<*!wNfEpxCywU~l)gYIi51xUXFI{s$Rum{7m!NSXuJUYj75J-r%^fUhwIgTU zc^FK)P}-b+RG%6Mw($u4rEr<AO8Q;WQVJ!i6^DvuVk&qVdsK8QKxQ9vc(%4<uIVl5 z>spT~^9s7q-m=(UXU5cL>9`B^4|x4{y|yY3Jp$N2=;T{I^|CK^C$rH4>$zWeF=nZI zMad=+QJ;z+0hYVZmjJHdHVfI`&zbbRPR;EO*f+D6AALvr+*6(vRm}bEkEv5^W<|)e z#TJZA@g@P0U&&KV-J);U$cVkAtgy_NGgm+_6wk9`o@X2_s4H{9&mPO1zvyIpxpsq3 za#>W$`h{ZNlE`~=u`hwGx@bw&D}Sk43ubE1E-{OnCxe01@u!x5P`{~aE-U@mW)dFp zfDflvkzA^ecqk_o3+?XCEmDQZe0Yz=EaX1D(z`f0GWOf5_6xNhPmF-ZW#_Q<vbw{0 zoyWE};vzW=7!lNJ&w5$ao?YiD?G=wenKxB_oO0>=f8@)qzCJV0y!a2i5XKpkkPWEN 
zdqGcaW6Awr%~rFN|Et|>w!Yr~^+lf9i;m>LpZBGftZqAUoSHrjy=CV9wn@GFk9ecW z*XJ?My!k(h$Y;p>r=BJAzt!GrmEym4cXs!_&i^m*lo$VqSa&oWk%-`h!;A{|@Zv;A ziV62U(L2_{BLNGCjY%6_iiK#h!slWF`^Nz8(}XO8j%8~0*4W~*E&FCB74G()$Lv=g zCM3Av{-Lfx<1ZKcW?}@e-D?sLX_8${RTZTNn7FPKsrMvvY0Sb)JN#<a*Dj@jRZ3SQ zcdJy(OX+ILtzD_M%JS-SDX~T#`}IdpnEzzYJoz8<fI58^`YaqicOh6N|94yE`@i<v zU-Q3ynWvmfp>(B)EqL%7v5)<@H!m?TD~lN}rQ1PZ>N>-}GM^se4jnu^nEMbfc|hMN z9;-`bQpxUm`Lz<$&l1G{q+!MRnTRDcb)FDvZ7qRvw(G@)MC@J6(`dnX*UZB6gyAla zvo*kv9#)YmGo@Q|G(yE#w-q2R2%xfvIWvmpKF#8_Hh=V7e#)~*{(mk5V2S*1w_5vU z{eN%wtNi~W&mS)T7YKx}690FU_-UYA$Fsw4#oelaOgntr$rcFFg&#K~EU@`g&EECK z_r8h8#3GCeEHt5UUv$x{{NrXSXrU%zUAbpojaH#vwZQ<^rRIf0g$NRfFx#toz0{xk zd)Nw?NTB|0UF9YHcfoZOweHdUBE|bjO5U~wXh?|JZEgy5eH+}YL>ZA1zNM-Xt338# zK_{x};pggJl{)xGi?grKBcFNezkLSexos@7|60xF%>B<hU;Tey<aypHq_T>TDFSLk z`%x=+DM;kMz_HO}8qqGCN9323W;cn<4PBXcdSc#q{RaKL9U6K?LfP>viy_X3@>Ssf z=XvJKf0a;0C#Cs4_kY{Xo$~(A{{H^%SNZ=X9yymA-!8ga`ID`yeu8fskGe8>t8f*7 zWnFH`h2lg&orRdUu)Y}3_BOzx<)+~Gv6r2th+0R0i-;D>t#+`!`e^Bx#>2U{M?baw ziu0(rNw1pSwr)wU3j47S(|;Z(*?-nmdMN|VMDZ0yu_{7vHa5`a9*>6}Nj_g|#ltCc zJpx}Xy8nvLvh}}sDClWwz>@X9GaLWa>U7#)*Z(i^e6GV}i<aeQIC7ntLurrqc+SoH zMxK%@XFiC<d0hS}*S;(!rI0A+@#rtbMw!C*_s>i4`JNI#ph74Qthv8KZ#JA<%)e}S z8DyK6o`YcFI^g9D8m0Y!c_$Z|gRIIY7sad_3#u*38&#}lH*kfH;!CNJh}q`tuPe@! 
zxxg1sn=0%-3yUa-p5cuyoT((Wg$A=jzD~t))#!1jVawSV&D=;Z)ax@Htz9_2Su#&u z*!*6=O64lm`r;qGh<$yY{4CM`zJ&k3v(qWZf9-X4zv_Qq<hh@{u+a>?+4Y^5%xjr9 z=E-VbL4*4u9)^;qWOZ$;R58<YX4ITg!Cd#MQoR=6+-SxpC}okXSbz%!XBOIJx`C?w zL@jx?@+0y|mceAp^vtSVSh>oD=eauOwqw@llMCHf>&4Q(+Lf0pHB|#zQ1Dhz`YNkE zy3<cr`z(*A$NbpNqPH4wsaW0L>)MMEpVi4$$u;<dv@E%jS?-I}BCT5lmZ(vxj%jUy zB2~~O7bSlwX^N|LXr(Fc`%KPJ5=h`yy488Jx>P>r_I5?1Pc|N(CR{U9vU2#W4CIzw zSh2bJUqr24qW_I~$P)fUzn^)Q=zlxy-QAh}zrC;LKflORq5m0qqFLaBW`Sku;5_xw zS@}SjW;PZMU603<3)kc0#-vrBQ8nk4EGnQH^RIg7@1uv#;gg`0pt)ilSzL1!J++Wz zdk(mTifaL_l~hw2`j{fq_=6s|46jN(R=V@u{H|<jN!`VH9_9cM-iYSu9MrE>8rSun zbVqy%R1%1z!d<S}i|(U&Du<Pi@!qqrQ?D;6aw`jm8LQ8HC}3-!pMPuv7V6tYU*Ds# zkE}auRYs%bLu=Q0Qls%KvEn&oT8Tn&HEmY0YUe=wnfEcVysBe<twNk)%|g@Jl5sVA z&w!3~S3Oro(6Tk<bKX`klZx`mOU)w|n@21+U;WHq=&8)8*yzV3^hT~8S$Fz8AMmpH z@4Z?7@BYsISN;D>JjBZ!d5#nU;gAM=*u#wAMy?2tOOraJx6Xi)B#ljuPE`s%Mm|X> zykp5J>BD7qS+dmCA>lBwC;MR(X*C|yU1AR0#w^KFCl6RayKp3>4O*Q>KJhT2Qu)%C zM3%E6Oj_A%rQ%oTxSW{sHcA#gIq2wzs-i{gO=+L18_=+LfecxZ8#=w^v0um-JY<RW z%VX9Ll^#8NF_WRv0dpCpP8==mAKhgh4;v`0MPpvl*Tt2W)$+L~T&t=U9$87|Njg-t zkwyV0zGyfNF%=0NH*`AA2APnA#EtfD^JS-_;q?MO<ZcuWGq_{I%J&)M9zIR>lhAXs zZvb>mSkMKLMp7+*o#Uc7&*S4UOKjE?UHCC)K9h!fOohN@OS3wbn9JfhhoD`Z3hF;; za(s#TUoHPLLGWDBkIypszu%rY|I=)JJ^%AX9_<b7X&KLx5sho1QBEz9--R=J3;Kts z<yUez19pc8e()Cz*d2bxw{Oy6_5x=w4N2(HE_}#;<cCsxCX$%-(+W8X_O}{<&%Ja^ z!$jXc`_}%cmoeEUcBc#H@}KNAk9`_<YffQ7a|->bIiUV;AzgE-@T@sSTxyP{AzCOs z)Y4I2IhIeT8dA2<RySi;H)GN@p7>hjDqXB(I+&L&b=fYAUi5B19p<Iy6&e@DQWq`~ zt`c_|j^t;Zw`eK)Hve>EIv~;(TBX54#fU}Ha8w-psG7Gtz8M7kc9n`nmdGj;U#p|^ zV#K1Jsq4TIACFT^(keBcZ1}|ui+Z_wmY0_woa{sG(Q8Jv{Ko?epG*B;D*t!(+hzH` z*J^#0|6k%M=>Pv9inz)?>7LQM<O2(N>|P}?3x{X?BBld&2M-TUpC+VIS?>pw`pi-q zzv|}y)phd~ILxrr3i^7+V1M+?{X9?gjT#>NEQ-H=7R&$EPN!4O|Fg5R|26;57kSnT zPi-BJc&JoL0qeEW*P6=)4(bL@On*tKNF1Y2b>W-2-)aDC(1neolitP2#qsIM*>Ugc z{Nv@(F&rE~0f{Jf*BvYMbfq4h&@id1rnGV5D0if4qWDgO-juM9&OdxOx$eEWJUlyk zFCoj9Z;!t_{CH~KZYsDUA^kw&i9(?OzVegR0o};u@prwm!w<)B@IRpO_ro8X&a0pP 
z&C&lT7=Qn@p;|Mr5;9b6ST8E@zdn42Q2)<~0{3^f`0thzd+M+4|F+S9Z@y84y*&T- z<D=`|$IDYB>f@K7x*?7+3TE)G`tk>Lz@Rd>CpJr8VtyTqn`<?dbEm7BN#$J#s8)mi z{O2xwyNH|fA~W2Wf11Zhd5Iz!t(sMIHYl6j7N1UNz$0l+%t3z!H-Os_4W*5xj#91A zQ&VM3!juFvNXRvFwbsiu6?Nv+eH>v*0_;L#UlL!nnl;$^HdCEsW9lx{wfZRwd<UzD zu2~?F?ewR<L}f&SvD0z)YXAuu>JH_=YPAW8nd~!udUtZ&J32i-JMLW^UcXnO<;};F z)3;Z>w<nh~THfL5g%p}69}eFg%lXv>`>A)_*2{Vg;QjIGhu+7tlk4l_tLxsy>Bn~` zXT2YeFRxC{&$>`=x*c~%mizwX>}~$O{M08+x7~D`Sn}hW<D=`-Ifd(!mfPN!Fl!<~ z^3)tis7Pv#*%hog5OI;15v$b#rWlsqB{cLkor=>DZ%W4jLRiv#mKwY&D(MUo2)MPH zw3K_YkSKwy2AYA%07XGMWFfFnBqRuIy?B%=e!y{+?Z{?|za-m$;~3>|<9-qSAM9og z1lb1++Zd|ME!dak)G4qMz}xeq?~gBg@6WHUyHHQOsM~1Vq<tEPG@+u~?(FY2>UPQN z)2rUm@#Xc~lglpD3!mOzp8Rlp*#$nKaX_YR{C0A7ef;k7@cQKZtcQKPIDgx_JU%@> zygKfk9=<s~?V9mE*su#<empxnzQmPsc2L!>ukNEV6nyU8(74-fx~-<$+H-ss`YMJh zU_^8w?^QmD%XO6H)~5p=)1J*aB)U=8t2!Zf@SZK;5e<b1z)Rx*`b3QIFUO}7tbuP7 z2z{k%4-@COVg&V#`|I=XkI#D7f4ew-sAs?NIHS#J>u{p3;bgy3oOvdEU0FG@W#^Pb z>55?4Q!mLmQY1VkL+TDW9|n{}OohDV1TizLVgB8?FHPPD1RSt1y=#!MzqgY$^36Bk zjmF%Ef4iH5$6{Pr=x2z^AFg0SVUk1ofkefUI1gCHK|~xxWFZ2I1yqJt(8)tI1;KID zg;56^ThXn*-7sT?4X97XccB3cX@Xp&KK>?6J%_@kXf$2?&!T8!xCwu;3g?jM9foBi zeb3LnJ9%f?uPSVati?p(o$iOj!U4}Y&hel=;4$<Vun_K>uDjQK_!Ia%tLKDS7_;n< zo=Q4bPxi^-IIZ9>(D3P`5vD-^?Z14}lH~5kl-&FYL_lc-EeSlN^~azf+YPx-#c#uy zM&R7SB_;m!QH{x|p#?8Wb%HX{$WtklDe-|1Ad0D@Wi<7Hhg4$q_|;p9jGUJZ&&K4| zRU$tXG}a!jO!}+;jR^}g{u<ImFZl2q5)3<YnT9Cbghj`@Onz8mezE+JfBtZI`ti8; zx5E#oz3)y=k5Q<QK|<q#MEeU0m>*#coB>p`Ap9f;fZnkLnvdt*1%2pw0VQD?x!CzC zmB&$%xmL4kA$@?P$%uvt^YlARMmDqRmDk1Dg>TMM(*>)lBda==d2;ps{8Ik^&?%x} z-RYMPOc!sXuu9eQ0$tcR{CNHT`0V=RNa295u|R43x=?o;6BS1$iCeEA3SM@qvy}Sk z7S7K`kNRo^!Nwh*#r5Bj42GAo#tcRD!UZMErb-p6FoJUZ!l;@RdSgVq8#1Ke%IOp* zY(PA7r*K4)QKmW;^zU!oWcVw7pm!0AX^(|n*q4hE2?BoG)3-$H+iSCK7~5zO{@RT_ zgLr9NuR78!?t<ua8;y<ot4{CD$D{9$uOIMlX+bFM^78oNT$MDE%`WVUj!VYmS00jE z)E)}8muO1SRGNh<@|i`M!c1<37chLiDLd1XE7`%umeh=u=e<wCaRMF=;Wxn5Hio)r zpljgoZqXUwG#d5oO$|(n?Owvh^k8EP{ks45uflxH;cR952nHbfakm?PZ#f(HIgkhW 
z%i#CWsDs0-t&JJ5_Kt%4ZKG;~VJVC(6_d(V+=Y|D8BZ=^DrlI@emx9s$y6w)mZVT% z$2UHU!HGbnc4(+kx)mTg;6;D~`SJ4fp}|6*-YLPai&}4f`^{Xi?7)`i>k@w|O%1oP zollsUMjZ1h-|5oeC}%+hc*l`z>c+j{!Ur2mF%3NfB10D(hj<24C#FPcdYjZ6aj0MO zjLjq(f+akjLY#(O3pdH8h1sh7_!bs&{maXzxJgjo%;#zDiC8pKRjI1Es?87*L@cD; zjr+2#zQW{^%7~?5J5r)Jw=5YseeUNwP2d<84P2aGUEA*mJRU<GSFi&q+W-ChjS|E4 znNl$w9E^!JKuQ2Ix%1=E`@_p?Ts?j|u-$X=%`8l-qA?3EkH1qjOCD3Ja)pbJM65B{ zF?&y<(SEtt+}mw6l9&yLG;U<BshWPH0+)pz*T;@x!8P%ZIF$GAPOeW6-}G=eu6oy( zC-2@#13t4fpE9;@k1wt=Py9~@n8WE&qtbcVe%X1oH#;f-A*Hzo=4al|W{RF?wep^V zv;i>SykfsWhob9X6MZ%@k2Pw%r4bE%8hTUb$|GUO!eMa->p#gR-S7C6_Wz`yWW$ih z^fR`xB>tnhJ9GcvPV4LaPhaL)hYOM<G!8M>s~URr`2#9XEF2omK)AJaxE?WKcI*X+ z5e)(u2E4D1qp)!J0#EiNY(i0^w%(J_udPE!hsx&JiZGai`sys-+O`YlVK7DGK2j(_ zL}QS0#jUw-uX<Mrk16g@j>kNNAC9i1og`{<$~W-;3jLbf|21yl|ILfhup$3veu_!h z$N}|<caugc!l3r8D{iCOw{D-@)V_6-aa8;Ef7I6D2NE-$3OIRtENZS6gf*A>lr&Vi znEza>RoD&2+^L~wpz)6;k&5&G=>6f@yW`XIckbB#d~GbA|GUlRPI>>ov$xavI{&}K zv%U_Krn|TAHesvXZ0|VDeW&$u8<*)~#Ba@6e$b<}@3!4$&4CZ(hC;w5G^9dY#Jo>2 zv_`7<EPtikO=&C@16bR6*{L~j==(;%z<|f#vjJwK&b*u$bt>>%F*zix?d<Qt*2nRf zCUC?i3|^=5Z;wsbcFlnkCETPr$kPOPC{bsFDMlJe>?Fu!RK|O4XLldAu19=K1o#x* z#WZ9zmVcg-gr_mQPVnO}a5!c|(bUU>pKA_$$L<iea$3^ZNk&x9I;~Pl^k2c&ztfnG zr|>=vlUp9&!0Vq!`cDnk4xO$!dCu-U|G#pm!HkD#ZD)U9!oU&VbzAv}H}{?~;!U?@ zLCyGR*J*d240X?KwcPe+?eI?C;a#WsOw?Ky*sRAp&zU(0wplR&JRXJ=qcnSCa@UhK zdPHI}rU|nA-piT;7cq~>P_|&sQtEWkfafp=F&}HE0<3lR_F?M-i4zvWxi6CVfB#Pw z{ICD#240WxrOV|@j|J>z9wVCx0ujy-iKXt+1@|RRdl`8;Ie9uxyZs#UG~H$eKAIim z+}e!wMYEeQU^MVmzvUOS|BV4*F4)32zy4JIi-g>Vt;2xcF#&Hl6N1s0!fS$WUhVH} zXI*ONjMQ<Ot!H%UmBmNxoKS72wfiinl8vrSZ)N|{umyo(w6YjFE+G~2=coI7SGlqB z(?<^vpYmG(ByDz(WjuJpgJ47gpT_X|j9=o3<ZaEgBQ6r$Z{iqjE30+N41=4f$S_Lw z38npw(;#6{Kye>IR&2x8VH}eX{z`%y*%<lx7XR9=m?3y&J#c+zy_DoMoWO*{64Y)B zwvI?Z`|zHGg2X<&_T*1@q<&WM_z@2$G)}-|RyX$-BR>rSPLjPHRF^~f$J)-`ZqA5< zG{nhjqKfmKDqGU;wRAspz$sK`S(c0&A$RV+g01fY9y1cc8yb6~ga<yn9;jDt-@Mv> z5+;(xy6DPCqCl2Ym+_e9vzfEDv%3ph-^J9YG4tR9jcE$62l}@=mcO_4n1?8Z<1q_K 
zBKb@&b~X|L=aGcjROfBFz{X?hGm_8%rzL30E7_GZZd2mjge|{A{QfSyR{uV!;i?tp zL~8RB3X*6N03V==K*K~bROc0Jeb0lR37n?hD1p~E&7a9lE*@HLJD<qSSI?NpFBb{C zl}9(nt7YN!905~}*HcKZ5z8cB%V~WEf+5tVhT3sjZKwSlDZO9W-R~)lq__gSCl4js ztVXi7v)g`DS!}0xTullJEv{+o_;kQR>gz)YW7LZ!96DrLDMnf9n3<E8lf2u`HQB3( z5~;ch`LD-AbVg=ey!%RXamQ)3oc43LWiMakc3){8R8X5$viDK6(m<Oz(ANI5P}K?; z^&#OA5BP9;6-lGzh=&pdCdsIT(b`U@Ed_x{rUd>*hVc4^#0ek9BpSV%r#RWG)+g(l ztxxD4fhfl4XAm^O>EqKVrXEQsu4pXgAr5%v$yJUTwTzQ6OIB&5H=ZElK_Df#T&(2! zD9crCzZaq{h(M51b5NaSAxs!iYSh|J`_(co%E&E2m~a$S7O$1{bwxcM`sj1&NObYX z+Ro0)jNAEy#xX<ri`t88!aZc2Sjj*U5HXU~_F?OLDiw*N5fMCu*EjN)>)|g8os#03 z@N7gXX|lGnvsbx7pm}RuNP5J>gx)1a$Br^}+~aXfy(E}QSg&B~2X>S27*1IzmF)lZ z|Bm5s6o`cS3A~=*w}9l6@TENoGn1vjRZpgK-bOYhn@)RYK^spbo^GXSwbFdX9No>0 zq*0pq{5I?vi+&K0Ax^Df!24<%sPn)o0o2+~XIHARcWeyT#7p7zI3ZqI)nf^M%+xH1 z`@~Zd&8PizIF#>9?4s;s8@5iwn9u+&xF9}(>zMaByk-&p)avoisYsLqKre}?ktbX^ zNb!sDhETtXwbphzJFxYh#3b<HZ5rOt0A7!L{6jWzRaA&=K_H}NM}3^a*4DC=DL+Uh z8Q=X0$b>ULlRXn2q+_boY4x{?P*ICa$U|utB}!VUM%H%Pd&>nwm1oFHQW6AH%bX-q z`MR-Gh_#*O4r~pWxEV>y{<Zl_f|Ozjk0%?W!qp?5>8&vhrG^>~VXgCWFPnzvF%_d5 z7Q$<h(3|$FY7dKK1{#g%n8qY<bRZ_sJ2I9Q3+gud44|v`^n`YHnb!duGbGSXC+G5h zjMGGx<Z0rgln+>VBP7W8Qqp?rB%3v2Ydf8n3$@SPeS11T!>zODcHB+|buSl0&xYEz zpc-78ub$^R=~z0(UM6aqFQ2FQwJoT-In@1UI<_pRJ2}+7=i%D4Myr#JR&&p3K8LPN z<AW<%AZQ({4R0+k1SF%Fr^69^p9RnwJw$2`YGKq&+}x`<a4iJ^3&BLKR;YPsZ)+fH zJI!57%&9mzb#u1SiCLJdEZKx<F7YB7Cx_H3@G@>QYt<Z<ukiY72`VRXJ7?WJr}=cZ z)^5R>xZBCW?mkcJZWf?6EvV1&!DTME84*b$wY;I=Qb%wt1wnoZ<tnBwl|78T5lg5i z+lIBytC#tJWI6MY{EEdaH5mPRB6sXr&FM`!32#4#M}nZDeljAGe?#a~6w|@P>_cWt z#+b%KwP3t5UMwBx2W-~WEM&Q+#U2^Ocb-G>UF8&>or1@hTo+U_T~vuvK_OuwvlV$i z9rqm;GD(z|a`v34yEfH4M4bi$>MfNfn~q40klRU9C6pFy{dYQn6CowQ>tE@F$-k-> z&edq9wJi)PGqECO{pNCj=pFS^Id~WVt>Z{Qohy^mG**L!0wCeY7GuIfT|y$AZ365V zJ+$q#+E2F?Tf4?7fI#<ipslBmc54^yPXlx>2iko4($LyPh1mez&44yvJqzegu7zvu zPX%B>L}OH(RmsaYhew&F6vcePq#nA~k*3f!8^e3v?+bW6;{AkWp7g4<rv3r>Ll5bu z#<r1$*?t-i&3@XZ;)6}e1e<kO>+Dr80cK0iL@z;~%8AeqxOby=2CVSnj5XIfyHdQo 
z<(|k=4%jPB<|#xo)vPWz_M%vrXaaoh$*IuFhiNAtrk79mh_!az&hI!(pO2adt~!O& z?@j4WPU-!p+oi2t-1c7F5A^@=v0ToG(e&3kyL+(phKBHl`!pOgbk@A?_w!$wYQNLY zaou|suK7M=6f=%lyS#u1ftxpL9dyTQFxhe}v@rH~D74*2yqF6CV-m7~7Uw%1*y;zw zyGfW&;dS<>*|izOlm^q{zP~6Lx(T<Pn`@oj9fK?vg5?VypU@Z+)?|(kWm9K<qP5O$ z3$`vu60;llfhYWb|4(`YuP1RrZXEB|%ox>C1fZh`GOn=}zG9$4r?UrJA4rmn7!mM> zq%pi6yM2<z^9@LCLg&`>2V7+{1&JF&x6pU=hj}bxe^hr+`RTYjZVTNy?!McWMfYLr zn%tyQ0%v@fdLss}laR%h_v<a5$B~uruq5!RE%VOK-cmq@;I>Py$Z*ym?Cj<hJtFjm ziY}g;27f#JaEdWlvdYfVNs%ddvOOxr75Zsnt_Em#(E#CWYUQ(O_gONwnaw6C{%nmb zTbzKK$Ts86=(JzK*6HE*TqI1uYx9@YFI3w+u9NB@;~34(Xu6r>rPFGopbR(Vm_$@6 zx2O~2jAnyO+~RMMV8paicSqDNy4LQrVe4=-CO!!mT#d+pQ3|h#dK0i}2LC8DYj$ky zv+cI_+*gvz0v0CbTq^v``zR{f^VrOcP%|H)ooC3q9Tho{4^c^uWNtSYlRGv}$616B zS_!u-2&CW>RQc8rear7|`SjL0J1y8c^kYUtc*l7xhnC<^cZfgd%Lh`3MTesk*^orf z#JS^Ej>wl+7Am_(sB;Z#oz5$>4=+c;oSdkb;O)K44L9#{CO!bY9Sv$fdPV~7ESq4R zSNZUDin``^j~l*Ml@`!jCJ+~$mOZ<kL1`LFKCN{+`_&AqJ=*HR38^2bo!*3-L#PS4 z;~^hQ0oKW!<sIWJ$37Lz{zvxdW$p&+<Tgpu+NrEiuhKZs)7At}WTTR(1G57jkJaC6 zoz@O)y&bb8W>dII_>_cv0<ZNO^Fj)oo0kHGrwRZV^O)wYOUY(h&vId{)7*!xBgy-J zO9zy}Yi~O6sW%;%_1(_`@<Hf;eAF)$2`Y{CPUffR>}$VO+iAAuY(+>i<fpMTF)drH zv!9R9ydB0XJTYwrTSzbi5(rx2owfzFnL{ls7LOeF{mKw8ytspS7&U!M`(_J0kdrm< znz0C5XuCeut=HNyW@ZIxqnM9rGNP%l)E`Jg%**eaozG6Yqv|h6(P~))M#0Ngp*U53 z^Ws?z30JCm-w_t5ddkqZ)(yFq;JF&@RgmjQJ0GQ8w__2gGk+pIs+$^g+X8La%Iwjs zNcUaW#<i6L%xtPh18i9UGwx_T!?fQq{(>38Y4suvvo%O4y+(5Ihf7pLURtW2$w>-B z8q$~~JT8f=wN7haO@@+!t>|C1jk(ro?!ngg(}2QXY4R)Tg*UhAuU5YF?6^%Q_A&xD zoz^qxp@CJ?gb5XqWOmK^TuNsXFNPlEe3u{A+Am*aNOrOTYrb;YPgX#8(8yn~$mKdD zrt4RWq;?p7$~=UhFuDqN0DtA<K12F@R0y18trl#(qdXqMDM=G5SBnw69?CaC_9CZ$ zJMY@dXE?-mbTD~YT*h?5WTE#=Bs`v;vN20wt^Mj1Y+Z76{k@B6NE3J+<4<>pKP?7n z<p@5<?B8*#y|Z|bMJ}e*Q5$Svj2@{}uC-qoYlYszUr9VBA-o=YxA<3%b2G<z?->Tm zjyo@o7Tw_4{xk;5OXX6f<@0#xrE!c)`&#=|by$SS%G}knKU+-uv1FLcNh8$8H<L30 zo&V(#77_K>V2XZeZ$$kxpfN@=^UyYsBks$RuAEp>+u>stG7sL+3GseO3B30E`p=Av z?N>P&cb_rz9k<oa)sFVd9O`pym5$}_FVXgb2r;w2t+(9dYME_Z&~Pa2gSGanX08Cf 
zKBE&p7`%LCG&MAo4axZcSm?6}^HYL}YWgA%zse6_<XYic`(+ch-g7C*Q#ekCG=v`l z;=}9FBp?`s`cY)Ol<(=_?3FE}WR!pOWy9f6&Iy(P6ME<w^<k~OyQf03;fj)2z-uA@ zA-ARvD$bY$rFBKmE!kGY{apR<w1eqWoQ8+uqoDC8#N(4BLx6e6N$@V_X(axC_O5L? zajZLEkDg-5GZotjU?h(2s;M*vxvl@lK!Mzj)9G@{Xxk`_B}#{O^H;9&CV7@r-Yd1% zK1qNNGu`P)GS-a^NZNa^eOTW*e*)7+0riOyKCSEvNNI^jKon;bv_i5Zk%W9~<496R zdZ*aO(kEB|Zqm<`(*z*ll{8{^^rCBg1IuqH0lCD=3j0hkG}G?3AK$LPE3KXTD^C4V zY*|UMWs^0Ew}(do>B9WvCd?8)S#O(=sbz)6Y>k9bV*1_ur6FA9Nfzc-rg&4*wL6Wc zb$wgTn%;U9lQW8GckP!dcWn*digL^5kfilnQU$5p`&*tcVJS83PUmGK?>=(OAUrN8 zAt+9s;5ID@?u1QpoIvN&wn~7`?sT_W?<*X*f&T1H>zPfY{LZ4!q!o_mC^bx--r(G+ z-Qxk#Q66Ttw3*bu$=}y%2ocRMo-g}q8_qc4_cyiFcKaA5<0MS8(2rm?U&Qe(o>=^! z`D2TPmR=!6xgb)Ki`8czKc{E08+zd10{k1&`&IcGlL24sY(H9;&nuipK8s2Ov2ERx zZ*cOn8U-J}Rld|-Y}lU-E47X!5!!##Zd%Wu+Z&61#xfpRFiFBM;ga1kC!PCC>53wh z1KUR$vKP~CHok#TY@GM`O&(>r7|Y*n*+xvetucqC$Xzt%?iK=`qBghX;>LemW+O!@ zc`EwLWwG!D5BFw))TNnrtM$lQC$1r)p;ac=g`bd5sf<{#TbjSs^#Hryw4S&bRQOEH z^E8X^WzZ+}_%WxJ06vwoS9~HZ1P?ux^={(iGrq%qTJ%NfYCdPH3?lZRiPco{pmnTA z`-DtV-k#j^2`1WIRN@2+0rA9tVE^^+@K=Ay?r(f}yZX%kJA4`0US`u&&ZgX?`4DCc zWz`W*Sa!3^ft()&34_1*Nf1UnwvN83{VRQ=&NQp5X;F}Me*4l^V0vpYl0H=%Xo?Db z64j;Gncc9EhbK`0Z~er-$<v~<Z9z`i1vODHv5p^8naaURl_d@KG4uKh23v6XvO1c8 zPe?h=*HxSrT=;Nd7wqQ}?}PAP<xZ`_!&RAIaT(inHNPx@3CkGDt`WRlvaesiatGxt z&?s=`C=M8S@scId%gE|>;ozUyI)^I;Z)b~q8Lrv-8|YFnXv;KL+%gs+JSVeP6Gf~r z5{4JzH9C`_(zlzoRySI0P2(q=yl~i?LAeE`qojywTNWG){4Zeu(>SFdh5$b$^kJtS zTRbXa3~(_nm(sl2pXnuRHQ}I_WQ#n3%aGkLT*>&U-Fh;lyr9gFZ{gEMmaRNo1}H&E z+m~%yD%dlkiN#6A(^1$g{DLG&)Xx@vv{7Yt4}04sM>TG~(&@Ivi7M<`5<^;@NA~x# z>%yjV!A4a8RFZdDgt#w3ew4)&BYYd<`gbQ^+SphF4o?5`KW@Sp&i%~)g5-v`xBg8S z-^<T>TetM`Xy`5YTbHjbWR#a{Rc$f`PuXgT61RSUMOhNER6a<HPcq&5@e{{n@hHzw zxG`<34hJU`i`rkrYj}IJo;!}C$F9M+6wqEY)I$88rD3fUh@=-tz^fjE@bxRgaEr7_ z+_i%9`Rbe{nJ{BXJMV^R-L&g^Qwt1h9g`Sgt7boyYaEffbgq*BVaqLP11mAhEQVDQ zXKaobX)2Eqi+oCj_emMzmBml%`1oa{E4U6?mL7v5-Fu~dq-cGf9CUo)O)k9ap?mIn zJOb^n7bnhi<ao~PdNLjkuRZtN8DDr{wstFG1^e7J#BNJ<sLnYYcBo#pyN@piK9**I 
zk=6BBgd3!MbhAc}e6}u>Pr0~Dni?q`5xI(SM7Pi(7N*rHz&EYt>P=h{I=HBd1jh|# zwL4F%EOEDSODw)w_J>?8P)e_fgIQ_pXeqJzX9#bl!7O1J={rNABevRYqY8s0UQvcM zYLN!O4=CZ)$0KtdkofX2=8}Y5D*?+yOcdT4FNL#!_!(!dqqHo?it;F4@KyBt=t{sF z3A2ck@Nc;9mIRmlJd3L+Xp!Z_Pbsyt#OKnkZ(4RopVD}j7!##$z+p(1ZCb6i=3axp zfS-cT&-FlbNLQ&slGf>Novl@oDUN_=(G!sHMCAMgC%BW%n^vn;@`%Dyg&w|z{bCN- z{Xz%ZO(|*7sYIj`Q43NC)E-gX8OkCbF!x?)D9igVkE(f;`FD3LP+1qOrd)9(X~aS~ zqgKqk=rv-sae_``lq#zEio}#45OG)f-3p~xZMCbrdVO?@CuN$e{@o@1oZaS2NV9l_ z6jNtZM?c(=4<lVvP}F=8CtUMGFPf(^7Jythtww8GRlzdt1BUkyA3VwLSA41L#sIZC zQcOu<ZQZXncR?tsDX9p`a?MktabF?<CrMFW@NZS#>854lbX=0Jy*S#Dyfm6OJQWGd z8WODeX`0_NaC_&%mCdrOVi$zKx63LctkxFcuxEx{r(tWymX;oNOHRj=udq0mF)dqZ z;F{`?M>yPk(L0ban3mPh@2D5v@v?r@$v$g?Y1O;ZLxkg$O)=D}TN*@28C>~vnS>pD zk;tUC4E?lVMex%!yyJ#EvwO^QglIlpz#ye~iDt9VVDXnitDP5*5ouLdu?!7OtA?bN zI3>A0J-(HzitzWWp*=L146T_bEMQR<`pXo|w(RY0v!(V?HJjZ6#GEy*`@Q~|bM201 zPXA)+@b>t3vxffKJT4&F5~@@Y-Ju9j5eI<wK1#tPo53@bI;KUb@tlTp8i-226qY22 zo_&=ED8eITpF6DY%l*`$$>wDzhHl>(%^Yzuccdw#KOT8g_vFHJNAGI)f%v(r7TeMf zBRF?GAb>}~3Gz*dxp2vi#-7`E!0bv@To_5QPVhr9m1T5kc2pjjTVg=#3KeCTQDUB$ zyNzZA*?QM<Cax)xqY3>S1YtriSeJ4^mUug5YkOuox^mriJ7QdG<|o2;QOG4#2($eZ z{AEJ*BXF|7>^2nwtTkJ53N1N>o^Xnkd{+6P2!5pj4FQl-6q)HvNH-4!y}a6GF^fB8 z-|)kF84D(}5T=hP@ROjJ7e}V9D^XwQPIbC24Ohr^jrg9jcd?b9Fi_bSk<<8hoZp+B z77f^+e+GZGDpbcPBp(N})BJra`<V$uK5cgG|7}?-U$5_VZRGzfpJd;ujc4mWH=3LI zf9+Q1HUH<2xPJZ_1{}At1o|w=!rO3;M_POf<0QNbBlrgxhI1CB%rH)hWy!g3uMomd zYVT_mxQcUW<{-{?moO&vG`A#V&{HhACvCDZ*TqKhXuOK^1XjF40=?iirx4+Op%i)w zX?}AbW*Oz^DK>97U#VrC#*=!DQb?3hF13V((Z)kUsXY%@A+Z4jP4R8^;3v!|!lj$_ z_DHd#iHI>y!n;LQfh^3HtRkW{GM2EEBs$K94H{o*Fg1ks8{<P(kmi)lZku+4{<tt9 zM9G?Ad?<bW@!;v=nZZ0hx>?3IM_kA~QWo_?!@%xrn0t6RB<{hIurv%<3OOnIv1=bt zB0JK6;o||-pgu%OW{WU23bh-;R8C4D-ax=A{K7;o=Jbv6q2Gs-tLm%=&01ZLWG-%; z^ZRNz4)Lz^=w@9_{i9~BesowfjB83#E&OiMMVv1KWZ7%*Q%=k<!CA@Jy_CIo0l3=r zpMvR?&;Nn*-WiT3=g!Fcjv1hz%m3c6x9UGz4g2-{{}Goy{;7x(f^GzY{FqL&)G(}? 
zE{|ENUCC=_@>&m{K7A5p(BL~2)|9U`>>78PlT|)<G*&35DSrQ>$@+ihD(`<GmVW0p zp4tC)y|an`8udo=b^rf}%Udu~O$g`!2j{MLXc+x?wI)ad2lGRe$-7k&%!_c#nCK(| zVM_4oW-ZZHg<`!ab?U-T?pTFX%h4KE+=>$4WPV7;j1Tj8wKfD?Q0R*T$TW@TA(<P> ziVrH*00+pt_h#aWy~7Guk@`zRFn0M9X{6$u@Jp72WCE!GFE4|AkUx{7gD~7J7zcH! z!Gk3#)Xxgs$3b|De;EynidUtJN<q0+LHH)X31Pt_a(7rRjd{EZd3a^9cNKvTc~*u@ zkcbp+4-1j#MvWv)joUnl!gRp_a1cWpR~`q98e+dO438p|<1dWH!Y5b&CF%lBKp{1R z!cabsffe<55ZfB~l^jlj&8L}9ibPn&2?w$p!>k#GcjmxseCl2HrVh9>m`um--GMWJ zz1|Gm*<J-MUGHps;lX8ZI_-_TD;S?bZ*)b4b1UHd(`4$*W-y)_?)hZsI)e(hqyF$> z;EvwG$%O}_u?J+&bOzv!0UH#ra-A8z?A)35&w3-Tcj69R@2X;)y50!ic{-j#4<@~- z=k_m#y(vsCrjzl^f!=5Uqw&Zcolf1+JBPp#xFZ;i!FlhDJeZyJhC^)1=v{bc<0<wJ z`s2yf)O~m6!P$5?aHcajabW27PKFL|YIFttVb49Uz@T^Dd*{$oWADtF8h9J;9bBF{ z_!YL-8$qw{x#JNIgCJ|K?^VDXPd)YMr8{#f(3`q5B*^J>d|ok-oa0lx#U0^uBZt2Q zNe!hL8Bgi+#mrGJgn`o=x}$e9a7U%-s~LX^eEk3YD)awy|1-m*_4~H*oc^b6w>J5I zv-4X2>4#jpz8qIQ%Oc(IkG~2VxUqQ){0g<~es#3zn^pbg;IX$I8b)n$HXdEQk?u$A zT0LiMfAvO|Db{Zibp^3s0sFG^neFxujh}vocf#Q*x+9DDmPeHF)7u?SLRC08RKoz; z4g0v=Ifj2Re)>t}X!zw|t9OU|4$80*Mt4;TwyaW$SC+sYRXzRq_qEcWJ^l>06;#P~ zBm$$4R97iJn%}0VO?MUxHW|i_VZ4Fyj7s<-;eI*b6}xiszpJM3Z;&Oh|KUx(TCwEK z$9?>N89&hfhr3@l7+;Qt<KE!<VmgFhVegp&^<}TYERL7y*1|b@V&UvsWnx5!ym<WH z&VJ&=3nxOH_+Ji+{XPUg-Mw1gs!FSpRza8$wRYT&_wzE3=@9ldn%IMCj9+d&wTDm1 zV)wgm_<{SseExGY<o9mlIr*>I*sT9&cN(wf{|~t?DV+$rBXcH~9fXW0VY?6;UWLS0 zA@Nm6d=(OZtB_c&Rt@7cPRL4@Ey5&#m7h?I%>62k$mmASE~_}9J*<+rZk$6E$QE(R zjKXuc)He)D_+U(SONvP1=aound9&s>JVY!JE6?y(6x>XqVe-{~9^tmk|CJ^1ySDM1 z{ioU7lK&d@_ACGY5!YrCC!M1U89|r|S19h_n1a7?JK1-lIpe!_9p_0Qc;A>WbCe)! zfcu{kixpCoRbVC3L9s6(dw>u4aEXCy>u(Ux(^|op&3%~VA0aK3mhxfEFqCbJo3<vr tInMRqL(yG#quH_<^sx3vPtxo4dc9t+*Z;uv-vIys|Nk|+M=t>00RR*=(ZB!z 
diff --git a/chart/charts/gitlab-runner-0.68.0.tgz b/chart/charts/gitlab-runner-0.68.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..720c51dc022d6187f0d42a9613f6dfedd5c701fe GIT binary patch literal 27777 zcmV(_K-9k<iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwWdfPa%D2lIZJw-+KwC!G@{@PBW8PAU6xD&5-9RF;m*Ph+o zKLsKo32lnt5TI<e<Nci%*mvh8&c(SsFR=ELoF_RS3IGXGlq}mxdS<P#zb|c(K%r15 z6sih^!idR`47?<bBAPT0#w3xA8JUFt@)@62tJT`w-p2p8TCMW`Tf5!PzqGe^cb;{g zJ?pmH|I%uApY68(1zMjIiA7H;BuW0I_2{<Bo%<(wNX&ksiC{eH!L(f?ah&~ZKWlUw zty(~ZpRicsyEjZ8lL4F|yVRJk-i@V<MX%Y^tkm%Nq?yJcCxK{sO)(RaPMUGTf1|!^ zk|~iSX?Av6&%52G=DL2!N4yb7quM2%UGXFky_yFjCTkw}tmZ*L<B-p46T%`%SVR*n zKqrKSJrHRe^F+SPTdx5`WI{7!k0QTO({BpgUK2b`e2Ty-`e4fPWYqN4v=Gf=?Yk;1 zDjjfNG@L4C>eZ%}?ybh|^G2)ob;iFq|EDBOsrcLiVEO#t?Q~o1(){1<w4Z&O|6k)- zTPx0KIGT_Vt*x!q*4E(F3<5eNX()lo4FRcO(FhVcVnQaf#tMAjBVo)U>P>HcIy^f+ zdVg}O;9iYsLLqwvOn@YpG=gEmCy*~f`gbmqV900~7~~Q<tdu>AP-*(yh>yPQL9_Fs z`@H+#coNX$)okx%|J~ttf+up12>&}lN#c)x{&mlGA%9~qIN_4^;AjXlo`OFn(TIW^ zQ(%gOAUXa>2WcczNN7ljP=p2j1U%Z1FyzUIN>$dWFQ}g;OwJB?B<Z#Mb6!b~sW9*b zBxwXZf`AQ&G@+4%RH*TLEgA|xEYzz(He9``fvbUrmWjrB$px?ml8kzg4dqQk57B-$ zFt@igh2+1FX=IqB$W(7>XvP(;m>d`7u$K;)XZo~xhahI2A2b)$t{CAhg%*xUBqRw# zB9V;<3k3|QPf|hQV~|b;9*da#s5mj=5@O<Ck`WDnMfr#};4QzRQ<^-5kCH_UOUDTn zG?I$sa4}{Ad>#$iC{1)rS1b&Hgdx9L+-EgxLa_k7jzi`%8P0%4WDsg@P$=?Y)?_3k zB>}$4@vfzUUa*MuU`RqiaWKwf>a*bth{paj4Z~9&GJmF+4k4=r6*N9(jh)a)s=6Ed z;T4&Q4PZlE`+|&AZ#P0BsgN5_frdgcDzfgz(eQ-JQ%#AD!sK8Q0!}qiNgRhWRsJ_V zfNZD)gd~mpF%4ia1F1+zuc@C(o*+>_s1b_OFzm;Oy&?hptg#l2%XC1Kh)ODcbtVzR z@t6}5dEo}*xDG3h@o6j_))7s^OlxsMJ=HJ`%t&R^DyOBI{(0YBx~oZWWDB2DKcP~n z=}O>~D-i}iX4qIAMu5ocW(XN^VmTTv=`07-cx)&07Ii08hlR%0<B><am}`NXbCKyx zucoAuXLPMPenxtEx_%w0als~(r}C*9H9>tI1>z|(V92I4qCx<P0!Szc82*YAKA=Le zH?gc4V>k5|1MXZy>cKWPa$x41o-h{jsj5&b{OZBYEuyVv4I|-e8j@KCY`2BqVwx}> zWN+L0tw?>J3UM(`s2KAw=s_FbD_N2z)Op{<_mU<P7NHb)lMtVt7NK@q6_{sa(5M%G zekI%$R&V(gOh`0yMgRqro~e3nK|+<ZBC3^QB_0NFrazu5rq|+z33#2!7+f*0NQB}e 
zp^7OH;*_b?<Si4DC$nQVVG{eGg)6m-$~jG@G=UFi$FPaZNt|%WeI9Os924mPR#S#* zVQ0ERMns9wxoNXNEBE<iLZU!4SrpLg##m0mwW1)mjcB6iZy%CyPBoeFH1PtiWG*&< zoqBzEdUklQe{uM_haEiAlU%PI7aUb0o&X5~B@!ZfWfoLnwTl8pDurITW0W?1X1XVu z5xwgB3B?BcS3J2KhWrY<X$Bd~xo9C)J*d~SQ88=${n6D6<|Ng_F;M(36Go>r(2AcT znXQ8BcjVIs97)s{$4bLeEh<qF0SVP?nPp>61A}`mAvdq6(YnTDs{ZsXZxRVJDxbn2 zm2gEf{!uG0iGW@+AytR4y)Bn8IWg9d93P^L=SUcuLQ2yZay7+skzhvZLmUtdI^)m{ z0cdW5u?K-CRXT-MT^z>FWIJj+T#?hZM*|eHIL_*CH3cm3$;^PV#10)|>q&&#rH`s> z#3K*Mp(te6VE7Pav!K|QijKpCNj6eigq8_Rh?LH+Vh^5<X;hq$`ESFDJ&;LCb9Gfn z9>+zrpTdYul@<Y#O^^szgrTkuObVsGXoj}rZG7#~M4?Auq}G*T8e$(Hp?^=Qkd5Ul zkAkO$H%WadTph&rGUU++XvEXeI8zk!WuVaS41sWV{}EghY!s1D)b3g+cUyV^I9JN% zn1W9eDYOo9LMBSH2Q=UmYB3Q4{8UIj!E!_9Bde*76fF`xy%Fuxgil$Zq>pw8p+=(x znM)wuB)lK|Mtx}w1EGql@**ZaeX6YuWNQT;$rbZBRcbSqZ;ttdmh93-$xK!KYeK*h z>Z@gNb;>$y)s&&|1PzCtA~Oy2R55xc4LpwiJmC#_;uiB%<IGUalSCP(N;Q;Y>KQBr z%5FWmN<-1BP-!OQnoZIPMCoKe6D6#bHku}Au&SB#u<nsyssvQv6<+IJBC;VL5Y$Ai zw9T8%REm=fC!?7{8c7x+-b0?4xiwB@z^@|UF*Q?GNd*Bsl_*x}wGs-dPMmP1X5C{h zJg!R?wZ7C^aSwFAUelpc8y%G!#{3HSP|`?SNz}iz^Fi^sTB!#q3xlsW8VZG@NYZ3V zLaTP>oKu*q8v;T;8Y#gV(kTraus<a%L<3nnEP*7n2LT<VBV}j|`BS(eN%RzGlJMjy z42dM+Q;12#{IAu+HHGxC!nZsv7IkjOlL?WFdS{m=Nw4Ko_)TCdU#}-WAaZwg<(x*! 
zM16gJVkg0uM^0dyuSIkha#j@iJc={`P=>Xd02jySa7k%Ql(py-5MQqwd86;h_5Mhi z)a{*#*0T5Qnl>O}40=1pm^w;(7*OLfp#j7R<B3(bSv2LomRWqL-Y8&&)yB%K+FETb zPUxW`Wz1P5&#{pnd{TxY^~W6QV;Y9MUhpkljj0?L4J<L{X&8WzO6$?yOo5t@$ZQlP zphy}@R64Z7%CNFgq_kqD>ltH@3F8wBo?5S10>0AD8DbEdMVvsK4npRe{~etwcszlG zhBM%L(WcjuCJ_nY=oCmQIRs4jd`c6o#$f9N@nt^U_kEs5M%6H@I_h5vlBzvXpS5|Q zR{<U<fEriyb}Q9F={+<G4DO2W^oZnm7W&((f$gvL=>e<(i6Sm>Kn1!3&^K#^fBSi> zg>P7-`*+F{*@Ne;7hQa9yRBcpXeqr4VC^UZp9or{cf<7lVise!Pk2C8y#^c&(U}+E z8WTL#1hk(sek8)^9oTYYKKG#8QrO^2+i^6X)Qgal;1vng%t_8s6FVc(h>9M51@NHV z=rp>G?Pj-wAbuht3yhHL!9kcRHUH@JDZHg52&oWHGsK?4u>-vZ;PkIo{HBKN2cE#$ ztNjD(nd{Y(0r3$L%lwRrjQt6m@sOf6p#FHpA~b-_R2Wcedg=N{L#-ns;)=M&jrvg; zCLf=|$0Fx7bmfm090>*51E!YYe_dH|`bT7!kJwfXOw$e%S^WUHZ$u-d)zF}d-LKR{ z(DfZO(R|V!k#>6sXL7wDSsKbNP?~Wam}VI>MGX~P*T*UDji9|<?!1DKdA)0pBYZxG zuXakfJq($UYMv!&s4X1DnL(iSa+FyE;zOdwE>>0uP5{x+Fb;`7#+tc%R#myAGhrCP z0}``02~T6u%QnjDb=Xwn?;9IeEhh<u{nH~DsiIqo9N1JeQo}_jv79w5Kx>1z0Kcy< ztum#_VAbNf&KV^EOcYjRptM-+dNdLW9Vd!hMpzDc81gGrzF2hWKv_lgu%3M3xTRg& z-L8++n(riLo--7-ImD<3KmS?-P{N=<sGsX}N+T)i_A6ML{9IQYP=5;bD<b`IeL?li zeyaqbCx8MH(2z>H2ujR@rS)y~r}Yt)4iJZjey%$J=72Yel*Av`pXy(VwpHyZ=uh)j zW9<3UdE{4bH{_$m4IzaWki={xtWK4u^)wF1Vj3IaK=h=q1Y9I;Rqf^Y==x@&q<Rh* z!8RZQb*X%7CRYRoEMyXQxAab0b3!7u$~*g9e5egx1nuk9%DYlZ3r~PY;S9mCDEB8Q z@vY1KI}4Pkqe5g`d<f=)aU12cwBWJ8{(_N_+ONTedSzoG(^9lEg9*J&tNm4*f@<+- zmY=OhNo_4ND%O}xZq?kib>=EMsGyg+BA%*dm3fYC8mF*G{V@;$^inj)g#6AUawW7# z;vw}&5*fkyleVoUWTsu5YUnsFrPk`w(z`F?un)sD(iQ^~z$V!?Es5ih(VzkEn9=S2 zo^q)*1G^KhDEky>V`LgG5@Fxb==673f_o3@>R)mtdW=kZy_*|o=#DhBP0=t@<0ydJ z+n%b{oG-)3M5!sb#^2u7m&$a7fyPDe9$bp1-UDtb4SbZcfHsK`+-F2m&-BeRSa=En zy_=A?u_6mOgF44ai%F=I;(TVr=tsm@3efwt72RC6VXC*Bn=ubO8<gRhcQtUqo84fP zD|32#E>jiBg)Zflg3*fn&m)uyxJZ{bUbPLP7(Y(Ku;g*a!iz?<qN|dKOVP~NVb#@4 zW;yRmBimdfK`_5#EV)O@MejfK<qpq{|J+uz(hQ2me^EU|Z&~5Z5?#Jnb%7SIt6#i- z{l15uX{&xIJw8{!tF-TnvGFh)1F+Pbbxd1RL21rP^Uim0lnk=A0x?2eIGVf_I}|=v zYvdn4f~1pJ&12h_$m-A7?0yh1HJ?am9S>!BJdgMnkjUS}@q@&%3F)|77*}``{!>e! 
z6~qRMBpvB#beiyq5(%k*36%-+1<-5UK1o*DXEzqmghx#Bghiv~TEQFW@gZ)j7}%bI z<7}>&*A;%Cf`v=+%_`h&F^DQOZLiheTGcXN4TRI&W5yF{H)t%R6$#<A(SsMAosI#X zQ<NyX-_-Z?9tuzFtb3=aqlBIgk|U|)0hPu*%ZC~ox)J?^=zUt;m1@8l{d>w1YW#wh z2@T+UGjBjce$^;x4yN78^;+8o4t;WA7?J@EvtS0>lo{fzNdv&b(Uq)bQUvXY$;Ch` zp_b>aeV_3K(o2tHG9@8wqBOl?f;t0|hxh6^y;W+Zz~OndZ0_c-tQaaf!i&GwG){f} zw$N0Dr*+~KWKlN$Gz;|s;g9Krq9A{&QB>ke{ZRz0%k`kHJ~^OMj7B6N!*a}~odTty zSVo!=ljBs+dxzV7KAEHule6ZSh7-@6A{c~x(3}t!*<%GtCVEaaA&Gx!Kl(|K|6>K4 z!AJ+{7rQG%q32$KE0oUh;p_-vBF85BI-Z}^K8et=h?LebI7Q&9dJpPNQz573e&%X> zho8<Ua=pd`c{>aK6l4;IG>eI0(TJi|{be~%W86<PUWNljv3C;}bry}x`Y_kU)jMZp z)|c&Du~TzxmAX?B&U5loPpC{FXJXef$&?WV<8GmD74C&gSV6$L^0hPpbN@k6lvaYM zQdH;QR0z+4=+s7mpKmDu(?R|LM|~Uv#0Uhlh)kHTRHb|9JDG85-BDgd<rPmZm5yNE zHP`$x=SpAoFm8}vMIMVi5(H{J$UEX&1m}I<B;!|ClXJGdoWRU7fj(C!Y-=8i9i;8s zqtk4L71WW8{2?d7z--GLof^*6;eJ^^j-4`}9sjTjcwwKaK>552mh@&$9i2jgTUlye zVelbAU!Gp{zu*9nE8#`qz%x4-)qN=JwdDg+SbU9?kh9oI2xq&kdXr7@+@TpJrGI|* z&fx~47^_K=m9v_^LNsGJiJN>G!i)QtFNF~gD5}L~;$tXiMh0cMD@xdX&77{8+Fqr? 
zsN!1LPNRS(a5ZNB*hUVO7h~fcuwlyyg$W60rvBL&k;byM<-w%2-7hYX`8MtnmUq-; zvuVb4fI`fLbH?LKaXjuzE0)NtKu7FnsHtAeuZKnT?-YaH$3(j0V9u&&*-42%#@MOf z_(0igCLmVtSLcD8IqauK_d-)G4JCt6iE1G+Zk7q4Qxc{+NLK*S+xx~-1A^;wW+bx5 zL_n#P)<41`fm;bfJpBToyDVcT5?vK<h_NQ;m|sb5w9LL_vFMX1=quj46wNjCm7skp z<IuD2mW3Vrd@)EhFpzuj3EA#vd)DVyy=w!Nhkwi`$oEcQ59&8JjWd1ju5n`DYY&Tl z^vRk%sOzI`mZ|p#f`_T3T3y!utUL<5s{b%#p>gjWXeAmwBqZd~2#2LU<zYIZqK<w% z^Xr}7#43cEn`KQycfjuZ5@V8wS=hBHqPS)f%b60lQ5xn1Jk`p&?bN@cu(2Dmj#pD* z>MqW@Ko4^2*5<vpcLx9sD1_X<)O+pDqHa!t>oDx6S|Mz#x~;tO;RR=*Q#jb5?}h!q z;{;?RAlu7uqI`_|6b|@gqQpu}v}44IJXP@vc0qx62C}fCxXvGY-XW_Pm4YG`^xMY8 znLr}g%;QG4icw~Q>L~c%_@L}kwJ8C<7!?eb7dF~yX}6f(YQ-VM2nRK^Ib$Yi^aaN& zNuv*uB%{#^e7AW1;D&ILM(FXNzT&q*LU8f<g1Bdm6)-PvS!idg-P_KEqNh*f;E6u> zbd>RU;#ac~tN@hrF&Hwb3T%MUjP?MHPyDgAqaPOYno2HwV%*<rLEeICT6k^?+1`tL zN=-><(S-p~f<1$PCpC3dvtRH7ON=5Eh6o^{S_Y<(j<AvN2DfTLHJuayeFXBnoBtMB z^l6UHf!_NemiQZ@tBr^acN{kKyGuITfbU>KmsP(iNLSiR7=(PJlq<cV*+fl6c$1kq z&gp5$-X+DoPm9(%t`oit?dFt054WS34;D-K#cro~-Z0@4FJw{?VJ|~?ul_flCOXLB zM>?x7tdVs}*U-*<RpXv|WRXWS)aG&q82RGMalo5{^W`j{X=8-0pU{9tl95oLn$TOo zCL_*AA@y);OveIyPSpbQ;1MvV;9MJx2T#B|0;0_<RCJ^xUu2Qd*xcWg){8PR+YDNb z_m+2kj=xk7_f+c(D(C`@rqT*M$+c%@c^g=zfx-Hpmp2QnU}h%M$Nb`iO^KvxqAuhK zUsTBs?7M}9@<Y9G;BEY~F@WvoLRnJivMYg(UN06vC93FZr~1X$kwg2xrwR2+l86RX zg6QcIv9ol2A*zkaB?cR}yUI#0Kwc@nUa;mMvrL$uaKVRCD=CqeiYC@>3ds{PqPRyQ z>@N?0c`T9%57L}3R^tJu8;jSVxgKS#U<1__bHiM}3w1vmKPbCS%?`6uuT6n&ZUq!n zvxeRL%FpIyE3vJtLkF4AJ_xjOU7=E#87NpvY+untHs4llW4VAf*6&;^OKYvzG|nJ% zkalkLvAc8QT7ingT!nKnbED#qX^@7Q&(Ap?YCpNT78;B4gP_wW4qbo+ZmBqXSix!8 zk?y7eqZHq@9Ht4TpUgZR{o`d{>ZSc7t1bFEQ&BOqOyLakJ-mBH0WAdG2}z=WB!Ot^ zP_9CPBqi=}w@S%i7Sa(tRNB7rOxe(@gp%NW6wb~#mp`zO>dbV`_cYoUCp=Q$d-jw= zY#}<~d_IYFxG%G@d_ltF9{gP2KR&LPx7c(*GoTSfM>_cq4x?uhXgH~N#G-LWcQ%|+ zE#jWqlO}55@X$HE7m1bar}OivAxd}{D)TT$qq%0WMPi%3vjazo+ps;HGa=XKX)>Zc zXy<P}M46wu2l{N1_Qe-*U(QogJmq6K>uQXrHFOG{&&pIzG^fK?$Q2(1O?uEa$E)xa zhR*k3cW0;DtpN<nFV=AILaOLV!Yt4pKieG^og&HjZ*2!nzOXEP*P4sMix)5ORo0w( 
zQ6yisk!$h+Xxk!W6DH?R_pZJS>2P*0i>LRTTtevk&I9cYo9HGp{-6_{%zDt-*?q^% zJ3mf)&}p?M<~NPUbfVT&&#e4C*lBl6aoe3Tz;@?(5ny{MK;1qbsvHhk#H5~)F%Qg{ zHJbwKfppS9Fo-SU0d1}k(~L)=z$1}lo_(XpX8+dP&}(aO!DAls(d;}{^6G#`YWlIr zq|up2^K9iQkcoPaPMNQh1enG=fvu@Awaww6%0<XzgM4_65f3_hjWz=2{lIieqi_bg z5g<zW6Yx8a^bQ?(C_FCdRW3Vh!#~nl4@;W&S7RD|hy;;L44D=yulWg==VpO2#V}6b zoQ9Y{!7_}JNYWo4>llLUCBTsL9t?;+`FFwt>c$~Ff-$NnUS<zPW%Wmf><Wa{Q!yiO z#HCFIC}J+N<SoM8G1Bd72|T8g?ED)Yr6EZ`tq3&14L*UM$Nb!;4jV1@Qy1?+U9FN@ zCpb2~aNOgRnqyTXJjAGE*i3A=p0mFFbr0H&-K|GVH*5)~mT5`7)U0cN+H+$LP0y;j zJs~r*H?Q%33UZu^f&(Y(jovO`I<!=~!c{p<W#`CHdB{-TbjKT%UTOuA85BgPVWx(% z;-S8LAnJyhZ6Hn$>W9}%NKsbTXf$OBM^1(*NpJ><qKn_;Gt_-DERv_BGTB>Hw?vll z(46ZOFiaD4W*e;n_|$r~T^Q!XIW9~3c%(wFA^9ZK8o%X+V)S~R&CBz~G>kuf_Vfq( z96pVvKar%A-R|te$;sha|M0&b9(=fXe^%3?16S_iMp-d<zM9^c+v<|eJbeH-CM*$+ z8oibYIgF;61UT3~czf7C@Al6R&we^Q>+ipQeRg<$t_-<iIC`=4s}Bc19$xfM_TL@a zq!HS?O)JYCzdzW&IC_85gH(8w2<f%ma&Py~4qrPdlUD1T4%`ojBqjnzWZnBA;gk6; z?jIZ+o}c%BJp7v#%))wg)dH6Z>!@tW>eo0)GDmWmdIx8R7mov-d7P03cH3{vt#);E zTAD>H`b}@yuqe+8upvwp<Z|`re#nTR^8(7ueHQni-tIhWv>L5O+s<-TF|y}~G?Uhc zoHs)5ldzt@8<50(XTh}^c#8fmXbGKgNlW1DOXP%N?6P~Zx{yn>mj5ar)SByZz^@|Q zr%9S=ESVaRzf5L*{dZsIHvFqzZn8-1RT@6d;|Ay2<W~_*8j_NUZp`OA?5m%qAvUD` z%nvD;lu0YMX)BhSHT!JzT=LiwonBKvXGJ4rl||Vcu&61<^`}txeDyD;;@A-56g_xI zu?=H$o>Q3(C+aSaN1?W6zw}@-^Gf?}%ZJl0UM3T0%!4}zl95Tpkr_>3^;e%H(XxS@ zZ}JgC`1W+)TGB`sbEGK?)w1iD@j07dRgrBzN)FiuqS^i7kxhV6f`<N=BPSzSYTZya zhK7Vp&Yl+33X|-Ylwe`b0DU3^2ABqnO^ijUhQ6*#H*Cw7&y`A0H~y_G)t72L2_Pnk zoB;_)tk19H%1}iNyUsm!Jt0xM)4Y5x-01WiL~U&xlWasLEIM;Cf|@OR=an{|opUWp zCTVxTsp3%0{fb!~jU7v$IJx`#=FR|nl3J(5#v>v7Q>tvdpY*D{t<1op`h&S~lzAT# zAx`Wpad@o(=aj<bbCD;9)aRd~Ay;EQ=2vJCSU{*iY7TmU?y8Ic3(1QUN++>aU+3`5 z(rw!FSJ`wii*YyuOhc1rw#dzMWXb(7G^?1<v4pntIKfPRN&&Sw7;HHmq*TMhCIQ4D z@pW99vf?m0fk<d#MO(vW%Z`{VdjAxFA=8NZJZ2^;C;}FF+K@M`K?w(3RT=7<7G>3{ z`P`@p=OkCf3YrN#U9R-@y;4)o^Dh8Q(uu=<M*Y5|vwm)asz)D$Q2*iw%$3i1ND1aw zlW7tG9}bHtf{Mo_b+%MPuwwG<)!nzoKTlFQj_}{#o28>~YQ9cb)La|zGz#X91Y$&n 
zmko4nZ7I5Lc5(NJXdbJEoQc(K*PQ$ZEP{__3QR~WKH9XI<|J^$(Xb*Ch?6Z4vt1MI z*HWU;M37Q9yQ`YC_rJiS={ZMnY?P(Q5!8ok*49iWNSm`zX@8BHF7=MYBJ<oh6mi4* zkkNxY<IH@1&zf8OPEIz1Wt?EDjt=x|;@`MAU5(BHOp5x8DSAIFVwwnLnnm&_e0>lS zHgVJ$_4CBmjHkZFFG<KujWAjU@Z)o3fk$kJF3U`>QaE7&opw_rX0n%L7u96P46ImS zyg6+Ts3bbg^(9lvl#N9<6JGleB~eyNujbkS8#gz=B0o$6TFz-?GMhsKZf`eqYVBBQ zZn}CxhY1zqJgs4SY`*Av=aMHBjSeeEG-l`d*X&D4a-jp$e$~re4#hHW{szG9mVOpS zWU18!)-r7*r04_@7>|mPr6xWZbtgWFiDV|*NkWO>k*I3MLcY2Acyj{{CtWh!-hRBj zt(!^;PqYbZR^;Mv`_e@orErNBR;2&Y7pVM`KShz4i@}rk7l-E!c`ZLf8+Y9Q^=xNn zw{-u{&i1q2Z}<OvjpydZ!%IG@<z1G}UW>fi-<*u>X9YKZ#IJM)_bmOo$+Yk0eb4fW zCzSYOZS=?<ES9(B_7%2x^N4qQTU+~*4<>@#KRY=(dDFuHq=0ExyT~#W<;nh)YJ<UZ z8+ana+%>ZSJ_*AH%smMGOX6Nbdp2L$9lw+k;31XNq&ik+s7;+I@sRMb$%oI=q*fj_ zCW<4cPdQ<q(|DASfU2=9oVkG8Ta291kLL+0bGq#*t!?2I2~QVXKCp-7=GQT&9SyK_ zkr6Ua6d>=^4Bx8}wdpuY2P?ilhvD4>g6i!VJegs$8Wg9TK`=WRRB$acG7ifu-)bn< z^wUS2EG!)2JQW}j#+f_Ezoi2();nf7Eue8ieWHD!?)^{gMyugwAe5D}<1VMZnPRSa zgt3JB+)^>ohV5J9tIR#iWtPd-HOATbBk1iZDM_z?U{L_|Uw#qaXJ?kwkG;mfs{hqt zQ^w&U-dx{;PcD?b#=q9#6Uc;3P7^w0*HGWHFOc62yJMAiMEc{Zmg`HVLd|eZe!lAF zX1;H?w{S%S43)77+2v9hoNOd4KIQfz2U6`TPe0uI6XueE9Fh56U~pI{I2LA+%jyLd zHfvZ8ifZRw1NU@GK=V?WtR6)?p~3w6@ikev^d}o)@3Udc^8>=BvSp40)LDcPJ2^8| zrnBAp14h_nA%Kqx?~mExAm`F8)xYeNFIkiTtYJskcrFwlEK1tDBtvh7W>DatA9w-- z;$L2oBoHObYaUC>HaU(<p?^ub&ofPdVJb2W|G~4}nZbC&q~?$cL@URvzzcU~!(1{j z{{*AuZWH}844Q*)aqR9Kw5t4*E05hDJ!o?Y+x{`fYA(@ZHG%IOtAz<8R~fLcIaYtP zwLkwX^8fT{H0@7GA{sJ&>|M}z_<y>)+pUuSXLqOj&HwXN9>tt`E4%D_F^*gsO+Cd2 zb;ZAS2jJkyMkReXJFaDsP^&v~76n$hpt6kixsf+-p=1dSKIvSajzr`MY|_8O<^q(M z*iYpcJqmSbY(X8hvicTmMqI+?n1~<gtlS=$oaXhdtwJ{r-yEG^9G>-$-yi&V___v2 z3XQ^2XgWQCf>!RBNuHpLw~Qzz-cmt#{9yTK-2?kwi<}arFZSQ`kB`nTswq8BUpzTq zqHS^EQ6#?CP;C{9<&cn44>M5<qw(X1SBGaOhZl$E7zTHKx_@w3=<j@1kR@HLUS>_0 zpfRp>dZ)RM4o<4o$f&vnRCEyFO3mv=)-UPoDXi;yy}i6q6Jb|sRTVEcx_(!qtF`n) z!Y9jH)6stDmQ!FQ{~MWvdGisA0vbu!uBP?knS1WuRkI(4{E8}rbIU>I{P6tz=>174 zdeY1dXCRB$-q=fN=7wp7(%GamlVaf>qN?i|NQI15S`KB2s_JDd;)F$V2=zaS#-Bt( 
zO#OyQ0A~XI?%Srmo~5x>H6cE0mu!ZxdYLznHBcoq!I<iC_jadk^AZc`t!^QSOhseN zg*-a_j9A)hgFY*kF%ODJI%8Ut)RljJ>Ggl1{x_y!Oh1eIcZdGhZtr%=`+vLL-PSk# z?`u3aH_h*1$|gOX+=qo!&4;~-A`6~2{=SL)*!;eBcpclAefMlD#?~}yrraWJQi~cd zFN69*1NQ{<Mv)b<s^t4AO%fJRbYZ8F54&CC%|1_u=-&2nV9uUS^ZQzMj@`C__tV1P zQxdWvqXCdOM*JJKf2SHcmY1px)fWK+s_)|!d_vvhDmt)M&2Sx(geTl=$Q=`~X+o1; zpPZ|*7={^Bf9p=-<X2_cK7qSL+0PkO@=~z4&?=;ZT#K~u*0Gnpz17Fat<8ooCc^AN zXi&xNK({cIzO9CF1<v5CjNYG=>REuR@mLwUVJAZ$=T{}8>FaW`Q{(oYXJSrx8<x<e z@LbuQ+<;|WoXVYZ2SopE79!jf!az-^|7#uU{rUqYkaIiS@|;iE73|`!9@(%dufknr z)OZ6v?{wAfmnpQKX|7&5Ccw;{Y6T#lX6ti(U!4wJorl2?<j%oVWvd8KZ4v77*2+97 z$b`zGjlASMRTlQ`BHKFV3Gh_LX?AaUW~txRGsmPaW0(g<EJEoHRx506XhiH~D`#}V zr!>Eo9)ks4=jT#BEIafIL&B5gdsd6SMy_C6R_0SCR2S)}Ig2*7s=2)E>NTj9SJssp zC;(b=v*P0URxdE-g54eO_O`zIWJ71}Qxp7P<lBB6TM>tuvI>C=I*TU}&YF+v^<4~% z^)mm%I?3DU?E%J$CNroHLP`S`jq0$8av18<`aD`&=xUnBHm|;w_1tOcNTF~+Myf?C z<#jGnl=Lo6S#3ny1jWn>sAeeI0l}h;#Fni$>juvS-(4h`gPJ9473M`)l8nkA;?V8g zpTwU;5BpZ^M-hx3(i{g1QY{KO*mbyzm(1xIdj+w{aA}#V{k+wB0N<4CNCPxuB*>s4 z{A$mE&9!;Y4%nN0F}1So#*5bH=tdSq9a}rS*coi4x-;&@!uRb_mhsl@(eu`e?&Eu8 ziM6Ol*h+Pe+#8gud-Ng7&LdlAE|2hVkdQpS3)3{Kt!0=fuS1(k%$2;xP@k`s%ka5x zTLwsl|G5%U*#$ipcc+Czn4N3H^f=iu#{3W?l#Vdc>{9XiQ@3S2)aa2gwAtV4zpl1Q zutI8d9s6f57luuYQJHPk7)G#@RE}vRZAL>~m?seNJ5{&B20<>=^0!K^q02r0IwoR{ zZmL+B{tHN4V1sI4xt6;wE%ZAE&aLC3zo)lIFved4+d@vUA!MU4kzPIfv_RR;(O9^R za0eDSn-*|c4H<`73SjTzpyIXk_U;=SA~cwRKc@aAi$*oWZuyxclekG>?(M%T{j+^H zFIBs&EtW_EcPFI{n;8vlbDxy_-`(EYg7#Lm;94Z0O|O>Hq)3pBEJeR@mfTPF7Cp?S zX336SNky%@5NT4c>cQ=8ae*letb27uqjn@WMDdo2!OZgQL;I*5$R+)|?lw|iFfPs| z^u>OCJ^$Y#|8Maa+~e9<?*HxVwmRLi|95w{^UeSJHJ;KghCYyXU{5#J@)L59Z}Qze zZ}lcewspJ0rYqRXooae-CB9cnpdD<>>KLzDRw2>Y;1RXCBMWtNupwa*vxXJQ*t@7z zF-x0V$FcWTtUbZp4Fe*^_*+m3p1EC6U!MpE?@xX>decAMzj)jK;r&_v=;Y{PPc@ZU zbWJM#(y7%t)SF{Ip{3W2a;Yi}vN50I4pkAIUd|YYt$gK~FW$&X=d00HMzG0cz!LCc zSih<2o4t<?E;uAqCX7z0$q!_X0B4+$vfyczFGxF8C#jG+zzlD>&F}B;ji~$xF-;~6 z<*dzvx-T#Rf_5-5p|~X)(Wh`lVTjqfB^5GD#(zciEh{M=uh#nq4!%q{h~}p#bmD;h 
z(<9sHk=7eN`e_n=%u*)}2@8ek8)l${qt{B2Q2I~ig0Udp+dCT()dJ0O6h0iiM*Sfb z6d0xmHa?+Z8#aMAC>-^!_+G^+bGsOdsh=IF`R+S7*grTtyVz?^NzzPGo0e9T&Zige z=WqI?;V04sGo~b<$zEOQX*^-Sn;f05C`o7n>zh82aKARRK4`8Y%)&iBoE`72-((%V zZIYNZr|o9WD$Qz<lt~8>^GMLW^-VQ=@c;fF|EDKdNFxcJ=M$eMQZYFa<rXtiseVCy z{YL+FTL;g(N|>acGV_1=CHm8iB6i>B0lkIw8yC~tEsZ@J!p}d$`lci-1TSjCU;gqJ zsIOaG>RaH261H0{`1RL6tI>@NVb@G%XEWwT>+b8Z@3SD!q?=j4{frWQ7VNEWVqTf7 zDfk4VgvQ`;*!a2Sy&&H3*I#a)|8nc)zqVKY)$aUqyRl{3&ycc>dQqha_7;tgw|-OA zhub=Q0x>3?on4Vm;1iImOW3&44zcxijsP}VPx|XO87jS2uid$=!(SH(uI3y`O-O(q zI6np_u|d<#Xtq=mIuTU&4RwJn6AflL_U|c^n_F;WdU?sh5WI`Svv*Km_s1*@w1_q> z%Y?*O1^#~@jxIoz(;vjR&=o<YSJc4mC4}&uS$A0&?5#h+A6JCQytx(O;Zk@fFiS3b zv`Vx6IhByci&ByC1Z?6nJGs1JmOP}HB@9!7$^DR}`zp^fyKc{?E!#7qYYz6-f~t91 zvU1g|^{oPr&ExN0RZwy5zyjpoynp}Z_^`i!dU|}MQ@`~O&JJH6o?IO5AD{2lR|T(! zgoexUs=5#1b0Ss+-(n`L$XkG7mfXBF{G~kSWpqnp`R3r<^1;#T@>mwy*~$Q{X(8m% zEDQLATvB^;1E@wZMKq=^-(-<Vc@Dn`u02{<#4XMQ@Q7l0%rW^(w6z%B)3c+W_Ad?% z^I23XP<N=XwUtFU-NBX>>C{UEp3AJhbe`@1j}K>uip1|foanrUbCYeZ#mZS%1XML? 
z%Xr;20~e;$SkNIICVZxu`{MnNhbLte7D8MRm1V8xLEFoku4ruy&aAIH_q$p=o|Hwr zb?<uly&ffOn1pt@0lesndbu6t2|r=6%$re`RH32D@^?3NE|n!v>Il82J~*Cg%&7Z| zyGR$#J(h#dHzNvlF{WWyht18!fzO{n@^j3lqT|Oknx2;mn(P(Ro&Hi@@@!di<)x>S zwDDxNS78s<vTFcQ4Y5Y47^gDeS5e>YKkXHQTgzXqZOtQ_{ismhd7oL~)W7U!cg`0} zt8X?pj;#>#Q9q<pYRYEbGZqbb?llYf=okwX90qftydfX`z>^7)F7%;(Q$QszSOL%> zcL~1Dv}fI^wiV2M)VF%k9@KkITeecHx02>GnTmD<^5JU{+3)&AKM;|=)v~hWDv*61 zMLNsjJ9520qRt4L_x%aE?weaNi$h(mxU9X;qS5|r6ve()6zv_K_HBWMR}1;gwrU&s zgqk0{7Uo-R^;QO3+GuP*e#a;YrZkaEP`82V(DYvE_38Vwiz>ZWpDbB?Qa_*g_O!j0 z05><4F;zCB0Lmr|&;JA_EWcxez@64Bq<hKZW&K@j6p^q$CQ%U5#Ia1&+67O*3!vVN z6Ye+HEzEw*f;yD7Ewlp)Wr~`J7W2lq0c+cA6x-j>cFxhsg<b~U?f>_Fc4%k+;^Oe# z>Bae8x0Nq=g34wZW%&TO!~|J1fMG~RLg&X`u)l~f&OV&<Kb&0bzj<@`y6DvN6y3bk zToJjadA`2DW0##2a&DEZ&z}}@zUJ;Yqm~{Y{&aX;M!{&MD0}x3I_zgRKdyjFUUnXn z?3>2Jl?wMgkcE`ly89@Woy<j&SJ6Pf)5AJ{W-I$LcT{TL_Eg3t0~W#hrl5a^Hq_T| zDw*oGzV&Aac)|JL?$82}YNAS5zhSq)hp-Ti0a4IWtX`I<zH!u*g@i-j`TWr3=aa0i zfmdNU%Rr%|6BJfzzo4<KhEnl**9zo{1&U~zZ&tonVO*+yU))z_TgVO)x=_|{T;6n> zT)%NSbTwp_$$m=`EBs9^oJ#+cyFQc~E{7TxnmQ$Nyu7)J5hzq$-cQeq?6OMqz1QE> z%tv<}u%4nNYeYijl!SZh|E=b(KI=F7{VnW4Yi_|AB$Qm*`5KxEOqE?UHRnJ$hDUCC z0Em#%7<TYifQe&`%It+~N|)~(@f2bf(;;D@U8JnGY&9V!plfe#erh8cxCztO$o+J9 zcJ#yF`WHv<4&Q&c*jvA8_q_F+;@h6rwNefZuVyL|#3<H2;UUx;-&g1Xb%4J@GoaIE zl!l=)`YY?2WKQ2#R=Uf4(}$||T808TUc~d#B;12B4P#NhHDXE=Hk^F~ffsJzm8{t% zlKK6@o7`@+z>tMfy;1^xy>QN18^s!6Uk6R^t#4Z5*UMzQtwR+m7TeBWziV&7r%$#^ zmPOaH;l%FyJiw$}?d`7i><m&d8}Ms=2Uxqat>5}Qp{Zo%`a3p+%}oOs_V%#y7B*IV z-Pu;Ji!{dtYNHDC4W&O!ScGXD2D3bxQYl9St;8@DYPKpSO%qy&zkb(o$Fi0C40A;O z3axo8RO$5_UE;RD0h*8geh76YV3Vkc^9d6UZPno~fB8#&{iZNNS_S!BW=Rca;{uO( z)%<n6HId?xYTf^~UiR4t8i2>Zqfi&k>PpS^1@A}oh5HzePoV52z4xvlZs@5hM+b+- zt9HNr!6Kw=N6a{;6s=s?xB2GXR<Wk*&YG`f0>%n8%x>m<;nI%fDtneU*t}JB!BS*} z9Y|*v@Ya$B_az^6iZ@eD0mejFdvnj;T8PW!n1vL6#%;>H$ZZ{L9OJK!s+#rW=(J)N zG^Y?$?T8jXSL}`!3jB9?b9j*t-G{T|Tj=~XUlrWKW@mDv&f<D+qr6f1>n}I$r`=y} ze`&1xOMy^Wf!E%uW$l=(-&ba*KD$<f3CONAgh47%_NfwC95WvFEzs}n`|}Iyw*H5s 
zqV1WcrJqVP%zJh4h8_3>*CZJUhb~6M?A5boZ0~yBdd4sLWH1Vs_q#&d5q8<<g4$%4 z9~)s)2-LIryJ6pWQWWWDROSOxcK|J#0#H)JpeO{(Rn0Y^S<O|X@&m*$xbBQV-!)*D zyaijP3s)Q0+WIVK_Dx2V>JY}rl-e@t`$J+&KFb>N&=usq>&HD-kNd72fB4FwIA8IW zGh<3ihWff-y)f9HzE`CA2b6S{Q<qD+Iiclr>vrBbS(I0{iDjaxD0~W{CnJAB>MWBv z3ae%j$NPyLBXq1WT5bGS&-iR_;tup~ZtjA!D#}F!S8so{Nl`ig)p!VAu9H6hQMpm6 z<hSD`i4%I56*<Qe&T-LtJ@?9Qo7BQt#w2Y7J3BSzW|A$qy}h}yUj6y+MMr;*@gE(M z{O$RQ&!YJMJbC=%4*=Ye|K-_sw;ccftlirF7XSY>9yk7<#Ia~*hX7vZ7Xy7e1+e@S zfR+Et)25a0qs;fr0c_&51?kzK>?ben1XSL!sY^O}Y<n4;(wb0Ry_BD=fPudDsAz1s zM#4BIHj$$4M8#n?T(@i-Op;v`=x!a@!fx}X_>?K8eanR8$?TX-m@K3+Y_}XJ^JO(e z;am|ucRlz+I8dR8{@6_AkqMD>WOCx!UwSj%jKNYmyO%pb;l?VBU|2x+Ayei-(`Ln~ zbC2n>+7!wz0xj-}tu%k;<`B}WJUhTfF^P1N@0k^7W0EYaH*6M_#w#KyZfw;{=jQ5L zIKFvU`ut{|lXPU!@!hJ!v<p(>6b9AwBD*7T)jrs3)K=-i@*T<r5mSIkjqH`8Xw>@& ziD?ful<BjvppbTZEQ+mKWw=-5u{k07SVptr(jig#MEJ6c7oEN2<@Yl>v{`!ZWCm`I zLgi32e@ufk)OUR3r3$Z$2{NlI%(Wwm=gJBaaq(fbTvR^KLD^j?#-le0@#!hv6Me4t zK?}$&ExC{e^Vh~^B`a=fE!cGBigTP&L6>s+oMm#kDxr}hr1Q%+E%SNz*WdJmNmrKD zGud?JE1jlcc*;ZO&lcqxE)}bqPb;vCSja2w)|`l{?n6adjz%@l%`r(T=mm>dK>#~B zFjA2;F-I#pYbA@A&VHf(&HT6c!->;y5@-Bclq`<_qpBqZFi0l@k3~#As-dOQz2dTS zw{+;-fIc@`Rdtt*SP2svO?#`1=v)%>M(*`^UPN|EBPzsc!UweH?npRUP3Eb+h@yE^ zhx+2M{k9_=_<)*tBrAeG;RUT;8$Q8=Tti!_N549atMOzcd`&|#a|N7*zME^kg$^|; zD!RP~yP01FbUDfeDDj-=t<cAdn8npH7$?0xfO|1cs2KAwC<0snuUx4J(nKaygX}H< zS*}zBSq?%kR9$h!fqN}u4{oAjA|;dr>;a5li0i38El2e{kZFt9{6leV3AM+wZ3*CK z;oB0-WsIwIX2<4n^VC;p*VWn!xH`t^QtkYnA(gA15pYp2ZjvrV@xgKZF4rVna-WAi zxHvdnwpJCc_pUJi7Ez&?I<#?Tey*i<qP<Z6ZoAQvGfwz#7|3m})pq*s-aB6YS{2V} zKvL;@#bZj<An(j?F$XzcdKZAKC{R8dLlY^^^K7aW`1`4leBxnAryVux-bdlA2c>X< zd-bV_V4L^QzY5pP>w73lT2`S%wc=B`CJ3G;J{7$RklDu^o~y0d3*<}ohS9^yyn-&k z*DP_@nF$S8I_W|E9i8xGR<EtfL-zpo4?6koo_g6Ax0Bguf%Dufz1X?by`p4Oi0Ds6 zkN|hP|L*`?!EFw*U(Ol!xK1tXj(V7+6EP1{wTJiCFFev)Q3W7IX>p%A#b#E7JYQ_d z$P_QP5&4yJ)zmHewyliVy^|I0@<lBa&`ZVh{Fvt%vkU6VLh$ova2GE++3vdA;DcN) zm9l=Rn0F-d?n3NKV5=?))b+|=s@8(J+Ve}y^5)5KsC4|9<KHxIs+!A6-?tgbV;=I+ 
z>^xRW^#PC6q+*fV-GxP}5LpcGzL-Tkpyy^6Do4hBTh)G{*8PbQ(xmL%c3xI@IInZx z_QqVu{g4qso%WoURqeTT9@1X%B%6Ix<%cSlzWGPKtnmvxi{d}<jxTRQA~vML>;*lv zjXUmtY_(fE#rTg-tJV3I|M9Cl^LN*&fqy?xTBg3h&hu*K==i3cJ6ksO`d7N7>f7_h zo<;M29FxzG`Bgu6%>Q<0w_S?=+S%Uy7XS5Cp7P=u6X%Ye0}>OwaGp`o*griokz%6p zmY5xD;ggU>qvo`OF1bQ9S>bc>0+agy9#Bc{f{tZs?$+4yvTgUWJss}$mM83Y9!V0O z@?hW8pvl*ZeX}tF*zN^MMpS0E4OT_z0cQCtMe04s+?cTF%niSq_f;!t;FL1e$n`4K z@=~Unb_-XkeX6|vT*^X{$A10M6XrkJvq=6YJfz-$MFEROk6j4vlK(sH?Q;BYXZPFv z-(Te^r<5pNDdh?t{6^e^OpVLu7?_pC43}~fAuxSI?Z2~t?&A&@+}_$NZqIl~Uuhnz zD`is4?t1yP7SoRs#Q&sW#rY|ZJ80@XAk^Af0@Z9ciw%j{n}nzFlJTzDh35goT^?s= zfbTu5BGqO}ujUzqim`4hKwJ_)<q&gj6m2fz;<aXf^jv<(vrPVfE(72W`QK@`pOy9h z-JNgp|EoNIxcpxt5WY$LFDUWTP`h5|hu?|2)d87q__miV5TXY^Z^T$&<JX$IYmDy$ z8;^-a7!_D(N|S-;p;z|jja1M=O~kr#&$$|{LcMB(0di}$cuW#OA`#|$Rj-%&b8`cm zArlhn-`8~#*MAe-L{Xa_EiO{LrK;p@TY`pynBC^7LD#pSk(DSTQo^@XRbiFy-7o1x zRXzM%-K$au|7dac?YZZ(X#IE3fIPO1yX?Pqt2KB3|IRo6-&c7acM7SjB4mny-Vnam z3SJ7b_%Cp5RL)}BgZDA{drGsLq!xyLEIK{0XuLkbV0W8Fevwda{Ks;Li=liI`2TsH z#qwXLh%sq)zU2OIr?uUl+y8BKzsdiv@u<1n{C?Tp`X60g^&@=Wyw{can}vH59P4sZ zEfhxr>MX+ajrHY#wzdG4EjI<fkGt&LiKue~xQJ-6+-e8wtB;mWXi^BE`z-BOoJYk? 
zdfn_6W^`YkK)@cR|2$5z|E#O@oeVS=1y>lwstCLJ*gBVcd>;8ke!kX<hdUN}1io2x z{}rFR*8k$6nun<YcdY;2`S`DPcf0j%{r?)z=Q@nFY*~JUBiEZd)OCN4=fX^O<RQ6o z7K2!x$K{`L?aN|P3W;*=kN%z5XjAy+=5Z-Y-%=8UR0!>XwU?ck&4#1X#aGVX1=;1L z#~@g^6#i}ojnhHM{G(IDK~CkP(_+?*CDoSYjVji28#qTt@tIOc#C-Ga*A-{VLg34% zO%?W^g+(+(-||KePITJcLW9{MS+C-_XMDfYq~-jQc5X-v_4-UlQ<si!mY&oUw!fFK zQn^aCzW7HkV&9$zKX>SVU&H_3-R_p-zjnL3-}Jw)^4!edZfS?!?)olD=5?1h=D})T zL4*4$9)^;qWOZ$;R58<Y=G2^0!Cd#MQoWX6b7{vXEM<|bSbz%!=N8(#bOT-cfm-r> z<$L6lEQ86G>A6+AuyU0PFLHG(Y{#zAN2jK*&Wk(y>Q=s6si_*!f`Ye#(pOpS-kpB9 z+UIyYeHJ8c7QNMgE5+*O#?)Sp_`FWGO0K~Nq&3Nv%yM6p7U|rJaEBVD>)6(oC{hJo za#`|}lBT#?hgO>6LBP};C7}ZDq+4Ayt4rl`Ztqky`e5VnVZt>tB`b%|$*Jzxg%z8d z|3%c=JM_N^kC@~S^!wT84*hStv$Io<|9|%E+xgG0@>J-5R-PCZcxPDPE_HB``sl5E zpv*8Ei$)EfCzOkZ&nL}kyFRCCE-G16Kn>>K^w2M(hc4igu#}*=VjWpta}_<ckYsxS zxTT6~0j-r(QyK-BBGdYV?zarDN<CJ(Am9G3Z0e4>%kv~G03!S`&C?<1U#m23>OJT} z{Sqh{ii5(Hw%Lo`y?H8!m5=f6qp;Jj&nR*$i$)o%&wVIh>z<##ZvzhMTSZ^ry|Is- zt9x}upu30Gt@EHplX+q#3&^w*g_3I8tYXzJfcP69U}AY)$NpM{IK`TUrn4pEeEyyR z6YH*fu8p9()|AhATftl^#|JMp_gHN1vD|#~Gk>M0G9zJgkdVk9H_XU3W{>j$-xdG8 zJMaH}wzKn1|Nj~f@iRxBr-VQ>q9GskF(bH@E5hf>q>kv7H>5<SiOq4TOTmXYAd<ox zCXdMg&aykBm97qw!_=MZ`*Cd4c+j__d2p35nWY{cvXJ)RKuH_4I<0)-k)%rbGS^;~ zvm#8}*=w!hSLcYF+VU<+4n8^P_@}C(MeJ?qfa*Kluy}zCS&>URyW&Yu$hbRV()r~x z=Z8*@p1qjM@aTcPUehFAR`!qSGEYWLl-8oTC~4~Q%6HWYxGx$`RU<sIlFV0hsAwaN zLrwzG^qOKOB%L%(I?E=R5=oL~XQ%bN+cog|As_KZ9E~!#6T-^(8RQ;5L-wP{Z)D#9 z=!CGa2O^D?TK+P}MRT6dCle-J))PJWIcGkb#(F}9z-7y@I+j?-;yH()U7ZRVJZN%! zjrjpqEUD99E&nq?@L180&t3BWS!eG2Ppk9o{Lfc;j5oAzWIUH+n$#kzoH`=E2PgCj z%nwn^ujKHC>>3aJ;4c`mYy6CFU!|k$1<qa?k;tb#c$fdk52XZ5$b=2j3ONeyw;Dje z{d7VjY3|c~?fx{&m}(Qd(}VZwf7xrE1T^W@yuyO!75Y>2K>zC?UGu8&ta(LTYM!AX zS}1+g(otS{j!&o>Qnt`mH{({fW74yp_*&&EU94m~n3pYe*)5D-^xhyH<)s%DniR&; z6fP335_cMn)n}8p=uY%q{^=!jNR%zKN`r-pF^iSqs5$svHLrMbISl#LDiw<?kyR+Z z)<@~Zn8kft*MkE-nWUKHRB1ff@QX_p_jC0uFRwm$*@xP_*NkfUj|Ub$m->IF{NH}o zDa-%e_OoyD|7$!2{r?|C5!cx#8z=NyzGD$j8s{=$(ddMqCUnTI;r7-WP)RD4^+8B! 
zz#OIVn{NJJT{mBW!z@d!ps!~P_D9d$&+}B@Na3^3qWGI<x%_W$ce~~MKik{SzUBY< zD$iQssja~QkF-iDV69gAT5GVOhq{56(7&ftNYCn1J@{_nw;BK&_F(<ssDFBNdU$+v za@aqA|KaT55cc+<j+OeRQlCy~B<s2<W1M)}9jTirzB8aV6zqfd@7^6<^k1FrpB%hZ zkk!lAhd=CpIJR#$G+ZIcAXIpwP$+<}{N!}NG;((ML;qy|-68D#PiX$K|8vWG@$0{O z=6@Q-FTXc+YZjIyBi)Acq5}Vm{Wl2p|3B5>erXi{zv(5u{%h;MtvBJj?=)f0-v8U- z!A1YW*)bCJ{!38Z62}?^b9h&M`GY!OQCZj%m!;1zzmCJrwVKYk(=*JZ^Dczcs6l`E zOAo$Z#?5(=Id059E#joSM3Ib6%_=%ul<jUyK&Le1u`(wXpg)Hjz}1*W%Er=1saEKz ztui4|O2RoL)S9_k>*bo7It%LFk1!<xc51LMiLYAC8EkW#sY$XiYb@2Z1}O^z537it zT_BO|%%_1uWlY0~*KItj0Z1}39m;{#YEzOh)o1+l=IEk-aQyz{uz$LL@m7nLS09d! zU!V71ADzu<dHctwN@yOv+kbPY=2s8gr`~O}pVw;uZx4^(^*@{(U0fWVU-VCpKfF0Q z>Hl<ic7F8!qzCm@qubb4<$gRmd7Zy6KlN#=(P=eWSn|WG!-I?C1%>O=cBAu5!K?|1 z<f(ZesgO0#?h4jCh`Eq<#A>yWX@;fOl171{Q*k=tP3bs52uqpIN`u!$6`er=fkv&S zEako`BuXHwfo5PbKyjFkSOhE*l7ykF7mriT4>+!>9o0<nmtq_6JgXe8-z=m5t=p`H zp!$Ge8zY^$1^aS0bqcHm@cRA1kB4Xdx9`s{dQg{s+-o*3(*aE)Dyisoy3cl+b+_cj z@p=E?@a*FC(OD1bg-@@~j($2k>j9tABqXyAemgq3IDB)qe{uBwq>p_(egC?Dc6fZa ze}33M-hXv?+_U4ox9%1``*3n{c!n$G{GjSxU(-izC<NTUq)D&SYP4I8_O2JOD9|xf zAtRy(d9U(GT&|-nw*ejUg!Wy|A@QZYUe$}Zhxb$gk7*=C2!5J`Fd$-#e|Z6&Vhwzw zL6|FD`<OVVA;wT&zqxq-<KapF;%}#ixAp8d9%pnpZ4Hj}HJ0pmiZjoKuWKtuwd@^p zC|wb(dg{xZBZcG%8PUdw^HE4i%yh_GP7pi8n)d(eH>JsYi-1EGrPoa|33j)$M!x$F z{PBbb@UPbk@K}y3i-HVM^`jx!NZ90%L8wr1B+f0C@emOY5m}0WW&xey6-@FFLqYI7 zec{sH`eu9;Y&GpzVFUV;^<5YMBPx-L^v6%i)bl88h-RyS|2Y(GjyB-0PT?F9y~eO? 
zr0@HaACBJG_Nxk8A{#MLcxU?Iv1rJ1j`Mt|4|xK81}uV`R->`oy8SZ*JgetLSs1hG zkeNy*S5NlI<2bG0uh0zWv>Byg2%W!v*H+{nB$QnK8AM2F3~dEGqV@ZrpxTXiK*gs~ zLSyi*;Ea-BcCW_N)G&e<r8+^GXyvIA%9I4ahY%;!GcuY6z$2=#y8r5}MMlocmS+=k z)zBh86*Ms(u1xyte<p-Q8GntaGz&g_LV{su&e8~ln{eoOoyiYJ%rBQ8>d&9{k3Sst z|F-|`xc|e^@gWKoGL$qaNVLDAfcY7ofH#C{7KC5b0MKhDp>==WUDAiXA5s#faRWPF zrSf=MGS_NOEu;^SRE}vRnQz`<GP1c<ue>hKFMJD@njSb+Jyq3n%#-uC@6Xh~`(6<Z z=T5wQV0w5Pg;T1Y7wEzI{)daVhbI?D2O0-_jRi{M*MoYaIn{Awin#R(qTpqrCQE6c zZ?XJr^r){!5NzBFSW^FjWU#!HHD)Pd7A`1RHdU%ng%OnN7gp7*&>LgoUy>1phMG=^ zWJBWHJ9%Rw$C>I_(7(TL$kFfkfnLWfp?wzh;F(&KNEq^~zPV-D-2R$%!`ep6@HcMk zImAojdfruLaSued*KDreoOk=LJ{<gbcyWt=D+@wvmuH8k?{!Hl+1$bn(QS|k`JG4P z3bltq?K?E3c&5xk9r?`SOkpNh!Vej~-cX(CtCehTeN$=1+Vei3;CUgBM(_!6wN0Qd zn&=w%rBQSSc+F;gYr_CjV!JQdgzl|xqF?u4|0L|k9L{F8k6;0!A9t(yOWRw&$${Le zUlzaHW*t1{Y;DYeb$1jR-#4o^8196TrDD?AihFQ0JmK;*p@K$o{_B2tMP@=nbtHub zJGl&40$vO{wL?>n(v<+w1wRHH$PZ`7w@nrW^jZskQ`C9$>65*n*n>?!FeUz6ni`Gf zRz6`88gtC6d~HgDr=0~A;5|>Rsp~hE3vXR4#VqnIhzwouJmOnSy@V32>1|Md%%Oh4 zGd5Fb2qt+lgCvc54sMD~3$s=G@f|GG`j?kaag(6Fk<ZiI6R~Wj>QYs6)tDh9j9El` z>o;XveTB)Tlo3b6_LM~Nu9zHq10Li%P2gD<4V=C|zi{6Vc`|`Iu3&pgwEx@tS6U3$ z=Sn4XxHloj04V{;<j&6rZ}-nGaP|0g&vnnKH}f!^iq<SVJN!Y{EO|_w$`vj?60_!X z+wMJyX6N~CYj>yJlnEP+XwuAFQ#JEO2QCXUuJ;|qf@|U*aVT%z99<mmzv|;~ocAxz zj^4ac27G2|K4ffPAD*6Pp7>w)Fo)B<My30_^St|FcYag=B1&@)%x`><%@i}wYUMoz zWdmTqdBuK%2}L)-CgyBn9&6NmO=B7bH1cQOxlf{qMWf;l)_;;sx-a;Y_WzWiWTS{D z^fR_`NBl=?XYT&L?e@3(pT5qs2B$<ynnalERS!M-`~j6G7LBZCAR4tbxEM2GckBg- zF%3f)g?yloqp)c76i@a@Hl?UhJMT#p)Yc%PBW?3+#u&^&1AUh7$yNj2N8t>O`&gp{ zF-<_pl}4@c`n-QGc|viAax&o&{B&@x>?BcBQ@)A+YV>Q3!S6{E|Ftj1qo(@D{uI-w znFAUS|1ynrghB25hPaAr-!}&2vi5yLPU714|FgCRKaqs-RKU^eLs4rOL0D_BfRd&z zm+;?ewF<kznmaZ03^f1IBvNtyAH3Z^d2@LD{!L>Ne7-i8&;Olnr&Esq>h5lTi~ss6 z&)OPHTaDf4jTUTnTAgjL_1tT{*urJH81Y;4?mp<ze%9zVS~U;$gTRUj81e+-gb%0} zDsvqqO(rbTQec!2pQ?GzcmPkfpKrrvOd>AeCH~LzwrU={p%G0~!#XkvSfC}8u@01s zDxxIE2~S63kYfsOmFll!f}U)*pXrX}amh6g&Pl{1`<;T$u?8js8XTRfZX{F)g;`tI 
zbOV=b9=t<aNJ$WAHFme3s(*Lz-(8F)YBhGBDRJhHsQ?yXm=x$OQ3Z6j=Gmm%G@2^2 zUjQ3|z6t@DP;{HJfFf-=u=#H(iQwP3_>cb!&QkU}obd@wIK2GrH!jH-M-7MbS)*-- z^O@J#eZ+8f8tn|~?q`GAcA)MwI-dz@tI^4zZa2E01?q02-EMRp!nSg-?dOjotePk9 z$R&l4O=(1hI8~Db*+!YdEPtilvT33eXvGQLiWwHLA!cpQb^|avTi~~15><Gz{cIOD zKTIZ6!U3Byc$uodeKuukx*cgHK(YztsRSM=)Y))`5qSzb1yW6|BHmB7cb>uK#h6cs zfPliAghq@e>d#{$d78jWi62Ly$1!WrR>frefn6hP?cAq{C&$#RPR8_7=)Zu?f1?SV z%;0Sr$t#{*!pq;r=FhFlnVRLc&+p05j%S$j#6H=6_RL`<hdo=*9>++X&x+cPJ0Dw* zn>p?*&scod>$Dy<%N-UUQh(-$6nLzI%L+WrA{_J}yU18|v<sW>NaE8F4w*j=X#y`N z_`ChQ)!8yrAfN&BiKId44uBj!67R`&dj~duAOl7sIQPd9Wq|@XBm<H7ix@Gn7Z>YH z{<s5-+#j(}brKnmgo0}w_JSq}L1X*L_Os`(c}@ni<o7X&;9?fd24qI3@KV^9TR9c+ zsx3a$p)eR^N`VAQ>`Sg^!+`jZ@DP{E3B%befC$u(3#STH({0#15)(p0IOT!_1TGRj z;P8^g_)~t~39^&(%Z}ISK8g!lm6*LY`<aq!=Y(Px$3?2pF%^pkeQF-~W1iqa7m0Ml z5j?VKGW4jb_kv8QBB$X)T%|2pMME{vfz5Z!AJb5&3zCK*hnEw4(GcdvmLoITIZ0X% zCke`owgWb!^!8&G9|T*arTILHC>{vtPsnwjjFc&skO`HzYV1C*d2pKWn2b~l_Sn9i zad_l^nDB`i9C*^*eTH*bvIyP>LMH$Ff3fgC{_jhi$dW}3u3q{qWS5Jkpj~6M28mdj zE}f#rxVxK?r<;?f>vcMhAy3AM1$@j5Q5>>iMZ*RR84Uy7Z}kOT&DK|C?{dVD^1)2~ z9|`#kHupn%%>=ySYBtk^!b^g0UOd~*8L5*qQrBy>AJL^34j*-LLUp|M&ZD3zHoCCA zRsBaFDhNEWp^D)i8Kgq}{CIQI&^spiLD$>ckNJf&iZ<I??87S_hGP<<m_FfWnEb*@ z{V^93LmTvJqN;Vv43kT1tv(1Xq$g=8SsYT_vQ`y4u(_WkB!Yh@;iYPf{C0(ZZB@(= zdMy(IT;Ds4s#>PEKiS@C!{z}A=>Xo6NRT9em%jSh80()^Jbu8VDNQ8UOFZm~gZwlM zIgz{D=$VPsA5XS-cXCD?rV&n7dw?Ymig1;s-L~n6Iokl$3H=r0#>kyJFJSYBkSA)X zd_@y~EO{8f%b|YN7}!@^55h#TSP#ACG7eQaW9*pbvzhZ`dq=I<2@Pn%d}V0S6kZO^ z@5V&^-ZEnz;lgCB%4lQ;ynsZ=d8}Zz^wG{9u*rl5j7S>dw6trzT@)<iwiMni*bKTP z80^4H{r?9wT(z_vO_YU4l_r6{Ha<ixTP-{AWV`zUHh<*dZv>80e=OnUW$QO`nTv;Z zuA6oqW3}%#o-Y%4E01oDSKGnsF#@I<uZNJ{AeKqKw%7g)1VgAT1GVe5J6`88Qu<kC zcYmZbR^m$Qi73(Lm9!_@JDq!#tyY-!jku<X7tkS#Xy9t)2#1cCu`5xQdUodI<rMFB za%1p3rbJnPLjB+85$=0sT)gwbaB<gbx4q6|xMeqA<aS;d9@J1<RkHV9v@$?jInefF zjKN*2fT5Bf^N^2b=drT;4|t?dV2X@d7(LnUc9b9xaz@~9WCSlSNh0|uA@TUdBE`vF zwLUsGI(|e?Jj4kev{9NdPM?6r3Dt%ajixN&5e|5^X{bGJdKo8CmKWJdZ#=BbLuI7l 
zVx`tcRjw-1s}R^n1cFqWgYK--?HSQ()RXPbi@UfeBeymnwWWZ{;)Ql#oKv4i0h(1^ zg)aVhvc3I0<90r!Ny1S6qW03Tk%g*GqGg~6i5RPD&tUUMsuYQXF%dk1mzU~S!^d9* zo35a^N}i2KB~6}eZ|_!n7?t_#+<kq(BT28N)v@DD9rt;XP+x{K1?vTD{=_aNPvDqE zO3D6@|7QaG<4{N%NO(ELZz0Ji;d6HqW+qF4s~$|}yp3#1w!F^vk~SVlJkv_cY31Sm zi`~XfZX}IU8Sty9Z=GVpkc@C@jY2-q(?F-5(76VmY<G8*8hgzqa6$YOUQQ(O)2bdT z@MzJiHB6cLIMD(+NJk^}&W6dWPIm4z>=nG<QlYI~yCkAUF1g-|({`|Nj?kcrwVrHu zw_)=wNk|yL>omHgA-o(1_=jrZyr>Ynf<PF*g_^>yiB6;GPfAI~cYg*l<t)f#&y<Jh zglctK|E+@|^&%7TNZCbFODo;TlkLv#-GZUYx$4W5gyGCFCkeW792Mfpc553phfG|K zsgUr}{-r=Fv4oj0tWnW0BcAE435}G78javd_xWx%4c{kJj4xRPFNLI+ofp+U7{v@U z9@7a;Na&fEf1uZ75{D+{*&H`-nD7x{{KfWl$R-R4wB60Qe30NYQ6+gQ1C;V1i!RaO zfg2>gJ~Ul$s&t<()joHgxzqU(?#JCmH}|mb?B;^#(NH@MREult#p7HjT}Q{*%|uP> z`QsEnXPaebCx`m%F%Gp|cbjErJBPaaI9yxKXmzvEYVCTh$I!K9o#Q171g&EoTV>>h z$oBVs%+6|LTV~cX2!@GUyEP9klptUc*aH$3Y989#2FR1`){Z0QbV#=L&03w<I0}ms zrgevV-#R&zRxu!cBb&8)4y#vFnhezJZRI5H<gB~vwI1%)+9@~_ce**)oyTe2tpe1R z1NAXJxJAz3{eZ->ytC^l2<l6uRxy2l`F`S$nWVmI8=iDuJkJLtOV5hr*DU6!!RXf$ zxns|1&cuHxc+YZpBn&I+%P~>>8^M60m=32l<Rx1&CNvr81>=SFVwsq7VDsL0p~|%! 
z_Q)u{{TPbxXs7V}6g<Q{?x6Fwqe`3#3X(<4Rpf(oGVoZ$6j7e5*>j|?b=LC`bs9Xo z<)}2-bVO=I+|AFeptNE0f6yr$2_*qu{!XV%{Z+kiu0}JXZQ-814NJ7^H*UJnYwD+J z@bIjS30XAz^=g_XdazIcn5~(@j(+!fwlA`6_0W#j?mXO9Z0}g700MoM18qNiwA(vq ze_EisIndU_mxlHZD$Ew>P6o8~;!!}ib1mFxe>&FJ*$Pu7&tB~xWSUYQHqlk4&;^^o zTRs>Fcsb?+$uduR)ml?GF&%nHHw?DTG|IN5d1SYwH#8q?C??pb!;|iA^%7urwQZm* z45*q2gOK}|dS}2n$&#_=lkScZFR!^Tvg|hQij#Q?(M+|g%cZ+07ABg2fct7HwDV!w z&WGvw!#!f{9XIahvk%kfqb7o@&KCHkDc#K}{p{g(X?q7FN0#>k{Xcx7mNQ~C{U_a> zUD$j@BY4FF8ci5FYhDfp`L9g1-|pnNJ|YG{ttlB-#0le=Akq(s5V(2sq>Ju&114LJ z?GCulBVp`5;wM}Pn2?AKjX2-#!sZ|({-tCAg_qf%cGqT@P#VsPVFsdP=t^D)Iq2?e zTV%NqEMM^WlqQ%PEpvQmn>zCoJ?ZYWVe^#8gk8c<T=M_@zvv~roF<Z7dj9X3F=|80 zvPd(-HO|6UjP>bucVY7#k#fw4fLA0<;N_$-AZfDLfHWp_ZcV?#RW?(QxHWVOeMf(o z&ocH$bqAH7ZezRAMz>DmS)-$hK7-8*a+%HuobXZVj~Tp_5lbBJ*K0ibsVd>QeBf14 z1l{f3I{{gOyDqsR!#RVny^~k;i7*=~rg&}|{B8f;F^2o9D%*EXicG;%?NKGJ@^FkN zUG3;uG(b3;+WBnSd6bN8WwS|%KUX8m7AN2~h}wEHx}6uWdA$E47m^8hY5#Kig=(A6 zP5w4y9IM$`O*eDAblV*il+lJ7lb9;y7Ik8r(QKHBTl_5~9?sF~F2-MEMW1xK9oXC- zPe?#Q2IpfkWR${7qTht9n!!H^!<t=J`|LE@yNwr$%R&}On*srT;{y~GokeVBN2ryL z(Dozb-L{S#$cLyTM>4k?Ovp8xq?0Vj4y}YM7KTdj395Z-h`!@@cYJzJy4!8o+z%2) zBY4AkqK1~>&&CLUE|w3ZaO?>Vj#NV!X=IL6;Z}~wmsb{PyGQ6FbWgh77j_?Bjf6d< zS24jmyO|sA|6}jVmK#U1v#%RZk<fJfCH+HE1i-Z-CM=4AN}Q%h1xb}Gmpe)zkR;&( zku(;m*x@U`iJ!&c_i~(*8@OnxR=LKW7H=d`KrSbj^PT;%I)H3OggKgUd-To?SbOe( zIc>ds&L-A8|F-38@0Ebg!W73MDuAd;KpbiC`^j{i=Kc*UG}^qj5#R%E>CKqTcaV8s zS<IGjfjLT9?nq@h&S^vJ|He7Bv>MFOGD)>ysoVpv@+1<+Ryt2?`qPE+j3rCqapqVx za(K23vm{)TamLnO%<jpF_(pyK7tWVfikByM09dkwYSkrdGl8=z#B{1na@d8vf1A%} zNKX9qETH~+rXBxe>=#Kz>=)uoPJ+F{x})?IPE+Wu>~ht5#1sK!(1E{#m<3tPY3dbv z%)&Uv<QxTO3utEMMJe6dJ9eSfs%~|IS$yNVH}|@DVT~xy#{iuNI+Z5$2o9^Bnv@7F zlwE(XTF<IUF>?=TR|#9vY(ew10DnjxV+oi*T0R}y;qO0@4ZI)`NPwrfP?B@K`DR!k zv<p!0+zTWA9vAcrd;@q1hHwh40`L)AuTovOmvaI+j~}FOnx<≦KE-m9){kknZ(L zajceZP{~x^+@MuxQ0)%u6{3Aj>I-%qJ~_O|W5t6~j%#2CUycxlv<gs9roSe09x1|- zZTDZtYVyOd1+Y2&_n9$Gr`jNgzpNulZfN!!;=(Tv{5MOpo?4|^PJBh+YT0@PJw#*s 
zX%eQ~BS~7#rVMUp=`V&FWNqaqrrm0*K{{%|s_nA<y8&noh5RR&oW_t?8HO`Sp)kBt z8p1pDu0jjoZ)`aYk^VkSQ#@prMGikumdr`t%QFhxVnI&k@J*z?(Db+U)LO4lh}A?q z#`blY(EAV`x(L&ZCF_2;3^QWd?KU|aF;xA1NN7wma+2Vml{x-d*dUf3;A_PGT4ld> z7GoxXneO-62xn600Z?h$Z7HqL2Xf;jOD`rTOaB3X(_^mcF*jZzu+%D#`O%^pT-m2F z-UPrU&j9PQ*w2#$S-WYs_q#>N0s!yD=~v8jn!tupN}7}#zC$<>sQlkv;dDj)aJELh zw7;N19?=9nnOR&EkXI~#Co6EU0PV147>7PNrT3oyuenD~f~ojbk<o5zGS*+Q^iIXH zHSDlky4BanDo#P)zeU?CFHLvs+l7!iWw@a69OMJjZdWw`JQ>h?Hk-BD5~-n}EJ@C0 zB#eXbJ`8dXbD~XC?S7?Wm^3Oh?N*f>UNE@HbK>T68k3Ka7m$<1edM7N>UFC2lD6sK z>4l#0W`tj+&~ZG6GZA8N9bfv82E?@M4epXn#?(tva+1Oi??KLi`x$%D7GDu(3nLs^ zpy7uv6ijzX9(U5~lqPpLjyoVjge5P$=tIKtReDEE8wAuRX85$SFF>UwTmdo5FzyRw zNhAsS*s@qsM|!8&ZRry%05|GqHZ#%y;gvLEH}$4-UcvGmB_MCGvcfr249&DLI`Wa@ zN_bJvOK-)gzY)f~q1dv~8pZpAs{nOjUNQ}{#7ow@CS>ecp)p${VUU=9H-B-2t31lW z+{(nZC0(0GJUy=K+i}*MtXB-3QB1pKzf`$vYxq`_Tehbpt>2O=K;_PFc|wJy)U=z; zm(9HO$Th<wtdtT0Q?el3#x22}uu+Z^=v>-X5zyJq)=uwTg#)+HpWUoKbBL7RS^NdH z!psM$VdQqsF5Su!E{LY`Fter2r1~m<U&|39npeDE-l=0a=7fK@t);dbZIFzUFwI0T z8)GxLvG_0kW19uHUZEO>AX1Wx-DkI-)3ex)p7?8kzazb0m9H@x@WsjY;`Qcz1<S}+ zQHdb7tw-_-CqK(6`1q~zNPDrtc($z6I+8?a|4qAQJ%4X+ZTd0Icx1s<65fXqol`gU zy-2#E2<5=;l?Lp^v}?{Q7{%6opHK5R%f(#&-;Qm>v>O_8Sc=?5WA1(-;3;ZzTP_^@ z$7MEDl%l7i7e&PyOFXj(4Wus3wCnXp_BwJ6k$6KT4PST(`jpCu1-q{KTUAf6^{V~E z&7i_(!q3x;EoIy^j`%UBmVn%CCQ7<PEd-C=mZjBL@&($kpB8;Vy7GOx%1BHfG_h(* z9<<tewok|;o5z!TK9MW!E-G<?1%UX<d!YaI@8lORqRXjAPF7#|Z$~d9+ska4%Gs2g zG#|oju^kF(*IFFNd2x_X@>eej!kEX_;Ww3k!Ee-^X0<de3bM|(Z*2vpcQzyHQ?-Gn zsL)4IU3#6_js-kCi34)tCEheoi_W$MIb|Qz1i{2=Kc+I3la(q<oa|%f^%qRG;PPcP zH36THa@?;gmKI$2U}G2T=MwJ|;lIkAT7`$JGQYw$wySD=X+o}OMnQIs$w@@Ne*MZF zly^X*z?lOUP%>c=O{ABR)oPK$f1>N0+){EfUgS}@rt4SGrC`vO85Ox@ECzUvX0IBE zSYa#-FUV_j(p;r)H*KwMv>KYmPdItOw6}wD3ra^x5!1FTa(L$5hXEO}6oVK7_$$Fb z_Uf_4t0Kk#HY3lw!e-<{cdWOtRU?O;BwOSOxe4i%!cK<28ucfG&I`(XHY0ai2_5q= z3P6IAwlCYZRIq1^3k!=3x1+FGcm+uksh=&pc&niK0gSeVj%wU|r7Js#8&%k~B!-l^ zV|LE>v-`rv%=AWC092HBX$-gzlgnfbV}xf6_J8l{z5$&%<na7I|6>|5a_ME>J&+r- 
z6@+Xl|JKL4uD6GykKng%Ut7p1FW0KtXbc|FRRj{Zeu2hW64F$@h?`F`-D>-ZYqEHi zXCT~|wpAsErx=UcU9dGdnXY};b@kje7?%Rti>6wL-?KEVl>(9U0ttA5eVK-#2*WMZ zCUMsa&gaWMO)_D|l6KxL)4FL_^`RCR)@q{|VXJQMHp}Uuy3|*BW})Z0w1I6f%Z!m# z!ZPXuMjFX$#6q7^;eE0R@ixUztKEJX=?bocmZj&QNcT}`A2C{==b;{6Pp+;fpZmSb z-h@Y>{c?Tkjt1_;9e=(W_WPeFy-Rm^Jt1a&zamz!&wW#D)zyHioWsF@s%5+N_;%oP zsTCMmRnJAZLCROR%fZQat3vsdi>IWi5i{SRs~AUg3msx%TFnA{(`v5HRS$&@F6sio z;ec6<=F=)mIBnb#3oXm>psNK)=@oG?D~%m)CF*}6;Y=FL5}KjDGZZ>vtI;sZ<Sbz; zOy-F_;sp2wCA|80WX=N+UtY#sl8}2PpqYq?f=5{-oCU<cVbz*S%hFbq2l0aMqTfeX z1l~ZH1xv!;;M_$Bm%Kb<We~K`a^j^}ML^<nY1cO`yQyz!cuLF((>K60B+E9fdLeb! z*<Xp55|7{Off$f3hzKOD;?p`YxFQpa2~XH6AmOP<FHPKFF1t6adVRwq3T_pAc}Ct9 z(~Z9?46sp?k`~@dNIDU<Aca8f5yhRMEc5~EEro`1^Zey;Igc}MKBs}ox?t7hjzdX< z3FVC1F@Di&#A?6-oimUs%J~Y#lpqjsSGsM5QmlqL)h)e0TE&|(&DHoYk=!hgNSd(~ zP)yxXP5p9Hz6^9xK~esKC0z4^4f&~z1wa>0%c<|GDrlyCz~C9=gQxj&#kb0S3{a^8 z#gr7*(Bo=w7lfjk66<Y6Yo3LZ`w|H_iHh=qf2;CNH!T~M;|6{0#nlev#o4^)sYuA! zkzmbB(|k!uuX8C}*(}Q{4nYWf`>Zm;YHcA7duG~IoVIpssq1Oi<#IgPgvGgxY1v8x zS5ucfz~S19+5pC2T9%{Rs219I**L0bpS6i;Ra??SgyWQLG1RJB8bnALT={gFh#fqU z$fOg6URtmscxf8WxgpPNwRw&Z&8G_(WFuapRx5N^{7<3R=8NYDw5qCD21nD%k+c%G zB-f`im9r4>_t?=M8dQeX_z4YYoP}PL60;#kyWec7eN@d_s{k>_&gX8Yd*OcW4aRQw zdgSu{_;+JRe{Hr4NOl8Ns)+7T1gMA$Kzkph#6+9HGn8uMrqp;&!#NE^rC$n75<t(M z$^#U`74nWdtiO}zsfmltD;)KEU3V~c#m(H5rjYJ%Fd6kuuP431hsrV#|8A+x7I|Sz zE_)M#01tx`WJ`d#V9O1LlU~;)W=pE#!dQxRf**>d+{!D~RC#1($bi-*tp78{#5|0< zjb;Vedf#?Nt|{^h3jG`j!UP*wZ=@aG;O&_3@R{Xk$$i^uig~T6mk8fQA(xa%n7vDh z7bRG#2o{T&t(roBm0Ddcp(U4aBAg;6pH+S+f?sJsg8<|lL}t7bcG8sT?bX;6v$#|C zlwZ~n6HI0yOdoOJB|$MSj?DhJL4Bb+)#<u4TtVA4;Csy8MOR)ziAwYfoW`4Tes4DG zIAPEKLcG<gP>88e=Yp8c+V9)h&nzJDX|rYjZ%dH;cmCPR|Gas<e5XF1t^e=Tw)4N+ zjrv>u=O6L;)1Sy02a_}*U7BR!4D)FMOCKiTJdDYoNk8;yoKnL$<@#psddVGbg=BnM z`B*8DTb4`P1G1ZWLa9`q%n<qGTQpgsir4UUv1z!kZdncjK32%V24*?N?RHh4@MM}# zmtmIi?3jh_4fiYdtkcuts6jM{GfZ%n&@kS5Nobn=a24X+3`mB}vIj4rMiIkI*Sj-? 
zfhHpGHwov9tVFUfi)cxNP-HZrDT-N~HySv<jmcC1Z*R>H?&mbe6mz?@JL?V$3xbra z7{;fKuYWy!x_ENnv*T&RrpH|JJXU7zBg25<Y}sIVIXv!GlF&2^Xi9R_zQfQyftYlx zx%jV#$MDS&P%>MDsZpri6Q*)e0?`7Zo$#KDT>R;K<5RawPH)TO4yjeDdM3Vj(C5!p zU>>5a^mw{1r`~a`QawJZ7{+HTQXrgR(gn+-0Ql${gmffkn82!FCUGth??Y9U&wmI` zw0ZxZxgXvB@aobXOul0UfamIeIQCBcf2&q~yZ?X0M_>O~L=TWKpfi3=r&($kRz;Ub z-l$#7YbWzsKX-R`q6{YaPKA|avxZ&ao@}zp^PbKM<&?$$|JG#vKl9l<|3X&$&V4*{ z{_SdW8~-`gn*DbEf5d09pr|hp(19FY_9jP$(PgVOLK<@DAAz9UDx<Vqgj>dyj_eOp zgjdtGL|Y{cz{Y&03on_|66$;7HCb`f2AgJHh}Voqe70H}0xl@@#Q|iRGCxEcz@|0= zi}jF0VBQB~@y5YXiR&%B$PkQO{tMMaEJys3B_Y}+N`#jegE7c|qxXTZrY$H3b*aH4 z7)m(K5?Qh!oWW0u)579~>7rE7c$EOY32=f~@ECm%qR8;sD&#Sb#nF`nKIEwqGC?BL zf;}um_8B#kFg0d*5{K!61K@y>l$9O_j2dFUH;f5}4YPZSbKwgtfD#S?7NC%?L18G5 z2d0X8Y=CVI_)1PEf$r1HL+u_}v4jKJt!Y*aV{+k=@$h_d(;2y>Hzrr3;m6*YdqxgA zW6~QRl*mnQaxuJ~kekkE)EP`}$?%+X2Dex^y+qu9yc)UVF&U1G-sM%l=bn{FZ_w>u zpY;YG$m#Wj42BbeMn?CHOojwH6ixNqF*J7Rj=C3}!K8EA>-Q$NCF8s|89<xo!x8C_ ztIlZB>t6ReBXV^;x*CpM(ixnQ!En$UoR4~g4=#cu(i@P$khmY+!Gw%2I{iL$Wpu75 z7sC;Zk93Dux1-*NiwU_H_RrkWn4G$#-|L+AUEbB;mUR1_-erlLbuK#}TzqRdxo}4Y zJjO>yZZ2H-3i|5|NT)mL4F@m{gsh$Jq(mme(L}v^(;K@b(i!!}K#=p%@Umn8Ifv)) zNN)h|4P4#|keY0)$Z&*zUyohYAUSh8{odfinDho4%U3b}5cv4-{j<scFTF1muGa6{ z$8-9hhF#z0|Fz~@{l6db(e*{SKKS!TcQl6E;UE4Y4AaK;Bjhink}X%q+YVFZpAR2v z?Z_}HR~N&<?R)7HL_e$djNPx^%QE%4B~e!v#ud=}z3=Sye`NghCs{rWm|;vGcHNYW zpHB9?Ny@_Opd1FI;n?j)vrYcl_~|E=IN|5RozWffCot_r7|+WX0a?bpt27}8SoQkX z|6keoalqf<3j8t}bVRiBu^K7{E%V0|weiVf!9K&-GmZCTIK~q0K)9a|dBw&Yo#M(V z`8Sd!<lU$D`D#Uz_rJb_-y`;bzaQ;y?reB7=np$*pRY%K@)vR-B|DL<v@&OG9#L-< zrbV@raOKMwi_)EqbNs}{*|*EYjE>6QGHBEe_Kp)4zNhQM{d`y)_Yv{Z{k!EvRoa%c z3c>`bwdZkoo|pMe`{ZD&ivv<-@a4{12k_Qn$pZ4{ua7+N1JD2F{m*TK-@A|J<iDD; zUH{c?I&b&?5Bc0+jt@FV8zYw;gp4O)yAT`Rgv2)?@l8m46B55wNGzAjhH=gkw320u zFbT-YOE7R{xneOI-OvMN#S%QjDzoa=Jyasuf~C|bya!u-%b)}=GPGM_m=M3ORG!J{ znm_Om(?sk%!&_m*F~)1jrvEs??I!<MmcZ}Y$8+|dT5U)EbFA7M|Njx6?aWF#aTYLw zFctnu-0LtU-qz!2--&(7PwkrJNg<-%@S_|g$O?h;kJ-KodBaL%C2};;`;b16Pw?^v 
z1J~Byfca^qV9e%@#qx)cmNvHXQN=KnZHt?>u6TEx>yb}IAKI;MH_f0&mA~~Oy?x$3 YZ=bi%|G?+J0{{U3|8%-Ft^n!*0J!k!r~m)} literal 0 HcmV?d00001 diff --git a/chart/charts/gitlab/charts/geo-logcursor/Chart.yaml b/chart/charts/gitlab/charts/geo-logcursor/Chart.yaml index 5397f891b..5547cc11d 100644 --- a/chart/charts/gitlab/charts/geo-logcursor/Chart.yaml +++ b/chart/charts/gitlab/charts/geo-logcursor/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: geo-logcursor -version: 8.2.9 -appVersion: v17.2.9 +version: 8.3.6 +appVersion: v17.3.6 description: GitLab Geo logcursor keywords: - gitlab diff --git a/chart/charts/gitlab/charts/gitaly/Chart.yaml b/chart/charts/gitlab/charts/gitaly/Chart.yaml index f33bf56b5..6eeba3ba1 100644 --- a/chart/charts/gitlab/charts/gitaly/Chart.yaml +++ b/chart/charts/gitlab/charts/gitaly/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: gitaly -version: 8.2.9 -appVersion: 17.2.9 +version: 8.3.6 +appVersion: 17.3.6 description: Git RPC service for handling all the git calls made by GitLab keywords: - gitlab diff --git a/chart/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml b/chart/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml index baa0ccaf9..a21bbf7bc 100644 --- a/chart/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml +++ b/chart/charts/gitlab/charts/gitaly/templates/_configmap_spec.yaml 
@@ -31,22 +31,25 @@ data: prometheus_listen_addr = "0.0.0.0:{{ default .Values.metrics.port .Values.metrics.metricsPort }}" {{- end }} + # Graceful shutdown timeout, how long to wait for in-flight requests to complete + graceful_restart_timeout = "{{ .Values.gracefulRestartTimeout | toString | duration }}" + {{- if $.Values.global.gitaly.tls.enabled }} [tls] certificate_path = '/etc/gitlab-secrets/gitaly/gitaly.crt' key_path = '/etc/gitlab-secrets/gitaly/gitaly.key' {{- end }} + # Storage configuration {{- if .storage }} {{- /* Passing in "skipStorages=true" below prevents changes in the Gitaly replica counts from modifying the contents of the ConfigMap, which would cause existing pods to restart unnecessarily. */}} - {{ if not .skipStorages }} + {{- if not .skipStorages }} {% $storages := coll.Slice {{ include "gitlab.praefect.gitaly.storageNames" . }} %} {{- end }} - {% $hostname := .Env.HOSTNAME | strings.TrimSpace %} {% if coll.Has $storages $hostname %} [[storage]] @@ -62,10 +65,9 @@ data: Passing in "skipStorages=true" below prevents changes in the Gitaly replica counts from modifying the contents of the ConfigMap, which would cause existing pods to restart unnecessarily. */}} - {{ if not .skipStorages }} + {{- if not .skipStorages }} {% $storages := coll.Slice {{ include "gitlab.gitaly.storageNames" . }} %} {{- end }} - {% $index := index (.Env.HOSTNAME | strings.Split "-" | coll.Reverse) 0 | conv.ToInt64 %} {% if len $storages | lt $index %} [[storage]] diff --git a/chart/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml b/chart/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml index 94a540fad..04b7ef3e0 100644 --- a/chart/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml +++ b/chart/charts/gitlab/charts/gitaly/templates/_statefulset_spec.yaml 
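Review bot: `graceful_restart_timeout` in the first hunk of `_configmap_spec.yaml` is rendered through `toString | duration` with no check that `.Values.gracefulRestartTimeout` is a whole number of seconds, and the `_statefulset_spec.yaml` hunk derives `terminationGracePeriodSeconds` from the same value with `int | add 5`. As far as I know, sprig's `duration` and `int` both fall back to 0 on input they cannot parse, so a value such as `"30s"` would presumably render `"0s"` here and a 5-second grace period on the pod, without any render error. A guard ahead of both uses would surface the mistake at template time, for example `{{- if le (int .Values.gracefulRestartTimeout) 0 }}{{ fail "gracefulRestartTimeout must be a positive integer (seconds)" }}{{- end }}`. An `integer` entry in the chart's values schema, if it has one, would do the same job.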
@@ -54,7 +54,7 @@ spec: {{- toYaml .Values.tolerations | nindent 8 }} {{- end }} {{- include "gitlab.priorityClassName" . | nindent 6 }} - terminationGracePeriodSeconds: 30 + terminationGracePeriodSeconds: {{ .Values.gracefulRestartTimeout | int | add 5 }} initContainers: {{- if .Values.cgroups.enabled }} - name: init-cgroups diff --git a/chart/charts/gitlab/charts/gitaly/values.yaml b/chart/charts/gitlab/charts/gitaly/values.yaml index be51bcf54..4f2b7783e 100644 --- a/chart/charts/gitlab/charts/gitaly/values.yaml +++ b/chart/charts/gitlab/charts/gitaly/values.yaml @@ -67,17 +67,23 @@ tolerations: [] ## The Gitaly StatefulSet's priorityClassName # priorityClassName: +# Gitaly shutdown grace period, how long to wait for in-flight requests to complete (seconds) +# Pod `terminationGracePeriodSeconds` is set to this value + 5 seconds +gracefulRestartTimeout: 25 + logging: format: "json" # level: # sentryDsn: # sentryEnvironment: + git: {} # catFileCacheSize: ## Amend the default configuration Gitaly is using when spawning Git ## commands. Accepts configuration as documented in git-config(1). # config: # - {key: "pack.threads", value: 4} + prometheus: {} # grpcLatencyBuckets: "[1.0, 1.5, 2.0, 2.5]" diff --git a/chart/charts/gitlab/charts/gitlab-exporter/Chart.yaml b/chart/charts/gitlab/charts/gitlab-exporter/Chart.yaml index 4262cdf85..e6ab539bb 100644 --- a/chart/charts/gitlab/charts/gitlab-exporter/Chart.yaml +++ b/chart/charts/gitlab/charts/gitlab-exporter/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: gitlab-exporter -version: 8.2.9 +version: 8.3.6 appVersion: 15.0.0 description: Exporter for GitLab Prometheus metrics (e.g. CI, pull mirrors) keywords: diff --git a/chart/charts/gitlab/charts/gitlab-exporter/templates/_helpers.tpl b/chart/charts/gitlab/charts/gitlab-exporter/templates/_helpers.tpl new file mode 100644 index 000000000..2e3a08482 --- /dev/null +++ b/chart/charts/gitlab/charts/gitlab-exporter/templates/_helpers.tpl 
@@ -0,0 +1,20 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the URL desired by GitLab Exporter + +If global.redis.queues is present, use this. If not present, use global.redis +*/}} +{{- define "gitlab.gitlab-exporter.redis.url" -}} +{{- if $.Values.global.redis.queues -}} +{{- $_ := set $ "redisConfigName" "queues" }} +{{- end -}} +{{- include "gitlab.redis.url" $ -}} +{{- end -}} + +{{- define "gitlab.gitlab-exporter.redis.sentinelsList" -}} +{{- if $.Values.global.redis.queues -}} +{{- $_ := set $ "redisConfigName" "queues" }} +{{- end -}} +{{- include "gitlab.redis.sentinelsList" . }} +{{- end -}} diff --git a/chart/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml b/chart/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml index cde874db1..d5498aaa1 100644 --- a/chart/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml +++ b/chart/charts/gitlab/charts/gitlab-exporter/templates/configmap.yaml @@ -50,10 +50,10 @@ data: - probe_retries - probe_stats opts: - redis_url: {{ template "gitlab.redis.url" . }} + redis_url: {{ include "gitlab.gitlab-exporter.redis.url" . }} redis_enable_client: false probe_non_namespaced: true - {{- $sentinels := include "gitlab.redis.sentinelsList" . }} + {{- $sentinels := include "gitlab.gitlab-exporter.redis.sentinelsList" . }} {{- if $sentinels }} redis_sentinels: {{- $sentinels | nindent 12 }} diff --git a/chart/charts/gitlab/charts/gitlab-pages/Chart.yaml b/chart/charts/gitlab/charts/gitlab-pages/Chart.yaml index 5826f190e..38f1fb36c 100644 --- a/chart/charts/gitlab/charts/gitlab-pages/Chart.yaml +++ b/chart/charts/gitlab/charts/gitlab-pages/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: gitlab-pages -version: 8.2.9 -appVersion: 17.2.9 +version: 8.3.6 +appVersion: 17.3.6 description: Daemon for serving static websites from GitLab projects keywords: - gitlab 
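Review bot: The second helper in the new `_helpers.tpl`, `gitlab.gitlab-exporter.redis.sentinelsList`, has no doc comment and passes `.` to the shared helper where `gitlab.gitlab-exporter.redis.url` passes `$`. Both helpers also write `redisConfigName` onto the root context with `set $ ...` and nothing visible here clears it again. `.` and `$` are the same object only while callers pass the root context, as the `configmap.yaml` hunk appears to do, so using `$` in both keeps the two helpers in step. I would add `{{/* Return the Sentinel list for GitLab Exporter; uses global.redis.queues when present, otherwise global.redis. Sets redisConfigName on the root context as a side effect. */}}` above the second define and mention the side effect in the first comment as well.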
diff --git a/chart/charts/gitlab/charts/gitlab-pages/templates/configmap.yml b/chart/charts/gitlab/charts/gitlab-pages/templates/configmap.yml index 68421fc17..9e58facc5 100644 --- a/chart/charts/gitlab/charts/gitlab-pages/templates/configmap.yml +++ b/chart/charts/gitlab/charts/gitlab-pages/templates/configmap.yml @@ -158,6 +158,10 @@ data: {{- if .Values.rateLimitTLSDomainBurst }} rate-limit-tls-domain-burst={{ .Values.rateLimitTLSDomainBurst }} {{- end }} + {{- if not (empty .Values.rateLimitSubnetsAllowList) }} + {{- $rateLimitSubnetsAllowList := .Values.rateLimitSubnetsAllowList | join "," }} + rate-limit-subnets-allow-list={{ $rateLimitSubnetsAllowList }} + {{- end }} {{- if .Values.serverReadTimeout }} server-read-timeout={{ .Values.serverReadTimeout }} {{- end }} diff --git a/chart/charts/gitlab/charts/gitlab-pages/values.yaml b/chart/charts/gitlab/charts/gitlab-pages/values.yaml index 3adf692df..97e74a6c3 100644 --- a/chart/charts/gitlab/charts/gitlab-pages/values.yaml +++ b/chart/charts/gitlab/charts/gitlab-pages/values.yaml @@ -247,3 +247,4 @@ affinity: # rateLimitTLSSourceIPBurst: # rateLimitTLSDomain: # rateLimitTLSDomainBurst: +# rateLimitSubnetsAllowList: diff --git a/chart/charts/gitlab/charts/gitlab-shell/Chart.yaml b/chart/charts/gitlab/charts/gitlab-shell/Chart.yaml index c166e37df..9c61f662c 100644 --- a/chart/charts/gitlab/charts/gitlab-shell/Chart.yaml +++ b/chart/charts/gitlab/charts/gitlab-shell/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: gitlab-shell -version: 8.2.9 -appVersion: 14.37.0 +version: 8.3.6 +appVersion: 14.38.0 description: sshd for Gitlab keywords: - gitlab diff --git a/chart/charts/gitlab/charts/gitlab-shell/templates/configmap.yml b/chart/charts/gitlab/charts/gitlab-shell/templates/configmap.yml index 2250bb7e2..e5f808d2d 100644 --- a/chart/charts/gitlab/charts/gitlab-shell/templates/configmap.yml +++ b/chart/charts/gitlab/charts/gitlab-shell/templates/configmap.yml 
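Review bot: `rate-limit-subnets-allow-list` in the `configmap.yml` hunk takes listed networks out of the rate limits configured just above it, but the only documentation added is the bare `# rateLimitSubnetsAllowList:` line in the `values.yaml` hunk. An over-broad CIDR in this list effectively switches the limits off for every client behind it, so the expected shape and intent belong next to the key, e.g. `# rateLimitSubnetsAllowList: []  # list of CIDR subnets that bypass Pages rate limits; keep as narrow as possible`. The template joins the entries with `,` and writes them unchecked, so a malformed entry would only show up when Pages parses its configuration.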
@@ -90,13 +90,15 @@ data: gssapi: # Enable the gssapi-with-mic authentication method. Defaults to false. enabled: {{ .Values.config.gssapi.enabled }} - # Library path for gssapi shared library - defaults to libgssapi_krb5.so.2 + # Library path for gssapi shared library - defaults to libgssapi_krb5.so.2 libpath: {{ .Values.config.gssapi.libpath }} # Keytab path. Defaults to "", system default (usually /etc/krb5.keytab). keytab: "/etc/krb5.keytab" # The Kerberos service name to be used by sshd. Defaults to "", accepts any service name in keytab file. service_principal_name: {{ .Values.config.gssapi.servicePrincipalName }} {{- end }} + lfs: + pure_ssh_protocol: {{ .Values.config.lfs.pureSSHProtocol }} krb5.conf: | {{- .Values.config.gssapi.krb5Config | nindent 4 }} # Leave this here - This line denotes end of block to the parser. diff --git a/chart/charts/gitlab/charts/gitlab-shell/templates/traefik-tcp-ingressroute.yaml b/chart/charts/gitlab/charts/gitlab-shell/templates/traefik-tcp-ingressroute.yaml index 5983f6667..8961b67ab 100644 --- a/chart/charts/gitlab/charts/gitlab-shell/templates/traefik-tcp-ingressroute.yaml +++ b/chart/charts/gitlab/charts/gitlab-shell/templates/traefik-tcp-ingressroute.yaml @@ -1,6 +1,7 @@ {{- if .Values.enabled -}} {{- if eq .Values.global.ingress.provider "traefik" -}} -apiVersion: traefik.containo.us/v1alpha1 +{{- $traefikApiVersion := dict "global" .Values.global.traefik "local" .Values.traefik "context" . -}} +apiVersion: "{{ template "traefik.apiVersion" $traefikApiVersion }}" kind: IngressRouteTCP metadata: name: {{ $.Release.Name }}-gitlab-shell @@ -13,6 +14,10 @@ spec: - {{ .Values.traefik.entrypoint }} routes: - match: HostSNI(`*`) + {{- with .Values.traefik.tcpMiddlewares }} + middlewares: + {{- toYaml . | nindent 6 }} + {{- end }} services: - name: {{ template "fullname" . }} namespace: {{ .Release.Namespace }} 
diff --git a/chart/charts/gitlab/charts/gitlab-shell/values.schema.json b/chart/charts/gitlab/charts/gitlab-shell/values.schema.json index 603b84113..e6d346ecf 100644 --- a/chart/charts/gitlab/charts/gitlab-shell/values.schema.json +++ b/chart/charts/gitlab/charts/gitlab-shell/values.schema.json @@ -146,6 +146,16 @@ }, "title": "GSS-API related settings", "type": "object" + }, + "lfs": { + "properties": { + "pureSSHProtocol": { + "title": "Enable LFS pure SSH protocol support", + "type": "boolean" + } + }, + "title": "LFS related settings", + "type": "object" } }, "required": [ diff --git a/chart/charts/gitlab/charts/gitlab-shell/values.yaml b/chart/charts/gitlab/charts/gitlab-shell/values.yaml index 071cd8c7d..7d7a6b0ea 100644 --- a/chart/charts/gitlab/charts/gitlab-shell/values.yaml +++ b/chart/charts/gitlab/charts/gitlab-shell/values.yaml @@ -66,6 +66,8 @@ maxReplicas: 10 # When using traefik ingress traefik: entrypoint: gitlab-shell + apiVersion: "" + tcpMiddlewares: [] hpa: # targetAverageValue: 100m # DEPRECATED: in favor of `hpa.cpu.targetAverageValue` below @@ -141,6 +143,8 @@ config: key: keytab krb5Config: "" servicePrincipalName: "" + lfs: + pureSSHProtocol: false ## Allow to overwrite under which User and Group the Pod will be running. securityContext: diff --git a/chart/charts/gitlab/charts/kas/Chart.yaml b/chart/charts/gitlab/charts/kas/Chart.yaml index ae71595ee..3914af5b0 100644 --- a/chart/charts/gitlab/charts/kas/Chart.yaml +++ b/chart/charts/gitlab/charts/kas/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kas -version: 8.2.9 -appVersion: 17.2.9 +version: 8.3.6 +appVersion: 17.3.6 description: GitLab Agent Server keywords: - agent diff --git a/chart/charts/gitlab/charts/kas/templates/_helpers.tpl b/chart/charts/gitlab/charts/kas/templates/_helpers.tpl index e13c3f16e..01d090181 100644 --- a/chart/charts/gitlab/charts/kas/templates/_helpers.tpl +++ b/chart/charts/gitlab/charts/kas/templates/_helpers.tpl 
@@ -24,7 +24,10 @@ Build Redis config for KAS {{- $_ := set $ "redisConfigName" "sharedState" -}} {{- end -}} {{- include "gitlab.redis.selectedMergedConfig" . -}} -{{- if .redisMergedConfig.password.enabled -}} +{{- if .redisMergedConfig.user }} +username: {{ .redisMergedConfig.user }} +{{- end -}} +{{- if .redisMergedConfig.password.enabled }} password_file: /etc/kas/redis/{{ printf "%s-password" (default "redis" .redisConfigName) }} {{- end -}} {{- if not .redisMergedConfig.sentinels }} diff --git a/chart/charts/gitlab/charts/mailroom/Chart.yaml b/chart/charts/gitlab/charts/mailroom/Chart.yaml index b807cb217..90909322a 100644 --- a/chart/charts/gitlab/charts/mailroom/Chart.yaml +++ b/chart/charts/gitlab/charts/mailroom/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: mailroom -version: 8.2.9 -appVersion: v17.2.9 +version: 8.3.6 +appVersion: v17.3.6 description: Handling incoming emails keywords: - gitlab diff --git a/chart/charts/gitlab/charts/migrations/Chart.yaml b/chart/charts/gitlab/charts/migrations/Chart.yaml index 055687c32..450a3b992 100644 --- a/chart/charts/gitlab/charts/migrations/Chart.yaml +++ b/chart/charts/gitlab/charts/migrations/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: migrations -version: 8.2.9 -appVersion: v17.2.9 +version: 8.3.6 +appVersion: v17.3.6 description: Database migrations and other versioning tasks for upgrading Gitlab keywords: - gitlab diff --git a/chart/charts/gitlab/charts/praefect/Chart.yaml b/chart/charts/gitlab/charts/praefect/Chart.yaml index 1ee9e41b2..c80195073 100644 --- a/chart/charts/gitlab/charts/praefect/Chart.yaml +++ b/chart/charts/gitlab/charts/praefect/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: praefect -version: 8.2.9 -appVersion: 17.2.9 +version: 8.3.6 +appVersion: 17.3.6 description: Praefect is a router and transaction manager for Gitaly, and a required component for running a Gitaly Cluster. keywords: 
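Review bot: The added `username: {{ .redisMergedConfig.user }}` line writes the value into the KAS YAML configuration unquoted, so a user name that YAML reads as another type, or one that contains `: ` or `#`, would be parsed differently from what was configured. Piping it through `quote` avoids that: `username: {{ .redisMergedConfig.user | quote }}`. The helper starts and ends outside this hunk, so whether the neighbouring keys are quoted cannot be checked from here.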
diff --git a/chart/charts/gitlab/charts/sidekiq/Chart.yaml b/chart/charts/gitlab/charts/sidekiq/Chart.yaml index b9f01eeae..380652828 100644 --- a/chart/charts/gitlab/charts/sidekiq/Chart.yaml +++ b/chart/charts/gitlab/charts/sidekiq/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: sidekiq -version: 8.2.9 -appVersion: v17.2.9 +version: 8.3.6 +appVersion: v17.3.6 description: Gitlab Sidekiq for asynchronous task processing in rails keywords: - gitlab diff --git a/chart/charts/gitlab/charts/spamcheck/Chart.yaml b/chart/charts/gitlab/charts/spamcheck/Chart.yaml index 3ddb9ccef..8c364c529 100644 --- a/chart/charts/gitlab/charts/spamcheck/Chart.yaml +++ b/chart/charts/gitlab/charts/spamcheck/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: spamcheck -version: 8.2.9 +version: 8.3.6 appVersion: 1.2.3 description: GitLab Anti-Spam Engine keywords: diff --git a/chart/charts/gitlab/charts/toolbox/Chart.yaml b/chart/charts/gitlab/charts/toolbox/Chart.yaml index d98043bf6..7e2808e65 100644 --- a/chart/charts/gitlab/charts/toolbox/Chart.yaml +++ b/chart/charts/gitlab/charts/toolbox/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: toolbox -version: 8.2.9 -appVersion: v17.2.9 +version: 8.3.6 +appVersion: v17.3.6 description: For manually running rake tasks through kubectl keywords: - gitlab diff --git a/chart/charts/gitlab/charts/toolbox/templates/_helpers.tpl b/chart/charts/gitlab/charts/toolbox/templates/_helpers.tpl index 62a85a4cd..10c03cc69 100644 --- a/chart/charts/gitlab/charts/toolbox/templates/_helpers.tpl +++ b/chart/charts/gitlab/charts/toolbox/templates/_helpers.tpl @@ -45,11 +45,13 @@ Usage: */}} {{- define "toolbox.backups.objectStorage.config.secret" -}} {{- if eq .backend "gcs" -}} +{{- if .config -}} - secret: name: {{ .config.secret }} items: - key: {{ default "config" .config.key }} path: objectstorage/{{ default "config" .config.key }} +{{- end -}} {{- else if eq .backend "azure" -}} - secret: name: {{ .config.secret }} 
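Review bot: With the new `{{- if .config -}}` guard, the `gcs` branch of `toolbox.backups.objectStorage.config.secret` renders nothing when no `config` is passed, while the `azure` branch just below still reads `.config.secret` unguarded. That looks intentional, presumably so GCS backups can run on ambient credentials, but nothing in the hunk says so, and a forgotten `config` now goes unnoticed at render time. I would extend the helper's usage comment, which sits above the hunk, with a line such as `config is optional for the gcs backend; when omitted no secret is mounted and the pod must obtain credentials another way`.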
diff --git a/chart/charts/gitlab/charts/webservice/Chart.yaml b/chart/charts/gitlab/charts/webservice/Chart.yaml index b594657de..3944a3cb6 100644 --- a/chart/charts/gitlab/charts/webservice/Chart.yaml +++ b/chart/charts/gitlab/charts/webservice/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: webservice -version: 8.2.9 -appVersion: v17.2.9 +version: 8.3.6 +appVersion: v17.3.6 description: HTTP server for Gitlab keywords: - gitlab diff --git a/chart/charts/gitlab/charts/webservice/templates/_helpers.tpl b/chart/charts/gitlab/charts/webservice/templates/_helpers.tpl index 37bb4b4a4..a320e36ee 100644 --- a/chart/charts/gitlab/charts/webservice/templates/_helpers.tpl +++ b/chart/charts/gitlab/charts/webservice/templates/_helpers.tpl @@ -269,7 +269,11 @@ Return the workhorse redis configuration. {{- include "gitlab.redis.selectedMergedConfig" . -}} [redis] {{- if not .redisMergedConfig.sentinels }} -URL = "{{ template "gitlab.redis.scheme" $ }}://{{ template "gitlab.redis.host" $ }}:{{ template "gitlab.redis.port" $ }}" +{{- $userinfo := "" }} +{{- if .redisMergedConfig.user }} +{{- $userinfo = printf "%s@" .redisMergedConfig.user }} +{{- end }} +URL = "{{ template "gitlab.redis.scheme" $ }}://{{ $userinfo }}{{ template "gitlab.redis.host" $ }}:{{ template "gitlab.redis.port" $ }}" {{- else }} SentinelMaster = "{{ template "gitlab.redis.host" $ }}" Sentinel = [ {{ template "gitlab.redis.workhorse.sentinel-list" $ }} ] diff --git a/chart/charts/gitlab/templates/_rails.redis.tpl b/chart/charts/gitlab/templates/_rails.redis.tpl index 071c4ae29..41aaf227d 100644 --- a/chart/charts/gitlab/templates/_rails.redis.tpl +++ b/chart/charts/gitlab/templates/_rails.redis.tpl 
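Review bot: `$userinfo` in the `_helpers.tpl` hunk is built with `printf "%s@" .redisMergedConfig.user` and spliced into the Workhorse Redis `URL` without percent-encoding, so a user name containing `@`, `:`, `/` or `?` would shift where a URL parser sees the host. Encoding the value keeps the authority part intact: `{{- $userinfo = printf "%s@" (urlquery .redisMergedConfig.user) }}`. The URL is also emitted as `user@host` with no password part, so it is worth confirming that Workhorse pairs this user with the password supplied elsewhere in its configuration rather than reading the userinfo differently. That part of the helper is outside the hunk.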
@@ -5,17 +5,38 @@ Render a Redis `resque` format configuration for Rails. Input: dict "context" $ "name" string */}} {{- define "gitlab.rails.redis.yaml" -}} +{{- $connect_timeout := include "gitlab.redis.connectTimeout" .context }} +{{- $read_timeout := include "gitlab.redis.readTimeout" .context }} +{{- $write_timeout := include "gitlab.redis.writeTimeout" .context }} {{- if $cluster := include "gitlab.redis.cluster" .context -}} {{ .name }}.yml.erb: | production: {{- include "gitlab.redis.cluster.user" .context | nindent 4 }} {{- include "gitlab.redis.cluster.password" .context | nindent 4 }} {{- $cluster | nindent 4 }} + {{- if $connect_timeout }} + connect_timeout: {{ $connect_timeout }} + {{- end }} + {{- if $read_timeout }} + read_timeout: {{ $read_timeout }} + {{- end }} + {{- if $write_timeout }} + write_timeout: {{ $write_timeout }} + {{- end }} id: {{- else -}} {{ .name }}.yml.erb: | production: url: {{ template "gitlab.redis.url" .context }} + {{- if $connect_timeout }} + connect_timeout: {{ $connect_timeout }} + {{- end }} + {{- if $read_timeout }} + read_timeout: {{ $read_timeout }} + {{- end }} + {{- if $write_timeout }} + write_timeout: {{ $write_timeout }} + {{- end }} {{- include "gitlab.redis.sentinels" .context | nindent 4 }} {{- $password := include "gitlab.redis.sentinel.password" .context }} {{- if $password }} diff --git a/chart/charts/gitlab/templates/_redis.tpl b/chart/charts/gitlab/templates/_redis.tpl index d284c21eb..8f5841e5f 100644 --- a/chart/charts/gitlab/templates/_redis.tpl +++ b/chart/charts/gitlab/templates/_redis.tpl 
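Review bot: The three `connect_timeout` / `read_timeout` / `write_timeout` blocks are pasted twice, once in the cluster branch and once in the `url:` branch, so the next timeout option has to be added in two places and the branches can drift apart. A small named template included from both, for example `{{- include "gitlab.redis.timeouts" .context | nindent 4 }}` (name is only a suggestion), would keep them identical. The values are also written into the `.yml.erb` unquoted and without a type check; if only numbers are accepted, the helper comments in `_redis.tpl` should say so. The `define` continues beyond the hunk.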
@@ -52,6 +52,33 @@ Return the redis url. {{ template "gitlab.redis.scheme" . }}://{{ template "gitlab.redis.url.user" . }}{{ template "gitlab.redis.url.password" . }}{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }} {{- end -}} +{{/* +Return the Redis connection timeout. +*/}} +{{- define "gitlab.redis.connectTimeout" -}} +{{- if .Values.global.redis.connectTimeout -}} +{{ .Values.global.redis.connectTimeout }} +{{- end -}} +{{- end -}} + +{{/* +Return the Redis read timeout. +*/}} +{{- define "gitlab.redis.readTimeout" -}} +{{- if .Values.global.redis.readTimeout -}} +{{ .Values.global.redis.readTimeout }} +{{- end -}} +{{- end -}} + +{{/* +Return the Redis write timeout. +*/}} +{{- define "gitlab.redis.writeTimeout" -}} +{{- if .Values.global.redis.writeTimeout -}} +{{ .Values.global.redis.writeTimeout }} +{{- end -}} +{{- end -}} + {{/* Return the user section of the Redis URI, if needed. */}} diff --git a/chart/charts/nginx-ingress/templates/clusterrole.yaml b/chart/charts/nginx-ingress/templates/clusterrole.yaml index fa6013472..930662a5d 100644 --- a/chart/charts/nginx-ingress/templates/clusterrole.yaml +++ b/chart/charts/nginx-ingress/templates/clusterrole.yaml @@ -20,6 +20,14 @@ rules: verbs: - list - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get - apiGroups: - coordination.k8s.io resources: diff --git a/chart/charts/nginx-ingress/templates/controller-deployment.yaml b/chart/charts/nginx-ingress/templates/controller-deployment.yaml index b897aa816..2860c4afe 100644 --- a/chart/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/chart/charts/nginx-ingress/templates/controller-deployment.yaml 
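Review bot: The comments on the three new helpers (`gitlab.redis.connectTimeout`, `gitlab.redis.readTimeout`, `gitlab.redis.writeTimeout`) say only "Return the Redis ... timeout" and leave out what a caller needs to know. Each helper renders nothing when the value is unset, and because the test is `{{- if .Values.global.redis.connectTimeout -}}` a value of `0` is treated the same as unset. I would extend each comment along the lines of `Return global.redis.connectTimeout, or an empty string when it is unset or 0 (callers then omit the key).` and add the unit once it is confirmed against the Rails Redis client.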
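Review bot: The new `discovery.k8s.io` / `endpointslices` rule in `clusterrole.yaml` has no comment, so a later least-privilege audit cannot tell why it was added; the same rule is added without explanation in `controller-role.yaml`. The grant is read-only (`list`, `watch`, `get`), but in the ClusterRole it applies to every namespace, and EndpointSlices list the pod addresses and ports behind each Service. A one-line comment such as `# read-only: the controller image pinned in values.yaml resolves backends from EndpointSlices` above the rule would record the reason. Whether this ClusterRole is skipped for namespace-scoped installs is decided outside the hunk.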
@@ -79,7 +79,13 @@ spec: containers: - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{ include "gitlab.image.tagSuffix" $ }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + {{- $tag := .tag }} + {{- $digest := .digest }} + {{- if and (not $.Values.rbac.create) (not .disableFallback) }} + {{- $tag = .fallbackTag }} + {{- $digest = .fallbackDigest }} + {{- end }} + image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ $tag }}{{ include "gitlab.image.tagSuffix" $ }}{{- if ($digest) -}} @{{$digest}} {{- end -}}" {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} diff --git a/chart/charts/nginx-ingress/templates/controller-role.yaml b/chart/charts/nginx-ingress/templates/controller-role.yaml index 9924d61c1..010601447 100644 --- a/chart/charts/nginx-ingress/templates/controller-role.yaml +++ b/chart/charts/nginx-ingress/templates/controller-role.yaml @@ -95,6 +95,14 @@ rules: verbs: - create - patch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get {{- if .Values.podSecurityPolicy.enabled }} - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] resources: ['podsecuritypolicies'] diff --git a/chart/charts/nginx-ingress/values.yaml b/chart/charts/nginx-ingress/values.yaml index d0c0ae8dd..857acbf38 100644 --- a/chart/charts/nginx-ingress/values.yaml +++ b/chart/charts/nginx-ingress/values.yaml 
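Review bot: With `rbac.create: false` and `disableFallback` left at its default, the branch `{{- if and (not $.Values.rbac.create) (not .disableFallback) }}` silently swaps the controller image to `fallbackTag` / `fallbackDigest`, which `values.yaml` in this commit sets to v1.3.1. Installs that manage RBAC outside the chart therefore keep running the old controller and miss whatever fixes landed up to v1.11.2, and nothing in the values file or the rendered manifest tells the operator. I would document the three keys where they are declared, e.g. `# fallbackTag/fallbackDigest are used when rbac.create is false; set disableFallback: true once the externally managed role grants endpointslices` (the endpointslices requirement is inferred from the RBAC hunks in this commit). It is also worth failing the render when the fallback is selected but `fallbackTag` is empty, because the image reference would then end in a bare `:` with no digest pin.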
@@ -12,12 +12,15 @@ controller: image: registry: registry.gitlab.com image: gitlab-org/cloud-native/mirror/images/ingress-nginx/controller - tag: "v1.3.1" - digest: sha256:54f7fe2c6c5a9db9a0ebf1131797109bb7a4d91f56b9b362bde2abd237dd1974 + tag: "v1.11.2" + fallbackTag: "v1.3.1" + fallbackDigest: "sha256:54f7fe2c6c5a9db9a0ebf1131797109bb7a4d91f56b9b362bde2abd237dd1974" + digest: "sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce" pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 allowPrivilegeEscalation: true + disableFallback: false # Use an existing PSP instead of creating one existingPsp: "" diff --git a/chart/charts/registry/index.md b/chart/charts/registry/index.md index 1e6668f89..a3cf66658 100644 --- a/chart/charts/registry/index.md +++ b/chart/charts/registry/index.md @@ -1,4 +1,4 @@ -Forked from https://github.com/helm/charts/tree/master/stable/docker-registry +Forked from <https://github.com/helm/charts/tree/master/stable/docker-registry> With a few tweaks to make it play nicely with GitLab, including Minio S3 storage and GitLab authentication endpoint. @@ -10,4 +10,4 @@ this chart also introduces some additional configuration. See [additional option ## Development -For more details, see [development notes](../../doc/development/index.md#verifying-registry) +For more details, see [development notes](../../doc/development/index.md#verifying-registry) diff --git a/chart/charts/registry/templates/_redis.tpl b/chart/charts/registry/templates/_redis.tpl index 241178cd9..784309598 100644 --- a/chart/charts/registry/templates/_redis.tpl +++ b/chart/charts/registry/templates/_redis.tpl 
@@ -1,18 +1,23 @@ {{/* -Helper for Sentinels as a string +Helper for List of addresses as a string -Expectation: input contents has .sentinels, which is a List of Dict +Expectation: input contents has .sentinels or .cluster, which is a List of Dict in the format of [{host: , port:}, ...] */}} -{{- define "registry.redis.host.sentinels" -}} -{{- $sentinels := list -}} -{{- range .sentinels -}} -{{- $sentinels = append $sentinels (printf "%s:%d" .host (default 26379 .port | int)) -}} +{{- define "registry.redis.host.addresses" -}} +{{- $addresses := list -}} +{{- if .sentinels -}} +{{- range .sentinels -}} +{{- $addresses = append $addresses (printf "%s:%d" .host (default 26379 .port | int)) -}} +{{- end -}} +{{- else if .cluster -}} +{{- range .cluster -}} +{{- $addresses = append $addresses (printf "%s:%d" .host (default 6379 .port | int)) -}} +{{- end -}} {{- end -}} -{{ join "," $sentinels }} +{{ join "," $addresses }} {{- end -}} - {{- define "gitlab.registry.redisCacheSecret.mount" -}} {{- if .Values.redis.cache.password.enabled }} - secret: @@ -64,10 +69,10 @@ redis: cache: enabled: {{ .Values.redis.cache.enabled | eq true }} {{- if .Values.redis.cache.sentinels }} - addr: {{ include "registry.redis.host.sentinels" .Values.redis.cache | quote }} + addr: {{ include "registry.redis.host.addresses" .Values.redis.cache | quote }} mainname: {{ .Values.redis.cache.host }} {{- else if .redisMergedConfig.sentinels }} - addr: {{ include "registry.redis.host.sentinels" .redisMergedConfig | quote }} + addr: {{ include "registry.redis.host.addresses" .redisMergedConfig | quote }} mainname: {{ template "gitlab.redis.host" . }} {{- if .redisMergedConfig.sentinelAuth.enabled }} sentinelpassword: {% file.Read "/config/redis-sentinel/redis-sentinel-password" | strings.TrimSpace | data.ToJSON %} 
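Review bot: In `registry.redis.host.addresses` the new `.cluster` loop formats each entry with `printf "%s:%d" .host (default 6379 .port | int)`, so an entry without `host` is rendered as Go's `%!s(<nil>)` placeholder inside `addr` instead of stopping the install. Wrapping the field, `(required "redis address entries need a host" .host)`, in both loops turns that into a render-time error. The helper also ignores `.cluster` whenever `.sentinels` is set; the header comment says "`.sentinels` or `.cluster`" and should state that Sentinels take precedence.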
@@ -118,13 +123,15 @@ redis: ratelimiter: enabled: {{ .Values.redis.rateLimiting.enabled | eq true }} {{- if .Values.redis.rateLimiting.sentinels }} - addr: {{ include "registry.redis.host.sentinels" .Values.redis.rateLimiting | quote }} + addr: {{ include "registry.redis.host.addresses" .Values.redis.rateLimiting | quote }} mainname: {{ .Values.redis.rateLimiting.host }} - {{- else if .redisMergedConfig.sentinels }} - addr: {{ include "registry.redis.host.sentinels" .redisMergedConfig | quote }} - mainname: {{ template "gitlab.redis.host" . }} + {{- else if .Values.redis.rateLimiting.cluster }} + addr: {{ include "registry.redis.host.addresses" .Values.redis.rateLimiting | quote }} {{- else if .Values.redis.rateLimiting.host }} addr: {{ printf "%s:%d" .Values.redis.rateLimiting.host (int .Values.redis.rateLimiting.port | default 6379) | quote }} + {{- else if .redisMergedConfig.sentinels }} + addr: {{ include "registry.redis.host.addresses" .redisMergedConfig | quote }} + mainname: {{ template "gitlab.redis.host" . }} {{- else }} addr: {{ printf "%s:%s" ( include "gitlab.redis.host" . ) ( include "gitlab.redis.port" . ) | quote }} {{- end }} diff --git a/chart/doc/.vale/gitlab_base/BadPlurals.yml b/chart/doc/.vale/gitlab_base/BadPlurals.yml new file mode 100644 index 000000000..77225c884 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/BadPlurals.yml @@ -0,0 +1,14 @@ +--- +# Warning: gitlab.BadPlurals +# +# Don't write plural words with the '(s)' construction. 'HTTP(S)' is acceptable. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Rewrite '%s' to be plural without parentheses." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#s +level: warning +ignorecase: true +nonword: true +tokens: + - '(?<!http)\(s\)' diff --git a/chart/doc/.vale/gitlab_base/British.yml b/chart/doc/.vale/gitlab_base/British.yml new file mode 100644 index 000000000..432ed302e --- /dev/null 
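Review bot: Moving `{{- else if .Values.redis.rateLimiting.host }}` ahead of `{{- else if .redisMergedConfig.sentinels }}` changes which Redis the rate limiter uses on installs that set both: before this hunk the global Sentinels won, now the dedicated host does. Rate-limit counters would start from zero on the newly selected instance after the upgrade, so the change belongs in the upgrade notes. I would also put the order in the template itself, `{{- /* precedence: rateLimiting.sentinels, rateLimiting.cluster, rateLimiting.host, global sentinels, global host */ -}}`, above the `if` chain. The new `cluster` branch emits only `addr`; any cluster credentials are handled outside the hunk.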
+++ b/chart/doc/.vale/gitlab_base/British.yml 
@@ -0,0 +1,120 @@ +--- +# Error: gitlab.British +# +# Checks that US spelling is used instead of British spelling. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: substitution +message: "Use the US spelling '%s' instead of the British '%s'." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#language +level: error +ignorecase: true +swap: + aeon: eon + aeroplane: airplane + ageing: aging + aluminium: aluminum + anaemia: anemia + anaesthesia: anesthesia + analyse: analyze + annexe: annex + apologise: apologize + authorise: authorize + authorised: authorized + authorisation: authorization + authorising: authorizing + behaviour: behavior + busses: buses + calibre: caliber + categorise: categorize + categorised: categorized + categorises: categorizes + categorising: categorizing + centre: center + cheque: check + civilisation: civilization + civilise: civilize + colour: color + cosy: cozy + cypher: cipher + dependant: dependent + defence: defense + distil: distill + draught: draft + encyclopaedia: encyclopedia + enquiry: inquiry + enrol: enroll + enrolment: enrollment + enthral: enthrall + # equalled: equaled // Under discussion + # equalling: equaling // Under discussion + favourite: favorite + fibre: fiber + fillet: filet + flavour: flavor + furore: furor + fulfil: fulfill + gaol: jail + grey: gray + humour: humor + honour: honor + initialled: initialed + initialling: initialing + instil: instill + jewellery: jewelry + labelling: labeling + labelled: labeled + labour: labor + libellous: libelous + licence: license + likeable: likable + liveable: livable + lustre: luster + manoeuvre: maneuver + marvellous: marvelous + matt: matte + meagre: meager + metre: meter + modelling: modeling + moustache: mustache + neighbour: neighbor + normalise: normalize + offence: offense + optimise: optimize + optimised: optimized + optimising: optimizing + organise: organize + orientated: oriented + paralyse: paralyze + 
plough: plow + pretence: pretense + programme: program + pyjamas: pajamas + rateable: ratable + realise: realize + recognise: recognize + reconnoitre: reconnoiter + rumour: rumor + sabre: saber + saleable: salable + saltpetre: saltpeter + sceptic: skeptic + sepulchre: sepulcher + signalling: signaling + sizeable: sizable + skilful: skillful + sombre: somber + smoulder: smolder + speciality: specialty + spectre: specter + splendour: splendor + standardise: standardize + standardised: standardized + sulphur: sulfur + theatre: theater + travelled: traveled + traveller: traveler + travelling: traveling + unshakeable: unshakable + wilful: willful + yoghurt: yogurt diff --git a/chart/doc/.vale/gitlab_base/CIConfigFile.yml b/chart/doc/.vale/gitlab_base/CIConfigFile.yml new file mode 100644 index 000000000..5cbd02e79 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/CIConfigFile.yml @@ -0,0 +1,13 @@ +--- +# Error: gitlab.CIConfigFile +# +# Checks that the `.gitlab-ci.yml` file is referenced properly. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Change the file name to be exactly '.gitlab-ci.yml'." +link: https://docs.gitlab.com/ee/development/documentation/versions.html +level: error +scope: raw +raw: + - '(?!`\.gitlab-ci\.yml`)`.?gitlab.?ci.?ya?ml`' diff --git a/chart/doc/.vale/gitlab_base/CodeblockFences.yml b/chart/doc/.vale/gitlab_base/CodeblockFences.yml new file mode 100644 index 000000000..27159f7e7 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/CodeblockFences.yml 
@@ -0,0 +1,13 @@ +--- +# Error: gitlab.CodeblockFences +# +# Ensures all codeblock language tags use the full name, not aliases. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Instead of '%s' for the code block, use yaml, ruby, plaintext, markdown, javascript, shell, go, python, dockerfile, or typescript." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#code-blocks +level: error +scope: raw +raw: + - '\`\`\`(yml|rb|text|md|bash|sh\n|js\n|golang\n|py\n|docker\n|ts)' diff --git a/chart/doc/.vale/gitlab_base/CommandStringsQuoted.yml b/chart/doc/.vale/gitlab_base/CommandStringsQuoted.yml new file mode 100644 index 000000000..531595ed1 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/CommandStringsQuoted.yml @@ -0,0 +1,14 @@ +--- +# Error: gitlab.CommandStringsQuoted +# +# Ensures all code blocks wrap URL strings in quotation marks. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "For the command example, use double quotes around the URL: %s" +link: https://docs.gitlab.com/ee/development/documentation/restful_api_styleguide.html#curl-commands +level: error +scope: raw +nonword: true +tokens: + - '(curl|--url)[^"\]\n]+?https?:\/\/[^ \n]*' diff --git a/chart/doc/.vale/gitlab_base/CurrentStatus.yml b/chart/doc/.vale/gitlab_base/CurrentStatus.yml new file mode 100644 index 000000000..9972573b4 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/CurrentStatus.yml 
@@ -0,0 +1,13 @@ +--- +# Warning: gitlab.CurrentStatus +# +# Checks for words that indicate a product or feature may change in the future. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Remove '%s'. The documentation reflects the current state of the product." +level: warning +ignorecase: true +link: https://docs.gitlab.com/ee/development/documentation/versions.html#promising-features-in-future-versions +tokens: + - currently diff --git a/chart/doc/.vale/gitlab_base/DefaultBranch.yml b/chart/doc/.vale/gitlab_base/DefaultBranch.yml new file mode 100644 index 000000000..86c627bcf --- /dev/null +++ b/chart/doc/.vale/gitlab_base/DefaultBranch.yml @@ -0,0 +1,14 @@ +--- +# Warning: gitlab.DefaultBranch +# +# Do not refer to the default branch as the 'master' branch, if possible. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Use 'default branch' or `main` instead of `master`, when possible." +level: warning +ignorecase: true +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#default-branch +scope: raw +raw: + - '\`master\`' diff --git a/chart/doc/.vale/gitlab_base/Dropdown.yml b/chart/doc/.vale/gitlab_base/Dropdown.yml new file mode 100644 index 000000000..c656d1209 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/Dropdown.yml @@ -0,0 +1,14 @@ +--- +# Suggestion: gitlab.Dropdown +# +# Catches many ways the phrase 'dropdown list' can be fumbled. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Use 'dropdown list'." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#dropdown-list +level: warning +ignorecase: true +tokens: + - drop-down( [\w]*)? + - dropdown(?! list) diff --git a/chart/doc/.vale/gitlab_base/EOLWhitespace.yml b/chart/doc/.vale/gitlab_base/EOLWhitespace.yml new file mode 100644 index 000000000..153786443 --- /dev/null 
+++ b/chart/doc/.vale/gitlab_base/EOLWhitespace.yml @@ -0,0 +1,13 @@ +--- +# Warning: gitlab.EOLWhitespace +# +# Checks that there is no useless whitespace at the end of lines. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Remove whitespace characters from the end of the line." +link: https://docs.gitlab.com/ee/development/documentation/versions.html +level: warning +scope: raw +raw: + - ' +\n' diff --git a/chart/doc/.vale/gitlab_base/ElementDescriptors.yml b/chart/doc/.vale/gitlab_base/ElementDescriptors.yml new file mode 100644 index 000000000..fd3acace7 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/ElementDescriptors.yml @@ -0,0 +1,14 @@ +--- +# Warning: gitlab.ElementDescriptors +# +# Suggests the correct way to describe a button. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "If possible, rewrite to remove 'button'." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#button +level: warning +ignorecase: true +scope: raw +raw: + - \*\*[^*]+\*\*\s+button diff --git a/chart/doc/.vale/gitlab_base/FutureTense.yml b/chart/doc/.vale/gitlab_base/FutureTense.yml new file mode 100644 index 000000000..c8be170d0 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/FutureTense.yml @@ -0,0 +1,15 @@ +--- +# Warning: gitlab.FutureTense +# +# Checks for use of future tense in sentences. Present tense is strongly preferred. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Instead of future tense '%s', use present tense." +ignorecase: true +nonword: true +level: warning +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#future-tense +tokens: + - (going to|will|won't)[ \n:]\w* + - (It?|we|you|they)'ll[ \n:]\w* 
diff --git a/chart/doc/.vale/gitlab_base/GitLabFlavoredMarkdown.yml b/chart/doc/.vale/gitlab_base/GitLabFlavoredMarkdown.yml new file mode 100644 index 000000000..532f1afd8 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/GitLabFlavoredMarkdown.yml @@ -0,0 +1,14 @@ +--- +# Warning: gitlab.GitLabFlavoredMarkdown +# +# Checks for unclear use of GLFM or GLM instead of GitLab/GitHub Flavored Markdown +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: substitution +message: "Use '%s' instead of '%s' when possible." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html +level: warning +ignorecase: true +swap: + GLFM: "GitLab Flavored Markdown" + GFM: "GitLab Flavored Markdown' or 'GitHub Flavored Markdown" diff --git a/chart/doc/.vale/gitlab_base/HeadingContent.yml b/chart/doc/.vale/gitlab_base/HeadingContent.yml new file mode 100644 index 000000000..9fe9610ab --- /dev/null +++ b/chart/doc/.vale/gitlab_base/HeadingContent.yml @@ -0,0 +1,19 @@ +--- +# Warning: gitlab.HeadingContent +# +# Checks for generic, unhelpful subheadings. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Rename the heading '%s', or re-purpose the content elsewhere." +level: warning +link: https://docs.gitlab.com/ee/development/documentation/topic_types/concept.html#concept-topic-titles +ignorecase: true +nonword: true +scope: raw +tokens: + - '\#+ How it works' + - '\#+ Limitations' + - '\#+ Overview' + - '\#+ Use cases?' + - '\#+ Important notes?' diff --git a/chart/doc/.vale/gitlab_base/HeadingDepth.yml b/chart/doc/.vale/gitlab_base/HeadingDepth.yml new file mode 100644 index 000000000..000baf633 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/HeadingDepth.yml 
@@ -0,0 +1,13 @@ +--- +# Suggestion: gitlab.HeadingDepth +# +# Checks that there are no headings greater than 3 levels +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Refactor the section or page to avoid headings greater than H5." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#heading-levels-in-markdown +level: suggestion +scope: raw +raw: + - '(?<=\n)#{6,}\s.*' diff --git a/chart/doc/.vale/gitlab_base/HeadingLink.yml b/chart/doc/.vale/gitlab_base/HeadingLink.yml new file mode 100644 index 000000000..0755d9152 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/HeadingLink.yml @@ -0,0 +1,18 @@ +--- +# Error: gitlab.HeadingLink +# +# Do not include links in a heading. +# Headings already have self-referencing anchor links, +# and they're used for generating the table of contents. +# Adding a link will break the anchor linking behavior. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Do not use links in headings." +level: error +ignorecase: true +nonword: true +link: https://docs.gitlab.com/ee/development/documentation/styleguide/#links +scope: raw +tokens: + - ^#+ .*\[.+\]\(\S+\).*$ diff --git a/chart/doc/.vale/gitlab_base/InclusiveLanguage.yml b/chart/doc/.vale/gitlab_base/InclusiveLanguage.yml new file mode 100644 index 000000000..c3b7160df --- /dev/null +++ b/chart/doc/.vale/gitlab_base/InclusiveLanguage.yml 
@@ -0,0 +1,22 @@ +--- +# Warning: gitlab.InclusiveLanguage +# Suggests alternatives for non-inclusive language. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: substitution +message: "Use inclusive language. Consider '%s' instead of '%s'." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html +level: warning +ignorecase: true +swap: + blacklist(?:ed|ing|s)?: denylist + dummy: placeholder, sample, fake + (?:he|she): they + hers: their + his: their + mankind: humanity, people + manpower: GitLab team members + master: primary, main + sanity (?:check|test): check for completeness + slave: secondary + whitelist(?:ed|ing|s)?: allowlist diff --git a/chart/doc/.vale/gitlab_base/LatinTerms.yml b/chart/doc/.vale/gitlab_base/LatinTerms.yml new file mode 100644 index 000000000..dd858564e --- /dev/null +++ b/chart/doc/.vale/gitlab_base/LatinTerms.yml @@ -0,0 +1,17 @@ +--- +# Warning: gitlab.LatinTerms +# +# Checks for use of Latin terms. +# Uses https://github.com/errata-ai/Google/blob/master/Google/Latin.yml for ideas. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: substitution +message: "Use '%s' instead of '%s', but consider rewriting the sentence." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html +level: warning +nonword: true +ignorecase: true +swap: + '\b(?:e\.?g[\s.,;:])': for example + '\b(?:i\.?e[\s.,;:])': that is + '\bvia\b': "with', 'through', or 'by using" diff --git a/chart/doc/.vale/gitlab_base/Level.yml b/chart/doc/.vale/gitlab_base/Level.yml new file mode 100644 index 000000000..5eba926ce --- /dev/null +++ b/chart/doc/.vale/gitlab_base/Level.yml 
@@ -0,0 +1,18 @@ +--- +# Suggestion: gitlab.Level +# +# Avoid variations on the phrase "instance level" and "group level" +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Avoid using 'level' when referring to groups, instances, or projects: '%s'" +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#level +level: suggestion +ignorecase: true +tokens: + - 'instance level' + - 'instance-level' + - 'group level' + - 'group-level' + - 'project level' + - 'project-level' diff --git a/chart/doc/.vale/gitlab_base/MeaningfulLinkWords.yml b/chart/doc/.vale/gitlab_base/MeaningfulLinkWords.yml new file mode 100644 index 000000000..5d5cc7c38 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/MeaningfulLinkWords.yml @@ -0,0 +1,17 @@ +--- +# Warning: gitlab.MeaningfulLinkWords +# +# Checks for the presence of semantically unhelpful words in link text. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Improve SEO and accessibility by rewriting the link text for '%s'." +level: warning +ignorecase: true +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#text-for-links +scope: raw +nonword: true +tokens: + - '\[here\](?=\(.*\))' + - '\[this\](?=\(.*\))' + - '\[this page\](?=\(.*\))' diff --git a/chart/doc/.vale/gitlab_base/MergeConflictMarkers.yml b/chart/doc/.vale/gitlab_base/MergeConflictMarkers.yml new file mode 100644 index 000000000..54e044f19 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/MergeConflictMarkers.yml 
@@ -0,0 +1,13 @@ +--- +# Error: gitlab.MergeConflictMarkers +# +# Checks for the presence of merge conflict markers. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Remove the merge conflict marker '%s'." +link: https://docs.gitlab.com/ee/development/code_review.html#merging-a-merge-request +level: error +scope: raw +raw: + - '\n<<<<<<< .+\n|\n=======\n|\n>>>>>>> .+\n' diff --git a/chart/doc/.vale/gitlab_base/MultiLineLinks.yml b/chart/doc/.vale/gitlab_base/MultiLineLinks.yml new file mode 100644 index 000000000..32fe38277 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/MultiLineLinks.yml @@ -0,0 +1,14 @@ +--- +# Error: gitlab.MultiLineLinks +# +# Checks that links are all on a single line. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Put the full link on one line, even if the link is very long." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links +level: error +scope: raw +raw: + - '\[[^\[\]]*?\n[^\[\]]*?\]\([^\)]*?\)|' + - '\[[^\[\]]*?\]\([^\)]*?\n[^\)]*\)' diff --git a/chart/doc/.vale/gitlab_base/NonStandardQuotes.yml b/chart/doc/.vale/gitlab_base/NonStandardQuotes.yml new file mode 100644 index 000000000..6161a4cc0 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/NonStandardQuotes.yml @@ -0,0 +1,14 @@ +--- +# Warning: gitlab.NonStandardQuotes +# +# Use only standard single and double quotes, not left or right quotes. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Use standard single quotes or double quotes only. Do not use left or right quotes." +level: warning +ignorecase: true +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#punctuation +scope: raw +raw: + - '[‘’“â€]' 
diff --git a/chart/doc/.vale/gitlab_base/OutdatedVersions.yml b/chart/doc/.vale/gitlab_base/OutdatedVersions.yml new file mode 100644 index 000000000..cd77ebeaa --- /dev/null +++ b/chart/doc/.vale/gitlab_base/OutdatedVersions.yml @@ -0,0 +1,14 @@ +--- +# Suggestion: gitlab.OutdatedVersions +# +# Checks for references to versions of GitLab that are no longer supported. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "If possible, remove the reference to '%s'." +link: https://docs.gitlab.com/ee/development/documentation/versions.html +level: suggestion +nonword: true +ignorecase: true +tokens: + - "GitLab v?(2|3|4|5|6|7|8|9|10|11|12|13|14)" diff --git a/chart/doc/.vale/gitlab_base/OxfordComma.yml b/chart/doc/.vale/gitlab_base/OxfordComma.yml new file mode 100644 index 000000000..81a9ae5c1 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/OxfordComma.yml @@ -0,0 +1,12 @@ +--- +# Warning: gitlab.OxfordComma +# +# Checks for the lack of an Oxford comma. In some cases, will catch overly complex sentence structures with lots of commas. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Use a comma before the last 'and' or 'or' in a list of four or more items." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#punctuation +level: warning +raw: + - '(?:[\w-_` ]+,){2,}(?:[\w-_` ]+) (and |or )' diff --git a/chart/doc/.vale/gitlab_base/Possessive.yml b/chart/doc/.vale/gitlab_base/Possessive.yml new file mode 100644 index 000000000..64c9481ac --- /dev/null +++ b/chart/doc/.vale/gitlab_base/Possessive.yml 
@@ -0,0 +1,13 @@ +--- +# Error: gitlab.Possessive +# +# The word GitLab should not be used in the possessive form. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Remove 's from %s." +level: error +ignorecase: true +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#gitlab +tokens: + - GitLab's diff --git a/chart/doc/.vale/gitlab_base/Prerequisites.yml b/chart/doc/.vale/gitlab_base/Prerequisites.yml new file mode 100644 index 000000000..239f9277c --- /dev/null +++ b/chart/doc/.vale/gitlab_base/Prerequisites.yml @@ -0,0 +1,14 @@ +--- +# Error: gitlab.Prerequisites +# +# The "Prerequisites:" line should always be plural. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Pluralize 'Prerequisites', even if it includes only one item." +link: https://docs.gitlab.com/ee/development/documentation/topic_types/task.html#task-prerequisites +level: warning +nonword: true +scope: text +raw: + - '^Prerequisite:' diff --git a/chart/doc/.vale/gitlab_base/ReadingLevel.yml b/chart/doc/.vale/gitlab_base/ReadingLevel.yml new file mode 100644 index 000000000..e0d2d4fd0 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/ReadingLevel.yml @@ -0,0 +1,15 @@ +--- +# Suggestion: gitlab.ReadingLevel +# +# Checks the Flesch-Kincaid reading level. +# +# https://docs.errata.ai/vale/styles#metric +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: metric +message: "The grade level is %s. Aim for 8th grade or lower by using shorter sentences and words." +link: https://docs.gitlab.com/ee/development/documentation/testing/vale.html#readability-score +level: suggestion +formula: | + (0.39 * (words / sentences)) + (11.8 * (syllables / words)) - 15.59 +condition: "> 1" diff --git a/chart/doc/.vale/gitlab_base/Repetition.yml b/chart/doc/.vale/gitlab_base/Repetition.yml new file mode 100644 index 000000000..cdeb29e7d --- /dev/null 
+++ b/chart/doc/.vale/gitlab_base/Repetition.yml @@ -0,0 +1,12 @@ +--- +# Error: gitlab.Repetition +# +# Checks for duplicate words, like `the the` or `and and`. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: repetition +message: "Remove this duplicate word: '%s'." +level: error +alpha: true +tokens: + - '[^\s]+' diff --git a/chart/doc/.vale/gitlab_base/SentenceLength.yml b/chart/doc/.vale/gitlab_base/SentenceLength.yml new file mode 100644 index 000000000..48ebf02bc --- /dev/null +++ b/chart/doc/.vale/gitlab_base/SentenceLength.yml @@ -0,0 +1,13 @@ +--- +# Suggestion: gitlab.SentenceLength +# +# Counts words in a sentence and alerts if a sentence exceeds 25 words. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: occurrence +message: "Improve readability by using fewer than 25 words in this sentence." +scope: sentence +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#language +level: suggestion +max: 25 +token: \b(\w+)\b diff --git a/chart/doc/.vale/gitlab_base/SentenceSpacing.yml b/chart/doc/.vale/gitlab_base/SentenceSpacing.yml new file mode 100644 index 000000000..6548c3564 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/SentenceSpacing.yml @@ -0,0 +1,14 @@ +--- +# Error: gitlab.SentenceSpacing +# +# Checks for incorrect spacing (no spaces, or more than one space) around punctuation. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Use exactly one space between sentences and clauses. Check '%s' for spacing problems." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#punctuation +level: error +nonword: true +tokens: + - '[a-z][.?!,][A-Z]' + - '[\w.?!,\(\)\-":] {2,}[\w.?!,\(\)\-":]' diff --git a/chart/doc/.vale/gitlab_base/Simplicity.yml b/chart/doc/.vale/gitlab_base/Simplicity.yml new file mode 100644 index 000000000..fd9b1c5e5 --- /dev/null 
+++ b/chart/doc/.vale/gitlab_base/Simplicity.yml @@ -0,0 +1,18 @@ +--- +# Warning: gitlab.Simplicity +# +# Checks for words implying ease of use, to avoid cognitive dissonance for frustrated users. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Remove '%s'. Be precise instead of subjective." +level: warning +ignorecase: true +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html +tokens: + - easy + - easily + - handy + - simple + - simply + - useful diff --git a/chart/doc/.vale/gitlab_base/Spelling.yml b/chart/doc/.vale/gitlab_base/Spelling.yml new file mode 100644 index 000000000..459803d9d --- /dev/null +++ b/chart/doc/.vale/gitlab_base/Spelling.yml @@ -0,0 +1,16 @@ +--- +# Warning: gitlab.Spelling +# +# Checks for possible spelling mistakes in content, not code. Results from links using angle brackets (<https://example.com>) should be corrected. +# +# If a word is flagged as a spelling mistake incorrectly, such as a product name, +# you can submit an MR to update `spelling-exceptions.txt` with the missing word. +# Commands, like `git clone` must use backticks, and must not be added to the +# exceptions. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: spelling +message: "Check the spelling of '%s'. If the spelling is correct, ask a Technical Writer to add this word to the spelling exception list." +level: warning +ignore: + - gitlab_base/spelling-exceptions.txt diff --git a/chart/doc/.vale/gitlab_base/SubstitutionWarning.yml b/chart/doc/.vale/gitlab_base/SubstitutionWarning.yml new file mode 100644 index 000000000..4901c7576 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/SubstitutionWarning.yml 
@@ -0,0 +1,77 @@ +--- +# Warning: gitlab.SubstitutionWarning +# +# Checks for misused terms or common shorthand that should not be used at GitLab, but can't be flagged as errors. +# Substitutions.yml also exists. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: substitution +message: "Use '%s' instead of '%s' when possible." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html +level: warning +ignorecase: true +swap: + active user: "billable user" + active users: "billable users" + agnostic: "platform-independent' or 'vendor-neutral" + air(?:-| )?gapped: "offline environment" + bullet: "list item" + (?<!right-)click(?!-through): "select" + cancelled: "canceled" + cancelling: "canceling" + code base: "codebase" + config: "configuration" + confirmation box: "confirmation dialog" + confirmation dialog box: "confirmation dialog" + deselect: "clear" + deselected: "cleared" + dialog box: "dialog" + distro: "distribution" + docs: "documentation" + e-mail: "email" + emojis: "emoji" + ex: "for example" + file name: "filename" + filesystem: "file system" + fullscreen: "full screen" + info: "information" + installation from source: self-compiled installation + installations from source: self-compiled installations + it is recommended: "you should" + log in: "sign in" + log-in: "sign in" + logged in user: "authenticated user" + logged-in user: "authenticated user" + machine-learning: "machine learning" + modal dialog: "dialog" + modal window: "dialog" + modal: "dialog" + n/a: "not applicable" + navigate to: "go to" + normally: "usually' or 'typically" + normal: "typical' or 'standard" + OAuth2: "OAuth 2.0" + omnibus gitlab: "Linux package" + 'omnibus(?!\))': "Linux package" + once that: "after that" + once the: "after the" + once you: "after you" + open telemetry: "OpenTelemetry" + pack file: packfile + pack files: packfiles + pop-up window: "dialog" + pop-up: "dialog" + popup: "dialog" + repo: "repository" + 
signed in user: "authenticated user" + signed-in user: "authenticated user" + since: "because' or 'after" + source (?:install|installation): self-compiled installation + source (?:installs|installations): self-compiled installations + sub-group: "subgroup" + sub-groups: "subgroups" + timezone: "time zone" + utiliz(?:es?|ing): "use" + VSCode: "VS Code" + we recommend: "you should" + within: "in" diff --git a/chart/doc/.vale/gitlab_base/Substitutions.yml b/chart/doc/.vale/gitlab_base/Substitutions.yml new file mode 100644 index 000000000..4c48d5bfb --- /dev/null +++ b/chart/doc/.vale/gitlab_base/Substitutions.yml 
@@ -0,0 +1,69 @@ +--- +# Error: gitlab.Substitutions +# +# Checks for misused terms that should never be used at GitLab. +# SubstitutionWarning.yml also exists. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: substitution +message: "Use '%s' instead of '%s'." +link: https://handbook.gitlab.com/handbook/communication/top-misused-terms/ +level: error +ignorecase: true +swap: + admin user: administrator + admin users: administrators + administrator permission: administrator access + administrator permissions: administrator access + administrator role: administrator access + at least the Owner role: the Owner role + can login: can log in + can log-in: can log in + can setup: can set up + can signin: can sign in + can sign-in: can sign in + codequality: code quality + Customer [Pp]ortal: Customers Portal + developer access: the Developer role + developer permission: the Developer role + developer permissions: the Developer role + disallow: prevent + frontmatter: front matter + GitLab self hosted: GitLab self-managed # https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#gitlab-self-managed + GitLab self-hosted: GitLab self-managed # https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#gitlab-self-managed + GitLabber: GitLab team member + GitLabbers: GitLab team members + GitLab-shell: GitLab Shell + gitlab omnibus: Linux package + golang: Go + guest access: the Guest role + guest permission: the Guest role + guest permissions: the Guest role + maintainer access: the Maintainer role + maintainer permission: the Maintainer role + maintainer permissions: the Maintainer role + owner access: the Owner role + owner permission: the Owner role + owner permissions: the Owner role + param: parameter + params: parameters + pg: PostgreSQL + 'postgres$': PostgreSQL + raketask: Rake task + raketasks: Rake tasks + rspec: RSpec + reporter access: the Reporter role + reporter permission: the Reporter 
role + reporter permissions: the Reporter role + rubocop: RuboCop + self hosted GitLab: GitLab self-managed # https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#gitlab-self-managed + self-hosted GitLab: GitLab self-managed # https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#gitlab-self-managed + styleguide: style guide + the administrator access level: administrator access + to login: to log in + to log-in: to log in + to setup: to set up + to signin: to sign in + to sign-in: to sign in + x509: X.509 + yml: YAML diff --git a/chart/doc/.vale/gitlab_base/ToDo.yml b/chart/doc/.vale/gitlab_base/ToDo.yml new file mode 100644 index 000000000..079f13baa --- /dev/null +++ b/chart/doc/.vale/gitlab_base/ToDo.yml @@ -0,0 +1,14 @@ +--- +# Warning: gitlab.ToDo +# +# You should not use "To Do", unless it refers to the UI element. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: substitution +message: "Use 'to-do item' in most cases, or 'Add a to do' if referring to the UI button." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#to-do-item +level: warning +ignorecase: false +swap: + '[Tt]o [Dd]o [Ii]tems?': to-do item + '\w* [Aa] [Tt]o [Dd]o': Add a to do diff --git a/chart/doc/.vale/gitlab_base/UnclearAntecedent.yml b/chart/doc/.vale/gitlab_base/UnclearAntecedent.yml new file mode 100644 index 000000000..e5d43b6ab --- /dev/null +++ b/chart/doc/.vale/gitlab_base/UnclearAntecedent.yml 
@@ -0,0 +1,22 @@
+---
+# Warning: gitlab.UnclearAntecedent
+#
+# Checks for words that need a noun for clarity.
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Instead of '%s', try starting this sentence with a specific subject and verb."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html#this-these-that-those
+level: warning
+ignorecase: false
+tokens:
+ - 'That is'
+ - 'That was'
+ - 'These are'
+ - 'These were'
+ - 'There are'
+ - 'There were'
+ - 'This is'
+ - 'This was'
+ - 'Those are'
+ - 'Those were'
diff --git a/chart/doc/.vale/gitlab_base/Units.yml b/chart/doc/.vale/gitlab_base/Units.yml
new file mode 100644
index 000000000..5eb2d9551
--- /dev/null
+++ b/chart/doc/.vale/gitlab_base/Units.yml
@@ -0,0 +1,15 @@
+---
+# Warning: gitlab.Units
+#
+# Recommends a space between a number and a unit of measure.
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Add a space between the number and the unit in '%s'."
+link: 'https://docs.gitlab.com/ee/development/documentation/styleguide/'
+nonword: true
+level: warning
+ignorecase: true
+tokens:
+ - \d+(?:B|kB|KiB|MB|MiB|GB|GiB|TB|TiB)
+ - \d+(?:ns|ms|μs|s|min|h|d)\b
diff --git a/chart/doc/.vale/gitlab_base/Uppercase.yml b/chart/doc/.vale/gitlab_base/Uppercase.yml
new file mode 100644
index 000000000..99aae636d
--- /dev/null
+++ b/chart/doc/.vale/gitlab_base/Uppercase.yml
@@ -0,0 +1,268 @@ +--- +# Suggestion: gitlab.Uppercase +# +# Checks for use of all uppercase letters with unknown reason. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: conditional +message: "Instead of uppercase for '%s', use lowercase or backticks (`) if possible. Otherwise, ask a Technical Writer to add this word or acronym to the rule's exception list." +link: https://docs.gitlab.com/ee/development/documentation/testing/vale.html#vale-uppercase-acronym-test +level: suggestion +ignorecase: false +# Ensures that the existence of 'first' implies the existence of 'second'. +first: '\b([A-Z]{3,5})\b' +second: '(?:\b[A-Z][a-z]+ )+\(([A-Z]{3,5})\)' +# ... with the exception of these: +exceptions: + - ACL + - AJAX + - ALL + - AMI + - ANSI + - APAC + - API + - ARIA + - APM + - ARM + - ARN + - ASCII + - ASG + - AST + - AWS + - BETA + - BMP + - BSD + - CAS + - CDN + - CGI + - CIDR + - CLI + - CNA + - CNCF + - CORE + - CORS + - CPU + - CRAN + - CRIME + - CRM + - CRUD + - CSRF + - CSS + - CSV + - CTE + - CVE + - CVS + - CVSS + - CWE + - DAST + - DDL + - DHCP + - DML + - DNS + - DSN + - DOM + - DORA + - DSA + - DSL + - DUOPRO + - DUOENT + - DVCS + - DVD + - EBS + - ECDSA + - ECS + - EFS + - EKS + - ELB + - ENA + - EOL + - EWM + - EXIF + - FAQ + - FIDO + - FIFO + - FIPS + - FLAG + - FOSS + - FQDN + - FREE + - FTP + - GCP + - GDK + - GDPR + - GET + - GID + - GIF + - GKE + - GLEX + - GLFM + - GNU + - GPG + - GPL + - GPS + - GPT + - GPU + - GUI + - HAML + - HAR + - HDD + - HEAD + - HIPAA + - HLL + - HSTS + - HTML + - HTTP + - HTTPS + - IAM + - IANA + - IBM + - ICO + - IDE + - IID + - IIS + - IMAP + - IOPS + - IRC + - ISO + - JPEG + - JPG + - JSON + - JVM + - JWT + - KICS + - LAN + - LDAP + - LDAPS + - LESS + - LFS + - LRU + - LSIF + - LTM + - LTS + - LVM + - MIME + - MIT + - MITRE + - MVC + - NAS + - NAT + - NDA + - NFS + - NGINX + - NOTE + - NPM + - NTP + - OCI + - OIDC + - OKD + - OKR + - ONLY + - OSS + - OTP + - OWASP + - PAT + - PCI-DSS + 
- PDF + - PEM + - PEP + - PGP + - PHP + - PID + - PKCS + - PNG + - POSIX + - POST + - PROXY + - PUT + - QPS + - RAID + - RAM + - RBAC + - RDP + - RDS + - RDS + - REST + - RFC + - RHEL + - RPC + - RPM + - RPO + - RPS + - RSA + - RSS + - RTC + - RTO + - RVM + - SAAS + - SAML + - SAN + - SAST + - SATA + - SBOM + - SBT + - SCIM + - SCM + - SCP + - SCSS + - SDK + - SELF + - SEO + - SES + - SFTP + - SHA + - SKI + - SLA + - SLI + - SLO + - SMS + - SMTP + - SOAP + - SOC + - SOX + - SPDX + - SPDY + - SPF + - SQL + - SRE + - SSD + - SSG + - SSH + - SSL + - SSO + - STI + - SUSE + - SVG + - SVN + - TCP + - TIFF + - TIP + - TLD + - TLS + - TODO + - TOML + - TOTP + - TPS + - TTL + - UBI + - UDP + - UID + - UID + - UNIX + - URI + - URL + - USB + - UTC + - UTF + - UUID + - VCS + - VPC + - VPN + - WAF + - WEBP + - WIP + - WSL + - XML + - XSS + - YAML + - ZAP + - ZIP diff --git a/chart/doc/.vale/gitlab_base/Wordy.yml b/chart/doc/.vale/gitlab_base/Wordy.yml new file mode 100644 index 000000000..9c472f665 --- /dev/null +++ b/chart/doc/.vale/gitlab_base/Wordy.yml @@ -0,0 +1,19 @@ +--- +# Suggestion: gitlab.Wordy +# +# Suggests shorter versions of wordy phrases. +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: substitution +message: "%s" +link: https://docs.gitlab.com/ee/development/documentation/styleguide/word_list.html +level: suggestion +ignorecase: true +swap: + a number of: "Specify the number or remove the phrase." + as well as: "Use 'and' instead of 'as well as'." + note that: "Remove the phrase 'note that'." + please: "Use 'please' only if we've inconvenienced the user." + respectively: "Remove 'respectively' and list each option instead." + and so on: "Remove 'and so on'. Try to use 'like' and provide examples instead." + in order to: "Remove 'in order' and leave 'to'." diff --git a/chart/doc/.vale/gitlab_base/Zip.yml b/chart/doc/.vale/gitlab_base/Zip.yml new file mode 100644 index 000000000..69ff980b8 --- /dev/null 
+++ b/chart/doc/.vale/gitlab_base/Zip.yml
@@ -0,0 +1,15 @@
+---
+# Warning: gitlab.Zip
+#
+# Recommends all instances of something.zip be wrapped in backticks
+# due to the .zip top-level domain
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Wrap '%s' in backticks to prevent unintentional links to .zip domain names."
+link: 'https://docs.gitlab.com/ee/development/documentation/styleguide/index.md#backticks-in-markdown'
+nonword: true
+level: error
+ignorecase: true
+tokens:
+ - '\b\w*\.zip'
diff --git a/chart/doc/.vale/gitlab_base/spelling-exceptions.txt b/chart/doc/.vale/gitlab_base/spelling-exceptions.txt
new file mode 100644
index 000000000..518de5248
--- /dev/null
+++ b/chart/doc/.vale/gitlab_base/spelling-exceptions.txt
@@ -0,0 +1,1235 @@ +accessor +accessors +ACLs +Adafruit +Airbnb +Airtable +Akismet +Alertmanager +Algolia +Alibaba +aliuid +Aliyun +allowlist +allowlisted +allowlisting +allowlists +AlmaLinux +AMIs +anonymization +anonymized +Ansible +Anthos +Anycast +apdex +API +APIs +Apparmor +Appetize +approvers +Appsec +architected +architecting +archiver +Arel +arity +Arkose +armhf +ARNs +Artifactory +Asana +Asciidoctor +asdf +Assembla +Astro +async +Atlassian +auditability +auditable +Auth0 +authenticator +Authy +autocomplete +autocompleted +autocompletes +autocompleting +autogenerated +autoloaded +autoloader +autoloading +automatable +autoscale +autoscaled +autoscaler +autoscalers +autoscales +autoscaling +autovacuum +awardable +awardables +Axios +Ayoa +AZs +Azure +B-tree +backfilling +backfills +backport +backported +backporting +backports +backtrace +backtraced +backtraces +backtracing +badging +balancer +balancer's +Bamboo +Bazel +bcrypt +Beamer +Bhyve +Bitbucket +Bitnami +Bittrex +blockquote +blockquoted +blockquotes +blockquoting +boolean +booleans +Bootsnap +bot +bot's +Bottlerocket +browsable +bugfix +bugfixed +bugfixes +bugfixing +Bugzilla +Buildah +Buildkite +buildpack +buildpacks +bundler +bundlers +burndown +burnup +burstable +CA +cacheable +Caddy +callout +callouts +callstack +callstacks +camelCase +camelCased +Camo +canonicalization +canonicalized +captcha +CAPTCHAs +Capybara +Casdoor +CDNs +CE +CentOS +Ceph +Certbot +cgo +cgroup +cgroups +chai +changeset +changesets +ChaosKube +chatbot +chatbots +ChatOps +checksummable +checksummed +checksumming +Chemlab +chipset +chipsets +CIDRs +Citrix +Citus +Civo +Cleartext +ClickHouse +CLIs +Clojars +clonable +Cloudwatch +clusterized +CMake +CMK +CMKs +CNAs +CNs +Cobertura +Codeception +Codecov +codenames +Codepen +CodeSandbox +Codey +Cognito +Coinbase +colocate +colocated +colocating +commit's +CommonMark +compilable +composable +composables +Conda +config +Configs +Consul +Contentful +Corosync +corpuses +Cosign +Coursier 
+CPU +CPUs +CRAN +CRI-O +cron +crond +cronjob +cronjobs +crons +crontab +crontabs +crosslinked +crosslinking +crosslinks +Crossplane +Crowdin +crypto +CSSComb +CSV +CSVs +CTAs +CTEs +CUnit +customappsso +CVEs +CWEs +cybersecurity +CycloneDX +Dangerfile +DAST +Database Lab Engine +Database Lab +Databricks +Datadog +datasource +datasources +datastore +datastores +datestamp +datetime +DBeaver +Debian +debloating +decodable +Decompressor +decryptable +dedupe +deduplicate +deduplicated +deduplicates +deduplicating +deduplication +delegators +deliverables +denormalization +denormalize +denormalized +denormalizes +denormalizing +dentry +denylist +denylisted +denylisting +denylists +Depesz +deployer +deployers +deprovision +deprovisioned +deprovisioning +deprovisions +dequarantine +dequarantined +dequarantining +deserialization +deserialize +deserializers +deserializes +desugar +desugars +desynchronized +Dev +devfile +devfiles +DevOps +Dhall +dialogs +Diffblue +disambiguates +discoverability +dismissable +Disqus +Distroless +Divio +DLE +DNs +Docker +Dockerfile +Dockerfiles +Dockerize +Dockerized +Dockerizing +Docusaurus +dogfood +dogfooding +dogfoods +DOMPurify +dotenv +doublestar +downvoted +downvotes +Dpl +dput +Dreamweaver +DRIs +DSLs +DSN +Dynatrace +Ecto +eden +EGit +ElastiCache +Elasticsearch +Eleventy +enablement +Encrypt +enqueued +enqueues +enricher +enrichers +enum +enums +Enviroments +ESLint +ESXi +ETag +ETags +Etsy +Excon +exfiltrate +exfiltration +ExifTool +expirable +Facebook +failover +failovers +failsafe +Falco +falsy +Fanout +Fargate +fastlane +Fastly +Fastzip +favicon +favorited +Fediverse +ffaker +Figma +Filebeat +Filestore +Finicity +Finnhub +Fio +firewalled +firewalling +fixup +flamegraph +flamegraphs +Flawfinder +Flickr +Fluentd +Flutterwave +Flycheck +focusable +Forgerock +formatters +Fortanix +Fortinet +FQDNs +FreshBooks +frontend +Fugit +Fulcio +fuzzer +fuzzing +Gantt +Gbps +Gemfile +Gemnasium +Gemojione +Getter +Getters +gettext +GIDs +gists +Git 
+Gitaly +Gitea +GitHub +GitLab +gitlabsos +Gitleaks +Gitpod +Gitter +GLab +globals +globbing +globstar +globstars +Gmail +Godep +Golang +Gollum +Google +goroutine +goroutines +Gosec +GPUs +Gradle +Grafana +Grafonnet +gravatar +Grype +GUIs +Gzip +Hackathon +Haml +HAProxy +HAR +hardcode +hardcoded +hardcodes +HashiCorp +Haswell +heatmap +heatmaps +Helm +Helmfile +Heroku +Herokuish +heuristical +hexdigest +Hexo +HipChat +hostname +hostnames +hotfix +hotfixed +hotfixes +hotfixing +hotspots +HTMLHint +http +https +hyperparameter +hyperparameters +iCalendar +iCloud +idempotence +idmapper +Iglu +IIFEs +Immer +inclusivity +inflector +inflectors +Ingress +initializer +initializers +injective +innersource +innersourcing +inodes +Instrumentor +interdependencies +interdependency +interruptible +inviter +IPs +IPython +irker +issuables +Istio +Jaeger +jasmine-jquery +Javafuzz +JavaScript +Jenkins +Jenkinsfile +Jira +Jitsu +jq +jQuery +JRuby +JSDoc +jsdom +Jsonnet +JUnit +JupyterHub +JWT +JWTs +Kaminari +kanban +kanbans +kaniko +Karma +KCachegrind +Kerberos +Keycloak +keyless +keyset +keyspace +keystore +keytab +keytabs +Kibana +Kinesis +Klar +Knative +KPIs +Kramdown +Kroki +kubeconfig +Kubecost +kubectl +Kubernetes +Kubesec +Kucoin +Kustomize +Kustomization +kwargs +Laravel +LaunchDarkly +ldapsearch +Lefthook +Leiningen +Lemmy +LLM +LLMs +libFuzzer +Libgcrypt +Libravatar +liveness +lockfile +lockfiles +Lodash +Lograge +logrotate +Logrus +Logstash +lookahead +lookaheads +lookbehind +lookbehinds +Lookbook +lookups +loopback +LSP +Lua +Lucene +Lucidchart +macOS +Mailchimp +Maildir +Mailgun +Mailroom +Makefile +Makefiles +malloc +Maniphest +Markdown +markdownlint +Marketo +matcher +matchers +Matomo +Mattermost +mbox +memoization +memoize +memoized +memoizes +memoizing +Memorystore +mergeability +mergeable +metaprogramming +metric's +microformat +Microsoft +middleware +middlewares +migratable +migratus +minikube +MinIO +misconfiguration +misconfigurations +misconfigure +misconfigured 
+misconfigures +misconfiguring +mitigations +mitmproxy +mixin +mixins +MLflow +Mmap +mockup +mockups +ModSecurity +Monokai +monorepo +monorepos +monospace +MRs +MSBuild +multiline +mutex +nameserver +nameservers +namespace +namespace's +namespaced +namespaces +namespacing +namespacings +Nanoc +NAT +navigations +negatable +Neovim +Netlify +NGINX +ngrok +njsscan +Nokogiri +nosniff +noteable +noteables +npm +NuGet +nullability +nullable +Nurtch +NVMe +nyc +OAuth +OCP +Octokit +offboarded +offboarding +offboards +OIDs +OKRs +OKRs +Okta +OLM +OmniAuth +onboarding +OpenID +OpenShift +OpenTelemetry +Opsgenie +Opstrace +ORMs +OS +osquery +OSs +OTel +outdent +Overcommit +Packagist +packfile +packfiles +Packwerk +paginator +parallelization +parallelizations +parsable +PascalCase +PascalCased +passthrough +passthroughs +passwordless +Patroni +PDFs +performant +PgBouncer +pgFormatter +pgLoader +pgMustard +pgvector +Phabricator +phaser +phasers +phpenv +Phorge +PHPUnit +PIDs +pipenv +Pipfile +Pipfiles +Piwik +plaintext +podman +Poedit +polyfill +polyfills +pooler +postfixed +Postgres +postgres.ai +PostgreSQL +Praefect's +prebuild +prebuilds +precompile +precompiled +preconfigure +preconfigured +preconfigures +prefetch +prefetching +prefill +prefilled +prefilling +prefills +preload +preloaded +preloading +preloads +prepend +prepended +prepending +prepends +prepopulate +prepopulated +presentationals +Prettifier +Pritaly +Priyanka +profiler +Prometheus +ProseMirror +protobuf +protobufs +proxied +proxies +proxyable +proxying +pseudocode +pseudonymization +pseudonymized +pseudonymizer +Pulumi +Puma +Pumble +PyPI +pytest +Python +Qualys +queryable +Quicktime +Rackspace +railties +Raspbian +rbenv +rbspy +rbtrace +Rclone +Rdoc +reachability +Realplayer +reauthenticate +reauthenticated +reauthenticates +reauthenticating +rebalancing +rebar +rebase +rebased +rebases +rebasing +rebinding +reCAPTCHA +recoverability +Redcarpet +redirection +redirections +Redis +Redmine +refactorings 
+referer +referers +reflog +reflogs +refname +refspec +refspecs +regexes +Rego +reimplementation +reimplemented +reindex +reindexed +reindexes +reindexing +reinitialize +reinitializing +Rekor +relicensing +remediations +renderers +renderless +replicables +repmgr +repmgrd +reposts +repurposing +requestee +requesters +requeue +requeued +requeues +requeuing +resolver +resolver's +Restlet +resync +resynced +resyncing +resyncs +retarget +retargeted +retargeting +retargets +reusability +reverified +reverifies +reverify +reviewee +RIs +roadmap +roadmaps +rock +rollout +rollouts +routable +RPCs +RSpec +rsync +rsynced +rsyncing +rsyncs +Rubinius +Rubix +RuboCop +Rubular +RubyGems +Rugged +ruleset +rulesets +runbook +runbooks +runit +runtime +runtimes +Salesforce +sandboxing +sanitization +SBOMs +sbt +SBT +scalar's +scalers +scatterplot +scatterplots +schedulable +Schemastore +scriptable +scrollable +SDKs +segmentations +SELinux +Semgrep +Sendbird +Sendinblue +Sendmail +Sentry +serializer +serializers +serializing +serverless +setuptools +severities +SFCs +sharded +sharding +SHAs +shfmt +Shippo +Shopify +Sidekiq +Sigstore +Silverlight +Sisense +Sitespeed +skippable +skopeo +Slack +Slackbot +SLAs +SLIs +Slony +SLOs +smartcard +smartcards +snake_case +snake_cased +Snapcraft +snapshotting +Snowplow +Snyk +Sobelow +Solargraph +Solarized +Sourcegraph +Spamcheck +spammable +sparkline +sparklines +Speedscope +spidering +Splunk +SpotBugs +Squarespace +SREs +SSDs +SSGs +Stackdriver +Stackprof +stageless +starrer +starrers +storable +storages +strace +strikethrough +strikethroughs +stunnel +stylelint +subchart +subcharts +subcommand +subcommands +subcomponent +subfolder +subfolders +subgraph +subgraphs +subgroup +subgroups +subkey +subkeys +sublicense +sublicensed +sublicenses +sublicensing +submodule +submodule's +subnet +subnets +subnetting +subpath +subproject +subprojects +subqueried +subqueries +subquery +subquerying +Subreddit +substring +substrings +subtask +subtasks +subtest 
+subtests +subtransaction +subtransactions +subtree +subtrees +sudo +sunsetting +supercookie +supercookies +supergroup +supergroups +superset +supersets +supertype +supertypes +SVGs +swappiness +swimlane +swimlanes +syncable +Sysbench +syscall +syscalls +syslog +systemd +tablespace +tablespaces +Tamland +tanuki +taskscaler +tcpdump +teardown +templated +Thanos +thoughtbot +throughputs +Tiller +timebox +timeboxed +timeboxes +timeboxing +timecop +timelog +timelogs +Tiptap +todos +tokenizer +Tokenizers +tokenizing +tolerations +toolchain +toolchains +toolkit +toolkits +toolset +tooltip +tooltips +transactionally +transpile +transpiled +transpiles +transpiling +Trello +Trendline +triaged +triages +triaging +Trivy +Truststore +truthy +Twilio +Twitter +Typeform +TypeScript +TZInfo +Ubuntu +Udemy +UI +UIDs +unapplied +unapprove +unapproved +unapproving +unarchive +unarchived +unarchives +unarchiving +unary +unassign +unassigning +unassigns +unban +unbans +uncached +uncheck +unchecked +unchecking +unchecks +uncomment +uncommented +uncommenting +uncordon +underperforming +unencode +unencoded +unencoder +unencodes +unencrypted +unescaped +unfollow +unfollowed +unfollows +Unicorn +unindexed +unlink +unlinking +unlinks +unmappable +unmapped +unmergeable +unmerged +unmerges +unmerging +unmocked +unoptimize +unoptimized +unoptimizes +unoptimizing +unparsable +unpatched +unpause +unprioritized +unprotect +unprotected +unprotecting +unprotects +unprovision +unprovisioned +unprovisions +unpublish +unpublished +unpublishes +unpublishing +unpullable +unpushed +unreferenced +unregister +unregistered +unregisters +unreplicated +unresolve +unresolved +unresolving +unreviewed +unrevoke +unsanitized +unschedule +unscoped +unsetting +unshare +unshared +unshares +unstage +unstaged +unstages +unstaging +unstar +unstars +unstarted +unstash +unstashed +unstashing +unsynced +unsynchronized +untarred +untracked +untrusted +unverified +unverifies +unverify +unverifying +uploader +uploaders 
+upstreams +upvote +upvoted +upvotes +urgencies +URIs +URL +UUIDs +Vagrantfile +validator +validators +vCPUs +vendored +vendoring +versionless +viewport +viewports +virtualized +virtualizing +Vite +VMs +VPCs +VSCodium +Vue +Vuex +waitlist +walkthrough +walkthroughs +WebdriverIO +Webex +webpack +WEBrick +webserver +Webservice +websocket +websockets +whitepaper +whitepapers +wireframe +wireframed +wireframes +wireframing +Wireshark +Wordpress +Workato +workstream +worktree +worktrees +Worldline +Xcode +Xeon +XPath +Yandex +YouTrack +ytt +Yubico +Zabbix +ZAProxy +Zeitwerk +Zendesk +ZenTao +Zoekt +zsh +Zstandard +Zuora diff --git a/chart/doc/.vale/gitlab_docs/AlertBoxStyle.yml b/chart/doc/.vale/gitlab_docs/AlertBoxStyle.yml new file mode 100644 index 000000000..5d796cafe --- /dev/null +++ b/chart/doc/.vale/gitlab_docs/AlertBoxStyle.yml @@ -0,0 +1,20 @@ +--- +# Error: gitlab.AlertBoxStyle +# +# Makes sure alert boxes are used with block quotes. Checks for 3 formatting issues: +# +# - Alert boxes inside a block quote ('>') +# - Alert boxes with the note text on the same line +# - Alert boxes using words other than 'NOTE' or 'WARNING' +# +# For a list of all options, see https://vale.sh/docs/topics/styles/ +extends: existence +message: "Update the format of the '%s' alert box. View the style guide for details." +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#alert-boxes +level: error +nonword: true +scope: raw +tokens: + - '^ *> *(NOTE|WARNING)' + - '(?<=\n\n)(NOTE|WARNING):[^\n]+\n' + - '(?<=\n\n) *(> )?\**([Nn]ote|TIP|[Tt]ip|CAUTION|[Cc]aution|DANGER|[Dd]anger|[Ww]arning):.*' diff --git a/chart/doc/.vale/gitlab_docs/Badges-Offerings.yml b/chart/doc/.vale/gitlab_docs/Badges-Offerings.yml new file mode 100644 index 000000000..4a70abc56 --- /dev/null +++ b/chart/doc/.vale/gitlab_docs/Badges-Offerings.yml 
@@ -0,0 +1,13 @@
+# Warning: gitlab.Badges-Offerings
+#
+# Tests the offering information in the tier badges that appear below topic titles.
+#
+# For a list of all options, see https://docs.gitlab.com/ee/development/documentation/styleguide/#available-product-tier-badges
+extends: existence
+message: "Offerings should be comma-separated, without `and`, and must be capitalized. Example: `GitLab.com, Self-managed, GitLab Dedicated`."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/#available-product-tier-badges
+level: error
+nonword: true
+scope: raw
+tokens:
+ - ^\*\*Offering:\*\* (Dedicated|[^\n]*(SaaS|self-managed|Self-Managed|GitLab dedicated|and|GitLab Dedicated,|, GitLab\.com|, Dedicated))
diff --git a/chart/doc/.vale/gitlab_docs/Badges-Tiers.yml b/chart/doc/.vale/gitlab_docs/Badges-Tiers.yml
new file mode 100644
index 000000000..d9e6a5991
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/Badges-Tiers.yml
@@ -0,0 +1,13 @@
+# Warning: gitlab.Badges-Tiers
+#
+# Tests the tier information in the tier badges that appear below topic titles.
+#
+# For a list of all options, see https://docs.gitlab.com/ee/development/documentation/styleguide/#available-product-tier-badges
+extends: existence
+message: "Tiers should be capitalized, comma-separated, and ordered lowest to highest."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/#available-product-tier-badges
+level: error
+nonword: true
+scope: raw
+tokens:
+- ^\*\*Tier:\*\*.*(free|premium|ultimate|, Free|Ultimate,)
diff --git a/chart/doc/.vale/gitlab_docs/HistoryItems.yml b/chart/doc/.vale/gitlab_docs/HistoryItems.yml
new file mode 100644
index 000000000..f9d31a4e2
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/HistoryItems.yml
@@ -0,0 +1,14 @@
+---
+# Warning: gitlab.HistoryItems
+#
+# Ensures history items are properly formatted.
+#
+extends: existence
+message: "History items must always start with '> -', one item per line, even if there is only one item."
+link: https://docs.gitlab.com/ee/development/documentation/versions.html#add-a-version-history-item
+level: error
+nonword: true
+scope: raw
+tokens:
+ - '(?<=^#+[^\n]*\n\n)> [^-]'
+ - '^> - [^\n]*\n[^\n>`]'
diff --git a/chart/doc/.vale/gitlab_docs/HistoryItemsOrder.yml b/chart/doc/.vale/gitlab_docs/HistoryItemsOrder.yml
new file mode 100644
index 000000000..353c61bcf
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/HistoryItemsOrder.yml
@@ -0,0 +1,13 @@
+---
+# Warning: gitlab.HistoryItemsOrder
+#
+# Ensures history items come before the Details block.
+#
+extends: existence
+message: "History items must follow the tier, offering, or status details."
+link: https://docs.gitlab.com/ee/development/documentation/versions.html#add-a-version-history-item
+level: error
+nonword: true
+scope: raw
+tokens:
+ - '^\>[^\n]*\n\nDETAILS'
diff --git a/chart/doc/.vale/gitlab_docs/InternalLinkCase.yml b/chart/doc/.vale/gitlab_docs/InternalLinkCase.yml
new file mode 100644
index 000000000..fded73581
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/InternalLinkCase.yml
@@ -0,0 +1,13 @@
+---
+# Error: gitlab.InternalLinkCase
+#
+# Checks that anchor fragments on internal links are in lower-case.
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Use lowercase for the anchor link."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#anchor-links
+level: error
+scope: raw
+raw:
+ - '[^\`]\[[^\[\]]+\]\((https?:){0}[\w\/\.]*?#[^\s]*?[A-Z][^\) ]*\)[^\`]'
diff --git a/chart/doc/.vale/gitlab_docs/InternalLinkExtension.yml b/chart/doc/.vale/gitlab_docs/InternalLinkExtension.yml
new file mode 100644
index 000000000..364263f90
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/InternalLinkExtension.yml
@@ -0,0 +1,13 @@
+---
+# Error: gitlab.InternalLinkExtension
+#
+# Checks that internal links have .md extenstion and not .html extension.
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Link to a file and use the .md file extension instead of .html."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links
+level: error
+scope: raw
+raw:
+ - '\[[^\]]+\]\([^:\)]+(\/(#[^\)]+)?\)|\.html(#.+)?\))'
diff --git a/chart/doc/.vale/gitlab_docs/InternalLinkFormat.yml b/chart/doc/.vale/gitlab_docs/InternalLinkFormat.yml
new file mode 100644
index 000000000..fe8fae055
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/InternalLinkFormat.yml
@@ -0,0 +1,13 @@
+---
+# Error: gitlab.InternalLinkFormat
+#
+# Checks that internal link paths don't start with '/' or './'.
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Edit the link so it does not start with '/' or './'."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links
+level: error
+scope: raw
+raw:
+ - '\[[^\]]+\]\(\.?\/(?!uploads|documentation).*?\)'
diff --git a/chart/doc/.vale/gitlab_docs/InternalLinksCode.yml b/chart/doc/.vale/gitlab_docs/InternalLinksCode.yml
new file mode 100644
index 000000000..cf2e6c263
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/InternalLinksCode.yml
@@ -0,0 +1,12 @@
+# Error: gitlab.InternalLinksCode
+#
+# Checks that internal links don't link to files outside the docs directory
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Use full URLs for files outside the docs directory."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links
+level: error
+scope: raw
+raw:
+ - '\[[^\]]*\]\([\.\/]*(ee|app|bin|config|db|data|fixtures|gems|lib|locale|qa|scripts|spec)\/'
diff --git a/chart/doc/.vale/gitlab_docs/ReferenceLinks.yml b/chart/doc/.vale/gitlab_docs/ReferenceLinks.yml
new file mode 100644
index 000000000..77e8438d4
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/ReferenceLinks.yml
@@ -0,0 +1,14 @@
+---
+# Error: gitlab.ReferenceLinks
+#
+# Checks for reference-style links that should be converted to inline links.
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Put this link inline with the rest of the text."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links
+level: error
+nonword: true
+scope: raw
+tokens:
+ - '^\[[^\]]*\]: .*'
diff --git a/chart/doc/.vale/gitlab_docs/RelativeLinks.yml b/chart/doc/.vale/gitlab_docs/RelativeLinks.yml
new file mode 100644
index 000000000..c2ec32f1d
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/RelativeLinks.yml
@@ -0,0 +1,13 @@
+---
+# Error: gitlab.RelativeLinks
+#
+# Checks for the presence of absolute hyperlinks that should be relative.
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Use a relative link instead of a URL, and ensure the file name ends in .md and not .html."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links
+level: error
+scope: raw
+raw:
+ - '\[[^\]]+\]\(https?:\/\/docs\.gitlab\.com\/charts.*\)'
diff --git a/chart/doc/.vale/gitlab_docs/RelativeLinksDoubleSlashes.yml b/chart/doc/.vale/gitlab_docs/RelativeLinksDoubleSlashes.yml
new file mode 100644
index 000000000..5b22363aa
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/RelativeLinksDoubleSlashes.yml
@@ -0,0 +1,13 @@
+---
+# Error: gitlab.RelativeLinksDoubleSlashes
+#
+# Checks for the presence of double slashes in relative URLs.
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Do not use double slashes '//' or '../doc' in the link path"
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links
+level: error
+scope: raw
+raw:
+ - '(\.//)|(\.\.\/doc\/)'
diff --git a/chart/doc/.vale/gitlab_docs/TabsLinks.yml b/chart/doc/.vale/gitlab_docs/TabsLinks.yml
new file mode 100644
index 000000000..97f75046f
--- /dev/null
+++ b/chart/doc/.vale/gitlab_docs/TabsLinks.yml
@@ -0,0 +1,13 @@
+---
+# Error: gitlab.TabsLinks
+#
+# Checks for the presence of links to individual GitLab UI tabs.
+#
+# For a list of all options, see https://vale.sh/docs/topics/styles/
+extends: existence
+message: "Do not include tabs query parameters in links."
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#tabs
+level: error
+scope: raw
+raw:
+ - '\[[^\]]+\]\(.*?\.md\?tab=.*?\)'
diff --git a/chart/doc/advanced/external-db/external-omnibus-psql.md b/chart/doc/advanced/external-db/external-omnibus-psql.md
index f1e25de36..27a74e6d7 100644
--- a/chart/doc/advanced/external-db/external-omnibus-psql.md
+++ b/chart/doc/advanced/external-db/external-omnibus-psql.md
@@ -23,7 +23,7 @@ Follow the installation instructions for the [Linux package](https://about.gitla Create a minimal `gitlab.rb` file to be placed at `/etc/gitlab/gitlab.rb`. Be very explicit about what is enabled on this node, use the contents below. -*Note*: This example is not intended to provide [PostgreSQL for scaling](https://docs.gitlab.com/ee/administration/postgresql/index.html). +_Note_: This example is not intended to provide [PostgreSQL for scaling](https://docs.gitlab.com/ee/administration/postgresql/index.html). _**NOTE**: The values below should be replaced_
@@ -60,6 +60,7 @@ gitlab_workhorse['enable'] = false nginx['enable'] = false prometheus_monitoring['enable'] = false redis['enable'] = false +gitlab_kas['enable'] = false ``` After creating `gitlab.rb`, we'll reconfigure the package with `gitlab-ctl reconfigure`. Once the task has completed, check the running processes with `gitlab-ctl status`. The output should appear as such: diff --git a/chart/doc/advanced/external-gitaly/external-omnibus-gitaly.md b/chart/doc/advanced/external-gitaly/external-omnibus-gitaly.md index 62b8c21a9..0f5570864 100644 --- a/chart/doc/advanced/external-gitaly/external-omnibus-gitaly.md +++ b/chart/doc/advanced/external-gitaly/external-omnibus-gitaly.md @@ -24,7 +24,7 @@ the Linux package installation, **_do not_** provide the `EXTERNAL_URL=` value. ## Configure Linux package installation Create a minimal `gitlab.rb` file to be placed at `/etc/gitlab/gitlab.rb`. Be -*very* explicit about what's enabled on this node, using the following contents +_very_ explicit about what's enabled on this node, using the following contents based on the documentation for [running Gitaly on its own server](https://docs.gitlab.com/ee/administration/gitaly/configure_gitaly.html#run-gitaly-on-its-own-server). diff --git a/chart/doc/advanced/external-object-storage/aws-iam-roles.md b/chart/doc/advanced/external-object-storage/aws-iam-roles.md index 8a82427d9..be4a101f9 100644 --- a/chart/doc/advanced/external-object-storage/aws-iam-roles.md +++ b/chart/doc/advanced/external-object-storage/aws-iam-roles.md @@ -137,7 +137,7 @@ gitlab: #### Using chart-owned service accounts -The `eks.amazonaws.com/role-arn` annotation can be applied to _all_ ServiceAccounts +The `eks.amazonaws.com/role-arn` annotation can be applied to *all* ServiceAccounts created by GitLab owned charts by configuring `global.serviceAccount.annotations`. ```yaml 
diff --git a/chart/doc/advanced/external-redis/index.md b/chart/doc/advanced/external-redis/index.md index e237d61f4..04ed22830 100644 --- a/chart/doc/advanced/external-redis/index.md +++ b/chart/doc/advanced/external-redis/index.md @@ -136,9 +136,13 @@ The flip side of the flexibility of `redisYmlOverride` is that it is less user f ## Troubleshooting +<!-- markdownlint-disable line-length --> + ### `ERR Error running script (call to f_5962bd591b624c0e0afce6631ff54e7e4402ebd8): @user_script:7: ERR syntax error` You might see this error in the logs of `webservice` and `sidekiq` pods if you use external Redis 5 with Helm chart 7.2 or later. Redis 5 [is not supported](https://docs.gitlab.com/ee/install/requirements.html#redis). To fix it, upgrade your external Redis instance to 6.x or later. + +<!-- markdownlint-enable line-length --> diff --git a/chart/doc/advanced/ubi/index.md b/chart/doc/advanced/ubi/index.md index 3e46cfbac..f7f8c3a35 100644 --- a/chart/doc/advanced/ubi/index.md +++ b/chart/doc/advanced/ubi/index.md @@ -8,7 +8,10 @@ info: To determine the technical writer assigned to the Stage/Group associated w GitLab offers [Red Hat UBI](https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image) versions of its images, allowing you to replace standard images with UBI-based -images. These images use the same tag as standard images with `-ubi9` extension. +images. These images use the same tag as standard images with `-ubi` extension. + +NOTE: +The UBI-based images prior to GitLab 17.3 use the `-ubi8` extension. The GitLab chart uses third-party images that are not based on UBI. These images are mostly offer external services to GitLab, such as Redis, PostgreSQL, and so on. diff --git a/chart/doc/charts/gitlab/gitaly/index.md b/chart/doc/charts/gitlab/gitaly/index.md index f785497e3..69e393559 100644 --- a/chart/doc/charts/gitlab/gitaly/index.md +++ b/chart/doc/charts/gitlab/gitaly/index.md 
@@ -78,7 +78,7 @@ the `helm install` command using the `--set` flags. | `containerSecurityContext` | | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the Gitaly container is started | | `containerSecurityContext.runAsUser` | `1000` | Allow to overwrite the specific security context under which the Gitaly container is started | | `tolerations` | `[]` | Toleration labels for pod assignment | -| `affinity` | `{}` | [Affinity rules](#affinity) for pod assignment | +| `affinity` | `{}` | [Affinity rules](../index.md#affinity) for pod assignment | | `persistence.accessMode` | `ReadWriteOnce` | Gitaly persistence access mode | | `persistence.annotations` | | Gitaly persistence annotations | | `persistence.enabled` | `true` | Gitaly enable persistence flag | 
@@ -130,8 +130,8 @@ the `helm install` command using the `--set` flags. | `cgroups.initContainer.image.repository` | `registry.com/gitlab-org/build/cng/gitaly-init-cgroups` | Gitaly image repository | | `cgroups.initContainer.image.tag` | `master` | Gitaly image tag | | `cgroups.initContainer.image.pullPolicy` | `IfNotPresent` | Gitaly image pull policy | -| `cgroups.mountpoint` |`/etc/gitlab-secrets/gitaly-pod-cgroup` | Where the parent cgroup directory is mounted.| -| `cgroups.hierarchyRoot` |`gitaly` | Parent cgroup under which Gitaly creates groups, and is expected to be owned by the user and group Gitaly runs as.| +| `cgroups.mountpoint` | `/etc/gitlab-secrets/gitaly-pod-cgroup` | Where the parent cgroup directory is mounted.| +| `cgroups.hierarchyRoot` | `gitaly` | Parent cgroup under which Gitaly creates groups, and is expected to be owned by the user and group Gitaly runs as.| | `cgroups.memoryBytes` | | The total memory limit that is imposed collectively on all Git processes that Gitaly spawns. 0 implies no limit.| | `cgroups.cpuShares` | | The CPU limit that is imposed collectively on all Git processes that Gitaly spawns. 0 implies no limit. The maximum is 1024 shares, which represents 100% of CPU. | | `cgroups.cpuQuotaUs` | | Used to throttle the cgroups’ processes if they exceed this quota value. We set cpuQuotaUs to 100ms so 1 core is 100000. 0 implies no limit. | 
@@ -139,6 +139,7 @@ the `helm install` command using the `--set` flags. | `cgroups.repositories.memoryBytes` | | The total memory limit imposed on all Git processes contained in a repository cgroup. 0 implies no limit. This value cannot exceed that of the top level memoryBytes. | | `cgroups.repositories.cpuShares` | | The CPU limit that is imposed on all Git processes contained in a repository cgroup. 0 implies no limit. The maximum is 1024 shares, which represents 100% of CPU. This value cannot exceed that of the top level cpuShares. | | `cgroups.repositories.cpuQuotaUs` | | The cpuQuotaUs that is imposed on all Git processes contained in a repository cgroup. A Git process can’t use more then the given quota. We set cpuQuotaUs to 100ms so 1 core is 100000. 0 implies no limit. | +| `gracefulRestartTimeout` | `25` | Gitaly shutdown grace period, how long to wait for in-flight requests to complete (seconds). Pod `terminationGracePeriodSeconds` is set to this value + 5 seconds. | ## Chart configuration examples 
@@ -228,37 +229,7 @@ tolerations: ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). ### annotations diff --git a/chart/doc/charts/gitlab/gitlab-exporter/index.md b/chart/doc/charts/gitlab/gitlab-exporter/index.md index 77e09e98f..79c4adbda 100644 
--- a/chart/doc/charts/gitlab/gitlab-exporter/index.md +++ b/chart/doc/charts/gitlab/gitlab-exporter/index.md @@ -34,7 +34,7 @@ to the `helm install` command using the `--set` flags. | Parameter | Default | Description | | ----------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `affinity` | `{}` | [Affinity rules](#affinity) for pod assignment | +| `affinity` | `{}` | [Affinity rules](../index.md#affinity) for pod assignment | | `annotations` | | Pod annotations | | `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | | `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | 
@@ -148,37 +148,7 @@ image: ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). ### annotations diff --git a/chart/doc/charts/gitlab/gitlab-pages/index.md b/chart/doc/charts/gitlab/gitlab-pages/index.md index d37819279..a83ab22d2 100644 
--- a/chart/doc/charts/gitlab/gitlab-pages/index.md +++ b/chart/doc/charts/gitlab/gitlab-pages/index.md @@ -39,7 +39,7 @@ configurations that can be supplied to the `helm install` command using the | Parameter | Default | Description | | ----------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `affinity` | `{}` | [Affinity rules](#affinity) for pod assignment | +| `affinity` | `{}` | [Affinity rules](../index.md#affinity) for pod assignment | | `annotations` | | Pod annotations | | `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | | `deployment.strategy` | `{}` | Allows one to configure the update strategy used by the deployment. When not provided, the cluster default is used. | 
@@ -148,14 +148,15 @@ configurations that can be supplied to the `helm install` command using the | `zipCache.refresh` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/ee/administration/pages/index.html#zip-serving-and-cache-configuration) | | `zipOpenTimeout` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/ee/administration/pages/index.html#zip-serving-and-cache-configuration) | | `zipHTTPClientTimeout` | int | See: [Zip Serving and Cache Configuration](https://docs.gitlab.com/ee/administration/pages/index.html#zip-serving-and-cache-configuration) | -| `rateLimitSourceIP` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits). To enable rate-limiting use `extraEnv=["FF_ENFORCE_IP_RATE_LIMITS=true"]` | +| `rateLimitSourceIP` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits). | | `rateLimitSourceIPBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits) | -| `rateLimitDomain` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits). To enable rate-limiting use `extraEnv=["FF_ENFORCE_DOMAIN_RATE_LIMITS=true"]` | +| `rateLimitDomain` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits). | | `rateLimitDomainBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits) | -| `rateLimitTLSSourceIP` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits). To enable rate-limiting use `extraEnv=["FF_ENFORCE_IP_TLS_RATE_LIMITS=true"]` | +| `rateLimitTLSSourceIP` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits). 
| | `rateLimitTLSSourceIPBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits) | -| `rateLimitTLSDomain` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits). To enable rate-limiting use `extraEnv=["FF_ENFORCE_DOMAIN_TLS_RATE_LIMITS=true"]` | +| `rateLimitTLSDomain` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits). | | `rateLimitTLSDomainBurst` | | See: [GitLab Pages rate-limits](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits) | +| `rateLimitSubnetsAllowList` | | See: [GitLab Pages rate-limits](#rate-limits) | | `serverReadTimeout` | `5s` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) | | `serverReadHeaderTimeout` | `1s` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) | | `serverWriteTimeout` | `5m` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) | 
@@ -342,6 +343,26 @@ GitLab Pages supports only one URL scheme at a time: Either with wildcard DNS, o WARNING: GitLab Pages does not update the OAuth application, and the default `authRedirectUri` is updated to `https://pages.<yourdomaindomain>/projects/auth`. While accessing a private Pages site, if you encounter an error 'The redirect URI included is not valid', update the redirect URI in the GitLab Pages [System OAuth application](https://docs.gitlab.com/ee/integration/oauth_provider.html#create-an-instance-wide-application) to `https://pages.<yourdomaindomain>/projects/auth`. +### Rate limits + +You can enforce rate limits to help minimize the risk of a Denial of Service (DoS) attack. Detailed [rate limits documentation](https://docs.gitlab.com/ee/administration/pages/index.html#rate-limits) is available. + +To allow certain IP ranges (subnets) to bypass all rate limits: + +- `rateLimitSubnetsAllowList`: Sets the allow list with the IP ranges (subnets) that should bypass all rate limits. + +#### Configure rate limits subnets allow list + +Set the allow list with the IP ranges (subnets) in `charts/gitlab/charts/gitlab-pages/values.yaml`: + +```yaml +gitlab: + gitlab-pages: + rateLimitSubnetsAllowList: + - "1.2.3.4/24" + - "2001:db8::1/32" +``` + ### Configuring KEDA This `keda` section enables the installation of [KEDA](https://keda.sh/) `ScaledObjects` instead of regular `HorizontalPodAutoscalers`. 
@@ -373,34 +394,4 @@ Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-dep ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). 
diff --git a/chart/doc/charts/gitlab/gitlab-shell/index.md b/chart/doc/charts/gitlab/gitlab-shell/index.md index e3201c8b0..a388c555f 100644 --- a/chart/doc/charts/gitlab/gitlab-shell/index.md +++ b/chart/doc/charts/gitlab/gitlab-shell/index.md @@ -36,7 +36,7 @@ controlled by `global.shell.port`. | Parameter | Default | Description | | ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `affinity` | `{}` | [Affinity rules](#affinity) for pod assignment | +| `affinity` | `{}` | [Affinity rules](../index.md#affinity) for pod assignment | | `annotations` | | Pod annotations | | `podLabels` | | Supplemental Pod labels. Will not be used for selectors. | | `common.labels` | | Supplemental labels that are applied to all objects created by this chart. | 
@@ -57,7 +57,8 @@ controlled by `global.shell.port`. | `config.gssapi.keytab.key` | `keytab` | Key holding the keytab in the Kubernetes secret | | `config.gssapi.krb5Config` | | Content of the `/etc/krb5.conf` file in the GitLab Shell container | | `config.gssapi.servicePrincipalName` | | The Kerberos service name to be used by the `gitlab-sshd` daemon | -| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) | +| `config.lfs.pureSSHProtocol` | `false` | Enable LFS Pure SSH protocol support | +| `opensshd.supplemental_config` | | Supplemental configuration, appended to `sshd_config`. Strict alignment to [man page](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html) | | `deployment.livenessProbe.initialDelaySeconds` | 10 | Delay before liveness probe is initiated | | `deployment.livenessProbe.periodSeconds` | 10 | How often to perform the liveness probe | | `deployment.livenessProbe.timeoutSeconds` | 3 | When the liveness probe times out | @@ -123,6 +124,7 @@ controlled by `global.shell.port`. | `sshDaemon` | `openssh` | Selects which SSH daemon would be run, possible values (`openssh`, `gitlab-sshd`) | | `tolerations` | `[]` | Toleration labels for pod assignment | | `traefik.entrypoint` | `gitlab-shell` | When using traefik, which traefik entrypoint to use for GitLab Shell. Defaults to `gitlab-shell` | +| `traefik.tcpMiddlewares` | `[]` | When using traefik, which TCP Middlewares to add to IngressRouteTCP resource. No middlewares by default | | `workhorse.serviceName` | `webservice` | Workhorse service name (by default, Workhorse is a part of the webservice Pods / Service) | | `metrics.enabled` | `false` | If a metrics endpoint should be made available for scraping (requires `sshDaemon=gitlab-sshd`). | | `metrics.port` | `9122` | Metrics endpoint port | 
@@ -254,37 +256,7 @@ tolerations: ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). ### annotations diff --git a/chart/doc/charts/gitlab/gitlab-zoekt/index.md b/chart/doc/charts/gitlab/gitlab-zoekt/index.md index 29d9bdfa1..db229492f 100644 
--- a/chart/doc/charts/gitlab/gitlab-zoekt/index.md +++ b/chart/doc/charts/gitlab/gitlab-zoekt/index.md @@ -96,3 +96,8 @@ To configure Zoekt for a top-level group in GitLab: ``` Zoekt can now index projects in that group after any project is updated or created. + +## Enable exact code search + +After you install and configure Zoekt, you can +[enable exact code search](https://docs.gitlab.com/ee/integration/exact_code_search/zoekt.html#enable-exact-code-search) in GitLab. diff --git a/chart/doc/charts/gitlab/index.md b/chart/doc/charts/gitlab/index.md index ff6bba960..ab5cb3d97 100644 --- a/chart/doc/charts/gitlab/index.md +++ b/chart/doc/charts/gitlab/index.md 
@@ -47,3 +47,45 @@ Use these charts as optional additions: - [Prometheus](https://artifacthub.io/packages/helm/prometheus-community/prometheus) - [_Unprivileged_](https://docs.gitlab.com/runner/install/kubernetes.html#running-docker-in-docker-containers-with-gitlab-runner) [GitLab Runner](https://docs.gitlab.com/runner/) that uses the Kubernetes executor - Automatically provisioned SSL from [Let's Encrypt](https://letsencrypt.org/), which uses [Jetstack](https://venafi.com/jetstack-consult/)'s [cert-manager](https://cert-manager.io/docs/) with [certmanager-issuer](../certmanager-issuer/index.md) + +## GitLab Helm subchart optional parameters + +### affinity + +> - [Introduced](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3770) in GitLab 17.3 (Charts 8.3) for all GitLab Helm subcharts except `webservice` and `sidekiq`. + +`affinity` is an optional parameter in all GitLab Helm subcharts. When you set it, it takes precedence over the [global `affinity`](../globals.md#affinity) value. +For more information about `affinity`, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). + +NOTE: +The `webservice` and `sidekiq` Helm charts can only use the [global `affinity`](../globals.md#affinity) value. Follow [issue 25403](https://gitlab.com/gitlab-com/gl-infra/production-engineering/-/issues/25403) to learn when the local `affinity` is implemented for `webservice` and `sidekiq`. + +With `affinity`, you can set either or both: + +- `podAntiAffinity` rules to: + - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. + - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred + (`preferredDuringSchedulingIgnoredDuringExecution`). 
Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is + applied or set it to `hard` so that the required mode is applied. +- `nodeAffinity` rules to: + - Schedule pods to nodes that belong to a specific zone or zones. + - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred + (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This + rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. + +`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). + +The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: + +```yaml +nodeAffinity: "hard" +antiAffinity: "hard" +affinity: + nodeAffinity: + key: "test.com/zone" + values: + - us-east1-a + - us-east1-b + podAntiAffinity: + topologyKey: "test.com/hostname" +``` diff --git a/chart/doc/charts/gitlab/kas/index.md b/chart/doc/charts/gitlab/kas/index.md index e8028b453..1b0300221 100644 --- a/chart/doc/charts/gitlab/kas/index.md +++ b/chart/doc/charts/gitlab/kas/index.md 
@@ -67,7 +67,7 @@ You can pass these parameters to the `helm install` command by using the `--set` | Parameter | Default | Description | | -------------------------------------------- | ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `affinity` | `{}` | [Affinity rules](#affinity) for pod assignment | +| `affinity` | `{}` | [Affinity rules](../index.md#affinity) for pod assignment | | `annotations` | `{}` | Pod annotations. | | `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | | `containerSecurityContext.runAsUser` | `65532` | Override container [securityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#securitycontext-v1-core) under which the container is started | 
@@ -208,34 +208,4 @@ Refer to the [KEDA documentation](https://keda.sh/docs/2.10/concepts/scaling-dep ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). 
diff --git a/chart/doc/charts/gitlab/mailroom/index.md b/chart/doc/charts/gitlab/mailroom/index.md index ea4f79269..8a1b4af7f 100644 --- a/chart/doc/charts/gitlab/mailroom/index.md +++ b/chart/doc/charts/gitlab/mailroom/index.md @@ -80,7 +80,7 @@ serviceAccount: | Parameter | Description | Default | | -------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -| `affinity` | `{}` | [Affinity rules](#affinity) for pod assignment | +| `affinity` | `{}` | [Affinity rules](../index.md#affinity) for pod assignment | | `deployment.strategy` | Allows one to configure the update strategy utilized by the deployment | `{}` | | `enabled` | Mailroom enablement flag | `true` | | `hpa.behavior` | Behavior contains the specifications for up- and downscaling behavior (requires `autoscaling/v2beta2` or higher) | `{scaleDown: {stabilizationWindowSeconds: 300 }}` | 
@@ -244,34 +244,4 @@ as described in the [secrets guide](../../../installation/secrets.md#imap-passwo ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). 
diff --git a/chart/doc/charts/gitlab/migrations/index.md b/chart/doc/charts/gitlab/migrations/index.md index 04f279c3e..fa243d860 100644 --- a/chart/doc/charts/gitlab/migrations/index.md +++ b/chart/doc/charts/gitlab/migrations/index.md @@ -46,7 +46,7 @@ Table below contains all the possible charts configurations that can be supplied | `init.image.containerSecurityContext` | init container securityContext overrides | `{}` | | `enabled` | Migrations enable flag | `true` | | `tolerations` | Toleration labels for pod assignment | `[]` | -| `affinity` | [Affinity rules](#affinity) for pod assignment | `{}` | +| `affinity` | [Affinity rules](../index.md#affinity) for pod assignment | `{}` | | `annotations` | Annotations for the job spec | `{}` | | `podAnnotations` | Annotations for the pob spec | `{}` | | `podLabels` | Supplemental Pod labels. Will not be used for selectors. | | 
@@ -139,37 +139,7 @@ image: ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). ## Using the Community Edition of this chart diff --git a/chart/doc/charts/gitlab/praefect/index.md b/chart/doc/charts/gitlab/praefect/index.md index bbbe7ae93..8009ed695 100644 
--- a/chart/doc/charts/gitlab/praefect/index.md +++ b/chart/doc/charts/gitlab/praefect/index.md @@ -298,7 +298,7 @@ the `helm install` command using the `--set` flags. | `metrics.separate_database_metrics` | `true` | If true then metrics scrapes will not perform database queries, setting to false [may cause performance problems](https://gitlab.com/gitlab-org/gitaly/-/issues/3796) | | `metrics.path` | `/metrics` | Metrics endpoint path | | `metrics.serviceMonitor.enabled` | `false` | If a ServiceMonitor should be created to enable Prometheus Operator to manage the metrics scraping, note that enabling this removes the `prometheus.io` scrape annotations | -| `affinity` | `{}` | [Affinity rules](#affinity) for pod assignment | +| `affinity` | `{}` | [Affinity rules](../index.md#affinity) for pod assignment | | `metrics.serviceMonitor.additionalLabels` | `{}` | Additional labels to add to the ServiceMonitor | | `metrics.serviceMonitor.endpointConfig` | `{}` | Additional endpoint configuration for the ServiceMonitor | | securityContext.runAsUser | 1000 | | 
@@ -309,34 +309,4 @@ the `helm install` command using the `--set` flags. ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). diff --git a/chart/doc/charts/gitlab/sidekiq/index.md b/chart/doc/charts/gitlab/sidekiq/index.md index 6d1a122f8..fc358ed9f 100644 
--- a/chart/doc/charts/gitlab/sidekiq/index.md +++ b/chart/doc/charts/gitlab/sidekiq/index.md @@ -576,8 +576,8 @@ places. This examples adds the following network policy: *Note the example provided is only an example and may not be complete* -_Note that the Sidekiq service requires outbound connectivity to the public -internet for images on [external object storage](../../../advanced/external-object-storage)_ +*Note that the Sidekiq service requires outbound connectivity to the public +internet for images on [external object storage](../../../advanced/external-object-storage)* ```yaml networkpolicy: diff --git a/chart/doc/charts/gitlab/spamcheck/index.md b/chart/doc/charts/gitlab/spamcheck/index.md index 9f47b171d..396dad920 100644 --- a/chart/doc/charts/gitlab/spamcheck/index.md +++ b/chart/doc/charts/gitlab/spamcheck/index.md @@ -47,7 +47,7 @@ The table below contains all the possible charts configurations that can be supp | Parameter | Default | Description | | ----------------------------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | -| `affinity` | `{}` | [Affinity rules](#affinity) for pod assignment | +| `affinity` | `{}` | [Affinity rules](../index.md#affinity) for pod assignment | | `annotations` | `{}` | Pod annotations | | `common.labels` | `{}` | Supplemental labels that are applied to all objects created by this chart. | | `deployment.livenessProbe.initialDelaySeconds` | 20 | Delay before liveness probe is initiated | 
@@ -155,37 +155,7 @@ tolerations: ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). ### annotations diff --git a/chart/doc/charts/gitlab/toolbox/index.md b/chart/doc/charts/gitlab/toolbox/index.md index f2ec97afc..f0debd80a 100644 
--- a/chart/doc/charts/gitlab/toolbox/index.md +++ b/chart/doc/charts/gitlab/toolbox/index.md @@ -67,7 +67,7 @@ gitlab: | Parameter | Description | Default | |---------------------------------------------|----------------------------------------------|------------------------------| -| `affinity` | [Affinity rules](#affinity) for pod assignment | `{}` | +| `affinity` | [Affinity rules](../index.md#affinity) for pod assignment | `{}` | | `annotations` | Annotations to add to the Toolbox Pods and Jobs | `{}` | | `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` | | `antiAffinityLabels.matchLabels` | Labels for setting anti-affinity options | | 
@@ -222,34 +222,4 @@ gitlab-rake gitlab:env:info ### affinity -`affinity` is an optional parameter that allows you to set either or both: - -- `podAntiAffinity` rules to: - - Not schedule pods in the same domain as the pods that match the expression corresponding to the `topology key`. - - Set two modes of `podAntiAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). Using the variable `antiAffinity` in `values.yaml`, set the setting to `soft` so that the preferred mode is - applied or set it to `hard` so that the required mode is applied. -- `nodeAffinity` rules to: - - Schedule pods to nodes that belong to a specific zone or zones. - - Set two modes of `nodeAffinity` rules: required (`requiredDuringSchedulingIgnoredDuringExecution`) and preferred - (`preferredDuringSchedulingIgnoredDuringExecution`). When set to `soft`, the preferred mode is applied. When set to `hard`, the required mode is applied. This - rule is implemented only for the `registry` chart and the `gitlab` chart alongwith all its subcharts except `webservice` and `sidekiq`. - -`nodeAffinity` only implements the [`In` operator](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#operators). - -For more information, see [the relevant Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). - -The following example sets `affinity`, with both `nodeAffinity` and `antiAffinity` set to `hard`: - -```yaml -nodeAffinity: "hard" -antiAffinity: "hard" -affinity: - nodeAffinity: - key: "test.com/zone" - values: - - us-east1-a - - us-east1-b - podAntiAffinity: - topologyKey: "test.com/hostname" -``` +For more information, see [`affinity`](../index.md#affinity). diff --git a/chart/doc/charts/globals.md b/chart/doc/charts/globals.md index d4c3441c7..7d397036d 100644 --- a/chart/doc/charts/globals.md 
+++ b/chart/doc/charts/globals.md @@ -47,6 +47,7 @@ for more information on how the global variables work. - [Pod priority and preemption](#pod-priority-and-preemption) - [Log rotation](#log-rotation) - [Jobs](#jobs) +- [Traefik](#traefik) ## Configure Host settings @@ -461,6 +462,9 @@ global: | Name | Type | Default | Description | |:------------------ |:-------:|:------- |:----------- | +| `connectTimeout` | Integer | | The number of seconds to wait for a Redis connection. If no value specified, the client defaults to 1 second. | +| `readTimeout` | Integer | | The number of seconds to wait for a Redis read. If no value is specified, the client defaults to 1 second. | +| `writeTimeout` | Integer | | The number of seconds to wait for a Redis write. If no value is specified, the client defaults to 1 second. | | `host` | String | | The hostname of the Redis server with the database to use. This can be omitted in lieu of `serviceName`. | | `serviceName` | String | `redis` | The name of the `service` which is operating the Redis database. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Redis as a part of the overall GitLab chart. | | `port` | Integer | `6379` | The port on which to connect to the Redis server. | @@ -841,7 +845,7 @@ Administrators can chose to use Gitaly nodes in the following ways: See [Repository Storage Paths](https://docs.gitlab.com/ee/administration/repository_storage_paths.html) documentation for details on managing which nodes will be used for new projects. -If `gitaly.host` is provided, `gitaly.internal` and `gitaly.external` properties will *be ignored*. +If `gitaly.host` is provided, `gitaly.internal` and `gitaly.external` properties will _be ignored_. See the [deprecated Gitaly settings](#deprecated-gitaly-settings). The Gitaly authentication token is expected to be identical for 
@@ -852,7 +856,7 @@ See [issue #1992](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1992) for The `internal` key currently consists of only one key, `names`, which is a list of [storage names](https://docs.gitlab.com/ee/administration/repository_storage_paths.html) -to be managed by the chart. For each listed name, *in logical order*, one pod will +to be managed by the chart. For each listed name, _in logical order_, one pod will be spawned, named `${releaseName}-gitaly-${ordinal}`, where `ordinal` is the index within the `names` list. If dynamic provisioning is enabled, the `PersistentVolumeClaim` will match. @@ -863,7 +867,7 @@ This list defaults to `['default']`, which provides for 1 pod related to one Manual scaling of this item is required, by adding or removing entries in `gitaly.internal.names`. When scaling down, any repository that has not been moved to another node will become unavailable. Since the Gitaly chart is a `StatefulSet`, -dynamically provisioned disks *will not* be reclaimed. This means the data disks +dynamically provisioned disks _will not_ be reclaimed. This means the data disks will persist, and the data on them can be accessed when the set is scaled up again by re-adding a node to the `names` list. 
@@ -913,9 +917,9 @@ All Gitaly nodes **must** share the same authentication token. | Name | Type | Default | Description | |:---------------------------- |:-------:|:------- |:----------- | -| `host` *(deprecated)* | String | | The hostname of the Gitaly server to use. This can be omitted in lieu of `serviceName`. If this setting is used, it will override any values of `internal` or `external`. | -| `port` *(deprecated)* | Integer | `8075` | The port on which to connect to the Gitaly server. | -| `serviceName` *(deprecated)* | String | | The name of the `service` which is operating the Gitaly server. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Gitaly as a part of the overall GitLab chart. | +| `host` _(deprecated)_ | String | | The hostname of the Gitaly server to use. This can be omitted in lieu of `serviceName`. If this setting is used, it will override any values of `internal` or `external`. | +| `port` _(deprecated)_ | Integer | `8075` | The port on which to connect to the Gitaly server. | +| `serviceName` _(deprecated)_ | String | | The name of the `service` which is operating the Gitaly server. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Gitaly as a part of the overall GitLab chart. | ### TLS settings 
@@ -1682,8 +1686,8 @@ Defaults to `[]`. This property has two sub-keys: `secret` and `key`: -- `secret`: *(required)* The name of a Kubernetes `Secret` containing the provider block. -- `key`: *(optional)* The name of the key in the `Secret` containing the provider block. +- `secret`: _(required)_ The name of a Kubernetes `Secret` containing the provider block. +- `key`: _(optional)_ The name of the key in the `Secret` containing the provider block. Defaults to `provider` Alternatively, if the provider has no other configuration than its name, you may @@ -2122,7 +2126,7 @@ The UBI-based `update-ca-trust` utility does not seem to have the same requireme You can provide any number of Secrets or ConfigMaps, each containing any number of keys that hold PEM-encoded CA certificates. These are configured as entries under `global.certificates.customCAs`. All keys are mounted unless `keys:` is provided with a list of specific keys to be mounted. All mounted keys across all Secrets and ConfigMaps must be unique. -The Secrets and ConfigMaps can be named in any fashion, but they *must not* contain key names that collide. +The Secrets and ConfigMaps can be named in any fashion, but they _must not_ contain key names that collide. ## Application Resource @@ -2588,3 +2592,17 @@ helm <command> <options> --set global.job.nameSuffixOverride=$(date +%Y-%m-%d-%H | Name | Type | Default | Description | | :--------------------| :--: | :------ | :-------------------------------------------------------- | | `nameSuffixOverride` | String | | Custom suffix to replace the automatically generated hash | + +## Traefik + +The Traefik settings can be configured via `globals.traefik`. + +```yaml +global: + traefik: + apiVersion: "" +``` + +| Name | Type | Default | Description | +| :------------| :----- | :------ | :------------------------------------------------------ | +| `apiVersion` | String | | Overrides the default `apiVersion` of Traefik resources | 
diff --git a/chart/doc/charts/minio/index.md b/chart/doc/charts/minio/index.md
index 2817ab166..0c3d6744c 100644
--- a/chart/doc/charts/minio/index.md
+++ b/chart/doc/charts/minio/index.md
@@ -241,7 +241,7 @@ defaultBuckets: | Name | Type | Default | Description | |:-------- |:-------:|:--------|:------------| -| `name` | String | | The name of the bucket that is created. The provided value should conform to [AWS bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html), meaning that it should be compliant with DNS and contain only the characters a-z, 0-9, and – (hyphen) in strings between 3 and 63 characters in length. The `name` property is _required_ for all entries. | +| `name` | String | | The name of the bucket that is created. The provided value should conform to [AWS bucket naming rules](https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html), meaning that it should be compliant with DNS and contain only the characters a-z, 0-9, and – (hyphen) in strings between 3 and 63 characters in length. The `name` property is *required* for all entries. | | `policy` | | `none` | The value of `policy` controls the access policy of the bucket on MinIO. The `policy` property is not required, and the default value is `none`. In regards to **anonymous** access, possible values are: `none` (no anonymous access), `download` (anonymous read-only access), `upload` (anonymous write-only access) or `public` (anonymous read/write access). | | `purge` | Boolean | | The `purge` property is provided as a means to cause any existing bucket to be removed with force, at installation time. This only comes into play when using a pre-existing `PersistentVolume` for the volumeName property of [persistence](#persistence). If you make use of a dynamically created `PersistentVolume`, this will have no valuable effect as it only happens at chart installation and there will be no data in the `PersistentVolume` that was just created. This property is not required, but you may specify this property with a value of `true` in order to cause a bucket to purged with force `mc rm -r --force`. | 
diff --git a/chart/doc/charts/nginx/fork.md b/chart/doc/charts/nginx/fork.md index 52c38ff8f..afbbadffe 100644 --- a/chart/doc/charts/nginx/fork.md +++ b/chart/doc/charts/nginx/fork.md @@ -42,3 +42,27 @@ The following adjustments were made to the NGINX fork: - `controller.service.enableShell`. - `controller.service.internal.enableShell`. (follows the exisiting chart pattern of `controller.service.enableHttp(s)`) +- Add the following new RBAC rules. This is necessary while our chart is on 4.0.6, but we've bumped the controller image to 1.11.2. Once we bring the chart to 4.11.2, we can remove this patch. It was required because the controller now uses endpointslices to track endpoints. + This was added to both: `charts/nginx-ingress/templates/clusterrole.yaml` and `charts/nginx-ingress/templates/controller-role.yaml`: + + ```yaml + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get + ``` + + Additionally, to support migration from v1.3.1 to v1.11.2, for those users that set their own RBAC rules, we've also + added these values which will be removed, once we drop the v1.3.1 fallback, which is scheduled for 8.8 release. + + ```yaml + controller: + image: + fallbackTag: "v1.3.1" + fallbackDigest: "sha256:54f7fe2c6c5a9db9a0ebf1131797109bb7a4d91f56b9b362bde2abd237dd1974" + disableFallback: false + ``` diff --git a/chart/doc/charts/registry/index.md b/chart/doc/charts/registry/index.md index 0e9b1c757..1378e3907 100644 --- a/chart/doc/charts/registry/index.md +++ b/chart/doc/charts/registry/index.md 
@@ -282,6 +282,7 @@ If you chose to deploy this chart as a standalone, remove the `registry` at the | `redis.rateLimiting.enabled` | `false` | When set to `true`, the Redis rate limiter is enabled. This feature is under development. | | `redis.rateLimiting.host` | `<Redis URL>` | The hostname of the Redis instance. If empty, the value will be filled as `global.redis.host:global.redis.port`. | | `redis.rateLimiting.port` | `6379` | The port of the Redis instance. | +| `redis.rateLimiting.cluster` | `[]` | List of addresses with host and port. | | `redis.rateLimiting.sentinels` | `[]` | List sentinels with host and port. | | `redis.rateLimiting.mainname` | | The main server name. Only applicable for Sentinel. | | `redis.rateLimiting.username` | | The username used to connect to the Redis instance. | @@ -958,16 +959,13 @@ profiling: ### database -DETAILS: -**Status:** Beta - > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5521) in GitLab 16.4 as a [beta](https://docs.gitlab.com/ee/policy/experiment-beta-support.html#beta) feature. +> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/423459) in GitLab 17.3. The `database` property is optional and enables the [metadata database](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#database). -This is a [beta](https://docs.gitlab.com/ee/policy/experiment-beta-support.html#beta) feature. -See the [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/423459) -and associated documentation before enabling this feature. +See the [administration documentation](https://docs.gitlab.com/ee/administration/packages/container_registry_metadata_database.html) +before enabling this feature. NOTE: This feature requires PostgreSQL 12 or newer. 
@@ -1013,11 +1011,6 @@ more information about creating the database. The `gc` property provides [online garbage collection](https://gitlab.com/gitlab-org/container-registry/-/blob/master/docs/configuration.md#gc) options. -NOTE: -The online garbage collection is a beta feature from version 16.4 and later. Please -review the [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/423459) -and associated documentation before enabling this feature. - Online garbage collection requires the [metadata database](#database) to be enabled. You must use online garbage collection when using the database, though you can temporarily disable online garbage collection for maintenance and debugging. @@ -1072,6 +1065,23 @@ redis: idletimeout: 300s ``` +#### Cluster + +The `redis.rateLimiting.cluster` property is a list of hosts and ports +to connect to a Redis cluster. For example: + +```yaml +redis: + cache: + enabled: true + host: redis.example.com + cluster: + - host: host1.example.com + port: 6379 + - host: host2.example.com + port: 6379 +``` + #### Sentinels The `redis.cache` can use the `global.redis.sentinels` configuration. Local values can be provided and diff --git a/chart/doc/charts/registry/metadata_database.md b/chart/doc/charts/registry/metadata_database.md index 302179701..ddc7274f5 100644 --- a/chart/doc/charts/registry/metadata_database.md +++ b/chart/doc/charts/registry/metadata_database.md 
@@ -9,9 +9,9 @@ info: To determine the technical writer assigned to the Stage/Group associated w DETAILS: **Tier:** Free, Premium, Ultimate **Offering:** Self-managed -**Status:** Beta > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/5521) in GitLab 16.4 as a [beta](https://docs.gitlab.com/ee/policy/experiment-beta-support.html#beta) feature. +> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/423459) in GitLab 17.3. The metadata database enables many new registry features, including online garbage collection, and increases the efficiency of many registry operations. @@ -22,7 +22,8 @@ This page contains information on how to create the database. You can migrate existing registries to the metadata database, and use online garbage collection. Some database-enabled features are only enabled for GitLab.com and automatic database provisioning for -the registry database is not available. Review the feature support table in the [feedback issue](https://gitlab.com/gitlab-org/gitlab/-/issues/423459#supported-feature-status) +the registry database is not available. Review the feature support section in the +[administration documentation](https://docs.gitlab.com/ee/administration/packages/container_registry_metadata_database.html#metadata-database-feature-support) for the status of features related to the container registry database. ## Create the database @@ -86,7 +87,7 @@ there will be some variation in how you connect. Prerequisites: -- GitLab 16.4 or later. +- GitLab 17.3 or later. - PostgreSQL database version 12 or later, accessible from the registry pods. - Access to the Kubernetes cluster and the Helm deployment locally. - SSH access to the registry pods. diff --git a/chart/doc/development/index.md b/chart/doc/development/index.md index e5c4b3311..499b93e43 100644 --- a/chart/doc/development/index.md +++ b/chart/doc/development/index.md 
@@ -179,7 +179,7 @@ can not resolve the MinIO domain name and find the correct endpoint (you can see Developers may encounter unique issues while working on new chart features. [Refer to the troubleshooting guide](troubleshooting.md) for -information if your **_development_** cluster seems to have strange issues. +information if your ***development*** cluster seems to have strange issues. NOTE: The troubleshooting steps outlined in the link above are for development diff --git a/chart/doc/installation/command-line-options.md b/chart/doc/installation/command-line-options.md index db7e6e4f9..0f3f35441 100644 --- a/chart/doc/installation/command-line-options.md +++ b/chart/doc/installation/command-line-options.md @@ -232,6 +232,9 @@ See the [instructions for creating secrets](secrets.md). | `nginx-ingress.rbac.createRole` | Create and use namespaced role | true | | `prometheus.rbac.create` | Create and use RBAC resources | true | +If you're setting `nginx-ingress.rbac.create` to `false` to configure the RBAC rules by yourself, on +GitLab chart v8.5.0+, you'll [need to also configure extra rules](../releases/8_0.md#upgrade-to-85x). + ## Advanced NGINX Ingress configuration Prefix NGINX Ingress values with `nginx-ingress`. For example, set the controller image tag using `nginx-ingress.controller.image.tag`. diff --git a/chart/doc/installation/deployment.md b/chart/doc/installation/deployment.md index 33278b488..52715cf41 100644 --- a/chart/doc/installation/deployment.md +++ b/chart/doc/installation/deployment.md @@ -36,8 +36,7 @@ helm upgrade --install gitlab gitlab/gitlab \ --timeout 600s \ --set global.hosts.domain=example.com \ --set global.hosts.externalIP=10.10.10.10 \ - --set certmanager-issuer.email=me@example.com \ - --set postgresql.image.tag=13.6.0 + --set certmanager-issuer.email=me@example.com ``` Note the following: 
@@ -93,7 +92,7 @@ kubectl get secret <name>-gitlab-initial-root-password -ojsonpath='{.data.passwo By default, the Helm charts use the Enterprise Edition of GitLab. The Enterprise Edition is a free, open core version of GitLab with the option of upgrading to a paid tier to unlock additional features. If desired, you can instead use the Community Edition which is licensed under the MIT Expat license. Learn more about the [difference between the two](https://about.gitlab.com/install/ce-or-ee/). -*To deploy the Community Edition, include this option in your Helm install command:* +_To deploy the Community Edition, include this option in your Helm install command:_ ```shell --set global.edition=ce diff --git a/chart/doc/installation/migration/package_to_helm.md b/chart/doc/installation/migration/package_to_helm.md index 1a29d4f80..74089495d 100644 --- a/chart/doc/installation/migration/package_to_helm.md +++ b/chart/doc/installation/migration/package_to_helm.md 
@@ -44,10 +44,10 @@ Before the migration, a few prerequisites must be met: 1. [Create a backup tarball](https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html) and [exclude all the already migrated directories](https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#excluding-specific-directories-from-the-backup). - The backup file will be stored under `/var/opt/gitlab/backups`, unless you - [explicitly changed](https://docs.gitlab.com/omnibus/settings/backups.html#manually-manage-backup-directory) - it. - + For local backups (default), the backup file is stored under `/var/opt/gitlab/backups`, unless you + [explicitly changed the location](https://docs.gitlab.com/omnibus/settings/backups.html#manually-manage-backup-directory). + For [remote storage backups](https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#upload-backups-to-a-remote-cloud-storage), + the backup file is stored in the configured bucket. 1. [Restore from the package-based installation](../../backup-restore/restore.md) to the Helm chart, starting with the secrets. You will need to migrate the values of `/etc/gitlab/gitlab-secrets.json` to the YAML file that will be diff --git a/chart/doc/installation/version_mappings.md b/chart/doc/installation/version_mappings.md index fec8ac100..f3b842594 100644 --- a/chart/doc/installation/version_mappings.md +++ b/chart/doc/installation/version_mappings.md 
@@ -33,24 +33,30 @@ The table below maps some of the key previous supported chart versions and suppo | Chart version | GitLab version | |---------------|----------------| -| 8.2.9 | 17.2.9 | -| 8.2.8 | 17.2.8 | -| 8.2.7 | 17.2.7 | -| 8.2.6 | 17.2.6 | -| 8.2.5 | 17.2.5 | -| 8.2.4 | 17.2.4 | -| 8.2.3 | 17.2.3 | +| 8.3.6 | 17.3.6 | +| 8.3.5 | 17.3.5 | +| 8.3.4 | 17.3.4 | +| 8.3.3 | 17.3.3 | +| 8.3.2 | 17.3.2 | +| 8.3.1 | 17.3.1 | +| 8.3.0 | 17.3.6 | | 8.2.2 | 17.2.2 | | 8.2.1 | 17.2.1 | | 8.2.0 | 17.2.0 | +| 8.1.4 | 17.1.4 | +| 8.1.3 | 17.1.3 | | 8.1.2 | 17.1.2 | | 8.1.1 | 17.1.1 | | 8.1.0 | 17.1.0 | +| 8.0.6 | 17.0.6 | +| 8.0.5 | 17.0.5 | | 8.0.4 | 17.0.4 | | 8.0.3 | 17.0.3 | | 8.0.2 | 17.0.2 | | 8.0.1 | 17.0.1 | | 8.0.0 | 17.0.0 | +| 7.11.8 | 16.11.8 | +| 7.11.7 | 16.11.7 | | 7.11.6 | 16.11.6 | | 7.11.5 | 16.11.5 | | 7.11.4 | 16.11.4 | @@ -58,6 +64,7 @@ The table below maps some of the key previous supported chart versions and suppo | 7.11.2 | 16.11.2 | | 7.11.1 | 16.11.1 | | 7.11.0 | 16.11.0 | +| 7.10.9 | 16.10.9 | | 7.10.8 | 16.10.8 | | 7.10.7 | 16.10.7 | | 7.10.6 | 16.10.6 | @@ -67,6 +74,7 @@ The table below maps some of the key previous supported chart versions and suppo | 7.10.2 | 16.10.2 | | 7.10.1 | 16.10.1 | | 7.10.0 | 16.10.0 | +| 7.9.10 | 16.9.10 | | 7.9.9 | 16.9.9 | | 7.9.8 | 16.9.8 | | 7.9.7 | 16.9.7 | @@ -77,6 +85,7 @@ The table below maps some of the key previous supported chart versions and suppo | 7.9.2 | 16.9.2 | | 7.9.1 | 16.9.1 | | 7.9.0 | 16.9.0 | +| 7.8.9 | 16.8.9 | | 7.8.8 | 16.8.8 | | 7.8.7 | 16.8.7 | | 7.8.6 | 16.8.6 | @@ -86,6 +95,7 @@ The table below maps some of the key previous supported chart versions and suppo | 7.8.2 | 16.8.2 | | 7.8.1 | 16.8.1 | | 7.8.0 | 16.8.0 | +| 7.7.9 | 16.7.9 | | 7.7.8 | 16.7.8 | | 7.7.7 | 16.7.7 | | 7.7.6 | 16.7.6 | 
@@ -95,6 +105,7 @@ The table below maps some of the key previous supported chart versions and suppo | 7.7.2 | 16.7.2 | | 7.7.1 | 16.7.1 | | 7.7.0 | 16.7.0 | +| 7.6.9 | 16.6.9 | | 7.6.8 | 16.6.8 | | 7.6.7 | 16.6.7 | | 7.6.6 | 16.6.6 | @@ -104,6 +115,7 @@ The table below maps some of the key previous supported chart versions and suppo | 7.6.2 | 16.6.2 | | 7.6.1 | 16.6.1 | | 7.6.0 | 16.6.0 | +| 7.5.9 | 16.5.9 | | 7.5.8 | 16.5.8 | | 7.5.7 | 16.5.7 | | 7.5.6 | 16.5.6 | @@ -113,12 +125,14 @@ The table below maps some of the key previous supported chart versions and suppo | 7.5.2 | 16.5.2 | | 7.5.1 | 16.5.1 | | 7.5.0 | 16.5.0 | +| 7.4.6 | 16.4.6 | | 7.4.5 | 16.4.5 | | 7.4.4 | 16.4.4 | | 7.4.3 | 16.4.3 | | 7.4.2 | 16.4.2 | | 7.4.1 | 16.4.1 | | 7.4.0 | 16.4.0 | +| 7.3.8 | 16.3.8 | | 7.3.7 | 16.3.7 | | 7.3.6 | 16.3.6 | | 7.3.5 | 16.3.5 | @@ -127,6 +141,7 @@ The table below maps some of the key previous supported chart versions and suppo | 7.3.2 | 16.3.2 | | 7.3.1 | 16.3.1 | | 7.3.0 | 16.3.0 | +| 7.2.10 | 16.2.10 | | 7.2.9 | 16.2.9 | | 7.2.8 | 16.2.8 | | 7.2.7 | 16.2.7 | @@ -137,6 +152,7 @@ The table below maps some of the key previous supported chart versions and suppo | 7.2.2 | 16.2.2 | | 7.2.1 | 16.2.1 | | 7.2.0 | 16.2.0 | +| 7.1.7 | 16.1.7 | | 7.1.6 | 16.1.6 | | 7.1.5 | 16.1.5 | | 7.1.4 | 16.1.4 | @@ -144,6 +160,7 @@ The table below maps some of the key previous supported chart versions and suppo | 7.1.2 | 16.1.2 | | 7.1.1 | 16.1.1 | | 7.1.0 | 16.1.0 | +| 7.0.9 | 16.0.9 | | 7.0.8 | 16.0.8 | | 7.0.7 | 16.0.7 | | 7.0.6 | 16.0.6 | diff --git a/chart/doc/releases/8_0.md b/chart/doc/releases/8_0.md index 5fde79732..becaf7b7e 100644 --- a/chart/doc/releases/8_0.md +++ b/chart/doc/releases/8_0.md 
@@ -20,6 +20,33 @@ See [GitLab 17 changes](https://docs.gitlab.com/ee/update/versions/gitlab_17_cha To upgrade to the `8.0` version of the chart, you first need to upgrade to the latest `7.11.x` release of the chart. Check the [version mapping details](../installation/version_mappings.md) for the latest patch. +### Upgrade to 8.5.x + +If you haven't modified the GitLab chart `nginx-ingress.rbac.create` value, or it's set to `true`, +you can skip this section. + +In v8.5.0, the Ingress NGINX Controller image was bumped to v1.11.2, but the Ingress NGINX Controller chart version is +still on 4.0.6. The old `v1.3.1` controller image is now deprecated and schedule for removal in GitLab chart 8.8. + +By default the `v1.11.2` will be set. The chart will automatically fallback to `v1.3.1` if the you're setting +`nginx-ingress.rbac.create` to `false`. This is because `v1.11.2` requires new RBAC rules, which we added to our +[NGINX forked chart](../charts/nginx/fork.md). + +If you're using managing NGINX RBAC rules by yourself, and want to use the new `v1.11.2`, apply +[the new RBAC rules to your cluster](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/3901/diffs?commit_id=93a3cbdb5ad83db95e12fa6c2145df0800493d8b) +, and enable `v1.11.2` with: + +```yaml +nginx-ingress: + rbac: + create: false + controller: + image: + disableFallback: true +``` + +If you're setting `nginx-ingress-geo.rbac.create: false`, the same applies. + ### Runner workflow changes The legacy runner registration workflow is now disabled by default. You must diff --git a/chart/doc/troubleshooting/index.md b/chart/doc/troubleshooting/index.md index e084e0308..d1413ec60 100644 --- a/chart/doc/troubleshooting/index.md +++ b/chart/doc/troubleshooting/index.md 
@@ -300,6 +300,8 @@ To fix this, either: Note that for optional keys, an empty map (`{}`) is a valid value. +<!-- markdownlint-disable line-length --> + ## Restoration failure: `ERROR: cannot drop view pg_stat_statements because extension pg_stat_statements requires it` You may face this error when restoring a backup on your Helm chart instance. Use the following steps as a workaround: @@ -328,6 +330,8 @@ follow the same steps above to drop and re-create it. You can find more details about this error in issue [#2469](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2469). +<!-- markdownlint-enable line-length --> + ## Bundled PostgreSQL pod fails to start: `database files are incompatible with server` The following error message may appear in the bundled PostgreSQL pod after upgrading to a new version of the GitLab Helm chart: diff --git a/chart/doc/troubleshooting/kubernetes_cheat_sheet.md b/chart/doc/troubleshooting/kubernetes_cheat_sheet.md index e8933ff81..15f55a9ea 100644 --- a/chart/doc/troubleshooting/kubernetes_cheat_sheet.md +++ b/chart/doc/troubleshooting/kubernetes_cheat_sheet.md @@ -2,6 +2,7 @@ stage: Systems group: Distribution info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments +ignore_in_report: true --- # Kubernetes cheat sheet diff --git a/chart/examples/ubi/values.yaml b/chart/examples/ubi/values.yaml index 8205704bf..50624ddaa 100644 --- a/chart/examples/ubi/values.yaml +++ b/chart/examples/ubi/values.yaml @@ -31,7 +31,7 @@ global: image: pullPolicy: Always # You can drop this if you're using release tags. - tagSuffix: -ubi9 + tagSuffix: -ubi # -ubi8 for GitLab 17.2 and earlier # See: https://gitlab.com/gitlab-org/charts/gitlab/blob/master/doc/installation/tls.md#option-2-use-your-own-wildcard-certificate ingress: diff --git a/chart/requirements.lock b/chart/requirements.lock index 9e767bf41..125611c09 100644 
--- a/chart/requirements.lock +++ b/chart/requirements.lock @@ -22,7 +22,7 @@ dependencies: version: 12.5.2 - name: gitlab-runner repository: https://charts.gitlab.io/ - version: 0.67.0 + version: 0.68.0 - name: redis repository: https://charts.bitnami.com/bitnami version: 16.13.2 @@ -44,5 +44,5 @@ dependencies: - name: kubernetes-ingress repository: https://haproxytech.github.io/helm-charts version: 1.32.0 -digest: sha256:642f2e9e5128bfb4a30a2ee52e8cb65ffbc8bf646dde8a6fd45ff2ba4ed179ce -generated: "2024-08-27T11:52:01.979946-04:00" +digest: sha256:fcd079349bece4434313e692c222833250c0d4391aa9d06c5dc50f4a79df2375 +generated: "2024-10-28T13:29:21.577997-05:00" diff --git a/chart/requirements.yaml b/chart/requirements.yaml index d459424a2..be9873f82 100644 --- a/chart/requirements.yaml +++ b/chart/requirements.yaml @@ -21,7 +21,7 @@ dependencies: repository: https://charts.bitnami.com/bitnami condition: postgresql.install - name: gitlab-runner - version: 0.67.0 + version: 0.68.0 repository: https://charts.gitlab.io/ condition: gitlab-runner.install - name: redis diff --git a/chart/spec/configuration/gitaly_spec.rb b/chart/spec/configuration/gitaly_spec.rb index 49823e999..fd9e36e7f 100644 --- a/chart/spec/configuration/gitaly_spec.rb +++ b/chart/spec/configuration/gitaly_spec.rb @@ -267,7 +267,7 @@ describe 'Gitaly configuration' do config = t.dig('ConfigMap/test-gitaly', 'data', 'config.toml.tpl') toml = render_toml(config, 'HOSTNAME' => 'default') - expect(toml.keys).to match_array(%w[auth bin_dir git gitlab gitlab-shell hooks listen_addr logging prometheus_listen_addr storage]) + expect(toml.keys).to match_array(%w[auth bin_dir git gitlab gitlab-shell hooks listen_addr logging prometheus_listen_addr storage graceful_restart_timeout]) expect(toml['storage']).to eq([{ 'name' => 'default', 'path' => '/home/git/repositories' }]) expect(toml['auth']['token'].length).to eq(32) end 
@@ -311,7 +311,7 @@ describe 'Gitaly configuration' do config = t.dig('ConfigMap/test-gitaly-praefect', 'data', 'config.toml.tpl') toml = render_toml(config, 'HOSTNAME' => 'test-gitaly-default-0') - expect(toml.keys).to match_array(%w[auth bin_dir git gitlab gitlab-shell hooks listen_addr logging prometheus_listen_addr storage]) + expect(toml.keys).to match_array(%w[auth bin_dir git gitlab gitlab-shell hooks listen_addr logging prometheus_listen_addr storage graceful_restart_timeout]) expect(toml['storage']).to eq([{ 'name' => 'test-gitaly-default-0', 'path' => '/home/git/repositories' }]) expect(toml['auth']['token'].length).to eq(32) end 
@@ -681,4 +681,83 @@ describe 'Gitaly configuration' do end end end + + context 'gracefulRestartTimeout' do + let(:values) do + YAML.safe_load(%( + gitlab: + gitaly: + gracefulRestartTimeout: #{graceful_restart_timeout} + )).merge(default_values) + end + + let(:gitaly_stateful_set) { 'StatefulSet/test-gitaly' } + let(:gitaly_configmap) { 'ConfigMap/test-gitaly' } + + context 'when default' do + let(:graceful_restart_timeout) {} + + it 'sets pod termination grace period' do + t = HelmTemplate.new(values) + # STS + gitaly_set = t.resources_by_kind('StatefulSet').select { |key| key == gitaly_stateful_set } + gitaly_termination_grace_period = gitaly_set[gitaly_stateful_set]['spec']['template']['spec']['terminationGracePeriodSeconds'] + + expect(gitaly_termination_grace_period).to eq(30) + end + + it 'sets gitaly config termination grace period' do + t = HelmTemplate.new(values) + # ConfigMap + gitaly_config = t.resources_by_kind('ConfigMap').select { |key| key == gitaly_configmap } + config_toml = gitaly_config[gitaly_configmap]['data']['config.toml.tpl'] + + expect(config_toml).to include "graceful_restart_timeout = \"25s\"" + end + end + + context 'when seconds' do + let(:graceful_restart_timeout) { 45 } + + it 'sets pod termination grace period' do + t = HelmTemplate.new(values) + # STS + gitaly_set = t.resources_by_kind('StatefulSet').select { |key| key == gitaly_stateful_set } + gitaly_termination_grace_period = gitaly_set[gitaly_stateful_set]['spec']['template']['spec']['terminationGracePeriodSeconds'] + + expect(gitaly_termination_grace_period).to eq(50) + end + + it 'sets gitaly config termination grace period' do + t = HelmTemplate.new(values) + # ConfigMap + gitaly_config = t.resources_by_kind('ConfigMap').select { |key| key == gitaly_configmap } + config_toml = gitaly_config[gitaly_configmap]['data']['config.toml.tpl'] + + expect(config_toml).to include "graceful_restart_timeout = \"45s\"" + end + end + + context 'when minutes' do + 
let(:graceful_restart_timeout) { 120 } + + it 'sets pod termination grace period' do + t = HelmTemplate.new(values) + # STS + gitaly_set = t.resources_by_kind('StatefulSet').select { |key| key == gitaly_stateful_set } + gitaly_termination_grace_period = gitaly_set[gitaly_stateful_set]['spec']['template']['spec']['terminationGracePeriodSeconds'] + + expect(gitaly_termination_grace_period).to eq(125) + end + + it 'sets gitaly config termination grace period' do + t = HelmTemplate.new(values) + # ConfigMap + gitaly_config = t.resources_by_kind('ConfigMap').select { |key| key == gitaly_configmap } + config_toml = gitaly_config[gitaly_configmap]['data']['config.toml.tpl'] + + expect(config_toml).to include "graceful_restart_timeout = \"2m0s\"" + end + end + end end diff --git a/chart/spec/configuration/gitlab_exporter_spec.rb b/chart/spec/configuration/gitlab_exporter_spec.rb index 670534cee..d5550ff29 100644 --- a/chart/spec/configuration/gitlab_exporter_spec.rb +++ b/chart/spec/configuration/gitlab_exporter_spec.rb @@ -23,7 +23,10 @@ describe 'gitlab-exporter configuration' do let(:password) { ERB::Util.url_encode(RuntimeTemplate::JUNK_PASSWORD) } def render_erb(raw_template) - yaml = RuntimeTemplate.erb(raw_template: raw_template, files: RuntimeTemplate.mock_files) + files = RuntimeTemplate.mock_files + files['/etc/gitlab/redis/queues-password'] = RuntimeTemplate::JUNK_PASSWORD + + yaml = RuntimeTemplate.erb(raw_template: raw_template, files: files) YAML.safe_load(yaml, aliases: true) end 
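Review bot: Every example in the new `gracefulRestartTimeout` context repeats `t = HelmTemplate.new(values)` and then filters `resources_by_kind(...)` down to one key, while the earlier examples in this file read the same data with `t.dig('ConfigMap/test-gitaly', 'data', 'config.toml.tpl')`. A shared `let(:t) { HelmTemplate.new(values) }` and `t.dig(gitaly_stateful_set, 'spec', 'template', 'spec', 'terminationGracePeriodSeconds')` would remove the duplication. The expected pairs (30/25, 50/45, 125/120) imply the pod grace period is the Gitaly timeout plus five seconds, but nothing says so; a comment such as `# pod terminationGracePeriodSeconds = gracefulRestartTimeout + 5s` would explain the numbers. The values are combined with `.merge(default_values)`, a shallow merge, whereas other specs in this patch use `deep_merge`; that is only safe while the defaults carry no `gitlab` key.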
@@ -108,6 +111,35 @@ describe 'gitlab-exporter configuration' do ]) end + context 'when Redis Sentinel is defined for the queues config' do + let(:values) do + YAML.safe_load(%( + redis: + install: false + global: + redis: + host: global.host + queues: + host: queues.redis.host + sentinels: + - host: sentinel1.example.com + port: 26379 + - host: sentinel2.example.com + port: 26379 + )).deep_merge(default_values) + end + + it 'configures Sentinels' do + expect(template.exit_code).to eq(0), "Unexpected error code #{template.exit_code} -- #{template.stderr}" + expect(sidekiq_config['opts']['redis_url']).to eq("redis://:#{password}@queues.redis.host:6379") + expect(sidekiq_config['opts']['redis_sentinels']).to eq( + [ + { 'host' => 'sentinel1.example.com', 'port' => 26379 }, + { 'host' => 'sentinel2.example.com', 'port' => 26379 } + ]) + end + end + context 'with Sentinel password as secret' do let(:values) do YAML.safe_load(%( diff --git a/chart/spec/configuration/gitlab_shell_spec.rb b/chart/spec/configuration/gitlab_shell_spec.rb index edbf1a102..19804a8b6 100644 --- a/chart/spec/configuration/gitlab_shell_spec.rb +++ b/chart/spec/configuration/gitlab_shell_spec.rb 
@@ -178,4 +178,53 @@ describe 'gitlab-shell configuration' do expect(t.dig('ServiceAccount/test-gitlab-shell', 'metadata', 'labels')).to include('global' => 'shell') end end + + context 'for LFS Pure SSH protocol support' do + let(:lfs_pure_ssh_protocol) { nil } + + let(:values) do + YAML.safe_load(%( + gitlab: + gitlab-shell: + config: + lfs: + pureSSHProtocol: #{lfs_pure_ssh_protocol} + )).deep_merge(default_values) + end + + let(:config) { t.dig('ConfigMap/test-gitlab-shell', 'data', 'config.yml.tpl') } + + let(:rendered_config) do + rendered = RuntimeTemplate.gomplate(raw_template: config) + YAML.safe_load(rendered, aliases: true) + end + + context 'when unset' do + it 'renders lfs.pure_ssh_protocol as disabled by default' do + expect_successful_exit_code + + expect(rendered_config['lfs']['pure_ssh_protocol']).to eq(false) + end + end + + context 'when disabled' do + let(:lfs_pure_ssh_protocol) { false } + + it 'renders lfs.pure_ssh_protocol as disabled' do + expect_successful_exit_code + + expect(rendered_config['lfs']['pure_ssh_protocol']).to eq(false) + end + end + + context 'when enabled' do + let(:lfs_pure_ssh_protocol) { true } + + it 'renders lfs.pure_ssh_protocol as enabled' do + expect_successful_exit_code + + expect(rendered_config['lfs']['pure_ssh_protocol']).to eq(true) + end + end + end end diff --git a/chart/spec/configuration/kas_spec.rb b/chart/spec/configuration/kas_spec.rb index 68829a143..50c637080 100644 --- a/chart/spec/configuration/kas_spec.rb +++ b/chart/spec/configuration/kas_spec.rb 
@@ -301,7 +301,21 @@ describe 'kas configuration' do end context 'when redisConfigName is empty' do - context 'when global redis has no password' do + context 'when global redis has a username' do + let(:kas_values) do + default_kas_values.deep_merge!(YAML.safe_load(%( + global: + redis: + user: redis-user + ))) + end + + it 'sets username' do + expect(config_yaml_data.dig('redis', 'username')).to eq('redis-user') + end + end + + context 'when global redis has no password or user' do let(:kas_values) do default_kas_values.deep_merge!(YAML.safe_load(%( global: @@ -311,8 +325,9 @@ describe 'kas configuration' do ))) end - it 'does not set password_file' do + it 'does not set password_file or username' do expect(config_yaml_data['redis']).not_to have_key("password_file") + expect(config_yaml_data['redis']).not_to have_key("username") end end diff --git a/chart/spec/configuration/pages_spec.rb b/chart/spec/configuration/pages_spec.rb index 2626775fe..8d2e04242 100644 --- a/chart/spec/configuration/pages_spec.rb +++ b/chart/spec/configuration/pages_spec.rb @@ -39,6 +39,11 @@ describe 'GitLab Pages' do HelmTemplate.new(values.merge(pages_enabled_values)) end + it 'renders cert-manager.io/issuer annotation correctly' do + annotations = pages_enabled_template.dig('Ingress/test-webservice-default', 'metadata', 'annotations') + expect(annotations).to include({ 'cert-manager.io/issuer' => 'test-issuer' }) + end + it 'creates all pages related required_resources' do required_resources.each do |resource| resource_name = "#{resource}/test-gitlab-pages" @@ -508,6 +513,9 @@ describe 'GitLab Pages' do rateLimitTLSSourceIPBurst: 51 rateLimitTLSDomain: 1000.5 rateLimitTLSDomainBurst: 20001 + rateLimitSubnetsAllowList: + - "10.1.1.0/24" + - "10.1.2.0/24" serverReadTimeout: 1h serverReadHeaderTimeout: 2h serverWriteTimeout: 3h 
@@ -562,6 +570,7 @@ describe 'GitLab Pages' do rate-limit-tls-source-ip-burst=51 rate-limit-tls-domain=1000.5 rate-limit-tls-domain-burst=20001 + rate-limit-subnets-allow-list=10.1.1.0/24,10.1.2.0/24 server-read-timeout=1h server-read-header-timeout=2h server-write-timeout=3h diff --git a/chart/spec/configuration/redis_spec.rb b/chart/spec/configuration/redis_spec.rb index 25676c0e1..dd5db4230 100644 --- a/chart/spec/configuration/redis_spec.rb +++ b/chart/spec/configuration/redis_spec.rb @@ -1,5 +1,6 @@ require 'spec_helper' require 'helm_template_helper' +require 'runtime_template_helper' require 'yaml' describe 'Redis configuration' do 
@@ -7,6 +8,45 @@ describe 'Redis configuration' do HelmTemplate.defaults end + let(:template) { HelmTemplate.new(values) } + let(:resque_yml_erb) { template.dig('ConfigMap/test-webservice', 'data', 'resque.yml.erb') } + let(:resque_yml) { render_erb(resque_yml_erb) } + + def render_erb(raw_template) + yaml = RuntimeTemplate.erb(raw_template: raw_template, files: RuntimeTemplate.mock_files) + YAML.safe_load(yaml, aliases: true) + end + + describe 'global.redis.{connect,read,write}Timeout' do + context 'default values' do + let(:values) { default_values } + + it 'renders no timeout values' do + expect(template.exit_code).to eq(0), "Unexpected error code #{template.exit_code} -- #{template.stderr}" + expect(resque_yml["production"].keys).not_to include("connect_timeout", "read_timeout", "write_timeout") + end + end + + context 'timeouts set' do + let(:values) do + YAML.safe_load(%( + global: + redis: + connectTimeout: 3 + readTimeout: 4 + writeTimeout: 5 + )).merge(default_values) + end + + it 'renders {connect,read,write}_timeout values' do + expect(template.exit_code).to eq(0), "Unexpected error code #{template.exit_code} -- #{template.stderr}" + expect(resque_yml.dig('production', 'connect_timeout')).to eq(3) + expect(resque_yml.dig('production', 'read_timeout')).to eq(4) + expect(resque_yml.dig('production', 'write_timeout')).to eq(5) + end + end + end + describe 'global.redis.auth.enabled' do let(:values) do YAML.safe_load(%( 
@@ -659,6 +699,40 @@ describe 'Redis configuration' do end end + context 'When timeouts are defined' do + let(:values) do + YAML.safe_load(%( + global: + redis: + connectTimeout: 3 + readTimeout: 4 + writeTimeout: 5 + host: resque.redis + auth: + enabled: false + clusterCache: + user: cluster-cache-user + password: + enabled: true + cluster: + - host: s1.cluster-cache.redis + - host: s2.cluster-cache.redis + redis: + install: false + )).merge(default_values) + end + + let(:redis_cluster_yml_erb) { template.dig('ConfigMap/test-webservice', 'data', 'redis.cluster_cache.yml.erb') } + let(:redis_cluster_yml) { render_erb(redis_cluster_yml_erb) } + + it 'timeouts are populated' do + expect(template.exit_code).to eq(0), "Unexpected error code #{template.exit_code} -- #{template.stderr}" + expect(redis_cluster_yml.dig('production', 'connect_timeout')).to eq(3) + expect(redis_cluster_yml.dig('production', 'read_timeout')).to eq(4) + expect(redis_cluster_yml.dig('production', 'write_timeout')).to eq(5) + end + end + context 'When top level user and password are defined' do let(:values) do YAML.safe_load(%( diff --git a/chart/spec/configuration/registry_spec.rb b/chart/spec/configuration/registry_spec.rb index e171e366b..30a65a9b3 100644 --- a/chart/spec/configuration/registry_spec.rb +++ b/chart/spec/configuration/registry_spec.rb 
@@ -945,6 +945,70 @@ describe 'registry configuration' do end end + context 'when customer provides a redis rate-limiting cluster configuration' do + let(:values) do + YAML.safe_load(%( + registry: + redis: + rateLimiting: + enabled: true + cluster: + - host: redis1.cluster.example.com + port: 16379 + - host: redis2.cluster.example.com + )).deep_merge(default_values) + end + + it 'populates the redis rate-limiter settings with the list of host:port' do + t = HelmTemplate.new(values) + expect(t.exit_code).to eq(0), "Unexpected error code #{t.exit_code} -- #{t.stderr}" + expect(t.dig('ConfigMap/test-registry', 'data', 'config.yml.tpl')).to include( + <<~CONFIG + redis: + ratelimiter: + enabled: true + addr: "redis1.cluster.example.com:16379,redis2.cluster.example.com:6379" + CONFIG + ) + end + end + + context 'when customer provides a redis rate-limiting cluster configuration in presense of global sentinels' do + let(:values) do + YAML.safe_load(%( + global: + redis: + host: redis.example.com + sentinels: + - host: global1.example.com + port: 26379 + - host: global2.example.com + port: 26379 + registry: + redis: + rateLimiting: + enabled: true + cluster: + - host: redis1.cluster.example.com + port: 16379 + - host: redis2.cluster.example.com + )).deep_merge(default_values) + end + + it 'populates the redis rate-limiter settings with the local cluster host:port instead of global.redis.sentinels' do + t = HelmTemplate.new(values) + expect(t.exit_code).to eq(0), "Unexpected error code #{t.exit_code} -- #{t.stderr}" + expect(t.dig('ConfigMap/test-registry', 'data', 'config.yml.tpl')).to include( + <<~CONFIG + redis: + ratelimiter: + enabled: true + addr: "redis1.cluster.example.com:16379,redis2.cluster.example.com:6379" + CONFIG + ) + end + end + context 'when customer provides a custom redis rate-limiter and cache configuration' do let(:values) do YAML.safe_load(%( 
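Review bot: The second new context name misspells "presence" (`in presense of global sentinels`), which makes the example harder to find by name; `in the presence of global sentinels` reads correctly. Both contexts also leave the port off `redis2.cluster.example.com` and rely on it rendering as 6379 in the expected `addr` string, so a short comment such as `# port omitted on purpose: exercises the 6379 default` would show that the omission is deliberate.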
diff --git a/chart/spec/configuration/securitycontext_spec.rb b/chart/spec/configuration/securitycontext_spec.rb index 184f2cab8..4deff29b6 100644 --- a/chart/spec/configuration/securitycontext_spec.rb +++ b/chart/spec/configuration/securitycontext_spec.rb @@ -126,4 +126,25 @@ describe 'security context' do end end end + + describe 'container security context configuration' do + let(:template) do + values = HelmTemplate.with_defaults(%( + upgradeCheck: + enabled: true + containerSecurityContext: + fsGroupChangePolicy: "OnRootMismatch" + )) + HelmTemplate.new(values) + end + + it 'renders successfully' do + expect(template.exit_code).to eq(0), "Unexpected error code #{template.exit_code} -- #{template.stderr}" + end + + it 'applied fsGroupChangePolicy to the upgrade-check job' do + policy = template.dig("Job/test-gitlab-upgrade-check", 'spec', 'template', 'spec', 'containers', 0, 'securityContext', 'fsGroupChangePolicy') + expect(policy).to eq("OnRootMismatch"), "Unexpected fsGroupChangePolicy #{policy}" + end + end end diff --git a/chart/spec/configuration/workhorse_spec.rb b/chart/spec/configuration/workhorse_spec.rb index 23bc9ebe1..d8c27b583 100644 --- a/chart/spec/configuration/workhorse_spec.rb +++ b/chart/spec/configuration/workhorse_spec.rb 
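Review bot: `fsGroupChangePolicy` is a pod-level field (PodSecurityContext) in Kubernetes, not a member of a container's `securityContext`, so the new 'container security context configuration' example proves the passthrough with a value that is not valid where it is rendered. A container-level setting keeps the spec meaningful, for example `allowPrivilegeEscalation: false` in the values and `expect(ctx['allowPrivilegeEscalation']).to eq(false)` on the dug-out `securityContext`. One more example asserting what the upgrade-check container renders when `upgradeCheck.containerSecurityContext` is left unset would cover the path most installs take.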
@@ -234,6 +234,70 @@ describe 'Workhorse configuration' do end end + context 'with global Redis user' do + let(:values) do + YAML.safe_load(%( + global: + redis: + host: global.redis + auth: + enabled: true + secret: global-secret + user: redis-user + redis: + install: false + )).merge(default_values) + + it "adds the username to the URL" do + toml = render_toml(raw_toml) + + expect(toml.keys).to match_array(%w[shutdown_timeout listeners image_resizer redis]) + + redis_config = toml['redis'] + expect(redis_config.keys).to match_array(%w[URL Password]) + expect(redis_config['URL']).to eq('redis://redis-user@workhorse.redis:6379') + expect(redis_config['Password']).to eq(workhorse_redis_password) + expect(template.dig("ConfigMap/test-workhorse-default", 'data', 'workhorse-config.toml.tpl')).to include('redis/workhorse-password') + expect(template.dig('ConfigMap/test-workhorse-default', 'data', 'configure')).to include('init-config/redis/workhorse-password') + end + end + end + + context 'with Workhorse Redis user' do + let(:values) do + YAML.safe_load(%( + global: + redis: + host: global.redis + auth: + enabled: true + secret: global-secret + user: redis-user + workhorse: + host: workhorse.redis + password: + enabled: true + secret: workhorse + user: workhorse-redis-user + redis: + install: false + )).merge(default_values) + end + + it "overrides global redis config" do + toml = render_toml(raw_toml) + + expect(toml.keys).to match_array(%w[shutdown_timeout listeners image_resizer redis]) + + redis_config = toml['redis'] + expect(redis_config.keys).to match_array(%w[URL Password]) + expect(redis_config['URL']).to eq('redis://workhorse-redis-user@workhorse.redis:6379') + expect(redis_config['Password']).to eq(workhorse_redis_password) + expect(template.dig("ConfigMap/test-workhorse-default", 'data', 'workhorse-config.toml.tpl')).to include('redis/workhorse-password') + expect(template.dig('ConfigMap/test-workhorse-default', 'data', 'configure')).to 
include('init-config/redis/workhorse-password') + end + end + context 'with redis sentinel' do let(:values) do YAML.safe_load(%( diff --git a/chart/spec/runtime_template_helper.rb b/chart/spec/runtime_template_helper.rb index 01448c02b..2fcc53272 100644 --- a/chart/spec/runtime_template_helper.rb +++ b/chart/spec/runtime_template_helper.rb @@ -72,6 +72,7 @@ class RuntimeTemplate "#{path}/postgres/psql-password-main" => JUNK_PASSWORD, "#{path}/postgres/psql-password-ci" => JUNK_PASSWORD, "#{path}/redis/redis-password" => JUNK_PASSWORD, + "#{path}/redis/clusterCache-password" => JUNK_PASSWORD, "#{path}/redis-sentinel/redis-sentinel-password" => JUNK_PASSWORD, "#{path}/gitaly/gitaly_token" => JUNK_TOKEN, # registry notification has a special format ... diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index 8c03298fe..31c784c43 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt @@ -147,6 +147,20 @@ redis: https://docs.gitlab.com/charts/installation/upgrade.html#use-of-globalredispassword {{- end -}} +{{- /* If the user is managing RBAC externally with NGINX chart 4.0.6 */}} +{{- if or (and (index .Values "nginx-ingress" "enabled") (not (index .Values "nginx-ingress" "rbac" "create"))) + (and (index .Values "nginx-ingress-geo" "enabled") (not (index .Values "nginx-ingress-geo" "rbac" "create"))) }} +{{ $WARNING }} +NGINX Ingress Controller: Default RBAC rules creation has been disabled. +Updates to NGINX Ingress Controller require RBAC changes. Without these, +the installation will fallback to version v1.3.1. + +Read more on https://docs.gitlab.com/charts/releases/8_0.html#upgrade-to-85x + +From GitLab chart 8.8+ the NGINX controller image 1.11.2+ will be the default for +any configuration. +{{- end -}} + {{- /* run removals */}} {{ include "gitlab.removals" . }} {{- /* run checkConfig */}} diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl index 186cd1a68..3b8de4209 100644 --- a/chart/templates/_helpers.tpl 
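Review bot: In the 'with global Redis user' context the `let(:values)` block is not closed before `it "adds the username to the URL"`, so the example sits inside the `let` body and is never registered with the group; the username path for the global Redis config is therefore untested. Move the `end` that currently follows the example up to directly after `)).merge(default_values)`, as the 'with Workhorse Redis user' context below already does. Once it runs, the expectations look wrong for these values: no `workhorse` override is set, so the URL should presumably be `redis://redis-user@global.redis:6379` rather than `workhorse.redis`, and the `workhorse-password` path assertions probably need the global secret path; confirm against the rendered template.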
+++ b/chart/templates/_helpers.tpl @@ -514,6 +514,16 @@ emptyDir: {{ toYaml $values | nindent 2 }} {{- end -}} {{- end -}} +{{/* +Return upgradeCheck container specific securityContext template +*/}} +{{- define "upgradeCheck.containerSecurityContext" }} +{{- if .Values.upgradeCheck.containerSecurityContext }} +securityContext: + {{- toYaml .Values.upgradeCheck.containerSecurityContext | nindent 2 }} +{{- end }} +{{- end }} + {{/* Return init container specific securityContext template */}} diff --git a/chart/templates/_traefik.tpl b/chart/templates/_traefik.tpl new file mode 100644 index 000000000..86144c357 --- /dev/null +++ b/chart/templates/_traefik.tpl @@ -0,0 +1,23 @@ +{{/* +Return the appropriate apiVersion for Traefik. + +It expects a dictionary with three entries: + - `global` which contains global Traefik settings, e.g. .Values.global.traefik + - `local` which contains local Traefik settings, e.g. .Values.traefik + - `context` which is the parent context (either `.` or `$`) + +Example usage: +{{- $traefikApiVersion := dict "global" .Values.global.traefik "local" .Values.traefik "context" . -}} +apiVersion: "{{ template "traefik.apiVersion" $traefikApiVersion }}" +*/}} +{{- define "traefik.apiVersion" -}} +{{- if .local.apiVersion -}} +{{- .local.apiVersion -}} +{{- else if .global.apiVersion -}} +{{- .global.apiVersion -}} +{{- else if .context.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" -}} +{{- print "traefik.io/v1alpha1" -}} +{{- else -}} +{{- print "traefik.containo.us/v1alpha1" -}} +{{- end -}} +{{- end -}} diff --git a/chart/templates/upgrade_check_hook.yaml b/chart/templates/upgrade_check_hook.yaml index d9b32debf..5552ad10e 100644 --- a/chart/templates/upgrade_check_hook.yaml +++ b/chart/templates/upgrade_check_hook.yaml 
@@ -68,8 +68,7 @@ spec: image: {{ include "gitlab.configure.image" (dict "root" $ "image" .Values.upgradeCheck.image) | quote }} command: ['/bin/sh', '/scripts/runcheck'] {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} - securityContext: - {{- toYaml $.Values.containerSecurityContext | nindent 12 }} + {{- include "upgradeCheck.containerSecurityContext" . | indent 10 }} env: - name: GITLAB_VERSION value: '{{ coalesce .Values.global.gitlabVersion .Chart.AppVersion }}' diff --git a/chart/values.yaml b/chart/values.yaml index 325c5c57b..388ce5b69 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -57,7 +57,7 @@ global: edition: ee ## https://docs.gitlab.com/charts/charts/globals#gitlab-version - gitlabVersion: "17.2.9" + gitlabVersion: "17.3.6" ## https://docs.gitlab.com/charts/charts/globals#application-resource application: @@ -188,6 +188,9 @@ global: # secret: # key: + # connectTimeout: 1 + # readTimeout: 1 + # writeTimeout: 1 # host: redis.hostedsomewhere.else # port: 6379 # user: webservice @@ -820,7 +823,7 @@ global: certificates: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/certificates - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry init: @@ -869,7 +872,7 @@ global: kubectl: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/kubectl - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry securityContext: @@ -884,7 +887,7 @@ global: # 1. UBI does not have the newly required /scripts/set-config template generator in its entrypoint. # a. trying gitlab-base per https://repo1.dso.mil/dsop/gitlab/gitlab/gitlab-base/-/issues/77 repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base - tag: "17.2.9" + tag: "17.3.6" pullSecrets: - name: private-registry 
@@ -937,6 +940,10 @@ global: ## https://docs.gitlab.com/charts/charts/globals/#jobs job: nameSuffixOverride: + + traefik: + apiVersion: "" # newer apiVersion: "traefik.io/v1alpha1" + ## End of global # Needed for upgradeCheck containerSecurityContext values @@ -963,6 +970,7 @@ upgradeCheck: # capabilities: # drop: # - ALL + containerSecurityContext: {} tolerations: [] annotations: sidecar.istio.io/inject: "true" @@ -1260,7 +1268,7 @@ redis: image: registry: registry1.dso.mil/ironbank/bitnami repository: analytics/redis-exporter - tag: v1.64.1 + tag: v1.65.0 pullSecrets: [] resources: limits: @@ -1449,7 +1457,7 @@ registry: memory: 1024Mi image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry ingress: @@ -1583,7 +1591,7 @@ gitlab: app: gitaly image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry init: @@ -1660,7 +1668,7 @@ gitlab: - ALL image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry metrics: @@ -1705,7 +1713,7 @@ gitlab: memory: 1.5G image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry securityContext: @@ -1754,7 +1762,7 @@ gitlab: memory: 2.5G # = 2 * 1.25G assuming there are 2 workerProcesses configured image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry workhorse: @@ -1767,7 +1775,7 @@ gitlab: cpu: 600m memory: 2.5G image: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry metrics: 
@@ -1786,12 +1794,12 @@ gitlab: serviceMonitor: enabled: true helmTests: - enabled: false + enabled: false ## https://docs.gitlab.com/charts/charts/gitlab/sidekiq sidekiq: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry init: @@ -1828,7 +1836,7 @@ gitlab: gitaly: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitaly - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry init: @@ -1869,7 +1877,7 @@ gitlab: gitlab-shell: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry init: @@ -1913,7 +1921,7 @@ gitlab: mailroom: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom - tag: 17.2.9 + tag: 17.3.6 pullSecrets: - name: private-registry containerSecurityContext: @@ -1930,7 +1938,7 @@ gitlab: type: ClusterIP image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages - tag: 17.2.9 + tag: 17.3.6 containerSecurityContext: capabilities: drop: @@ -1941,7 +1949,7 @@ gitlab: praefect: image: repository: registry1.dso.mil/ironbank/gitlab/gitlab/gitaly - tag: 17.2.9 + tag: 17.3.6 init: resources: limits: @@ -2131,8 +2139,8 @@ networkPolicies: istio: ingressgateway # See `kubectl cluster-info` and then resolve to IP controlPlaneCidr: 0.0.0.0/0 - egressPort: - gitalyEgress: + egressPort: + gitalyEgress: enabled: false additionalPolicies: [] diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md index 814bb5255..b2320fdd9 100644 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ b/docs/DEVELOPMENT_MAINTENANCE.md 
@@ -1,18 +1,21 @@ # Files that require bigbang integration testing -### See [bb MR testing](./docs/test-package-against-bb.md) for details regarding testing changes against bigbang umbrella chart. +### See [bb MR testing](./docs/test-package-against-bb.md) for details regarding testing changes against bigbang umbrella chart There are certain integrations within the bigbang ecosystem and this package that require additional testing outside of the specific package tests ran during CI. This is a requirement when files within those integrations are changed, as to avoid causing breaks up through the bigbang umbrella. Currently, these include changes to the istio implementation within gitlab (see: [istio templates](./chart/templates/bigbang/istio/), [network policy templates](./chart/templates/bigbang/networkpolicies/), [service entry templates](./chart/templates/bigbang/serviceentries/)). -Be aware that any changes to files listed in the [Modifications made to upstream chart](#modifications-made-to-upstream-chart) section will also require a codeowner to validate the changes using above method, to ensure that they do not affect the package or its integrations adversely. +Be aware that any changes to files listed in the [Modifications made to upstream chart](#modifications-made-to-upstream-chart) section will also require a codeowner to validate the changes using above method, to ensure that they do not affect the package or its integrations adversely. Be sure to also test against monitoring locally as it is integrated by default with these high-impact service control packages, and needs to be validated using the necessary chart values beneath `istio.hardened` block with `monitoring.enabled` set to true as part of your [dev-overrides.yaml](./docs/dev-overrides.yaml). 
# Notice about updating postgres via renovate + Currently, we do not update postgresql via renovate bot unless the [upstream gitlab documentation](https://docs.gitlab.com/ee/install/requirements.html#postgresql-requirements) updates beyond our current supported version of postgres. Due to local in-place image upgrades not working because of limitations around the data directory being initialized by a previous major postgresql version, this requires a manual `pg_dump` from current & `pg_restore` to new updated postgres pod locally (RDS and other non docker DBs will do this automatically). We try to keep all local in-cluster/CI DBs on the same version and upgrade once all are recommended and tested to be on the next major version. # How to upgrade the Gitlab Package chart + BigBang makes modifications to the upstream helm chart. The full list of changes is at the end of this document. + 1. Read release notes from upstream [Gitlab Releases](https://about.gitlab.com/releases/categories/releases/). Be aware of changes that are included in the upgrade, you can find those by [comparing the current and new revision](https://gitlab.com/gitlab-org/charts/gitlab/-/compare?from=master&to=master). Take note of any manual upgrade steps that customers might need to perform, if any. 1. Do diff of [upstream chart](https://gitlab.com/gitlab-org/charts/gitlab) between old and new release tags to become aware of any significant chart changes. A graphical diff tool such as [Meld](https://meldmerge.org/) is useful. You can see where the current helm chart came from by inspecting `/chart/Kptfile`. 1. Create a development branch and merge request tied to the Repo1 issue created for the Gitlab package upgrade. The association between the branch and the issue can be made by prefixing the branch name with the issue number, e.g. `56-update-gitlab-package`. DO NOT create a branch if working `renovate/ironbank`. Continue edits on `renovate/ironbank`. 
@@ -21,13 +24,16 @@ BigBang makes modifications to the upstream helm chart. The full list of changes 1. Delete all the `/chart/charts/*.tgz` files and the `/chart/requirements.lock`. You will replace these files in a later step. 1. In `/chart/requirements.yaml` update the gluon library to the latest version. 1. Run a helm dependency command to update the `chart/charts/*.tgz` archives and create a new requirements.lock file. You will commit the tar archives along with the requirements.lock that was generated. + ```bash helm dependency update ./chart ``` + 1. In `/chart/values.yaml` update all the gitlab image tags to the new version. There are about 12 of them. Renovate might have already done this for you. 1. Update `/CHANGELOG.md` with an entry for "upgrade Gitlab to app version X.X.X chart version X.X.X-bb.X". Or, whatever description is appropriate. 1. Update the `/README.md` following the [gluon library script](https://repo1.dso.mil/platform-one/big-bang/apps/library-charts/gluon/-/blob/master/docs/bb-package-readme.md). 1. Update `/chart/Chart.yaml` to the appropriate versions. The annotation version should match the `appVersion`. + ```yaml version: X.X.X-bb.X appVersion: X.X.X 
@@ -35,18 +41,22 @@ BigBang makes modifications to the upstream helm chart. The full list of changes dev.bigbang.mil/applicationVersions: | - Gitlab: X.X.X ``` + 1. Update `annotations.helm.sh/images` section in `/chart/Chart.yaml` to fix references to updated packages (if needed). 1. Use a development environment to deploy and test Gitlab. See more detailed testing instructions below. Also test with gitlab-runner to make sure it still works with the new Gitlab version. Also test an upgrade by deploying the old version first and then deploying the new version. 1. When the Package pipeline runs expect the cypress tests to fail due to UI changes. Note that most of the cypress test files are synced to the gitlab-runner Package to avoid having two different versions of the same tests. There is one place in particular that frequently fails because the button id number `button[id="__BVID__XX__BV_toggle_"]` changes in `/chart/tests/cypress/03-gitlab-login.spec.js`. It is usually necessary to run the cypress tests locally in order to troubleshoot a failing test. The following steps are about how to set up local cypress testing. There is not good documentation anywhere else so it is included here. 1. [Install a current version of cypress](https://docs.cypress.io/guides/getting-started/installing-cypress#npm-install) on your workstation. 1. Make a sibling directory named `cypress` next to where you have gitlab repo cloned. + ```bash mkdir cypress ls -l drwxrwxr-x cypress drwxrwxr-x gitlab ``` + Inside the cypress directory create a symbolic link named `integration` that points to the cypress tests inside the gitlab repo. + ```bash cd cypress ln -s ../gitlab/chart/tests/cypress integration 
@@ -54,7 +64,9 @@ BigBang makes modifications to the upstream helm chart. The full list of changes lrwxrwxrwx integration -> ../gitlab/chart/tests/cypress/ cd .. ``` + 1. Export the environment variables that are needed by the cypress test. Reference the `bbtests:` at the end of `/chart/values.yaml`. + ```bash export cypress_url=https://gitlab.dev.bigbang.mil export cypress_gitlab_first_name=test 
@@ -70,19 +82,24 @@ BigBang makes modifications to the upstream helm chart. The full list of changes # kubectl -n gitlab get secrets gitlab-gitlab-initial-root-password -ojson | jq .data.password -r | base64 -d | pbcopy export cypress_adminpassword=put-the-gitlab-root-password-here ``` + 1. Run cypress from the parent directory of the gitlab and cypress directories. + ```bash cypress ``` + 1. When Cypress launches select the same directory where you ran cypress and you should see the gitlab cypress tests listed. Run them manually, in order, one at a time. 1. Investigate and fix errors in the cypress tests. You can run a separate browser with developer tools to find out names of elements on each page. 1. Update the `/README.md` and `/CHANGELOG.md` again if you have made any additional changes during the upgrade/testing process. # Testing new Gitlab version + 1. Create a k8s dev environment. One option is to use the Big Bang [k3d-dev.sh](https://repo1.dso.mil/platform-one/big-bang/bigbang/-/tree/master/docs/developer/scripts) with no arguments which will give you the default configuration. The following steps assume you are using the script. 1. Follow the instructions at the end of the script to connect to the k8s cluster and install flux. 1. Deploy gitlab with the dev values overrides from [docs/dev-overrides.yaml](./dev-overrides.yaml). Core apps are disabled for quick deployment. - 1. Example helm upgrade command (run from within your local checkout of the `bigbang` repository): + 1. Example helm upgrade command (run from within your local checkout of the `bigbang` repository): + ```shell helm upgrade -n bigbang --create-namespace --install \ bigbang ./chart \ 
@@ -90,17 +107,21 @@ BigBang makes modifications to the upstream helm chart. The full list of changes -f https://repo1.dso.mil/big-bang/product/packages/gitlab/-/blob/main/docs/dev-overrides.yaml \ --set addons.gitlab.git.branch=YOUR-WORKING-BRANCH-NAME-HERE ``` + 1. Access Gitlab UI from a browser and login with SSO (to learn about deploying GitLab with a dev version of Keycloak, see [keycloak-dev.md](./keycloak-dev.md)). 1. Test changing your profile image. 1. In your profile create an access token with all privileges. Save the token for later use. 1. Create a group called `test`. 1. Create a project called `test1` with a README.md within the `test` group. 1. From your workstation git clone with https the test1 project. + ```bash git clone https://gitlab.dev.bigbang.mil/test/test1.git ``` + 1. Make a change to README.md and commit and push. Verify that the change shows in Gitlab UI. 1. Test pushing and pulling an image to the project container registry. Use the access token you created. + ```bash docker login registry.dev.bigbang.mil docker pull busybox @@ -110,7 +131,9 @@ BigBang makes modifications to the upstream helm chart. The full list of changes docker image rm registry.dev.bigbang.mil/test/test1:latest docker pull registry.dev.bigbang.mil/test/test1:latest ``` + 1. Test a pipeline with gitlab-runner. Navigate to `https://gitlab.dev.bigbang.mil/test/test1/-/settings/ci_cd` and disable the Auto DevOps. Navigate to `https://gitlab.dev.bigbang.mil/test/test1/-/ci/editor?branch_name=main` and configure a pipeline. Verify that it completes successfully at `https://gitlab.dev.bigbang.mil/test/test1/-/pipelines`. + ```yaml stages: - test 
@@ -125,26 +148,34 @@ BigBang makes modifications to the upstream helm chart. The full list of changes paths: - file.txt ``` + 1. Perform a manual upgrade test. First deploy the current Gitlab version. Then deploy your development branch. Verify that the upgrade is successful. 1. Retest with monitoring and logging enabled. Verify that the logging and monitoring are working. # Modifications made to upstream chart + This is a high-level list of modifications that Big Bang has made to the upstream helm chart. You can use this as as cross-check to make sure that no modifications were lost during the upgrade process. ## chart/charts/certmanager-issuer/templates/rbac-config.yaml + - Exposed automountServiceAccountToken for service account. + ``` automountServiceAccountToken: {{ template "gitlab.serviceAccount.automountServiceAccountToken" . }} ``` ## chart/charts/gitlab/charts/*/templates/serviceaccount.yaml + - Exposed automountServiceAccountToken for service accounts in the following gitlab components: geo-logcursor, gitaly, gitlab-exporter, gitlab-pages, gitlab-shell, kas, mailroom, migrations (_serviceaccountspec.yaml), praefect, sidekiq, spamcheck, toolbox, webservice + ``` automountServiceAccountToken: {{ template "gitlab.serviceAccount.automountServiceAccountToken" . }} ``` ## chart/charts/gitlab/templates/_serviceAccount.tpl + - Added template that respects the global and specific service account settings pertaining to automountServiceAccountToken + ``` {{/* Return the sub-chart serviceAccount automountServiceAccountToken setting @@ -160,7 +191,9 @@ If that is not present it will use the global chart serviceAccount automountServ ``` ## chart/charts/nginx-ingress/values.yaml + - Added default for serviceAccount.automountServiceAccountToken in controller.admissionWebhooks to respect implicit default + ``` controller: admissionWebhooks: 
@@ -169,19 +202,25 @@ controller: ``` ## chart/templates/shared-secrets/job.yaml && chart/templates/shared-secrets/self-signed-cert-job.yml + - Set automountServiceAccountToken to true for shared-secrets jobs which need this token to be successful + ``` automountServiceAccountToken: true ``` ## chart/templates/shared-secrets/rbac-config.yaml + - Exposed automountServiceAccountToken for service account. + ``` automountServiceAccountToken: {{ template "shared-secrets.automountServiceAccountToken" . }} ``` ## chart/charts/registry/templates/_helpers.tpl + - Added template that respects the global and specific service account settings pertaining to automountServiceAccountToken + ``` {{/* Return the sub-chart serviceAccount automountServiceAccountToken setting @@ -197,7 +236,9 @@ If that is not present it will use the global chart serviceAccount automountServ ``` ## chart/templates/_helpers.tpl + - Added template that respects the global and specific service account settings pertaining to automountServiceAccountToken + ``` {{/* Return the sub-chart serviceAccount automountServiceAccountToken setting @@ -214,11 +255,15 @@ If that is not present it will use the global chart serviceAccount automountServ ``` ## `chart/templates/_certificates.tpl` + - Remove the include initContainerSecurityContext function. + ``` {{- include "gitlab.init.containerSecurityContext" . | indent 2 }} ``` + - Add the logic to use our own configurable securityContext for certificates initContainers. + ``` {{- with .Values.global.certificates.init.securityContext }} securityContext: 
@@ -227,18 +272,22 @@ If that is not present it will use the global chart serviceAccount automountServ ``` ## chart/bigbang/* + - Add DoD approved CA certificates (recursive copy directory from previous release). - If updating new certificates from new bundle: - Check `Department_of_State/` certificates for spaces in name. - Check `DigiCert_Federal_SSP/Trust_Chain_2/` certificates for spaces in name. - Convert `Entrust_Federal_SSP/Trust_Chain_2/0-Entrust_Managed_Services_Root_CA_rekey3.cer` to pem format. + ```bash openssl x509 -inform der -in 0-Entrust_Managed_Services_Root_CA_rekey3.cer -out 0-Entrust_Managed_Services_Root_CA_rekey3.pem ``` + - Remove non-certificate metadata from `Carillon_Federal_Services/Trust_Chain_1/1-Carillon_Federal_Services_PIVI_CA2.cer`. - Remove non-certificate metadata from `DigiCert_NFI/Trust_Chain_2/2-Senate_PIV-I_CA_G5.cer`. ## chart/templates/bigbang/* + - Add istio virtual service. - Add networkpolicies. - Add istio peerauthentications. @@ -246,10 +295,13 @@ If that is not present it will use the global chart serviceAccount automountServ - Add istio authorization policies ## chart/templates/tests/* + - Add templates for CI helm tests. ## chart/charts/gitlab/charts/toolbox/templates/configmap-custom-scripts.yaml + - Added custom configmap to mount ruby scripts to toolbox + ```yaml {{- if .Values.enabled -}} {{- if .Values.customScripts -}} @@ -271,6 +323,7 @@ If that is not present it will use the global chart serviceAccount automountServ ``` ## chart/charts/gitlab/charts/toolbox/templates/deployment.yaml + - Added volumeMount and volume for custom ruby script configmap volumeMounts: @@ -283,7 +336,9 @@ If that is not present it will use the global chart serviceAccount automountServ {{- end }} ... ``` + volumes: + ```yaml ... {{- if .Values.customScripts }} 
@@ -296,37 +351,49 @@ If that is not present it will use the global chart serviceAccount automountServ ``` ## chart/charts/gitlab/charts/toolbox/templates/backup-job.yaml + - Added istio shutdown to command on lines 85 and 87. + ```yaml {{- if and .Values.global.istio.enabled (eq .Values.global.istio.injection "enabled") }}{{ .Values.backups.cron.istioShutdown }}{{- end }} ``` ## chart/charts/gitlab/charts/gitlab-pages/templates/service-custom-domains.yaml + - Ensure the conditional checking for empty `$externalAddresses` is removed from above the entirety of the template, and instead above the first use of it where it checks if the length of the value is `>1`. Add a closing `{{- end }}` after the existing `{{- else }}` and `{{- end }}` around the `loadBalancerIP:` & `externalIPs:` entries. + ```yaml {{- if not (empty ($externalAddresses)) -}} {{- if len $externalAddresses | eq 1 }} ... {{- end }} ``` + - Remove the un-indented `{{- end }}` from the very bottom of the template (to complete the removal of the if statement being around the entire template). - Remove the `{{- if not (empty $.Values.global.pages.externalHttp) }}` and closing `{{- end }}` from around the `80` port definition so it is always present. - Remove the `{{- if not (empty $.Values.global.pages.externalHttps) }}` and closing `{{- end }}` from around the `443` port definition so it is always present. ## chart/charts/minio/templates/_helper_create_buckets.sh + - Hack the MinIO sub-chart to work with newer mc version in IronBank image, line 65. + ```bash /usr/bin/mc policy set $POLICY myminio/$BUCKET ``` -## chart/charts/*.tgz + +## chart/charts/*.tgz + - Run `helm dependency update ./chart` and commit the downloaded archives. - Commit the tar archives that were downloaded and requirements.lock that was generated from the helm dependency update command. ## chart/tests/* + - Add helm test scripts for CI pipeline. 
## chart/templates/_certificates.tpl + - Hack to support pki certificate location within the RedHat UBI image. Is different than Debian based images. Add to definition of `gitlab.certificates.volumeMount`. The volumeMount definition is at the end of the file. + ```yaml - name: etc-ssl-certs mountPath: /etc/pki/tls/certs/ @@ -338,14 +405,18 @@ If that is not present it will use the global chart serviceAccount automountServ ``` ## chart/.gitignore + - Comment the `charts/*.tgz`. - Comment the `requirements.lock`. ## chart/.helmignore + - Change `scripts/` to `/scripts/` so that the helm test scripts are not ignored. ## chart/requirements.yaml + - Add latest gluon dependency to the end of the list. + ```yaml - name: gluon version: "x.x.x" @@ -353,6 +424,7 @@ If that is not present it will use the global chart serviceAccount automountServ ``` ## chart/values.yaml + - Disable all internal services other than postgres, minio, and redis. - Add BigBang additional values at bottom of `values.yaml`. - Add prometheus exporter: gitlab.gitlab-exporter. @@ -362,9 +434,11 @@ If that is not present it will use the global chart serviceAccount automountServ - Add default dev.bigbang.mil hostnames at global.hosts. - Add customCAs (the cert files and secrets need to be added in the next 2 steps for this to work). - Run this to get a list of secrets: + ```bash for i in $(helm template -s templates/bigbang/secrets/DoD_CA_certs.yaml . | grep "name:" | cut -d ":" -f 2); do echo "- secret: $i"; done `````` + - Add `global.certificates.init.securityContext` and it's 3 entries - Add `postgresqlInitdbArgs`, `securityContext`, `postgresqlDataDir` and `persistence` to get IB image working with postgres subchart. - Add `upgradeCheck.annotations`: sidecar.istio.io/inject: "false". 
@@ -376,6 +450,7 @@ If that is not present it will use the global chart serviceAccount automountServ - Add `gitlab.toolbox.customScripts` with example `testing.rb` script for custom ruby scripts in toolbox. # chart/Chart.yaml + - Change version key to Big Bang composite version. - Add Big Bang `annotations.dev.bigbang.mil/applicationVersions` and `annotations.helm.sh/images` keys to support release automation. - Add the required kubeversion diff --git a/docs/Elastic.md b/docs/Elastic.md index 981f1079c..576bbe871 100644 --- a/docs/Elastic.md +++ b/docs/Elastic.md @@ -1,8 +1,11 @@ create an index pattern for fluentd if not already created for you + ``` gitlab-* ``` + Build filter for gitlab namespace + ``` { "query": { @@ -12,7 +15,9 @@ Build filter for gitlab namespace } } ``` + There are more than 15 pods in a Gitlab delployment. + ``` [p1dev@p1dev-vm gitlab]$ kubectl get pods -n gitlab NAME READY STATUS RESTARTS AGE @@ -36,11 +41,13 @@ gitlab-webservice-7ff8956d8b-8zcj2 2/2 Running 0 4h gitlab-webservice-7ff8956d8b-9l8sj 2/2 Running 0 143m global-shared-gitlab-runner-567cf8df54-8dzfw 1/1 Running 0 4h50m ``` + Here is a document that lists the Gitlab components and what each one does -https://docs.gitlab.com/ce/development/architecture.html#component-details +<https://docs.gitlab.com/ce/development/architecture.html#component-details> Here are some an examples of a filter for a specific containers: front-end webservice + ``` { "query": { @@ -50,7 +57,9 @@ front-end webservice } } ``` + gitlab-workhorse - a gateway for routing http requests to the proper component + ``` { "query": { @@ -60,7 +69,9 @@ gitlab-workhorse - a gateway for routing http requests to the proper component } } ``` + cli git commands + ``` { "query": { 
@@ -70,10 +81,13 @@ cli git commands } } ``` + In the KQL field you can text search within a source field such as log + ``` log: "error" ``` + ``` log: F 2020-07-10T18:23:01.255Z 8 TID-go4bqp7cw ERROR: Error fetching job: Error connecting to Redis on gitlab-redis-master:6379 (Redis::TimeoutError) @@ -103,4 +117,4 @@ kubernetes.labels.queue-pod-name: all-in-1 kubernetes.labels.release: gitlab -``` \ No newline at end of file +``` diff --git a/docs/PostgresSql.md b/docs/PostgresSql.md index 077f00639..616686578 100644 --- a/docs/PostgresSql.md +++ b/docs/PostgresSql.md @@ -56,4 +56,4 @@ postgresql: # preparedStatements: false ``` -[Gitlab](https://docs.gitlab.com/charts/advanced/external-db/) has documentation on doing this. \ No newline at end of file +[Gitlab](https://docs.gitlab.com/charts/advanced/external-db/) has documentation on doing this. diff --git a/docs/gitlab17.md b/docs/gitlab17.md index 730f55586..38c834b3a 100644 --- a/docs/gitlab17.md +++ b/docs/gitlab17.md @@ -2,7 +2,6 @@ Gitlab is migrating to a new [runner registration workflow](https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html) utilizing runner authentication tokens. Currently, these can be generated via the Admin Area UI following [these steps](https://docs.gitlab.com/ee/ci/runners/runners_scope.html#create-an-instance-runner-with-a-runner-authentication-token), or [programatically](https://docs.gitlab.com/ee/tutorials/automate_runner_creation/index.html) via the REST API available on gitlab. Note that programatically requires an existing administrator level access token. The secret used by gitlab-runner must be modified so that the new runner authentication token generated from above is available. See below examples, where `REDACTED` in the new workflow would be the newly generated authentication token. - In the legacy runner registration workflow, fields were specified with: ``` 
@@ -31,4 +30,4 @@ data: ### Re-enable legacy workflow -The alternative is to manually re-enable the legacy workflow, which should be available until the next major release of Gitlab 18.0. This is accomplished following [these steps](https://docs.gitlab.com/ee/administration/settings/continuous_integration.html#enable-runner-registrations-tokens) in the Admin Area UI. +The alternative is to manually re-enable the legacy workflow, which should be available until the next major release of Gitlab 18.0. This is accomplished following [these steps](https://docs.gitlab.com/ee/administration/settings/continuous_integration.html#enable-runner-registrations-tokens) in the Admin Area UI. diff --git a/docs/k8s-resources.md b/docs/k8s-resources.md index 6de3f93aa..3f2394d3c 100644 --- a/docs/k8s-resources.md +++ b/docs/k8s-resources.md @@ -1,11 +1,15 @@ # Kubernetes resource configuration + The BigBang Gitlab Package has a default resource configuration for a minimal installation which is sufficient for development, demos, and CI pipelines. For larger operational deployments you must increase the CPU and memory as needed. Consult Gitlab documentation and Gitlab Support for appropriate settings. The resource requests and limits must be equal to achive quality of service guarantee. Below is a catalog of the possible resource configurations which are provided here for convenience. The values below are fake. If you are pasting selected portions into a BigBang values override file you will need to add three additional indent levels and place them under + ```yaml addons: gitlab: values: ``` + Here are the possible settings: + ```yaml gitlab: toolbox: @@ -261,4 +265,4 @@ minio: requests: cpu: 201m memory: 301Mi -``` \ No newline at end of file +``` diff --git a/docs/keycloak-dev.md b/docs/keycloak-dev.md index 9928652be..0a8ef2c1f 100644 --- a/docs/keycloak-dev.md +++ b/docs/keycloak-dev.md 
@@ -1,13 +1,17 @@ ## Deploying GitLab with a Dev Instance of Keycloak + ### Prerequisites + 1. You will need a K8s development environment with two `Gateway` resources configured. One for `passthrough` and the other for `public`. Use the `k3d-dev.sh` script with the `-m` flag to deploy a dev cluster with MetalLB. -1. You will need the following values file saved locally: `keycloak-dev-values.yaml` ([link](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/docs/assets/configs/example/keycloak-dev-values.yaml?ref_type=heads)). +1. You will need the following values file saved locally: `keycloak-dev-values.yaml` ([link](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/docs/assets/configs/example/keycloak-dev-values.yaml?ref_type=heads)). + +### Deploying -### Deploying Before deploying GitLab and configuring SSO, you need to deploy the dev instance of Keycloak. Use the overrides file below. 1. `overrides.yaml`: + ```yaml clusterAuditor: enabled: false @@ -46,17 +50,23 @@ Before deploying GitLab and configuring SSO, you need to deploy the dev instance keycloak: enabled: true ```` + 1. Deploy BigBang: + ```bash - $ helm upgrade -i bigbang ./chart -n bigbang --create-namespace -f ./registry-values.yaml -f ./chart/ingress-certs.yaml -f ./keycloak-dev-values.yaml -f ./overrides.yaml + helm upgrade -i bigbang ./chart -n bigbang --create-namespace -f ./registry-values.yaml -f ./chart/ingress-certs.yaml -f ./keycloak-dev-values.yaml -f ./overrides.yaml ``` + Wait for Keycloak pods to be ready before proceeding. 1. Run sshuttle to connect to your cluster's private network (command was provided once the `k3d-dev.sh` script completed.) 1. Run the following command and copy the results: + ```bash - $ curl https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml/descriptor + curl https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml/descriptor ``` + 1. Add the following to `overrides.yaml`: + ```yaml addons: gitlab: 
@@ -104,15 +114,19 @@ Before deploying GitLab and configuring SSO, you need to deploy the dev instance emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- ``` + 1. Upgrade BigBang: + ```bash - $ helm upgrade -i bigbang ./chart -n bigbang --create-namespace -f ./registry-values.yaml -f ./chart/ingress-certs.yaml -f ./keycloak-dev-values.yaml -f ./overrides.yaml + helm upgrade -i bigbang ./chart -n bigbang --create-namespace -f ./registry-values.yaml -f ./chart/ingress-certs.yaml -f ./keycloak-dev-values.yaml -f ./overrides.yaml ``` -1. Login to the Keycloak admin console: (`admin/password`) https://keycloak.dev.bigbang.mil/auth/admin/master/console/ -1. Switch to the baby-yoda realm. + +1. Login to the Keycloak admin console: (`admin/password`) <https://keycloak.dev.bigbang.mil/auth/admin/master/console/> +1. Switch to the baby-yoda realm. 1. Create a new user. Be sure to do the following: Switch "Email verified" to "Yes", join the "Impact Level 2 Authorized" group, remove all "Required user actions" (do this after the user is created), create a password (disable "Temporary"). 1. Login to Gitlab using SSO and the user you just configured. 1. Setup MFA. #### OmniAuth oidc-provider SSO setup + - Reference [keycloak.md](https://repo1.dso.mil/big-bang/product/packages/gitlab/-/blob/main/docs/keycloak.md?ref_type=heads) for omniauth global configuration and more override examples. diff --git a/docs/keycloak.md b/docs/keycloak.md index 1d384b792..fa06e5162 100644 --- a/docs/keycloak.md +++ b/docs/keycloak.md 
@@ -5,20 +5,21 @@ The integration assumes that keycloak is deployed with a realm other than master This documentation is geared towards configuring GitLab to work with P1 SSO/`login.dso.mil`. To learn about deploying GtitLab with a dev version of Keycloak, see [keycloak-dev.md](./keycloak-dev.md). If the client gitlab doesn't exist in keycloak, please create the client gitlab with the following settings: -1. Create a gitlab OIDC client scope. The scope name is case sensitive and must match the oidc settings that Gitlab was deployed with. Bigbang Gitlab settings are expecting scope name "Gitlab" with a capital G. Use the following mappings: - + +1. Create a gitlab OIDC client scope. The scope name is case sensitive and must match the oidc settings that Gitlab was deployed with. Bigbang Gitlab settings are expecting scope name "Gitlab" with a capital G. Use the following mappings: + | Name | Mapper Type | Mapper Selection Sub | Token Claim Name | Claim JSON Type | |-------------|------------------|----------------------|--------------------|-----------------| | email | User Property | email | email | String | | profile | User Attribute | profile | N/A | String | | username | User Property | username | preferred_username | String | -2. Create a gitlab client +2. Create a gitlab client - Change the following configuration items - access type: confidential _this will enable "Credentials"_ - Direct Access Grants Enabled: Off - - Valid Redirect URIs: https://code.${DOMAIN}/users/auth/openid_connect/callback - - Base URL: https://code.${DOMAIN} + - Valid Redirect URIs: <https://code.${DOMAIN}/users/auth/openid_connect/callback> + - Base URL: <https://code.${DOMAIN}> - Set Client Scopes - Default Client Scopes: Gitlab (the client scope you created in the previous step. This is case sensitive.) - optional client scopes: N/A 
@@ -26,7 +27,8 @@ If the client gitlab doesn't exist in keycloak, please create the client gitlab ### GitLab configuration for keycloak -Reference Gitlab [documentation for SSO](https://docs.gitlab.com/charts/charts/globals.html#omniauth). This is a working example of the json configuration used for keycloak integration. +Reference Gitlab [documentation for SSO](https://docs.gitlab.com/charts/charts/globals.html#omniauth). This is a working example of the json configuration used for keycloak integration. + ``` { "name": "openid_connect", @@ -50,15 +52,19 @@ Reference Gitlab [documentation for SSO](https://docs.gitlab.com/charts/charts/g } } ``` + Fill in your values and create a json file with the contents in a temporary directory somewhere. You can name the file gitlab-oidc.json. Encode the contents with base64 + ``` cat gitlab-oidc.enc.json | base64 -w 0 ``` + The encoded output is what you will use in the next step. The ```-w 0``` insures that the encoded value is a one line string. ### Create a secret in Gitlab namespace for the oidc provider info Create a secret for the json provider config from the previous step + ``` apiVersion: v1 kind: Secret @@ -68,11 +74,12 @@ metadata: data: gitlab-oidc.json: <enter your encoded json config here> ``` + Before you commit this secret you can encrypt the base64 encoded data with sops. Only encrypt the data section. Flux needs to be able to read the other fields. ### Gitlab omniauth global configuration -Override the helm chart values.yaml for your environment to include the oidc-provider secret in gitlab ```global.appConfig.omniauth``` definition. The following example is the minimum config that you need. Refer to Gitlab documentation for more settings. +Override the helm chart values.yaml for your environment to include the oidc-provider secret in gitlab ```global.appConfig.omniauth``` definition. The following example is the minimum config that you need. Refer to Gitlab documentation for more settings. ``` global: 
@@ -94,11 +101,14 @@ global: - secret: oidc-provider key: gitlab-oidc.json ``` + #### Network Policy egress-sso configurable port + - Default egressPort = 443 - Scenerio: If omniauth is "enabled" and you are configuring the controlPlaneCidr to a specific controlplane ip block you will need to update the "Values.networkPolicies.egressPort" to 8443. This port needs to be open for oidc authentication to the keycloak client in the baby-yoda realm. Example egress-sso Network Policy override: + ```yaml gitlab: enabled: true @@ -164,7 +174,8 @@ sso: # derived from https://repo1.dso.mil/big-bang/product/packages/gitlab/-/blo mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- -``` +``` + - Link to [keycloak-dev.md](https://repo1.dso.mil/big-bang/product/packages/gitlab/-/blob/main/docs/keycloak-dev.md?ref_type=heads) document for complete SSO configuration. If all your configuration is correct you will be able to deploy and use SSO auth for Gitlab! diff --git a/docs/operational-production-settings.md b/docs/operational-production-settings.md index ec21a22e5..c0073fb4f 100644 --- a/docs/operational-production-settings.md +++ b/docs/operational-production-settings.md 
@@ -1,14 +1,19 @@ # Operational configuration and settings for production environments + This document provides suggested settings for operational/production environment. Of course every environment is unique. These suggestions are a good starting point. Also consult the upstream Gitlab documentation and the other documents in the [./docs](./docs) directory. -## Use external database and object storage +## Use external database and object storage + For production deployments you must externalize the postgres and MinIO services. If you are deploying with BigBang the most common value overrides will passthrough to the Gitlab Package chart. You should disable the internal postgres. + ``` postgresql: install: false ``` + Enable an external database. Preferably a cloud database service. Customize the values for your external database credentials. If you are using BigBang the values will pass through to this Gitlab Package chart. + ``` global: ## doc/charts/globals.md#configure-postgresql-settings @@ -23,13 +28,17 @@ global: # pool: 1 # preparedStatements: false ``` + Disable the internal MinIO instance + ``` global: minio: enabled: false ``` + Customize the values for external object storage. If you are using BigBang the values will pass through to this Gitlab Package chart. + ``` global: appConfig: 
@@ -46,12 +55,15 @@ global: ``` ## Flux settings + When deploying this Gitlab Package chart with BigBang the deployment is controlled by the FluxCD GitOps tool. Large Gitlab installations should increase the Flux timeout in the BigBang value (addons.gitlab.flux.timeout) to around 30m to 45m. And the BigBang Flux retries value (addons.gitlab.flux.upgrade.retries) should be adjusted to around 8 to 10. ## Kubernetes resource request/limit settings -K8s resource requests/limits for webservice and gitaly workloads should be increased from the defaults. Gitlab engineers state predicting Gitaly's resource consumption is very difficult, and will require testing to find the applicable limits/requests for each individual installation. See this [Gitlab Epic](https://gitlab.com/groups/gitlab-org/-/epics/6127) for more information. See the [docs/k8s-resources.md](./k8s-resources.md) for a list of all possible configuration values. + +K8s resource requests/limits for webservice and gitaly workloads should be increased from the defaults. Gitlab engineers state predicting Gitaly's resource consumption is very difficult, and will require testing to find the applicable limits/requests for each individual installation. See this [Gitlab Epic](https://gitlab.com/groups/gitlab-org/-/epics/6127) for more information. See the [docs/k8s-resources.md](./k8s-resources.md) for a list of all possible configuration values. Recommended starting point: + ``` gitlab: webservice: 
@@ -73,20 +85,27 @@ gitlab: ``` ## Backup and rename gitlab-rails-secret + If the Kubernetes gitlab-rails-secret happens to get overwritten Gitlab will no longer be able to access the encrypted data in the database. You will get errors like this in the logs. + ``` OpenSSL::Cipher::CipherError () ``` + Many things break when this happens and the recovery is ugly with serious user impacts. At a minimum an operational deployment of Gitlab should export and save the gitlab-rails-secret somewhere secure outside the cluster. + ``` kubectl get secret/gitlab-rails-secret -n gitlab -o yaml > cya.yaml ``` + Ideally, an operational deployment should create a secret with a different name as [documented here](https://docs.gitlab.com/charts/installation/secrets.html#gitlab-rails-secret). The helm chart values ```global.railsSecrets.secret``` can be overridden to point to the secret. + ``` global: railsSecrets: secret: my-gitlab-rails-secret ``` + This secret should be backed up somewhere secure outside the cluster. diff --git a/docs/overview.md b/docs/overview.md index 6b203bf54..4ed51000d 100644 --- a/docs/overview.md +++ b/docs/overview.md 
@@ -3,26 +3,34 @@ [[_TOC_]] # Gitlab for Kubernetes + [gitlab](https://docs.gitlab.com/) provides the upstream documentation: GitLab is a web-based DevOps lifecycle tool that provides a Git-repository manager providing wiki, issue-tracking and continuous integration/continuous deployment pipeline features, using an open-source license, developed by GitLab Inc. ## Application Deployment + The default values are intended for development, demo, and CI pipelines. For operational/production environments see the suggestions in [docs/operational-production-settings.md](./operational-production-settings.md). ## Kubernetes resource configuration + The BigBang Gitlab Package has a default resource configuration for a minimal installation which is sufficient for development, demos, and CI pipelines. For larger operational deployments you must increase the CPU and memory as needed. See suggested production settings here [docs/operational-production-settings.md](./operational-production-settings.md). Consult the upstream Gitlab documentation and Gitlab Support for appropriate settings. See the [docs/k8s-resources.md](./k8s-resources.md) for a list of all possible configuration values. ## Keycloak SSO integration + Gitlab SSO integration can be 100% configuration as code. No manual post-install actions are required if the configuration is correct. see [docs/keycloak.md](./keycloak.md) ## elasticsearch notes + create an index pattern for fluentd if not already created for you + ``` logstash-* ``` + Build filter for gitlab namespace + ``` { "query": { @@ -32,7 +40,9 @@ Build filter for gitlab namespace } } ``` + There are more than 15 pods in a Gitlab deployment. + ``` [p1dev@p1dev-vm gitlab]$ kubectl get pods -n gitlab NAME READY STATUS RESTARTS AGE 
@@ -56,11 +66,13 @@ gitlab-webservice-7ff8956d8b-8zcj2 2/2 Running 0 4h gitlab-webservice-7ff8956d8b-9l8sj 2/2 Running 0 143m global-shared-gitlab-runner-567cf8df54-8dzfw 1/1 Running 0 4h50m ``` + Here is a document that lists the Gitlab components and what each one does -https://docs.gitlab.com/ce/development/architecture.html#component-details +<https://docs.gitlab.com/ce/development/architecture.html#component-details> Here are some an examples of a filter for specific containers: front-end webservice + ``` { "query": { @@ -70,7 +82,9 @@ front-end webservice } } ``` + gitlab-workhorse - a gateway for routing http requests to the proper component + ``` { "query": { @@ -80,7 +94,9 @@ gitlab-workhorse - a gateway for routing http requests to the proper component } } ``` + cli git commands + ``` { "query": { @@ -90,10 +106,13 @@ cli git commands } } ``` + In the KQL field you can text search within a source field such as log + ``` log: "error" ``` + ``` log: F 2020-07-10T18:23:01.255Z 8 TID-go4bqp7cw ERROR: Error fetching job: Error connecting to Redis on gitlab-redis-master:6379 (Redis::TimeoutError) @@ -124,4 +143,3 @@ kubernetes.labels.queue-pod-name: kubernetes.labels.release: gitlab ``` - diff --git a/docs/test-package-against-bb.md b/docs/test-package-against-bb.md index 548c206e1..eabf81ce5 100644 --- a/docs/test-package-against-bb.md +++ b/docs/test-package-against-bb.md @@ -8,6 +8,7 @@ As part of your MR that modifies istio you will need to run bigbang tests agains 1. Create a new branch on bigbang off of master `git checkout master && git pull && git checkout -b my-bigbang-branch-for-testing.` 1. Modify the [test values](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/tests/test-values.yaml?ref_type=heads). Yours will be different for your package, you may need more than this. + ```yaml gitlab: git: 
@@ -18,6 +19,7 @@ As part of your MR that modifies istio you will need to run bigbang tests agains
 hardened:
 enabled: true
 ```
+
 1. Stage your changes `git add -A.`
 1. Commit your changes `git commit -m "prepping for test."`
 1. Push your changes `git push -u origin my-bigbang-branch-for-testing.`
diff --git a/tests/images.txt b/tests/images.txt
index 392309bd1..49c400582 100644
--- a/tests/images.txt
+++ b/tests/images.txt
@@ -1,2 +1,2 @@
-registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter:17.2.9
-registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:17.2.9
+registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter:17.3.6
+registry1.dso.mil/ironbank/gitlab/gitlab/kubectl:17.3.6
-- GitLab