chore(deps): update helm release gitlab to v8.7.0 - autoclosed #3706
Merged
Path: @@ -1289,8 +1289,8 @@
release: gitlab
heritage: Helm
data:
- gitlabVersion: "17.6.2"
- gitlabChartVersion: "8.6.2"
+ gitlabVersion: "17.7.0"
+ gitlabChartVersion: "8.7.0"
---
# Source: gitlab/charts/minio/templates/minio_pvc.yaml
kind: PersistentVolumeClaim
@@ -1507,13 +1507,13 @@
release: gitlab
heritage: Helm
annotations:
- checksum/config: fd3fb21f894101be117227e0806379a1d5913ce300dec37a237fe213bced1c76
- checksum/config-sshd: d01f718f0436a33021eb6697fbe5aa5d4bc4ee19aa96dbd5543d230a3c89adbc
+ checksum/config: 937a4a2e0ff5b6adc0554414748175a7bc831b2236e6a4d7effe61ad524af043
+ checksum/config-sshd: 61fbbc53c0cb80b0ebd3efba64eb44951b73d695868786b4ef53bab3784a1cea
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
initContainers:
- name: certificates
- image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
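Review bot: The new `image:` line for the `certificates` init container still references the image by tag only (`certificates:v17.7.0`). A tag can be re-pointed in the registry after this review, so consider rendering image references with a digest (`<image>@sha256:<digest>`) so that what is pulled is what was reviewed. The same applies to every other `+ image:` line in this diff.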
@@ -1521,6 +1521,8 @@
- ALL
runAsNonRoot: true
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
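Review bot: The two added lines under `env:` set `TZ` to `Europe/Zurich` in this init container, which the PR title (a chart version bump) does not cover. The description should say whether this comes from new chart behaviour or from a values change, so that it is reviewed deliberately rather than riding along with the bump. Processes that log in local time will now emit timestamps that shift with daylight saving, so confirm that log collection normalises to UTC before these lines are correlated with other sources.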
@@ -1533,7 +1535,7 @@
cpu: 50m
- name: configure
command: ['sh', '/config/configure']
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -1541,6 +1543,8 @@
- ALL
runAsNonRoot: true
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: shell-config
mountPath: /config
@@ -1594,6 +1598,8 @@
value: '/etc/gitlab-secrets/ssh'
- name: SSH_DAEMON
value: "openssh"
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: shell-config
mountPath: '/etc/gitlab-shell'
@@ -1693,7 +1699,7 @@
heritage: Helm
queue-pod-name: all-in-1
annotations:
- checksum/configmap: 54df4a2bbbbcf2d24aa9b9ec648c41dc429ea4bffd33aff4b49f68bc8f423d36
+ checksum/configmap: aa98225358908697549a24d2a68250fb8e3439d10635cfcc6ecbc58886794702
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
gitlab.com/prometheus_scrape: "true"
gitlab.com/prometheus_port: "3807"
@@ -1721,7 +1727,7 @@
terminationGracePeriodSeconds: 30
initContainers:
- name: certificates
- image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -1730,6 +1736,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -1742,7 +1750,7 @@
cpu: 50m
- name: configure
command: ['sh', '/config/configure']
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -1751,6 +1759,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: sidekiq-config
mountPath: /config
@@ -1765,7 +1775,7 @@
requests:
cpu: 50m
- name: dependencies
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ce:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ce:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -1788,6 +1798,8 @@
value: "25"
- name: ENABLE_BOOTSNAP
value: "1"
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
@@ -1810,7 +1822,7 @@
cpu: 50m
containers:
- name: sidekiq
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ce:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq-ce:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -1845,6 +1857,8 @@
value: "30"
- name: ENABLE_BOOTSNAP
value: "1"
+ - name: TZ
+ value: "Europe/Zurich"
ports:
- containerPort: 3807
name: http-metrics
@@ -2031,7 +2045,7 @@
release: gitlab
heritage: Helm
annotations:
- checksum/config: 00dd4c74df7a9781904789687c42df3310801739916e41396adff5398d004b70
+ checksum/config: 1a9930cfd76a84c3f03fc4df3d370895f2c79d924101aa9abb5dd73413f06913
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
spec:
securityContext:
@@ -2043,7 +2057,7 @@
automountServiceAccountToken: false
initContainers:
- name: certificates
- image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2052,6 +2066,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -2064,7 +2080,7 @@
cpu: 50m
- name: configure
command: ['sh', '/config/configure']
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2073,6 +2089,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: toolbox-config
mountPath: /config
@@ -2102,7 +2120,7 @@
- /bin/bash
- -c
- cp -v -r -L /etc/gitlab/.s3cfg $HOME/.s3cfg && while sleep 3600; do :; done # alpine sleep has no infinity
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ce:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ce:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2143,6 +2161,8 @@
value: '/var/opt/gitlab/templates'
- name: CONFIG_DIRECTORY
value: '/srv/gitlab/config'
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: toolbox-config
mountPath: '/var/opt/gitlab/templates'
@@ -2309,7 +2329,7 @@
heritage: Helm
gitlab.com/webservice-name: default
annotations:
- checksum/config: 6f04cd1dd60a36214e33e70806f976898e5c4e84c12d4d8121e63cb860147bbd
+ checksum/config: 306f1f4a42731ac2df0c3a06de03f5fb70991f52b3d5db47531d997c0ac52e54
cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
gitlab.com/prometheus_scrape: "true"
gitlab.com/prometheus_port: "8083"
@@ -2337,7 +2357,7 @@
automountServiceAccountToken: false
initContainers:
- name: certificates
- image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2346,6 +2366,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -2359,7 +2381,7 @@
- name: configure
command: ['sh']
args: ['-c', 'sh -x /config-webservice/configure ; sh -x /config-workhorse/configure ; mkdir -p -m 3770 /tmp/gitlab']
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2368,6 +2390,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: webservice-config
mountPath: /config-webservice
@@ -2391,7 +2415,7 @@
requests:
cpu: 50m
- name: dependencies
- image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2402,6 +2426,8 @@
args:
- /scripts/wait-for-deps
env:
+ - name: TZ
+ value: "Europe/Zurich"
- name: GITALY_FEATURE_DEFAULT_ON
value: "1"
- name: CONFIG_TEMPLATE_DIRECTORY
@@ -2433,7 +2459,7 @@
cpu: 50m
containers:
- name: webservice
- image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2447,6 +2473,8 @@
- containerPort: 8083
name: http-metrics-ws
env:
+ - name: TZ
+ value: "Europe/Zurich"
- name: GITLAB_WEBSERVER
value: puma
- name: TMPDIR
@@ -2538,7 +2566,7 @@
cpu: 300m
memory: 2.5G
- name: gitlab-workhorse
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ce:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-workhorse-ce:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2550,6 +2578,8 @@
- containerPort: 8181
name: http-workhorse
env:
+ - name: TZ
+ value: "Europe/Zurich"
- name: TMPDIR
value: "/tmp/gitlab"
- name: GITLAB_WORKHORSE_AUTH_BACKEND
@@ -2794,7 +2824,7 @@
medium: "Memory"
initContainers:
- name: configure
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2807,6 +2837,9 @@
mountPath: /config
- name: minio-server-config
mountPath: /minio
+ env:
+ - name: TZ
+ value: "Europe/Zurich"
resources:
requests:
cpu: 50m
@@ -2821,6 +2854,9 @@
- ALL
runAsNonRoot: true
runAsUser: 1000
+ env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: export
mountPath: /export
@@ -2888,7 +2924,7 @@
automountServiceAccountToken: false
initContainers:
- name: certificates
- image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2897,6 +2933,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -2908,7 +2946,7 @@
requests:
cpu: 50m
- name: configure
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2933,9 +2971,11 @@
value: /templates
- name: CONFIG_DIRECTORY
value: /registry
+ - name: TZ
+ value: "Europe/Zurich"
containers:
- name: registry
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v4.13.0-gitlab"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-container-registry:v4.14.0-gitlab"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -2944,6 +2984,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: registry-server-config
mountPath: /etc/docker/registry/
@@ -3141,7 +3183,7 @@
release: gitlab
heritage: Helm
annotations:
- checksum/config: 287af6ac37e6d6b50c97d2f2b4369f2fdd2f3419125d00fb8844330497cf9042
+ checksum/config: bdc494debaf10d5c7dc91825cb4c96c20b5688b44c424984d6f40bd202f702c2
gitlab.com/prometheus_scrape: "true"
gitlab.com/prometheus_port: "9236"
gitlab.com/prometheus_path: /metrics
@@ -3152,7 +3194,7 @@
terminationGracePeriodSeconds: 30
initContainers:
- name: certificates
- image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -3160,6 +3202,8 @@
- ALL
runAsNonRoot: true
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -3172,7 +3216,7 @@
cpu: 50m
- name: configure
command: ['sh', '/config/configure']
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -3180,6 +3224,8 @@
- ALL
runAsNonRoot: true
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: gitaly-config
mountPath: /config
@@ -3209,7 +3255,7 @@
automountServiceAccountToken: false
containers:
- name: gitaly
- image: "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitaly:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -3231,6 +3277,10 @@
value: '/etc/gitaly/config.toml'
- name: SSL_CERT_DIR
value: '/etc/ssl/certs'
+ - name: TZ
+ value: "Europe/Zurich"
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs/
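Review bot: The `gitaly` container's `env` list gets the `TZ` entry twice (four added lines, two identical `- name: TZ` / `value: "Europe/Zurich"` pairs after `SSL_CERT_DIR`). Duplicate names in a container's `env` are ambiguous and are flagged by strict manifest validation; here the values happen to match, but if the two sources ever diverge the effective value becomes hard to reason about. Find which two templates or values each emit `TZ` for gitaly and keep only one.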
@@ -3481,7 +3531,7 @@
apiVersion: batch/v1
kind: Job
metadata:
- name: gitlab-migrations-c0d9ad1
+ name: gitlab-migrations-af5d61b
namespace: default
labels:
app: migrations
@@ -3505,7 +3555,7 @@
automountServiceAccountToken: false
initContainers:
- name: certificates
- image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -3513,6 +3563,8 @@
- ALL
runAsNonRoot: true
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -3525,7 +3577,7 @@
cpu: 50m
- name: configure
command: ['sh', '/config/configure']
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -3533,6 +3585,8 @@
- ALL
runAsNonRoot: true
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: migrations-config
mountPath: /config
@@ -3549,7 +3603,7 @@
restartPolicy: OnFailure
containers:
- name: migrations
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ce:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ce:v17.7.0"
args:
- /scripts/wait-for-deps
- /scripts/db-migrate
@@ -3569,6 +3623,8 @@
value: 'true'
- name: ENABLE_BOOTSNAP
value: '1'
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: migrations-config
mountPath: '/var/opt/gitlab/templates'
@@ -3651,7 +3707,7 @@
apiVersion: batch/v1
kind: Job
metadata:
- name: gitlab-minio-create-buckets-38e5553
+ name: gitlab-minio-create-buckets-d64098d
namespace: default
labels:
app: minio
@@ -3732,11 +3788,11 @@
metadata:
labels:
app: toolbox
- chart: toolbox-8.6.2
+ chart: toolbox-8.7.0
release: gitlab
heritage: Helm
annotations:
- checksum/config: 00dd4c74df7a9781904789687c42df3310801739916e41396adff5398d004b70
+ checksum/config: 1a9930cfd76a84c3f03fc4df3d370895f2c79d924101aa9abb5dd73413f06913
cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
spec:
restartPolicy: OnFailure
@@ -3748,7 +3804,7 @@
type: RuntimeDefault
initContainers:
- name: certificates
- image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/certificates:v17.7.0
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -3757,6 +3813,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: etc-ssl-certs
mountPath: /etc/ssl/certs
@@ -3769,7 +3827,7 @@
cpu: 50m
- name: configure
command: ['sh', '/config/configure']
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -3778,6 +3836,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
volumeMounts:
- name: toolbox-config
mountPath: /config
@@ -3797,7 +3857,7 @@
- /bin/bash
- -c
- cp /etc/gitlab/.s3cfg $HOME/.s3cfg && backup-utility # alpine sleep has no infinity
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ce:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-toolbox-ce:v17.7.0"
securityContext:
allowPrivilegeEscalation: false
capabilities:
@@ -3806,6 +3866,8 @@
runAsNonRoot: true
runAsUser: 1000
env:
+ - name: TZ
+ value: "Europe/Zurich"
- name: ARTIFACTS_BUCKET_NAME
value: gitlab-artifacts
- name: REGISTRY_BUCKET_NAME
@@ -4065,7 +4127,7 @@
"helm.sh/hook-weight": "-3"
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
data:
- generate-secrets: "# vim: set filetype=sh:\n\nnamespace=default\nrelease=gitlab\nenv=production\n\npushd $(mktemp -d)\n\n# Args pattern, length\nfunction gen_random(){\n head -c 4096 /dev/urandom | LC_CTYPE=C tr -cd $1 | head -c $2\n}\n\n# Args: yaml file, search path\nfunction fetch_rails_value(){\n local value=$(yq \".${2}\" $1)\n\n # Don't return null values\n if [ \"${value}\" != \"null\" ]; then echo \"${value}\"; fi\n}\n\n# Args: secretname\nfunction label_secret(){\n local secret_name=$1\n# Remove application labels if they exist\n kubectl --namespace=$namespace label \\\n secret $secret_name $(echo 'app.kubernetes.io/name=gitlab' | sed -E 's/=[^ ]*/-/g')\n\n kubectl --namespace=$namespace label \\\n --overwrite \\\n secret $secret_name app=gitlab chart=gitlab-8.6.2 release=gitlab heritage=Helm \n}\n\n# Args: secretname, args\nfunction generate_secret_if_needed(){\n local secret_args=( \"${@:2}\")\n local secret_name=$1\n\n if ! $(kubectl --namespace=$namespace get secret $secret_name > /dev/null 2>&1); then\n kubectl --namespace=$namespace create secret generic $secret_name ${secret_args[@]}\n else\n echo \"secret \\\"$secret_name\\\" already exists.\"\n\n for arg in \"${secret_args[@]}\"; do\n local from=$(echo -n ${arg} | cut -d '=' -f1)\n\n if [ -z \"${from##*literal*}\" ]; then\n local key=$(echo -n ${arg} | cut -d '=' -f2)\n local desiredValue=$(echo -n ${arg} | cut -d '=' -f3-)\n local flags=\"--namespace=$namespace --allow-missing-template-keys=false\"\n\n if ! $(kubectl $flags get secret $secret_name -ojsonpath=\"{.data.${key}}\" > /dev/null 2>&1); then\n echo \"key \\\"${key}\\\" does not exist. 
patching it in.\"\n\n if [ \"${desiredValue}\" != \"\" ]; then\n desiredValue=$(echo -n \"${desiredValue}\" | base64 -w 0)\n fi\n\n kubectl --namespace=$namespace patch secret ${secret_name} -p \"{\\\"data\\\":{\\\"$key\\\":\\\"${desiredValue}\\\"}}\"\n fi\n fi\n done\n fi\n\n label_secret $secret_name\n}\n\n# Initial root password\ngenerate_secret_if_needed \"gitlab-gitlab-initial-root-password\" --from-literal=\"password\"=$(gen_random 'a-zA-Z0-9' 64)\n\n\n# Redis password\ngenerate_secret_if_needed \"gitlab-redis-secret\" --from-literal=\"secret\"=$(gen_random 'a-zA-Z0-9' 64)\n\n\n\n\n# Gitlab shell\ngenerate_secret_if_needed \"gitlab-gitlab-shell-secret\" --from-literal=\"secret\"=$(gen_random 'a-zA-Z0-9' 64)\n\n# Gitaly secret\ngenerate_secret_if_needed \"gitlab-gitaly-secret\" --from-literal=\"token\"=$(gen_random 'a-zA-Z0-9' 64)\n\n# Minio secret\ngenerate_secret_if_needed \"gitlab-minio-secret\" --from-literal=accesskey=$(gen_random 'a-zA-Z0-9' 64) --from-literal=secretkey=$(gen_random 'a-zA-Z0-9' 64)\n\n\n# Gitlab runner secret\ngenerate_secret_if_needed \"gitlab-gitlab-runner-secret\" --from-literal=runner-registration-token=$(gen_random 'a-zA-Z0-9' 64) --from-literal=runner-token=\"\"\n\n# GitLab Pages API secret\n\n\n# GitLab Pages auth secret for hashing cookie store when using access control\n\n\n# GitLab Pages OAuth secret\n\n\n\n\n# Gitlab-suggested-reviewers secret\ngenerate_secret_if_needed \"gitlab-gitlab-suggested-reviewers\" --from-literal=\"suggested_reviewers_secret\"=$(gen_random 'a-zA-Z0-9' 32 | base64)\n\n\n\n\n\n# Registry certificates\nmkdir -p certs\nopenssl req -new -newkey rsa:4096 -subj \"/CN=gitlab-issuer\" -nodes -x509 -keyout certs/registry-example-com.key -out certs/registry-example-com.crt -days 3650\ngenerate_secret_if_needed \"gitlab-registry-secret\" --from-file=registry-auth.key=certs/registry-example-com.key --from-file=registry-auth.crt=certs/registry-example-com.crt\n\n# config/secrets.yaml\nif [ -n \"$env\" ]; then\n 
rails_secret=\"gitlab-rails-secret\"\n\n # Fetch the values from the existing secret if it exists\n if $(kubectl --namespace=$namespace get secret $rails_secret > /dev/null 2>&1); then\n kubectl --namespace=$namespace get secret $rails_secret -o jsonpath=\"{.data.secrets\\.yml}\" | base64 --decode > secrets.yml\n secret_key_base=$(fetch_rails_value secrets.yml \"${env}.secret_key_base\")\n otp_key_base=$(fetch_rails_value secrets.yml \"${env}.otp_key_base\")\n db_key_base=$(fetch_rails_value secrets.yml \"${env}.db_key_base\")\n openid_connect_signing_key=$(fetch_rails_value secrets.yml \"${env}.openid_connect_signing_key\")\n encrypted_settings_key_base=$(fetch_rails_value secrets.yml \"${env}.encrypted_settings_key_base\")\n fi;\n\n # Generate defaults for any unset secrets\n secret_key_base=\"${secret_key_base:-$(gen_random 'a-f0-9' 128)}\" # equavilent to secureRandom.hex(64)\n otp_key_base=\"${otp_key_base:-$(gen_random 'a-f0-9' 128)}\" # equavilent to secureRandom.hex(64)\n db_key_base=\"${db_key_base:-$(gen_random 'a-f0-9' 128)}\" # equavilent to secureRandom.hex(64)\n openid_connect_signing_key=\"${openid_connect_signing_key:-$(openssl genrsa 2048)}\"\n encrypted_settings_key_base=\"${encrypted_settings_key_base:-$(gen_random 'a-f0-9' 128)}\" # equavilent to secureRandom.hex(64)\n\n # Update the existing secret\n cat << EOF > rails-secrets.yml\napiVersion: v1\nkind: Secret\nmetadata:\n name: $rails_secret\ntype: Opaque\nstringData:\n secrets.yml: |-\n $env:\n secret_key_base: $secret_key_base\n otp_key_base: $otp_key_base\n db_key_base: $db_key_base\n encrypted_settings_key_base: $encrypted_settings_key_base\n openid_connect_signing_key: |\n$(echo \"${openid_connect_signing_key}\" | awk '{print \" \" $0}')\nEOF\n kubectl --validate=false --namespace=$namespace apply -f rails-secrets.yml\n label_secret $rails_secret\nfi\n\n# Shell ssh host keys\nssh-keygen -A\nmkdir -p host_keys\ncp /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub 
/etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub host_keys/\ngenerate_secret_if_needed \"gitlab-gitlab-shell-host-keys\" --from-file host_keys\n\n# Gitlab-workhorse secret\ngenerate_secret_if_needed \"gitlab-gitlab-workhorse-secret\" --from-literal=\"shared_secret\"=$(gen_random 'a-zA-Z0-9' 32 | base64)\n\n# Registry http.secret secret\ngenerate_secret_if_needed \"gitlab-registry-httpsecret\" --from-literal=\"secret\"=$(gen_random 'a-z0-9' 128 | base64 -w 0)\n\n# Container Registry notification_secret\ngenerate_secret_if_needed \"gitlab-registry-notification\" --from-literal=\"secret\"=[\\\"$(gen_random 'a-zA-Z0-9' 32)\\\"]\n\n\n\n# Zoekt basic auth credentials\ngenerate_secret_if_needed gitlab-zoekt-basicauth --from-literal=gitlab_username=gitlab --from-literal=gitlab_password=$(gen_random 'a-zA-Z0-9' 64)\n"
+ generate-secrets: "# vim: set filetype=sh:\n\nnamespace=default\nrelease=gitlab\nenv=production\n\npushd $(mktemp -d)\n\n# Args pattern, length\nfunction gen_random(){\n head -c 4096 /dev/urandom | LC_CTYPE=C tr -cd $1 | head -c $2\n}\n\n# Args: length\nfunction gen_random_base64(){\n local len=\"$1\"\n head -c \"$len\" /dev/urandom | base64 -w0\n}\n\n# Args: yaml file, search path\nfunction fetch_rails_value(){\n local value=$(yq \".${2}\" $1)\n\n # Don't return null values\n if [ \"${value}\" != \"null\" ]; then echo \"${value}\"; fi\n}\n\n# Args: secretname\nfunction label_secret(){\n local secret_name=$1\n# Remove application labels if they exist\n kubectl --namespace=$namespace label \\\n secret $secret_name $(echo 'app.kubernetes.io/name=gitlab' | sed -E 's/=[^ ]*/-/g')\n\n kubectl --namespace=$namespace label \\\n --overwrite \\\n secret $secret_name app=gitlab chart=gitlab-8.7.0 release=gitlab heritage=Helm \n}\n\n# Args: secretname, args\nfunction generate_secret_if_needed(){\n local secret_args=( \"${@:2}\")\n local secret_name=$1\n\n if ! $(kubectl --namespace=$namespace get secret $secret_name > /dev/null 2>&1); then\n kubectl --namespace=$namespace create secret generic $secret_name ${secret_args[@]}\n else\n echo \"secret \\\"$secret_name\\\" already exists.\"\n\n for arg in \"${secret_args[@]}\"; do\n local from=$(echo -n ${arg} | cut -d '=' -f1)\n\n if [ -z \"${from##*literal*}\" ]; then\n local key=$(echo -n ${arg} | cut -d '=' -f2)\n local desiredValue=$(echo -n ${arg} | cut -d '=' -f3-)\n local flags=\"--namespace=$namespace --allow-missing-template-keys=false\"\n\n if ! $(kubectl $flags get secret $secret_name -ojsonpath=\"{.data.${key}}\" > /dev/null 2>&1); then\n echo \"key \\\"${key}\\\" does not exist. 
patching it in.\"\n\n if [ \"${desiredValue}\" != \"\" ]; then\n desiredValue=$(echo -n \"${desiredValue}\" | base64 -w 0)\n fi\n\n kubectl --namespace=$namespace patch secret ${secret_name} -p \"{\\\"data\\\":{\\\"$key\\\":\\\"${desiredValue}\\\"}}\"\n fi\n fi\n done\n fi\n\n label_secret $secret_name\n}\n\n# Initial root password\ngenerate_secret_if_needed \"gitlab-gitlab-initial-root-password\" --from-literal=\"password\"=$(gen_random 'a-zA-Z0-9' 64)\n\n\n# Redis password\ngenerate_secret_if_needed \"gitlab-redis-secret\" --from-literal=\"secret\"=$(gen_random 'a-zA-Z0-9' 64)\n\n\n\n\n# Gitlab shell\ngenerate_secret_if_needed \"gitlab-gitlab-shell-secret\" --from-literal=\"secret\"=$(gen_random 'a-zA-Z0-9' 64)\n\n# Gitaly secret\ngenerate_secret_if_needed \"gitlab-gitaly-secret\" --from-literal=\"token\"=$(gen_random 'a-zA-Z0-9' 64)\n\n# Minio secret\ngenerate_secret_if_needed \"gitlab-minio-secret\" --from-literal=accesskey=$(gen_random 'a-zA-Z0-9' 64) --from-literal=secretkey=$(gen_random 'a-zA-Z0-9' 64)\n\n\n# Gitlab runner secret\ngenerate_secret_if_needed \"gitlab-gitlab-runner-secret\" --from-literal=runner-registration-token=$(gen_random 'a-zA-Z0-9' 64) --from-literal=runner-token=\"\"\n\n# GitLab Pages API secret\n\n\n# GitLab Pages auth secret for hashing cookie store when using access control\n\n\n# GitLab Pages OAuth secret\n\n\n\n\n# Gitlab-suggested-reviewers secret\ngenerate_secret_if_needed \"gitlab-gitlab-suggested-reviewers\" --from-literal=\"suggested_reviewers_secret\"=$(gen_random 'a-zA-Z0-9' 32 | base64)\n\n\n\n\n\n# Registry certificates\nmkdir -p certs\nopenssl req -new -newkey rsa:4096 -subj \"/CN=gitlab-issuer\" -nodes -x509 -keyout certs/registry-example-com.key -out certs/registry-example-com.crt -days 3650\ngenerate_secret_if_needed \"gitlab-registry-secret\" --from-file=registry-auth.key=certs/registry-example-com.key --from-file=registry-auth.crt=certs/registry-example-com.crt\n\n# config/secrets.yaml\nif [ -n \"$env\" ]; then\n 
rails_secret=\"gitlab-rails-secret\"\n\n # Fetch the values from the existing secret if it exists\n if $(kubectl --namespace=$namespace get secret $rails_secret > /dev/null 2>&1); then\n kubectl --namespace=$namespace get secret $rails_secret -o jsonpath=\"{.data.secrets\\.yml}\" | base64 --decode > secrets.yml\n secret_key_base=$(fetch_rails_value secrets.yml \"${env}.secret_key_base\")\n otp_key_base=$(fetch_rails_value secrets.yml \"${env}.otp_key_base\")\n db_key_base=$(fetch_rails_value secrets.yml \"${env}.db_key_base\")\n openid_connect_signing_key=$(fetch_rails_value secrets.yml \"${env}.openid_connect_signing_key\")\n encrypted_settings_key_base=$(fetch_rails_value secrets.yml \"${env}.encrypted_settings_key_base\")\n\n active_record_encryption_primary_keys=$(fetch_rails_value secrets.yml \"${env}.active_record_encryption_primary_key\")\n active_record_encryption_deterministic_keys=$(fetch_rails_value secrets.yml \"${env}.active_record_encryption_deterministic_key\")\n active_record_encryption_key_derivation_salt=$(fetch_rails_value secrets.yml \"${env}.active_record_encryption_key_derivation_salt\")\n fi;\n\n # Generate defaults for any unset secrets\n secret_key_base=\"${secret_key_base:-$(gen_random 'a-f0-9' 128)}\" # equivalent to secureRandom.hex(64)\n otp_key_base=\"${otp_key_base:-$(gen_random 'a-f0-9' 128)}\" # equivalent to secureRandom.hex(64)\n db_key_base=\"${db_key_base:-$(gen_random 'a-f0-9' 128)}\" # equivalent to secureRandom.hex(64)\n openid_connect_signing_key=\"${openid_connect_signing_key:-$(openssl genrsa 2048)}\"\n encrypted_settings_key_base=\"${encrypted_settings_key_base:-$(gen_random 'a-f0-9' 128)}\" # equivalent to secureRandom.hex(64)\n\n # 1. 
We set the following two keys as an array to support keys rotation.\n # The last key in the array is always used to encrypt data:\n # https://github.com/rails/rails/blob/v7.0.8.4/activerecord/lib/active_record/encryption/key_provider.rb#L21\n # while all the keys are used (in the order they're defined) to decrypt data:\n # https://github.com/rails/rails/blob/v7.0.8.4/activerecord/lib/active_record/encryption/cipher.rb#L26.\n # This allows to rotate keys by adding a new key as the last key, and start a re-encryption process that\n # runs in the background: https://gitlab.com/gitlab-org/gitlab/-/issues/494976\n # 2. We use the same method and length as Rails' defaults:\n # https://github.com/rails/rails/blob/v7.0.8.4/activerecord/lib/active_record/railties/databases.rake#L537-L540\n active_record_encryption_primary_keys=${active_record_encryption_primary_keys:-\"- $(gen_random 'a-zA-Z0-9' 32)\"}\n active_record_encryption_deterministic_keys=${active_record_encryption_deterministic_keys:-\"- $(gen_random 'a-zA-Z0-9' 32)\"}\n active_record_encryption_key_derivation_salt=${active_record_encryption_key_derivation_salt:-$(gen_random 'a-zA-Z0-9' 32)}\n\n # Update the existing secret\n cat << EOF > rails-secrets.yml\napiVersion: v1\nkind: Secret\nmetadata:\n name: $rails_secret\ntype: Opaque\nstringData:\n secrets.yml: |-\n $env:\n secret_key_base: $secret_key_base\n otp_key_base: $otp_key_base\n db_key_base: $db_key_base\n encrypted_settings_key_base: $encrypted_settings_key_base\n openid_connect_signing_key: |\n$(echo \"${openid_connect_signing_key}\" | awk '{print \" \" $0}')\n active_record_encryption_primary_key:\n $active_record_encryption_primary_keys\n active_record_encryption_deterministic_key:\n $active_record_encryption_deterministic_keys\n active_record_encryption_key_derivation_salt: $active_record_encryption_key_derivation_salt\nEOF\n kubectl --validate=false --namespace=$namespace apply -f rails-secrets.yml\n label_secret $rails_secret\nfi\n\n# Shell ssh host 
keys\nssh-keygen -A\nmkdir -p host_keys\ncp /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub host_keys/\ngenerate_secret_if_needed \"gitlab-gitlab-shell-host-keys\" --from-file host_keys\n\n# Gitlab-workhorse secret\ngenerate_secret_if_needed \"gitlab-gitlab-workhorse-secret\" --from-literal=\"shared_secret\"=$(gen_random 'a-zA-Z0-9' 32 | base64)\n\n# Registry http.secret secret\ngenerate_secret_if_needed \"gitlab-registry-httpsecret\" --from-literal=\"secret\"=$(gen_random 'a-z0-9' 128 | base64 -w 0)\n\n# Container Registry notification_secret\ngenerate_secret_if_needed \"gitlab-registry-notification\" --from-literal=\"secret\"=[\\\"$(gen_random 'a-zA-Z0-9' 32)\\\"]\n\n\n\n# Zoekt basic auth credentials\ngenerate_secret_if_needed gitlab-zoekt-basicauth --from-literal=gitlab_username=gitlab --from-literal=gitlab_password=$(gen_random 'a-zA-Z0-9' 64)\n"
---
# Source: gitlab/templates/upgrade_check_hook.yaml
apiVersion: v1
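Review bot: In the new `generate-secrets` script, the heredoc writes `$active_record_encryption_primary_keys` and `$active_record_encryption_deterministic_keys` on a single indented line each, so only the first line of the value gets the indentation. The script comment says these are arrays to support key rotation, and `fetch_rails_value` returns whatever `yq` prints for the existing list; with two or more keys the second `- ...` item would start at column 0 and the generated `rails-secrets.yml` would no longer parse as intended. The neighbouring `openid_connect_signing_key` avoids this by piping through `awk '{print " " $0}'`; the new keys need the same per-line indentation. Separately, the added `gen_random_base64` function is not called anywhere in the visible script, so either use it or drop it. Since the new keys encrypt database columns, confirm that `gitlab-rails-secret` is included in backups before this hook runs for the first time.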
@@ -4215,7 +4277,7 @@
apiVersion: v1
kind: Pod
metadata:
- name: gitlab-webservice-test-runner-527be
+ name: gitlab-webservice-test-runner-lvluu
namespace: default
annotations:
"helm.sh/hook": test
@@ -4227,7 +4289,7 @@
spec:
containers:
- name: test-runner
- image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/gitlab-webservice-ce:v17.7.0
command: ['sh', '/tests/test_login']
volumeMounts:
- name: tests
@@ -4252,7 +4314,7 @@
apiVersion: batch/v1
kind: Job
metadata:
- name: gitlab-shared-secrets-7de2337
+ name: gitlab-shared-secrets-9939bf8
namespace: default
labels:
app: gitlab
@@ -4279,7 +4341,7 @@
restartPolicy: Never
containers:
- name: gitlab
- image: registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.7.0
command: ['/bin/bash', '/scripts/generate-secrets']
securityContext:
allowPrivilegeEscalation: false
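Review bot: the container that runs /scripts/generate-secrets is pulled as registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.7.0, a tag with no digest, so the code that creates and applies the release's secrets is whatever that tag resolves to at pull time. Pin it by digest (kubectl:v17.7.0@sha256:<digest>, placeholder) where the chart values allow it, or record the resolved digest at deploy time and verify it. The same applies to the other cng images bumped from v17.6.2 to v17.7.0 in this diff.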
@@ -4306,7 +4368,7 @@
apiVersion: batch/v1
kind: Job
metadata:
- name: gitlab-shared-secrets-7de2337-selfsign
+ name: gitlab-shared-secrets-9939bf8-selfsign
namespace: default
labels:
app: gitlab
@@ -4330,7 +4392,7 @@
restartPolicy: Never
initContainers:
- name: cfssl-self-sign
- image: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:v17.7.0
env:
- name: CA_SUBJECT
value: "GitLab Helm Chart" # defaults to GitLab in container
@@ -4356,11 +4418,11 @@
cpu: 50m
containers:
- name: kubectl
- image: registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.6.2
+ image: registry.gitlab.com/gitlab-org/build/cng/kubectl:v17.7.0
command:
- /bin/bash
- -exc
- - "certname=gitlab-wildcard-tls\n# create wildcard certificate secret\nkubectl create secret tls $certname \\\n --cert=/output/wildcard.pem --key=/output/wildcard-key.pem || true\nkubectl --namespace=$namespace label \\\n secret $certname $(echo 'app.kubernetes.io/name=gitlab' | sed -E 's/=[^ ]*/-/g')\nkubectl --namespace=$namespace label --overwrite \\\n secret $certname app=gitlab chart=gitlab-8.6.2 release=gitlab heritage=Helm \n# create CA certificate secret\nkubectl create secret generic ${certname}-ca \\\n --from-file=cfssl_ca=/output/ca.pem || true\nkubectl --namespace=$namespace label \\\n secret ${certname}-ca $(echo 'app.kubernetes.io/name=gitlab' | sed -E 's/=[^ ]*/-/g')\nkubectl --namespace=$namespace label --overwrite \\\n secret ${certname}-ca app=gitlab chart=gitlab-8.6.2 release=gitlab heritage=Helm \n# create certificate chain for GitLab Runner\ncat /output/ca.pem /output/wildcard.pem > /tmp/git.${BASE_DOMAIN}.crt\nkubectl create secret generic ${certname}-chain \\\n --from-file=/tmp/git.${BASE_DOMAIN}.crt || true\nkubectl --namespace=$namespace label \\\n secret ${certname}-chain $(echo 'app.kubernetes.io/name=gitlab' | sed -E 's/=[^ ]*/-/g')\nkubectl --namespace=$namespace label --overwrite \\\n secret ${certname}-chain app=gitlab chart=gitlab-8.6.2 release=gitlab heritage=Helm \n"
+ - "certname=gitlab-wildcard-tls\n# create wildcard certificate secret\nkubectl create secret tls $certname \\\n --cert=/output/wildcard.pem --key=/output/wildcard-key.pem || true\nkubectl --namespace=$namespace label \\\n secret $certname $(echo 'app.kubernetes.io/name=gitlab' | sed -E 's/=[^ ]*/-/g')\nkubectl --namespace=$namespace label --overwrite \\\n secret $certname app=gitlab chart=gitlab-8.7.0 release=gitlab heritage=Helm \n# create CA certificate secret\nkubectl create secret generic ${certname}-ca \\\n --from-file=cfssl_ca=/output/ca.pem || true\nkubectl --namespace=$namespace label \\\n secret ${certname}-ca $(echo 'app.kubernetes.io/name=gitlab' | sed -E 's/=[^ ]*/-/g')\nkubectl --namespace=$namespace label --overwrite \\\n secret ${certname}-ca app=gitlab chart=gitlab-8.7.0 release=gitlab heritage=Helm \n# create certificate chain for GitLab Runner\ncat /output/ca.pem /output/wildcard.pem > /tmp/git.${BASE_DOMAIN}.crt\nkubectl create secret generic ${certname}-chain \\\n --from-file=/tmp/git.${BASE_DOMAIN}.crt || true\nkubectl --namespace=$namespace label \\\n secret ${certname}-chain $(echo 'app.kubernetes.io/name=gitlab' | sed -E 's/=[^ ]*/-/g')\nkubectl --namespace=$namespace label --overwrite \\\n secret ${certname}-chain app=gitlab chart=gitlab-8.7.0 release=gitlab heritage=Helm \n"
volumeMounts:
- name: certs-path
mountPath: /output
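Review bot: in the kubectl container's script every `kubectl create secret ... || true` discards the failure, and the `label --overwrite` that follows stamps chart=gitlab-8.7.0 on the secret regardless, so after this upgrade the label reads 8.7.0 even when the wildcard certificate, CA and chain were left over from an earlier run and the create step did nothing. Do not treat the chart label as evidence that the certificate was reissued; check the validity dates of gitlab-wildcard-tls directly. Note also that the create commands omit --namespace=$namespace while the label commands pass it, which is worth confirming as intended.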
@@ -4401,7 +4463,7 @@
restartPolicy: Never
containers:
- name: run-check
- image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.6.2"
+ image: "registry.gitlab.com/gitlab-org/build/cng/gitlab-base:v17.7.0"
command: ['/bin/sh', '/scripts/runcheck']
securityContext:
allowPrivilegeEscalation: false
@@ -4412,9 +4474,9 @@
runAsUser: 65534
env:
- name: GITLAB_VERSION
- value: '17.6.2'
+ value: '17.7.0'
- name: CHART_VERSION
- value: '8.6.2'
+ value: '8.7.0'
volumeMounts:
- name: chart-info
mountPath: /chart-info |
renovate bot changed the title from "chore(deps): update helm release gitlab to v8.7.0" to "chore(deps): update helm release gitlab to v8.7.0 - autoclosed" on Dec 19, 2024
This PR contains the following updates:
8.6.2 -> 8.7.0
Release Notes
gitlab-org/charts/gitlab (gitlab)
v8.7.0
Compare Source
Added (3 changes)
Fixed (1 change)
Changed (3 changes)
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.