Files that require bigbang integration testing📜
See bb MR testing for details regarding testing changes against bigbang umbrella chart📜
There are certain integrations within the bigbang ecosystem and this package that require additional testing outside of the specific package tests ran during CI. This is a requirement when files within those integrations are changed, as to avoid causing breaks up through the bigbang umbrella. Currently, these include changes to the istio implementation within gitlab-runner (see: istio templates, network policy templates, service entry templates), and kyverno (see: kyverno custom entries).
Be aware that any changes to files listed in the Modifications made to upstream chart section will also require a codeowner to validate the changes using above method, to ensure that they do not affect the package or its integrations adversely.
Be sure to also test against monitoring locally as it is integrated by default with these high-impact service control packages, and needs to be validated using the necessary chart values beneath istio.hardened block with monitoring.enabled set to true as part of your dev-overrides.yaml
How to upgrade the Gitlab Runner Package chart📜
BigBang makes modifications to the upstream helm chart. The full list of changes is at the end of this document.
- Renovate may have already made changes in the development branch. If that is the case then just verify that the changes are correct as you go through these steps.
- Discover the chart version tag that matches with the application version from the upstream chart by looking at the Chart.yaml. Do diff between old and new release tags to become aware of any significant chart changes. A graphical diff tool such as Meld is useful. You can see where the current chart version and available versions are at under the sourcessection in Chart.yaml.`
- Read the /CHANGELOG.md from the release tag from upstream upstream chart. Also, be aware of changes in the Gitlab chart that could affect the runner chart. Take note of any special upgrade instructions, if any.
- If Renovate has not created a development branch and merge request then manually create them.
- Merge/Sync the new helm chart with the existing Gitlab Runner package code. A graphical diff tool like Meld is useful. Reference the “Modifications made to upstream chart” section below. Be careful not to overwrite Big Bang Package changes that need to be kept. Note that some files will have combinations of changes that you will overwrite and changes that you keep. Stay alert. The hardest file to update is the /chart/values.yamlbecause many defaults are changed.
- In /chart/values.yamlupdate all the gitlab image tags to the new version. There are 3 images: gitlab-runner, gitlab-runner-helper, and the ubi.
- Update /tests/images.txtwith the new image tags. This file insures that the images are packaged in the pipelines.
- Update /CHANGELOG.md with an entry for “upgrade gitlab-runner to app version X.X.X chart version X.X.X-bb.X”. Or, whatever description is appropriate.
- 
Update /chart/Chart.yaml to the appropriate versions. The annotation version is the actual image tag and should match the appVersionwith a prependedv.version: X.X.X-bb.X appVersion: X.X.X annotations: bigbang.dev/applicationVersions: | - Gitlab Runner: vX.X.X dependencies: - name: gitlab-runner version: X.X.X repository: https://charts.gitlab.io alias: upstream - name: gluon version: X.X.X repository: oci://registry1.dso.mil/bigbang/helm.sh/images: | - name: gitlab-runner image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner:vX.X.X - name: gitlab-runner-helper image: registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper:vX.X.X - name: ubi9 image: registry1.dso.mil/ironbank/redhat/ubi/ubi9:X.X
- 
Look in /chart/Chart.yamlat the dependencies and verify that you have the most recent version of the Big Bang Gluon library. If not, delete the/chart/charts/gluon-x.x.x.tgzfile and the/requirements.lockfile. You will replace these files in the next step.
- 
Run a helm dependency command to update the chart/charts/*.tgz archives and create a new requirements.lock file. You will commit the tar archives along with the requirements.lock that was generated. This will contain the new upstream chart to commit if you have updated the Chart.yaml versioning for the upstream and other dependency charts. helm dependency update ./chart
- 
Update the /README.md following the gluon library script 
- Use a development environment to deploy and test Gitlab Runner. See more detailed testing instructions in Gitlab Package documentation. Test with Gitlab Package enabled to make sure the new gitlab-runner version still works with Gitlab. Also test an upgrade by deploying the old version first and then deploying the new version. Verify that the upgrade goes smoothly.
- When the Package pipeline runs expect the cypress tests to fail due to UI changes. Note that most of the cypress test files are synced from the Gitlab Package to avoid having two different versions of the same tests. Gitlab-runner has a fifth 05test that the Gitlab package does not have. If you sync the first 4 cypress tests from Gitlab you should not have any trouble. See the Gitlab Package documentation if you do need to run the cypress tests locally. This test should be able to pass on BOTH clean install and upgrade stages with the appropriate updates.
- Update the /README.md again if you have made any additional changes during the upgrade/testing process.
Testing new Gitlab Runner version📜
- Follow the testing instructions from the Gitlab Package documentation. The details are not repeated here.
Modifications made to upstream chart📜
This is a high-level list of modifications that Big Bang has made to the upstream helm chart. You can use this as as cross-check to make sure that no modifications were lost during the upgrade process.
/chart/charts/*.tgz📜
- The BigBang Gluon library is added to the chart. Run helm dependency update ./chart.
- commit the tar archive that was downloaded from the helm dependency update command. And also commit the requirements.lock that was generated.
/chart/dashboards/*📜
- add Grafana dashboards
/chart/templates/bigbang/*📜
- Kyverno policies
- NetworkPolicies
- Istio peerAuthentications
- add support for Grafana dashboards
- Istio authorization policies
/chart/templates/tests/*📜
- add templates for helm tests
chart/templates/deployment.yaml📜
- remove "/usr/bin/dumb-init", "--",line 64. That path does not exist in IronBank hardened image
- ensure the security context is present ~ line 51
        securityContext:
          allowPrivilegeEscalation: false
          {{- toYaml $.Values.containerSecurityContext | nindent 10 }}
/chart/tests/cypress/*📜
- add cypress tests scripts
/chart/.gitignore📜
- comment the charts/*
/chart/Chart.yaml📜
- The Chart.yaml is updated with BigBang version changes and dependencies
- Update apiVersionfromv1tov2due to the addition of dependencies by BigBang
- Add the required kubeversion
/Kptfile📜
- Add the Kptfile to point to the upstream repo
/requirements.lock📜
- added by the helm dependency update
/templates/_helpers.tpl📜
- Modifies gitlab-runner.imageto use the image value if defined, otherwise use registry, repository and tag
/chart/values.yaml📜
- GitlabUrl: http://gitlab-webservice-default.gitlab.svc.cluster.local:8181
- unregisterRunners: true
- concurrent: 50
- rbac.create: true
- portName: tcp-metrics
- service.enabled: true
- runners.config: multiple changes
- locked: false
- runUntagged: true
- protected: true
- secret: gitlab-gitlab-runner-secret
- securityContext: changes to work with IB images
- resources: set requests and limits to the same values
- registry: independently customize registry
- repository: independently customize repository
- tag: independently customize tag
- runners.job: independently customize UBI image details
- runners.helper: independently customize Gitlab Runner Helper image details
- monitoring.enabled: value added to support BB monitoring
- bbtests: values added to support CI testing with gluon
- networkPolicies.enabled: value added to support NPs (for CI testing only)