Move charts release to dev.gitlab.org and support security releases
Proposal
- We should be doing charts releases on dev.gitlab.org, similar to omnibus-gitlab. A precondition for this is setting up mirror repos on dev.gitlab.org for the CNG and Charts projects.
- We should be tagging the CNG project so images can be differentiated by GitLab/Charts version. This prevents Charts from using CNG images built from the master branch, which may have moved forward and have incompatibilities.
Code to be added to different projects
- Add a rake task in release-tools which creates branches/tags and pushes them to CNG.
- Add code in Charts project that ensures the images are available before releasing the charts. This will be a manual job.
- Check and modify CI config of CNG and Charts to work with dev.gitlab.org repos.
Proposed workflow
- When the `tag` command of chatops is issued, we currently create and push tags to the CE, EE and omnibus-gitlab repos. We will be pushing tags to the CNG repo too.
  - Pushing tags to CNG will build images and push them to the registry of the CNG project on dev.gitlab.org.
- When the `publish` command of chatops is issued, we currently run the manual job in the omnibus-gitlab pipeline. In addition, we will push tags to Helm chart too.
  - The pipeline created by pushing tags to the Charts repo will have two jobs.
    - The first job will get images from the registry of the CNG project on dev.gitlab.org and push them to the registry of the CNG project on gitlab.com, thus making them publicly available.
    - The second job will trigger a pipeline in charts.gitlab.io, which will build the charts and add them to the GitLab Pages.
By moving the release to dev.gitlab.org, we need not have two processes for security and regular releases.
However, we will still need to tackle https://gitlab.com/gitlab-org/distribution/team-tasks/issues/213 to support backport releases as a follow-up task.
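A sketch of the "ensure the images are available before releasing the charts" check from the list above, added here as an illustration and not code from release-tools or the Charts project. It assumes the registry speaks the Docker Registry HTTP API v2 and that the job already holds a bearer token; the registry contents, image names and tag in the demo are constructed.

```ruby
require 'net/http'
require 'uri'

# Manifest media types a registry may serve for a tagged image.
MANIFEST_TYPES = %w[
  application/vnd.docker.distribution.manifest.v2+json
  application/vnd.docker.distribution.manifest.list.v2+json
  application/vnd.oci.image.manifest.v1+json
  application/vnd.oci.image.index.v1+json
].join(', ')

# True when the registry answers 200 to HEAD /v2/<repo>/manifests/<tag>.
# Assumption: `token` is a bearer token obtained earlier by the CI job.
def manifest_exists?(registry, repo, tag, token: nil)
  uri = URI("https://#{registry}/v2/#{repo}/manifests/#{tag}")
  req = Net::HTTP::Head.new(uri)
  req['Accept'] = MANIFEST_TYPES
  req['Authorization'] = "Bearer #{token}" if token
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  res.is_a?(Net::HTTPOK)
end

# Returns the repos that have no image for `tag`. `probe` is any callable
# (repo, tag) -> bool, so the check can be exercised without a network.
# Moving refs are refused: a chart release must pin to an immutable CNG tag.
def missing_images(repos, tag, probe:)
  if tag.to_s.empty? || %w[master latest].include?(tag)
    raise ArgumentError, "refusing mutable ref #{tag.inspect}"
  end
  repos.reject { |repo| probe.call(repo, tag) }
end

# Gate for the manual release job: true only when every image is present.
def release_gate(repos, tag, probe:)
  missing = missing_images(repos, tag, probe: probe)
  missing.each { |repo| warn "missing image #{repo}:#{tag}" }
  missing.empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed registry contents; a real job would wrap manifest_exists? as the probe.
  published = { 'cng/webservice' => ['v1.2.3'], 'cng/sidekiq' => [] }
  probe = ->(repo, tag) { published.fetch(repo, []).include?(tag) }
  puts release_gate(published.keys, 'v1.2.3', probe: probe) ? 'ok to publish' : 'blocked'
end
```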
Original issue:
Title: Older GitLab versions should not be build using the CNG master branch
Description:
All new builds are built from the CNG master, regardless of their version. This causes issues where we have patch version bumps in gitlab that are incompatible with minor chart versions unless you upgrade to the latest patch release.
See https://gitlab.com/charts/gitlab/issues/941 for an example.
As an idea to fix: We should start git tagging the CNG repo, and specify the tag name in a CNG_DOCKERFILE_VERSION file in the gitlab-ce repo. And have the gitlab-ee tag triggers use the value from that file for the trigger ref.