Automate Helm Chart Bumps

Problem Description

Manual updates of Helm chart versions are time-consuming and error-prone. GitLab.com Cells needs an automated process to manage chart version updates. The pre-release versions of the Helm chart will be specified in the Tenant model field gitlab_custom_helm_chart (implemented in https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/tenant-model-schema/-/merge_requests/427).

Blueprint: https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/merge_requests/1262

For comparison, with the legacy cell (GitLab.com), we use the autobump-gitlab-chart.sh script, which is run once every week using a GitLab CI/CD pipeline schedule.

Solution Description

Create an automated system within Cells/Tissue that monitors, updates, and manages Helm chart versions through CI/CD pipelines, using Renovate Bot. This includes fetching the latest available versions for pre-release Helm charts, creating merge requests for version updates, and implementing proper validation checks within the merge request CI pipelines.

Exit Criteria

  • Tokens that allow Renovate to authenticate with a private OCI registry where Helm pre-release charts are stored are in place (implemented in #20874 (closed))
  • Renovate is able to authenticate with the private registry
  • Renovate is able to fetch the available pre-release versions from the private registry
  • Automated patch generation system working
  • Renovate creates merge requests containing valid patches whenever it runs
  • Merge requests containing patches are validated in MR pipelines

Related MRs on Ops

MRs on ops.gitlab.net related to this issue do not show up in the Development section.

  1. chore: Allow Vault to impersonate the read-only SA for Renovate (!11171)
  2. feat: Automate upgrading gitlab_version for cells (!521)
  3. fix: Remove "v" suffix from gitlab_version (!530)
  4. feat: Inject credentials to authenticate with private OCI registry (!534)
  5. feat: Auto-upgrade Helm pre-release chart version using Renovate bot (!560)
Edited by Siddharth Kannan