Introduce a new `runners.configOverride` value. When set, the supplied
TOML is written verbatim as the runner's config.toml (passed through
`tpl` for value interpolation) and the chart skips the per-pod-boot
templating + `gitlab-runner register` dance entirely.

In override mode:
- `gitlab-runner register` is never called - no GitLab API hits on pod
  boot, removing a fragile dependency from the start-up path.
- `config.template.toml`, `register-the-runner`, and the
  `set-session-server-*` placeholder-substitution scripts are not
  rendered into the ConfigMap.
- `runnerRegistrationToken` / `runnerToken` are not required; the token
  lives in the supplied TOML (or is injected via extraEnv /
  extraEnvFromRefs / secrets).
- `runners.config`, `runners.configPath`, and the global-section value
  flags (`concurrent`, `checkInterval`, `logLevel`, `sessionServer`, ...)
  are ignored - the supplied TOML is the single source of truth.
- Cache secret env wiring, `preEntrypointScript`, and the
  `unregisterRunners` preStop hook keep working as before.

Default behaviour (`runners.configOverride` unset) is byte-identical to
before - the deployment-snapshot test passes without a snapshot diff.

configOverride replaces the entire rendered config.toml, so the global
section and [[runners]] template values it used to merge in are silently
ignored. Spell out exactly which values no longer apply (concurrent,
checkInterval, logLevel, sessionServer.*, runners.config / .name /
.tags / .protected / ..., gitlabUrl, ...) so users don't get caught out
when migrating to override mode.

When deployed on AWS EKS with an ELB LoadBalancer, the Kubernetes
Service JSON populates the hostname field in the LoadBalancer ingress
status. The existing grep/cut/xargs pipeline captures a trailing comma
from the raw JSON, causing DNS lookup failures like:

  tcp: lookup <hostname>,: no such host

Replace the grep/cut pipelines for both SERVICEHOSTNAME and SERVICEIP
with sed capture groups that extract only the value inside JSON double
quotes. Also consolidate the two redundant curl calls into one.

Fix trailing comma in session server address extraction

See merge request !535



Merged-by: Romuald Atchadé <ratchade@gitlab.com>
Approved-by: Romuald Atchadé <ratchade@gitlab.com>
Co-authored-by: Ross Fisher <rfisher@gitlab.com>

Support Labels on configMap

See merge request !534



Merged-by: Georgi N. Georgiev | GitLab <ggeorgiev@gitlab.com>
Approved-by: Georgi N. Georgiev | GitLab <ggeorgiev@gitlab.com>
Reviewed-by: GitLab Duo <gitlab-duo@gitlab.com>
Co-authored-by: Thorsten Banhart <thorsten.banhart@sick.de>

Add option to disable global cache credentials export

See merge request !545



Merged-by: Romuald Atchadé <ratchade@gitlab.com>
Approved-by: Igor <iwiedler@gitlab.com>
Approved-by: Romuald Atchadé <ratchade@gitlab.com>
Reviewed-by: Rehab <rhassanein@gitlab.com>
Co-authored-by: Rehab Hassanein <rhassanein@gitlab.com>

Address review feedback from @ratchade on !544: skipping register
removed the one place where an invalid or revoked token failed loudly
at boot, leaving misconfigured pods to start cleanly and silently
never pick up jobs.

When configOverride is set, the entrypoint now runs a single
non-destructive 'gitlab-runner verify --url=' as a preflight before
exec'ing the runner. Without --delete this is read-only, so it adds
fail-fast UX without bringing back the heavyweight register flow.

Also tighten the configOverride doc comment in values.yaml.

Add runners.configOverride mode to skip registration

See merge request !544



Merged-by: Igor <iwiedler@gitlab.com>
Approved-by: Romuald Atchadé <ratchade@gitlab.com>
Reviewed-by: Romuald Atchadé <ratchade@gitlab.com>
Reviewed-by: GitLab Duo <gitlab-duo@gitlab.com>

The 'chart' label embeds the chart version (e.g. 'gitlab-runner-0.88.2')
and was used in spec.selector.matchLabels on both the PodMonitor and the
ServiceMonitor. As a result, every chart upgrade caused the monitors to
stop selecting any pod/service still labelled with the previous chart
version, blackholing metrics for old replicas during a rollout and
breaking continuity of scrape targets across upgrades.

The Deployment's own pod selector already uses just 'app', and the
Service selector uses 'app' + 'release' — both stable across upgrades.
Align the monitors with that convention by selecting on
'app' + 'release' + 'heritage' and dropping 'chart' from the selector.
The 'chart' label is retained in metadata.labels (informational only).

The release beta job invokes 'git describe --long' to compose the chart
version. Git's CVE-2022-24765 protection refuses to operate when the
working tree's UID differs from the process UID, which is the case in
the Kubernetes executor (init-permissions runs as root, the build
container runs as a different user). The job started failing once the
build image picked up a git version that enforces this check.

Whitelisting $CI_PROJECT_DIR is the canonical fix: scoped to the one
path the runner just populated, idempotent, and confined to the
ephemeral build container. Avoids the broader 'safe.directory = *'
form, which would defeat the protection wholesale.

Not switching to CI_COMMIT_SHORT_SHA in this commit to preserve the
existing '<count>-g<sha>' beta version format and keep the blast
radius of the fix minimal. Worth revisiting separately.

Whitelist CI_PROJECT_DIR for git safe.directory in release beta

Closes #598

See merge request !549



Merged-by: Igor <iwiedler@gitlab.com>
Approved-by: Igor <iwiedler@gitlab.com>
Co-authored-by: Romuald Atchadé <ratchade@gitlab.com>

Drop chart version from PodMonitor/ServiceMonitor selectors

See merge request !548



Merged-by: Igor <iwiedler@gitlab.com>
Approved-by: Rehab <rhassanein@gitlab.com>
Approved-by: Georgi N. Georgiev | GitLab <ggeorgiev@gitlab.com>