cloud-native/charts/gitlab-zoekt chart and image versions are not automatically kept in sync with gitlab-zoekt-indexer releases

Problem

There are two versioned artifacts in cloud-native/charts/gitlab-zoekt that need to be updated when new gitlab-zoekt-indexer versions are released:

1. App image version (indexer.image.tag / webserver.image.tag in values.yaml)
2. Chart version (version in Chart.yaml) — which charts/gitlab depends on

Neither is automatically updated. Both require manual MRs. As a result, the chart has been stuck at image v1.8.0 (18.8) while gitlab-zoekt-indexer has released v1.9.0 through v1.13.0. SM customers have been unknowingly running v1.8.0, missing multiple bug fixes.

By contrast, Renovate correctly updates GITLAB_ZOEKT_VERSION in the GitLab monolith and the image SHA in CNG — but neither flows into the gitlab-zoekt chart automatically.

Additional concern: GitLab version compatibility

There is currently no documented compatibility matrix between gitlab-zoekt-indexer versions and GitLab (Rails) versions. This is a risk when automating version bumps — blindly bumping the indexer could break compatibility with the GitLab version a customer is running.

Steps to resolve

1. Investigate version compatibility — determine which gitlab-zoekt-indexer versions are compatible with which GitLab versions, and identify any known incompatible combinations
2. Document the compatibility matrix — publish findings in the appropriate place (likely doc/integration/zoekt/ in the GitLab monolith or the cloud-native/charts/gitlab-zoekt README)
3. Define self-managed release approval rules — a chart version bump may only be released to self-managed once both of the following are met:
   1. GITLAB_ZOEKT_VERSION in gitlab-org/gitlab is running the target gitlab-zoekt-indexer version, with the MR merged and CI pipelines passing
   2. The version is deployed to both GitLab.com staging and production, as reflected in gstg.zoekt-versions.yaml and gprd.zoekt-versions.yaml
4. Add Renovate config — add a config in gitlab-org/frontend/renovate-gitlab-bot for cloud-native/charts/gitlab-zoekt to auto-bump the image tag, incorporating the approval rules defined in step 3
5. Extend Renovate config to keep compatibility docs in sync — when the existing Renovate rule bumps GITLAB_ZOEKT_VERSION in gitlab-org/gitlab, the same MR should also update the compatibility matrix documentation introduced in step 2, so the documented supported version always reflects the version shipped with each GitLab release

Impact

SM customers on 18.9, 18.10, and 18.11 have been running v1.8.0 of the indexer, missing bug fixes including the force push detection fix (!852 (merged)). This was only discovered when attempting to backport that fix to 18.10.

References

• Original bug fix: !852 (merged)
• Renovate bot: gitlab-org/frontend/renovate-gitlab-bot
• Existing zoekt-indexer Renovate config: renovate-gitlab-bot/-/blob/main/renovate/gitlab-zoekt-indexer/gitlab-zoekt-indexer.config.js