feat(gitlab): add GitLab platform example with Replicated SDK and CMX validation

.github/dependabot.yml

@@ -3,11 +3,14 @@
 # When adding a new Helm chart that depends on the Replicated SDK,
 # add a corresponding entry here so Dependabot keeps it up to date.
 #
+# NOTE: Dependabot requires unique (ecosystem, directory) pairs, so we
+# use a single entry with groups to separate Replicated SDK updates from
+# everything else. Both follow a weekly cadence as a result.
+#
 version: 2
 updates:
-  # Track the Replicated SDK on a weekly cadence
   - package-ecosystem: "helm"
-    directories: &helm-dirs
+    directories:
       - "/applications/fake-services/app"
       - "/applications/mlflow/charts/mlflow"
       - "/applications/n8n/charts/n8n"
@@ -17,21 +20,10 @@ updates:
       - "/applications/wg-easy/charts/wg-easy"
     schedule:
       interval: "weekly"
-    allow:
-      - dependency-name: "replicated"
     groups:
       replicated-sdk:
         patterns:
           - "replicated"
-
-  # Track all other Helm dependencies on a monthly cadence
-  - package-ecosystem: "helm"
-    directories: *helm-dirs
-    schedule:
-      interval: "monthly"
-    ignore:
-      - dependency-name: "replicated"
-    groups:
       all-other-deps:
-        patterns:
-          - "*"
+        exclude-patterns:
+          - "replicated"

.github/workflows/flagd-ci.yml

@@ -55,10 +55,18 @@ jobs:
           fi
           echo "Checksum changed: $CHECKSUM_BEFORE -> $CHECKSUM_AFTER"
 
+  check-secret:
+    runs-on: ubuntu-22.04
+    outputs:
+      has-token: ${{ steps.check.outputs.has-token }}
+    steps:
+      - id: check
+        run: echo "has-token=${{ secrets.REPLICATED_PLATFORM_EXAMPLES_TOKEN != '' }}" >> "$GITHUB_OUTPUT"
+
   helm-install-test:
     runs-on: ubuntu-22.04
-    needs: [lint-and-template]
-    if: ${{ secrets.REPLICATED_PLATFORM_EXAMPLES_TOKEN != '' }}
+    needs: [lint-and-template, check-secret]
+    if: needs.check-secret.outputs.has-token == 'true'
     defaults:
       run:
         working-directory: applications/flagd

.github/workflows/gitlab-ci.yml

@@ -0,0 +1,134 @@
+name: GitLab CI
+
+# Security note: GITLAB_REPLICATED_API_TOKEN must be from a dedicated service account,
+# NOT a personal token. Create one at: vendor.replicated.com >
+# Account Settings > Service Accounts.
+
+on:
+  pull_request:
+    paths:
+      - 'applications/gitlab/charts/**'
+      - 'applications/gitlab/kots/**'
+      - 'applications/gitlab/tests/**'
+      - 'applications/gitlab/Makefile'
+      - '.github/workflows/gitlab-ci.yml'
+  push:
+    branches:
+      - main
+    paths:
+      - 'applications/gitlab/charts/**'
+      - 'applications/gitlab/kots/**'
+      - 'applications/gitlab/tests/**'
+      - 'applications/gitlab/Makefile'
+      - '.github/workflows/gitlab-ci.yml'
+
+env:
+  APP_SLUG: gitlab-pika
+
+jobs:
+  lint-and-template:
+    runs-on: ubuntu-22.04
+    defaults:
+      run:
+        working-directory: applications/gitlab
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.3.0
+        with:
+          version: v3.13.3
+
+      - name: Add Helm repositories
+        run: make add-helm-repositories
+
+      - name: Update dependencies
+        run: make update-dependencies
+
+      - name: Helm lint
+        run: helm lint ./charts/gitlab
+
+      - name: Helm template
+        run: helm template gitlab ./charts/gitlab -f tests/helm/ci-values.yaml > /dev/null
+
+  create-release:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-22.04
+    needs: [lint-and-template]
+    defaults:
+      run:
+        working-directory: applications/gitlab
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.3.0
+        with:
+          version: v3.13.3
+
+      - name: Set release version
+        id: set-release-version
+        run: |
+          git_hash=$(git rev-parse --short HEAD)
+          version="0.1.0-pr.${{ github.event.pull_request.number }}.${git_hash}"
+          echo "VERSION=${version}" >> $GITHUB_ENV
+
+      - name: Add Helm repositories
+        run: make add-helm-repositories
+
+      - name: Package Helm chart into kots/
+        run: helm package ./charts/gitlab --version ${{ env.VERSION }} -u -d kots/
+
+      - name: Create Replicated release on Unstable
+        uses: replicatedhq/compatibility-actions/create-release@v1
+        with:
+          app-slug: ${{ env.APP_SLUG }}
+          api-token: ${{ secrets.GITLAB_REPLICATED_API_TOKEN }}
+          yaml-dir: applications/gitlab/kots
+          version: ${{ env.VERSION }}
+          promote-channel: Unstable
+
+  promote-stable:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-22.04
+    needs: [lint-and-template]
+    defaults:
+      run:
+        working-directory: applications/gitlab
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4.3.0
+        with:
+          version: v3.13.3
+
+      - name: Set release version
+        id: set-release-version
+        run: |
+          git_hash=$(git rev-parse --short HEAD)
+          date_version=$(date -u '+%Y.%-m.%-d-%H%M%S')
+          version="${date_version}-${git_hash}"
+          echo "VERSION=${version}" >> $GITHUB_ENV
+
+      - name: Add Helm repositories
+        run: make add-helm-repositories
+
+      - name: Package Helm chart into kots/
+        run: helm package ./charts/gitlab --version ${{ env.VERSION }} -u -d kots/
+
+      - name: Create release and promote to Stable
+        uses: replicatedhq/compatibility-actions/create-release@v1
+        with:
+          app-slug: ${{ env.APP_SLUG }}
+          api-token: ${{ secrets.GITLAB_REPLICATED_API_TOKEN }}
+          yaml-dir: applications/gitlab/kots
+          version: ${{ env.VERSION }}
+          promote-channel: Stable

applications/gitlab/.cluster-id

@@ -0,0 +1 @@
+44637dd1

applications/gitlab/.envrc.example

@@ -0,0 +1,23 @@
+# Copy this file to .envrc and fill in your values, then run `direnv allow`.
+# .envrc is git-ignored so your credentials stay local.
+#
+# Install direnv: https://direnv.net/docs/installation.html
+
+# Your Replicated Vendor Portal API token.
+# Create one at: vendor.replicated.com > Account Settings > API Tokens
+# For CI, use a dedicated service account token instead of a personal token.
+export REPLICATED_API_TOKEN=
+
+# Your Replicated app slug (shown in the Vendor Portal URL and app settings).
+# Example: my-app-slug
+export REPLICATED_APP=
+
+# (Optional) License ID for testing the customer Helm install flow.
+# This is the `installationId` field from `replicated customer create --output json`,
+# NOT the top-level `id` field. Used with `helm registry login` and
+# `--set global.replicated.licenseID=` during CMX validation.
+export REPLICATED_LICENSE_ID=
+
+# (Optional) Customer email associated with the license above.
+# Used as the username for `helm registry login registry.replicated.com`.
+export REPLICATED_CUSTOMER_EMAIL=

applications/gitlab/.gitignore

@@ -0,0 +1 @@
+kots/*.tgz

applications/gitlab/Makefile

@@ -0,0 +1,114 @@
+.PHONY: add-helm-repositories update-dependencies lint package release \
+        cluster-create cluster-delete setup-deps teardown-deps install uninstall
+
+PG_PASSWORD    ?= gitlab-pg-pass
+REDIS_PASSWORD ?= gitlab-redis-pass
+
+CHART_DIR        := charts/gitlab
+CLUSTER_NAME     ?= gitlab-cmx
+CMX_DISTRIBUTION ?= k3s
+CMX_VERSION      ?= 1.32
+CMX_INSTANCE     ?= r1.xlarge
+CMX_DISK         ?= 100
+CMX_TTL          ?= 4h
+CLUSTER_ID_FILE  := .cluster-id
+
+add-helm-repositories:
+	helm repo add gitlab https://charts.gitlab.io/
+	helm repo update
+
+update-dependencies:
+	helm dependency update $(CHART_DIR)
+
+lint:
+	helm lint $(CHART_DIR)
+	helm template gitlab $(CHART_DIR) -f tests/helm/ci-values.yaml > /dev/null
+
+package: update-dependencies
+	helm package $(CHART_DIR) -d kots/
+
+release: package
+	REPLICATED_API_TOKEN=$(REPLICATED_API_TOKEN) replicated release create \
+		--app $(REPLICATED_APP) \
+		--yaml-dir kots \
+		--promote Unstable \
+		--release-notes "Release via Makefile"
+
+# CMX cluster management
+cluster-create:
+	@echo "Creating CMX cluster '$(CLUSTER_NAME)'..."
+	replicated cluster create \
+		--distribution $(CMX_DISTRIBUTION) \
+		--version $(CMX_VERSION) \
+		--instance-type $(CMX_INSTANCE) \
+		--disk $(CMX_DISK) \
+		--ttl $(CMX_TTL) \
+		--name $(CLUSTER_NAME) \
+		--wait 10m \
+		--output json | jq -r '.id' > $(CLUSTER_ID_FILE)
+	replicated cluster kubeconfig $$(cat $(CLUSTER_ID_FILE))
+	@echo "Cluster ready. ID: $$(cat $(CLUSTER_ID_FILE))"
+
+cluster-delete:
+	@test -f $(CLUSTER_ID_FILE) || (echo "No $(CLUSTER_ID_FILE) found. Run 'make cluster-create' first."; exit 1)
+	replicated cluster rm $$(cat $(CLUSTER_ID_FILE))
+	rm -f $(CLUSTER_ID_FILE)
+
+# In-cluster PostgreSQL and Redis for CMX testing (not for production)
+setup-deps:
+	helm repo add bitnami https://charts.bitnami.com/bitnami
+	helm repo update
+	kubectl create namespace gitlab --dry-run=client -o yaml | kubectl apply -f -
+	helm upgrade --install postgresql bitnami/postgresql \
+		--namespace gitlab \
+		--set fullnameOverride=external-postgresql \
+		--set auth.username=gitlab \
+		--set auth.password=$(PG_PASSWORD) \
+		--set auth.database=gitlabhq_production \
+		--set primary.resourcesPreset=none \
+		--set primary.resources.requests.memory=1Gi \
+		--set primary.resources.limits.memory=2Gi \
+		--wait
+	helm upgrade --install redis bitnami/redis \
+		--namespace gitlab \
+		--set fullnameOverride=external-redis \
+		--set architecture=standalone \
+		--set auth.password=$(REDIS_PASSWORD) \
+		--wait
+	kubectl create secret generic gitlab-external-pg-password \
+		--from-literal=password=$(PG_PASSWORD) \
+		--namespace gitlab \
+		--dry-run=client -o yaml | kubectl apply -f -
+	kubectl create secret generic gitlab-external-redis-password \
+		--from-literal=redis-password=$(REDIS_PASSWORD) \
+		--namespace gitlab \
+		--dry-run=client -o yaml | kubectl apply -f -
+	@echo "Granting superuser to gitlab DB user so migrations can CREATE EXTENSION..."
+	kubectl exec -n gitlab pod/external-postgresql-0 -- \
+		env PGPASSWORD=$$(kubectl get secret external-postgresql -n gitlab \
+			-o jsonpath='{.data.postgres-password}' | base64 -d) \
+		psql -U postgres -c "ALTER USER gitlab SUPERUSER;"
+
+teardown-deps:
+	helm uninstall postgresql --namespace gitlab --ignore-not-found
+	helm uninstall redis --namespace gitlab --ignore-not-found
+
+# Helm install / uninstall (customer flow via Replicated OCI registry)
+install:
+	@test -n "$(REPLICATED_CUSTOMER_EMAIL)" || (echo "REPLICATED_CUSTOMER_EMAIL is not set"; exit 1)
+	@test -n "$(REPLICATED_LICENSE_ID)" || (echo "REPLICATED_LICENSE_ID is not set"; exit 1)
+	helm registry login registry.replicated.com \
+		--username $(REPLICATED_CUSTOMER_EMAIL) \
+		--password $(REPLICATED_LICENSE_ID)
+	helm install gitlab \
+		oci://registry.replicated.com/$(REPLICATED_APP)/unstable/gitlab \
+		--namespace gitlab \
+		--create-namespace \
+		--set global.replicated.licenseID=$(REPLICATED_LICENSE_ID) \
+		-f tests/helm/cmx-deploy-values.yaml \
+		--timeout 20m \
+		--wait
+
+uninstall:
+	helm uninstall gitlab --namespace gitlab
+	kubectl delete namespace gitlab --ignore-not-found