.gitlab-ci.yml

+# variables in the GitLab CI/CD variables:
+  #   GITLAB_TOKEN to support the semantic-release
+  #   DOCKER_AUTH_CONFIG to support the usage of private docker images as job docker image
+  #   TMPL_RELEASE_ENABLED to enable the semantic-release job
+  #   TBC_NAMESPACE: smartdatalab/public/ci-cd-components
+
 include:
-  - project: "to-be-continuous/tools/gitlab-ci"
-    ref: "master"
-    file: "/templates/extract.yml"
-  - project: "to-be-continuous/tools/gitlab-ci"
-    ref: "master"
-    file: "/templates/validation.yml"
-  - project: "to-be-continuous/kicker"
-    ref: "master"
-    file: "/templates/validation.yml"
-  - component: $CI_SERVER_FQDN/to-be-continuous/bash/gitlab-ci-bash@3.6
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/extract@master
+    inputs:
+      extract-script-job-tags: ["docker"]
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/validation@master
+    inputs:
+      check-links-job-tags: ["docker"]
+      tbc-check-job-tags: ["docker"]
+      tbc-check-image: cicd-docker-dev.artifact.tecnalia.dev/tbc-check:master
+      gitlab-ci-lint-job-tags: ["docker"]
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/kicker/validation@master
     inputs:
+      kicker-validation-job-tags: ["docker"]
+      schema-base-url: "https://git.code.tecnalia.dev/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/bash/gitlab-ci-bash@master
+    inputs:
+      bash-shellcheck-job-tags: ["docker"]
       shellcheck-files: "*.sh"
-  - component: $CI_SERVER_FQDN/to-be-continuous/semantic-release/gitlab-ci-semrel@3.13
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@master
+    inputs:
+      semantic-release-job-tags: ["docker"]
 
 variables:
   GITLAB_CI_FILES: "templates/gitlab-ci-k8s.yml"
+  GIT_STRATEGY: clone
 
 semantic-release:
   rules:

.gitlab/merge_request_templates/new_feature.md

@@ -8,8 +8,8 @@ Closes #999
 ## Checklist
 
 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
     * [ ] untagged runners
     * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

CHANGELOG.md

+## [7.3.1](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/kubernetes/compare/7.3.0...7.3.1) (2025-05-07)
+
+
+### Bug Fixes
+
+* **envsubst:** leave lines with '# nosubst' unchanged when substituting (used to be simply dropped) ([f8164e7](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/kubernetes/commit/f8164e79e74a592742ceb94b23aa7cfdfc845798)), closes [#50](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/kubernetes/issues/50)
+
+## [7.3.1](https://gitlab.com/to-be-continuous/kubernetes/compare/7.3.0...7.3.1) (2025-04-11)
+
+
+### Bug Fixes
+
+* **envsubst:** leave lines with '# nosubst' unchanged when substituting (used to be simply dropped) ([f8164e7](https://gitlab.com/to-be-continuous/kubernetes/commit/f8164e79e74a592742ceb94b23aa7cfdfc845798)), closes [#50](https://gitlab.com/to-be-continuous/kubernetes/issues/50)
+
 # [7.3.0](https://gitlab.com/to-be-continuous/kubernetes/compare/7.2.1...7.3.0) (2025-03-10)
 
 
@@ -53,21 +67,14 @@ implementation flaws.
 
 ### Features
 
-* disable tracking service by default ([5b31f18](https://gitlab.com/to-be-continuous/kubernetes/commit/5b31f18734e9e4497716d0eb091606dd7bf9edd5))
-
-# [6.4.0](https://gitlab.com/to-be-continuous/kubernetes/compare/6.3.0...6.4.0) (2025-01-20)
-
-
-### Features
-
-* add automatic namespace creation (when it doesn't exist) ([266bee9](https://gitlab.com/to-be-continuous/kubernetes/commit/266bee9290b7b5e8611c4ef9e80f842004fbd015))
+* disable tracking service by default ([5b31f18](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/kubernetes/commit/5b31f18734e9e4497716d0eb091606dd7bf9edd5))
 
-# [6.3.0](https://gitlab.com/to-be-continuous/kubernetes/compare/6.2.0...6.3.0) (2024-08-05)
+# [6.3.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/kubernetes/compare/6.2.0...6.3.0) (2024-08-29)
 
 
 ### Features
 
-* **gcp:** setup GCP credentials through ADC ([ff59904](https://gitlab.com/to-be-continuous/kubernetes/commit/ff599041fe3515bce9c0e69b99d44859dfd93ba4))
+* **gcp:** setup GCP credentials through ADC ([ff59904](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/kubernetes/commit/ff599041fe3515bce9c0e69b99d44859dfd93ba4))
 
 # [6.2.0](https://gitlab.com/to-be-continuous/kubernetes/compare/6.1.4...6.2.0) (2024-07-12)
 

CONTRIBUTING.md

@@ -61,7 +61,7 @@ To contribute:
 
 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
    Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
 
 ### Git Commit Conventions

kicker.json

@@ -59,6 +59,13 @@
       "description": "Additional [`kubectl kustomize` options](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#kustomize)\n\n_For example: `--enable-helm`_",
       "advanced": true
     },
+    {
+      "name": "K8S_K8S_SCORE_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
     {
       "name": "K8S_CREATE_NAMESPACE_ENABLED",
       "description": "Set to `true` to enable automatic namespace creation",
@@ -88,7 +95,7 @@
     {
       "id": "review",
       "name": "Review",
-      "description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ee/ci/review_apps/))",
+      "description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ci/review_apps/))",
       "variables": [
         {
           "name": "K8S_REVIEW_SPACE",
@@ -131,6 +138,20 @@
           "name": "K8S_REVIEW_CA_CERT",
           "description": "Kubernetes cluster server certificate authority for review env (only define if using exploded kubeconfig parameters and if different from global)",
           "secret": true
+        },
+        {
+          "name": "K8S_K8S_REVIEW_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
+        },
+        {
+          "name": "K8S_K8S_CLEANUP_REVIEW_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
         }
       ]
     },
@@ -175,6 +196,13 @@
           "name": "K8S_INTEG_CA_CERT",
           "description": "Kubernetes cluster server certificate authority for integration env (only define if using exploded kubeconfig parameters and if different from global)",
           "secret": true
+        },
+        {
+          "name": "K8S_K8S_INTEG_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
         }
       ]
     },
@@ -219,6 +247,13 @@
           "name": "K8S_STAGING_CA_CERT",
           "description": "Kubernetes cluster server certificate authority for staging env (only define if using exploded kubeconfig parameters and if  different from global)",
           "secret": true
+        },
+        {
+          "name": "K8S_K8S_STAGING_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
         }
       ]
     },
@@ -270,6 +305,13 @@
           "name": "K8S_PROD_CA_CERT",
           "description": "Kubernetes cluster server certificate authority for production env (only define if using exploded kubeconfig parameters and if  different from global)",
           "secret": true
+        },
+        {
+          "name": "K8S_K8S_PROD_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
         }
       ]
     }
@@ -318,7 +360,7 @@
       "variables": [
         {
           "name": "GCP_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
           "default": "$CI_SERVER_URL",
           "advanced": true
         },
@@ -328,7 +370,7 @@
         },
         {
           "name": "GCP_OIDC_PROVIDER",
-          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
+          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)"
         },
         {
           "name": "GCP_REVIEW_OIDC_ACCOUNT",
@@ -337,7 +379,7 @@
         },
         {
           "name": "GCP_REVIEW_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment",
           "advanced": true
         },
         {
@@ -347,7 +389,7 @@
         },
         {
           "name": "GCP_INTEG_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment",
           "advanced": true
         },
         {
@@ -357,7 +399,7 @@
         },
         {
           "name": "GCP_STAGING_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment",
           "advanced": true
         },
         {
@@ -367,7 +409,7 @@
         },
         {
           "name": "GCP_PROD_OIDC_PROVIDER",
-          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment",
+          "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment",
           "advanced": true
         },
         {
@@ -385,7 +427,7 @@
       "variables": [
         {
           "name": "AWS_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
           "default": "$CI_SERVER_URL",
           "advanced": true
         },

templates/gitlab-ci-k8s-aws.yml

@@ -10,19 +10,19 @@ spec:
       description: The `aud` claim for the JWT
       default: $CI_SERVER_URL
     aws-oidc-role-arn:
-      description: Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+      description: Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/)
       default: ''
     aws-review-oidc-role-arn:
-      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define to override default)_
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `review` env _(only define to override default)_
       default: ''
     aws-integ-oidc-role-arn:
-      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define to override default)_
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `integration` env _(only define to override default)_
       default: ''
     aws-staging-oidc-role-arn:
-      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define to override default)_
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `staging` env _(only define to override default)_
       default: ''
     aws-prod-oidc-role-arn:
-      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define to override default)_
+      description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `production` env _(only define to override default)_
       default: ''
 
 ---

templates/gitlab-ci-k8s-gcp.yml

@@ -13,31 +13,31 @@ spec:
       description: Default Service Account to which impersonate with OpenID Connect authentication
       default: ''
     gcp-oidc-provider:
-      description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
+      description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)
       default: ''
     gcp-review-oidc-account:
       description: Service Account to which impersonate with OpenID Connect authentication on `review` environment
       default: ''
     gcp-review-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment
       default: ''
     gcp-integ-oidc-account:
       description: Service Account to which impersonate with OpenID Connect authentication on `integration` environment
       default: ''
     gcp-integ-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment
       default: ''
     gcp-staging-oidc-account:
       description: Service Account to which impersonate with OpenID Connect authentication on `staging` environment
       default: ''
     gcp-staging-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment
       default: ''
     gcp-prod-oidc-account:
       description: Service Account to which impersonate with OpenID Connect authentication on `production` environment
       default: ''
     gcp-prod-oidc-provider:
-      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment
+      description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment
       default: ''
 ---
 variables:

templates/gitlab-ci-k8s-vault.yml

@@ -22,7 +22,7 @@ variables:
 .k8s-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "--port", "8082", "kubernetes", "7.3.0"]
+      command: ["--service", "--port", "8082", "kubernetes", "7.3.1"]
     - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"
   variables:

templates/gitlab-ci-k8s.yml

@@ -114,6 +114,31 @@ spec:
     prod-url:
       description: Kubernetes API url for production env (only define if using exploded kubeconfig parameters and if different from global)
       default: ''
+    k8s-score-job-tags:
+      description: tags to filter applicable runners for k8s-score job
+      type: array
+      default: []
+    k8s-review-job-tags:
+      description: tags to filter applicable runners for k8s-review job
+      type: array
+      default: []
+    k8s-cleanup-review-job-tags:
+      description: tags to filter applicable runners for k8s-cleanup-review job
+      type: array
+      default: []
+    k8s-integ-job-tags:
+      description: tags to filter applicable runners for k8s-integration job
+      type: array
+      default: []
+    k8s-staging-job-tags:
+      description: tags to filter applicable runners for k8s-staging job
+      type: array
+      default: []
+    k8s-prod-job-tags:
+      description: tags to filter applicable runners for k8s-production job
+      type: array
+      default: []
+
 ---
 # default workflow rules: Merge Request pipelines
 workflow:
@@ -449,7 +474,11 @@ stages:
         }
         return enc
       }
-      !/# *nosubst/ {
+      /# *nosubst/ {
+        print $0
+        next
+      }
+      {
         orig_line = $0
         line = $0
         count_repl_in_line = 0
@@ -862,7 +891,7 @@ stages:
     entrypoint: [""]
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "kubernetes", "7.3.0"]
+      command: ["--service", "kubernetes", "7.3.1"]
   before_script:
     - !reference [.k8s-scripts]
     - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
@@ -908,7 +937,7 @@ k8s-score:
     - if: '$ENV_TYPE == "production" && ($K8S_PROD_SPACE == null || $K8S_PROD_SPACE == "")'
       when: never
     - !reference [.test-policy, rules]
-
+  tags: $[[ inputs.k8s-score-job-tags ]]
 
 # Deploy job prototype
 # Can be extended to define a concrete environment
@@ -991,6 +1020,7 @@ k8s-review:
       when: never
     # only on non-production, non-integration branches, with $K8S_REVIEW_SPACE set
     - if: '$K8S_REVIEW_SPACE != "" && $CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
+  tags: $[[ inputs.k8s-review-job-tags ]]
 
 # stop review env (automatically triggered once branches are deleted)
 k8s-cleanup-review:
@@ -1015,6 +1045,7 @@ k8s-cleanup-review:
     - if: '$K8S_REVIEW_SPACE != "" && $CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
       when: manual
       allow_failure: true
+  tags: $[[ inputs.k8s-cleanup-review-job-tags ]]
 
 k8s-integration:
   extends: .k8s-deploy
@@ -1033,6 +1064,7 @@ k8s-integration:
   rules:
     # only on integration branch(es), with $K8S_INTEG_SPACE set
     - if: '$K8S_INTEG_SPACE != "" && $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+  tags: $[[ inputs.k8s-integ-job-tags ]]
 
 ###############################
 # Staging deploys are disabled by default since
@@ -1058,6 +1090,7 @@ k8s-staging:
   rules:
     # only on production branch(es), with $K8S_STAGING_SPACE set
     - if: '$K8S_STAGING_SPACE != "" && $CI_COMMIT_REF_NAME =~ $PROD_REF'
+  tags: $[[ inputs.k8s-staging-job-tags ]]
 
 k8s-production:
   extends: .k8s-deploy
@@ -1085,3 +1118,4 @@ k8s-production:
     - if: '$K8S_PROD_DEPLOY_STRATEGY == "manual"'
       when: manual
     - if: '$K8S_PROD_DEPLOY_STRATEGY == "auto"'
+  tags: $[[ inputs.k8s-prod-job-tags ]]
\ No newline at end of file