feat(ibmcloud): add GitLab runner support for IBM Power and IBM Z

- Register GitLab project or group runners via Pulumi NewUserRunner API
  during stack provisioning; auth token flows through ApplyT to avoid
  global state mutation
- Add --glrunner-unsecure flag (default false): by default a locked-down
  gitlab-runner system user is created with rootless-Podman support
  (subuid/subgid + loginctl enable-linger); when true the runner runs
  as the default OS user
- Create gitlab-runner system user with /bin/bash shell so PAM does not
  reject su calls from the shell executor (nologin caused immediate
  'prepare environment: exit status 1')
- Install and configure otelcol-contrib filelog collector for syslog,
  secure/auth, audit, and gitlab-runner log shipping via OTLP HTTP;
  use apt-get/dnf for installation to resolve package dependencies
  automatically
- Exclude otel-endpoint from partial-config validation since it carries
  a default value; only validate app-code, auth-token, and index
- Upgrade pulumi-gitlab SDK from v8 to v9 to match Containerfile
  pre-installed plugin (v9.11.0); bump pulumi-tls to v5.5.0
- Add systemd drop-in + logrotate for /var/log/gitlab-runner/runner.log
- IBM Power: use dnf for otelcol-contrib install; set route via VPC
  gateway; deploy optional VPC bastion with floating IP for SSH access
- IBM Z: wrap cloud-config in MIME multipart with base64 encoding so
  cloud-init decodes the payload before processing
- Update all module dependencies

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: adrianriobo

cmd/mapt/cmd/aws/hosts/fedora.go

@@ -57,7 +57,7 @@ func getFedoraCreate() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
-					GLRunnerArgs:  params.GitLabRunnerArgs(),
+					GLRunnerArgs:  params.GitLabRunnerArgs(params.LinuxGitLabArch()),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&fedora.FedoraArgs{

cmd/mapt/cmd/aws/hosts/mac.go

@@ -48,7 +48,7 @@ func getMacRequest() *cobra.Command {
 					Debug:         viper.IsSet(params.Debug),
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
-					GLRunnerArgs:  params.GitLabRunnerArgs(),
+					GLRunnerArgs:  params.GitLabRunnerArgs(params.LinuxGitLabArch()),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&mac.MacRequestArgs{

cmd/mapt/cmd/aws/hosts/rhel.go

@@ -53,7 +53,7 @@ func getRHELCreate() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
-					GLRunnerArgs:  params.GitLabRunnerArgs(),
+					GLRunnerArgs:  params.GitLabRunnerArgs(params.LinuxGitLabArch()),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&rhel.RHELArgs{

cmd/mapt/cmd/aws/hosts/windows.go

@@ -66,7 +66,7 @@ func getWindowsCreate() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
-					GLRunnerArgs:  params.GitLabRunnerArgs(),
+					GLRunnerArgs:  params.GitLabRunnerArgs(params.LinuxGitLabArch()),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&windows.WindowsServerArgs{

cmd/mapt/cmd/aws/services/mac-pool.go

@@ -174,7 +174,7 @@ func request() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
-					GLRunnerArgs:  params.GitLabRunnerArgs(),
+					GLRunnerArgs:  params.GitLabRunnerArgs(params.LinuxGitLabArch()),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&macpool.RequestMachineArgs{

cmd/mapt/cmd/azure/hosts/rhel.go

@@ -49,7 +49,7 @@ func getCreateRHEL() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
-					GLRunnerArgs:  params.GitLabRunnerArgs(),
+					GLRunnerArgs:  params.GitLabRunnerArgs(params.LinuxGitLabArch()),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&azureRHEL.RhelArgs{

cmd/mapt/cmd/azure/hosts/windows.go

@@ -62,7 +62,7 @@ func getCreateWindowsDesktop() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
-					GLRunnerArgs:  params.GitLabRunnerArgs(),
+					GLRunnerArgs:  params.GitLabRunnerArgs(params.LinuxGitLabArch()),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&azureWindows.WindowsArgs{

cmd/mapt/cmd/ibmcloud/hosts/ibm-power.go

@@ -2,6 +2,7 @@ package hosts
 
 import (
 	"github.com/redhat-developer/mapt/cmd/mapt/cmd/params"
+	"github.com/redhat-developer/mapt/pkg/integrations/gitlab"
 	maptContext "github.com/redhat-developer/mapt/pkg/manager/context"
 	ibmpower "github.com/redhat-developer/mapt/pkg/provider/ibmcloud/action/ibm-power"
 	"github.com/spf13/cobra"
@@ -52,17 +53,24 @@ func ibmPowerCreate() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
+					GLRunnerArgs:  params.GitLabRunnerArgs(&gitlab.Ppc64le),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&ibmpower.PWArgs{
 					PIPrivateSubnetID: viper.GetString(params.PIPrivateSubnetID),
 					WorkspaceID:       viper.GetString(params.WorkspaceID),
 					VPCPublicSubnetID: viper.GetString(params.VPCPublicSubnetID),
+					Memory:            viper.GetFloat64(params.PIMemory),
+					Processors:        viper.GetFloat64(params.PIProcessors),
+					ProcType:          viper.GetString(params.PIProcType),
+					SysType:           viper.GetString(params.PISysType),
+					StorageType:       viper.GetString(params.PIStorageType),
+					DiskSize:          viper.GetInt(params.PIDiskSize),
 					OtelAppCode:       viper.GetString(params.OtelAppCode),
 					OtelAuthToken:     viper.GetString(params.OtelAuthToken),
 					OtelEndpoint:      viper.GetString(params.OtelEndpoint),
-					OtelIndex:          viper.GetString(params.OtelIndex),
-					OtelExtraAttrs:     viper.GetStringMapString(params.OtelExtraAttrs),
+					OtelIndex:         viper.GetString(params.OtelIndex),
+					OtelExtraAttrs:    viper.GetStringMapString(params.OtelExtraAttrs),
 				})
 		},
 	}
@@ -77,8 +85,16 @@ func ibmPowerCreate() *cobra.Command {
 	flagSet.StringP(params.OtelEndpoint, "", "https://otel-input.corp.redhat.com", params.OtelEndpointDesc)
 	flagSet.StringP(params.OtelIndex, "", "", params.OtelIndexDesc)
 	flagSet.StringToStringP(params.OtelExtraAttrs, "", nil, params.OtelExtraAttrsDesc)
+	flagSet.Float64(params.PIMemory, params.PIMemoryDefault, params.PIMemoryDesc)
+	flagSet.Float64(params.PIProcessors, params.PIProcessorsDefault, params.PIProcessorsDesc)
+	flagSet.String(params.PIProcType, params.PIProcTypeDefault, params.PIProcTypeDesc)
+	flagSet.String(params.PISysType, params.PISysTypeDefault, params.PISysTypeDesc)
+	flagSet.String(params.PIStorageType, params.PIStorageTypeDefault, params.PIStorageTypeDesc)
+	flagSet.Int(params.PIDiskSize, params.PIDiskSizeDefault, params.PIDiskSizeDesc)
 	params.AddGHActionsFlags(flagSet)
 	params.AddCirrusFlags(flagSet)
+	params.AddGitLabRunnerFlags(flagSet)
+	flagSet.Int(params.GlRunnerConcurrent, params.GlRunnerConcurrentPowerDefault, params.GlRunnerConcurrentDesc)
 	c.PersistentFlags().AddFlagSet(flagSet)
 	_ = c.MarkPersistentFlagRequired(params.PIPrivateSubnetID)
 	_ = c.MarkPersistentFlagRequired(params.WorkspaceID)

cmd/mapt/cmd/ibmcloud/hosts/ibm-z.go

@@ -2,6 +2,7 @@ package hosts
 
 import (
 	"github.com/redhat-developer/mapt/cmd/mapt/cmd/params"
+	"github.com/redhat-developer/mapt/pkg/integrations/gitlab"
 	maptContext "github.com/redhat-developer/mapt/pkg/manager/context"
 	ibmz "github.com/redhat-developer/mapt/pkg/provider/ibmcloud/action/ibm-z"
 	"github.com/spf13/cobra"
@@ -52,14 +53,17 @@ func ibmZCreate() *cobra.Command {
 					DebugLevel:    viper.GetUint(params.DebugLevel),
 					CirrusPWArgs:  params.CirrusPersistentWorkerArgs(),
 					GHRunnerArgs:  params.GithubRunnerArgs(),
+					GLRunnerArgs:  params.GitLabRunnerArgs(&gitlab.S390x),
 					Tags:          viper.GetStringMapString(params.Tags),
 				},
 				&ibmz.ZArgs{
 					SubnetID:      viper.GetString(params.SubnetID),
+					Profile:       viper.GetString(params.IZProfile),
+					DiskSize:      viper.GetInt(params.IZDiskSize),
 					OtelAppCode:   viper.GetString(params.OtelAppCode),
 					OtelAuthToken: viper.GetString(params.OtelAuthToken),
 					OtelEndpoint:  viper.GetString(params.OtelEndpoint),
-					OtelIndex:      viper.GetString(params.OtelIndex),
+					OtelIndex:     viper.GetString(params.OtelIndex),
 					OtelExtraAttrs: viper.GetStringMapString(params.OtelExtraAttrs),
 				})
 		},
@@ -73,8 +77,12 @@ func ibmZCreate() *cobra.Command {
 	flagSet.StringP(params.OtelEndpoint, "", "https://otel-input.corp.redhat.com", params.OtelEndpointDesc)
 	flagSet.StringP(params.OtelIndex, "", "", params.OtelIndexDesc)
 	flagSet.StringToStringP(params.OtelExtraAttrs, "", nil, params.OtelExtraAttrsDesc)
+	flagSet.String(params.IZProfile, params.IZProfileDefault, params.IZProfileDesc)
+	flagSet.Int(params.IZDiskSize, params.IZDiskSizeDefault, params.IZDiskSizeDesc)
 	params.AddGHActionsFlags(flagSet)
 	params.AddCirrusFlags(flagSet)
+	params.AddGitLabRunnerFlags(flagSet)
+	flagSet.Int(params.GlRunnerConcurrent, params.GlRunnerConcurrentS390xDefault, params.GlRunnerConcurrentDesc)
 	c.PersistentFlags().AddFlagSet(flagSet)
 	return c
 }

cmd/mapt/cmd/params/params.go

@@ -7,6 +7,7 @@ import (
 	cr "github.com/redhat-developer/mapt/pkg/provider/api/compute-request"
 	spotTypes "github.com/redhat-developer/mapt/pkg/provider/api/spot"
 	"github.com/redhat-developer/mapt/pkg/util"
+	"github.com/redhat-developer/mapt/pkg/util/logging"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
 )
@@ -82,7 +83,7 @@ const (
 	cirrusPWLabelsDesc string = "additional labels to use on the persistent worker (--it-cirrus-pw-labels key1=value1,key2=value2)"
 
 	glRunnerToken         string = "glrunner-token"
-	glRunnerTokenDesc     string = "GitLab Personal Access Token with api scope"
+	glRunnerTokenDesc     string = "GitLab token with create_runner scope (personal access token, group/project access token, or service account token)"
 	glRunnerProjectID     string = "glrunner-project-id"
 	glRunnerProjectIDDesc string = "GitLab project ID for project runner registration"
 	glRunnerGroupID       string = "glrunner-group-id"
@@ -92,6 +93,13 @@ const (
 	glRunnerURLDefault    string = "https://gitlab.com"
 	glRunnerTags          string = "glrunner-tags"
 	glRunnerTagsDesc      string = "List of tags separated by comma to be added to the self-hosted runner"
+	glRunnerUnsecure string = "glrunner-unsecure"
+	glRunnerUnsecureDesc string = "when set, the runner service runs as the default OS user instead of a dedicated system account; by default a locked-down gitlab-runner system user is created"
+
+	GlRunnerConcurrent             string = "glrunner-concurrent"
+	GlRunnerConcurrentDesc         string = "maximum number of jobs the runner executes concurrently"
+	GlRunnerConcurrentPowerDefault int    = 2
+	GlRunnerConcurrentS390xDefault int    = 3
 
 	//RHEL
 	SubsUsername              string = "rh-subscription-username"
@@ -134,6 +142,34 @@ const (
 	VPCPublicSubnetID     string = "vpc-public-subnet-id"
 	VPCPublicSubnetIDDesc string = "ID of an existing VPC subnet (with public gateway, connected to Transit Gateway) for the SSH bastion"
 
+	// IBM Power instance sizing
+	PIMemory             string  = "pi-memory"
+	PIMemoryDesc         string  = "PowerVS instance memory in GB"
+	PIMemoryDefault      float64 = 96.0
+	PIProcessors         string  = "pi-processors"
+	PIProcessorsDesc     string  = "PowerVS instance processor count (shared cores)"
+	PIProcessorsDefault  float64 = 24.0
+	PIProcType           string  = "pi-proc-type"
+	PIProcTypeDesc       string  = "PowerVS processor type (shared, dedicated, capped)"
+	PIProcTypeDefault    string  = "shared"
+	PISysType            string  = "pi-sys-type"
+	PISysTypeDesc        string  = "PowerVS system type (s922, s1022, e880, e980)"
+	PISysTypeDefault     string  = "s1022"
+	PIStorageType        string  = "pi-storage-type"
+	PIStorageTypeDesc    string  = "PowerVS storage tier for instance and data volume (tier1, tier3)"
+	PIStorageTypeDefault string  = "tier1"
+	PIDiskSize           string  = "pi-disk-size"
+	PIDiskSizeDesc       string  = "data volume size in GB attached to the PowerVS instance"
+	PIDiskSizeDefault    int     = 300
+
+	// IBM Z instance sizing
+	IZProfile         string = "iz-profile"
+	IZProfileDesc     string = "IBM Z VPC instance profile name"
+	IZProfileDefault  string = "mz2-16x128"
+	IZDiskSize        string = "iz-disk-size"
+	IZDiskSizeDesc    string = "boot volume size in GB for the IBM Z instance"
+	IZDiskSizeDefault int    = 300
+
 	OtelAppCode       string = "otel-app-code"
 	OtelAppCodeDesc   string = "OpenTelemetry appcode identifier (e.g. MAPT-001); when set together with --otel-auth-token, installs the otelcol-contrib filelog collector on the instance"
 	OtelAuthToken     string = "otel-auth-token"
@@ -269,8 +305,10 @@ func AddGitLabRunnerFlags(fs *pflag.FlagSet) {
 	fs.StringP(glRunnerGroupID, "", "", glRunnerGroupIDDesc)
 	fs.StringP(glRunnerURL, "", glRunnerURLDefault, glRunnerURLDesc)
 	fs.StringSlice(glRunnerTags, nil, glRunnerTagsDesc)
+	fs.Bool(glRunnerUnsecure, false, glRunnerUnsecureDesc)
 }
 
+
 func CirrusPersistentWorkerArgs() *cirrus.PersistentWorkerArgs {
 	if viper.IsSet(cirrusPWToken) {
 		return &cirrus.PersistentWorkerArgs{
@@ -284,21 +322,31 @@ func CirrusPersistentWorkerArgs() *cirrus.PersistentWorkerArgs {
 	return nil
 }
 
-func GitLabRunnerArgs() *gitlab.GitLabRunnerArgs {
+func GitLabRunnerArgs(arch *gitlab.Arch) *gitlab.GitLabRunnerArgs {
 	if viper.IsSet(glRunnerToken) {
+		if viper.IsSet(glRunnerProjectID) && viper.IsSet(glRunnerGroupID) {
+			logging.Error("--glrunner-project-id and --glrunner-group-id are mutually exclusive; ignoring GitLab runner configuration")
+			return nil
+		}
 		return &gitlab.GitLabRunnerArgs{
-			GitLabPAT: viper.GetString(glRunnerToken),
-			ProjectID: viper.GetString(glRunnerProjectID),
-			GroupID:   viper.GetString(glRunnerGroupID),
-			URL:       viper.GetString(glRunnerURL),
-			Tags:      viper.GetStringSlice(glRunnerTags),
-			Platform:  &gitlab.Linux,
-			Arch:      linuxArchAsGitLabArch(viper.GetString(LinuxArch)),
+			GitLabToken: viper.GetString(glRunnerToken),
+			ProjectID:   viper.GetString(glRunnerProjectID),
+			GroupID:     viper.GetString(glRunnerGroupID),
+			URL:         viper.GetString(glRunnerURL),
+			Tags:        viper.GetStringSlice(glRunnerTags),
+			Platform:    &gitlab.Linux,
+			Arch:        arch,
+			Unsecure:    viper.GetBool(glRunnerUnsecure),
+			Concurrent:  viper.GetInt(GlRunnerConcurrent),
 		}
 	}
 	return nil
 }
 
+func LinuxGitLabArch() *gitlab.Arch {
+	return linuxArchAsGitLabArch(viper.GetString(LinuxArch))
+}
+
 func linuxArchAsCirrusArch(arch string) *cirrus.Arch {
 	switch arch {
 	case "x86_64":
@@ -338,3 +386,4 @@ func MACArchAsGitLabArch(arch string) *gitlab.Arch {
 	}
 	return &gitlab.Arm64
 }
+