Newer
Older
Zachariah Dzielinski
committed
# global rules for when pipelines run
Zachariah Dzielinski
committed
# run pipeline for manual tag events
- if: $CI_COMMIT_TAG
# run pipeline on merge request events
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
# run pipeline on commits to default branch
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# skip pipeline for branches that start with "docs"
- if: '$CI_COMMIT_REF_NAME =~ /^doc*/i'
Zachariah Dzielinski
committed
# include templates
Zachariah Dzielinski
committed
- local: '/.gitlab-ci/templates.yml'
stages:
- smoke tests
- network up
- cluster up
- bigbang up
- test
- bigbang down
- cluster down
- network down
- package
- release
variables:
RELEASE_BUCKET: umbrella-bigbang-releases
IMAGE_LIST: images.txt
IMAGE_PKG: images.tar.gz
REPOS_PKG: repositories.tar.gz
.bigbang-dogfood:
tags:
- bigbang
- dogfood
Zachariah Dzielinski
committed
image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/k3d-builder:0.0.1
extends: .bigbang-dogfood
after_script:
- kubectl get all -A
- kubectl get helmrelease -A
#-----------------------------------------------------------------------------------------------------------------------
# Pre Stage Jobs
#
pre vars:
Zachariah Dzielinski
committed
image: registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates/pre-envs:ubi8.3
artifacts:
reports:
dotenv: variables.env
script:
# obtain MR and master versions
- CHART_MR_VERSION=$(sed -n -e 's/^version. //p' chart/Chart.yaml)
- git fetch && git checkout ${CI_DEFAULT_BRANCH}
- CHART_MA_VERSION=$(sed -n -e 's/^version. //p' chart/Chart.yaml)
- git fetch && git checkout ${CI_COMMIT_REF_NAME}
- echo "CHART_MR_VERSION=$CHART_MR_VERSION" >> variables.env
- echo "CHART_MA_VERSION=$CHART_MA_VERSION" >> variables.env
- CHART_VERSION_DIFF=$(./scripts/semver_diff.sh $CHART_MR_VERSION $CHART_MA_VERSION)
- IFS=. DIFF_ARR=(${CHART_VERSION_DIFF##*-})
- echo "CHART_VERSION_DIFF=$CHART_VERSION_DIFF" >> variables.env
# detect breaking change (first two version sections in semver diff)
- CHART_BREAKING_CHANGE="false"
- if (( ${DIFF_ARR[0]} > 0 )); then CHART_BREAKING_CHANGE="true"; fi
- if (( ${DIFF_ARR[1]} > 0 )); then CHART_BREAKING_CHANGE="true"; fi
# store variables
- echo "CHART_BREAKING_CHANGE=$CHART_BREAKING_CHANGE" >> variables.env
- echo "TF_VAR_env=$(echo $CI_COMMIT_REF_SLUG | cut -c 1-7)-$(echo $CI_COMMIT_SHA | cut -c 1-7)" >> variables.env
- cat variables.env
#-----------------------------------------------------------------------------------------------------------------------
#-----------------------------------------------------------------------------------------------------------------------
# Smoke Tests
#
.chart_changes: &chart_changes
changes:
- chart/**/*
- .gitlab-ci.yml
- .gitlab-ci/jobs/**/*
- scripts/**/*
- tests/**/*
- find ./scripts/deploy -type f -name '*.sh' | sort | xargs -r -I {} sh -c 'echo {} && sh {}'
- find ./tests -type f -name '*.sh' | sort | xargs -r -I {} sh -c 'echo {} && sh {}'
Josh Wolf
committed
- .k3d-ci
CLUSTER_NAME: "clean-${CI_COMMIT_SHORT_SHA}"
Josh Wolf
committed
- if: '$CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master"'
when: never
- *chart_changes
# Fetch list of all images ran
Josh Wolf
committed
- cid=$(docker ps -aqf "name=k3d-${CI_JOB_ID}-server-0")
- docker exec $cid crictl images -o json | jq -r '.images[].repoTags[0] | select(. != null)' | tee images.txt
- "cypress-tests/*/tests/cypress/screenshots"
- "cypress-tests/*/tests/cypress/videos"
expire_in: 7 days
when: always
dependencies:
- pre vars
Josh Wolf
committed
- .k3d-ci
Zachariah Dzielinski
committed
# skip job when MR title starts with 'Breaking Change'
Zachariah Dzielinski
committed
- if: '$CI_MERGE_REQUEST_TITLE =~ /^Breaking Change/'
Zachariah Dzielinski
committed
when: never
# run pipeline on merge request events
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
<<: *chart_changes
CLUSTER_NAME: "upgrade-${CI_COMMIT_SHORT_SHA}"
- if $CHART_BREAKING_CHANGE; then echo "Breaking change detected by chart version difference, skipping job"; exit 0; fi
- echo "Install Big Bang from ${CI_DEFAULT_BRANCH}"
- git fetch && git checkout ${CI_DEFAULT_BRANCH}
- *deploy_bigbang
- echo "Upgrade Big Bang from ${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}"
- git reset --hard && git clean -fd
artifacts:
paths:
- "cypress-tests/*/tests/cypress/screenshots"
- "cypress-tests/*/tests/cypress/videos"
expire_in: 7 days
when: always
#-----------------------------------------------------------------------------------------------------------------------
#-----------------------------------------------------------------------------------------------------------------------
# Infrastructure: Management Jobs
#
# Abstract for job manually triggering infrastructure builds
.infra fork:
stage: network up
rules:
Tunde Oladipupo
committed
# Run on scheduled jobs OR when `test-ci` label is assigned
- if: '($CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master") || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::infra(,|$)/'
allow_failure: false
# Abstract for jobs responsible for creating infrastructure
.infra create:
rules:
Tunde Oladipupo
committed
# Run on scheduled jobs OR when `test-ci` label is assigned
- if: '($CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master") || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::infra(,|$)/'
# skip job when branch name starts with "hotfix" or "patch"
- if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ /^(hotfix|patch)/'
when: never
Tunde Oladipupo
committed
# Abstract for jobs responsible for cleaning up infrastructure OR when `test-ci` label is assigned
# Run on scheduled jobs
- if: '($CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "master") || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::infra(,|$)/'
Zachariah Dzielinski
committed
#-----------------------------------------------------------------------------------------------------------------------
#-----------------------------------------------------------------------------------------------------------------------
# Infrastructure: Networking
#
Zachariah Dzielinski
committed
- .infra fork
- .network up
environment:
name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
auto_stop_in: 1 hour
aws/network down:
extends:
- .infra cleanup
- .network down
stage: network down
environment:
name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
action: stop
Zachariah Dzielinski
committed
#-----------------------------------------------------------------------------------------------------------------------
#-----------------------------------------------------------------------------------------------------------------------
# Infrastructure: RKE2
#
Zachariah Dzielinski
committed
# Create RKE2 cluster on AWS
aws/rke2/cluster up:
stage: cluster up
extends:
- .infra create
- .rke2 up
needs:
- job: aws/network up
- job: pre vars
artifacts: true
environment:
name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
# Install BigBang on RKE2 cluster on AWS
aws/rke2/bigbang up:
stage: bigbang up
extends:
- .infra create
- .bigbang
needs:
- job: aws/rke2/cluster up
artifacts: true
- mkdir -p ~/.kube
- cp ${CI_PROJECT_DIR}/rke2.yaml ~/.kube/config
# Deploy a default storage class for aws
Zachariah Dzielinski
committed
- kubectl apply -f ${CI_PROJECT_DIR}/.gitlab-ci/jobs/rke2/dependencies/k8s-resources/aws/default-ebs-sc.yaml
- echo "Patching default rke2 PSPs to be less restrictive so OPA Gatekeeper can successfully deploy"
- |
kubectl --kubeconfig rke2.yaml patch psp global-unrestricted-psp -p '{"metadata": { "annotations": { "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*" } } }'
- |
kubectl --kubeconfig rke2.yaml patch psp system-unrestricted-psp -p '{ "metadata": { "annotations": { "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*" } } }'
- |
kubectl --kubeconfig rke2.yaml patch psp global-restricted-psp -p '{ "metadata": { "annotations": { "seccomp.security.alpha.kubernetes.io/allowedProfileNames": "*" } } }'
environment:
name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
joshwolf
committed
# Run tests on BigBang on RKE2 cluster on AWS
aws/rke2/bigbang test:
stage: test
extends:
- .infra create
- .bigbang
needs:
- job: aws/rke2/cluster up
artifacts: true
- job: aws/rke2/bigbang up
before_script:
- mkdir -p ~/.kube
- cp ${CI_PROJECT_DIR}/rke2.yaml ~/.kube/config
## Move this yum install to the dockerfile for the builder
## putting it here now for a quick way to install dig
- yum install bind-utils -y
- ./scripts/hosts.sh
environment:
name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
# Uninstall BigBang on RKE2 cluster on AWS
aws/rke2/bigbang down:
stage: bigbang down
extends:
- .infra cleanup
- .bigbang
needs:
- job: aws/rke2/cluster up
artifacts: true
- job: aws/rke2/bigbang test
before_script:
- mkdir -p ~/.kube
- cp ${CI_PROJECT_DIR}/rke2.yaml ~/.kube/config
- helm un -n bigbang bigbang
# TODO: Smarter wait
- sleep 180
environment:
name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
# Destroy RKE2 cluster on AWS
aws/rke2/cluster down:
stage: cluster down
extends:
- .infra cleanup
- .rke2 down
needs:
- job: aws/rke2/bigbang down
- job: pre vars
artifacts: true
environment:
name: review/aws-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
Zachariah Dzielinski
committed
#-----------------------------------------------------------------------------------------------------------------------
#-----------------------------------------------------------------------------------------------------------------------
# Release Jobs
#
package:
stage: package
image: registry.dso.mil/platform-one/big-bang/bigbang/synker:0.0.3
# run job for manual tag events or test-ci::release MRs
- if: '$CI_COMMIT_TAG || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::release(,|$)/'
before_script:
# Set up auth
- mkdir -p /root/.docker
- echo $DOCKER_AUTH_CONFIG > /root/.docker/config.json
script:
- cp ./scripts/package/synker.yaml ./synker.yaml
# Populate images list in synker config
Micah Nagel
committed
- |
for image in $(cat images.txt); do
yq -i e "(.source.images |= . + \"${image}\")" "./synker.yaml"
done
Micah Nagel
committed
# Create image list from synker, overwrite since ./synker.yaml contains everything at this point
- yq e '.source.images | .[] | ... comments=""' "./synker.yaml" > images.txt
# Tar up synker as well?
- cp /usr/local/bin/synker synker.yaml /var/lib/registry/
# Grab the registry image
- crane pull registry:2 registry.tar
- mv registry.tar /var/lib/registry/
- tar -C /var/lib/registry -czvf $IMAGE_PKG .
- tar -czvf $IMAGE_PKG /var/lib/registry
# Package dependent repos
- ./scripts/package/gits.sh
- tar -czf $REPOS_PKG repos/
# Prep release
- mkdir -p release
- mv $IMAGE_LIST $IMAGE_PKG $REPOS_PKG release/
# Publish packages to s3 release
- |
if [ -z $CI_COMMIT_TAG ]; then
aws s3 sync --quiet release/ s3://umbrella-bigbang-releases/tests/${CI_COMMIT_SHA}
else
aws s3 sync --quiet release/ s3://umbrella-bigbang-releases/umbrella/${CI_COMMIT_TAG}
fi
after_script: []
release:
stage: release
image: registry.gitlab.com/gitlab-org/release-cli:latest
# run job for manual tag events or test-ci::release MRs
- if: '$CI_COMMIT_TAG || $CI_MERGE_REQUEST_LABELS =~ /(^|,)test-ci::release(,|$)/'
variables:
RELEASE_ENDPOINT: https://${RELEASE_BUCKET}.s3-${AWS_DEFAULT_REGION}.amazonaws.com/umbrella/${CI_COMMIT_TAG}
script:
# Use release-cli to cut a release in Gitlab or simulate a dry-run & print asset links
RELEASE_ENDPOINT="https://${RELEASE_BUCKET}.s3-${AWS_DEFAULT_REGION}.amazonaws.com/tests/${CI_COMMIT_SHA}"
printf "Release will run: \n\
release-cli create --name \"Big Bang \${CI_COMMIT_TAG}\" --tag-name \${CI_COMMIT_TAG} \n\
--description \"Automated release notes are a WIP.\" \n\
--assets-link \"{\"name\":\"${IMAGE_LIST}\",\"url\":\"${RELEASE_ENDPOINT}/${IMAGE_LIST}\"}\" \n\
--assets-link \"{\"name\":\"${IMAGE_PKG}\",\"url\":\"${RELEASE_ENDPOINT}/${IMAGE_PKG}\"}\" \n\
--assets-link \"{\"name\":\"${REPOS_PKG}\",\"url\":\"${RELEASE_ENDPOINT}/${REPOS_PKG}\"}\"\n"
else
release-cli create --name "Big Bang ${CI_COMMIT_TAG}" --tag-name ${CI_COMMIT_TAG} \
--description "Automated release notes are a WIP." \
--assets-link "{\"name\":\"${IMAGE_LIST}\",\"url\":\"${RELEASE_ENDPOINT}/${IMAGE_LIST}\"}" \
--assets-link "{\"name\":\"${IMAGE_PKG}\",\"url\":\"${RELEASE_ENDPOINT}/${IMAGE_PKG}\"}" \
--assets-link "{\"name\":\"${REPOS_PKG}\",\"url\":\"${RELEASE_ENDPOINT}/${REPOS_PKG}\"}"
fi
#-----------------------------------------------------------------------------------------------------------------------