default:
  # Defaults inherited by every job below unless the job overrides them
  # (prepare and release bring their own image).
  tags:
    - docker-host-linux
  image:
    # NOTE(review): a floating ":latest" tag means the helm/kubectl toolchain can change
    # underneath the pipeline between runs; a version tag or digest would make runs reproducible.
    name: "cr.gitlab.switch.ch/helm-charts/shibboleth-sp/pipeline-images/helm:latest"

variables:
  NAMESPACE: "shibboleth-sp-helm-chart"
  KUBE_APISERVER: "https://console.zh.shift.switchengines.ch:443"
  # helm picks up its connection settings from these HELM_* variables, which is why the
  # helm commands further down need no --kube-apiserver/--namespace/--kube-token flags.
  HELM_KUBEAPISERVER: "${KUBE_APISERVER}"
  HELM_NAMESPACE: "${NAMESPACE}"
  # KUBE_TOKEN is deliberately not defined in this file: it has to be provided as a project
  # CI/CD variable (masked, so it is redacted from job logs; protected, so only protected
  # branches/tags can read it). prepare:before_script fails fast when it is missing.
  HELM_KUBETOKEN: "${KUBE_TOKEN}"
  HELM_RELEASE: "shibboleth-sp-helm-chart"
  # required to use the container registry as helm chart repository
  HELM_EXPERIMENTAL_OCI: "1"
  # HELM_DEBUG: "true"

cache:
  # The cache is the hand-over channel between jobs: prepare (ansible image) decrypts the
  # SP private key into ci/sp-key.pem, deploy (helm image) consumes it. Keep in mind what
  # this stores: a plaintext private key and, from the upload job's `helm registry login`,
  # registry credentials. Both sit wherever the runner keeps its cache until a later
  # successful job uploads a cache archive without them.
  # The key contains the environment slug, so jobs of the "main" environment and jobs of
  # the "release" environment never share a cache.
  key: "${CI_ENVIRONMENT_SLUG}-${CI_COMMIT_REF_SLUG}"
  paths:
    - "${CI_PROJECT_DIR}/ci/sp-key.pem"
    - "${CI_PROJECT_DIR}/.config/helm/registry.json"

stages:
  # test pipeline, run for commits to main and for tags:
  # deploy the chart into the test namespace, verify it, tear it down again
  - prepare
  - pre-cleanup
  - deploy
  - verify
  - post-cleanup
  # release pipeline, run for tags only:
  # package the chart, push it to the registry, create the GitLab release
  - build
  - release

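# Shared by pre-cleanup and post-cleanup (via extends): removes the helm release together with
# the resources that may survive it - the TLS secret the deploy job creates with kubectl, and
# the sealer-key objects (presumably created by the chart's pre-install hooks).
.cleanup:
  interruptible: true
  script:
    # This template runs twice per pipeline, possibly after a failed deploy, so any of the
    # resources below may legitimately be missing already. Only that case is tolerated
    # (--ignore-not-found). A blanket `|| true` would also hide authentication, connectivity
    # and RBAC errors and report a "successful" cleanup that left everything in place -
    # which then surfaces as a confusing failure in the deploy job (pre-cleanup) or as a
    # deployment that silently stays around (post-cleanup).
    # helm uninstall keeps the blanket fallback because --ignore-not-found is not available
    # in every helm 3 version, and the pipeline image's helm version is not pinned.
    - helm uninstall "${HELM_RELEASE}" 2>&1 || true
    # The token travels on the command line of every call; keep KUBE_TOKEN a masked CI/CD
    # variable so that its value can never show up in the job log.
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete secret shibboleth-sp-helm-chart-certs --ignore-not-found=true
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete secret shibboleth-sp-helm-chart-sealer-keys --ignore-not-found=true
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete job shibboleth-sp-helm-chart-create-sealer-keys --ignore-not-found=true
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete rolebinding shibboleth-sp-helm-chart-sealer-keys-nanny --ignore-not-found=true
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete serviceaccount shibboleth-sp-helm-chart-sealer-keys-nanny --ignore-not-found=true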

# Decrypts the SP private key so that the deploy job - which runs in the helm image, without
# ansible - can create the TLS secret from it. The decrypted key reaches deploy via the cache.
prepare:
  stage: prepare
  environment:
    name: main
  only:
    - main
    - tags
  interruptible: true
  image:
    name: "cr.gitlab.switch.ch/helm-charts/shibboleth-sp/pipeline-images/ansible:latest"
  before_script:
    # Fail fast with a readable message when the secrets the pipeline depends on are not
    # configured, instead of failing somewhere deep inside ansible-vault or kubectl.
    # we only have a POSIX compliant shell (busybox ash), no bash - thus the code here is a bit awkward
    - missing_vars=""
    - test -n "${KUBE_TOKEN}" || missing_vars="${missing_vars} KUBE_TOKEN"
    - test -n "${VAULT_PASSWORD}" || missing_vars="${missing_vars} VAULT_PASSWORD"
    - if test -n "${missing_vars}"; then echo "Required environment variable(s) not set:${missing_vars} - check CI / CD variables in the project settings" >&2; exit 1; fi;
    # apparently ash can't do process substitution, so we have to write this to a file temporarily
    - echo "${VAULT_PASSWORD}" > "${CI_PROJECT_DIR}/.vault_password"
  script:
    # can't do this in the deploy step, because we have no ansible there
    - ansible-vault view --vault-password-file "${CI_PROJECT_DIR}/.vault_password" "${CI_PROJECT_DIR}/ci/sp-key.pem.vault" > "${CI_PROJECT_DIR}/ci/sp-key.pem"
  after_script:
    # after_script runs whether or not the steps above succeeded, so the password file
    # never outlives the job (it is not part of the cache paths either)
    - rm -f "${CI_PROJECT_DIR}/.vault_password"

# Leftovers from an earlier run (e.g. after a failed deploy) would make the deploy job fail,
# so the namespace is cleaned before every deploy. An install (never an upgrade) is used on
# purpose, so that the chart's pre-install hooks are exercised on every run.
pre-cleanup:
  extends:
    - .cleanup
  stage: pre-cleanup
  # serialises all jobs that touch the test deployment across concurrent pipelines
  resource_group: helm-deployment
  environment:
    name: main
  only:
    - main
    - tags

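# Installs the chart into the test namespace. The TLS secret is created with kubectl, outside
# the chart, from the certificate in the repository and the key decrypted by the prepare job.
deploy:
  stage: deploy
  resource_group: helm-deployment
  environment:
    name: main
  only:
    - main
    - tags
  interruptible: true
  script:
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" create secret tls shibboleth-sp-helm-chart-certs --cert="${CI_PROJECT_DIR}/ci/sp-cert.pem" --key="${CI_PROJECT_DIR}/ci/sp-key.pem"
    # thanks to --atomic, this command won't just install the chart but also ensure it works
    # NOTE: --debug makes helm print the computed values and the rendered manifests into the
    # job log, so anything sensitive in ci/values.yaml becomes visible to everyone who can
    # read the log. Keep that file free of secrets or drop --debug.
    - helm install "${HELM_RELEASE}" "${CI_PROJECT_DIR}" --values="${CI_PROJECT_DIR}/ci/values.yaml" --atomic --debug
  after_script:
    # Remove the decrypted key from the build directory in every case, not only when the
    # install succeeded: placed in `script`, this line is never reached after a failed
    # `create secret` or `helm install`, and the key stays in the (reused) build directory.
    # after_script runs regardless of the job result and before the cache is saved, so a
    # successful job still uploads a cache without the key. Note that the cache archive
    # uploaded by `prepare` keeps the key until the next successful cache upload replaces it
    # (by default the cache is only saved for successful jobs).
    - rm -f "${CI_PROJECT_DIR}/ci/sp-key.pem"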

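# Runs the chart's helm tests against the fresh deployment and shows the test pod's logs.
verify:
  stage: verify
  resource_group: helm-deployment
  environment:
    name: main
  only:
    - main
    - tags
  interruptible: true
  script:
    - helm test "${HELM_RELEASE}"
  after_script:
    # The logs are collected in after_script so that they are available when the tests
    # fail - which is exactly when they are needed; in `script` they would only be printed
    # after a successful `helm test`. As a consequence a failing log retrieval no longer
    # fails the job: the test result alone decides.
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" logs "${HELM_RELEASE}-helm-test-curl" -c "root"
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" logs "${HELM_RELEASE}-helm-test-curl" -c "session"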

# Tears the test deployment down again. An install (never an upgrade) is wanted on every run
# so that the pre-install hooks are exercised, hence everything is deleted afterwards.
# NOTE(review): with the default `when: on_success` this job is skipped when deploy or verify
# fail, so a broken deployment stays in the namespace until the next pipeline's pre-cleanup;
# `when: always` would clean up in that case too.
post-cleanup:
  extends:
    - .cleanup
  stage: post-cleanup
  resource_group: helm-deployment
  environment:
    name: main
  only:
    - main
    - tags

# Shared before_script of the release pipeline: the `version:` line of Chart.yaml is replaced
# with the git tag, so the tag is the single source of truth for the released chart version.
# helm package rejects versions that are not SemVer 2, so tags have to be SemVer as well.
.set-helm-version:
  before_script:
    - sed "s/^\(version:\).*$/\1 ${CI_COMMIT_TAG}/" -i "${CI_PROJECT_DIR}/Chart.yaml"

# Release pipeline: build the chart archive and keep it as a job artifact.
package:
  extends:
    - .set-helm-version
  stage: build
  environment:
    name: release
  only:
    - tags
  interruptible: true
  script:
    - helm package "${CI_PROJECT_DIR}"
  artifacts:
    paths:
      - "${CI_PROJECT_DIR}/*.tgz"

# Release pipeline: push the chart as an OCI artifact to the project's container registry.
upload:
  extends:
    - .set-helm-version
  stage: build
  environment:
    name: release
  only:
    - tags
  interruptible: true
  script:
    # The password is read from stdin, so it appears neither on the command line nor in the
    # job log. CI_REGISTRY_USER/CI_REGISTRY_PASSWORD are the job's own registry credentials
    # (the password is the job token, which expires with the job).
    - echo "${CI_REGISTRY_PASSWORD}" | helm registry login "${CI_REGISTRY_IMAGE}" -u "${CI_REGISTRY_USER}" --password-stdin
    # `helm chart save`/`helm chart push` are the experimental OCI commands of helm < 3.7;
    # helm 3.7 replaced them with `helm push`. Since the pipeline image uses a floating tag,
    # a rebuilt image with a newer helm breaks this job.
    - helm chart save "${CI_PROJECT_DIR}" "${CI_REGISTRY_IMAGE}/shibboleth-sp"
    - helm chart push "${CI_REGISTRY_IMAGE}/shibboleth-sp:${CI_COMMIT_TAG}"

# Release pipeline: create the GitLab release for the tag (the `release:` keyword is handled
# by release-cli, which presumably is not part of the project's pipeline image - hence the
# image override).
release:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  environment:
    name: release
  only:
    - tags
  interruptible: true
  # GitLab requires a script or trigger on every job, even when `release:` does all the work
  script:
    - echo "Creating release ${CI_COMMIT_TAG}"
  release:
    name: "Release ${CI_COMMIT_TAG}"
    description: "Automatically created by the pipeline"
    tag_name: "${CI_COMMIT_TAG}"