#
# Things worth knowing about the pipelines as well as the branches / environments:
#
# Main:
# - Runs "tests" on all pushes, i.e. it performs a clean(!) install and runs the helm chart tests.
# - If successful, it creates a tarball from the helm chart and uploads that as an artifact.
# - There are no tags, no releases and no pushes to the helm repository.
#
# Release:
# - Does NOT allow pushes. Create merge requests from main instead.
# - Merge requests are only allowed to be merged if the main pipeline did run successfully.
# - Does NOT run any tests (or anything else from main).
# - Pushes the helm chart to the repository (which is in fact the GitLab built-in container registry).
# - Creates a release: a tag on the branch and a downloadable release (source code tarballs/archives).
#
# ALWAYS bump the version in chart/Chart.yaml before merging code into RELEASE.
# The release pipeline will not run successfully if the version has not been bumped.
# This is in order to not overwrite an existing version.
#
# If you need to replace an existing version for some reason, you MUST first delete the tag on
# the branch (and thus the release in the project) as well as the tag in the container registry.
# Here are the links to delete the two types of tags:
# https://gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/-/tags
# https://gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/container_registry/143
default:
  # Every job runs on the docker-host-linux runners inside the helm image unless
  # it overrides `image` itself (the prepare job does, because it needs ansible).
  # NOTE(review): ":latest" is a mutable tag - pinning a digest would make the
  # toolchain used by the pipeline reproducible.
  tags:
    - docker-host-linux
  image: "${CI_REGISTRY}/maps/cicd-images/helm:latest"

variables:
  # target namespace; the release is installed under the same name
  NAMESPACE: "shibboleth-sp-helm-chart"
  # cluster access - KUBE_TOKEN comes from the project's CI / CD variables (keep it
  # masked and protected there: it is placed on the kubectl command line in the jobs below)
  KUBE_APISERVER: "https://console.zh.shift.switchengines.ch:443"
  HELM_KUBEAPISERVER: "${KUBE_APISERVER}"
  HELM_NAMESPACE: "${NAMESPACE}"
  HELM_KUBETOKEN: "${KUBE_TOKEN}"
  HELM_RELEASE: "shibboleth-sp-helm-chart"
  HELM_EXPERIMENTAL_OCI: "1" # required to use the container registry as helm chart repository
  # HELM_DEBUG: "true"

cache:
  # shared between the jobs of one environment + ref, so that the key decrypted by
  # the prepare job is available to the deploy job
  key: "${CI_ENVIRONMENT_SLUG}-${CI_COMMIT_REF_SLUG}"
  paths:
    # NOTE(review): both cached files are secrets - the decrypted SP private key and
    # the registry credential that `helm registry login` writes to registry.json.
    # They stay in the cache until a job removes them explicitly.
    - "ci/sp-key.pem"
    - ".config/helm/registry.json"

stages:
  # on commit to main: clean install, test, clean up again, then package the chart
  - prepare
  - precleanup
  - deploy
  - verify
  - postcleanup
  - package
  # on tag: push the chart to the registry
  - upload

.cleanup:
  # Template shared by precleanup and postcleanup: removes the release plus the secrets,
  # job, rolebinding and service account listed below, so the next install starts from nothing.
  script:
    # we `2>&1 || true` everything, because this template is used twice in the pipeline and thus it's likely we're trying to delete stuff that already doesn't exist.
    # also, if the previous deploy job failed, we might find a mixed bag of existing resources.
    # the downside: a genuine failure here (e.g. an expired KUBE_TOKEN) is hidden and only surfaces in the deploy job.
    - helm uninstall "${HELM_RELEASE}" 2>&1 || true
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete secret shibboleth-sp-helm-chart-certs 2>&1 || true
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete secret shibboleth-sp-helm-chart-sealer-keys 2>&1 || true
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete job shibboleth-sp-helm-chart-create-sealer-keys 2>&1 || true
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete rolebinding shibboleth-sp-helm-chart-sealer-keys-nanny 2>&1 || true
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" delete serviceaccount shibboleth-sp-helm-chart-sealer-keys-nanny 2>&1 || true
  interruptible: true

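prepare:
  # Decrypts the SP private key from the ansible vault so the deploy job can build the
  # TLS secret from it. Runs in the ansible image because the helm image has no ansible-vault.
  stage: prepare
  environment:
    name: main
  only:
    - main
  image: "${CI_REGISTRY}/maps/cicd-images/ansible:latest"
  interruptible: true
  before_script:
    # we only have a POSIX compliant shell (busybox ash), no bash - thus the code here is a bit awkward
    # note: this check only runs on main; the tag-only upload job relies on it having passed before
    - missing_vars=""
    - test -n "${KUBE_TOKEN}" || missing_vars="${missing_vars} KUBE_TOKEN"
    - test -n "${SHIBBOLETH_SP_HELM_CHART_REGISTRY_TOKEN}" || missing_vars="${missing_vars} SHIBBOLETH_SP_HELM_CHART_REGISTRY_TOKEN"
    - test -n "${VAULT_PASSWORD}" || missing_vars="${missing_vars} VAULT_PASSWORD"
    - if test -n "${missing_vars}"; then echo "Required environment variable(s) not set:${missing_vars} - check CI / CD variables in the project settings" >&2; exit 1; fi;
    # every file created from here on holds a secret (vault password, decrypted key) - make them owner-only
    - umask 077
    # apparently ash can't do process substitution, so we have to write this to a file temporarily
    # printf instead of echo: busybox echo interprets a leading "-n"/"-e" and backslash escapes, which would corrupt such a password
    - printf '%s\n' "${VAULT_PASSWORD}" > ".vault_password"
  script:
    # can't do this in the deploy step, because we have no ansible there
    - ansible-vault view --vault-password-file ".vault_password" "ci/sp-key.pem.vault" > "ci/sp-key.pem"
  after_script:
    # runs even when the script fails, so the password file never outlives the job
    - rm -f ".vault_password"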

# just in case there are some leftovers for some reason - because if so, the next job will fail
# we always want to perform an install (rather than an upgrade) in order to ensure the pre-install hooks work
precleanup:
  # see .cleanup - runs before deploy so the install starts from a clean namespace
  extends: .cleanup
  stage: precleanup
  environment:
    name: main
  only:
    - main

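deploy:
  # Installs the chart from scratch, using the key decrypted by the prepare job
  # (precleanup guarantees there is no previous release to upgrade).
  stage: deploy
  environment:
    name: main
  only:
    - main
  interruptible: true
  script:
    # TLS secret built from the checked-in certificate and the decrypted key from the cache
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" create secret tls shibboleth-sp-helm-chart-certs --cert="ci/sp-cert.pem" --key="ci/sp-key.pem"
    # thanks to --atomic, this command won't just install the chart but also ensure it works
    # NOTE(review): --debug prints the supplied values and the rendered manifests into the job log;
    # if the chart renders Secret objects, their (base64) contents land in the log as well - confirm that is acceptable
    - helm install "${HELM_RELEASE}" chart --values="ci/values.yaml" --atomic --debug
  after_script:
    # remove the decrypted key from the cache - done in after_script rather than script so it
    # also happens when the secret creation or the install fails (after_script runs before the cache is saved)
    - rm -f "ci/sp-key.pem"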

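verify:
  # Runs the chart's helm tests and prints the logs of both test containers.
  stage: verify
  environment:
    name: main
  only:
    - main
  interruptible: true
  script:
    # keep going when the test fails, so the container logs below are still printed;
    # the recorded exit status is re-raised at the end of the script
    - helm test "${HELM_RELEASE}" || test_status=$?
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" logs "${HELM_RELEASE}-helm-test-curl" -c "root"
    - kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" logs "${HELM_RELEASE}-helm-test-curl" -c "session"
    - exit "${test_status:-0}"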

# we always want to perform an install (rather than an upgrade) in order to ensure the pre-install hooks work
# thus we're making extra sure to delete everything
postcleanup:
  # see .cleanup - runs after verify to leave the namespace empty again
  # NOTE(review): without `when: always` this job is skipped when deploy or verify fails,
  # so leftovers are only removed by the next pipeline's precleanup
  extends: .cleanup
  stage: postcleanup
  environment:
    name: main
  only:
    - main
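package:
  # Builds the chart tarball and keeps it as a job artifact (no tag, no registry push on main).
  stage: package
  environment:
    name: main
  only:
    - main
  interruptible: true
  script:
    # writes <name>-<version>.tgz into the working directory, i.e. CI_PROJECT_DIR
    - helm package chart
  artifacts:
    paths:
      # artifact paths are relative to CI_PROJECT_DIR; the former absolute /builds/... path
      # depended on the runner's build directory layout
      - "*.tgz"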

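upload:
  # Pushes the chart to the GitLab container registry under the tag name (tag pipelines only).
  stage: upload
  environment:
    name: release
  only:
    variables:
      - $CI_COMMIT_TAG
  interruptible: true
  script:
    # printf instead of echo: busybox echo would mangle a token starting with "-n"/"-e" or
    # containing backslashes; --password-stdin keeps the token out of the process list
    - printf '%s\n' "${SHIBBOLETH_SP_HELM_CHART_REGISTRY_TOKEN}" | helm registry login "${CI_REGISTRY}/maps/shibboleth-sp-helm-chart/" -u "gitlab-ci-shibboleth-sp-helm-chart" --password-stdin
    # NOTE(review): `helm chart save/push` is the experimental OCI interface of early Helm 3 and was
    # removed again in Helm 3.7 (replaced by `helm push`) - check before updating the helm image
    - helm chart save chart "cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart"
    - helm chart push "cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart:${CI_COMMIT_TAG}"
  after_script:
    # drop the registry credential again: `helm registry login` stores it in .config/helm/registry.json,
    # which the cache section persists beyond this job; best-effort so a failed logout never hides a push failure
    - helm registry logout "${CI_REGISTRY}/maps/shibboleth-sp-helm-chart/" 2>&1 || true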