Commit 3cf76f9f authored by Sandro Mathys's avatar Sandro Mathys

first rough version of .gitlab-ci.yml

parent 20c884db
default:
tags:
- docker-host-linux
image:
name: "${CI_REGISTRY}/maps/cicd-images/helm:latest"
variables:
# TODO: use separate namespace (i.e. not `deepl`) - probably requires new KUBE_TOKEN
NAMESPACE: "deepl"
KUBE_APISERVER: "https://console.zh.shift.switchengines.ch:443"
HELM_KUBEAPISERVER: ${KUBE_APISERVER}
HELM_NAMESPACE: ${NAMESPACE}
HELM_KUBETOKEN: ${KUBE_TOKEN}
HELM_RELEASE: "shibboleth-sp-helm-chart"
HELM_EXPERIMENTAL_OCI: "1" # required to use the container registry as helm chart repository
# HELM_DEBUG: "true"
cache:
key: "${CI_ENVIRONMENT_SLUG}-${CI_COMMIT_REF_SLUG}"
paths:
- ".config/helm/registry.json"
stages:
- prepare
# - setup
- deploy
- verify
- cleanup
- upload
prepare staging:
stage: prepare
environment:
name: staging
only:
- staging
image:
name: "${CI_REGISTRY}/maps/cicd-images/ansible:latest"
interruptible: true
before_script:
# we only have a POSIX compliant shell (busybox ash), no bash - thus the code here is a bit awkward
- missing_vars=""
- test -n "${KUBE_TOKEN}" || missing_vars="${missing_vars} KUBE_TOKEN"
- test -n "${SHIBBOLETH_SP_HELM_CHART_REGISTRY_TOKEN}" || missing_vars="${missing_vars} SHIBBOLETH_SP_HELM_CHART_REGISTRY_TOKEN"
- test -n "${VAULT_PASSWORD}" || missing_vars="${missing_vars} VAULT_PASSWORD"
- if test -n "${missing_vars}"; then echo "Required environment variable(s) not set:${missing_vars} - check CI / CD variables in the project settings" >&2; exit 1; fi;
# just in case
- kubectl delete secret shibboleth-sp-helm-chart-certs 2>&1 || true
script:
# apparently ash can't do process substitution, so we have to write this to a file temporarily
- echo "${VAULT_PASSWORD}" > ".vault_password"
- ansible-vault view --vault-password-file ".vault_password" "chart/ci/sp-key.pem.vault" > "chart/ci/sp-key.pem"
- kubectl create secret tls shibboleth-sp-helm-chart-certs --cert="ci/sp-cert.pem" --key="ci/sp-key.pem"
# they shouldn't survive the stage anyway, but let's make sure
- rm -f ".vault_password" "chart/ci/sp-key.pem"
deploy staging:
stage: deploy
environment:
name: staging
only:
- staging
needs:
- prepare staging
- setup staging
interruptible: true
before_script:
# just in case
- helm uninstall "${HELM_RELEASE}" 2>&1 || true
script:
# thanks to --atomic, this command won't just install the chart but also ensure it works
- helm upgrade --install "${HELM_RELEASE}" chart --values="ci/values.yaml" --atomic --debug
verify staging:
stage: verify
environment:
name: staging
only:
- staging
needs:
- prepare staging
- deploy staging
interruptible: true
script:
- helm test "${HELM_RELEASE}"
- kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" logs "${HELM_RELEASE}-helm-test-curl" -c "root"
- kubectl --namespace "${NAMESPACE}" --server "${KUBE_APISERVER}" --token="${KUBE_TOKEN}" logs "${HELM_RELEASE}-helm-test-curl" -c "session"
cleanup staging:
stage: cleanup
environment:
name: staging
only:
- staging
needs:
- prepare staging
script:
- kubectl delete secret shibboleth-sp-helm-chart-certs
- helm uninstall "${HELM_RELEASE}"
# TODO: only run this in production
upload staging:
stage: setup
environment:
name: staging
only:
- staging
interruptible: true
script:
- echo "${SHIBBOLETH_SP_HELM_CHART_REGISTRY_TOKEN}" | helm registry login "${CI_REGISTRY}/maps/shibboleth-sp-helm-chart/" -u "gitlab-ci-shibboleth-sp-helm-chart" --password-stdin
# TODO: don't hardcode version
- helm chart save chart "cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.2.1"
# - helm chart push "cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.2.1"
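Review bot: The secret material written in `prepare staging` is only removed on the success path — GitLab stops `script` at the first failing command, so a failed `ansible-vault view` or `kubectl create secret` leaves `.vault_password` and the decrypted key in the checkout; move the cleanup to `after_script:` / `- rm -f ".vault_password" "chart/ci/sp-key.pem"`, which runs regardless of outcome. The same job decrypts to `chart/ci/sp-key.pem` but passes `--key="ci/sp-key.pem"` to kubectl (and `deploy staging` uses `--values="ci/values.yaml"` against chart directory `chart`), so unless the job changes directory these paths do not line up. `cleanup staging` lists only `prepare staging` in `needs`, which lets it start as soon as prepare finishes and tear down the secret and release while deploy or verify may still be running; it should need `verify staging` (with `when: always` if teardown after a failed verify is intended). Separately, `upload staging` is assigned to the `setup` stage and `deploy staging` needs a `setup staging` job, but that stage is commented out in `stages`, so the pipeline will fail validation as written. Caching `.config/helm/registry.json` persists the `helm registry login` credentials in the CI cache; since `upload staging` logs in on every run, that cache entry looks unnecessary and is better dropped.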