|
| 1 | +--- |
| 2 | + |
| 3 | +default: |
| 4 | + image: ubuntu:jammy |
| 5 | + |
| 6 | +variables: |
| 7 | + # Because we are installing git-crypt as part of the job, we cannot reuse old |
| 8 | + # checkouts where git-crypt is already initialised as this results in an error |
| 9 | + GIT_STRATEGY: clone |
| 10 | + # Use the pipeline credentials for Terraform |
| 11 | + # This assumes that we are using GitLab-managed Terraform state (recommended when available) |
| 12 | + TF_HTTP_USERNAME: gitlab-ci-token |
| 13 | + TF_HTTP_PASSWORD: $CI_JOB_TOKEN |
| 14 | + |
| 15 | +stages: |
| 16 | + # This stage owns the scheduled job that checks for upstream changes |
| 17 | + - scheduled |
| 18 | + # This stage owns the deploy job for the staging environment |
| 19 | + - staging |
| 20 | + # This stage owns the deploy job for the production environment |
| 21 | + - production |
| 22 | + |
| 23 | +##### |
| 24 | +# This job checks to see if there is a new release that needs to be merged |
| 25 | +# |
| 26 | +# If there is, it will create a new branch containing the changes and a corresponding merge request |
| 27 | +# |
| 28 | +# It runs as a scheduled job, for which a suitable schedule must be defined, e.g. daily or weekly |
| 29 | +# |
| 30 | +# This job writes back to the repository and to the merge requests API |
| 31 | +# To do this, it needs more power than is granted to the CI token |
| 32 | +# So CI variables must be set that contain an access token and the corresponding username |
| 33 | +# This can be a Project Access Token (paid feature, recommended if available) or a Personal Access Token (not ideal) |
| 34 | +##### |
| 35 | +check_for_release: |
| 36 | + stage: scheduled |
| 37 | + rules: |
| 38 | + - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main" |
| 39 | + variables: |
| 40 | + GIT_STRATEGY: none |
| 41 | + before_script: |
| 42 | + - apt update -y |
| 43 | + - apt install -y curl git jq |
| 44 | + script: |
| 45 | + # Configure git to use the available credentials |
| 46 | + - git config --global credential.helper store |
| 47 | + # Do our own clone to make sure we don't get unrelated history errors from detached heads |
| 48 | + - git clone https://${GITLAB_PAT_USERNAME}:${GITLAB_PAT_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git ${CI_PROJECT_NAME} |
| 49 | + - cd ${CI_PROJECT_NAME} |
| 50 | + # Tell git who we are for commits |
| 51 | + - git config user.email "${CI_PROJECT_PATH_SLUG}-ci@${CI_SERVER_HOST}" |
| 52 | + - git config user.name "${CI_PROJECT_NAME} CI" |
| 53 | + # Create the merge branch |
| 54 | + - ./bin/create-merge-branch |
| 55 | + # Create a merge request for the branch |
| 56 | + - | |
| 57 | + if [ -f ".mergeenv" ]; then |
| 58 | + source ".mergeenv" |
| 59 | + BODY="{ |
| 60 | + \"id\": ${CI_PROJECT_ID}, |
| 61 | + \"title\": \"Upgrade config to upstream version ${RELEASE_TAG}\", |
| 62 | + \"source_branch\": \"${BRANCH_NAME}\", |
| 63 | + \"target_branch\": \"main\", |
| 64 | + \"remove_source_branch\": true, |
| 65 | + \"assignee_id\": \"${GITLAB_USER_ID}\" |
| 66 | + }" |
| 67 | + curl -kfsSL -X POST \ |
| 68 | + "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests" \ |
| 69 | + --header "Authorization: Bearer ${GITLAB_PAT_TOKEN}" \ |
| 70 | + --header "Content-Type: application/json" \ |
| 71 | + --data "${BODY}" |
| 72 | + fi |
| 73 | + |
| 74 | +##### |
| 75 | +# This job deploys a staging/test version of the Magnum CAPI management cluster |
| 76 | +# |
| 77 | +# It runs automatically for every commit to main that changes one of the files |
| 78 | +# that affects the environment. |
| 79 | +# |
| 80 | +# NOTE: If the target site doesn't have a separate staging cloud with it's own Magnum |
| 81 | +# deployment then it may still be worth including a management cluster staging env in |
| 82 | +# this config repo which is a stripped down (1 master, 1 worker) version of the prod |
| 83 | +# env. Although this will not allow for testing the interaction between Magnum and the |
| 84 | +# CAPI management cluster, it will at least validate the deployment config before a |
| 85 | +# production rollout is performed. |
| 86 | +##### |
| 87 | +deploy_staging: |
| 88 | + stage: staging |
| 89 | + rules: |
| 90 | + # Prevent the job from running on any branch that is not main |
| 91 | + - if: $CI_COMMIT_BRANCH != "main" |
| 92 | + when: never |
| 93 | + # Allow deployments to be manually triggered on main even when there are no changed files |
| 94 | + - if: $CI_PIPELINE_SOURCE == "web" |
| 95 | + # Run for commits to main that change particular files |
| 96 | + - if: $CI_PIPELINE_SOURCE == "push" |
| 97 | + changes: |
| 98 | + # Files that affect the staging environment |
| 99 | + - env |
| 100 | + - env.secret |
| 101 | + - requirements.yml |
| 102 | + - environments/base/**/* |
| 103 | + - environments/ha/**/* |
| 104 | + - environments/capi-mgmt/**/* |
| 105 | + # TODO: Change these to actual site environment names |
| 106 | + - environments/site-base/**/* |
| 107 | + - environments/site-staging/**/* |
| 108 | + environment: |
| 109 | + # TODO: Change this to site staging environment name |
| 110 | + name: site-staging |
| 111 | + variables: |
| 112 | + ANSIBLE_FORCE_COLOR: "true" |
| 113 | + before_script: |
| 114 | + - source ./bin/ci-setup |
| 115 | + script: |
| 116 | + - ansible-playbook stackhpc.azimuth_ops.provision_capi_mgmt |
| 117 | + |
| 118 | +##### |
| 119 | +# This job deploys the Magnum CAPI management cluster to the production environment |
| 120 | +# |
| 121 | +# It runs for every commit to main that changes one of the files that affects |
| 122 | +# the environment, but only if the staging deployment succeeded |
| 123 | +# |
| 124 | +# It also includes a manual gate that can be used as a confirmation that the |
| 125 | +# relevant testing has taken place on staging |
| 126 | +##### |
| 127 | +deploy_production: |
| 128 | + stage: production |
| 129 | + rules: |
| 130 | + # Prevent the job from running on any branch that is not main |
| 131 | + - if: $CI_COMMIT_BRANCH != "main" |
| 132 | + when: never |
| 133 | + # Allow deployments to be manually triggered on main even when there are no changed files |
| 134 | + - if: $CI_PIPELINE_SOURCE == "web" |
| 135 | + when: manual |
| 136 | + # Run for commits to main that change particular files |
| 137 | + - if: $CI_PIPELINE_SOURCE == "push" |
| 138 | + changes: |
| 139 | + - env |
| 140 | + - env.secret |
| 141 | + - requirements.yml |
| 142 | + - environments/base/**/* |
| 143 | + - environments/ha/**/* |
| 144 | + - environments/capi-mgmt/**/* |
| 145 | + # TODO: Change these to actual site environment names |
| 146 | + - environments/site-base/**/* |
| 147 | + - environments/site-staging/**/* |
| 148 | + when: manual |
| 149 | + environment: |
| 150 | + # TODO: Change this to site prod environment name |
| 151 | + name: site-prod |
| 152 | + variables: |
| 153 | + ANSIBLE_FORCE_COLOR: "true" |
| 154 | + before_script: |
| 155 | + - source ./bin/ci-setup |
| 156 | + script: |
| 157 | + - ansible-playbook stackhpc.azimuth_ops.provision_capi_mgmt |
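Review bot: The merge-request POST in check_for_release's script passes `-k` to curl, so the `Authorization: Bearer ${GITLAB_PAT_TOKEN}` header on the next line is sent over a TLS connection whose certificate is never verified; drop the flag (`curl -fsSL -X POST \`) and, if the GitLab instance uses a private CA, hand curl the bundle with `--cacert` (the runner exposes it as `CI_SERVER_TLS_CA_FILE` when one is configured) rather than disabling verification. The same token is embedded in the `git clone` URL while `credential.helper store` is set globally just above it, which persists the token in plaintext in `~/.git-credentials` on the runner and leaves it in the clone's remote URL; supplying it via `GIT_ASKPASS` or an `http.extraHeader` config avoids both copies, and `GITLAB_PAT_TOKEN` should be a masked, protected variable so the echoed script line does not print it to the job log. Separately, deploy_production's `changes:` list watches `environments/site-staging/**/*` while its environment is `site-prod`, which looks like a copy of the staging list; presumably a production directory was intended there, though the TODO above it indicates these names are still placeholders.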