diff --git a/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml b/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml index 3b77055b644..020031af3cb 100644 --- a/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml +++ b/vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml @@ -88,6 +88,14 @@ codequality: artifacts: paths: [codeclimate.json] +license_management: + image: registry.gitlab.com/gitlab-org/security-products/license-management:latest + allow_failure: true + script: + - license_management + artifacts: + paths: [gl-license-report.json] + performance: stage: performance image: docker:stable @@ -133,6 +141,7 @@ dependency_scanning: - dependency_scanning artifacts: paths: [gl-dependency-scanning-report.json] + sast:container: image: docker:stable variables: @@ -217,7 +226,7 @@ stop_review: # only manually promote to production, enable this job by removing the dot (.), # and uncomment the `when: manual` line in the `production` job. -.staging: +staging: stage: staging script: - check_kube_domain @@ -234,6 +243,11 @@ stop_review: refs: - master kubernetes: active + variables: + - $STAGING_ENABLED + except: + variables: + - $INCREMENTAL_ROLLOUT_ENABLED # Canaries are disabled by default, but if you want them, # and know what the downsides are, enable this job by removing the dot (.), @@ -263,7 +277,7 @@ stop_review: # or `canary` deploys, or you simply want more control over when you deploy # to production, uncomment the `when: manual` line in the `production` job. -production: +.production: &production_template stage: production script: - check_kube_domain 
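Review bot: The new `license_management` job pulls `license-management:latest`, while the codequality image in this same file is pinned through `$SP_VERSION` (`security-products/codequality:$SP_VERSION` in a later hunk), so the scanner that runs on every pipeline can change without any change to this template. Pin it the same way, `image: registry.gitlab.com/gitlab-org/security-products/license-management:$SP_VERSION`, if that tag is published for this image, and otherwise to a fixed version. The job also carries no `stage:` key, so it presumably lands in the default stage; an explicit `stage:` line, or a comment saying the default is intended, would make the placement clear.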
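Review bot: The comment kept as context above `staging:` still tells the reader to "enable this job by removing the dot (.)" and to "uncomment the `when: manual` line in the `production` job", but this hunk removes the dot for everyone and the `@@ -234` hunk gates the job on `$STAGING_ENABLED` instead, so the instructions no longer describe the mechanism. The same applies to the comment above `.production: &production_template` in the `@@ -263` hunk, whose `# when: manual` line is deleted in the following hunk in favour of the `production_manual` job. Suggest rewriting the staging comment to something like `# Staging deploys on every push to master when the STAGING_ENABLED CI variable is set; production then becomes a manual job (production_manual).` and the production comment to point at `STAGING_ENABLED` and `INCREMENTAL_ROLLOUT_ENABLED` rather than at a commented-out line.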
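Review bot: With the added `except: variables: - $INCREMENTAL_ROLLOUT_ENABLED`, setting both `STAGING_ENABLED` and `INCREMENTAL_ROLLOUT_ENABLED` skips staging entirely, and the `rollout 10%` job in the next hunk carries no `when: manual`, so every push to `master` then goes straight to a partial production deployment with no staging step in between. If that precedence is intended it deserves a comment here, e.g. `# INCREMENTAL_ROLLOUT_ENABLED takes precedence over STAGING_ENABLED: staging is skipped and rollout 10% runs automatically`; if not, the `except` entry should be dropped so staging still runs ahead of the rollout jobs. The `staging` job definition starts outside this hunk.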
@@ -274,17 +288,103 @@ production: - create_secret - deploy - delete canary + - delete rollout - persist_environment_url environment: name: production url: http://$CI_PROJECT_PATH_SLUG.$AUTO_DEVOPS_DOMAIN artifacts: paths: [environment_url.txt] -# when: manual + +production: + <<: *production_template only: refs: - master kubernetes: active + except: + variables: + - $STAGING_ENABLED + - $INCREMENTAL_ROLLOUT_ENABLED + +production_manual: + <<: *production_template + when: manual + only: + refs: + - master + kubernetes: active + variables: + - $STAGING_ENABLED + except: + variables: + - $INCREMENTAL_ROLLOUT_ENABLED + +# This job implements incremental rollout on for every push to `master`. + +.rollout: &rollout_template + stage: production + script: + - check_kube_domain + - install_dependencies + - download_chart + - ensure_namespace + - install_tiller + - create_secret + - deploy rollout $ROLLOUT_PERCENTAGE + - scale stable $((100-ROLLOUT_PERCENTAGE)) + - delete canary + - persist_environment_url + environment: + name: production + url: http://$CI_PROJECT_PATH_SLUG.$AUTO_DEVOPS_DOMAIN + artifacts: + paths: [environment_url.txt] + +rollout 10%: + <<: *rollout_template + variables: + ROLLOUT_PERCENTAGE: 10 + only: + refs: + - master + kubernetes: active + variables: + - $INCREMENTAL_ROLLOUT_ENABLED + +rollout 25%: + <<: *rollout_template + variables: + ROLLOUT_PERCENTAGE: 25 + when: manual + only: + refs: + - master + kubernetes: active + variables: + - $INCREMENTAL_ROLLOUT_ENABLED + +rollout 50%: + <<: *rollout_template + variables: + ROLLOUT_PERCENTAGE: 50 + when: manual + only: + refs: + - master + kubernetes: active + variables: + - $INCREMENTAL_ROLLOUT_ENABLED + +rollout 100%: + <<: *production_template + when: manual + only: + refs: + - master + kubernetes: active + variables: + - $INCREMENTAL_ROLLOUT_ENABLED # --------------------------------------------------------------------------- 
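Review bot: The added comment above `.rollout` ("This job implements incremental rollout on for every push to master") describes a template rather than a job, reads oddly ("on for"), and leaves out the detail an operator enabling `INCREMENTAL_ROLLOUT_ENABLED` most needs: only `rollout 10%` runs automatically, while `rollout 25%`, `rollout 50%` and `rollout 100%` are `when: manual`. Suggest `# Incremental rollout: when INCREMENTAL_ROLLOUT_ENABLED is set, every push to master deploys a 10% rollout track automatically; 25%, 50% and 100% are manual steps.` A one-line comment on `rollout 100%` explaining why it merges `*production_template` (which now includes the `delete rollout` step) instead of `*rollout_template` would also help, since it is the only rollout job that removes the rollout track. The four identical `only:` blocks are a copy-paste that one shared anchor would keep in step.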
@@ -308,7 +408,7 @@ production: fi docker run -d --name db arminc/clair-db:latest - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1 + docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1 apk add -U wget ca-certificates docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 @@ -328,6 +428,14 @@ production: "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code } + function license_management() { + if echo $GITLAB_FEATURES |grep license_management > /dev/null ; then + /run.sh . + else + echo "License management is not available in your subscription" + fi + } + function sast() { case "$CI_SERVER_VERSION" in *-ee) @@ -363,30 +471,19 @@ production: esac } - function deploy() { - track="${1-stable}" - name="$CI_ENVIRONMENT_SLUG" - - if [[ "$track" != "stable" ]]; then - name="$name-$track" - fi - - replicas="1" - service_enabled="false" - postgres_enabled="$POSTGRES_ENABLED" - # canary uses stable db - [[ "$track" == "canary" ]] && postgres_enabled="false" + function get_replicas() { + track="${1:-stable}" + percentage="${2:-100}" env_track=$( echo $track | tr -s '[:lower:]' '[:upper:]' ) env_slug=$( echo ${CI_ENVIRONMENT_SLUG//-/_} | tr -s '[:lower:]' '[:upper:]' ) - if [[ "$track" == "stable" ]]; then + if [[ "$track" == "stable" ]] || [[ "$track" == "rollout" ]]; then # for stable track get number of replicas from `PRODUCTION_REPLICAS` eval new_replicas=\$${env_slug}_REPLICAS if [[ -z "$new_replicas" ]]; then new_replicas=$REPLICAS fi - service_enabled="true" else # for all tracks get number of replicas from `CANARY_PRODUCTION_REPLICAS` eval new_replicas=\$${env_track}_${env_slug}_REPLICAS 
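Review bot: `--restart on-failure` on the `clair` container has no retry bound, so if `clair-local-scan` keeps exiting (presumably the motivation is a `db` container that is not ready yet) Docker restarts it indefinitely and a persistent failure only surfaces later in the script, when the scanner step runs. A bounded policy, `--restart on-failure:5`, keeps the recovery from a slow database start while still letting a genuine failure be seen in the container's state. The enclosing script block continues outside this hunk.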
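Review bot: The feature check `if echo $GITLAB_FEATURES |grep license_management > /dev/null ; then` expands `$GITLAB_FEATURES` unquoted and matches as an unanchored substring, so any other feature name containing that text would also enable the scan. Prefer `if echo "$GITLAB_FEATURES" | grep -qw license_management; then`, which assumes `GITLAB_FEATURES` is a list delimited by non-word characters — confirm against the runner environment. `sast()` just below gates on `$CI_SERVER_VERSION` (`*-ee)`) rather than on `GITLAB_FEATURES`, so the file now has two different edition checks; a short comment saying why this one differs would help the next maintainer. The else branch exits 0 without writing `gl-license-report.json`, which is acceptable for a best-effort job marked `allow_failure: true`, but the echo should say that no report was produced.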
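Review bot: `get_replicas()` now treats `rollout` like `stable` in `if [[ "$track" == "stable" ]] || [[ "$track" == "rollout" ]]; then`, but the context comment below it still reads "for stable track get number of replicas from PRODUCTION_REPLICAS"; update it to cover both, e.g. `# stable and rollout tracks read <ENV>_REPLICAS (e.g. PRODUCTION_REPLICAS); rollout is then scaled by percentage below`. `track="${1:-stable}"` here uses `:-`, while `deploy()` and `scale()` in the later hunks use `track="${1-stable}"`, which does not default an explicitly empty first argument; pick one form for all three. The function continues into the next hunk.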
@@ -394,9 +491,36 @@ production: eval new_replicas=\${env_track}_REPLICAS fi fi - if [[ -n "$new_replicas" ]]; then - replicas="$new_replicas" + + replicas="${new_replicas:-1}" + replicas="$(($replicas * $percentage / 100))" + + # always return at least one replicas + if [[ $replicas -gt 0 ]]; then + echo "$replicas" + else + echo 1 fi + } + + function deploy() { + track="${1-stable}" + percentage="${2:-100}" + name="$CI_ENVIRONMENT_SLUG" + + replicas="1" + service_enabled="true" + postgres_enabled="$POSTGRES_ENABLED" + + # if track is different than stable, + # re-use all attached resources + if [[ "$track" != "stable" ]]; then + name="$name-$track" + service_enabled="false" + postgres_enabled="false" + fi + + replicas=$(get_replicas "$track" "$percentage") if [[ "$CI_PROJECT_VISIBILITY" != "public" ]]; then secret_name='gitlab-registry' @@ -427,6 +551,25 @@ production: chart/ } + function scale() { + track="${1-stable}" + percentage="${2-100}" + name="$CI_ENVIRONMENT_SLUG" + + if [[ "$track" != "stable" ]]; then + name="$name-$track" + fi + + replicas=$(get_replicas "$track" "$percentage") + + helm upgrade --reuse-values \ + --wait \ + --set replicaCount="$replicas" \ + --namespace="$KUBE_NAMESPACE" \ + "$name" \ + chart/ + } + function install_dependencies() { apk add -U openssl curl tar gzip bash ca-certificates git wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://raw.githubusercontent.com/sgerrand/alpine-pkg-glibc/master/sgerrand.rsa.pub @@ -548,8 +691,8 @@ production: kubectl create secret -n "$KUBE_NAMESPACE" \ docker-registry gitlab-registry \ --docker-server="$CI_REGISTRY" \ - --docker-username="$CI_REGISTRY_USER" \ - --docker-password="$CI_REGISTRY_PASSWORD" \ + --docker-username="${CI_DEPLOY_USER:-$CI_REGISTRY_USER}" \ + --docker-password="${CI_DEPLOY_PASSWORD:-$CI_REGISTRY_PASSWORD}" \ --docker-email="$GITLAB_USER_EMAIL" \ -o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f - }
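Review bot: `replicas="$(($replicas * $percentage / 100))"` only works when `$percentage` expands to an integer; the callers pass `$ROLLOUT_PERCENTAGE` and `$((100-ROLLOUT_PERCENTAGE))`, so an empty or non-numeric CI variable produces a shell arithmetic error instead of a clear message. A guard before the arithmetic, `[[ "$percentage" =~ ^[0-9]+$ ]] || { echo "invalid percentage: $percentage" >&2; return 1; }`, makes the failure explicit (the caller's handling of a non-zero status is not visible here). The comment `# always return at least one replicas` should read `# always return at least one replica`, and in `deploy()` the `replicas="1"` assignment is dead since `replicas=$(get_replicas "$track" "$percentage")` overwrites it a few lines later. `deploy()` continues past the end of this hunk.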
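Review bot: `scale()` uses `percentage="${2-100}"` where `deploy()` uses `percentage="${2:-100}"`, so an explicitly empty second argument defaults in one function and not the other; `percentage="${2:-100}"` here keeps them consistent. The release-name derivation (`name="$CI_ENVIRONMENT_SLUG"` plus the `-$track` suffix) is now repeated in both functions, which is worth noting for when the naming rule next changes. `helm upgrade --reuse-values` also relies on the release already existing from an earlier `deploy` for the same track; a header comment such as `# Scales an existing release in place; assumes deploy() has already installed it for this track` documents that precondition.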
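Review bot: The image-pull secret now prefers `CI_DEPLOY_USER`/`CI_DEPLOY_PASSWORD` and falls back to `CI_REGISTRY_USER`/`CI_REGISTRY_PASSWORD`, but nothing says which credential ends up stored in the cluster: if `CI_REGISTRY_PASSWORD` is the short-lived job token, the `gitlab-registry` secret written here stops working once the job finishes and later pulls (node reschedules, the `scale()` upgrades) presumably fail, whereas a deploy token is long-lived. A comment above the `kubectl create secret` call, e.g. `# Prefer a deploy token (CI_DEPLOY_USER/CI_DEPLOY_PASSWORD) scoped to read_registry; the job-token fallback expires with the job, so pulls after this pipeline may fail`, would make the trade-off visible. Because the deploy token becomes a persistent credential in `$KUBE_NAMESPACE`, it should carry only registry-read scope. The enclosing function starts outside this hunk.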