Commit 1a7b5f31 authored by Pierre Smeyers's avatar Pierre Smeyers

feat: separate Helm Chart build related jobs hierarchy from Helm deployment jobs

Reorganised job inheritance to have all Helm Chart build related jobs inherit from '.helm-build-base' and Helm deployment related jobs inherit from '.helm-deploy-base'.
This way, users are free to multi-instantiate either hierarchy separately with the parallel:matrix keyword.
parent 0a59753a
+0 −1
@@ -105,7 +105,6 @@ variables:
      aud: "$GCP_OIDC_AUD"

.helm-publish:
  extends: .helm-base
  services:
    - name: "$TBC_TRACKING_IMAGE"
      command: ["--service", "docker", "9.0.2"]
+224 −216
@@ -1059,7 +1059,7 @@ stages:

  # ENDSCRIPT

# job prototype
# base job prototype
# defines default Docker image, tracking probe, cache policy and tags
.helm-base:
  image:
@@ -1080,207 +1080,18 @@ stages:
      - .cache
      - .config

# Value Lint job prototype
# Can be extended for each concrete environment
#
# @arg ENV_TYPE      : environment type
# @arg ENV_VALUES    : env-specific Helm values
.helm-values-lint:
  extends: .helm-base
  image:
    name: $HELM_YAMLLINT_IMAGE
    entrypoint: [""]
  stage: test
  script:
    - TBC_ENVSUBST_ENCODING=jsonstr tbc_envsubst "$ENV_VALUES" > generated-values.yml
    - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values.yml

helm-values-lint-review:
  extends: .helm-values-lint
  variables:
    ENV_TYPE: review
    ENV_VALUES: "$HELM_REVIEW_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_YAMLLINT_DISABLED is set
    - if: '$HELM_YAMLLINT_DISABLED == "true"'
      when: never
    # exclude if $HELM_REVIEW_VALUES unset
    - if: '$HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == ""'
      when: never
    # exclude on integration or prod branch
    - if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

helm-values-lint-integration:
  extends: .helm-values-lint
  variables:
    ENV_TYPE: integration
    ENV_VALUES: "$HELM_INTEG_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_YAMLLINT_DISABLED is set
    - if: '$HELM_YAMLLINT_DISABLED == "true"'
      when: never
    # exclude if $HELM_INTEG_VALUES unset
    - if: '$HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == ""'
      when: never
    # exclude on prod branch
    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

helm-values-lint-staging:
  extends: .helm-values-lint
  variables:
    ENV_TYPE: staging
    ENV_VALUES: "$HELM_STAGING_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_YAMLLINT_DISABLED is set
    - if: '$HELM_YAMLLINT_DISABLED == "true"'
      when: never
    # exclude if $HELM_STAGING_VALUES unset
    - if: '$HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == ""'
      when: never
    - !reference [.test-policy, rules]

helm-values-lint-production:
  extends: .helm-values-lint
  variables:
    ENV_TYPE: production
    ENV_VALUES: "$HELM_PROD_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_YAMLLINT_DISABLED is set
    - if: '$HELM_YAMLLINT_DISABLED == "true"'
      when: never
    # exclude if $HELM_PROD_VALUES unset
    - if: '$HELM_PROD_VALUES == null || $HELM_PROD_VALUES == ""'
      when: never
    - !reference [.test-policy, rules]

# Helm Score job prototype
# Can be extended for each concrete environment
#
# @arg ENV_TYPE      : environment type
# @arg ENV_VALUES    : env-specific Helm values
.helm-score:
  extends: .helm-base
  image:
    name: $HELM_KUBE_SCORE_IMAGE
    entrypoint: [""]
  stage: package-test
  before_script:
    - !reference [.helm-scripts]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - |
      if [ -f "$HELM_CHART_DIR/Chart.yaml" ]
      then
        helm $HELM_DEPENDENCY_ARGS $HELM_CHART_DIR
        helm_package=$HELM_CHART_DIR
      elif [ ! -z "${HELM_DEPLOY_CHART}" ]
      then
        add_helm_repositories
        helm_package=$HELM_DEPLOY_CHART
      else
        log_error "You need at least one Chart.yaml or external deploy chart reference"
        exit 1
      fi
  script:
    - TBC_ENVSUBST_ENCODING=jsonstr tbc_envsubst "${HELM_COMMON_VALUES:-/dev/null}" > generated-values-common.yml
    - TBC_ENVSUBST_ENCODING=jsonstr tbc_envsubst "$ENV_VALUES" > generated-values-env.yml
    - helm template $helm_package ${HELM_K8S_VERSION:+--kube-version "$HELM_K8S_VERSION"} --values generated-values-common.yml --values generated-values-env.yml | kube-score score ${HELM_K8S_VERSION:+--kubernetes-version "$HELM_K8S_VERSION"} ${HELM_KUBE_SCORE_ARGS} -

helm-score-review:
  extends: .helm-score
  variables:
    ENV_TYPE: review
    ENV_VALUES: "$HELM_REVIEW_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_SCORE_DISABLED is set
    - if: '$HELM_KUBE_SCORE_DISABLED == "true"'
      when: never
    # exclude if $HELM_REVIEW_VALUES unset
    - if: '$HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == ""'
      when: never
    # exclude on integration or prod branch
    - if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

helm-score-integration:
  extends: .helm-score
  variables:
    ENV_TYPE: integration
    ENV_VALUES: "$HELM_INTEG_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_SCORE_DISABLED is set
    - if: '$HELM_KUBE_SCORE_DISABLED == "true"'
      when: never
    # exclude if $HELM_INTEG_VALUES unset
    - if: '$HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == ""'
      when: never
    # exclude on prod branch
    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

helm-score-staging:
  extends: .helm-score
  variables:
    ENV_TYPE: staging
    ENV_VALUES: "$HELM_STAGING_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_SCORE_DISABLED is set
    - if: '$HELM_KUBE_SCORE_DISABLED == "true"'
      when: never
    # exclude if $HELM_STAGING_VALUES unset
    - if: '$HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == ""'
      when: never
    - !reference [.test-policy, rules]

helm-score-production:
  extends: .helm-score
  variables:
    ENV_TYPE: production
    ENV_VALUES: "$HELM_PROD_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_SCORE_DISABLED is set
    - if: '$HELM_KUBE_SCORE_DISABLED == "true"'
      when: never
    # exclude if $HELM_PROD_VALUES unset
    - if: '$HELM_PROD_VALUES == null || $HELM_PROD_VALUES == ""'
      when: never
    - !reference [.test-policy, rules]

# ==================================================
# Stage: check
# Helm Chart build jobs
# --------------------------------------------------
# Jobs related to building/publishing Helm Charts
# ==================================================
# base job for Helm Chart build
.helm-build-base:
  extends: .helm-base

# lint-job is used to check the syntax of the Helm Chart for best practices.
helm-lint:
  extends: .helm-base
  extends: .helm-build-base
  stage: test
  before_script:
    - !reference [.helm-scripts]
@@ -1297,16 +1108,11 @@ helm-lint:
        # workaround https://gitlab.com/gitlab-org/gitlab/-/issues/451764
        - "Chart.yaml"


# ==================================================
# Stage: For helm-package and helm-publish, we need a hidden job that could be override by authentication variant.
# ==================================================
# base job for Helm Chart publishing
.helm-publish:
  extends: .helm-base
  extends: .helm-build-base

# ==================================================
# Stage: package-build
# ==================================================
# Helm Chart packaging
helm-package:
  extends: .helm-publish
  stage: package-build
@@ -1329,9 +1135,7 @@ helm-package:
    reports:
      dotenv: helm-package.env

# ==================================================
# Stage: publish
# ==================================================
# Helm Chart publish
helm-publish:
  extends: .helm-publish
  stage: publish
@@ -1369,6 +1173,62 @@ helm-publish:
        # workaround https://gitlab.com/gitlab-org/gitlab/-/issues/451764
        - "Chart.yaml"

# ==================================================
# Helm Chart deployment jobs
# --------------------------------------------------
# Jobs related to Helm Charts deployments
# ==================================================
# base job for Helm Chart deployments
.helm-deploy-base:
  extends: .helm-base

# Value Lint job prototype
# Can be extended for each concrete environment
#
# @arg ENV_TYPE      : environment type
# @arg ENV_VALUES    : env-specific Helm values
.helm-values-lint:
  extends: .helm-deploy-base
  image:
    name: $HELM_YAMLLINT_IMAGE
    entrypoint: [""]
  stage: test
  script:
    - TBC_ENVSUBST_ENCODING=jsonstr tbc_envsubst "$ENV_VALUES" > generated-values.yml
    - yamllint -d "$HELM_YAMLLINT_CONFIG" $HELM_YAMLLINT_ARGS generated-values.yml

# Helm Score job prototype
# Can be extended for each concrete environment
#
# @arg ENV_TYPE      : environment type
# @arg ENV_VALUES    : env-specific Helm values
.helm-score:
  extends: .helm-deploy-base
  image:
    name: $HELM_KUBE_SCORE_IMAGE
    entrypoint: [""]
  stage: package-test
  before_script:
    - !reference [.helm-scripts]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - |
      if [ -f "$HELM_CHART_DIR/Chart.yaml" ]
      then
        helm $HELM_DEPENDENCY_ARGS $HELM_CHART_DIR
        helm_package=$HELM_CHART_DIR
      elif [ ! -z "${HELM_DEPLOY_CHART}" ]
      then
        add_helm_repositories
        helm_package=$HELM_DEPLOY_CHART
      else
        log_error "You need at least one Chart.yaml or external deploy chart reference"
        exit 1
      fi
  script:
    - TBC_ENVSUBST_ENCODING=jsonstr tbc_envsubst "${HELM_COMMON_VALUES:-/dev/null}" > generated-values-common.yml
    - TBC_ENVSUBST_ENCODING=jsonstr tbc_envsubst "$ENV_VALUES" > generated-values-env.yml
    - helm template $helm_package ${HELM_K8S_VERSION:+--kube-version "$HELM_K8S_VERSION"} --values generated-values-common.yml --values generated-values-env.yml | kube-score score ${HELM_K8S_VERSION:+--kubernetes-version "$HELM_K8S_VERSION"} ${HELM_KUBE_SCORE_ARGS} -

# Deploy job prototype
# Can be extended to define a concrete environment
#
@@ -1380,7 +1240,7 @@ helm-publish:
# @arg ENV_NAMESPACE : env-specific Kubernetes namespace
# @arg ENV_VALUES    : env-specific Helm values
.helm-deploy:
  extends: .helm-base
  extends: .helm-deploy-base
  stage: deploy
  variables:
    ENV_APP_SUFFIX: "-$CI_ENVIRONMENT_SLUG"
@@ -1410,7 +1270,7 @@ helm-publish:
# @arg ENV_KUBE_CONFIG: env-specific Kubeconfig
# @arg ENV_NAMESPACE : env-specific Kubernetes namespace
.helm-cleanup:
  extends: .helm-base
  extends: .helm-deploy-base
  stage: deploy
  # force no dependencies
  dependencies: []
@@ -1433,7 +1293,7 @@ helm-publish:
# @arg ENV_KUBE_CONFIG: env-specific Kubeconfig
# @arg ENV_NAMESPACE : env-specific Kubernetes namespace
.helm-test:
  extends: .helm-base
  extends: .helm-deploy-base
  stage: acceptance
  before_script:
    - !reference [.helm-scripts]
@@ -1443,8 +1303,48 @@ helm-publish:
    - helm_test

# ==================================================
# Stage: review
# Env: review
# ==================================================
helm-values-lint-review:
  extends: .helm-values-lint
  variables:
    ENV_TYPE: review
    ENV_VALUES: "$HELM_REVIEW_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_YAMLLINT_DISABLED is set
    - if: '$HELM_YAMLLINT_DISABLED == "true"'
      when: never
    # exclude if $HELM_REVIEW_VALUES unset
    - if: '$HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == ""'
      when: never
    # exclude on integration or prod branch
    - if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

helm-score-review:
  extends: .helm-score
  variables:
    ENV_TYPE: review
    ENV_VALUES: "$HELM_REVIEW_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_SCORE_DISABLED is set
    - if: '$HELM_KUBE_SCORE_DISABLED == "true"'
      when: never
    # exclude if $HELM_REVIEW_VALUES unset
    - if: '$HELM_REVIEW_VALUES == null || $HELM_REVIEW_VALUES == ""'
      when: never
    # exclude on integration or prod branch
    - if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

# deploy to review env (only for feature branches)
# disabled by default, enable this job by setting $HELM_REVIEW_ENABLED
helm-review:
@@ -1511,8 +1411,48 @@ helm-test-review:
    - !reference [.test-policy, rules]

# ==================================================
# Stage: integration
# Env: integration
# ==================================================
helm-values-lint-integration:
  extends: .helm-values-lint
  variables:
    ENV_TYPE: integration
    ENV_VALUES: "$HELM_INTEG_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_YAMLLINT_DISABLED is set
    - if: '$HELM_YAMLLINT_DISABLED == "true"'
      when: never
    # exclude if $HELM_INTEG_VALUES unset
    - if: '$HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == ""'
      when: never
    # exclude on prod branch
    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

helm-score-integration:
  extends: .helm-score
  variables:
    ENV_TYPE: integration
    ENV_VALUES: "$HELM_INTEG_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_SCORE_DISABLED is set
    - if: '$HELM_KUBE_SCORE_DISABLED == "true"'
      when: never
    # exclude if $HELM_INTEG_VALUES unset
    - if: '$HELM_INTEG_VALUES == null || $HELM_INTEG_VALUES == ""'
      when: never
    # exclude on prod branch
    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    - !reference [.test-policy, rules]

# deploy to integration env (only for integration branches)
# disabled by default, enable this job by setting $HELM_INTEG_ENABLED
helm-integration:
@@ -1580,8 +1520,42 @@ helm-test-integration:
    - !reference [.test-policy, rules]

# ==================================================
# Stage: staging
# Env: staging
# ==================================================
helm-values-lint-staging:
  extends: .helm-values-lint
  variables:
    ENV_TYPE: staging
    ENV_VALUES: "$HELM_STAGING_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_YAMLLINT_DISABLED is set
    - if: '$HELM_YAMLLINT_DISABLED == "true"'
      when: never
    # exclude if $HELM_STAGING_VALUES unset
    - if: '$HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == ""'
      when: never
    - !reference [.test-policy, rules]

helm-score-staging:
  extends: .helm-score
  variables:
    ENV_TYPE: staging
    ENV_VALUES: "$HELM_STAGING_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_SCORE_DISABLED is set
    - if: '$HELM_KUBE_SCORE_DISABLED == "true"'
      when: never
    # exclude if $HELM_STAGING_VALUES unset
    - if: '$HELM_STAGING_VALUES == null || $HELM_STAGING_VALUES == ""'
      when: never
    - !reference [.test-policy, rules]

helm-staging:
  extends: .helm-deploy
  variables:
@@ -1645,8 +1619,42 @@ helm-test-staging:
    - !reference [.test-policy, rules]

# ==================================================
# Stage: production
# Env: production
# ==================================================
helm-values-lint-production:
  extends: .helm-values-lint
  variables:
    ENV_TYPE: production
    ENV_VALUES: "$HELM_PROD_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_YAMLLINT_DISABLED is set
    - if: '$HELM_YAMLLINT_DISABLED == "true"'
      when: never
    # exclude if $HELM_PROD_VALUES unset
    - if: '$HELM_PROD_VALUES == null || $HELM_PROD_VALUES == ""'
      when: never
    - !reference [.test-policy, rules]

helm-score-production:
  extends: .helm-score
  variables:
    ENV_TYPE: production
    ENV_VALUES: "$HELM_PROD_VALUES"
  rules:
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    # exclude when $HELM_SCORE_DISABLED is set
    - if: '$HELM_KUBE_SCORE_DISABLED == "true"'
      when: never
    # exclude if $HELM_PROD_VALUES unset
    - if: '$HELM_PROD_VALUES == null || $HELM_PROD_VALUES == ""'
      when: never
    - !reference [.test-policy, rules]

helm-production:
  extends: .helm-deploy
  stage: production
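Review bot: In the relocated `.helm-score` prototype, the script line `helm template $helm_package … | kube-score score … -` reports only kube-score's exit status unless the shell has pipefail enabled, and nothing visible in this section shows that `.helm-scripts` enables it; a chart that fails to render could then leave the scoring gate evaluating empty input. Rendering to a file first makes that failure explicit, e.g. `helm template "$helm_package" … --values generated-values-env.yml > generated-manifests.yml` followed by `kube-score score … generated-manifests.yml`. Quoting `"$helm_package"` and `"$HELM_CHART_DIR"` in the `before_script` would also avoid word splitting on chart paths that contain spaces. Separately, the re-added `helm-score-*` jobs carry the comment `# exclude when $HELM_SCORE_DISABLED is set` while the rule tests `$HELM_KUBE_SCORE_DISABLED`; the comment should read `# exclude when $HELM_KUBE_SCORE_DISABLED is set`.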