Commit 3670d4a0 authored by Pierre Smeyers's avatar Pierre Smeyers

feat: migrate to CI/CD component

⚠️ requires GitLab 16.6 or later
parent 97bbf118
+1 −1
@@ -10,7 +10,7 @@ include:
    file: '/templates/validation.yml'
  - project: 'to-be-continuous/bash'
    ref: '3.3'
    file: 'templates/gitlab-ci-bash.yml'
    file: '/templates/gitlab-ci-bash.yml'
  - project: 'to-be-continuous/semantic-release'
    ref: '3.7'
    file: '/templates/gitlab-ci-semrel.yml'
+92 −67
@@ -4,13 +4,44 @@ This project implements a GitLab CI/CD template to deploy your application to an

## Usage

In order to include this template in your project, add the following to your `gitlab-ci.yml`:
This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration) 
or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.

### Use as a CI/CD component

Add the following to your `gitlab-ci.yml`:

```yaml
include:
  # 1: include the component
  - component: gitlab.com/to-be-continuous/openshift/gitlab-ci-openshift@5.1.0
    # 2: set/override component inputs
    inputs:
      # ⚠ this is only an example
      base-app-name: wonderapp
      review-project: "wonder-noprod" # enable review env
      staging-project: "wonder-noprod" # enable staging env
      prod-project: "wonder-prod" # enable production env
```

### Use as a CI/CD template (legacy)

Add the following to your `gitlab-ci.yml`:

```yaml
include:
  # 1: include the template
  - project: 'to-be-continuous/openshift'
    ref: '5.1.0'
    file: '/templates/gitlab-ci-openshift.yml'

variables:
  # 2: set/override template variables
  # ⚠ this is only an example
  OS_BASE_APP_NAME: wonderapp
  OS_REVIEW_PROJECT: "wonder-noprod" # enable review env
  OS_STAGING_PROJECT: "wonder-noprod" # enable staging env
  OS_PROD_PROJECT: "wonder-prod" # enable production env
```

## Understand
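Review bot: neither the component snippet nor the legacy snippet says where `OS_TOKEN` comes from, and the `inputs:` block reads as the natural place to put it. Inputs are interpolated into the pipeline configuration at pipeline creation and are not masked the way CI/CD variables are, so a comment such as the one used in the later example (`# OS_TOKEN and OS_PROD_TOKEN are defined as a protected project variable`) belongs in both snippets, right under the `# ⚠ this is only an example` line.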
@@ -356,17 +387,17 @@ Here are some advices about your **secrets** (variables marked with a :lock:):

The OpenShift template uses some global configuration used throughout all jobs.

| Name                     | Description                            | Default value     |
| Input / Variable | Description                            | Default value     |
| ------------------------ | -------------------------------------- | ----------------- |
| `OS_CLI_IMAGE`           | the Docker image used to run OpenShift Client (OC) CLI commands <br/>:warning: **set the version required by your OpenShift server** | `quay.io/openshift/origin-cli:latest` |
| `OS_URL`                 | Default OpenShift API url              | **has to be defined** |
| `cli-image` / `OS_CLI_IMAGE` | the Docker image used to run OpenShift Client (OC) CLI commands <br/>:warning: **set the version required by your OpenShift server** | `quay.io/openshift/origin-cli:latest` |
| `url` / `OS_URL` | Default OpenShift API url              | **has to be defined** |
| :lock: `OS_TOKEN`        | Default OpenShift API [token](#supported-authentication-methods) | **has to be defined** |
| `OS_BASE_APP_NAME`       | Base application name                  | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)) |
| `OS_ENVIRONMENT_URL`    | Default environments url _(only define for static environment URLs declaration)_<br/>_supports late variable expansion (ex: `https://%{environment_name}.openshift.acme.com`)_ | _none_ |
| `OS_SCRIPTS_DIR`         | directory where OpenShift scripts (templates, hook scripts) are located | `.` _(root project dir)_ |
| `OS_BASE_TEMPLATE_NAME`  | Base OpenShift template name           | `openshift` |
| `OS_APP_LABEL`           | The OpenShift [label](https://docs.openshift.com/container-platform/latest/openshift_images/using-templates.html#writing-labels) set with the `$environment_name` [dynamic variable](#using-variables) value. _Advanced usage_ | `app` |
| `OS_ENV_LABEL`           | The OpenShift [label](https://docs.openshift.com/container-platform/latest/openshift_images/using-templates.html#writing-labels) set with the `$environment_type` [dynamic variable](#using-variables) value (`review`, `integration`, `staging` or `prod`). _Advanced usage_ | `env` |
| `base-app-name` / `OS_BASE_APP_NAME` | Base application name                  | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)) |
| `environment-url` / `OS_ENVIRONMENT_URL`    | Default environments url _(only define for static environment URLs declaration)_<br/>_supports late variable expansion (ex: `https://%{environment_name}.openshift.acme.com`)_ | _none_ |
| `scripts-dir` / `OS_SCRIPTS_DIR` | directory where OpenShift scripts (templates, hook scripts) are located | `.` _(root project dir)_ |
| `base-template-name` / `OS_BASE_TEMPLATE_NAME`  | Base OpenShift template name           | `openshift` |
| `app-label` / `OS_APP_LABEL` | The OpenShift [label](https://docs.openshift.com/container-platform/latest/openshift_images/using-templates.html#writing-labels) set with the `$environment_name` [dynamic variable](#using-variables) value. _Advanced usage_ | `app` |
| `env-label` / `OS_ENV_LABEL` | The OpenShift [label](https://docs.openshift.com/container-platform/latest/openshift_images/using-templates.html#writing-labels) set with the `$environment_type` [dynamic variable](#using-variables) value (`review`, `integration`, `staging` or `prod`). _Advanced usage_ | `env` |

### Review environments configuration

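Review bot: the header now reads `Input / Variable`, but the `:lock: OS_TOKEN` row keeps a variable name only, with no `token` input. That is the right design (a secret should not travel through component inputs), but the table does not say so; a one-line note under it, stating that `:lock:` entries are only configurable as masked/protected CI/CD variables, would stop readers from looking for a `token` input.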
@@ -377,14 +408,14 @@ They are **disabled by default** and can be enabled by setting the `OS_REVIEW_PR

Here are variables supported to configure review environments:

| Name                     | Description                            | Default value     |
| Input / Variable | Description                            | Default value     |
| ------------------------ | -------------------------------------- | ----------------- |
| `OS_REVIEW_PROJECT`      | OpenShift [project](https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/projects_and_users.html#projects) for `review` env | _none_ (disabled) |
| `OS_REVIEW_URL`          | OpenShift API url for `review` env  _(only define if different from default)_    | `$OS_URL` |
| :lock: `OS_REVIEW_TOKEN` | OpenShift API [token](#supported-authentication-methods) for `review` env  _(only define if different from default)_    | `$OS_TOKEN` |
| `OS_REVIEW_APP_NAME`     | Application name for `review` env      | `"${OS_BASE_APP_NAME}-${CI_ENVIRONMENT_SLUG}"` (ex: `myproject-review-fix-bug-12`) |
| `OS_REVIEW_ENVIRONMENT_URL`| The review environments url _(only define for static environment URLs declaration and if different from default)_ | `$OS_ENVIRONMENT_URL` |
| `OS_REVIEW_AUTOSTOP_DURATION`| The amount of time before GitLab will automatically stop `review` environments | `4 hours` |
| `review-project` / `OS_REVIEW_PROJECT` | OpenShift [project](https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/projects_and_users.html#projects) for `review` env | _none_ (disabled) |
| `review-url` / `OS_REVIEW_URL` | OpenShift API url for `review` env  _(only define to override default)_    | `$OS_URL` |
| :lock: `OS_REVIEW_TOKEN` | OpenShift API [token](#supported-authentication-methods) for `review` env  _(only define to override default)_    | `$OS_TOKEN` |
| `review-app-name` / `OS_REVIEW_APP_NAME` | Application name for `review` env      | `"${OS_BASE_APP_NAME}-${CI_ENVIRONMENT_SLUG}"` (ex: `myproject-review-fix-bug-12`) |
| `review-environment-url` / `OS_REVIEW_ENVIRONMENT_URL`| The review environments url _(only define for static environment URLs declaration and if different from default)_ | `$OS_ENVIRONMENT_URL` |
| `review-autostop-duration` / `OS_REVIEW_AUTOSTOP_DURATION` | The amount of time before GitLab will automatically stop `review` environments | `4 hours` |

### Integration environment configuration

@@ -394,13 +425,13 @@ It is **disabled by default** and can be enabled by setting the `OS_INTEG_PROJEC

Here are variables supported to configure the integration environment:

| Name                     | Description                            | Default value     |
| Input / Variable | Description                            | Default value     |
| ------------------------ | -------------------------------------- | ----------------- |
| `OS_INTEG_PROJECT`       | OpenShift [project](https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/projects_and_users.html#projects) for `integration` env | _none_ (disabled) |
| `OS_INTEG_URL`           | OpenShift API url for `integration` env  _(only define if different from default)_    | `$OS_URL` |
| :lock: `OS_INTEG_TOKEN`  | OpenShift API [token](#supported-authentication-methods) for `integration` env  _(only define if different from default)_    | `$OS_TOKEN` |
| `OS_INTEG_APP_NAME`      | Application name for `integration` env | `${OS_BASE_APP_NAME}-integration` |
| `OS_INTEG_ENVIRONMENT_URL`| The integration environment url _(only define for static environment URLs declaration and if different from default)_ | `$OS_ENVIRONMENT_URL` |
| `integ-project` / `OS_INTEG_PROJECT` | OpenShift [project](https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/projects_and_users.html#projects) for `integration` env | _none_ (disabled) |
| `integ-url` / `OS_INTEG_URL` | OpenShift API url for `integration` env  _(only define to override default)_    | `$OS_URL` |
| :lock: `OS_INTEG_TOKEN`  | OpenShift API [token](#supported-authentication-methods) for `integration` env  _(only define to override default)_    | `$OS_TOKEN` |
| `integ-app-name` / `OS_INTEG_APP_NAME` | Application name for `integration` env | `${OS_BASE_APP_NAME}-integration` |
| `integ-environment-url` / `OS_INTEG_ENVIRONMENT_URL`| The integration environment url _(only define for static environment URLs declaration and if different from default)_ | `$OS_ENVIRONMENT_URL` |

### Staging environment configuration

@@ -410,13 +441,13 @@ It is **disabled by default** and can be enabled by setting the `OS_STAGING_PROJ

Here are variables supported to configure the staging environment:

| Name                     | Description                            | Default value     |
| Input / Variable | Description                            | Default value     |
| ------------------------ | -------------------------------------- | ----------------- |
| `OS_STAGING_PROJECT`     | OpenShift [project](https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/projects_and_users.html#projects) for `staging` env | _none_ (disabled) |
| `OS_STAGING_URL`         | OpenShift API url for `staging` env  _(only define if different from default)_   | `$OS_URL` |
| :lock: `OS_STAGING_TOKEN`| OpenShift API [token](#supported-authentication-methods) for `staging` env  _(only define if different from default)_    | `$OS_TOKEN` |
| `OS_STAGING_APP_NAME`    | Application name for `staging` env     | `${OS_BASE_APP_NAME}-staging` |
| `OS_STAGING_ENVIRONMENT_URL`| The staging environment url _(only define for static environment URLs declaration and if different from default)_ | `$OS_ENVIRONMENT_URL` |
| `staging-project` / `OS_STAGING_PROJECT` | OpenShift [project](https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/projects_and_users.html#projects) for `staging` env | _none_ (disabled) |
| `staging-url` / `OS_STAGING_URL` | OpenShift API url for `staging` env  _(only define to override default)_   | `$OS_URL` |
| :lock: `OS_STAGING_TOKEN`| OpenShift API [token](#supported-authentication-methods) for `staging` env  _(only define to override default)_    | `$OS_TOKEN` |
| `staging-app-name` / `OS_STAGING_APP_NAME` | Application name for `staging` env     | `${OS_BASE_APP_NAME}-staging` |
| `staging-environment-url` / `OS_STAGING_ENVIRONMENT_URL`| The staging environment url _(only define for static environment URLs declaration and if different from default)_ | `$OS_ENVIRONMENT_URL` |

### Production environment configuration

@@ -426,14 +457,14 @@ It is **disabled by default** and can be enabled by setting the `OS_PROD_PROJECT

Here are variables supported to configure the production environment:

| Name                     | Description                            | Default value     |
| Input / Variable | Description                            | Default value     |
| ------------------------ | -------------------------------------- | ----------------- |
| `OS_PROD_PROJECT`        | OpenShift [project](https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/projects_and_users.html#projects) for `production` env | _none_ (disabled) |
| `OS_PROD_URL`            | OpenShift API url for `production` env  _(only define if different from default)_| `$OS_URL` |
| :lock: `OS_PROD_TOKEN`   | OpenShift API [token](#supported-authentication-methods) for `production` env  _(only define if different from default)_    | `$OS_TOKEN` |
| `OS_PROD_APP_NAME`       | Application name for `production` env  | `$OS_BASE_APP_NAME` |
| `OS_PROD_ENVIRONMENT_URL`| The production environment url _(only define for static environment URLs declaration and if different from default)_ | `$OS_ENVIRONMENT_URL` |
| `OS_PROD_DEPLOY_STRATEGY`| Defines the deployment to production strategy. One of `manual` (i.e. _one-click_) or `auto`. | `manual` |
| `prod-project` / `OS_PROD_PROJECT` | OpenShift [project](https://docs.openshift.com/container-platform/3.11/architecture/core_concepts/projects_and_users.html#projects) for `production` env | _none_ (disabled) |
| `prod-url` / `OS_PROD_URL` | OpenShift API url for `production` env  _(only define to override default)_| `$OS_URL` |
| :lock: `OS_PROD_TOKEN`   | OpenShift API [token](#supported-authentication-methods) for `production` env  _(only define to override default)_    | `$OS_TOKEN` |
| `prod-app-name` / `OS_PROD_APP_NAME` | Application name for `production` env  | `$OS_BASE_APP_NAME` |
| `prod-environment-url` / `OS_PROD_ENVIRONMENT_URL`| The production environment url _(only define for static environment URLs declaration and if different from default)_ | `$OS_ENVIRONMENT_URL` |
| `prod-deploy-strategy` / `OS_PROD_DEPLOY_STRATEGY` | Defines the deployment to production strategy. One of `manual` (i.e. _one-click_) or `auto`. | `manual` |


### `os-cleanup-all-review` job
@@ -476,11 +507,11 @@ This variant allows delegating your secrets management to a [Vault](https://www.

In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:

| Name              | Description                            | Default value     |
| Input / Variable | Description                            | Default value     |
| ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
| `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |
| `VAULT_OIDC_AUD`  | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url          | _none_ |
| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |

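Review bot: `TBC_VAULT_IMAGE` is the only non-secret row in this table without an input counterpart, while `VAULT_BASE_URL` and `VAULT_OIDC_AUD` gain `vault-base-url` / `vault-oidc-aud`. Either add a `vault-image` input or state in the description that this one remains variable-only, so the `Input / Variable` header stays accurate for the whole table.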
@@ -494,7 +525,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta

With:

| Name                             | Description                            |
| Parameter                        | Description                            |
| -------------------------------- | -------------------------------------- |
| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |
@@ -504,22 +535,19 @@ With:
```yaml
include:
  # main template
  - project: 'to-be-continuous/openshift'
    ref: '5.1.0'
    file: '/templates/gitlab-ci-openshift.yml'
  - component: gitlab.com/to-be-continuous/openshift/gitlab-ci-openshift@5.1.0
  # Vault variant
  - project: 'to-be-continuous/openshift'
    ref: '5.1.0'
    file: '/templates/gitlab-ci-openshift-vault.yml'
  - component: gitlab.com/to-be-continuous/openshift/gitlab-ci-openshift-vault@5.1.0
    inputs:
      # audience claim for JWT
      vault-oidc-aud: "https://vault.acme.host"
      vault-base-url: "https://vault.acme.host/v1"
      # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable

variables:
    # audience claim for JWT
    VAULT_OIDC_AUD: "https://vault.acme.host"
  # Secrets managed by Vault
  OS_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/openshift/noprod?field=token"
  OS_PROD_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/openshift/noprod?field=token"
    VAULT_BASE_URL: "https://vault.acme.host/v1"
    # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
```

## Examples
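Review bot: in the unchanged `variables:` block, `OS_PROD_TOKEN` reads the same Vault path as `OS_TOKEN` (`.../my-app/openshift/noprod?field=token`), so the production environment would authenticate with the non-production token. Not introduced by this change, but since the block is being rewritten, point the production entry at a distinct prod secret path, e.g. `.../my-app/openshift/prod?field=token`.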
@@ -536,20 +564,17 @@ variables:

```yaml
include:
  - project: 'to-be-continuous/openshift'
    ref: '5.1.0' 
    file: '/templates/gitlab-ci-openshift.yml'

variables:
  OS_URL: "https://openshift-noprod.acme.host" # noprod cluster is default (review & staging)
  OS_PROD_URL: "https://openshift-prod.acme.host/" # prod cluster for prod env only
  - component: gitlab.com/to-be-continuous/openshift/gitlab-ci-openshift@5.1.0
    inputs:
      url: "https://openshift-noprod.acme.host" # noprod cluster is default (review & staging)
      prod-url: "https://openshift-prod.acme.host/" # prod cluster for prod env only
      # OS_TOKEN and OS_PROD_TOKEN are defined as a protected project variable
  OS_REVIEW_PROJECT: "myproj-noprod" # activates 'review' env in CI pipeline
  OS_STAGING_PROJECT: "myproj-noprod" # activates 'staging' env in CD pipeline
  OS_PROD_PROJECT: "myproj"
  OS_REVIEW_ENVIRONMENT_DOMAIN: "apps-noprod.acme.host" # intranet route
  OS_STAGING_ENVIRONMENT_URL: "https://myproj-staging.apps-noprod.acme.host" # internet route
  OS_PROD_ENVIRONMENT_URL: "https://myproj.apps.acme.com" # internet route
      review-project: "myproj-noprod" # activates 'review' env in CI pipeline
      staging-project: "myproj-noprod" # activates 'staging' env in CD pipeline
      prod-project: "myproj"
      review-environment-domain: "apps-noprod.acme.host" # intranet route
      staging-environment-url: "https://myproj-staging.apps-noprod.acme.host" # internet route
      prod-environment-url: "https://myproj.apps.acme.com" # internet route
```

#### OpenShift template
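Review bot: the example passes `review-environment-domain`, but the review environments table rewritten in this same diff lists no such input (only `review-project`, `review-url`, `review-app-name`, `review-environment-url` and `review-autostop-duration`). GitLab rejects a component include that passes an input not declared in the component's `spec:inputs`, so either the table is missing a row or the example needs to drop the line; please confirm against the component spec.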
+2 −2
@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."

  # replace in README
  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
  mv -f README.md.next README.md

  # replace in template and variants
  for tmpl in templates/*.yml
  do
    sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
    sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
    mv -f "$tmpl.next" "$tmpl"
  done
else
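Review bot: the second `-e` expression on the new README `sed` line uses typographic closing quotes (`\”`) instead of straight double quotes (`\"`) in both the pattern and the replacement: `-e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/"`. The pattern will never match a `ref: "x.y.z"` line in the README, and if it ever did it would write curly quotes into the file; replace every `\”` with `\"`. Also worth noting while here: `$curVer` is inserted unescaped into the regex in all three expressions, so the dots match any character; harmless for version strings in practice, but escaping them would make the bump exact.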
+20 −12
@@ -3,6 +3,8 @@
  "description": "Deploy your application to an [OpenShift](https://www.openshift.com/) platform",
  "template_path": "templates/gitlab-ci-openshift.yml",
  "kind": "hosting",
  "prefix": "os",
  "is_component": true,
  "variables": [
    {
      "name": "OS_CLI_IMAGE",
@@ -27,6 +29,12 @@
      "default": "$CI_PROJECT_NAME",
      "advanced": true
    },
    {
      "name": "OS_BASE_TEMPLATE_NAME",
      "description": "Base OpenShift template name",
      "default": "openshift",
      "advanced": true
    },
    {
      "name": "OS_ENVIRONMENT_URL",
      "type": "url",
@@ -64,7 +72,7 @@
        },
        {
          "name": "OS_REVIEW_APP_NAME",
          "description": "The application name for review env (only define if different from global)",
          "description": "The application name for review env (only define to override default)",
          "advanced": true
        },
        {
@@ -81,12 +89,12 @@
        {
          "name": "OS_REVIEW_URL",
          "type": "url",
          "description": "OpenShift API url for review env (only define if different from global)",
          "description": "OpenShift API url for review env (only define to override default)",
          "advanced": true
        },
        {
          "name": "OS_REVIEW_TOKEN",
          "description": "OpenShift API token for review env (only define if different from global)",
          "description": "OpenShift API token for review env (only define to override default)",
          "secret": true
        },
        {
@@ -108,7 +116,7 @@
        },
        {
          "name": "OS_INTEG_APP_NAME",
          "description": "The application name for integration env (only define if different from global)",
          "description": "The application name for integration env (only define to override default)",
          "advanced": true
        },
        {
@@ -120,12 +128,12 @@
        {
          "name": "OS_INTEG_URL",
          "type": "url",
          "description": "OpenShift API url for integration env (only define if different from global)",
          "description": "OpenShift API url for integration env (only define to override default)",
          "advanced": true
        },
        {
          "name": "OS_INTEG_TOKEN",
          "description": "OpenShift API token for integration env (only define if different from global)",
          "description": "OpenShift API token for integration env (only define to override default)",
          "secret": true
        }
      ]
@@ -142,7 +150,7 @@
        },
        {
          "name": "OS_STAGING_APP_NAME",
          "description": "The application name for staging env (only define if different from global)",
          "description": "The application name for staging env (only define to override default)",
          "advanced": true
        },
        {
@@ -154,12 +162,12 @@
        {
          "name": "OS_STAGING_URL",
          "type": "url",
          "description": "OpenShift API url for staging env (only define if different from global)",
          "description": "OpenShift API url for staging env (only define to override default)",
          "advanced": true
        },
        {
          "name": "OS_STAGING_TOKEN",
          "description": "OpenShift API token for staging env (only define if different from global)",
          "description": "OpenShift API token for staging env (only define to override default)",
          "secret": true
        }
      ]
@@ -176,7 +184,7 @@
        },
        {
          "name": "OS_PROD_APP_NAME",
          "description": "The application name for production env (only define if different from global)",
          "description": "The application name for production env (only define to override default)",
          "advanced": true
        },
        {
@@ -195,12 +203,12 @@
        {
          "name": "OS_PROD_URL",
          "type": "url",
          "description": "OpenShift API url for production env (only define if different from global)",
          "description": "OpenShift API url for production env (only define to override default)",
          "advanced": true
        },
        {
          "name": "OS_PROD_TOKEN",
          "description": "OpenShift API token for production env (only define if different from global)",
          "description": "OpenShift API token for production env (only define to override default)",
          "secret": true
        }
      ]