Add detached pipeline and deployment workflow templates
Adds a detached pipeline workflow template which runs the CI flow for both merge requests and branches without merge requests. An additional deployment template is added to implement the default webapp deployment flow.
The detached pipeline template in this MR is a copy of gitlab-ci/auto-devops-for-detached-pipelines.yml in MR uis/devops/uga/smi!221, so see that MR for a test pipeline based on the detached pipeline workflow template.
The deployment template in this MR is basically a copy of the SMI deploy CI config file with the webapp URLs converted to variables, and some optimisation of the rules.
Closes #5 (closed)
Closes #6 (closed)
Merge request reports
Activity
auto-devops/deploy.yml 0 → 1006445 # configurations. It pulls in the UIS detached pipeline workflow template 6 # (which also pulls in the Auto-DevOps template). To use this template, 7 # make sure it's the first template to be "include"-d. 8 # 9 # include: 10 # - project: 'uis/devops/continuous-delivery/ci-templates' 11 # file: '/auto-devops/deploy.yml' 12 # 13 # Speed up deployment jobs by disabling Auto-DevOps jobs that are not needed 14 # in the deployment project, and all non-deployment jobs when actually 15 # deploying (that is, when DEPLOY_ENABLED is defined to indicate the deployment 16 # target). 17 # 18 # The webapp URL for each deployment target must be specified by defining the 19 # variables WEBAPP_URL_DEVELOPMENT, WEBAPP_URL_STAGING and 20 # WEBAPP_URL_PRODUCTION. -
How do we deal with projects with multiple webapps? E.g. https://gitlab.developers.cam.ac.uk/uis/devops/uga/deploy/-/merge_requests/19/diffs
As long as all the deployment jobs extend
.cloud-run-deploythen adding extra jobs for multiple webapps should require minimal configuration. As has been done in uis/devops/uga/deploy!19,SERVICE_PREFIXshould be added as a variable to.cloud-run-deploythat permits it to be configured for multiple webapps.Edited by Dave Hart
assigned to @amc203
auto-devops/deploy.yml 0 → 10064415 # deploying (that is, when DEPLOY_ENABLED is defined to indicate the deployment 16 # target). 17 # 18 # The webapp URL for each deployment target must be specified by defining the 19 # variables WEBAPP_URL_DEVELOPMENT, WEBAPP_URL_STAGING and 20 # WEBAPP_URL_PRODUCTION. 21 # 22 # This template will need updating as Auto-DevOps updates. 23 24 include: 25 - project: 'uis/devops/continuous-delivery/ci-templates' 26 file: '/auto-devops/detached-pipelines.yml' 27 28 variables: 29 # Disable Auto-DevOps jobs that we don't need in the deployment project 30 DEPENDENCY_SCANNING_DISABLED: "any-value" -
While GitLab CI documentation confirms that there is no dependency scanner for Terraform, the jobs will be skipped, so I think is safe not to include this line. Trying to be future proof and not modify autodevops when not necessary.
Edited by Dr Abraham Martin
-
We need to start versioning our CI templates to avoid having the same problems we have with
tox-tests.ymlwhich we can't update because it will break some pipelines. I think for this we should follow the same solution proposed in #7
- auto-devops/deploy.yml 0 → 100644
16 # target). 17 # 18 # The webapp URL for each deployment target must be specified by defining the 19 # variables WEBAPP_URL_DEVELOPMENT, WEBAPP_URL_STAGING and 20 # WEBAPP_URL_PRODUCTION. 21 # 22 # This template will need updating as Auto-DevOps updates. 23 24 include: 25 - project: 'uis/devops/continuous-delivery/ci-templates' 26 file: '/auto-devops/detached-pipelines.yml' 27 28 variables: 29 # Disable Auto-DevOps jobs that we don't need in the deployment project 30 DEPENDENCY_SCANNING_DISABLED: "any-value" 31 DAST_DISABLED: "any-value" - auto-devops/deploy.yml 0 → 100644
17 # 18 # The webapp URL for each deployment target must be specified by defining the 19 # variables WEBAPP_URL_DEVELOPMENT, WEBAPP_URL_STAGING and 20 # WEBAPP_URL_PRODUCTION. 21 # 22 # This template will need updating as Auto-DevOps updates. 23 24 include: 25 - project: 'uis/devops/continuous-delivery/ci-templates' 26 file: '/auto-devops/detached-pipelines.yml' 27 28 variables: 29 # Disable Auto-DevOps jobs that we don't need in the deployment project 30 DEPENDENCY_SCANNING_DISABLED: "any-value" 31 DAST_DISABLED: "any-value" 32 SAST_DISABLED: "any-value" -
Some SAST needs to be enabled for the deployment repos, reading GitLab documentation we can see that we should be executing at least,
Gitleaks,TruffleHog,Kubesec. As with others, I believe that GitLab SAST Template should be sufficiently clever to skip those that do not apply to the repo, and thus, this line shouldn't be necessary.
- auto-devops/deploy.yml 0 → 100644
19 # variables WEBAPP_URL_DEVELOPMENT, WEBAPP_URL_STAGING and 20 # WEBAPP_URL_PRODUCTION. 21 # 22 # This template will need updating as Auto-DevOps updates. 23 24 include: 25 - project: 'uis/devops/continuous-delivery/ci-templates' 26 file: '/auto-devops/detached-pipelines.yml' 27 28 variables: 29 # Disable Auto-DevOps jobs that we don't need in the deployment project 30 DEPENDENCY_SCANNING_DISABLED: "any-value" 31 DAST_DISABLED: "any-value" 32 SAST_DISABLED: "any-value" 33 34 .default-no-deploy: &default-no-deploy -
I think having all these exceptions is showing that probably we are not doing it properly to make it work with AutoDevOps. I believe this is because we are executing CD jobs in the Infrastructure as code (IAC) repository. IAC still requires Gitlab CI pipelines as our infrastructure is code, so it needs testing, SAST, etc.
If we look at this CI template there is nothing in there is nothing in here that uses any code of the IAC repo. When deploying, it does not even uses the build step, or any terraform code.
The only thing that we use from the repo are the secrets. I wonder then if we are architecting our repos wrong and we need:
- WebApp repo. Webapp code. Normal AutoDevOps but with review apps. Maybe review apps deployment should used the CD repo defined below?
- Infra as code repo. Terraform code for the infrastructure. Normal AutoDevOps for checking dependencies, secrets, test, etc. Deployment happens only once (or rarely when the infra definition changes). No need for auto-deployment of infra.
- CD repo. Will only contain gitlab-ci.yml file as code. That file will only import this template. Deployment secrets will only be stored as CI env vars in this repo. Will have a button to deploy to production, after a a staging deployment has happened DAST and E2E tests have been executed against staging (probably calling the webapp repo which will contain the e2e test code).
- auto-devops/detached-pipelines.yml 0 → 100644
44 <<: *only-merge-requests-branches-and-tags 45 container_scanning: 46 <<: *only-merge-requests-branches-and-tags 47 dast: 48 <<: *only-merge-requests-branches-and-tags 49 license_scanning: 50 <<: *only-merge-requests-branches-and-tags 51 # TODO: Add `secret_detection` when upgrading to GitLab 13.1 52 #secret_detection: 53 # <<: *only-merge-requests-branches-and-tags 54 # interruptible: true 55 test: 56 <<: *only-merge-requests-branches-and-tags 57 needs: ["build"] 58 59 # Dependency scanning -
The purpose of this section (and indeed the rest of the file) is to change our workflow. The GitLab default is the rule
if: '$CI_COMMIT_TAG || $CI_COMMIT_BRANCH'(which is the "branch pipeline" workflow), whereas usingif: $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG || $CI_COMMIT_BRANCHgives us a merge request + branch workflow (a variant of the "merge request pipeline" workflow).I don't think there's a way to change the Auto-DevOps workflow other than to change the rules for every single job. This situation might improve when this GitLab issue is implemented to permit variables to be defined based on other variables (scheduled for GitLab 13.5).
-
#9 (closed) implements the needs dependency of the
testjob on thebuildjob for the Tox-based test pipeline. Possibly we don't want this in the basic detached pipeline template? -
tox tests been looked at #7
-
Closing without merging as detached pipelines will no longer be used. A new merge request will be created with just the deployment template (for #6 (closed)).