-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
153 lines (146 loc) · 5.84 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
workflow:
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_TAG == null
variables:
DEPLOY_MODE: dev
when: always
- if: $CI_COMMIT_TAG =~ /v.*/
variables:
DEPLOY_MODE: prod
when: always
- when: never
variables:
CONTAINER_IMAGE_NAME: wildfly-image
CONTAINER_REGISTRY_HOST: asia-docker.pkg.dev
GCP_ARTIFACT_REGISTRY_NAME: my-docker-registry
GCP_GKE_CLUSTER: my-gke-cluster
GCP_GKE_LOCATION: asia-east1
GCP_PROJECT_ID: my-project
GCP_SA: my-gitlab-runner-serviceaccount@my-project.iam.gserviceaccount.com
GCP_WIP: projects/1234567890/locations/global/workloadIdentityPools/my-pool/providers/my-pool-providers
K8S_PROD_NS: wildfly-prod
K8S_TEST_NS: wildfly-test
stages:
- build
- dev-deploy
- prod-tag
- prod-deploy
build-and-push:
rules:
- if: $DEPLOY_MODE == "dev"
when: always
stage: build
image: google/cloud-sdk
# For running docker in Kubernetes, the following settings are required.
# See https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-the-kubernetes-executor-with-docker-in-docker
# for more details.
services:
- name: docker:dind
alias: docker
# docker:dind requires privileged GitLab Runner
# As GKE autopilot blocks privileged container, you may failed to start docker:dind with GKE Autopilot.
variables:
DOCKER_HOST: tcp://docker:2376
DOCKER_TLS_CERTDIR: "/certs"
DOCKER_TLS_VERIFY: 1
DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
before_script:
# Wait docker:dind becoming online
# https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27215#note_1058024207
- until docker info; do sleep 1; done
# Login to GCP
- echo ${CI_JOB_JWT_V2} > .ci_job_jwt_file
- gcloud iam workload-identity-pools create-cred-config ${GCP_WIP}
--service-account="${GCP_SA}"
--output-file=.gcp_temp_cred.json
--credential-source-file=.ci_job_jwt_file
--project=${GCP_PROJECT_ID}
- gcloud auth login --cred-file=.gcp_temp_cred.json
- gcloud --quiet auth configure-docker ${CONTAINER_REGISTRY_HOST}
# Check GCP Credentials
- gcloud auth list
- gcloud config get-value project
script:
- docker build -t ${CONTAINER_REGISTRY_HOST}/${GCP_PROJECT_ID}/${GCP_ARTIFACT_REGISTRY_NAME}/${CONTAINER_IMAGE_NAME}:${CI_COMMIT_SHA} .
- docker push ${CONTAINER_REGISTRY_HOST}/${GCP_PROJECT_ID}/${GCP_ARTIFACT_REGISTRY_NAME}/${CONTAINER_IMAGE_NAME}:${CI_COMMIT_SHA}
dev-deploy:
rules:
- if: $DEPLOY_MODE == "dev"
when: on_success
needs:
- build-and-push
stage: dev-deploy
image:
name: gcr.io/cloud-builders/kubectl
entrypoint:
- /bin/bash
before_script:
# Login to GCP
- echo ${CI_JOB_JWT_V2} > .ci_job_jwt_file
- gcloud iam workload-identity-pools create-cred-config ${GCP_WIP}
--service-account="${GCP_SA}"
--output-file=.gcp_temp_cred.json
--credential-source-file=.ci_job_jwt_file
--project=${GCP_PROJECT_ID}
- gcloud auth login --cred-file=.gcp_temp_cred.json
- gcloud --quiet auth configure-docker ${CONTAINER_REGISTRY_HOST}
# Configure kubectl credentials
- gcloud container clusters get-credentials ${GCP_GKE_CLUSTER} --location=${GCP_GKE_LOCATION}
# Download Kustomize
- curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
script:
- pushd deploy/overlay/test
- ${CI_PROJECT_DIR}/kustomize edit set namespace ${K8S_TEST_NS}
- ${CI_PROJECT_DIR}/kustomize edit set image wildfly-image=${CONTAINER_REGISTRY_HOST}/${GCP_PROJECT_ID}/${GCP_ARTIFACT_REGISTRY_NAME}/${CONTAINER_IMAGE_NAME}:${CI_COMMIT_SHA}
- ${CI_PROJECT_DIR}/kustomize build . | kubectl apply -f -
prod-tag:
rules:
- if: $DEPLOY_MODE == "prod"
when: always
stage: prod-tag
image: gcr.io/cloud-builders/gcloud
before_script:
# Login to GCP
- echo ${CI_JOB_JWT_V2} > .ci_job_jwt_file
- gcloud iam workload-identity-pools create-cred-config ${GCP_WIP}
--service-account="${GCP_SA}"
--output-file=.gcp_temp_cred.json
--credential-source-file=.ci_job_jwt_file
--project=${GCP_PROJECT_ID}
- gcloud auth login --cred-file=.gcp_temp_cred.json
- gcloud --quiet auth configure-docker ${CONTAINER_REGISTRY_HOST}
# Check GCP Credentials
- gcloud auth list
- gcloud config get-value project
script:
- gcloud artifacts docker tags add ${CONTAINER_REGISTRY_HOST}/${GCP_PROJECT_ID}/${GCP_ARTIFACT_REGISTRY_NAME}/${CONTAINER_IMAGE_NAME}:${CI_COMMIT_SHA} ${CONTAINER_REGISTRY_HOST}/${GCP_PROJECT_ID}/${GCP_ARTIFACT_REGISTRY_NAME}/${CONTAINER_IMAGE_NAME}:${CI_COMMIT_TAG}
prod-deploy:
rules:
- if: $DEPLOY_MODE == "prod"
when: on_success
needs:
- prod-tag
stage: prod-deploy
image:
name: gcr.io/cloud-builders/kubectl
entrypoint:
- /bin/bash
before_script:
# Login to GCP
- echo ${CI_JOB_JWT_V2} > .ci_job_jwt_file
- gcloud iam workload-identity-pools create-cred-config ${GCP_WIP}
--service-account="${GCP_SA}"
--output-file=.gcp_temp_cred.json
--credential-source-file=.ci_job_jwt_file
--project=${GCP_PROJECT_ID}
- gcloud auth login --cred-file=.gcp_temp_cred.json
- gcloud --quiet auth configure-docker ${CONTAINER_REGISTRY_HOST}
# Configure kubectl credentials
- gcloud container clusters get-credentials ${GCP_GKE_CLUSTER} --location=${GCP_GKE_LOCATION}
# Download Kustomize
- curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
script:
- pushd deploy/overlay/test
- ${CI_PROJECT_DIR}/kustomize edit set namespace ${K8S_PROD_NS}
- ${CI_PROJECT_DIR}/kustomize edit set image wildfly-image=${CONTAINER_REGISTRY_HOST}/${GCP_PROJECT_ID}/${GCP_ARTIFACT_REGISTRY_NAME}/${CONTAINER_IMAGE_NAME}:${CI_COMMIT_TAG}
- ${CI_PROJECT_DIR}/kustomize build . | kubectl apply -f -