From 8fb624e846c8b5cca17ffe6b1cf76d8448a1e4df Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 25 Mar 2025 17:21:37 +0400 Subject: [PATCH 01/82] * default's `before_script` block in Setup moved to `.setup`, so it's will execute only when requested by some job Signed-off-by: Ivan.Makeev --- README.md | 8 +++- templates/Setup.gitlab-ci.yml | 69 +++++++++++++++++++---------------- 2 files changed, 44 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 7d93525..074a803 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,12 @@ Build: extends: .build ``` -> Instead of `/main/`, you can specify a specific commit to ensure changes do not affect your CI. +> Instead of `/main/`, you can specify a specific commit to ensure changes do not affect your CI. The [`examples`](examples/) folder contains examples of `.gitlab-ci.yml` that can be assembled from the templates. + +## Variables + +`$MODULES_MODULE_SOURCE` - base URL for the registry, e.g., `registry.example.com/deckhouse/modules` +`$MODULES_MODULE_NAME` (Optional) - module name, by default it is equal to the project name +`$WERF_REPO` - registry path, default `${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}` diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index 438c659..d9d4634 100644 --- a/templates/Setup.gitlab-ci.yml +++ b/templates/Setup.gitlab-ci.yml 
@@ -2,40 +2,45 @@ variables: MODULES_MODULE_NAME: "${CI_PROJECT_NAME}" MODULES_MODULE_TAG: ${CI_COMMIT_REF_NAME} BASE_IMAGES_VERSION: v0.2 - WERF_REPO: ${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME} -before_script: - # Setup trdl - - | - trdl_version=$(curl -s https://tuf.trdl.dev/targets/channels/0/stable) - curl -sSLO "https://tuf.trdl.dev/targets/releases/$trdl_version/linux-amd64/bin/trdl" - install -D trdl ~/bin/trdl - rm trdl - export PATH=$PATH:~/bin +stages: + - lint + - build + - deploy - # Setup werf - - | - trdl add werf https://tuf.werf.io 1 b7ff6bcbe598e072a86d595a3621924c8612c7e6dc6a82e919abe89707d7e3f468e616b5635630680dd1e98fc362ae5051728406700e6274c5ed1ad92bea52a2 - source $(trdl use werf ${WERF_VERSION:-1.2 stable}) - source $(werf ci-env gitlab --as-file) +.setup: + before_script: + # Setup trdl + - | + trdl_version=$(curl -s https://tuf.trdl.dev/targets/channels/0/stable) + curl -sSLO "https://tuf.trdl.dev/targets/releases/$trdl_version/linux-amd64/bin/trdl" + install -D trdl ~/bin/trdl + rm trdl + export PATH=$PATH:~/bin - # Login to gitlab registry by default - if [[ "x${MODULES_REGISTRY_LOGIN}" == "x" ]]; then - MODULES_REGISTRY_LOGIN="${CI_REGISTRY_USER}" - fi - if [[ "x${MODULES_REGISTRY_PASSWORD}" == "x" ]]; then - MODULES_REGISTRY_PASSWORD="${CI_REGISTRY_PASSWORD}" - fi - werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} + # Setup werf + - | + trdl add werf https://tuf.werf.io 1 b7ff6bcbe598e072a86d595a3621924c8612c7e6dc6a82e919abe89707d7e3f468e616b5635630680dd1e98fc362ae5051728406700e6274c5ed1ad92bea52a2 + source $(trdl use werf ${WERF_VERSION:-1.2 stable}) + source $(werf ci-env gitlab --as-file) - # Setup dmt - - | - trdl add dmt https://trrr.flant.dev/trdl-dmt/ 0 e77d785600a8c8612b84b93a5a2e4c48188d68f7478356d0708213e928bf67b024ed412e702dc32930da5c5bfc9b1c44be3ee7a292f923327815c91c6c3c3833 - source $(trdl use dmt 0 stable) + # Login to gitlab registry by default + if [[ 
"x${MODULES_REGISTRY}" == "x" ]]; then + MODULES_REGISTRY="${CI_REGISTRY}" + fi + if [[ "x${MODULES_REGISTRY_LOGIN}" == "x" ]]; then + MODULES_REGISTRY_LOGIN="${CI_REGISTRY_USER}" + fi + if [[ "x${MODULES_REGISTRY_PASSWORD}" == "x" ]]; then + MODULES_REGISTRY_PASSWORD="${CI_REGISTRY_PASSWORD}" + fi + werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} - # Download base images yaml file - - env | grep BASE_IMAGES_VERSION - - curl --fail -sSLO https://fox.flant.com/api/v4/projects/deckhouse%2Fbase-images/packages/generic/base_images/${BASE_IMAGES_VERSION}/base_images.yml -stages: - - build - - deploy + # Setup dmt + - | + trdl add dmt https://trrr.flant.dev/trdl-dmt/ 0 e77d785600a8c8612b84b93a5a2e4c48188d68f7478356d0708213e928bf67b024ed412e702dc32930da5c5bfc9b1c44be3ee7a292f923327815c91c6c3c3833 + source $(trdl use dmt 0 stable) + + # Download base images yaml file + - env | grep BASE_IMAGES_VERSION + - curl --fail -sSLO https://fox.flant.com/api/v4/projects/deckhouse%2Fbase-images/packages/generic/base_images/${BASE_IMAGES_VERSION}/base_images.yml From d76af7783cb1bd9ee0b5ef37ac4bf9c0a3272d14 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 25 Mar 2025 17:24:46 +0400 Subject: [PATCH 02/82] * add `.lint` job to `lint` stage Signed-off-by: Ivan.Makeev --- templates/Lint.gitlab-ci.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 templates/Lint.gitlab-ci.yml diff --git a/templates/Lint.gitlab-ci.yml b/templates/Lint.gitlab-ci.yml new file mode 100644 index 0000000..99ffe4f --- /dev/null +++ b/templates/Lint.gitlab-ci.yml @@ -0,0 +1,18 @@ +.lint: + stage: lint + rules: + # run if push to a branch + - if: '$CI_COMMIT_BRANCH' + when: on_success + # run if module tag defined (module release) + - if: '$CI_COMMIT_TAG' + when: on_success + # do not run in other cases + - when: never + + allow_failure: true + before_script: + - !reference [.setup, before_script] + script: + - | + dmt lint ./ 
From 40fdc7ea2a3fcca92604c8ac64b9109b579e4698 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 26 Mar 2025 12:45:27 +0400 Subject: [PATCH 03/82] * add workflow D8.Module Signed-off-by: Ivan.Makeev --- templates/Build.gitlab-ci.yml | 58 +++++++++++-------------------- templates/Lint.gitlab-ci.yml | 10 ------ templates/Setup.gitlab-ci.yml | 10 ------ workflows/D8.Module.gitlab-ci.yml | 52 +++++++++++++++++++++++++++ 4 files changed, 72 insertions(+), 58 deletions(-) create mode 100644 workflows/D8.Module.gitlab-ci.yml diff --git a/templates/Build.gitlab-ci.yml b/templates/Build.gitlab-ci.yml index 5d90510..365768b 100644 --- a/templates/Build.gitlab-ci.yml +++ b/templates/Build.gitlab-ci.yml 
@@ -1,46 +1,28 @@ -# variables: -# $MODULES_MODULE_SOURCE - base URL for the registry, e.g., registry.example.com/deckhouse/modules -# $MODULES_MODULE_NAME (Optional) - module name, by default it is equal to the project name -# $WERF_REPO - registry path, default ${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME} - -.lint: - stage: build - script: - - | - dmt lint ./ - only: - - branches - - tags - allow_failure: true +spec: + inputs: + tag_regex: + branch_regex: +# for info about expand_vars see https://docs.gitlab.com/ci/yaml/inputs/#expand_vars .build: stage: build + rules: + # run if tag match with regex + - if: '"$CI_COMMIT_TAG" =~ /^($[[ inputs.tag_regex | expand_vars ]])$/' + when: on_success + # run if branch name match with regex + - if: '"$CI_COMMIT_BRANCH" =~ /^($[[ inputs.branch_regex | expand_vars ]])$/' + when: on_success + # do not run in other cases + - when: never + before_script: + - !reference [.setup, before_script] script: # Build images - | werf build \ --save-build-report --build-report-path images_tags_werf.json - # Bundle image - - | - IMAGE_SRC="$(jq -r '.Images."bundle".DockerImageName' images_tags_werf.json)" - IMAGE_DST="$(jq -r '.Images.bundle.DockerRepo' images_tags_werf.json):${MODULES_MODULE_TAG}" - - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} - # Release-channel image - - | - IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)" - IMAGE_DST="$(jq -r '.Images."release-channel-version".DockerRepo' images_tags_werf.json)/release:${MODULES_MODULE_TAG}" - - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} - # Register module - - | - echo "✨ Register the module ${MODULES_MODULE_NAME}" - crane append \ - --oci-empty-base \ - --new_layer "" \ - --new_tag "${MODULES_MODULE_SOURCE}:${MODULES_MODULE_NAME}" - only: - - tags - - branches + artifacts: + paths: + - images_tags_werf.json + expire_in: "30 days" 
diff --git a/templates/Lint.gitlab-ci.yml b/templates/Lint.gitlab-ci.yml index 99ffe4f..4070bd8 100644 --- a/templates/Lint.gitlab-ci.yml +++ b/templates/Lint.gitlab-ci.yml @@ -1,15 +1,5 @@ .lint: stage: lint - rules: - # run if push to a branch - - if: '$CI_COMMIT_BRANCH' - when: on_success - # run if module tag defined (module release) - - if: '$CI_COMMIT_TAG' - when: on_success - # do not run in other cases - - when: never - allow_failure: true before_script: - !reference [.setup, before_script] diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index d9d4634..9c3d5ea 100644 --- a/templates/Setup.gitlab-ci.yml +++ b/templates/Setup.gitlab-ci.yml @@ -1,13 +1,3 @@ -variables: - MODULES_MODULE_NAME: "${CI_PROJECT_NAME}" - MODULES_MODULE_TAG: ${CI_COMMIT_REF_NAME} - BASE_IMAGES_VERSION: v0.2 - -stages: - - lint - - build - - deploy - .setup: before_script: # Setup trdl diff --git a/workflows/D8.Module.gitlab-ci.yml b/workflows/D8.Module.gitlab-ci.yml new file mode 100644 index 0000000..53b0c23 --- /dev/null +++ b/workflows/D8.Module.gitlab-ci.yml 
@@ -0,0 +1,52 @@ +variables: + ############################## + # User default settings + ############################## + + # process only tags with prefix "v" by default + TAG_REGEX: "v.*" + # process everything branch by default + BRANCH_REGEX: ".*" + + MODULES_MODULE_NAME: "${CI_PROJECT_NAME}" + MODULES_MODULE_TAG: ${CI_COMMIT_REF_NAME} + + ############################## + # Internal default settings + ############################## + BASE_IMAGES_VERSION: v0.2 + + # use module's container registry (on Gitlab) as werf's intermediate/cache images registry (repo with all build-time artifacts (garbage)) + WERF_REPO: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} + +stages: + - lint + - build + - deploy + +workflow: + rules: + # https://docs.gitlab.com/ee/ci/yaml/index.html#workflow + # https://docs.gitlab.com/ee/ci/variables/predefined_variables.html + # https://docs.gitlab.com/ee/ci/variables/predefined_variables.html#predefined-variables-for-merge-request-pipelines + + # run if $FORCE_WORKFLOW variable is defined + - if: '$FORCE_WORKFLOW' + # run if there is a tag defined (module release workflow) + - if: '$CI_COMMIT_TAG' + # run if there is a push to a branch + - if: '$CI_COMMIT_BRANCH' + +include: + - local: '/templates/Setup.gitlab-ci.yml' + - local: '/templates/Lint.gitlab-ci.yml' + # This is a workaround for checking to variable matching some regex + # More info: https://gitlab.com/gitlab-org/gitlab/-/issues/209904 + # Also: https://docs.gitlab.com/ci/yaml/inputs/#expand_vars + # Only variables you can use with the include keyword and which are not masked can be expanded. + - local: '/templates/Build.gitlab-ci.yml' + inputs: + tag_regex: $TAG_REGEX + branch_regex: $BRANCH_REGEX + + From 179c7b0ebbfae27f077775818b3fe8f23b60962f Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 26 Mar 2025 13:14:10 +0400 Subject: [PATCH 04/82] * revert back to dedicated files instead of workflow, because workflow does not work when included via `remote` keyword :-( 
Signed-off-by: Ivan.Makeev --- templates/Build.gitlab-ci.yml | 15 +-------- templates/Lint.gitlab-ci.yml | 2 ++ templates/Setup.gitlab-ci.yml | 30 ++++++++++++++++++ workflows/D8.Module.gitlab-ci.yml | 52 ------------------------------- 4 files changed, 33 insertions(+), 66 deletions(-) delete mode 100644 workflows/D8.Module.gitlab-ci.yml diff --git a/templates/Build.gitlab-ci.yml b/templates/Build.gitlab-ci.yml index 365768b..18d731e 100644 --- a/templates/Build.gitlab-ci.yml +++ b/templates/Build.gitlab-ci.yml @@ -1,20 +1,7 @@ -spec: - inputs: - tag_regex: - branch_regex: - -# for info about expand_vars see https://docs.gitlab.com/ci/yaml/inputs/#expand_vars .build: stage: build rules: - # run if tag match with regex - - if: '"$CI_COMMIT_TAG" =~ /^($[[ inputs.tag_regex | expand_vars ]])$/' - when: on_success - # run if branch name match with regex - - if: '"$CI_COMMIT_BRANCH" =~ /^($[[ inputs.branch_regex | expand_vars ]])$/' - when: on_success - # do not run in other cases - - when: never + - !reference [.default_rules, rules] before_script: - !reference [.setup, before_script] script: diff --git a/templates/Lint.gitlab-ci.yml b/templates/Lint.gitlab-ci.yml index 4070bd8..5ac4269 100644 --- a/templates/Lint.gitlab-ci.yml +++ b/templates/Lint.gitlab-ci.yml @@ -1,5 +1,7 @@ .lint: stage: lint + rules: + - !reference [.default_rules, rules] allow_failure: true before_script: - !reference [.setup, before_script] diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index 9c3d5ea..bd911a2 100644 --- a/templates/Setup.gitlab-ci.yml +++ b/templates/Setup.gitlab-ci.yml 
@@ -1,3 +1,33 @@ +variables: + ############################## + # User default settings + ############################## + + MODULES_MODULE_NAME: "${CI_PROJECT_NAME}" + MODULES_MODULE_TAG: ${CI_COMMIT_REF_NAME} + + ############################## + # Internal default settings + ############################## + BASE_IMAGES_VERSION: v0.2 + + # use module's container registry (on Gitlab) as werf's intermediate/cache images registry (repo with all build-time artifacts (garbage)) + WERF_REPO: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} + +stages: + - lint + - build + - deploy + +.default_rules: + rules: + # run if $FORCE_CI variable is defined + - if: '$FORCE_CI' + # run if there is a tag defined (module release workflow) + - if: '$CI_COMMIT_TAG' + # run if there is a push to a branch + - if: '$CI_COMMIT_BRANCH' + .setup: before_script: # Setup trdl diff --git a/workflows/D8.Module.gitlab-ci.yml b/workflows/D8.Module.gitlab-ci.yml deleted file mode 100644 index 53b0c23..0000000 --- a/workflows/D8.Module.gitlab-ci.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -variables: - ############################## - # User default settings - ############################## - - # process only tags with prefix "v" by default - TAG_REGEX: "v.*" - # process everything branch by default - BRANCH_REGEX: ".*" - - MODULES_MODULE_NAME: "${CI_PROJECT_NAME}" - MODULES_MODULE_TAG: ${CI_COMMIT_REF_NAME} - - ############################## - # Internal default settings - ############################## - BASE_IMAGES_VERSION: v0.2 - - # use module's container registry (on Gitlab) as werf's intermediate/cache images registry (repo with all build-time artifacts (garbage)) - WERF_REPO: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} - -stages: - - lint - - build - - deploy - -workflow: - rules: - # https://docs.gitlab.com/ee/ci/yaml/index.html#workflow - # https://docs.gitlab.com/ee/ci/variables/predefined_variables.html - # https://docs.gitlab.com/ee/ci/variables/predefined_variables.html#predefined-variables-for-merge-request-pipelines - - # run if $FORCE_WORKFLOW variable is defined - - if: '$FORCE_WORKFLOW' - # run if there is a tag defined (module release workflow) - - if: '$CI_COMMIT_TAG' - # run if there is a push to a branch - - if: '$CI_COMMIT_BRANCH' - -include: - - local: '/templates/Setup.gitlab-ci.yml' - - local: '/templates/Lint.gitlab-ci.yml' - # This is a workaround for checking to variable matching some regex - # More info: https://gitlab.com/gitlab-org/gitlab/-/issues/209904 - # Also: https://docs.gitlab.com/ci/yaml/inputs/#expand_vars - # Only variables you can use with the include keyword and which are not masked can be expanded. - - local: '/templates/Build.gitlab-ci.yml' - inputs: - tag_regex: $TAG_REGEX - branch_regex: $BRANCH_REGEX - - From c9d8ddb55d1ddf0bff63bf69e0dd781edf5988c7 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 26 Mar 2025 16:58:29 +0400 Subject: [PATCH 05/82] * add .publish job to deploy stage 
Signed-off-by: Ivan.Makeev --- templates/Deploy.gitlab-ci.yml | 62 +++++++++++++++++++++++++++++++--- 1 file changed, 57 insertions(+), 5 deletions(-) diff --git a/templates/Deploy.gitlab-ci.yml b/templates/Deploy.gitlab-ci.yml index 9005d88..3f24e5d 100644 --- a/templates/Deploy.gitlab-ci.yml +++ b/templates/Deploy.gitlab-ci.yml 
@@ -3,18 +3,70 @@ # $MODULES_MODULE_NAME (Optional) - module name, by default it is equal to the project name # $RELEASE_CHANNEL - lowercase release channel name, e.g., alpha, stable, early-access +.publish: + stage: deploy + dependencies: + - .build + script: + - | + # Login to Gitlab (source) registry if target registry is not same Gitlab + if [[ "x${MODULES_REGISTRY}" != "x${CI_REGISTRY}" ]]; then + echo "Login to Gitlab (source) ${CI_REGISTRY}..." + werf cr login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} + fi + + # Login to target registry + werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} + # generate MODULES_MODULE_SOURCE + - | + export MODULES_MODULE_SOURCE="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}" + # Module images + - | + for image in $(ls images); do + IMAGE_SRC="$(jq -r ".Images.\"$image\".DockerImageName" images_tags_werf.json)" + IMAGE_TAG="$(jq -r ".Images.\"$image\".DockerTag" images_tags_werf.json)" + IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${IMAGE_TAG}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + done + # Bundle image + - | + IMAGE_SRC="$(jq -r '.Images."bundle".DockerImageName' images_tags_werf.json)" + IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + # Release-channel image + - | + IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)" + IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release:${MODULES_MODULE_TAG}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + # Register module + - | + echo "✨ Register the module ${MODULES_MODULE_NAME}" + crane append \ + --oci-empty-base \ + --new_layer "" \ + --new_tag "${MODULES_MODULE_SOURCE}:${MODULES_MODULE_NAME}" .deploy: stage: deploy + rules: + # add 
MANUAL deploy job only if $FORCE_CI variable is defined + - if: $FORCE_CI + when: manual + # add MANUAL deploy job only if it is a tag release and release channel is defined + - if: '$CI_COMMIT_TAG && $RELEASE_CHANNEL' + when: manual script: - | REPO="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release" - + IMAGE_SRC="${REPO}:${MODULES_MODULE_TAG}" IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" - + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" crane copy "${IMAGE_SRC}" "${IMAGE_DST}" - only: - - tags - when: manual From 8d9fccb0baec6d24ebb8f16c39c9c7ee6578f72d Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 26 Mar 2025 17:06:39 +0400 Subject: [PATCH 06/82] fix: remove dependencies: .build from .publish Signed-off-by: Ivan.Makeev --- templates/Deploy.gitlab-ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/Deploy.gitlab-ci.yml b/templates/Deploy.gitlab-ci.yml index 3f24e5d..13a7524 100644 --- a/templates/Deploy.gitlab-ci.yml +++ b/templates/Deploy.gitlab-ci.yml @@ -5,8 +5,6 @@ .publish: stage: deploy - dependencies: - - .build script: - | # Login to Gitlab (source) registry if target registry is not same Gitlab From 7a12eb91857c0abeb13dfb9d430af668b54cc24f Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 26 Mar 2025 17:28:54 +0400 Subject: [PATCH 07/82] * add Deploy_DEV job Signed-off-by: Ivan.Makeev --- README.md | 2 +- jobs/Deploy_DEV.gitlab-ci.yml | 20 ++++++++++++++++++++ templates/Deploy.gitlab-ci.yml | 5 ----- templates/Setup.gitlab-ci.yml | 2 ++ 4 files changed, 23 insertions(+), 6 deletions(-) create mode 100644 jobs/Deploy_DEV.gitlab-ci.yml diff --git a/README.md b/README.md index 074a803..7aead8d 100644 --- a/README.md +++ b/README.md 
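Review bot: `.publish` calls `werf cr login`, `jq` and `crane` in its `script:` but, unlike `.build` and `.lint`, carries no `before_script: - !reference [.setup, before_script]`, so werf is only present if the runner image already ships it and the `MODULES_REGISTRY_LOGIN`/`MODULES_REGISTRY_PASSWORD` fallbacks that `.setup` provides never run here — with those unset the job executes `werf cr login -u -p ...`; either add the same reference or a comment stating that the job image must provide the tools and that the login variables are mandatory. The per-image loop interpolates a directory name into the jq program, `jq -r ".Images.\"$image\".DockerImageName" images_tags_werf.json`, which breaks on any name containing a quote; passing it as a jq variable, `jq -r --arg img "$image" '.Images[$img].DockerImageName' images_tags_werf.json`, keeps the filter fixed. `jq -r` prints the literal string `null` for a missing key, after which `crane copy ${IMAGE_SRC} ${IMAGE_DST}` tries to copy an image called `null`; a guard after each lookup, `[ "${IMAGE_SRC}" != "null" ] || { echo "image ${image} missing from build report" >&2; exit 1; }`, fails with a clear message, and the same unchecked pattern is used by the bundle and release-channel steps here and by the `.build` script restored in templates/Build.gitlab-ci.yml in patch 11.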
@@ -29,4 +29,4 @@ The [`examples`](examples/) folder contains examples of `.gitlab-ci.yml` that ca `$MODULES_MODULE_SOURCE` - base URL for the registry, e.g., `registry.example.com/deckhouse/modules` `$MODULES_MODULE_NAME` (Optional) - module name, by default it is equal to the project name -`$WERF_REPO` - registry path, default `${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}` +`$RELEASE_CHANNEL` - lowercase release channel name, e.g., `alpha`, `stable`, `early-access` diff --git a/jobs/Deploy_DEV.gitlab-ci.yml b/jobs/Deploy_DEV.gitlab-ci.yml new file mode 100644 index 0000000..52b5ae9 --- /dev/null +++ b/jobs/Deploy_DEV.gitlab-ci.yml @@ -0,0 +1,20 @@ +# emulate same behaviour as in Deckhouse Github registry +# when opened PRs will pushed to dev registry +Publish DEV: + extends: .publish + variables: + MODULES_REGISTRY: ${DEV_MODULES_REGISTRY} + MODULES_REGISTRY_PATH: ${DEV_MODULES_REGISTRY_PATH} + MODULES_REGISTRY_LOGIN: ${DEV_MODULES_REGISTRY_LOGIN} + MODULES_REGISTRY_PASSWORD: ${DEV_MODULES_REGISTRY_PASSWORD} + # names as in Github: "pr" + merge request project-level ID instead of branch name + MODULES_MODULE_TAG: pr${CI_MERGE_REQUEST_IID} + rules: + # do not run if some required variables is empty + - if: '$DEV_MODULES_REGISTRY == null || $DEV_MODULES_REGISTRY == "" || $DEV_MODULES_REGISTRY_PATH == null || $DEV_MODULES_REGISTRY_PATH == ""' + when: never + # run only for merge requests + - if: $CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "merge_request_event" + when: on_success + # do not run in other cases + - when: never diff --git a/templates/Deploy.gitlab-ci.yml b/templates/Deploy.gitlab-ci.yml index 13a7524..0a474cc 100644 --- a/templates/Deploy.gitlab-ci.yml +++ b/templates/Deploy.gitlab-ci.yml 
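Review bot: `Publish DEV` runs on every merge-request pipeline with write credentials (`DEV_MODULES_REGISTRY_LOGIN`/`DEV_MODULES_REGISTRY_PASSWORD`) mapped into the job, and a merge-request pipeline executes the CI configuration of the source branch, so whoever can open a merge request can run code with those credentials (for forks this depends on the project's pipeline settings, which are not visible here); the file should record that expectation, e.g. `# DEV_MODULES_REGISTRY_* must be masked CI variables; any MR pipeline can read them, so this account should have write access to the dev path only`. The `when: never` guard checks only `DEV_MODULES_REGISTRY` and `DEV_MODULES_REGISTRY_PATH`, so with the login pair unset the job is still created and `.publish` runs `werf cr login` with empty arguments; extending the condition with `|| $DEV_MODULES_REGISTRY_LOGIN == null || $DEV_MODULES_REGISTRY_PASSWORD == null` skips it cleanly.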
@@ -1,8 +1,3 @@ -# variables: -# $MODULES_MODULE_SOURCE - base URL for the registry, e.g., registry.example.com/deckhouse/modules -# $MODULES_MODULE_NAME (Optional) - module name, by default it is equal to the project name -# $RELEASE_CHANNEL - lowercase release channel name, e.g., alpha, stable, early-access - .publish: stage: deploy script: diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index bd911a2..276c4d5 100644 --- a/templates/Setup.gitlab-ci.yml +++ b/templates/Setup.gitlab-ci.yml @@ -27,6 +27,8 @@ stages: - if: '$CI_COMMIT_TAG' # run if there is a push to a branch - if: '$CI_COMMIT_BRANCH' + # run if there is a merge request event + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' .setup: before_script: From f23c3367417b029aad50659826d944fb3fa0e26d Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 26 Mar 2025 17:41:44 +0400 Subject: [PATCH 08/82] * fix .default_rules Signed-off-by: Ivan.Makeev --- templates/Setup.gitlab-ci.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index 276c4d5..795ec51 100644 --- a/templates/Setup.gitlab-ci.yml +++ b/templates/Setup.gitlab-ci.yml @@ -25,10 +25,13 @@ stages: - if: '$FORCE_CI' # run if there is a tag defined (module release workflow) - if: '$CI_COMMIT_TAG' - # run if there is a push to a branch - - if: '$CI_COMMIT_BRANCH' # run if there is a merge request event - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + # DO NOT run if there is a push to a branch and there are open merge requests + - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' + when: never + # run if there is a push to a branch (without opened merge requests) + - if: '$CI_COMMIT_BRANCH' .setup: before_script: From e888650403cca4d2ddfe4d85d6179b70e166c6f0 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 26 Mar 2025 17:44:22 +0400 Subject: [PATCH 09/82] * fix .default_rules 
Signed-off-by: Ivan.Makeev --- templates/Setup.gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index 795ec51..32a7293 100644 --- a/templates/Setup.gitlab-ci.yml +++ b/templates/Setup.gitlab-ci.yml @@ -27,7 +27,7 @@ stages: - if: '$CI_COMMIT_TAG' # run if there is a merge request event - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - # DO NOT run if there is a push to a branch and there are open merge requests + # DO NOT run if there is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' when: never # run if there is a push to a branch (without opened merge requests) From 44afc499c90fea45b8a082a6a89a96744449115d Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 27 Mar 2025 12:14:24 +0400 Subject: [PATCH 10/82] * add jobs/Deploy_PROD Signed-off-by: Ivan.Makeev --- README.md | 3 ++- jobs/Deploy_PROD.gitlab-ci.yml | 24 ++++++++++++++++++++++++ templates/Deploy.gitlab-ci.yml | 15 +++++++++++---- 3 files changed, 37 insertions(+), 5 deletions(-) create mode 100644 jobs/Deploy_PROD.gitlab-ci.yml diff --git a/README.md b/README.md index 7aead8d..bcd5ff9 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,7 @@ The [`examples`](examples/) folder contains examples of `.gitlab-ci.yml` that ca ## Variables -`$MODULES_MODULE_SOURCE` - base URL for the registry, e.g., `registry.example.com/deckhouse/modules` +`$MODULES_REGISTRY` - base URL for the registry, e.g. `registry.example.com` +`$MODULES_REGISTRY_PATH` - path to modules repository in registry, e.g. `deckhouse/modules` `$MODULES_MODULE_NAME` (Optional) - module name, by default it is equal to the project name `$RELEASE_CHANNEL` - lowercase release channel name, e.g., `alpha`, `stable`, `early-access` diff --git a/jobs/Deploy_PROD.gitlab-ci.yml b/jobs/Deploy_PROD.gitlab-ci.yml new file mode 100644 index 0000000..09a707c 
--- /dev/null +++ b/jobs/Deploy_PROD.gitlab-ci.yml @@ -0,0 +1,24 @@ +Deploy to Alpha: + extends: .deploy + variables: + RELEASE_CHANNEL: alpha + +Deploy to Beta: + extends: .deploy + variables: + RELEASE_CHANNEL: beta + +Deploy to EarlyAccess: + extends: .deploy + variables: + RELEASE_CHANNEL: early-access + +Deploy to Stable: + extends: .deploy + variables: + RELEASE_CHANNEL: stable + +Deploy to RockSolid: + extends: .deploy + variables: + RELEASE_CHANNEL: rock-solid diff --git a/templates/Deploy.gitlab-ci.yml b/templates/Deploy.gitlab-ci.yml index 0a474cc..aec1800 100644 --- a/templates/Deploy.gitlab-ci.yml +++ b/templates/Deploy.gitlab-ci.yml @@ -45,18 +45,25 @@ --new_layer "" \ --new_tag "${MODULES_MODULE_SOURCE}:${MODULES_MODULE_NAME}" -.deploy: - stage: deploy +.deploy-prod-rules: rules: - # add MANUAL deploy job only if $FORCE_CI variable is defined + # add MANUAL deploy job if $FORCE_CI variable is defined - if: $FORCE_CI when: manual + # do not run if some required variables is empty + - if: '$PROD_MODULES_REGISTRY == null || $PROD_MODULES_REGISTRY == "" || $PROD_MODULES_REGISTRY_PATH == null || $PROD_MODULES_REGISTRY_PATH == ""' + when: never # add MANUAL deploy job only if it is a tag release and release channel is defined - if: '$CI_COMMIT_TAG && $RELEASE_CHANNEL' when: manual + +.deploy: + stage: deploy + rules: + - !reference [.deploy-prod-rules, rules] script: - | - REPO="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release" + REPO="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}/${MODULES_MODULE_NAME}/release" IMAGE_SRC="${REPO}:${MODULES_MODULE_TAG}" IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" From d40fc2e6773e5cbf993105b012e0c423ca61429b Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 28 Mar 2025 11:03:18 +0400 Subject: [PATCH 11/82] refactor: move my `multi-repo` version to `templates/multi-repo` 
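Review bot: In `.deploy-prod-rules` the `- if: $FORCE_CI` / `when: manual` rule comes before the `when: never` guard on `PROD_MODULES_REGISTRY`/`PROD_MODULES_REGISTRY_PATH`, so with `FORCE_CI` set the manual deploy jobs are created even when those variables are empty; moving the guard to the top of the list makes it apply in every case. The guard tests the `PROD_*` variables, but the `.deploy` script reads `REPO="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}/${MODULES_MODULE_NAME}/release"`, and neither this hunk nor the `Deploy to *` jobs in jobs/Deploy_PROD.gitlab-ci.yml (which only set `RELEASE_CHANNEL`) map the PROD values into `MODULES_REGISTRY`/`MODULES_REGISTRY_PATH` the way `Publish DEV` does with its `variables:` block, so unless they are defined elsewhere in the project `REPO` begins with `//`. `.deploy` also has no `.setup` reference and no `werf cr login` before `crane copy`, which previously came from the global `before_script` that patch 01 moved into `.setup`; a comment stating whether the runner image is expected to carry the credentials, or a login step for `${MODULES_REGISTRY}`, is needed. The `.deploy` script continues past the end of the hunk.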
Signed-off-by: Ivan.Makeev --- .../{ => multi-repo}/Deploy_DEV.gitlab-ci.yml | 0 .../Deploy_PROD.gitlab-ci.yml | 0 templates/Build.gitlab-ci.yml | 47 ++++++-- templates/Deploy.gitlab-ci.yml | 68 ++---------- templates/Setup.gitlab-ci.yml | 100 ++++++------------ templates/multi-repo/Build.gitlab-ci.yml | 15 +++ templates/multi-repo/Deploy.gitlab-ci.yml | 72 +++++++++++++ templates/{ => multi-repo}/Lint.gitlab-ci.yml | 0 templates/multi-repo/Setup.gitlab-ci.yml | 71 +++++++++++++ 9 files changed, 240 insertions(+), 133 deletions(-) rename jobs/{ => multi-repo}/Deploy_DEV.gitlab-ci.yml (100%) rename jobs/{ => multi-repo}/Deploy_PROD.gitlab-ci.yml (100%) create mode 100644 templates/multi-repo/Build.gitlab-ci.yml create mode 100644 templates/multi-repo/Deploy.gitlab-ci.yml rename templates/{ => multi-repo}/Lint.gitlab-ci.yml (100%) create mode 100644 templates/multi-repo/Setup.gitlab-ci.yml diff --git a/jobs/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml similarity index 100% rename from jobs/Deploy_DEV.gitlab-ci.yml rename to jobs/multi-repo/Deploy_DEV.gitlab-ci.yml diff --git a/jobs/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml similarity index 100% rename from jobs/Deploy_PROD.gitlab-ci.yml rename to jobs/multi-repo/Deploy_PROD.gitlab-ci.yml diff --git a/templates/Build.gitlab-ci.yml b/templates/Build.gitlab-ci.yml index 18d731e..841cb6e 100644 --- a/templates/Build.gitlab-ci.yml +++ b/templates/Build.gitlab-ci.yml 
@@ -1,15 +1,46 @@ +# variables: +# $MODULES_MODULE_SOURCE - base URL for the registry, e.g., registry.example.com/deckhouse/modules +# $MODULES_MODULE_NAME (Optional) - module name, by default it is equal to the project name +# $WERF_REPO - registry path, default ${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME} + +.lint: + stage: build + script: + - | + dmt lint ./ + only: + - branches + - tags + allow_failure: true + .build: stage: build - rules: - - !reference [.default_rules, rules] - before_script: - - !reference [.setup, before_script] script: # Build images - | werf build \ --save-build-report --build-report-path images_tags_werf.json - artifacts: - paths: - - images_tags_werf.json - expire_in: "30 days" + # Bundle image + - | + IMAGE_SRC="$(jq -r '.Images."bundle".DockerImageName' images_tags_werf.json)" + IMAGE_DST="$(jq -r '.Images.bundle.DockerRepo' images_tags_werf.json):${MODULES_MODULE_TAG}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + # Release-channel image + - | + IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)" + IMAGE_DST="$(jq -r '.Images."release-channel-version".DockerRepo' images_tags_werf.json)/release:${MODULES_MODULE_TAG}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + # Register module + - | + echo "✨ Register the module ${MODULES_MODULE_NAME}" + crane append \ + --oci-empty-base \ + --new_layer "" \ + --new_tag "${MODULES_MODULE_SOURCE}:${MODULES_MODULE_NAME}" + only: + - tags + - branches \ No newline at end of file diff --git a/templates/Deploy.gitlab-ci.yml b/templates/Deploy.gitlab-ci.yml index aec1800..9ff48be 100644 --- a/templates/Deploy.gitlab-ci.yml +++ b/templates/Deploy.gitlab-ci.yml 
@@ -1,72 +1,20 @@ -.publish: - stage: deploy - script: - - | - # Login to Gitlab (source) registry if target registry is not same Gitlab - if [[ "x${MODULES_REGISTRY}" != "x${CI_REGISTRY}" ]]; then - echo "Login to Gitlab (source) ${CI_REGISTRY}..." - werf cr login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} - fi - - # Login to target registry - werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} - # generate MODULES_MODULE_SOURCE - - | - export MODULES_MODULE_SOURCE="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}" - # Module images - - | - for image in $(ls images); do - IMAGE_SRC="$(jq -r ".Images.\"$image\".DockerImageName" images_tags_werf.json)" - IMAGE_TAG="$(jq -r ".Images.\"$image\".DockerTag" images_tags_werf.json)" - IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${IMAGE_TAG}" - - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} - done - # Bundle image - - | - IMAGE_SRC="$(jq -r '.Images."bundle".DockerImageName' images_tags_werf.json)" - IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}" - - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} - # Release-channel image - - | - IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)" - IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release:${MODULES_MODULE_TAG}" - - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} - # Register module - - | - echo "✨ Register the module ${MODULES_MODULE_NAME}" - crane append \ - --oci-empty-base \ - --new_layer "" \ - --new_tag "${MODULES_MODULE_SOURCE}:${MODULES_MODULE_NAME}" +# variables: +# $MODULES_MODULE_SOURCE - base URL for the registry, e.g., registry.example.com/deckhouse/modules +# $MODULES_MODULE_NAME (Optional) - module name, by default it is equal to the project name +# $RELEASE_CHANNEL - lowercase release 
channel name, e.g., alpha, stable, early-access -.deploy-prod-rules: - rules: - # add MANUAL deploy job if $FORCE_CI variable is defined - - if: $FORCE_CI - when: manual - # do not run if some required variables is empty - - if: '$PROD_MODULES_REGISTRY == null || $PROD_MODULES_REGISTRY == "" || $PROD_MODULES_REGISTRY_PATH == null || $PROD_MODULES_REGISTRY_PATH == ""' - when: never - # add MANUAL deploy job only if it is a tag release and release channel is defined - - if: '$CI_COMMIT_TAG && $RELEASE_CHANNEL' - when: manual .deploy: stage: deploy - rules: - - !reference [.deploy-prod-rules, rules] script: - | - REPO="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}/${MODULES_MODULE_NAME}/release" + REPO="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release" IMAGE_SRC="${REPO}:${MODULES_MODULE_TAG}" IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" crane copy "${IMAGE_SRC}" "${IMAGE_DST}" + only: + - tags + when: manual \ No newline at end of file diff --git a/templates/Setup.gitlab-ci.yml b/templates/Setup.gitlab-ci.yml index 32a7293..364b38b 100644 --- a/templates/Setup.gitlab-ci.yml +++ b/templates/Setup.gitlab-ci.yml 
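Review bot: The removed `.deploy-prod-rules` refused to create the job unless `$RELEASE_CHANNEL` was set, and the replacement `only: [tags]` plus `when: manual` has no equivalent, so a manual run of a job extending `.deploy` with the variable unset computes `IMAGE_DST="${REPO}:"` and hands crane an empty tag. Restoring the check inside the script, `: "${RELEASE_CHANNEL:?RELEASE_CHANNEL must be set, e.g. alpha, beta, stable}"` before the `REPO=` line, fails with a clear message instead. The new header comment documents `$RELEASE_CHANNEL` as an input; it could also state that the job is tag-only and manual, since that is no longer visible in a `rules:` block.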
@@ -1,71 +1,41 @@ variables: - ############################## - # User default settings - ############################## - MODULES_MODULE_NAME: "${CI_PROJECT_NAME}" MODULES_MODULE_TAG: ${CI_COMMIT_REF_NAME} - - ############################## - # Internal default settings - ############################## BASE_IMAGES_VERSION: v0.2 - - # use module's container registry (on Gitlab) as werf's intermediate/cache images registry (repo with all build-time artifacts (garbage)) - WERF_REPO: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} - + WERF_REPO: ${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME} + +before_script: + # Setup trdl + - | + trdl_version=$(curl -s https://tuf.trdl.dev/targets/channels/0/stable) + curl -sSLO "https://tuf.trdl.dev/targets/releases/$trdl_version/linux-amd64/bin/trdl" + install -D trdl ~/bin/trdl + rm trdl + export PATH=$PATH:~/bin + + # Setup werf + - | + trdl add werf https://tuf.werf.io 1 b7ff6bcbe598e072a86d595a3621924c8612c7e6dc6a82e919abe89707d7e3f468e616b5635630680dd1e98fc362ae5051728406700e6274c5ed1ad92bea52a2 + source $(trdl use werf ${WERF_VERSION:-1.2 stable}) + source $(werf ci-env gitlab --as-file) + + # Login to gitlab registry by default + if [[ "x${MODULES_REGISTRY_LOGIN}" == "x" ]]; then + MODULES_REGISTRY_LOGIN="${CI_REGISTRY_USER}" + fi + if [[ "x${MODULES_REGISTRY_PASSWORD}" == "x" ]]; then + MODULES_REGISTRY_PASSWORD="${CI_REGISTRY_PASSWORD}" + fi + werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} + + # Setup dmt + - | + trdl add dmt https://trrr.flant.dev/trdl-dmt/ 0 e77d785600a8c8612b84b93a5a2e4c48188d68f7478356d0708213e928bf67b024ed412e702dc32930da5c5bfc9b1c44be3ee7a292f923327815c91c6c3c3833 + source $(trdl use dmt 0 stable) + + # Download base images yaml file + - env | grep BASE_IMAGES_VERSION + - curl --fail -sSLO https://fox.flant.com/api/v4/projects/deckhouse%2Fbase-images/packages/generic/base_images/${BASE_IMAGES_VERSION}/base_images.yml stages: - - lint - build - - deploy - 
-.default_rules: - rules: - # run if $FORCE_CI variable is defined - - if: '$FORCE_CI' - # run if there is a tag defined (module release workflow) - - if: '$CI_COMMIT_TAG' - # run if there is a merge request event - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - # DO NOT run if there is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) - - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' - when: never - # run if there is a push to a branch (without opened merge requests) - - if: '$CI_COMMIT_BRANCH' - -.setup: - before_script: - # Setup trdl - - | - trdl_version=$(curl -s https://tuf.trdl.dev/targets/channels/0/stable) - curl -sSLO "https://tuf.trdl.dev/targets/releases/$trdl_version/linux-amd64/bin/trdl" - install -D trdl ~/bin/trdl - rm trdl - export PATH=$PATH:~/bin - - # Setup werf - - | - trdl add werf https://tuf.werf.io 1 b7ff6bcbe598e072a86d595a3621924c8612c7e6dc6a82e919abe89707d7e3f468e616b5635630680dd1e98fc362ae5051728406700e6274c5ed1ad92bea52a2 - source $(trdl use werf ${WERF_VERSION:-1.2 stable}) - source $(werf ci-env gitlab --as-file) - - # Login to gitlab registry by default - if [[ "x${MODULES_REGISTRY}" == "x" ]]; then - MODULES_REGISTRY="${CI_REGISTRY}" - fi - if [[ "x${MODULES_REGISTRY_LOGIN}" == "x" ]]; then - MODULES_REGISTRY_LOGIN="${CI_REGISTRY_USER}" - fi - if [[ "x${MODULES_REGISTRY_PASSWORD}" == "x" ]]; then - MODULES_REGISTRY_PASSWORD="${CI_REGISTRY_PASSWORD}" - fi - werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} - - # Setup dmt - - | - trdl add dmt https://trrr.flant.dev/trdl-dmt/ 0 e77d785600a8c8612b84b93a5a2e4c48188d68f7478356d0708213e928bf67b024ed412e702dc32930da5c5bfc9b1c44be3ee7a292f923327815c91c6c3c3833 - source $(trdl use dmt 0 stable) - - # Download base images yaml file - - env | grep BASE_IMAGES_VERSION - - curl --fail -sSLO 
https://fox.flant.com/api/v4/projects/deckhouse%2Fbase-images/packages/generic/base_images/${BASE_IMAGES_VERSION}/base_images.yml + - deploy \ No newline at end of file diff --git a/templates/multi-repo/Build.gitlab-ci.yml b/templates/multi-repo/Build.gitlab-ci.yml new file mode 100644 index 0000000..18d731e --- /dev/null +++ b/templates/multi-repo/Build.gitlab-ci.yml @@ -0,0 +1,15 @@ +.build: + stage: build + rules: + - !reference [.default_rules, rules] + before_script: + - !reference [.setup, before_script] + script: + # Build images + - | + werf build \ + --save-build-report --build-report-path images_tags_werf.json + artifacts: + paths: + - images_tags_werf.json + expire_in: "30 days" diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml new file mode 100644 index 0000000..aec1800 --- /dev/null +++ b/templates/multi-repo/Deploy.gitlab-ci.yml 
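Review bot: The restored top-level `before_script` ends with `werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY}`, but the removed block's default `MODULES_REGISTRY="${CI_REGISTRY}"` was not carried over and this template's `variables:` block never sets `MODULES_REGISTRY`, so the login runs with an empty registry argument unless the project defines the variable itself; either re-add the `if [[ "x${MODULES_REGISTRY}" == "x" ]]; then MODULES_REGISTRY="${CI_REGISTRY}"; fi` default or document `MODULES_REGISTRY` next to the other variables. The trdl bootstrap reads the channel with plain `curl -s`, so an HTTP error leaves `trdl_version` empty or holding an error body and the following `curl` fetches a bogus URL; `curl -sSf` fails the job at the first step instead. The downloaded `trdl` binary is also installed without any integrity check before it is trusted to install werf and dmt, which is worth a pinned checksum comparison (`EXPECTED_SHA256_PLACEHOLDER`) unless the runner image can ship trdl preinstalled. The same bootstrap and login lines are repeated in the new `templates/multi-repo/Setup.gitlab-ci.yml` hunk below.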
@@ -0,0 +1,72 @@ +.publish: + stage: deploy + script: + - | + # Login to Gitlab (source) registry if target registry is not same Gitlab + if [[ "x${MODULES_REGISTRY}" != "x${CI_REGISTRY}" ]]; then + echo "Login to Gitlab (source) ${CI_REGISTRY}..." + werf cr login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} + fi + + # Login to target registry + werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} + # generate MODULES_MODULE_SOURCE + - | + export MODULES_MODULE_SOURCE="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}" + # Module images + - | + for image in $(ls images); do + IMAGE_SRC="$(jq -r ".Images.\"$image\".DockerImageName" images_tags_werf.json)" + IMAGE_TAG="$(jq -r ".Images.\"$image\".DockerTag" images_tags_werf.json)" + IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${IMAGE_TAG}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + done + # Bundle image + - | + IMAGE_SRC="$(jq -r '.Images."bundle".DockerImageName' images_tags_werf.json)" + IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + # Release-channel image + - | + IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)" + IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release:${MODULES_MODULE_TAG}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + # Register module + - | + echo "✨ Register the module ${MODULES_MODULE_NAME}" + crane append \ + --oci-empty-base \ + --new_layer "" \ + --new_tag "${MODULES_MODULE_SOURCE}:${MODULES_MODULE_NAME}" + +.deploy-prod-rules: + rules: + # add MANUAL deploy job if $FORCE_CI variable is defined + - if: $FORCE_CI + when: manual + # do not run if some required variables is empty + - if: '$PROD_MODULES_REGISTRY == null || $PROD_MODULES_REGISTRY == "" 
|| $PROD_MODULES_REGISTRY_PATH == null || $PROD_MODULES_REGISTRY_PATH == ""' + when: never + # add MANUAL deploy job only if it is a tag release and release channel is defined + - if: '$CI_COMMIT_TAG && $RELEASE_CHANNEL' + when: manual + +.deploy: + stage: deploy + rules: + - !reference [.deploy-prod-rules, rules] + script: + - | + REPO="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}/${MODULES_MODULE_NAME}/release" + + IMAGE_SRC="${REPO}:${MODULES_MODULE_TAG}" + IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy "${IMAGE_SRC}" "${IMAGE_DST}" diff --git a/templates/Lint.gitlab-ci.yml b/templates/multi-repo/Lint.gitlab-ci.yml similarity index 100% rename from templates/Lint.gitlab-ci.yml rename to templates/multi-repo/Lint.gitlab-ci.yml diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml new file mode 100644 index 0000000..32a7293 --- /dev/null +++ b/templates/multi-repo/Setup.gitlab-ci.yml 
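Review bot: Neither `.publish` nor `.deploy` carries a `before_script`, while the sibling `.build` in this series explicitly pulls in `!reference [.setup, before_script]`; since `.publish` calls `werf cr login` and both jobs call `crane`, they appear to depend on each concrete job (or the runner image) supplying the tooling and the registry login, and that expectation should at least be stated in a header comment on the file. `for image in $(ls images); do` word-splits `ls` output; a glob such as `for image in images/*/; do image="$(basename "$image")"` is the usual form and gives a defined empty-directory behaviour. The `.deploy-prod-rules` guard checks only `PROD_MODULES_REGISTRY` and `PROD_MODULES_REGISTRY_PATH`, so a missing `PROD_MODULES_REGISTRY_LOGIN`/`PROD_MODULES_REGISTRY_PASSWORD` pair is discovered only when the login fails at run time.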
@@ -0,0 +1,71 @@ +variables: + ############################## + # User default settings + ############################## + + MODULES_MODULE_NAME: "${CI_PROJECT_NAME}" + MODULES_MODULE_TAG: ${CI_COMMIT_REF_NAME} + + ############################## + # Internal default settings + ############################## + BASE_IMAGES_VERSION: v0.2 + + # use module's container registry (on Gitlab) as werf's intermediate/cache images registry (repo with all build-time artifacts (garbage)) + WERF_REPO: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} + +stages: + - lint + - build + - deploy + +.default_rules: + rules: + # run if $FORCE_CI variable is defined + - if: '$FORCE_CI' + # run if there is a tag defined (module release workflow) + - if: '$CI_COMMIT_TAG' + # run if there is a merge request event + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + # DO NOT run if there is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) + - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' + when: never + # run if there is a push to a branch (without opened merge requests) + - if: '$CI_COMMIT_BRANCH' + +.setup: + before_script: + # Setup trdl + - | + trdl_version=$(curl -s https://tuf.trdl.dev/targets/channels/0/stable) + curl -sSLO "https://tuf.trdl.dev/targets/releases/$trdl_version/linux-amd64/bin/trdl" + install -D trdl ~/bin/trdl + rm trdl + export PATH=$PATH:~/bin + + # Setup werf + - | + trdl add werf https://tuf.werf.io 1 b7ff6bcbe598e072a86d595a3621924c8612c7e6dc6a82e919abe89707d7e3f468e616b5635630680dd1e98fc362ae5051728406700e6274c5ed1ad92bea52a2 + source $(trdl use werf ${WERF_VERSION:-1.2 stable}) + source $(werf ci-env gitlab --as-file) + + # Login to gitlab registry by default + if [[ "x${MODULES_REGISTRY}" == "x" ]]; then + MODULES_REGISTRY="${CI_REGISTRY}" + fi + if [[ "x${MODULES_REGISTRY_LOGIN}" == "x" ]]; then + MODULES_REGISTRY_LOGIN="${CI_REGISTRY_USER}" + fi + if [[ "x${MODULES_REGISTRY_PASSWORD}" == "x" ]]; then + 
MODULES_REGISTRY_PASSWORD="${CI_REGISTRY_PASSWORD}" + fi + werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} + + # Setup dmt + - | + trdl add dmt https://trrr.flant.dev/trdl-dmt/ 0 e77d785600a8c8612b84b93a5a2e4c48188d68f7478356d0708213e928bf67b024ed412e702dc32930da5c5bfc9b1c44be3ee7a292f923327815c91c6c3c3833 + source $(trdl use dmt 0 stable) + + # Download base images yaml file + - env | grep BASE_IMAGES_VERSION + - curl --fail -sSLO https://fox.flant.com/api/v4/projects/deckhouse%2Fbase-images/packages/generic/base_images/${BASE_IMAGES_VERSION}/base_images.yml From 34cad561e03aa6fca5f030fffb149baea3af18fd Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 31 Mar 2025 12:34:51 +0400 Subject: [PATCH 12/82] * multi-repo readme and example Signed-off-by: Ivan.Makeev --- README.md | 19 ++++++++++ examples/multi-repo-module.gitlab-ci.yml | 44 ++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 examples/multi-repo-module.gitlab-ci.yml diff --git a/README.md b/README.md index bcd5ff9..ca4c322 100644 --- a/README.md +++ b/README.md 
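Review bot: `werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY}` passes the registry password as a command-line argument, where it is visible to anything that can list processes on the runner and is printed verbatim if a job ever enables shell tracing; if the pinned `WERF_VERSION` supports a stdin-based password option, feeding the secret that way keeps it out of argv, and the `*_PASSWORD` values should be masked CI variables either way. The `[[ "x${VAR}" == "x" ]]` defaulting is an old portability idiom that `[[ -z "${VAR}" ]]` expresses directly, e.g. `if [[ -z "${MODULES_REGISTRY}" ]]; then MODULES_REGISTRY="${CI_REGISTRY}"; fi`. The `.default_rules` block would benefit from one comment stating that the `$FORCE_CI` rule is matched first and therefore bypasses the duplicate-pipeline suppression two rules below it.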
@@ -25,6 +25,25 @@ Build: The [`examples`](examples/) folder contains examples of `.gitlab-ci.yml` that can be assembled from the templates. +## Multi-repository templates + +In `templates/multi-repo` the CI workflow differs from `basic` CI (which in `templates`) in the following key aspects: + +- In `multi-repo` workflow we can push to `dev` and `prod` registries separately with their own rules (see `jobs/multi-repo` and/or `examples/multi-repo-module.gitlab-ci.yml` for example jobs). +- All werf's caches and other artifacts (from `build` stage) are stored in Gitlab's module's registry by default. And **only final images** are pushed to the dev/prod registries. So, even in dev-registry there **should be no** "build-time garbage" and/or some "extra" images/layers for each module. + +### Detailed differences between `multi-repo` and `basic` workflows + +- [General] There is additional stage `lint` before `build`. +- [General] All `only` sections (like `only: [tags, branches]`) replaced with corresponding `rules` section. +- [General] Added `.default_rules` hidden job (see `templates/multi-repo/Setup.gitlab-ci.yml`) for easy modification of this whole workflow. +- [General] Added `.deploy-prod-rules` hidden job (see `templates/multi-repo/Deploy.gitlab-ci.yml`) for easy modification of `deploy to production` workflow. +- [General] Added `jobs/multi-repo` jobs files which user can include and use in their own workflow. +- [Refactor] Default `before_script` section (see `templates/Setup.gitlab-ci.yml`) moved to `.setup/before_script` job. +- [Refactor] `dmt lint` job moved to `lint` stage in dedicated `templates/multi-repo/Lint.gitlab-ci.yml` file. +- [Refactor] All werf's caches and other artifacts (from `build` stage) are stored in Gitlab's registry (`${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME}`) by default. 
+- [Refactor] Images publishing (via `crane copy`) and module's self-registration processes moved to dedicated hidden job `.publish` (see `templates/multi-repo/Deploy.gitlab-ci.yml`). + ## Variables `$MODULES_REGISTRY` - base URL for the registry, e.g. `registry.example.com` diff --git a/examples/multi-repo-module.gitlab-ci.yml b/examples/multi-repo-module.gitlab-ci.yml new file mode 100644 index 0000000..9d65411 --- /dev/null +++ b/examples/multi-repo-module.gitlab-ci.yml 
@@ -0,0 +1,44 @@ +include: + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/templates/Setup.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/templates/Lint.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/templates/Build.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/templates/Deploy.gitlab-ci.yml' + # deploy jobs for DEV registry + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/jobs/Deploy_DEV.gitlab-ci.yml' + # deploy jobs for PROD registry + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/jobs/Deploy_PROD.gitlab-ci.yml' + +variables: + # Do not forget to put these variables to your Gitlab CI secrets: + # They are REQUIRED and used for pulling/pushing images to the corresponding registry + # - DEV_MODULES_REGISTRY: DEV registry domain (like: registry.example.com) + # - DEV_MODULES_REGISTRY_PATH: path to modules repository in DEV registry (like: deckhouse/modules) + # - DEV_MODULES_REGISTRY_LOGIN: username to log in to DEV registry + # - DEV_MODULES_REGISTRY_PASSWORD: password to log in to DEV registry + + # WARNING: If some of following variables are NOT SET, then there is NO production deployment jobs will be created in pipeline + # - PROD_MODULES_REGISTRY: PROD registry domain (like: registry.example.com) + # - PROD_MODULES_REGISTRY_PATH: path to modules repository in PROD registry (like: deckhouse/modules) + # - PROD_MODULES_REGISTRY_LOGIN: username to log in to PROD registry + # - PROD_MODULES_REGISTRY_PASSWORD: password to log in to PROD registry + WERF_VERSION: "2 stable" + 
BASE_IMAGES_VERSION: v0.2 + +default: + tags: + - my-runner-tag + + +###### LINT STAGE ###### + +Lint: + extends: .lint + +###### END OF LINT STAGE ###### + +###### BUILD STAGE ###### + +Build: + extends: .build + +###### END OF BUILD STAGE ###### From 13fb130696d08ba77a79f84342345352797a76f2 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 1 Apr 2025 10:08:47 +0400 Subject: [PATCH 13/82] * fix URL to templates in `multi-repo-module.gitlab-ci.yml` as it already merged into `main` Signed-off-by: Ivan.Makeev --- examples/multi-repo-module.gitlab-ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/multi-repo-module.gitlab-ci.yml b/examples/multi-repo-module.gitlab-ci.yml index 9d65411..c084174 100644 --- a/examples/multi-repo-module.gitlab-ci.yml +++ b/examples/multi-repo-module.gitlab-ci.yml 
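Review bot: Every `include: remote:` URL points at a mutable branch (`refs/heads/i-makeev/feature-multirepo-workflow` here, and `refs/heads/main` after the URL fix in the next commit of this series), so the module's pipeline definition, including the jobs that receive the DEV/PROD registry credentials, changes whenever that branch moves; the README in this repository already recommends pinning to a specific commit, and the example should follow that advice, e.g. `https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/COMMIT_SHA_PLACEHOLDER/templates/multi-repo/Setup.gitlab-ci.yml` with a real SHA. The header comment listing the `DEV_*`/`PROD_*` variables could also say that the `_PASSWORD` entries should be defined as masked (and, for PROD, protected) CI variables, since `.publish` hands them to `werf cr login` on the command line.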
@@ -1,12 +1,12 @@ include: - - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/templates/Setup.gitlab-ci.yml' - - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/templates/Lint.gitlab-ci.yml' - - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/templates/Build.gitlab-ci.yml' - - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/templates/Deploy.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/templates/multi-repo/Setup.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/templates/multi-repo/Lint.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/templates/multi-repo/Build.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/templates/multi-repo/Deploy.gitlab-ci.yml' # deploy jobs for DEV registry - - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/jobs/Deploy_DEV.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml' # deploy jobs for PROD registry - - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/i-makeev/feature-multirepo-workflow/jobs/Deploy_PROD.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml' variables: # Do not forget to put these variables to your Gitlab CI secrets: From f3eb92377c21e37121ab2266c07391324707e9ca Mon Sep 17 00:00:00 2001 
From: "Ivan.Makeev" Date: Tue, 1 Apr 2025 14:45:02 +0400 Subject: [PATCH 14/82] * add `Publish default branch to DEV` job to `Deploy_DEV` Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_DEV.gitlab-ci.yml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml index 52b5ae9..efd1bb0 100644 --- a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml @@ -1,6 +1,6 @@ # emulate same behaviour as in Deckhouse Github registry # when opened PRs will pushed to dev registry -Publish DEV: +Publish merge request to DEV: extends: .publish variables: MODULES_REGISTRY: ${DEV_MODULES_REGISTRY} @@ -18,3 +18,21 @@ Publish DEV: when: on_success # do not run in other cases - when: never + +Publish default branch to DEV: + extends: .publish + variables: + MODULES_REGISTRY: ${DEV_MODULES_REGISTRY} + MODULES_REGISTRY_PATH: ${DEV_MODULES_REGISTRY_PATH} + MODULES_REGISTRY_LOGIN: ${DEV_MODULES_REGISTRY_LOGIN} + MODULES_REGISTRY_PASSWORD: ${DEV_MODULES_REGISTRY_PASSWORD} + MODULES_MODULE_TAG: ${CI_DEFAULT_BRANCH} + rules: + # do not run if some required variables is empty + - if: '$DEV_MODULES_REGISTRY == null || $DEV_MODULES_REGISTRY == "" || $DEV_MODULES_REGISTRY_PATH == null || $DEV_MODULES_REGISTRY_PATH == ""' + when: never + # run only for default (main/master) branch + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + when: on_success + # do not run in other cases + - when: never From e13130d0a680fdcbd5e43a029c4489e35f368179 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 1 Apr 2025 17:19:05 +0400 Subject: [PATCH 15/82] * added `Cleanup` job Signed-off-by: Ivan.Makeev --- README.md | 3 ++- templates/multi-repo/Cleanup.gitlab-ci.yml | 11 +++++++++++ templates/multi-repo/Setup.gitlab-ci.yml | 1 + 3 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 templates/multi-repo/Cleanup.gitlab-ci.yml 
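Review bot: The required-variable rule of the new `Publish default branch to DEV` job checks only `DEV_MODULES_REGISTRY` and `DEV_MODULES_REGISTRY_PATH`, while `.publish` also needs `DEV_MODULES_REGISTRY_LOGIN`/`DEV_MODULES_REGISTRY_PASSWORD` for its `werf cr login`; extending the `if:` with `|| $DEV_MODULES_REGISTRY_LOGIN == null || $DEV_MODULES_REGISTRY_LOGIN == "" || $DEV_MODULES_REGISTRY_PASSWORD == null || $DEV_MODULES_REGISTRY_PASSWORD == ""` skips the job instead of failing at login (the rules of `Publish merge request to DEV` lie outside the hunk and probably want the same). The `variables:` block is a verbatim copy of the job above it; a hidden `.publish_dev` holding the four `DEV_*` mappings, with both jobs extending it, would keep the two in step. A one-line comment on `MODULES_MODULE_TAG: ${CI_DEFAULT_BRANCH}` explaining why it is overridden would help, since under this job's rule `${CI_COMMIT_REF_NAME}`, the template default, already equals the default branch.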
diff --git a/README.md b/README.md index ca4c322..e3c87b6 100644 --- a/README.md +++ b/README.md @@ -34,8 +34,9 @@ In `templates/multi-repo` the CI workflow differs from `basic` CI (which in `tem ### Detailed differences between `multi-repo` and `basic` workflows -- [General] There is additional stage `lint` before `build`. +- [General] There is additional stage `lint` before `build` and `cleanup` stage after `deploy`. - [General] All `only` sections (like `only: [tags, branches]`) replaced with corresponding `rules` section. +- [General] Added `Cleanup` job to cleanup Gitlab's registry by pipeline schedule - [General] Added `.default_rules` hidden job (see `templates/multi-repo/Setup.gitlab-ci.yml`) for easy modification of this whole workflow. - [General] Added `.deploy-prod-rules` hidden job (see `templates/multi-repo/Deploy.gitlab-ci.yml`) for easy modification of `deploy to production` workflow. - [General] Added `jobs/multi-repo` jobs files which user can include and use in their own workflow. diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml new file mode 100644 index 0000000..f60c843 --- /dev/null +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml @@ -0,0 +1,11 @@ +Cleanup: + stage: cleanup + rules: + - if: $CI_PIPELINE_SOURCE == "schedule" + when: on_success + - when: never + before_script: + - !reference [.setup, before_script] + script: + - werf managed-images ls + - werf cleanup diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 32a7293..bf2bb27 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -18,6 +18,7 @@ stages: - lint - build - deploy + - cleanup .default_rules: rules: From 36be3a7003c8f2e85bd489ff520b7f56ba8354d8 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 1 Apr 2025 17:24:23 +0400 Subject: [PATCH 16/82] * add cleanup include to `multi-repo` example 
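Review bot: `Scheduled cleanup` runs `werf cleanup` against `WERF_REPO` (the project's own GitLab registry in this template) with whatever credentials `.setup`'s `before_script` logged in with, and its rule admits every scheduled pipeline of the project, not only one created for cleanup; a header comment stating both facts, and noting that deleting tags from a GitLab registry may need more rights than the job token grants (I cannot confirm the exact permission from here), would save the first operator a surprise. If a project has several schedules, gating on a variable set only on the cleanup schedule, e.g. `- if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULE_CLEANUP == "true"` (variable name illustrative), keeps the others from running it.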
Signed-off-by: Ivan.Makeev --- examples/multi-repo-module.gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/multi-repo-module.gitlab-ci.yml b/examples/multi-repo-module.gitlab-ci.yml index c084174..f21e819 100644 --- a/examples/multi-repo-module.gitlab-ci.yml +++ b/examples/multi-repo-module.gitlab-ci.yml @@ -3,6 +3,7 @@ include: - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/templates/multi-repo/Lint.gitlab-ci.yml' - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/templates/multi-repo/Build.gitlab-ci.yml' - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/templates/multi-repo/Deploy.gitlab-ci.yml' + - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/templates/multi-repo/Cleanup.gitlab-ci.yml' # deploy jobs for DEV registry - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml' # deploy jobs for PROD registry From d7bf265d610dcce9af2136c6e036814d9a8f65ee Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 2 Apr 2025 12:15:27 +0400 Subject: [PATCH 17/82] * add `Auto cleanup` job which randomly (if current second is divided by 10) runs before `build` stage Signed-off-by: Ivan.Makeev --- README.md | 3 ++- templates/multi-repo/Cleanup.gitlab-ci.yml | 18 +++++++++++++++++- templates/multi-repo/Setup.gitlab-ci.yml | 5 ++++- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e3c87b6..69e6537 100644 --- a/README.md +++ b/README.md 
@@ -36,7 +36,8 @@ In `templates/multi-repo` the CI workflow differs from `basic` CI (which in `tem - [General] There is additional stage `lint` before `build` and `cleanup` stage after `deploy`. - [General] All `only` sections (like `only: [tags, branches]`) replaced with corresponding `rules` section. -- [General] Added `Cleanup` job to cleanup Gitlab's registry by pipeline schedule +- [General] Added `Scheduled cleanup` job to cleanup Gitlab's registry by pipeline schedule +- [General] Added `Auto cleanup` job to cleanup Gitlab's registry BEFORE `build` stage. Can be disabled via `AUTO_CLEANUP="false"` variable. - [General] Added `.default_rules` hidden job (see `templates/multi-repo/Setup.gitlab-ci.yml`) for easy modification of this whole workflow. - [General] Added `.deploy-prod-rules` hidden job (see `templates/multi-repo/Deploy.gitlab-ci.yml`) for easy modification of `deploy to production` workflow. - [General] Added `jobs/multi-repo` jobs files which user can include and use in their own workflow. diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index f60c843..64d7833 100644 --- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml @@ -1,4 +1,4 @@ -Cleanup: +Scheduled cleanup: stage: cleanup rules: - if: $CI_PIPELINE_SOURCE == "schedule" @@ -9,3 +9,19 @@ Cleanup: script: - werf managed-images ls - werf cleanup + +Auto cleanup: + stage: cleanup + rules: + - if: $AUTO_CLEANUP == "true" || $AUTO_CLEANUP == "1" + when: on_success + - when: never + before_script: + - !reference [.setup, before_script] + script: + - | + if (( $(date +%s) % 10 == 0 )); then + echo "✨ Run auto cleanup" + werf managed-images ls + werf cleanup + fi diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index bf2bb27..4800a35 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml 
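Review bot: `Auto cleanup` decides whether to do anything with `if (( $(date +%s) % 10 == 0 ))`, so the sampling is tied to the wall-clock second at which the script reaches that line rather than to anything random, and when the test is false the job exits green without printing why. At minimum add an `else` branch, `else echo "Auto cleanup skipped (sampled out)"; fi`, so a successful job with no output is explainable, and a comment naming the intended roughly-10% rate; `$RANDOM % 10` would make the sample independent of timing if that is the intent. The job shares its `before_script` and both `werf` lines with `Scheduled cleanup`, so a hidden `.cleanup` base that both extend would remove the duplication.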
@@ -5,6 +5,9 @@ variables: MODULES_MODULE_NAME: "${CI_PROJECT_NAME}" MODULES_MODULE_TAG: ${CI_COMMIT_REF_NAME} + # Enable auto-cleanup job by default. + # `Auto cleanup` job is run randomly, only if current second is divisible by 10 + AUTO_CLEANUP: "true" ############################## # Internal default settings @@ -16,9 +19,9 @@ variables: stages: - lint + - cleanup - build - deploy - - cleanup .default_rules: rules: From 66f58d1c887bf2dff53710a3096ab337cc276443 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 2 Apr 2025 12:21:40 +0400 Subject: [PATCH 18/82] * fix `auto cleanup` job rules Signed-off-by: Ivan.Makeev --- templates/multi-repo/Cleanup.gitlab-ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index 64d7833..1f87be1 100644 --- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml @@ -13,9 +13,10 @@ Scheduled cleanup: Auto cleanup: stage: cleanup rules: - - if: $AUTO_CLEANUP == "true" || $AUTO_CLEANUP == "1" - when: on_success - - when: never + # do not run if this job is explicitly disabled by user + - if: $AUTO_CLEANUP == "false" || $AUTO_CLEANUP == "0" || $AUTO_CLEANUP == "" + when: never + - !reference [.default_rules, rules] before_script: - !reference [.setup, before_script] script: From ac682ef137f2f2c05db4df1ca4aed5236d17d2cf Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 2 Apr 2025 12:25:26 +0400 Subject: [PATCH 19/82] * allow `auto cleanup` job to fail Signed-off-by: Ivan.Makeev --- templates/multi-repo/Cleanup.gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index 1f87be1..58ad9a8 100644 --- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml 
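Review bot: The new comment on `AUTO_CLEANUP` ("run randomly, only if current second is divisible by 10") documents logic that lives in `templates/multi-repo/Cleanup.gitlab-ci.yml`, not in this file, so it will go stale silently; point the reader there instead, e.g. `# Enables the \`Auto cleanup\` job in Cleanup.gitlab-ci.yml; see that file for when it actually runs`. In the reworked rule further down this line, `$AUTO_CLEANUP == ""` does not match an unset (null) variable, so a project that removes the variable rather than setting it falls through to `.default_rules` and still runs the job; that is consistent with the `"true"` default set here, but deserves a comment on the rule such as `# unset is treated as enabled; only an explicit "false", "0" or "" disables the job`.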
@@ -12,6 +12,7 @@ Scheduled cleanup: Auto cleanup: stage: cleanup + allow_failure: true rules: # do not run if this job is explicitly disabled by user - if: $AUTO_CLEANUP == "false" || $AUTO_CLEANUP == "0" || $AUTO_CLEANUP == "" From f6526e54592a7b8d5d2a9d9b8eb0fae79cd496ec Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 10:07:13 +0400 Subject: [PATCH 20/82] * refactor PROD deploy with EDITION and parallel.matrix.RELEASE_CHANNEL Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 42 ++++++++++++++--------- templates/multi-repo/Deploy.gitlab-ci.yml | 35 ++++++++++++------- templates/multi-repo/Setup.gitlab-ci.yml | 1 + 3 files changed, 48 insertions(+), 30 deletions(-) diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index 09a707c..efb34c0 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -1,24 +1,32 @@ -Deploy to Alpha: - extends: .deploy - variables: - RELEASE_CHANNEL: alpha +# Deploy to PROD EE: +# extends: .deploy_prod +# variables: +# EDITION: ee +# parallel: +# matrix: +# - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] -Deploy to Beta: - extends: .deploy +Deploy to PROD FE: + extends: .deploy_prod variables: - RELEASE_CHANNEL: beta + EDITION: fe + parallel: + matrix: + - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] -Deploy to EarlyAccess: - extends: .deploy +Deploy to PROD SE: + extends: .deploy_prod variables: - RELEASE_CHANNEL: early-access + EDITION: se + parallel: + matrix: + - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] -Deploy to Stable: - extends: .deploy +Deploy to PROD SE+: + extends: .deploy_prod variables: - RELEASE_CHANNEL: stable + EDITION: se-plus + parallel: + matrix: + - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] -Deploy to RockSolid: - extends: .deploy - variables: - RELEASE_CHANNEL: rock-solid 
diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index aec1800..466489d 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -45,7 +45,19 @@ --new_layer "" \ --new_tag "${MODULES_MODULE_SOURCE}:${MODULES_MODULE_NAME}" -.deploy-prod-rules: +.deploy: + stage: deploy + script: + - | + REPO="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}/${MODULES_MODULE_NAME}/release" + + IMAGE_SRC="${REPO}:${MODULES_MODULE_TAG}" + IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" + + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy "${IMAGE_SRC}" "${IMAGE_DST}" + +.deploy_prod_rules: rules: # add MANUAL deploy job if $FORCE_CI variable is defined - if: $FORCE_CI @@ -57,16 +69,13 @@ - if: '$CI_COMMIT_TAG && $RELEASE_CHANNEL' when: manual -.deploy: - stage: deploy +.deploy_prod: + extends: .deploy rules: - - !reference [.deploy-prod-rules, rules] - script: - - | - REPO="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}/${MODULES_MODULE_NAME}/release" - - IMAGE_SRC="${REPO}:${MODULES_MODULE_TAG}" - IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" - - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy "${IMAGE_SRC}" "${IMAGE_DST}" + - !reference [.deploy_prod_rules, rules] + variables: + MODULES_REGISTRY: $PROD_MODULES_REGISTRY + MODULES_REGISTRY_LOGIN: $PROD_MODULES_REGISTRY_LOGIN + MODULES_REGISTRY_PASSWORD: $PROD_MODULES_REGISTRY_PASSWORD + # path in PROD registry must be hardcoded + MODULES_REGISTRY_PATH: deckhouse/${EDITION}/modules diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 4800a35..695db21 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml 
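Review bot: `.deploy_prod` maps `$PROD_MODULES_REGISTRY_LOGIN` and `$PROD_MODULES_REGISTRY_PASSWORD` into the job, yet `.deploy_prod_rules` creates the manual job whenever `$FORCE_CI` is defined, with no check that the ref is protected; if the PROD_* variables are configured as protected they will be empty on an unprotected branch and the login runs with blank credentials, and on a protected branch anyone allowed to run a pipeline there with `FORCE_CI` set gets a button that pushes to the production registry. Put `- if: $CI_COMMIT_REF_PROTECTED != "true"` / `  when: never` before the `$FORCE_CI` rule and keep the PROD_* variables protected and masked. The rename `.deploy-prod-rules` → `.deploy_prod_rules` is not mirrored in README.md, which still names `.deploy-prod-rules` (visible as context in the README hunk of a later commit on this page). `.deploy`'s `script` and the `.publish` job it pairs with start outside this hunk.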
@@ -14,6 +14,7 @@ variables: ############################## BASE_IMAGES_VERSION: v0.2 + # use module's container registry (on Gitlab) as werf's intermediate/cache images registry (repo with all build-time artifacts (garbage)) WERF_REPO: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} From d37be2de7ec1b5d6984a079d4eca18fe87f03cc9 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 10:16:36 +0400 Subject: [PATCH 21/82] * do not run auto-cleanup when tag defined (release workflow) Signed-off-by: Ivan.Makeev --- templates/multi-repo/Cleanup.gitlab-ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index 58ad9a8..6a82993 100644 --- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml @@ -17,6 +17,9 @@ Auto cleanup: # do not run if this job is explicitly disabled by user - if: $AUTO_CLEANUP == "false" || $AUTO_CLEANUP == "0" || $AUTO_CLEANUP == "" when: never + # do not run if there is a tag (release workflow) + - if: $CI_COMMIT_TAG + when: never - !reference [.default_rules, rules] before_script: - !reference [.setup, before_script] From faeaae9ce295b122d4670aff994ce9cee6a3aaba Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 10:16:53 +0400 Subject: [PATCH 22/82] * fix .deploy_prod_rules Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index 466489d..4b0677e 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml 
@@ -63,10 +63,10 @@ - if: $FORCE_CI when: manual # do not run if some required variables is empty - - if: '$PROD_MODULES_REGISTRY == null || $PROD_MODULES_REGISTRY == "" || $PROD_MODULES_REGISTRY_PATH == null || $PROD_MODULES_REGISTRY_PATH == ""' + - if: '$MODULES_REGISTRY == null || $MODULES_REGISTRY == "" || $MODULES_REGISTRY_PATH == null || $MODULES_REGISTRY_PATH == "" || $RELEASE_CHANNEL == null || $RELEASE_CHANNEL == ""' when: never - # add MANUAL deploy job only if it is a tag release and release channel is defined - - if: '$CI_COMMIT_TAG && $RELEASE_CHANNEL' + # add MANUAL deploy job only if it is a tag defined (release workflow) + - if: '$CI_COMMIT_TAG' when: manual .deploy_prod: From 615652d34c32f18fe3439aa2a5de6c02cd958db5 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 10:18:48 +0400 Subject: [PATCH 23/82] * add deploy to PROD EE Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index efb34c0..a4c3d7b 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -1,10 +1,10 @@ -# Deploy to PROD EE: -# extends: .deploy_prod -# variables: -# EDITION: ee -# parallel: -# matrix: -# - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] +Deploy to PROD EE: + extends: .deploy_prod + variables: + EDITION: ee + parallel: + matrix: + - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] Deploy to PROD FE: extends: .deploy_prod From 267b54110f87dd52fd74e97efe502b7e9644a950 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 10:21:59 +0400 Subject: [PATCH 24/82] * fix .deploy_prod_rules Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
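Review bot: The required-variable guard rewritten here still sits after the `$FORCE_CI` rule, so with `FORCE_CI` set the manual job is created even when `$MODULES_REGISTRY`, `$MODULES_REGISTRY_PATH` or `$RELEASE_CHANNEL` is empty and `crane copy` is handed a destination with no registry host; move the `when: never` rule to the top of `.deploy_prod_rules`. The same ordering survives the follow-up that switches the check to `$PROD_MODULES_REGISTRY`/`$EDITION` (hunk `@@ -63,7 +63,7 @@` two commits down). Whether job-level `variables:` such as `MODULES_REGISTRY: $PROD_MODULES_REGISTRY` are visible to `rules:if` at pipeline creation is not shown here; the later switch back to the `PROD_*` names suggests they were not, and a comment recording that constraint would save the next edit.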
diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index 4b0677e..c0ce42e 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -63,7 +63,7 @@ - if: $FORCE_CI when: manual # do not run if some required variables is empty - - if: '$MODULES_REGISTRY == null || $MODULES_REGISTRY == "" || $MODULES_REGISTRY_PATH == null || $MODULES_REGISTRY_PATH == "" || $RELEASE_CHANNEL == null || $RELEASE_CHANNEL == ""' + - if: '$PROD_MODULES_REGISTRY == null || $PROD_MODULES_REGISTRY == "" || $EDITION == null || $EDITION == "" || $RELEASE_CHANNEL == null || $RELEASE_CHANNEL == ""' when: never # add MANUAL deploy job only if it is a tag defined (release workflow) - if: '$CI_COMMIT_TAG' From 96b6368562b66f9a4ebd98a8d6122d3d330b0e25 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 10:54:38 +0400 Subject: [PATCH 25/82] * dry run deploy jobs (without crane copy) Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index c0ce42e..ca05c84 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -21,7 +21,7 @@ IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${IMAGE_TAG}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} + # crane copy ${IMAGE_SRC} ${IMAGE_DST} done # Bundle image - | 
@@ -29,14 +29,14 @@ IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} + # crane copy ${IMAGE_SRC} ${IMAGE_DST} # Release-channel image - | IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)" IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release:${MODULES_MODULE_TAG}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} + # crane copy ${IMAGE_SRC} ${IMAGE_DST} # Register module - | echo "✨ Register the module ${MODULES_MODULE_NAME}" @@ -55,7 +55,7 @@ IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy "${IMAGE_SRC}" "${IMAGE_DST}" + # crane copy "${IMAGE_SRC}" "${IMAGE_DST}" .deploy_prod_rules: rules: @@ -70,7 +70,7 @@ when: manual .deploy_prod: - extends: .deploy + stage: deploy rules: - !reference [.deploy_prod_rules, rules] variables: @@ -79,3 +79,8 @@ MODULES_REGISTRY_PASSWORD: $PROD_MODULES_REGISTRY_PASSWORD # path in PROD registry must be hardcoded MODULES_REGISTRY_PATH: deckhouse/${EDITION}/modules + script: + # publish final images to prod registry and register module with $MODULES_MODULE_TAG + - !reference [.publish, script] + # make 'symlink' to published module tag for specified release-channel + - !reference [.deploy, script] From a60c3e0f6249cbba185705a3bdade4f5cd54fc44 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 11:18:02 +0400 Subject: [PATCH 26/82] * remove 'dry run' mode for deploy to prod Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index ca05c84..7a2709c 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml 
@@ -21,7 +21,7 @@ IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${IMAGE_TAG}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - # crane copy ${IMAGE_SRC} ${IMAGE_DST} + crane copy ${IMAGE_SRC} ${IMAGE_DST} done # Bundle image - | @@ -36,7 +36,7 @@ IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release:${MODULES_MODULE_TAG}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - # crane copy ${IMAGE_SRC} ${IMAGE_DST} + crane copy ${IMAGE_SRC} ${IMAGE_DST} # Register module - | echo "✨ Register the module ${MODULES_MODULE_NAME}" @@ -55,7 +55,7 @@ IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - # crane copy "${IMAGE_SRC}" "${IMAGE_DST}" + crane copy "${IMAGE_SRC}" "${IMAGE_DST}" .deploy_prod_rules: rules: From 1105f86f682639f45cc6a2d27e99a4e0a63d6087 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 12:32:21 +0400 Subject: [PATCH 27/82] * add description to variables Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 695db21..3d64a15 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml 
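Review bot: This commit restores three of the four `crane copy` calls disabled in the previous one, but the bundle-image copy (the `@@ -29,14 +29,14 @@` region, `IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}"`) stays commented out, so `.publish` still echoes "Pushing" for the bundle and pushes nothing. The restored lines also disagree on quoting — `crane copy ${IMAGE_SRC} ${IMAGE_DST}` in `.publish` versus `crane copy "${IMAGE_SRC}" "${IMAGE_DST}"` in `.deploy` — and the quoted form should be used in all four so word splitting cannot alter the argument list. Since other projects include this template remotely from `main`, a dry-run switch checked before each copy (e.g. a `DRY_RUN` variable) would avoid committing commented-out commands to a shared template at all.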
@@ -7,13 +7,17 @@ variables: MODULES_MODULE_TAG: ${CI_COMMIT_REF_NAME} # Enable auto-cleanup job by default. # `Auto cleanup` job is run randomly, only if current second is divisible by 10 - AUTO_CLEANUP: "true" + AUTO_CLEANUP: + value: "true" + description: "`Auto cleanup` job is run randomly (if enabled), only if current second is divisible by 10" ############################## # Internal default settings ############################## BASE_IMAGES_VERSION: v0.2 - + FORCE_CI: + value: "false" + description: "Set to true if need force run workflow" # use module's container registry (on Gitlab) as werf's intermediate/cache images registry (repo with all build-time artifacts (garbage)) WERF_REPO: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} From dea5ceaac2b056b195e3131e1cfb22a7c3f25660 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 13:48:05 +0400 Subject: [PATCH 28/82] * fix FORCE_CI conditions Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 4 ++-- templates/multi-repo/Setup.gitlab-ci.yml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index 7a2709c..5069ae1 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -59,8 +59,8 @@ .deploy_prod_rules: rules: - # add MANUAL deploy job if $FORCE_CI variable is defined - - if: $FORCE_CI + # add MANUAL deploy job if $FORCE_CI variable is set + - if: $FORCE_CI == "true" || $FORCE_CI == "1" when: manual # do not run if some required variables is empty - if: '$PROD_MODULES_REGISTRY == null || $PROD_MODULES_REGISTRY == "" || $EDITION == null || $EDITION == "" || $RELEASE_CHANNEL == null || $RELEASE_CHANNEL == ""' diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 3d64a15..eb1f826 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml 
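Review bot: Giving `FORCE_CI` a default `value: "false"` makes it a defined, non-empty variable, while the existing consumers test only its presence (`- if: $FORCE_CI` in `.deploy_prod_rules`, `- if: '$FORCE_CI'` in `.default_rules`), so after this commit every pipeline matches the force rule until those conditions compare the value, e.g. `- if: $FORCE_CI == "true" || $FORCE_CI == "1"`. The description reads awkwardly; `description: "Set to true to force the whole workflow to run regardless of the other rules"` says the same more clearly. The `AUTO_CLEANUP` description now repeats the comment directly above it, so one of the two can go.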
+++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -30,17 +30,17 @@ stages: .default_rules: rules: - # run if $FORCE_CI variable is defined - - if: '$FORCE_CI' + # run if $FORCE_CI variable is set + - if: $FORCE_CI == "true" || $FORCE_CI == "1" # run if there is a tag defined (module release workflow) - - if: '$CI_COMMIT_TAG' + - if: $CI_COMMIT_TAG # run if there is a merge request event - if: $CI_PIPELINE_SOURCE == 'merge_request_event' # DO NOT run if there is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' when: never # run if there is a push to a branch (without opened merge requests) - - if: '$CI_COMMIT_BRANCH' + - if: $CI_COMMIT_BRANCH .setup: before_script: From b9fffe1ead2116cbbfa50e6698ed94e916bcf7a6 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 15:09:22 +0400 Subject: [PATCH 29/82] * debug Build/deploy Signed-off-by: Ivan.Makeev --- templates/multi-repo/Build.gitlab-ci.yml | 3 +++ templates/multi-repo/Deploy.gitlab-ci.yml | 2 ++ 2 files changed, 5 insertions(+) diff --git a/templates/multi-repo/Build.gitlab-ci.yml b/templates/multi-repo/Build.gitlab-ci.yml index 18d731e..46e3f1a 100644 --- a/templates/multi-repo/Build.gitlab-ci.yml +++ b/templates/multi-repo/Build.gitlab-ci.yml @@ -9,6 +9,9 @@ - | werf build \ --save-build-report --build-report-path images_tags_werf.json + + # debug + cat images_tags_werf.json artifacts: paths: - images_tags_werf.json diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index 5069ae1..729bdf0 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml 
@@ -15,6 +15,8 @@ export MODULES_MODULE_SOURCE="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}" # Module images - | + # debug + cat images_tags_werf.json for image in $(ls images); do IMAGE_SRC="$(jq -r ".Images.\"$image\".DockerImageName" images_tags_werf.json)" IMAGE_TAG="$(jq -r ".Images.\"$image\".DockerTag" images_tags_werf.json)" From dfdd14597150d8881e1e4c5d4089812843d97faf Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 3 Apr 2025 16:33:13 +0400 Subject: [PATCH 30/82] * fix deploy Signed-off-by: Ivan.Makeev --- templates/multi-repo/Build.gitlab-ci.yml | 3 --- templates/multi-repo/Deploy.gitlab-ci.yml | 4 +--- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/templates/multi-repo/Build.gitlab-ci.yml b/templates/multi-repo/Build.gitlab-ci.yml index 46e3f1a..18d731e 100644 --- a/templates/multi-repo/Build.gitlab-ci.yml +++ b/templates/multi-repo/Build.gitlab-ci.yml @@ -9,9 +9,6 @@ - | werf build \ --save-build-report --build-report-path images_tags_werf.json - - # debug - cat images_tags_werf.json artifacts: paths: - images_tags_werf.json diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index 729bdf0..f6e1179 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -15,8 +15,6 @@ export MODULES_MODULE_SOURCE="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}" # Module images - | - # debug - cat images_tags_werf.json for image in $(ls images); do IMAGE_SRC="$(jq -r ".Images.\"$image\".DockerImageName" images_tags_werf.json)" IMAGE_TAG="$(jq -r ".Images.\"$image\".DockerTag" images_tags_werf.json)" @@ -31,7 +29,7 @@ IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - # crane copy ${IMAGE_SRC} ${IMAGE_DST} + crane copy ${IMAGE_SRC} ${IMAGE_DST} # Release-channel image - | IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)" 
From b30ef21fff6bbb2846c12e8957b9bff993027194 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 7 Apr 2025 13:05:45 +0400 Subject: [PATCH 31/82] * add Deploy_PROD_experiment Signed-off-by: Ivan.Makeev --- .../Deploy_PROD_experiment.gitlab-ci.yml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml diff --git a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml new file mode 100644 index 0000000..53d3742 --- /dev/null +++ b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml @@ -0,0 +1,20 @@ +# https://docs.gitlab.com/ci/inputs/ +spec: + inputs: + editions: + type: array + description: List of module editions + default: + - ee + - fe + - se + - se-plus + +--- + +Deploy to PROD ${EDITION}: + extends: .deploy_prod + parallel: + matrix: + - EDITION: $[[ inputs.editions ]] + - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] From 7112660f863c059bfc76425e73f672a44ced1b0b Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 7 Apr 2025 13:15:05 +0400 Subject: [PATCH 32/82] * Deploy_PROD_experiment Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml index 53d3742..d876955 100644 --- a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml @@ -11,6 +11,16 @@ spec: - se-plus --- +Debug: + stage: deploy + rules: + - when: always + script: + - printenv | sort + parallel: + matrix: + - EDITION: $[[ inputs.editions ]] + - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] Deploy to PROD ${EDITION}: extends: .deploy_prod From 4bbf96fd91e3d4648e9351b53204775746e08064 Mon Sep 17 00:00:00 2001 
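Review bot: The `parallel.matrix` in `Deploy to PROD ${EDITION}` lists `EDITION` and `RELEASE_CHANNEL` as two separate list items, which defines two independent job sets (one per edition with no channel, one per channel with no edition) rather than the edition×channel product that the `.deploy_prod` path `deckhouse/${EDITION}/modules` and `IMAGE_DST="${REPO}:${RELEASE_CHANNEL}"` both require; put both keys in one mapping item, `- EDITION: $[[ inputs.editions ]]` followed by `  RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid]` at the same indent. `${EDITION}` in the job name is unlikely to be expanded, and the matrix already suffixes each job with its variable values, so a plain name suffices. A comment on `spec.inputs.editions` such as `# each value becomes the <edition> segment of the PROD registry path deckhouse/<edition>/modules` would tell consumers what the strings must match.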
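Review bot: The `Debug` job runs `printenv | sort` under `rules: - when: always`, so every pipeline — failed ones included — writes the complete job environment, i.e. every CI/CD variable available to that ref, into a retained job log readable by anyone with job-log access; only variables flagged as masked and meeting the masking requirements are hidden there. If an environment dump is genuinely needed, gate it behind an explicit opt-in variable, drop the `parallel.matrix` (it produces twenty copies of the same dump), and filter obvious secret names, e.g. `- printenv | sort | grep -viE 'PASSWORD|TOKEN|SECRET|KEY'`. At minimum mark it `# temporary debugging — remove before merge`, since this file ships to every project that includes it from `main`.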
From: "Ivan.Makeev" Date: Mon, 7 Apr 2025 13:19:53 +0400 Subject: [PATCH 33/82] * fix Deploy_PROD_experiment Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml index d876955..39e3305 100644 --- a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml @@ -20,11 +20,11 @@ Debug: parallel: matrix: - EDITION: $[[ inputs.editions ]] - - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] + RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] Deploy to PROD ${EDITION}: extends: .deploy_prod parallel: matrix: - EDITION: $[[ inputs.editions ]] - - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] + RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] From 4ee3f68bcfef0b5cc21431ed8baab65920136d3b Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 7 Apr 2025 13:28:49 +0400 Subject: [PATCH 34/82] * fix Deploy_PROD_experiment Signed-off-by: Ivan.Makeev --- .../Deploy_PROD_experiment.gitlab-ci.yml | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml index 39e3305..5a9c96d 100644 --- a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml @@ -10,19 +10,7 @@ spec: - se - se-plus ---- -Debug: - stage: deploy - rules: - - when: always - script: - - printenv | sort - parallel: - matrix: - - EDITION: $[[ inputs.editions ]] - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] - -Deploy to PROD ${EDITION}: +Deploy to PROD: extends: .deploy_prod parallel: matrix: From 3657f8f2dd3447b7db0f4c12438fa2676658c768 Mon Sep 17 00:00:00 2001 
From: "Ivan.Makeev" Date: Mon, 7 Apr 2025 13:45:23 +0400 Subject: [PATCH 35/82] * fix Deploy_PROD_experiment Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml index 5a9c96d..96b7438 100644 --- a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml @@ -10,6 +10,8 @@ spec: - se - se-plus +--- + Deploy to PROD: extends: .deploy_prod parallel: From 6d3ea5fae5925076a4c6c527432c2f3262ecc2d0 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 7 Apr 2025 14:10:46 +0400 Subject: [PATCH 36/82] * add inputs.editions to Deploy_PROD Signed-off-by: Ivan.Makeev --- examples/multi-repo-module.gitlab-ci.yml | 14 +++++++ jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 42 +++++++------------ .../Deploy_PROD_experiment.gitlab-ci.yml | 20 --------- 3 files changed, 29 insertions(+), 47 deletions(-) delete mode 100644 jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml diff --git a/examples/multi-repo-module.gitlab-ci.yml b/examples/multi-repo-module.gitlab-ci.yml index f21e819..5a3a4b5 100644 --- a/examples/multi-repo-module.gitlab-ci.yml +++ b/examples/multi-repo-module.gitlab-ci.yml 
@@ -8,6 +8,20 @@ include: - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml' # deploy jobs for PROD registry - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml' + inputs: + # Editions used in your module. Array of following items: + # ce - Community edition + # ee - Enterprise edition + # fe - Flant edition (internal edition for Flant's engineers) + # se - Standard edition + # se-plus - Standard edition + + editions: + # All values must be in lowercase and quoted + - "ce" + - "ee" + - "fe" + - "se" + - "se-plus" variables: # Do not forget to put these variables to your Gitlab CI secrets: diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index a4c3d7b..96b7438 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -1,32 +1,20 @@ -Deploy to PROD EE: - extends: .deploy_prod - variables: - EDITION: ee - parallel: - matrix: - - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] +# https://docs.gitlab.com/ci/inputs/ +spec: + inputs: + editions: + type: array + description: List of module editions + default: + - ee + - fe + - se + - se-plus -Deploy to PROD FE: - extends: .deploy_prod - variables: - EDITION: fe - parallel: - matrix: - - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] +--- -Deploy to PROD SE: +Deploy to PROD: extends: .deploy_prod - variables: - EDITION: se parallel: matrix: - - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] - -Deploy to PROD SE+: - extends: .deploy_prod - variables: - EDITION: se-plus - parallel: - matrix: - - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] - + - EDITION: $[[ inputs.editions ]] + RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] 
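Review bot: In the example's `inputs.editions` comment the line `se-plus - Standard edition` duplicates the description given for `se`, so the two entries read identically; spell out the distinction (`se-plus - Standard edition plus` — confirm the official name) or drop the duplicate. The comment also says values must be quoted, while the `spec.inputs.editions` default in `Deploy_PROD.gitlab-ci.yml` lists them bare (`- ee`), which works equally well for YAML strings; state the real constraint instead, e.g. `# Values must match the <edition> segment of the PROD registry path deckhouse/<edition>/modules`. The example lists `ce` although the spec default does not, so a note on which editions the PROD registry actually serves would help a first-time reader.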
diff --git a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml deleted file mode 100644 index 96b7438..0000000 --- a/jobs/multi-repo/Deploy_PROD_experiment.gitlab-ci.yml +++ /dev/null @@ -1,20 +0,0 @@ -# https://docs.gitlab.com/ci/inputs/ -spec: - inputs: - editions: - type: array - description: List of module editions - default: - - ee - - fe - - se - - se-plus - ---- - -Deploy to PROD: - extends: .deploy_prod - parallel: - matrix: - - EDITION: $[[ inputs.editions ]] - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] From 9ac105f3e27036593c2918e96b325c8470b266de Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 7 Apr 2025 14:18:30 +0400 Subject: [PATCH 37/82] * add spec.inputs.editions to README.md Signed-off-by: Ivan.Makeev --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 69e6537..7819b6a 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,7 @@ In `templates/multi-repo` the CI workflow differs from `basic` CI (which in `tem - [General] Added `.default_rules` hidden job (see `templates/multi-repo/Setup.gitlab-ci.yml`) for easy modification of this whole workflow. - [General] Added `.deploy-prod-rules` hidden job (see `templates/multi-repo/Deploy.gitlab-ci.yml`) for easy modification of `deploy to production` workflow. - [General] Added `jobs/multi-repo` jobs files which user can include and use in their own workflow. +- [General] Added ability to specify which module's `EDITION` (`CE`, `EE`, etc) should be pushed to PRODUCTION registry. - [Refactor] Default `before_script` section (see `templates/Setup.gitlab-ci.yml`) moved to `.setup/before_script` job. - [Refactor] `dmt lint` job moved to `lint` stage in dedicated `templates/multi-repo/Lint.gitlab-ci.yml` file. - [Refactor] All werf's caches and other artifacts (from `build` stage) are stored in Gitlab's registry (`${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME}`) by default. 
From 61df3422adb462e60eeac1861ba3f7699a9bc829 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 14 Apr 2025 12:06:38 +0400 Subject: [PATCH 38/82] * remove `if: $CI_COMMIT_BRANCH` rule from .default_rules Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index eb1f826..333962d 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -40,7 +40,8 @@ stages: - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' when: never # run if there is a push to a branch (without opened merge requests) - - if: $CI_COMMIT_BRANCH + # TODO: check that all pipelines works as expected without this one rule + # - if: $CI_COMMIT_BRANCH .setup: before_script: From b1411a5eb0d9b6f9ac2bda4a32509377f3c47c25 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 14 Apr 2025 14:45:18 +0400 Subject: [PATCH 39/82] * add debug job Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Debug.gitlab-ci.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 jobs/multi-repo/Debug.gitlab-ci.yml diff --git a/jobs/multi-repo/Debug.gitlab-ci.yml b/jobs/multi-repo/Debug.gitlab-ci.yml new file mode 100644 index 0000000..02c0674 --- /dev/null +++ b/jobs/multi-repo/Debug.gitlab-ci.yml @@ -0,0 +1,13 @@ +variables: + DEBUG_CI: + value: "false" + description: "Run debug job(s)" + +debug:printenv: + stage: build + rules: + # run if $DEBUG_CI variable is set to true + - if: $DEBUG_CI == "true" || $DEBUG_CI == "1" + before_script: + - | + printenv | sort From e6a7292051a272ccbbb23d7a5039921cc1f7a2e2 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 14 Apr 2025 14:48:14 +0400 Subject: [PATCH 40/82] * fix `debug:printenv` Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Debug.gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
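Review bot: `debug:printenv` defines `before_script` but no `script`, which GitLab rejects for a job (`script` is required), so the job cannot be created as written; the dump belongs under `script:`. Even gated by `DEBUG_CI`, which any user able to run a pipeline can set at trigger time, the job writes the entire environment to a retained log, and any variable not flagged masked (or failing the masking requirements) lands there in clear, so filter obvious secret names, e.g. `- printenv | sort | grep -viE 'PASSWORD|TOKEN|SECRET|KEY'`, and prefer `when: manual` so the dump takes a deliberate click rather than a variable default. The `DEBUG_CI` description should say what the job exposes, e.g. `description: "Run the debug job, which prints all job environment variables to the log"`.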
diff --git a/jobs/multi-repo/Debug.gitlab-ci.yml b/jobs/multi-repo/Debug.gitlab-ci.yml index 02c0674..376d13f 100644 --- a/jobs/multi-repo/Debug.gitlab-ci.yml +++ b/jobs/multi-repo/Debug.gitlab-ci.yml @@ -8,6 +8,6 @@ debug:printenv: rules: # run if $DEBUG_CI variable is set to true - if: $DEBUG_CI == "true" || $DEBUG_CI == "1" - before_script: + script: - | printenv | sort From c40f9e9bb6b08bd1facbb06fe270db0a7fc86e0e Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 14 Apr 2025 14:57:25 +0400 Subject: [PATCH 41/82] [.default_rules] fix: do not run pipeline for push to the branch Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 333962d..0a2e07e 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml 
@@ -30,18 +30,18 @@ stages: .default_rules: rules: - # run if $FORCE_CI variable is set + # run if $FORCE_CI variable is set to true - if: $FORCE_CI == "true" || $FORCE_CI == "1" # run if there is a tag defined (module release workflow) - if: $CI_COMMIT_TAG - # run if there is a merge request event + # run if this is a merge request event - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - # DO NOT run if there is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) - - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' + # DO NOT run if this is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) + # - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' + # when: never + # DO NOT run if this is a push (commits) to a branch (regardless of opened merge requests) + - if: $CI_COMMIT_BRANCH when: never - # run if there is a push to a branch (without opened merge requests) - # TODO: check that all pipelines works as expected without this one rule - # - if: $CI_COMMIT_BRANCH .setup: before_script: From 40a866972979b58c9fd717bbe9fd3ee88a0f5ecc Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 14 Apr 2025 15:12:52 +0400 Subject: [PATCH 42/82] [.default_rules] fix: run when merge request is merged to main/master branch Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_DEV.gitlab-ci.yml | 4 ++-- templates/multi-repo/Setup.gitlab-ci.yml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml index efd1bb0..737b19b 100644 --- a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml 
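Review bot: The new final rule `- if: $CI_COMMIT_BRANCH` / `when: never` also matches pushes to the default branch, so merge-to-`main` pipelines that previously ran through the removed branch rule no longer run for any job using `.default_rules`; if that is intended it deserves a comment, otherwise a rule such as `- if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` must precede it. The commented-out `$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS` block is now dead configuration that contradicts the live rule beneath it; remove it or replace it with a one-line note that the blanket `never` already covers the duplicate-pipeline case. The `merge_request_event` rule uses single quotes while the new rules use none — pick one form for the whole list.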
@@ -31,8 +31,8 @@ Publish default branch to DEV: # do not run if some required variables is empty - if: '$DEV_MODULES_REGISTRY == null || $DEV_MODULES_REGISTRY == "" || $DEV_MODULES_REGISTRY_PATH == null || $DEV_MODULES_REGISTRY_PATH == ""' when: never - # run only for default (main/master) branch - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + # run only when push to default (main/master) branch + - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH when: on_success # do not run in other cases - when: never diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 0a2e07e..deb93f7 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -36,6 +36,8 @@ stages: - if: $CI_COMMIT_TAG # run if this is a merge request event - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + # run when push to default (main/master) branch (for example, when merge request is merged to `master` branch) + - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH # DO NOT run if this is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) # - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' # when: never From e04f69775f08cd7a622650b69f5e7b56d17d55a8 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 14 Apr 2025 15:54:05 +0400 Subject: [PATCH 43/82] [Publish merge request to DEV] fix: run Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_DEV.gitlab-ci.yml | 3 +++ templates/multi-repo/Setup.gitlab-ci.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml index 737b19b..2a34868 100644 --- a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml 
@@ -16,6 +16,9 @@ Publish merge request to DEV: # run only for merge requests - if: $CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "merge_request_event" when: on_success + # run when new branch is created and there are no opened merge requests for this branch and no commits to this branch yet (completely new branch from master/main) + - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && !$CI_MERGE_REQUEST_IID && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" + when: on_success # do not run in other cases - when: never diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index deb93f7..8b3c6b8 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -38,6 +38,9 @@ stages: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' # run when push to default (main/master) branch (for example, when merge request is merged to `master` branch) - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + # run when new branch is created and there are no opened merge requests for this branch and no commits to this branch yet (completely new branch from master/main) + # this rule is required for job `Publish merge request to DEV` to work properly + - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && !$CI_MERGE_REQUEST_IID && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" # DO NOT run if this is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) # - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' # when: never From 49158da4cfdfe36e521cae99d536fdf6315fdebf Mon Sep 17 00:00:00 2001 
From: "Ivan.Makeev" Date: Mon, 14 Apr 2025 15:56:25 +0400 Subject: [PATCH 44/82] [Publish merge request to DEV] fix: run when new branch is created and there are no opened merge requests for this branch and no commits to this branch yet (completely new branch from master/main) Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 8b3c6b8..0897b78 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -40,7 +40,7 @@ stages: - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH # run when new branch is created and there are no opened merge requests for this branch and no commits to this branch yet (completely new branch from master/main) # this rule is required for job `Publish merge request to DEV` to work properly - - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && !$CI_MERGE_REQUEST_IID && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" + - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && ($CI_MERGE_REQUEST_IID == null || $CI_MERGE_REQUEST_IID == "") && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" # DO NOT run if this is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) # - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' # when: never From cb2e7b622c9d9eeb544449fab5d7adbaf173f310 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 14 Apr 2025 15:57:39 +0400 Subject: [PATCH 45/82] [Publish merge request to DEV] fix: run when new branch is created and there are no opened merge requests for this branch and no commits to this branch yet (completely new branch from master/main) Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_DEV.gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml index 2a34868..bd21110 100644 --- a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml @@ -17,7 +17,7 @@ Publish merge request to DEV: - if: $CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "merge_request_event" when: on_success # run when new branch is created and there are no opened merge requests for this branch and no commits to this branch yet (completely new branch from master/main) - - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && !$CI_MERGE_REQUEST_IID && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" + - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && ($CI_MERGE_REQUEST_IID == null || $CI_MERGE_REQUEST_IID == "") && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" when: on_success # do not run in other cases - when: never From 7b055069ea8545d2861725e560b5af66c75b337d Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 14 Apr 2025 16:15:02 +0400 Subject: [PATCH 46/82] * remove pipeline rule for "new branches" Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_DEV.gitlab-ci.yml | 4 ++-- templates/multi-repo/Setup.gitlab-ci.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml index bd21110..9a245a7 100644 --- a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml 
@@ -17,8 +17,8 @@ Publish merge request to DEV: - if: $CI_MERGE_REQUEST_IID && $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME != $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "merge_request_event" when: on_success # run when new branch is created and there are no opened merge requests for this branch and no commits to this branch yet (completely new branch from master/main) - - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && ($CI_MERGE_REQUEST_IID == null || $CI_MERGE_REQUEST_IID == "") && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" - when: on_success + # - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && ($CI_MERGE_REQUEST_IID == null || $CI_MERGE_REQUEST_IID == "") && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" + # when: on_success # do not run in other cases - when: never diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 0897b78..1f8a4f4 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -40,7 +40,7 @@ stages: - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH # run when new branch is created and there are no opened merge requests for this branch and no commits to this branch yet (completely new branch from master/main) # this rule is required for job `Publish merge request to DEV` to work properly - - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && ($CI_MERGE_REQUEST_IID == null || $CI_MERGE_REQUEST_IID == "") && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" + # - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && ($CI_MERGE_REQUEST_IID == null || $CI_MERGE_REQUEST_IID == "") && $CI_COMMIT_BEFORE_SHA == "0000000000000000000000000000000000000000" # DO NOT run if this is a push to a branch and there are open merge requests (remove duplicated `branch` pipeline) # - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS' # when: never 
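Review bot: Both hunks of this commit comment out the "new branch" rule instead of deleting it, so `Deploy_DEV.gitlab-ci.yml` and `Setup.gitlab-ci.yml` each now carry two commented-out rules plus their explanatory comments, and the Setup comment still claims the rule "is required for job `Publish merge request to DEV` to work properly" although the job no longer has it. Git history already preserves the removed rule; delete the lines and the now-wrong comment, or if the rule is expected to return, replace the comment with a TODO naming the follow-up. The `Publish merge request to DEV` job and the `.default_rules` list both start before their hunks.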
From 342b77731b06d7e7bbf3bbf9a054eeab1daeb79f Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 15 Apr 2025 12:18:20 +0400 Subject: [PATCH 47/82] * automatically create gitlab release when push new tag Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index 96b7438..3005d7b 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -11,9 +11,22 @@ spec: - se-plus --- +Create gitlab release: + stage: deploy + image: registry.gitlab.com/gitlab-org/release-cli:latest + rules: + - if: $CI_COMMIT_TAG && $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ + script: + - echo "running release job" + # See https://docs.gitlab.com/ee/ci/yaml/#release for available properties + release: + tag_name: '$CI_COMMIT_TAG' + description: '$CI_COMMIT_TAG' Deploy to PROD: extends: .deploy_prod + needs: + - Create gitlab release parallel: matrix: - EDITION: $[[ inputs.editions ]] From 56a64897f1c82a1d88fec2ec6260b4b009398a62 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 15 Apr 2025 12:28:38 +0400 Subject: [PATCH 48/82] [Create gitlab release] * fix Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index 3005d7b..d027a24 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml 
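Review bot: `Deploy to PROD` now has `needs: - Create gitlab release`, but the release job is only added to the pipeline when `$CI_COMMIT_TAG` matches `/^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/`; in any pipeline where `.deploy_prod` runs and that job is absent (other tag formats, `FORCE_CI` runs, if its rules allow them) GitLab rejects the pipeline with a missing-dependency error unless the entry is written as `- job: Create gitlab release` with `optional: true`. `image: registry.gitlab.com/gitlab-org/release-cli:latest` is a floating tag on a job that publishes releases with the project's credentials; pin it to a specific version or digest so a registry-side change cannot alter what runs here. Using `$CI_COMMIT_TAG` as `description:` yields a release whose body is just the tag name, presumably a placeholder worth a `# TODO`.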
@@ -13,15 +13,16 @@ spec: --- Create gitlab release: stage: deploy - image: registry.gitlab.com/gitlab-org/release-cli:latest + # image: registry.gitlab.com/gitlab-org/release-cli:latest rules: - if: $CI_COMMIT_TAG && $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ script: - - echo "running release job" + - glab release create $CI_COMMIT_TAG + # - echo "running release job" # See https://docs.gitlab.com/ee/ci/yaml/#release for available properties - release: - tag_name: '$CI_COMMIT_TAG' - description: '$CI_COMMIT_TAG' + # release: + # tag_name: '$CI_COMMIT_TAG' + # description: '$CI_COMMIT_TAG' Deploy to PROD: extends: .deploy_prod From b18b4ad358e72389979a56ca6b95fd7e4a860ae9 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 15 Apr 2025 12:32:12 +0400 Subject: [PATCH 49/82] * remove release creating Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index d027a24..0855b69 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -11,18 +11,6 @@ spec: - se-plus --- -Create gitlab release: - stage: deploy - # image: registry.gitlab.com/gitlab-org/release-cli:latest - rules: - - if: $CI_COMMIT_TAG && $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/ - script: - - glab release create $CI_COMMIT_TAG - # - echo "running release job" - # See https://docs.gitlab.com/ee/ci/yaml/#release for available properties - # release: - # tag_name: '$CI_COMMIT_TAG' - # description: '$CI_COMMIT_TAG' Deploy to PROD: extends: .deploy_prod From 7e3d04889ab43ae22df3dcca11dadff993cbea89 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 15 Apr 2025 12:49:15 +0400 Subject: [PATCH 50/82] * remove release creating Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index 0855b69..96b7438 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -14,8 +14,6 @@ spec: Deploy to PROD: extends: .deploy_prod - needs: - - Create gitlab release parallel: matrix: - EDITION: $[[ inputs.editions ]] From 321ec8c0f0f66e8ec8615f4cdd801d8fe0fe1d8e Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 21 Apr 2025 15:47:11 +0400 Subject: [PATCH 51/82] [.publish] fix: copy to destination registry only final images from `images_tags_werf.json` Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 25 +++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index f6e1179..49b8958 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml 
@@ -13,29 +13,42 @@ # generate MODULES_MODULE_SOURCE - | export MODULES_MODULE_SOURCE="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}" + # Module images - | - for image in $(ls images); do - IMAGE_SRC="$(jq -r ".Images.\"$image\".DockerImageName" images_tags_werf.json)" - IMAGE_TAG="$(jq -r ".Images.\"$image\".DockerTag" images_tags_werf.json)" - IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${IMAGE_TAG}" + jq -r '.Images | values[] | select (.Final==true) | .WerfImageName + " " + .DockerImageName + " " + .DockerTag + " " + .DockerImageDigest' < images_tags_werf.json | while read line; do + image="$(cut -d " " -f 1 <<< ${line})" + docker_image="$(cut -d " " -f 2 <<< ${line})" + docker_tag="$(cut -d " " -f 3 <<< ${line})" + shasum="$(cut -d " " -f 4 <<< ${line})" + name="$(tr '[:lower:]' '[:upper:]' <<< ${image} | sed 's|[-/]|_|g')" + + # image: pg-images-17.3-bookworm-standard; + # name: PG_IMAGES_17.3_BOOKWORM_STANDARD; + # shasum: sha256:cd6daa30c94ec77b352156cbf1c05c8e98b44d1d3a47fa2b0a1083587247f730; + # docker_image: registry.flant.com/team/managed-services/managed-psql/managed-psql-d8/managed-postgres:ed0388a743d61926309d1023e02c639c1006f7b7b56d78161f32b0e0-1744971955188; + # docker_tag: ed0388a743d61926309d1023e02c639c1006f7b7b56d78161f32b0e0-1744971955188 + + IMAGE_SRC="${docker_image}" + IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${docker_tag}" echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" crane copy ${IMAGE_SRC} ${IMAGE_DST} done + # Bundle image - | IMAGE_SRC="$(jq -r '.Images."bundle".DockerImageName' images_tags_werf.json)" IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}" - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + echo "✨ Pushing BUNDLE ${IMAGE_SRC} to ${IMAGE_DST}" crane copy ${IMAGE_SRC} ${IMAGE_DST} # Release-channel image - | IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)" 
IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release:${MODULES_MODULE_TAG}" - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + echo "✨ Pushing RELEASE ${IMAGE_SRC} to ${IMAGE_DST}" crane copy ${IMAGE_SRC} ${IMAGE_DST} # Register module - | From b0b284e2814898b1877130ed4e53e3a9a3d3955d Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 22 Apr 2025 12:24:27 +0400 Subject: [PATCH 52/82] * set timeout for `Auto cleanup` job to 10 minutes instead of default 60 minutes Signed-off-by: Ivan.Makeev --- templates/multi-repo/Cleanup.gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index 6a82993..9cc89d9 100644 --- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml @@ -13,6 +13,7 @@ Scheduled cleanup: Auto cleanup: stage: cleanup allow_failure: true + timeout: 10 minutes rules: # do not run if this job is explicitly disabled by user - if: $AUTO_CLEANUP == "false" || $AUTO_CLEANUP == "0" || $AUTO_CLEANUP == "" From eec1b1d6154112d628e264ae43ab2372ff8c638c Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 25 Apr 2025 12:58:35 +0400 Subject: [PATCH 53/82] * print env vars on .deploy_prod if DEBUG_CI enabled Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index 49b8958..dc10a42 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml 
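Review bot: `shasum` and `name` are assigned for every image in the new loop but never read, so either drop those two lines or use the digest, which is the better option: `crane copy ${docker_image}` resolves a tag at copy time, whereas a source reference by digest pins the copy to exactly the image werf recorded, e.g. `crane copy "${docker_image%:*}@${shasum}" "${IMAGE_DST}"` (the tag suffix is stripped before the digest is appended). The example comment embeds a real internal registry path and digest; a neutral form such as `docker_image: registry.example.com/<group>/<image>:<tag>` documents the format without recording the layout of a private registry in a shared template. `cut -d " " -f N <<< ${line}` relies on none of the four jq fields containing a space, which holds for these JSON values but deserves a one-line comment above the `read`. The `.publish` script starts before this hunk.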
@@ -93,6 +93,10 @@ # path in PROD registry must be hardcoded MODULES_REGISTRY_PATH: deckhouse/${EDITION}/modules script: + - | + if [ "$DEBUG_CI" = "true" -o "$DEBUG_CI" = "1" ]; then + printenv | sort + fi # publish final images to prod registry and register module with $MODULES_MODULE_TAG - !reference [.publish, script] # make 'symlink' to published module tag for specified release-channel From 00112da7be202bcb1ca4963e4b4d1266141c27e4 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 25 Apr 2025 13:21:53 +0400 Subject: [PATCH 54/82] * grouping deploy jobs by release channels Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 37 +++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index 96b7438..7e9f2a9 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -12,9 +12,42 @@ spec: --- -Deploy to PROD: +Deploy to PROD | Alpha: extends: .deploy_prod + variables: + RELEASE_CHANNEL: alpha + parallel: + matrix: + - EDITION: $[[ inputs.editions ]] + +Deploy to PROD | Beta: + extends: .deploy_prod + variables: + RELEASE_CHANNEL: beta + parallel: + matrix: + - EDITION: $[[ inputs.editions ]] + +Deploy to PROD | EarlyAccess: + extends: .deploy_prod + variables: + RELEASE_CHANNEL: early-access + parallel: + matrix: + - EDITION: $[[ inputs.editions ]] + +Deploy to PROD | Stable: + extends: .deploy_prod + variables: + RELEASE_CHANNEL: stable + parallel: + matrix: + - EDITION: $[[ inputs.editions ]] + +Deploy to PROD | RockSolid: + extends: .deploy_prod + variables: + RELEASE_CHANNEL: rock-solid parallel: matrix: - EDITION: $[[ inputs.editions ]] - RELEASE_CHANNEL: [alpha, beta, early-access, stable, rock-solid] From 2e963f51733a9540265215907d0cae96abd71df7 Mon Sep 17 00:00:00 2001 
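Review bot: `printenv | sort` under `DEBUG_CI` writes every variable of the job into the job log — including `MODULES_REGISTRY_PASSWORD` and `CI_JOB_TOKEN` — and that log is readable by anyone who can see the project; GitLab masks only variables that were marked masked and that satisfy its length and character rules. Filter the dump, e.g. `printenv | sort | grep -viE 'PASSWORD|TOKEN|SECRET|PRIVATE_KEY'`, or print just the variables the deploy actually consumes. The later commit "add printenv for debug .publish stage" adds the same line unconditionally to `.publish`, where the same concern applies (it is reverted one commit later). `[ "$DEBUG_CI" = "true" -o "$DEBUG_CI" = "1" ]` uses the obsolescent `-o`; the rest of this file tests with `[[ … ]]`, so `if [[ "$DEBUG_CI" == "true" || "$DEBUG_CI" == "1" ]]; then` is both safer and consistent. The `.deploy_prod` script starts before this hunk.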
From: "Ivan.Makeev" Date: Fri, 25 Apr 2025 13:30:27 +0400 Subject: [PATCH 55/82] * slightly rename deploy jobs: move env suffix (DEV/PROD) to begin of each job's name Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_DEV.gitlab-ci.yml | 4 ++-- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml index 9a245a7..e835b64 100644 --- a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml @@ -1,6 +1,6 @@ # emulate same behaviour as in Deckhouse Github registry # when opened PRs will pushed to dev registry -Publish merge request to DEV: +DEV | Publish merge request: extends: .publish variables: MODULES_REGISTRY: ${DEV_MODULES_REGISTRY} @@ -22,7 +22,7 @@ Publish merge request to DEV: # do not run in other cases - when: never -Publish default branch to DEV: +DEV | Publish default branch: extends: .publish variables: MODULES_REGISTRY: ${DEV_MODULES_REGISTRY} diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index 7e9f2a9..b9b0069 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -12,7 +12,7 @@ spec: --- -Deploy to PROD | Alpha: +PROD | Deploy to Alpha: extends: .deploy_prod variables: RELEASE_CHANNEL: alpha @@ -20,7 +20,7 @@ Deploy to PROD | Alpha: matrix: - EDITION: $[[ inputs.editions ]] -Deploy to PROD | Beta: +PROD | Deploy to Beta: extends: .deploy_prod variables: RELEASE_CHANNEL: beta @@ -28,7 +28,7 @@ Deploy to PROD | Beta: matrix: - EDITION: $[[ inputs.editions ]] -Deploy to PROD | EarlyAccess: +PROD | Deploy to EarlyAccess: extends: .deploy_prod variables: RELEASE_CHANNEL: early-access 
@@ -36,7 +36,7 @@ Deploy to PROD | EarlyAccess: matrix: - EDITION: $[[ inputs.editions ]] -Deploy to PROD | Stable: +PROD | Deploy TO Stable: extends: .deploy_prod variables: RELEASE_CHANNEL: stable @@ -44,7 +44,7 @@ Deploy to PROD | Stable: matrix: - EDITION: $[[ inputs.editions ]] -Deploy to PROD | RockSolid: +PROD | Deploy to RockSolid: extends: .deploy_prod variables: RELEASE_CHANNEL: rock-solid From 89dd366e816198a2c22824d5f0c4ef5f88547e80 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 25 Apr 2025 13:39:14 +0400 Subject: [PATCH 56/82] * slightly rename deploy jobs Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index b9b0069..3124e3c 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -36,7 +36,7 @@ PROD | Deploy to EarlyAccess: matrix: - EDITION: $[[ inputs.editions ]] -PROD | Deploy TO Stable: +PROD | Deploy to Stable: extends: .deploy_prod variables: RELEASE_CHANNEL: stable @@ -44,7 +44,8 @@ PROD | Deploy TO Stable: matrix: - EDITION: $[[ inputs.editions ]] -PROD | Deploy to RockSolid: +# because uppercased letters are ordered before lowercased, so put rock-solid job last as in stability level, not alphabetical +PROD | Deploy to rock-solid: extends: .deploy_prod variables: RELEASE_CHANNEL: rock-solid From c92fc2d4c3b4bab5609be83fe4692f737e0356df Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 25 Apr 2025 15:02:05 +0400 Subject: [PATCH 57/82] * slightly rename deploy jobs Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index 3124e3c..5c429d6 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml 
+++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -20,7 +20,7 @@ PROD | Deploy to Alpha: matrix: - EDITION: $[[ inputs.editions ]] -PROD | Deploy to Beta: +PROD | Beta: extends: .deploy_prod variables: RELEASE_CHANNEL: beta @@ -28,7 +28,7 @@ PROD | Deploy to Beta: matrix: - EDITION: $[[ inputs.editions ]] -PROD | Deploy to EarlyAccess: +PROD | EarlyAccess: extends: .deploy_prod variables: RELEASE_CHANNEL: early-access @@ -36,7 +36,7 @@ PROD | Deploy to EarlyAccess: matrix: - EDITION: $[[ inputs.editions ]] -PROD | Deploy to Stable: +PROD | Stable: extends: .deploy_prod variables: RELEASE_CHANNEL: stable @@ -45,7 +45,7 @@ PROD | Deploy to Stable: - EDITION: $[[ inputs.editions ]] # because uppercased letters are ordered before lowercased, so put rock-solid job last as in stability level, not alphabetical -PROD | Deploy to rock-solid: +PROD | rock-solid: extends: .deploy_prod variables: RELEASE_CHANNEL: rock-solid From 61fee16d07b277b7a8ad39cea2505ca1aa6026a3 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 25 Apr 2025 15:04:44 +0400 Subject: [PATCH 58/82] * slightly rename deploy jobs Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_PROD.gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml index 5c429d6..89bf35a 100644 --- a/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_PROD.gitlab-ci.yml @@ -12,7 +12,7 @@ spec: --- -PROD | Deploy to Alpha: +PROD | Alpha: extends: .deploy_prod variables: RELEASE_CHANNEL: alpha From 9d381c390dd879fabc2e27ea7ad6771ab5bb04d0 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 15 May 2025 10:26:37 +0400 Subject: [PATCH 59/82] * do not download base_images.yml if BASE_IMAGES_VERSION is empty Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 1f8a4f4..f309d1e 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -81,6 +81,10 @@ stages: trdl add dmt https://trrr.flant.dev/trdl-dmt/ 0 e77d785600a8c8612b84b93a5a2e4c48188d68f7478356d0708213e928bf67b024ed412e702dc32930da5c5bfc9b1c44be3ee7a292f923327815c91c6c3c3833 source $(trdl use dmt 0 stable) - # Download base images yaml file - - env | grep BASE_IMAGES_VERSION - - curl --fail -sSLO https://fox.flant.com/api/v4/projects/deckhouse%2Fbase-images/packages/generic/base_images/${BASE_IMAGES_VERSION}/base_images.yml + - | + if [[ ! -z "${BASE_IMAGES_VERSION}" ]]; then + echo "Downloading base_images.yml ${BASE_IMAGES_VERSION}" + curl --fail -sSLO https://fox.flant.com/api/v4/projects/deckhouse%2Fbase-images/packages/generic/base_images/${BASE_IMAGES_VERSION}/base_images.yml + else + echo "DO NOT download base_images.yml because BASE_IMAGES_VERSION is empty" + fi From 1accb079b9882c75407ec64ec7ec3077f2aa6da9 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 15 May 2025 10:28:24 +0400 Subject: [PATCH 60/82] * use BASE_IMAGES_VERSION v0.5.2 Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index f309d1e..e9af81e 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -14,7 +14,7 @@ variables: ############################## # Internal default settings ############################## - BASE_IMAGES_VERSION: v0.2 + BASE_IMAGES_VERSION: v0.5.2 FORCE_CI: value: "false" description: "Set to true if need force run workflow" From 622482fca375fdd3221ced1cf0a74d75ffde0552 Mon Sep 17 00:00:00 2001 
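Review bot: `[[ ! -z "${BASE_IMAGES_VERSION}" ]]` is a double negative; `[[ -n "${BASE_IMAGES_VERSION}" ]]` states the same condition directly and is the usual idiom. The hunk also drops `env | grep BASE_IMAGES_VERSION` without the commit message saying so; the new echo prints the version, so the replacement is fine, but it should be mentioned. `curl --fail -sSLO …/base_images.yml` has no integrity check beyond TLS; that predates this hunk, but now that the download is optional a `# TODO: verify checksum of base_images.yml` next to it records the gap. The `.setup` before_script starts before this hunk.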
From: "Ivan.Makeev" Date: Tue, 17 Jun 2025 16:10:42 +0400 Subject: [PATCH 61/82] * fix ROOT_VERSION for dmt's trdl repo Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index e9af81e..bbed5ec 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -78,7 +78,7 @@ stages: # Setup dmt - | - trdl add dmt https://trrr.flant.dev/trdl-dmt/ 0 e77d785600a8c8612b84b93a5a2e4c48188d68f7478356d0708213e928bf67b024ed412e702dc32930da5c5bfc9b1c44be3ee7a292f923327815c91c6c3c3833 + trdl add dmt https://trrr.flant.dev/trdl-dmt/ 3 source $(trdl use dmt 0 stable) - | From 36b17a03296eed9223bd8e5dbf8afe7e75c39856 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 17 Jun 2025 16:44:25 +0400 Subject: [PATCH 62/82] * fix ROOT_VERSION for dmt's trdl repo Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index bbed5ec..1f89daf 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -78,7 +78,7 @@ stages: # Setup dmt - | - trdl add dmt https://trrr.flant.dev/trdl-dmt/ 3 + trdl add dmt https://trrr.flant.dev/trdl-dmt/ 3 e77d785600a8c8612b84b93a5a2e4c48188d68f7478356d0708213e928bf67b024ed412e702dc32930da5c5bfc9b1c44be3ee7a292f923327815c91c6c3c3833 source $(trdl use dmt 0 stable) - | From e82b9904e7b90f58cbc0a5a4744d09d2437e2dde Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 20 Jun 2025 13:58:29 +0400 Subject: [PATCH 63/82] * add "Login to target registry" Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) 
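Review bot: In the second hunk on this line the dmt root version passed to `trdl add` changes from `0` to `3` while the trailing sha512 is byte-for-byte the one previously paired with version `0`; since that hash is what pins the TUF root, please confirm it is the digest of the version-3 root — if it is the stale version-0 digest, either `trdl add` rejects the repository or the pin no longer means anything, and I cannot tell which from the diff. A short comment on the line recording where the hash came from, e.g. `# root 3 sha512 taken from <source and date — placeholder>`, makes future rotations auditable. `source $(trdl use dmt 0 stable)` on the next line still selects group `0`; if that number is independent of the root version, say so in the comment, because the two `0`s are easy to confuse.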
diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index dc10a42..dfc62c2 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -9,6 +9,7 @@ fi # Login to target registry + echo "Login to target registry ${MODULES_REGISTRY}..." werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} # generate MODULES_MODULE_SOURCE - | From 69cacca898d41627f74a7eba399b885cf43a0d34 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 20 Jun 2025 14:07:56 +0400 Subject: [PATCH 64/82] * add printenv for debug .publish stage Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index dfc62c2..5f73a2a 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -1,6 +1,8 @@ .publish: stage: deploy script: + - | + printenv | sort - | # Login to Gitlab (source) registry if target registry is not same Gitlab if [[ "x${MODULES_REGISTRY}" != "x${CI_REGISTRY}" ]]; then From c4ef5649d3ea67977e1917650964e9b31b8dad73 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 20 Jun 2025 14:41:34 +0400 Subject: [PATCH 65/82] * remove debug Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index 5f73a2a..dfc62c2 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -1,8 +1,6 @@ .publish: stage: deploy script: - - | - printenv | sort - | # Login to Gitlab (source) registry if target registry is not same Gitlab if [[ "x${MODULES_REGISTRY}" != "x${CI_REGISTRY}" ]]; then From dd36df04319e83ddcbfe0c87ce28abc1495ba08b Mon Sep 17 00:00:00 2001 
From: "Ivan.Makeev" Date: Mon, 7 Jul 2025 17:36:32 +0400 Subject: [PATCH 66/82] WIP: add Svace setup/init to templates/multi-repo/Setup.gitlab-ci.yml Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 73 +++++++++++++++++++++++- 1 file changed, 72 insertions(+), 1 deletion(-) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 1f89daf..b3b9820 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -1,3 +1,18 @@ +# Required CI/CD variables (must be defined in Gitlab's project/group settings): +# $DEV_MODULES_REGISTRY - dev registry URL (WITHOUT http/https prefix and path part) (like: registry.example.com) +# $DEV_MODULES_REGISTRY_PATH - dev registry path (to modules folder) part (like: sys/deckhouse-oss/modules) +# $DEV_MODULES_REGISTRY_LOGIN - login for dev registry (same as module name for most cases) +# $DEV_MODULES_REGISTRY_PASSWORD - password for dev registry + +# $PROD_MODULES_REGISTRY - production registry URL (WITHOUT http/https prefix and path part) +# $PROD_MODULES_REGISTRY_PATH - prod registry path (to modules folder) part +# $PROD_MODULES_REGISTRY_LOGIN - login for prod registry +# $PROD_MODULES_REGISTRY_PASSWORD - password for prod registry + +# $SVACE_ANALYZE_HOST - hostname of the svace analyze vm +# $SVACE_ANALYZE_SSH_USER: - ssh user to connect with to svace analyze vm +# $SVACE_ANALYZE_SSH_PRIVATE_KEY- svace analyze server ssh private key + variables: ############################## # User default settings 
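Review bot: The new header documents the required variables but not `SOURCE_REPO` and `SOURCE_REPO_SSH_KEY`, which the third hunk of this commit reads, and two entries are mistyped: `$SVACE_ANALYZE_SSH_USER:` has a stray colon and `$SVACE_ANALYZE_SSH_PRIVATE_KEY-` lacks the space before the dash. Since four of these values are credentials, the header should also say how they must be configured in GitLab, e.g. `# *_PASSWORD / *_PRIVATE_KEY must be Masked variables (and Protected for PROD) so they never appear in job logs`. A multi-line PEM private key cannot be masked as-is; note next to the key entries whether it is expected base64-encoded or as a File-type variable, since the `ssh-add - <<< "${…}"` calls later in this commit assume raw key text.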
@@ -9,18 +24,32 @@ variables: # `Auto cleanup` job is run randomly, only if current second is divisible by 10 AUTO_CLEANUP: value: "true" + options: + - "true" + - "false" description: "`Auto cleanup` job is run randomly (if enabled), only if current second is divisible by 10" + SVACE_ENABLED: + value: "false" + description: "Enable Svace static analysis" + options: + - "true" + - "false" + ############################## # Internal default settings ############################## - BASE_IMAGES_VERSION: v0.5.2 + BASE_IMAGES_VERSION: v0.5.9 FORCE_CI: value: "false" + options: + - "true" + - "false" description: "Set to true if need force run workflow" # use module's container registry (on Gitlab) as werf's intermediate/cache images registry (repo with all build-time artifacts (garbage)) WERF_REPO: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} + WERF_VERSION: "2 stable" stages: - lint 
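Review bot: `WERF_VERSION: "2 stable"` pins every consumer of this template to the werf 2 channel, a behavioural change for all projects' builds that is unrelated to the Svace setup named in the commit message and not mentioned there; the same goes for `BASE_IMAGES_VERSION: v0.5.2` → `v0.5.9`. Split these into their own commit, or at least document them with a `description:` like the other variables, e.g. `WERF_VERSION: { value: "2 stable", description: "trdl channel for werf; changing it changes the build tool for every job" }`. `SVACE_ENABLED` lists `description:` before `options:` while `AUTO_CLEANUP` and `FORCE_CI` put `options:` first; keep one order. The `variables:` block starts before this hunk.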
@@ -88,3 +117,45 @@ stages: else echo "DO NOT download base_images.yml because BASE_IMAGES_VERSION is empty" fi + + # Add ssh keys + - | + if [[ -n "${SOURCE_REPO_SSH_KEY}" || -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" ]]; then + + eval $(ssh-agent) + trap "kill -3 ${SSH_AGENT_PID}" ERR EXIT HUP INT QUIT TERM + export SSH_KNOWN_HOSTS=~/.ssh/known_hosts + mkdir -p ~/.ssh + touch ~/.ssh/known_hosts + + if [[ -n "${SOURCE_REPO_SSH_KEY}" ]]; then + ssh-add - <<< "${SOURCE_REPO_SSH_KEY}" + if [[ -n "${SOURCE_REPO}" ]]; then + HOST=$(grep -oP '(?<=@)[^/:]+' <<< ${SOURCE_REPO}) + HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null) + while IFS= read -r KEY_LINE; do + CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE") + if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then + echo "$KEY_LINE" >> ~/.ssh/known_hosts + fi + done <<< "$HOST_KEYS" + fi + fi + + if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" ]]; then + ssh-add - <<< "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" + if [[ -n "${SVACE_ANALYZE_HOST}" ]]; then + echo "Adding svace ssh key (ignoring errors)." + set +e + HOST=${SVACE_ANALYZE_HOST} + HOST_KEYS=$(ssh-keyscan -H "$HOST" 2>/dev/null) + while IFS= read -r KEY_LINE; do + CONSTANT_PART=$(awk '{print $2, $3}' <<< "$KEY_LINE") + if ! grep -q "$CONSTANT_PART" ~/.ssh/known_hosts; then + echo "$KEY_LINE" >> ~/.ssh/known_hosts + fi + done <<< "$HOST_KEYS" + set -e + fi + fi + fi From 55e33e7108f65cd55393e356be00e7878b6f4ce2 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Fri, 18 Jul 2025 11:36:07 +0400 Subject: [PATCH 67/82] * remove `werf managed-images ls` from Scheduled cleanup task Signed-off-by: Ivan.Makeev --- templates/multi-repo/Cleanup.gitlab-ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index 9cc89d9..cfeeec0 100644 --- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml 
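Review bot: Both `ssh-keyscan -H "$HOST"` calls fetch the host key from the network at job time and append it to `~/.ssh/known_hosts`, so every job trusts whatever answers for `$HOST` at that moment — trust-on-first-use repeated on each run, which lets anything interposed on the runner's network path present its own host key. Prefer a pinned entry supplied as a CI variable (name to be chosen and documented in the header) written into `known_hosts`, and only fall back to `ssh-keyscan` when it is unset; the `set +e` … `set -e` around the Svace branch additionally hides a failed scan, which then surfaces later as an opaque ssh failure. `trap "kill -3 ${SSH_AGENT_PID}" …` sends SIGQUIT to the agent; `ssh-agent -k` (or a plain `kill`) is the conventional shutdown and reads as intended. `grep -oP '(?<=@)[^/:]+'` needs GNU grep built with PCRE, which the job image must provide. The `.setup` before_script starts before this hunk.
```bash
# … unchanged: ssh-agent start, trap, known_hosts bootstrap …
if [[ -n "${SOURCE_REPO_SSH_KEY}" ]]; then
  ssh-add - <<< "${SOURCE_REPO_SSH_KEY}"
  # Prefer a host key pinned in a CI variable; <PINNED_KNOWN_HOSTS_VAR> is a placeholder
  # name to be chosen and documented in the header. Fall back to ssh-keyscan only when unset.
  if [[ -n "${PINNED_KNOWN_HOSTS_VAR:-}" ]]; then
    echo "${PINNED_KNOWN_HOSTS_VAR}" >> ~/.ssh/known_hosts
  elif [[ -n "${SOURCE_REPO}" ]]; then
    echo "WARNING: no pinned host key configured; falling back to ssh-keyscan (trust-on-first-use)"
    # … unchanged: ssh-keyscan loop …
  fi
fi
# … unchanged: Svace branch — apply the same pattern and drop the set +e / set -e pair …
```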
@@ -7,7 +7,8 @@ Scheduled cleanup: before_script: - !reference [.setup, before_script] script: - - werf managed-images ls + # TODO: this one not work properly for submodules (for now?) + # - werf managed-images ls - werf cleanup Auto cleanup: From a668412588b32fb324cafa79b9fb7992b55f237e Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 21 Jul 2025 10:52:59 +0400 Subject: [PATCH 68/82] * apply private git repo patch before `werf cleanup` to properly checkout submodules Signed-off-by: Ivan.Makeev --- templates/multi-repo/Cleanup.gitlab-ci.yml | 23 +++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index cfeeec0..0903669 100644 --- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml @@ -7,9 +7,17 @@ Scheduled cleanup: before_script: - !reference [.setup, before_script] script: - # TODO: this one not work properly for submodules (for now?) - # - werf managed-images ls - - werf cleanup + - | + if [[ -z "${NO_PRIVATE_REPO_PATCH}" ]]; then + echo "Apply git private repo patch... Set NO_PRIVATE_REPO_PATCH=1 to disable it" + export GOPRIVATE=${CI_SERVER_HOST} + git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/".insteadOf "git@${CI_SERVER_HOST}:" + fi + + echo "Managed images which will be preserved during cleanup procedure:" + werf managed-images ls + echo "Starting cleanup..." + werf cleanup Auto cleanup: stage: cleanup 
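Review bot: The `git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/".insteadOf` line stores the job token in clear text in the runner's `~/.gitconfig` for the rest of the job (and past it on runners with a persistent home directory); the token is job-scoped, so the window is bounded, but the identical five-line block is then duplicated in the `Auto cleanup` job in the next hunk. Moving it into a hidden job such as `.private_repo_patch: { script: [ ... ] }` and pulling it in with `- !reference [.private_repo_patch, script]` (the file already uses `!reference` for `.setup`) keeps the two copies from drifting, and pointing `GIT_CONFIG_GLOBAL` at a file under the job's working directory limits how long the token persists. `Scheduled cleanup`'s job definition begins outside the hunk.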
@@ -29,6 +37,15 @@ Auto cleanup: - | if (( $(date +%s) % 10 == 0 )); then echo "✨ Run auto cleanup" + + if [[ -z "${NO_PRIVATE_REPO_PATCH}" ]]; then + echo "Apply git private repo patch... Set NO_PRIVATE_REPO_PATCH=1 to disable it" + export GOPRIVATE=${CI_SERVER_HOST} + git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/".insteadOf "git@${CI_SERVER_HOST}:" + fi + + echo "Managed images which will be preserved during cleanup procedure:" werf managed-images ls + echo "Starting cleanup..." werf cleanup fi From e15f278eccd8e22b2b8c6082966043feb47462c9 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 23 Jul 2025 10:09:59 +0400 Subject: [PATCH 69/82] * increase `Scheduled cleanup` timeout to 3 hour Signed-off-by: Ivan.Makeev --- templates/multi-repo/Cleanup.gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index 0903669..db7dcbd 100644 --- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml @@ -1,5 +1,6 @@ Scheduled cleanup: stage: cleanup + timeout: 3h rules: - if: $CI_PIPELINE_SOURCE == "schedule" when: on_success From 8b30a26e48e11ce292200f22bce1fc7acec4bba0 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 24 Jul 2025 10:31:27 +0400 Subject: [PATCH 70/82] * add "Logging in to registry ..." for easy debug login issues Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index b3b9820..a74cb1c 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml 
@@ -103,6 +103,7 @@ stages: if [[ "x${MODULES_REGISTRY_PASSWORD}" == "x" ]]; then MODULES_REGISTRY_PASSWORD="${CI_REGISTRY_PASSWORD}" fi + echo "Logging in to registry ${MODULES_REGISTRY}..." werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} # Setup dmt From e62bd77ae9a7d3f8b98ac6f3ce1ef3b5f54630dc Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 24 Sep 2025 14:58:04 +0400 Subject: [PATCH 71/82] * separate MODULES_REGISTRY and MODULES_TARGET_REGISTRY for publish/deploy jobs * add $DEBUG_CI_DRY_RUN variable for dry run production-related jobs Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 90 ++++++++++++++++------- 1 file changed, 62 insertions(+), 28 deletions(-) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index dfc62c2..a430f29 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml 
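Review bot: The new `echo "Logging in to registry ${MODULES_REGISTRY}..."` prints an empty host when `MODULES_REGISTRY` is unset, so the debug aid then reads `Logging in to registry ...` and the cause is only visible in werf's own error. A guard before it, `[[ -n "${MODULES_REGISTRY}" ]] || { echo "MODULES_REGISTRY is empty"; exit 5; }`, names the problem directly and matches the `exit 5` convention the Deploy template adopts in a later commit on this page. The `werf cr login ... -p ${MODULES_REGISTRY_PASSWORD}` on the following context line keeps the password in the process argument list; `--password-stdin` avoids that. The `.setup` `before_script` this belongs to starts outside the hunk.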
@@ -2,18 +2,32 @@ stage: deploy script: - | - # Login to Gitlab (source) registry if target registry is not same Gitlab - if [[ "x${MODULES_REGISTRY}" != "x${CI_REGISTRY}" ]]; then - echo "Login to Gitlab (source) ${CI_REGISTRY}..." + if [[ "x${MODULES_REGISTRY}" == "x" || "x${MODULES_REGISTRY_LOGIN}" == "x" || "x${MODULES_REGISTRY_PASSWORD}" == "x" || "x${MODULES_REGISTRY_PATH}" == "x" ]]; then + echo "One or more required variables of source registry is empty: MODULES_REGISTRY, MODULES_REGISTRY_LOGIN, MODULES_REGISTRY_PASSWORD, MODULES_REGISTRY_PATH" + exit 5 + fi + + if [[ "x${MODULES_TARGET_REGISTRY}" == "x" || "x${MODULES_TARGET_REGISTRY_LOGIN}" == "x" || "x${MODULES_TARGET_REGISTRY_PASSWORD}" == "x" || "x${MODULES_TARGET_REGISTRY_PATH}" == "x" ]]; then + echo "One or more required variables of target registry is empty: MODULES_TARGET_REGISTRY, MODULES_TARGET_REGISTRY_LOGIN, MODULES_TARGET_REGISTRY_PASSWORD, MODULES_TARGET_REGISTRY_PATH" + exit 5 + fi + - | + # Login to Gitlab registry just in case + if [[ "x${MODULES_REGISTRY}" != "x${CI_REGISTRY}" && "x${CI_REGISTRY}" != "x" && "x${CI_REGISTRY_USER}" != "x" && "x${CI_REGISTRY_PASSWORD}" != "x" ]]; then + echo "Login to Gitlab ${CI_REGISTRY} just in case..." werf cr login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} fi - # Login to target registry - echo "Login to target registry ${MODULES_REGISTRY}..." + # Login to source registry + echo "Login to source registry ${MODULES_REGISTRY}..." werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} - # generate MODULES_MODULE_SOURCE + + # Login to target registry + echo "Login to target registry ${MODULES_TARGET_REGISTRY}..." 
+ werf cr login -u ${MODULES_TARGET_REGISTRY_LOGIN} -p ${MODULES_TARGET_REGISTRY_PASSWORD} ${MODULES_TARGET_REGISTRY} + # generate MODULES_MODULE_TARGET - | - export MODULES_MODULE_SOURCE="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}" + export MODULES_MODULE_TARGET="${MODULES_TARGET_REGISTRY}/${MODULES_TARGET_REGISTRY_PATH}" # Module images - | 
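Review bot: Both new validation blocks report the full list of four variable names whenever any one of them is empty, so the user still has to work out which `MODULES_REGISTRY*` value is missing. Iterating over the names with indirect expansion reports the exact one in the same space: `for v in MODULES_REGISTRY MODULES_REGISTRY_LOGIN MODULES_REGISTRY_PASSWORD MODULES_REGISTRY_PATH; do [[ -n "${!v}" ]] || { echo "Required source registry variable ${v} is empty"; exit 5; }; done`, with the same loop over the `MODULES_TARGET_REGISTRY*` names replacing the second block. The three `werf cr login ... -p` calls pass the password as a command-line argument; `--password-stdin` keeps it out of the argument list. The job header on line 1 of the file is outside the hunk.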
@@ -31,45 +45,65 @@ # docker_tag: ed0388a743d61926309d1023e02c639c1006f7b7b56d78161f32b0e0-1744971955188 IMAGE_SRC="${docker_image}" - IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${docker_tag}" + IMAGE_DST="${MODULES_MODULE_TARGET}/${MODULES_MODULE_NAME}:${docker_tag}" - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} + if [[ -z "${DEBUG_CI_DRY_RUN}" ]]; then + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + else + echo "[DEBUG_CI_DRY_RUN] ✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + fi done # Bundle image - | IMAGE_SRC="$(jq -r '.Images."bundle".DockerImageName' images_tags_werf.json)" - IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}" + IMAGE_DST="${MODULES_MODULE_TARGET}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}" - echo "✨ Pushing BUNDLE ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} + if [[ -z "${DEBUG_CI_DRY_RUN}" ]]; then + echo "✨ Pushing BUNDLE ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + else + echo "[DEBUG_CI_DRY_RUN] ✨ Pushing BUNDLE ${IMAGE_SRC} to ${IMAGE_DST}" + fi # Release-channel image - | IMAGE_SRC="$(jq -r '.Images."release-channel-version".DockerImageName' images_tags_werf.json)" - IMAGE_DST="${MODULES_MODULE_SOURCE}/${MODULES_MODULE_NAME}/release:${MODULES_MODULE_TAG}" + IMAGE_DST="${MODULES_MODULE_TARGET}/${MODULES_MODULE_NAME}/release:${MODULES_MODULE_TAG}" - echo "✨ Pushing RELEASE ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy ${IMAGE_SRC} ${IMAGE_DST} + if [[ -z "${DEBUG_CI_DRY_RUN}" ]]; then + echo "✨ Pushing RELEASE ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy ${IMAGE_SRC} ${IMAGE_DST} + else + echo "[DEBUG_CI_DRY_RUN] ✨ Pushing RELEASE ${IMAGE_SRC} to ${IMAGE_DST}" + fi # Register module - | - echo "✨ Register the module ${MODULES_MODULE_NAME}" - crane append \ - --oci-empty-base \ - --new_layer "" \ - --new_tag "${MODULES_MODULE_SOURCE}:${MODULES_MODULE_NAME}" + if [[ -z 
"${DEBUG_CI_DRY_RUN}" ]]; then + echo "✨ Register the module ${MODULES_MODULE_NAME} in ${MODULES_MODULE_TARGET} registry" + crane append \ + --oci-empty-base \ + --new_layer "" \ + --new_tag "${MODULES_MODULE_TARGET}:${MODULES_MODULE_NAME}" + else + echo "[DEBUG_CI_DRY_RUN] ✨ Register the module ${MODULES_MODULE_NAME} in ${MODULES_MODULE_TARGET} registry" + fi .deploy: stage: deploy script: - | - REPO="${MODULES_REGISTRY}/${MODULES_REGISTRY_PATH}/${MODULES_MODULE_NAME}/release" + REPO="${MODULES_TARGET_REGISTRY}/${MODULES_TARGET_REGISTRY_PATH}/${MODULES_MODULE_NAME}/release" IMAGE_SRC="${REPO}:${MODULES_MODULE_TAG}" IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" - crane copy "${IMAGE_SRC}" "${IMAGE_DST}" + if [[ -z "${DEBUG_CI_DRY_RUN}" ]]; then + echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + crane copy "${IMAGE_SRC}" "${IMAGE_DST}" + else + echo "[DEBUG_CI_DRY_RUN] ✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + fi .deploy_prod_rules: rules: @@ -88,11 +122,11 @@ rules: - !reference [.deploy_prod_rules, rules] variables: - MODULES_REGISTRY: $PROD_MODULES_REGISTRY - MODULES_REGISTRY_LOGIN: $PROD_MODULES_REGISTRY_LOGIN - MODULES_REGISTRY_PASSWORD: $PROD_MODULES_REGISTRY_PASSWORD + MODULES_TARGET_REGISTRY: $PROD_MODULES_REGISTRY + MODULES_TARGET_REGISTRY_LOGIN: $PROD_MODULES_REGISTRY_LOGIN + MODULES_TARGET_REGISTRY_PASSWORD: $PROD_MODULES_REGISTRY_PASSWORD # path in PROD registry must be hardcoded - MODULES_REGISTRY_PATH: deckhouse/${EDITION}/modules + MODULES_TARGET_REGISTRY_PATH: deckhouse/${EDITION}/modules script: - | if [ "$DEBUG_CI" = "true" -o "$DEBUG_CI" = "1" ]; then From df08fdf2191fc3a9a348a1c1e2de134fddd911ed Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 24 Sep 2025 15:07:05 +0400 Subject: [PATCH 72/82] * set default for MODULES_TARGET_REGISTRY_* variables from source registry variables (MODULES_REGISTRY_*) 
Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index a430f29..5a7606d 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -7,10 +7,12 @@ exit 5 fi - if [[ "x${MODULES_TARGET_REGISTRY}" == "x" || "x${MODULES_TARGET_REGISTRY_LOGIN}" == "x" || "x${MODULES_TARGET_REGISTRY_PASSWORD}" == "x" || "x${MODULES_TARGET_REGISTRY_PATH}" == "x" ]]; then - echo "One or more required variables of target registry is empty: MODULES_TARGET_REGISTRY, MODULES_TARGET_REGISTRY_LOGIN, MODULES_TARGET_REGISTRY_PASSWORD, MODULES_TARGET_REGISTRY_PATH" - exit 5 - fi + # set defaults for target registry variables from source registry variables + export MODULES_TARGET_REGISTRY="${MODULES_TARGET_REGISTRY:-$MODULES_REGISTRY}" + export MODULES_TARGET_REGISTRY_LOGIN="${MODULES_TARGET_REGISTRY_LOGIN:-$MODULES_REGISTRY_LOGIN}" + export MODULES_TARGET_REGISTRY_PASSWORD="${MODULES_TARGET_REGISTRY_PASSWORD:-$MODULES_REGISTRY_PASSWORD}" + export MODULES_TARGET_REGISTRY_PATH="${MODULES_TARGET_REGISTRY_PATH:-$MODULES_REGISTRY_PATH}" + - | # Login to Gitlab registry just in case if [[ "x${MODULES_REGISTRY}" != "x${CI_REGISTRY}" && "x${CI_REGISTRY}" != "x" && "x${CI_REGISTRY_USER}" != "x" && "x${CI_REGISTRY_PASSWORD}" != "x" ]]; then From 8e962ff5369c036342dc245cabdb42fc27b0c3db Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 24 Sep 2025 15:09:05 +0400 Subject: [PATCH 73/82] * set default for MODULES_TARGET_REGISTRY_* variables from source registry variables (MODULES_REGISTRY_*) Signed-off-by: Ivan.Makeev --- templates/multi-repo/Deploy.gitlab-ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index 5a7606d..184e1ed 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml 
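Review bot: A job that sets `MODULES_TARGET_REGISTRY` but not `MODULES_TARGET_REGISTRY_LOGIN`/`_PASSWORD` now silently logs in to the new target host with the source registry's credentials, because the four new `${MODULES_TARGET_REGISTRY_*:-$MODULES_REGISTRY_*}` defaults are applied independently and the removed check is not replaced; a misconfiguration thus becomes a credential sent to the wrong registry followed by a confusing login failure. Inheriting credentials only when the target host is the source host, and otherwise requiring them, keeps the convenience without the cross-registry leak. `.publish`'s job header is outside the hunk.

```yaml
      # … unchanged: source registry variable check …
      # target registry defaults to the source registry; credentials are inherited only for the same host
      export MODULES_TARGET_REGISTRY="${MODULES_TARGET_REGISTRY:-$MODULES_REGISTRY}"
      export MODULES_TARGET_REGISTRY_PATH="${MODULES_TARGET_REGISTRY_PATH:-$MODULES_REGISTRY_PATH}"
      if [[ "${MODULES_TARGET_REGISTRY}" == "${MODULES_REGISTRY}" ]]; then
        export MODULES_TARGET_REGISTRY_LOGIN="${MODULES_TARGET_REGISTRY_LOGIN:-$MODULES_REGISTRY_LOGIN}"
        export MODULES_TARGET_REGISTRY_PASSWORD="${MODULES_TARGET_REGISTRY_PASSWORD:-$MODULES_REGISTRY_PASSWORD}"
      elif [[ -z "${MODULES_TARGET_REGISTRY_LOGIN}" || -z "${MODULES_TARGET_REGISTRY_PASSWORD}" ]]; then
        echo "MODULES_TARGET_REGISTRY differs from MODULES_REGISTRY, so MODULES_TARGET_REGISTRY_LOGIN and MODULES_TARGET_REGISTRY_PASSWORD must be set"
        exit 5
      fi
```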
+++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -95,6 +95,10 @@ stage: deploy script: - | + # set defaults for target registry variables from source registry variables + export MODULES_TARGET_REGISTRY="${MODULES_TARGET_REGISTRY:-$MODULES_REGISTRY}" + export MODULES_TARGET_REGISTRY_PATH="${MODULES_TARGET_REGISTRY_PATH:-$MODULES_REGISTRY_PATH}" + REPO="${MODULES_TARGET_REGISTRY}/${MODULES_TARGET_REGISTRY_PATH}/${MODULES_MODULE_NAME}/release" IMAGE_SRC="${REPO}:${MODULES_MODULE_TAG}" From ec2c5e94bdc0dd13af10afa6b2ffeb8aec416e21 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Wed, 24 Sep 2025 16:14:51 +0400 Subject: [PATCH 74/82] * get templates/CVE_Scan from `main` branch Signed-off-by: Ivan.Makeev --- templates/CVE_Scan.gitlab-ci.yml | 100 +++++++++++++++++++------------ 1 file changed, 62 insertions(+), 38 deletions(-) diff --git a/templates/CVE_Scan.gitlab-ci.yml b/templates/CVE_Scan.gitlab-ci.yml index f0605ce..1d89231 100644 --- a/templates/CVE_Scan.gitlab-ci.yml +++ b/templates/CVE_Scan.gitlab-ci.yml 
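Review bot: `.deploy` now defaults `MODULES_TARGET_REGISTRY` and `MODULES_TARGET_REGISTRY_PATH` but, unlike `.publish`, never logs in to `${MODULES_TARGET_REGISTRY}`, so when the target differs from the source registry the `crane copy` below relies on a login performed outside this hunk (presumably the `.setup` `before_script`, which logs in to `MODULES_REGISTRY`); that dependency should be stated in a comment above the `REPO=` line or made explicit with a `werf cr login` to the target registry as `.publish` does. The two-line defaults block is also the second copy of the one added to `.publish` in the previous commit; a hidden `.target_registry_defaults` script shared via `!reference` keeps them identical. `.deploy`'s job header is outside the hunk.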
@@ -97,6 +97,49 @@ fi echo "CVE Scan will be applied to the following tags of ${MODULE_NAME} module:" echo "${module_tags[@]}" + + # Functions + trivy_scan() { + ${workdir}/bin/trivy i --policy "${TRIVY_POLICY_URL}" --cache-dir "${workdir}/bin/trivy_cache" --skip-db-update --skip-java-db-update --exit-code 0 --severity "${severity}" --ignorefile "${module_workdir}/.trivyignore" --format ${1} ${2} ${3} --quiet ${4} --username "${trivy_registry_user}" --password "${trivy_registry_pass}" --image-src remote + } + + send_report() { + echo "" + echo " Uploading trivy ${1} report for image \"${IMAGE_NAME}\" of \"${MODULE_NAME}\" module" + echo "" + curl -s -S -o /dev/null --fail-with-body -X POST \ + --retry 5 \ + --retry-delay 10 \ + --retry-all-errors \ + ${DD_URL}/api/v2/reimport-scan/ \ + -H "accept: application/json" \ + -H "Content-Type: multipart/form-data" \ + -H "Authorization: Token ${DD_TOKEN}" \ + -F "auto_create_context=True" \ + -F "minimum_severity=Info" \ + -F "active=true" \ + -F "verified=true" \ + -F "scan_type=Trivy Scan" \ + -F "close_old_findings=true" \ + -F "do_not_reactivate=false" \ + -F "push_to_jira=false" \ + -F "file=@${2}" \ + -F "product_type_name=External Modules" \ + -F "product_name=$MODULE_NAME" \ + -F "scan_date=${date_iso}" \ + -F "engagement_name=${1}" \ + -F "service=${MODULE_NAME} / ${IMAGE_NAME}" \ + -F "group_by=component_name+component_version" \ + -F "deduplication_on_engagement=false" \ + -F "tags=external_module,module:${MODULE_NAME},image:${IMAGE_NAME},branch:${module_tag},${dd_short_release_tag},${dd_full_release_tag},${dd_default_branch_tag}" \ + -F "test_title=[${MODULE_NAME}]: ${IMAGE_NAME}:${module_tag}" \ + -F "version=${dd_image_version}" \ + -F "build_id=${IMAGE_HASH}" \ + -F "commit_hash=${CI_COMMIT_SHA}" \ + -F "branch_tag=${module_tag}" \ + -F "apply_tags_to_findings=true" + } + # Scan in loop for provided list of tags for module_tag in ${module_tags[@]}; do dd_default_branch_tag="" 
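Review bot: `trivy_scan` relies on unquoted `${2} ${3}` word-splitting to turn strings such as `"--scanners vuln"` and `"--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json"` back into separate arguments, so any space in `module_reports`, `MODULE_NAME` or `IMAGE_NAME` breaks the `--output` path, and the `""` placeholder the callers pass (call sites are in the next hunk) exists only to keep positions aligned. Taking the format and image as named positionals and the rest through `"$@"` removes the splitting: `trivy_scan() { local fmt="${1}" image="${2}"; shift 2; ${workdir}/bin/trivy i ... --format "${fmt}" "$@" --quiet "${image}" ...; }`, with callers written as `trivy_scan json "${module_image}:${module_tag}" --scanners vuln --output "${module_reports}/..."`. `send_report` hard-codes `scan_type=Trivy Scan` for both the CVE and the License upload; whether DefectDojo's Trivy parser ingests license findings is not verifiable here, and if it does not the second upload succeeds with an empty result, which deserves a comment or a check. The enclosing script item starts outside the hunk.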
@@ -154,50 +197,31 @@ if [ "${additional_image_detected}" == true ]; then if [ "${TRIVY_REPORTS_LOG_OUTPUT}" != "false" ]; then - ${workdir}/bin/trivy i --policy "${TRIVY_POLICY_URL}" --cache-dir "${workdir}/bin/trivy_cache" --skip-db-update --skip-java-db-update --exit-code 0 --severity ${severity} --ignorefile "${module_workdir}/.trivyignore" --format table --scanners vuln --quiet "${module_image}:${module_tag}" --username "${trivy_registry_user}" --password "${trivy_registry_pass}" --image-src remote + # CVE Scan + trivy_scan "table" "--scanners vuln" "" "${module_image}:${module_tag}" + # License scan + trivy_scan "table" "--scanners license --license-full" "" "${module_image}:${module_tag}" fi - ${workdir}/bin/trivy i --policy "${TRIVY_POLICY_URL}" --cache-dir "${workdir}/bin/trivy_cache" --skip-db-update --skip-java-db-update --exit-code 0 --severity $severity --ignorefile "${module_workdir}/.trivyignore" --format json --scanners vuln --output "${module_reports}/d8_${MODULE_NAME}_${IMAGE_NAME}_report.json" --quiet "${module_image}:${module_tag}" --username "${trivy_registry_user}" --password "${trivy_registry_pass}" --image-src remote + # CVE Scan + trivy_scan "json" "--scanners vuln" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${module_image}:${module_tag}" + # License scan + trivy_scan "json" "--scanners license --license-full" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" "${module_image}:${module_tag}" else if [ "${TRIVY_REPORTS_LOG_OUTPUT}" != "false" ]; then - ${workdir}/bin/trivy i --policy "${TRIVY_POLICY_URL}" --cache-dir "${workdir}/bin/trivy_cache" --skip-db-update --skip-java-db-update --exit-code 0 --severity ${severity} --ignorefile "${module_workdir}/.trivyignore" --format table --scanners vuln --quiet "${module_image}@${IMAGE_HASH}" --username "${trivy_registry_user}" --password "${trivy_registry_pass}" --image-src remote + # CVE Scan + trivy_scan "table" "--scanners vuln" "" 
"${module_image}@${IMAGE_HASH}" + # License scan + trivy_scan "table" "--scanners license --license-full" "" "${module_image}@${IMAGE_HASH}" fi - ${workdir}/bin/trivy i --policy "${TRIVY_POLICY_URL}" --cache-dir "${workdir}/bin/trivy_cache" --skip-db-update --skip-java-db-update --exit-code 0 --severity ${severity} --ignorefile "${module_workdir}/.trivyignore" --format json --scanners vuln --output "${module_reports}/d8_${MODULE_NAME}_${IMAGE_NAME}_report.json" --quiet "${module_image}@${IMAGE_HASH}" --username "${trivy_registry_user}" --password "${trivy_registry_pass}" --image-src remote + # CVE Scan + trivy_scan "json" "--scanners vuln" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${module_image}@${IMAGE_HASH}" + # License scan + trivy_scan "json" "--scanners license --license-full" "--output ${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" "${module_image}@${IMAGE_HASH}" fi echo " Done" - echo "" - echo " Uploading trivy CVE report for image ${IMAGE_NAME} of ${MODULE_NAME} module" - echo "" - curl -s -S -o /dev/null --fail-with-body -X POST \ - --retry 5 \ - --retry-delay 10 \ - --retry-all-errors \ - ${DD_URL}/api/v2/reimport-scan/ \ - -H "accept: application/json" \ - -H "Content-Type: multipart/form-data" \ - -H "Authorization: Token ${DD_TOKEN}" \ - -F "auto_create_context=True" \ - -F "minimum_severity=Info" \ - -F "active=true" \ - -F "verified=true" \ - -F "scan_type=Trivy Scan" \ - -F "close_old_findings=true" \ - -F "do_not_reactivate=false" \ - -F "push_to_jira=false" \ - -F "file=@${module_reports}/d8_${MODULE_NAME}_${IMAGE_NAME}_report.json" \ - -F "product_type_name=Deckhouse images" \ - -F "product_name=$MODULE_NAME" \ - -F "scan_date=${date_iso}" \ - -F "engagement_name=CVE Test: ${MODULE_NAME} Images" \ - -F "service=${MODULE_NAME} / ${IMAGE_NAME}" \ - -F "group_by=component_name+component_version" \ - -F "deduplication_on_engagement=false" \ - -F 
"tags=deckhouse_image,module:${MODULE_NAME},image:${IMAGE_NAME},branch:${module_tag},${dd_short_release_tag},${dd_full_release_tag},${dd_default_branch_tag}" \ - -F "test_title=[${MODULE_NAME}]: ${IMAGE_NAME}:${module_tag}" \ - -F "version=${dd_image_version}" \ - -F "build_id=${IMAGE_HASH}" \ - -F "commit_hash=${CI_COMMIT_SHA}" \ - -F "branch_tag=${module_tag}" \ - -F "apply_tags_to_findings=true" + + send_report "CVE" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" + send_report "License" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" done < <(jq -rc 'to_entries[]' <<< "${digests}") done rm -rf ${workdir} From 053c4cc147c433c3ebfa6a977a20d1c59beaedf9 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 25 Sep 2025 09:52:40 +0400 Subject: [PATCH 75/82] [CVE_Scan] feat: generate docker config without `docker login` Signed-off-by: Ivan.Makeev --- templates/CVE_Scan.gitlab-ci.yml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/templates/CVE_Scan.gitlab-ci.yml b/templates/CVE_Scan.gitlab-ci.yml index 1d89231..c00260b 100644 --- a/templates/CVE_Scan.gitlab-ci.yml +++ b/templates/CVE_Scan.gitlab-ci.yml 
@@ -40,8 +40,23 @@ echo "Preparing DOCKER_CONFIG and login to registries" mkdir -p "${workdir}/docker" export DOCKER_CONFIG="${workdir}/docker" - echo ${PROD_REGISTRY_PASSWORD} | docker login --username="${PROD_REGISTRY_USER}" --password-stdin ${PROD_REGISTRY} - echo ${DEV_REGISTRY_PASSWORD} | docker login --username="${DEV_REGISTRY_USER}" --password-stdin ${DEV_REGISTRY} + + PROD_AUTH_STRING=$(echo -n "$PROD_REGISTRY_USER:$PROD_REGISTRY_PASSWORD" | base64 -w 0) + DEV_AUTH_STRING=$(echo -n "$DEV_REGISTRY_USER:$DEV_REGISTRY_PASSWORD" | base64 -w 0) + + # Create config.json file + cat > ${DOCKER_CONFIG}/config.json << EOF + { + "auths": { + "$PROD_REGISTRY": { + "auth": "$PROD_AUTH_STRING" + }, + "${DEV_REGISTRY}": { + "auth": "$DEV_AUTH_STRING" + } + } + } + EOF echo echo "=======================================================" echo From 5c9c3c953e975b6c0308e7859554130487b4450c Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 25 Sep 2025 13:15:32 +0400 Subject: [PATCH 76/82] * deploy tags also to dev-registry when tag is specified Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_DEV.gitlab-ci.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml index e835b64..bcb7534 100644 --- a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml 
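Review bot: `cat > ${DOCKER_CONFIG}/config.json << EOF` creates the credentials file with the runner's default umask, whereas the `docker login` it replaces wrote `config.json` with mode 0600; under a typical 022 umask the base64 registry credentials are readable by every other user on a shared runner until the `rm -rf ${workdir}` at the end of the script runs. Writing under `(umask 077; cat > "${DOCKER_CONFIG}/config.json" << EOF ... EOF)` or pre-creating the file with `install -m 600 /dev/null "${DOCKER_CONFIG}/config.json"` restores the old permissions. The heredoc also interpolates `$PROD_REGISTRY`/`$DEV_REGISTRY` into JSON without escaping; since this script already uses `jq`, `jq -n --arg p "$PROD_REGISTRY" --arg pa "$PROD_AUTH_STRING" --arg d "$DEV_REGISTRY" --arg da "$DEV_AUTH_STRING" '{auths: {($p): {auth: $pa}, ($d): {auth: $da}}}'` yields the same file with correct quoting. The script item this belongs to starts outside the hunk.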
@@ -39,3 +39,27 @@ DEV | Publish default branch: when: on_success # do not run in other cases - when: never + +DEV | Publish tags also to dev-registry: + variables: + MODULES_REGISTRY: ${DEV_MODULES_REGISTRY} + MODULES_REGISTRY_PATH: ${DEV_MODULES_REGISTRY_PATH} + MODULES_REGISTRY_LOGIN: ${DEV_MODULES_REGISTRY_LOGIN} + MODULES_REGISTRY_PASSWORD: ${DEV_MODULES_REGISTRY_PASSWORD} + MODULES_MODULE_TAG: ${CI_COMMIT_TAG} + rules: + # do not run if some required variables is empty + - if: '$DEV_MODULES_REGISTRY == null || $DEV_MODULES_REGISTRY == "" || $DEV_MODULES_REGISTRY_PATH == null || $DEV_MODULES_REGISTRY_PATH == ""' + when: never + # deploy tags to dev-registry (as in prod registry) when tag specified + - if: '$CI_COMMIT_TAG && ($NO_DEPLOY_TAGS_TO_DEV == null || $NO_DEPLOY_TAGS_TO_DEV == "")' + when: on_success + # do not run in other cases + - when: never + script: + - | + if [ "$DEBUG_CI" = "true" -o "$DEBUG_CI" = "1" ]; then + printenv | sort + fi + # publish final images to dev registry and register module with $MODULES_MODULE_TAG + - !reference [.publish, script] From 282554e42448eb0fa1eb08212cfedf9caae4597a Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 25 Sep 2025 13:53:48 +0400 Subject: [PATCH 77/82] * fix `DEV | Publish tags also to dev-registry` job Signed-off-by: Ivan.Makeev --- jobs/multi-repo/Deploy_DEV.gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml index bcb7534..0b5805e 100644 --- a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml @@ -41,6 +41,7 @@ DEV | Publish default branch: - when: never DEV | Publish tags also to dev-registry: + stage: deploy variables: MODULES_REGISTRY: ${DEV_MODULES_REGISTRY} MODULES_REGISTRY_PATH: ${DEV_MODULES_REGISTRY_PATH} From d56add53b8a9e46b8068d7d0179102e2c0c20e84 Mon Sep 17 00:00:00 2001 
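Review bot: `printenv | sort` in the new job's `script` writes every environment variable to the job log whenever `DEBUG_CI` is set, including `MODULES_REGISTRY_PASSWORD`, `DEV_MODULES_REGISTRY_PASSWORD` and `CI_JOB_TOKEN`; GitLab masks only variables configured as masked, and values derived at runtime (such as the exported `MODULES_TARGET_REGISTRY_*` defaults in `.publish`) are never masked. Printing names only, `printenv | cut -d= -f1 | sort`, or filtering with `grep -viE 'PASSWORD|TOKEN|SECRET|KEY'`, keeps the debugging aid without logging credentials; the same `if [ "$DEBUG_CI" = "true" -o "$DEBUG_CI" = "1" ]` line is visible as context in the prod job hunk of the earlier Deploy commit and presumably guards the same command there. The `rules:` only check `DEV_MODULES_REGISTRY` and `DEV_MODULES_REGISTRY_PATH`, so with login or password unset the job is created and then exits 5 from `.publish`; that is consistent with the source check there but is worth saying in the rule comment. The `DEV | Publish default branch` job above begins outside the hunk.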
From: "Ivan.Makeev" Date: Mon, 29 Sep 2025 12:24:00 +0400 Subject: [PATCH 78/82] * add Svace integration from `main` branch Signed-off-by: Ivan.Makeev --- templates/multi-repo/Build.gitlab-ci.yml | 18 +++++++++++++++++ templates/multi-repo/Setup.gitlab-ci.yml | 25 +++++++++++++++++------- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/templates/multi-repo/Build.gitlab-ci.yml b/templates/multi-repo/Build.gitlab-ci.yml index 18d731e..c34de2b 100644 --- a/templates/multi-repo/Build.gitlab-ci.yml +++ b/templates/multi-repo/Build.gitlab-ci.yml @@ -13,3 +13,21 @@ paths: - images_tags_werf.json expire_in: "30 days" + +.svace_rules_mr: + rules: + - if: '$CI_MERGE_REQUEST_LABELS =~ /(^|,)analyze\/svace(,|$)/' + variables: + SVACE_ENABLED: "true" + +.svace_rules_manual: + rules: + - if: $CI_PIPELINE_SOURCE == "web" && $SVACE_ENABLED == "true" && $CI_COMMIT_BRANCH + variables: + SVACE_ENABLED: "true" + +.svace_rules_schedule: + rules: + - if: $CI_PIPELINE_SOURCE == "schedule" && $SVACE_ENABLED == "true" && $CI_COMMIT_BRANCH + variables: + SVACE_ENABLED: "true" \ No newline at end of file diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index a74cb1c..367811f 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -9,9 +9,11 @@ # $PROD_MODULES_REGISTRY_LOGIN - login for prod registry # $PROD_MODULES_REGISTRY_PASSWORD - password for prod registry -# $SVACE_ANALYZE_HOST - hostname of the svace analyze vm -# $SVACE_ANALYZE_SSH_USER: - ssh user to connect with to svace analyze vm -# $SVACE_ANALYZE_SSH_PRIVATE_KEY- svace analyze server ssh private key + +# SVACE_ANALYZE_HOST - hostname of the svace analyze vm +# SVACE_ANALYZE_SSH_USER: - ssh user to connect with to svace analyze vm +# SVACE_ANALYZE_SSH_PRIVATE_KEY_B64 - svace analyze server ssh private key + variables: ############################## 
@@ -48,7 +50,9 @@ variables: description: "Set to true if need force run workflow" # use module's container registry (on Gitlab) as werf's intermediate/cache images registry (repo with all build-time artifacts (garbage)) - WERF_REPO: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} + WERF_REPO: + description: "Container registry storage address" + value: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} WERF_VERSION: "2 stable" stages: @@ -119,9 +123,16 @@ stages: echo "DO NOT download base_images.yml because BASE_IMAGES_VERSION is empty" fi + # Download deckhouse lib-helm archive + - | + if [[ -n "${DECKHOUSE_LIB_HELM_VERSION}" ]]; then + mkdir charts + curl --fail -sSLO https://github.com/deckhouse/lib-helm/releases/download/deckhouse_lib_helm-${DECKHOUSE_LIB_HELM_VERSION}/deckhouse_lib_helm-${DECKHOUSE_LIB_HELM_VERSION}.tgz --output-dir ./charts + fi + # Add ssh keys - | - if [[ -n "${SOURCE_REPO_SSH_KEY}" || -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" ]]; then + if [[ -n "${SOURCE_REPO_SSH_KEY}" || -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then eval $(ssh-agent) trap "kill -3 ${SSH_AGENT_PID}" ERR EXIT HUP INT QUIT TERM @@ -143,8 +154,8 @@ stages: fi fi - if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" ]]; then - ssh-add - <<< "${SVACE_ANALYZE_SSH_PRIVATE_KEY}" + if [[ -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then + echo "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" | base64 -d | ssh-add - if [[ -n "${SVACE_ANALYZE_HOST}" ]]; then echo "Adding svace ssh key (ignoring errors)." set +e From 4f63159a67bd7ff2d41170272c471c964a60538c Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Mon, 29 Sep 2025 13:57:23 +0400 Subject: [PATCH 79/82] * fix DECKHOUSE_LIB_HELM_VERSION block indent in multi-repo/Setup Signed-off-by: Ivan.Makeev --- templates/multi-repo/Setup.gitlab-ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 367811f..43b8755 100644 
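Review bot: `mkdir charts` in the new lib-helm download step fails when a `charts` directory already exists in the checkout, a plausible layout for a Helm-based module, and makes the step non-idempotent; `mkdir -p charts` is the usual form. The archive is fetched from a GitHub release with `curl --fail -sSLO ...` and used as-is, with no checksum or signature check, so the build trusts whatever the release serves at that moment; with the version already pinned through `DECKHOUSE_LIB_HELM_VERSION`, comparing the download against a pinned digest (e.g. a `DECKHOUSE_LIB_HELM_SHA256` variable, name illustrative) with `sha256sum -c` closes that gap. The block's indentation is corrected by the next commit on this page. The `before_script` list this belongs to starts outside the hunk.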
--- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -123,12 +123,12 @@ stages: echo "DO NOT download base_images.yml because BASE_IMAGES_VERSION is empty" fi - # Download deckhouse lib-helm archive - - | - if [[ -n "${DECKHOUSE_LIB_HELM_VERSION}" ]]; then - mkdir charts - curl --fail -sSLO https://github.com/deckhouse/lib-helm/releases/download/deckhouse_lib_helm-${DECKHOUSE_LIB_HELM_VERSION}/deckhouse_lib_helm-${DECKHOUSE_LIB_HELM_VERSION}.tgz --output-dir ./charts - fi + # Download deckhouse lib-helm archive + - | + if [[ -n "${DECKHOUSE_LIB_HELM_VERSION}" ]]; then + mkdir charts + curl --fail -sSLO https://github.com/deckhouse/lib-helm/releases/download/deckhouse_lib_helm-${DECKHOUSE_LIB_HELM_VERSION}/deckhouse_lib_helm-${DECKHOUSE_LIB_HELM_VERSION}.tgz --output-dir ./charts + fi # Add ssh keys - | From 30c8df34b8bc0c093d6b18b6f3a1645d330ccdea Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Tue, 21 Oct 2025 09:53:39 +0400 Subject: [PATCH 80/82] * get CVE_Scan from v8.0 branch and patch to auth without docker Signed-off-by: Ivan.Makeev --- templates/CVE_Scan.gitlab-ci.yml | 81 +++++++++++++++++++++++++------- 1 file changed, 65 insertions(+), 16 deletions(-) diff --git a/templates/CVE_Scan.gitlab-ci.yml b/templates/CVE_Scan.gitlab-ci.yml index c00260b..74788ae 100644 --- a/templates/CVE_Scan.gitlab-ci.yml +++ b/templates/CVE_Scan.gitlab-ci.yml 
@@ -115,20 +115,29 @@ # Functions trivy_scan() { - ${workdir}/bin/trivy i --policy "${TRIVY_POLICY_URL}" --cache-dir "${workdir}/bin/trivy_cache" --skip-db-update --skip-java-db-update --exit-code 0 --severity "${severity}" --ignorefile "${module_workdir}/.trivyignore" --format ${1} ${2} ${3} --quiet ${4} --username "${trivy_registry_user}" --password "${trivy_registry_pass}" --image-src remote + ${workdir}/bin/trivy i --vex oci --show-suppressed --config-check "${TRIVY_POLICY_URL}" --cache-dir "${workdir}/bin/trivy_cache" --skip-db-update --skip-java-db-update --exit-code 0 --severity "${severity}" --ignorefile "${module_workdir}/.trivyignore" --format ${1} ${2} ${3} --quiet ${4} --username "${trivy_registry_user}" --password "${trivy_registry_pass}" --image-src remote } send_report() { + dd_scan_type="${1}" + dd_report_file_path="${2}" + dd_module_name="${3}" + dd_image_name="${4}" + dd_engagement_name="[$(echo "${dd_scan_type}" | tr '[:lower:]' '[:upper:]')] [IMAGES] [${dd_branch}]" + + tags_string="\"external_modules\",\"images\",\"${dd_scan_type}\",\"${dd_release_or_dev_tag}\",\"${dd_image_version}\"" + if [[ -n "${dd_short_release_tag}" && -n "${dd_full_release_tag}" ]]; then + tags_string+=",\"${dd_short_release_tag}\",\"${dd_full_release_tag}\"" + fi echo "" - echo " Uploading trivy ${1} report for image \"${IMAGE_NAME}\" of \"${MODULE_NAME}\" module" + echo " Uploading trivy ${dd_branch} report for image \"${dd_image_name}\" of \"${dd_module_name}\" module" echo "" - curl -s -S -o /dev/null --fail-with-body -X POST \ - --retry 5 \ - --retry-delay 10 \ + dd_upload_response=$(curl -sw "%{http_code}" -X POST \ + --retry 10 \ + --retry-delay 20 \ --retry-all-errors \ ${DD_URL}/api/v2/reimport-scan/ \ -H "accept: application/json" \ - -H "Content-Type: multipart/form-data" \ -H "Authorization: Token ${DD_TOKEN}" \ -F "auto_create_context=True" \ -F "minimum_severity=Info" \ 
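Review bot: The rewritten upload message `echo " Uploading trivy ${dd_branch} report for image ..."` prints `dd_branch` where the old line printed the scan type, so the log says the same thing for the CVE and the License upload; `${dd_scan_type}` is the intended variable. `dd_branch`, `dd_release_or_dev_tag` and `dd_image_version` are read inside the function but are neither parameters nor assigned in the hunk, and `send_report` now expects four positionals while its call sites (the loop at the end of the file, outside this hunk) previously passed two, so they need updating or `dd_module_name` and `dd_image_name` are empty in the engagement. `tags_string` builds a JSON array by string concatenation without escaping; since the script already uses `jq`, `jq -cn '$ARGS.positional' --args "${tag_values[@]}"` produces it safely. Checking `${dd_upload_response: -3}` against 201 is fine, but when curl exhausts its retries on a transport error the captured code is `000`; the branch taken then is outside the hunk.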
@@ -138,21 +147,57 @@ -F "close_old_findings=true" \ -F "do_not_reactivate=false" \ -F "push_to_jira=false" \ - -F "file=@${2}" \ + -F "file=@${dd_report_file_path}" \ -F "product_type_name=External Modules" \ - -F "product_name=$MODULE_NAME" \ + -F "product_name=${dd_module_name}" \ -F "scan_date=${date_iso}" \ - -F "engagement_name=${1}" \ - -F "service=${MODULE_NAME} / ${IMAGE_NAME}" \ + -F "engagement_name=${dd_engagement_name}" \ + -F "service=${dd_module_name} / ${dd_image_name}" \ -F "group_by=component_name+component_version" \ -F "deduplication_on_engagement=false" \ - -F "tags=external_module,module:${MODULE_NAME},image:${IMAGE_NAME},branch:${module_tag},${dd_short_release_tag},${dd_full_release_tag},${dd_default_branch_tag}" \ - -F "test_title=[${MODULE_NAME}]: ${IMAGE_NAME}:${module_tag}" \ + -F "tags=external_module,${dd_scan_type},module:${dd_module_name},image:${dd_image_name},branch:${dd_branch},${dd_short_release_tag},${dd_full_release_tag},${dd_default_branch_tag},${dd_release_or_dev_tag}" \ + -F "test_title=[${dd_module_name}]: ${dd_image_name}:${dd_image_version}" \ -F "version=${dd_image_version}" \ -F "build_id=${IMAGE_HASH}" \ -F "commit_hash=${CI_COMMIT_SHA}" \ -F "branch_tag=${module_tag}" \ - -F "apply_tags_to_findings=true" + -F "apply_tags_to_findings=true") + + dd_return_code="${dd_upload_response: -3}" + dd_return_body="${dd_upload_response:0: -3}" + if [ ${dd_return_code} -eq 201 ]; then + dd_engagement_id=$(echo ${dd_return_body} | jq ".engagement_id" ) + echo "dd_engagement_id: ${dd_engagement_id}" + echo "Update with tags: ${tags_string}" + # Updating engagement + dd_eng_patch_response=$(curl -sw "%{http_code}" -X "PATCH" \ + --retry 10 \ + --retry-delay 20 \ + --retry-all-errors \ + "${DD_URL}/api/v2/engagements/${dd_engagement_id}/" \ + -H "accept: application/json" \ + -H "Authorization: Token ${DD_TOKEN}" \ + -H "Content-Type: application/json" \ + -d "{ + \"tags\": ["${tags_string}"], + \"version\": \"${dd_image_version}\", + 
\"branch_tag\": \"${dd_branch}\" + }") + if [ ${dd_eng_patch_response: -3} -eq 200 ]; then + echo "Engagemet \"${dd_engagement_name}\" updated successfully" + else + echo "!!!WARNING!!!" + echo "Engagemet \"${dd_engagement_name}\" WAS NOT UPDATED" + echo "HTTP_CODE: ${dd_eng_patch_response: -3}" + echo "DD_RESPONSE: ${dd_eng_patch_response:0: -3}" + fi + else + echo "!!!WARNING!!!" + echo "Report for image \"${dd_image_name}\" of \"${dd_module_name}\" module WAS NOT UPLOADED" + echo "HTTP_CODE: ${dd_return_code}" + echo "DD_RESPONSE: ${dd_return_body}" + fi + } # Scan in loop for provided list of tags @@ -160,7 +205,10 @@ dd_default_branch_tag="" dd_short_release_tag="" dd_full_release_tag="" + dd_release_or_dev_tag="dev" dd_image_version="${module_tag}" + dd_branch="${module_tag}" + date_iso=$(date -I) module_image="${DEV_REGISTRY_MODULE_BASEDIR}/${MODULE_NAME}" trivy_registry_user="${DEV_REGISTRY_USER}" trivy_registry_pass="${DEV_REGISTRY_PASSWORD}" @@ -174,6 +222,7 @@ trivy_registry_pass="${PROD_REGISTRY_PASSWORD}" dd_short_release_tag="release:$(echo ${module_tag} | cut -d '.' -f -2 | sed 's/^v//')" dd_full_release_tag="image_release_tag:${module_tag}" + dd_release_or_dev_tag="release" dd_image_version="$(echo ${dd_short_release_tag} | sed 's/^release\://')" fi module_workdir="${workdir}/${MODULE_NAME}_${module_tag}" @@ -193,7 +242,7 @@ digests=$(echo "${digests}"|jq --arg i "${MODULE_NAME}" --arg s "${module_tag}" '. += { ($i): ($s) }') echo "Images to scan:" echo "${digests}" - date_iso=$(date -I) + while read -r line; do IMAGE_NAME=$(jq -rc '.key' <<< "${line}") if [[ "${IMAGE_NAME}" == "trivy" ]]; then 
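Review bot: A failed reimport (any non-201 code, including the `000` curl prints when all retries fail) now only prints `!!!WARNING!!!` and send_report returns 0, so a scan whose findings never reached DefectDojo still leaves the job green, whereas the removed `--fail-with-body` made curl exit non-zero here. Both warning branches should end in `return 1` (or set a flag that the loop checks after `done`) so a lost report fails the job. The PATCH body is assembled by interpolating `${tags_string}`, `${dd_image_version}` and `${dd_branch}` into a JSON string, which breaks if a tag ever contains a double quote — `jq -n --arg`, which this script already uses for `digests`, would build it safely — and `dd_engagement_id=$(echo ${dd_return_body} | jq ".engagement_id")` yields `null` on an unexpected body and then PATCHes `/engagements/null/`. The word `Engagemet` in the two status messages is misspelled.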
@@ -235,8 +284,8 @@ fi echo " Done" - send_report "CVE" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" - send_report "License" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" + send_report "CVE" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report.json" "${MODULE_NAME}" "${IMAGE_NAME}" + send_report "License" "${module_reports}/ext_${MODULE_NAME}_${IMAGE_NAME}_report_license.json" "${MODULE_NAME}" "${IMAGE_NAME}" done < <(jq -rc 'to_entries[]' <<< "${digests}") done rm -rf ${workdir} From 3e1d59abde8e4bc5db95ba40b4bccee438231c9a Mon Sep 17 00:00:00 2001 From: Makeev Ivan <1791673+Ranger-X@users.noreply.github.com> Date: Thu, 4 Dec 2025 09:04:42 +0400 Subject: [PATCH 81/82] Multirepo + images signing (#59) * * add sign images code from `feat/signing_images` branch Signed-off-by: Ivan.Makeev * * bump WERF_SIGN_VERSION Signed-off-by: Ivan.Makeev * * try download werf from fox with CI_JOB_TOKEN Signed-off-by: Ivan.Makeev * * try download werf from fox with CI_JOB_TOKEN Signed-off-by: Ivan.Makeev * * try download werf from fox with WERF_SIGN_PACKAGE_TOKEN Signed-off-by: Ivan.Makeev * * fix werf install Signed-off-by: Ivan.Makeev * * debug Signed-off-by: Ivan.Makeev * * remove debug statements Signed-off-by: Ivan.Makeev * * disable ELF files signing Signed-off-by: Ivan.Makeev * * require WERF_VAULT_AUTH_ROLE_ID or WERF_VAULT_AUTH_JWT Signed-off-by: Ivan.Makeev * * require WERF_VAULT_AUTH_ROLE_ID or WERF_VAULT_AUTH_JWT Signed-off-by: Ivan.Makeev * * add some emojis Signed-off-by: Ivan.Makeev * * do not enable images signing (comment WERF_SIGN_VERSION var) by default Signed-off-by: Ivan.Makeev --------- 
Signed-off-by: Ivan.Makeev --- README.md | 34 ++++++ jobs/multi-repo/Debug.gitlab-ci.yml | 1 + jobs/multi-repo/Deploy_DEV.gitlab-ci.yml | 1 + templates/multi-repo/Build.gitlab-ci.yml | 31 ++++++ templates/multi-repo/Cleanup.gitlab-ci.yml | 14 +-- templates/multi-repo/Deploy.gitlab-ci.yml | 29 ++--- templates/multi-repo/Lint.gitlab-ci.yml | 1 + templates/multi-repo/Setup.gitlab-ci.yml | 123 +++++++++++++++++++-- 8 files changed, 203 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index 7819b6a..47bcbba 100644 --- a/README.md +++ b/README.md 
@@ -47,6 +47,40 @@ In `templates/multi-repo` the CI workflow differs from `basic` CI (which in `tem - [Refactor] All werf's caches and other artifacts (from `build` stage) are stored in Gitlab's registry (`${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME}`) by default. - [Refactor] Images publishing (via `crane copy`) and module's self-registration processes moved to dedicated hidden job `.publish` (see `templates/multi-repo/Deploy.gitlab-ci.yml`). +## Image and Binary Signing + +The templates now support signing of container images and ELF binaries within those images using werf's built-in signing capabilities. + +### Features + +- **Image signing**: Container image manifests are signed using certificates +- **Binary signing**: ELF binaries within images are signed using GPG keys + +### Required Variables + +To enable signing, configure the following variables in your GitLab CI/CD project settings: + +#### Secret Variables (GitLab CI/CD Variables) + +- `WERF_SIGN_CERT` - Certificate for image signing (base64 encoded) +- `WERF_SIGN_INTERMEDIATES` - Intermediate certificates (base64 encoded) +- `WERF_SIGN_KEY` - Private key for signing (base64 encoded) +- `VAULT_ROLE_ID` - Vault role ID for accessing GPG keys +- `VAULT_SECRET_ID` - Vault secret ID for accessing GPG keys +- `VAULT_ADDR` - Vault URL +- `WERF_ELF_PGP_PRIVATE_KEY_FINGERPRINT` - GPG key fingerprint for binary signing +- `WERF_ELF_PGP_PRIVATE_KEY_PASSPHRASE` - GPG key passphrase + +### Configuration + +The signing is enabled by default when using the templates. The following environment variables are automatically configured: + +```yaml +WERF_SIGN_MANIFEST: "true" # Enable image manifest signing +WERF_BSIGN_ELF_FILES: "1" # Enable ELF binary signing +WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH: "true" # Enable dm-verity annotations +``` + ## Variables `$MODULES_REGISTRY` - base URL for the registry, e.g. `registry.example.com` 
diff --git a/jobs/multi-repo/Debug.gitlab-ci.yml b/jobs/multi-repo/Debug.gitlab-ci.yml index 376d13f..99afa7a 100644 --- a/jobs/multi-repo/Debug.gitlab-ci.yml +++ b/jobs/multi-repo/Debug.gitlab-ci.yml @@ -10,4 +10,5 @@ debug:printenv: - if: $DEBUG_CI == "true" || $DEBUG_CI == "1" script: - | + echo "👀 Debug mode is enabled. Printing environment variables..." printenv | sort diff --git a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml index 0b5805e..758dd82 100644 --- a/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml +++ b/jobs/multi-repo/Deploy_DEV.gitlab-ci.yml @@ -60,6 +60,7 @@ DEV | Publish tags also to dev-registry: script: - | if [ "$DEBUG_CI" = "true" -o "$DEBUG_CI" = "1" ]; then + echo "👀 Debug mode is enabled. Printing environment variables..." printenv | sort fi # publish final images to dev registry and register module with $MODULES_MODULE_TAG diff --git a/templates/multi-repo/Build.gitlab-ci.yml b/templates/multi-repo/Build.gitlab-ci.yml index c34de2b..d684876 100644 --- a/templates/multi-repo/Build.gitlab-ci.yml +++ b/templates/multi-repo/Build.gitlab-ci.yml @@ -1,3 +1,15 @@ +# variables: +# Variables for sign (inherited from Setup.gitlab-ci.yml): +# WERF_SIGN_MANIFEST - enable image signing +# WERF_BSIGN_ELF_FILES - enable binary signing +# WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH - add dm-verity hashes to layers +# WERF_ELF_PGP_PRIVATE_KEY_FINGERPRINT - GPG key fingerprint +# WERF_ELF_PGP_PRIVATE_KEY_PASSPHRASE - GPG key passphrase +# VAULT_ADDR - Vault address +# WERF_SIGN_CERT - certificate for signing images +# WERF_SIGN_INTERMEDIATES - intermediate certificates +# WERF_SIGN_KEY - private key for signing + .build: stage: build rules: 
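Review bot: `printenv | sort` under DEBUG_CI dumps an environment that, after this patch, may contain `WERF_SIGN_KEY`, `WERF_ELF_PGP_PRIVATE_KEY_PASSPHRASE`, `WERF_VAULT_AUTH_SECRET_ID`/`WERF_VAULT_AUTH_JWT` and `WERF_SIGN_PACKAGE_TOKEN` next to the registry passwords, and the new message only announces the dump rather than limiting it. GitLab masks a variable only if it is flagged as masked and fits the masking rules, which a multi-line key or an oddly sized base64 blob may not, so I would filter the output, e.g. `printenv | sort | grep -Ev '(KEY|TOKEN|PASSWORD|PASSPHRASE|SECRET)'`, or at least extend the message to say that secrets may be printed. The same `printenv | sort` block appears in Deploy_DEV.gitlab-ci.yml and Deploy.gitlab-ci.yml in this patch and would need the same treatment.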
@@ -5,6 +17,25 @@ before_script: - !reference [.setup, before_script] script: + # Bundle image + - | + # Check if signing keys are present + if [[ -n "${WERF_SIGN_VERSION}" && "${WERF_SIGN_MANIFEST}" == "true" ]]; then + if [[ -n "${WERF_SIGN_CERT}" && -n "${WERF_SIGN_KEY}" ]]; then + echo "✅ Image signing is enabled and configured" + else + echo "⚠️ WARNING: Image signing is enabled but certificates are not configured" + fi + fi + + if [[ -n "${WERF_SIGN_VERSION}" && "${WERF_BSIGN_ELF_FILES}" == "1" ]]; then + if [[ -n "${WERF_ELF_PGP_PRIVATE_KEY_FINGERPRINT}" ]]; then + echo "✅ Binary signing is enabled and configured" + else + echo "⚠️ WARNING: Binary signing is enabled but GPG key is not configured" + fi + fi + # Build images - | werf build \ diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index db7dcbd..eab15f5 100644 --- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml @@ -10,14 +10,14 @@ Scheduled cleanup: script: - | if [[ -z "${NO_PRIVATE_REPO_PATCH}" ]]; then - echo "Apply git private repo patch... Set NO_PRIVATE_REPO_PATCH=1 to disable it" + echo "✅ Applying git private repo patch... Set NO_PRIVATE_REPO_PATCH=1 to disable it" export GOPRIVATE=${CI_SERVER_HOST} git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/".insteadOf "git@${CI_SERVER_HOST}:" fi - echo "Managed images which will be preserved during cleanup procedure:" + echo "🔧 Managed images which will be preserved during cleanup procedure:" werf managed-images ls - echo "Starting cleanup..." + echo "🔧 Starting cleanup..." werf cleanup Auto cleanup: 
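Review bot: The new pre-build check tests `"${WERF_SIGN_MANIFEST}" == "true"`, but Setup.gitlab-ci.yml in this same patch sets `WERF_SIGN_MANIFEST: "1"` and its required-variable check compares against `"1"`, so with the template defaults this branch never runs and "Image signing is enabled" is never printed; it should be `if [[ -n "${WERF_SIGN_VERSION}" && "${WERF_SIGN_MANIFEST}" == "1" ]]; then` (or accept both spellings). The block is labelled `# Bundle image` although it only reports the signing status; `# Report signing configuration` would describe it. It also only warns when certificates are missing, while the Setup before_script already exits 1 in that case, so the warning path looks dead — if a soft check is intended, a comment saying why would help. `.build`'s `script` continues past the end of this hunk.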
@@ -37,16 +37,16 @@ Auto cleanup: script: - | if (( $(date +%s) % 10 == 0 )); then - echo "✨ Run auto cleanup" + echo "✨ Running auto cleanup..." if [[ -z "${NO_PRIVATE_REPO_PATCH}" ]]; then - echo "Apply git private repo patch... Set NO_PRIVATE_REPO_PATCH=1 to disable it" + echo "✅ Applying git private repo patch... Set NO_PRIVATE_REPO_PATCH=1 to disable it" export GOPRIVATE=${CI_SERVER_HOST} git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/".insteadOf "git@${CI_SERVER_HOST}:" fi - echo "Managed images which will be preserved during cleanup procedure:" + echo "🔧 Managed images which will be preserved during cleanup procedure:" werf managed-images ls - echo "Starting cleanup..." + echo "🔧 Starting cleanup..." werf cleanup fi diff --git a/templates/multi-repo/Deploy.gitlab-ci.yml b/templates/multi-repo/Deploy.gitlab-ci.yml index 184e1ed..305eacc 100644 --- a/templates/multi-repo/Deploy.gitlab-ci.yml +++ b/templates/multi-repo/Deploy.gitlab-ci.yml @@ -3,7 +3,7 @@ script: - | if [[ "x${MODULES_REGISTRY}" == "x" || "x${MODULES_REGISTRY_LOGIN}" == "x" || "x${MODULES_REGISTRY_PASSWORD}" == "x" || "x${MODULES_REGISTRY_PATH}" == "x" ]]; then - echo "One or more required variables of source registry is empty: MODULES_REGISTRY, MODULES_REGISTRY_LOGIN, MODULES_REGISTRY_PASSWORD, MODULES_REGISTRY_PATH" + echo "❌ ERROR: One or more required variables of source registry is empty: MODULES_REGISTRY, MODULES_REGISTRY_LOGIN, MODULES_REGISTRY_PASSWORD, MODULES_REGISTRY_PATH" exit 5 fi 
@@ -16,16 +16,16 @@ - | # Login to Gitlab registry just in case if [[ "x${MODULES_REGISTRY}" != "x${CI_REGISTRY}" && "x${CI_REGISTRY}" != "x" && "x${CI_REGISTRY_USER}" != "x" && "x${CI_REGISTRY_PASSWORD}" != "x" ]]; then - echo "Login to Gitlab ${CI_REGISTRY} just in case..." + echo "🔑 Logging in to Gitlab ${CI_REGISTRY} just in case..." werf cr login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY} fi # Login to source registry - echo "Login to source registry ${MODULES_REGISTRY}..." + echo "🔑 Logging in to source registry ${MODULES_REGISTRY}..." werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} # Login to target registry - echo "Login to target registry ${MODULES_TARGET_REGISTRY}..." + echo "🔑 Logging in to target registry ${MODULES_TARGET_REGISTRY}..." werf cr login -u ${MODULES_TARGET_REGISTRY_LOGIN} -p ${MODULES_TARGET_REGISTRY_PASSWORD} ${MODULES_TARGET_REGISTRY} # generate MODULES_MODULE_TARGET - | @@ -50,10 +50,10 @@ IMAGE_DST="${MODULES_MODULE_TARGET}/${MODULES_MODULE_NAME}:${docker_tag}" if [[ -z "${DEBUG_CI_DRY_RUN}" ]]; then - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + echo "💿 Pushing ${IMAGE_SRC} to ${IMAGE_DST}" crane copy ${IMAGE_SRC} ${IMAGE_DST} else - echo "[DEBUG_CI_DRY_RUN] ✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + echo "[👀 DEBUG_CI_DRY_RUN 👀] 💿 Pushing ${IMAGE_SRC} to ${IMAGE_DST}" fi done @@ -63,10 +63,10 @@ IMAGE_DST="${MODULES_MODULE_TARGET}/${MODULES_MODULE_NAME}:${MODULES_MODULE_TAG}" if [[ -z "${DEBUG_CI_DRY_RUN}" ]]; then - echo "✨ Pushing BUNDLE ${IMAGE_SRC} to ${IMAGE_DST}" + echo "💿 Pushing BUNDLE ${IMAGE_SRC} to ${IMAGE_DST}" crane copy ${IMAGE_SRC} ${IMAGE_DST} else - echo "[DEBUG_CI_DRY_RUN] ✨ Pushing BUNDLE ${IMAGE_SRC} to ${IMAGE_DST}" + echo "[👀 DEBUG_CI_DRY_RUN 👀] 💿 Pushing BUNDLE ${IMAGE_SRC} to ${IMAGE_DST}" fi # Release-channel image - | 
@@ -74,21 +74,21 @@ IMAGE_DST="${MODULES_MODULE_TARGET}/${MODULES_MODULE_NAME}/release:${MODULES_MODULE_TAG}" if [[ -z "${DEBUG_CI_DRY_RUN}" ]]; then - echo "✨ Pushing RELEASE ${IMAGE_SRC} to ${IMAGE_DST}" + echo "💿 Pushing RELEASE ${IMAGE_SRC} to ${IMAGE_DST}" crane copy ${IMAGE_SRC} ${IMAGE_DST} else - echo "[DEBUG_CI_DRY_RUN] ✨ Pushing RELEASE ${IMAGE_SRC} to ${IMAGE_DST}" + echo "[👀 DEBUG_CI_DRY_RUN 👀] 💿 Pushing RELEASE ${IMAGE_SRC} to ${IMAGE_DST}" fi # Register module - | if [[ -z "${DEBUG_CI_DRY_RUN}" ]]; then - echo "✨ Register the module ${MODULES_MODULE_NAME} in ${MODULES_MODULE_TARGET} registry" + echo "🏁 Register the module ${MODULES_MODULE_NAME} in ${MODULES_MODULE_TARGET} registry" crane append \ --oci-empty-base \ --new_layer "" \ --new_tag "${MODULES_MODULE_TARGET}:${MODULES_MODULE_NAME}" else - echo "[DEBUG_CI_DRY_RUN] ✨ Register the module ${MODULES_MODULE_NAME} in ${MODULES_MODULE_TARGET} registry" + echo "[👀 DEBUG_CI_DRY_RUN 👀] 🏁 Register the module ${MODULES_MODULE_NAME} in ${MODULES_MODULE_TARGET} registry" fi .deploy: @@ -105,10 +105,10 @@ IMAGE_DST="${REPO}:${RELEASE_CHANNEL}" if [[ -z "${DEBUG_CI_DRY_RUN}" ]]; then - echo "✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + echo "💿 Pushing ${IMAGE_SRC} to ${IMAGE_DST}" crane copy "${IMAGE_SRC}" "${IMAGE_DST}" else - echo "[DEBUG_CI_DRY_RUN] ✨ Pushing ${IMAGE_SRC} to ${IMAGE_DST}" + echo "[👀 DEBUG_CI_DRY_RUN 👀] 💿 Pushing ${IMAGE_SRC} to ${IMAGE_DST}" fi .deploy_prod_rules: @@ -136,6 +136,7 @@ script: - | if [ "$DEBUG_CI" = "true" -o "$DEBUG_CI" = "1" ]; then + echo "👀 Debug mode is enabled. Printing environment variables..." printenv | sort fi # publish final images to prod registry and register module with $MODULES_MODULE_TAG diff --git a/templates/multi-repo/Lint.gitlab-ci.yml b/templates/multi-repo/Lint.gitlab-ci.yml index 5ac4269..99a9253 100644 --- a/templates/multi-repo/Lint.gitlab-ci.yml +++ b/templates/multi-repo/Lint.gitlab-ci.yml 
@@ -7,4 +7,5 @@ - !reference [.setup, before_script] script: - | + echo "🔧 Running dmt lint..." dmt lint ./ diff --git a/templates/multi-repo/Setup.gitlab-ci.yml b/templates/multi-repo/Setup.gitlab-ci.yml index 43b8755..fbf07b7 100644 --- a/templates/multi-repo/Setup.gitlab-ci.yml +++ b/templates/multi-repo/Setup.gitlab-ci.yml @@ -14,6 +14,26 @@ # SVACE_ANALYZE_SSH_USER: - ssh user to connect with to svace analyze vm # SVACE_ANALYZE_SSH_PRIVATE_KEY_B64 - svace analyze server ssh private key +# Variables for sign (must be configured in GitLab CI/CD Variables): +# WERF_ELF_PGP_PRIVATE_KEY_FINGERPRINT - GPG key fingerprint +# WERF_ELF_PGP_PRIVATE_KEY_PASSPHRASE - GPG key passphrase +# VAULT_ADDR - URL to Vault address +# WERF_SIGN_CERT - certificate for signing images +# WERF_SIGN_INTERMEDIATES - intermediate certificates +# VAULT_ROLE_ID - ID role for access to Vault +# VAULT_SECRET_ID - secret ID for access to Vault +# WERF_SIGN_KEY - private key for signing +# +# Variables configured in ci file: +# WERF_BSIGN_ELF_FILES=1 - enable binary signing +# WERF_SIGN_MANIFEST: "true" - enable image signing +# WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH = true - add dm-verity hashes to layers +# WERF_SIGN_ELF_FILES: "1" - enable elf signing +# +# PACKAGE_TOKEN - token for access to internal repository for downloading werf binary +# +# The GPG key is located locally on the Gitlab runner +# Werf must be installed manually variables: ############################## @@ -55,6 +75,13 @@ variables: value: ${CI_REGISTRY_IMAGE}/${MODULES_MODULE_NAME} WERF_VERSION: "2 stable" + # See:https://wiki.flant.ru/doc/podpisanie-obrazov-vneshnih-modulej-2JzTJwTPEe + # WERF_SIGN_VERSION: "v2.51.0+dk" + WERF_SIGN_MANIFEST: "1" + WERF_SIGN_ELF_FILES: "0" + WERF_BSIGN_ELF_FILES: "0" + WERF_ANNOTATE_LAYERS_WITH_DM_VERITY_ROOT_HASH: "1" + stages: - lint - cleanup 
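Review bot: The new header comment documents variable names the script does not use: it lists `VAULT_ROLE_ID`, `VAULT_SECRET_ID` and `PACKAGE_TOKEN`, while the before_script below checks `WERF_VAULT_AUTH_ROLE_ID`, `WERF_VAULT_AUTH_SECRET_ID`, `WERF_VAULT_AUTH_JWT`/`WERF_VAULT_AUTH_ROLE` and `WERF_SIGN_PACKAGE_TOKEN`, and it states `WERF_BSIGN_ELF_FILES=1` and `WERF_SIGN_MANIFEST: "true"` where the variables block sets `"0"` and `"1"`. Someone configuring signing from this comment will set the wrong variables and be rejected by the check. The closing lines `The GPG key is located locally on the Gitlab runner` and `Werf must be installed manually` also contradict the Vault-based auth and the werf download added in this patch; I would rewrite the block to name the `WERF_VAULT_AUTH_*` and `WERF_SIGN_PACKAGE_TOKEN` variables with the `"1"`/`"0"` values actually used, and drop the two stale lines.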
@@ -85,16 +112,47 @@ stages: before_script: # Setup trdl - | - trdl_version=$(curl -s https://tuf.trdl.dev/targets/channels/0/stable) - curl -sSLO "https://tuf.trdl.dev/targets/releases/$trdl_version/linux-amd64/bin/trdl" - install -D trdl ~/bin/trdl - rm trdl - export PATH=$PATH:~/bin + TRDL_ROOT="${HOME}/.trdl" + trdl_target_version=$(curl -s https://tuf.trdl.dev/targets/channels/0/stable) + TRDL_BIN="${TRDL_ROOT}/releases/${trdl_target_version}/trdl" + if [[ ! -x "${TRDL_BIN}" ]]; then + echo "🔧 Installing trdl ${trdl_target_version}..." + mkdir -p "${TRDL_ROOT}/releases/${trdl_target_version}" + curl -sSLO "https://tuf.trdl.dev/targets/releases/${trdl_target_version}/linux-amd64/bin/trdl" + mv trdl "${TRDL_BIN}" + chmod +x "${TRDL_BIN}" + fi + ln -sfn "releases/${trdl_target_version}" "${TRDL_ROOT}/current" + export PATH="${TRDL_ROOT}/current:${PATH}" # Setup werf - | - trdl add werf https://tuf.werf.io 1 b7ff6bcbe598e072a86d595a3621924c8612c7e6dc6a82e919abe89707d7e3f468e616b5635630680dd1e98fc362ae5051728406700e6274c5ed1ad92bea52a2 - source $(trdl use werf ${WERF_VERSION:-1.2 stable}) + if [[ -n "${WERF_SIGN_VERSION}" ]]; then + if [[ -z "${WERF_SIGN_PACKAGE_TOKEN}" ]]; then + echo "❌ ERROR: WERF_SIGN_PACKAGE_TOKEN is not set!" + echo "Please get token from delivery team and configure this variable in GitLab CI/CD settings -> Variables" + exit 1 + fi + + echo "🔧 Downloading werf $WERF_SIGN_VERSION binary with signing support from internal repository..." + + mkdir -p ${HOME}/bin + + curl --fail -sSL -o ${HOME}/bin/werf \ + -H "PRIVATE-TOKEN: $WERF_SIGN_PACKAGE_TOKEN" \ + "${CI_API_V4_URL}/projects/4052/packages/generic/werf/${WERF_SIGN_VERSION}/werf" + chmod +x ${HOME}/bin/werf + export PATH=${HOME}/bin:$PATH + else + echo "🔧 Installing werf $WERF_VERSION via trdl..." 
+ trdl add werf https://tuf.werf.io 1 b7ff6bcbe598e072a86d595a3621924c8612c7e6dc6a82e919abe89707d7e3f468e616b5635630680dd1e98fc362ae5051728406700e6274c5ed1ad92bea52a2 + source $(trdl use werf ${WERF_VERSION:-1.2 stable}) + fi + + # Check werf version + type -a werf + werf version + source $(werf ci-env gitlab --as-file) # Login to gitlab registry by default 
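Review bot: The werf binary that will produce the image signatures is fetched with `curl ... -H "PRIVATE-TOKEN: $WERF_SIGN_PACKAGE_TOKEN"` from a generic package registry and placed on PATH with no integrity check, whereas the trdl path it replaces verifies releases against a pinned TUF root hash; a compromised or mis-published package would sign every image without any signal. Pin the expected digest per version, e.g. add `WERF_SIGN_SHA256` next to `WERF_SIGN_VERSION` and, after the download, run `echo "${WERF_SIGN_SHA256}  ${HOME}/bin/werf" | sha256sum -c -` before `chmod +x`. The project id `4052` is hard-coded in the URL and would be clearer as a variable with a comment naming the project. The trdl bootstrap at the top of the hunk still uses `curl -s` without `--fail` for the channel lookup, so a failed request leaves `trdl_target_version` empty or set to an error body and the cache path built from it is wrong; `curl -sSf` would surface that.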
@@ -107,25 +165,69 @@ stages: if [[ "x${MODULES_REGISTRY_PASSWORD}" == "x" ]]; then MODULES_REGISTRY_PASSWORD="${CI_REGISTRY_PASSWORD}" fi - echo "Logging in to registry ${MODULES_REGISTRY}..." + echo "🔑 Logging in to registry ${MODULES_REGISTRY}..." werf cr login -u ${MODULES_REGISTRY_LOGIN} -p ${MODULES_REGISTRY_PASSWORD} ${MODULES_REGISTRY} + - | + if [[ -n "${WERF_SIGN_VERSION}" ]]; then + echo "🔐 Checking required signing variables..." + + # Variables that must be set in secrets CI/CD + REQUIRED_SIGNING_VARS=( + "VAULT_ADDR" + ) + + if [[ "${WERF_SIGN_MANIFEST}" == "1" ]]; then + REQUIRED_SIGNING_VARS+=("WERF_SIGN_CERT" "WERF_SIGN_INTERMEDIATES" "WERF_SIGN_KEY") + fi + if [[ "${WERF_SIGN_ELF_FILES}" == "1" || "${WERF_BSIGN_ELF_FILES}" == "1" ]]; then + REQUIRED_SIGNING_VARS+=("WERF_ELF_PGP_PRIVATE_KEY_FINGERPRINT" "WERF_ELF_PGP_PRIVATE_KEY_PASSPHRASE") + fi + + if [[ -z "${WERF_VAULT_AUTH_ROLE_ID}" && -z "${WERF_VAULT_AUTH_JWT}" ]]; then + echo "❌ ERROR: Required secret variable WERF_VAULT_AUTH_ROLE_ID or WERF_VAULT_AUTH_JWT is not set!" + echo "Please configure this variable in GitLab CI/CD settings -> Variables. See https://github.com/deckhouse/delivery-kit-sdk/blob/main/pkg/signver/hashivault/README.md for details." + exit 1 + fi + + if [[ -z "${WERF_VAULT_AUTH_JWT}" ]]; then + # if no JWT variable, then we need to require both WERF_VAULT_AUTH_ROLE_ID and WERF_VAULT_AUTH_SECRET_ID + REQUIRED_SIGNING_VARS+=("WERF_VAULT_AUTH_ROLE_ID" "WERF_VAULT_AUTH_SECRET_ID") + else + # if JWT variable is set, then we need to require WERF_VAULT_AUTH_ROLE + REQUIRED_SIGNING_VARS+=("WERF_VAULT_AUTH_JWT" "WERF_VAULT_AUTH_ROLE") + fi + + # Check secret variables + for var in "${REQUIRED_SIGNING_VARS[@]}"; do + if [[ -z "${!var}" ]]; then + echo "❌ ERROR: Required secret variable $var is not set!" 
+ echo "Please configure this variable in GitLab CI/CD settings -> Variables" + exit 1 + else + echo "✅ Secret variable $var is configured" + fi + done + fi + # Setup dmt - | + echo "🔧 Installing Deckhouse Module Tool (dmt)..." trdl add dmt https://trrr.flant.dev/trdl-dmt/ 3 e77d785600a8c8612b84b93a5a2e4c48188d68f7478356d0708213e928bf67b024ed412e702dc32930da5c5bfc9b1c44be3ee7a292f923327815c91c6c3c3833 source $(trdl use dmt 0 stable) - | if [[ ! -z "${BASE_IMAGES_VERSION}" ]]; then - echo "Downloading base_images.yml ${BASE_IMAGES_VERSION}" + echo "🔧 Downloading base_images.yml ${BASE_IMAGES_VERSION}" curl --fail -sSLO https://fox.flant.com/api/v4/projects/deckhouse%2Fbase-images/packages/generic/base_images/${BASE_IMAGES_VERSION}/base_images.yml else - echo "DO NOT download base_images.yml because BASE_IMAGES_VERSION is empty" + echo "⚠️ DO NOT download base_images.yml because BASE_IMAGES_VERSION is empty" fi # Download deckhouse lib-helm archive - | if [[ -n "${DECKHOUSE_LIB_HELM_VERSION}" ]]; then + echo "🔧 Downloading deckhouse lib-helm ${DECKHOUSE_LIB_HELM_VERSION}" mkdir charts curl --fail -sSLO https://github.com/deckhouse/lib-helm/releases/download/deckhouse_lib_helm-${DECKHOUSE_LIB_HELM_VERSION}/deckhouse_lib_helm-${DECKHOUSE_LIB_HELM_VERSION}.tgz --output-dir ./charts fi @@ -133,6 +235,7 @@ stages: # Add ssh keys - | if [[ -n "${SOURCE_REPO_SSH_KEY}" || -n "${SVACE_ANALYZE_SSH_PRIVATE_KEY_B64}" ]]; then + echo "🔧 Adding ssh keys for svace analyze..." eval $(ssh-agent) trap "kill -3 ${SSH_AGENT_PID}" ERR EXIT HUP INT QUIT TERM From a21918ea7b482a6e5b4b17df83d7a87e338fece2 Mon Sep 17 00:00:00 2001 From: "Ivan.Makeev" Date: Thu, 4 Dec 2025 09:08:31 +0400 Subject: [PATCH 82/82] * show WERF_REPO on cleanup Signed-off-by: Ivan.Makeev --- templates/multi-repo/Cleanup.gitlab-ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/multi-repo/Cleanup.gitlab-ci.yml b/templates/multi-repo/Cleanup.gitlab-ci.yml index eab15f5..55f33ef 100644 
--- a/templates/multi-repo/Cleanup.gitlab-ci.yml +++ b/templates/multi-repo/Cleanup.gitlab-ci.yml @@ -15,6 +15,7 @@ Scheduled cleanup: git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/".insteadOf "git@${CI_SERVER_HOST}:" fi + echo "🔧 WERF_REPO: ${WERF_REPO}" echo "🔧 Managed images which will be preserved during cleanup procedure:" werf managed-images ls echo "🔧 Starting cleanup..." @@ -45,6 +46,7 @@ Auto cleanup: git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/".insteadOf "git@${CI_SERVER_HOST}:" fi + echo "🔧 WERF_REPO: ${WERF_REPO}" echo "🔧 Managed images which will be preserved during cleanup procedure:" werf managed-images ls echo "🔧 Starting cleanup..."