
Reusable GitLab pipelines

Primary language: Shell. License: Apache-2.0

.gitlab-ci.yml





⚠️ Considered legacy: check out our new GitHub Actions instead ⚠️

Usage

Use like this in your .gitlab-ci.yml, pinning each include to a release tag (or a commit SHA) rather than a branch:

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_semantic_release_stage.yml
    ref: v23.3.4
  - project: SocialGouv/gitlab-ci-yml
    file: /base_register_stage.yml
    ref: v23.3.4

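Pipeline YAML pulled in through `include:` runs with the including project's CI credentials, so what `ref` points at matters: a branch changes on every push, a tag can be moved unless it is protected upstream, and a missing `ref` means the upstream default branch HEAD. The script below is an added example, not code from SocialGouv/gitlab-ci-yml: it lists the include entries of a .gitlab-ci.yml and rejects any that are not pinned to a commit SHA or a release tag. The two sample CI files and the 40-hex placeholder SHA in them are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from SocialGouv/gitlab-ci-yml: audit the `include:` entries of a
# .gitlab-ci.yml and reject any that are not pinned to an immutable ref. Included YAML runs
# with this project's CI credentials, so a floating ref lets whoever can push to it run code
# in your pipeline. The sample CI files at the bottom are constructed for this example.

# Emit "<project> <file> <ref|MISSING>" for each entry of the list form used in this README
# (`- project:` / `file:` / `ref:`); other YAML keys are ignored.
list_includes() {
  awk '
    function flush() {
      if (proj != "") {
        printf "%s %s %s\n", proj, file, (ref == "" ? "MISSING" : ref)
        proj = file = ref = ""
      }
    }
    /^[[:space:]]*-[[:space:]]*project:/ { flush(); proj = $NF }
    /^[[:space:]]*file:/                 { file = $NF }
    /^[[:space:]]*ref:/                  { ref = $NF }
    END { flush() }
  ' "$1" | tr -d "\"'"
}

# Classify a ref as sha (immutable), tag (release tag, immutable only if protected
# upstream), branch (mutable) or missing (GitLab falls back to the default branch HEAD).
classify_ref() {
  if [ "$1" = MISSING ]; then echo missing
  elif printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'; then echo sha
  elif printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then echo tag
  else echo branch
  fi
}

# Exit 0 when every include is pinned to a commit SHA or a release tag, 1 otherwise.
check_include_refs() {
  tmp=$(mktemp) || return 1
  list_includes "$1" > "$tmp"
  bad=0
  while read -r proj file ref; do
    case $(classify_ref "$ref") in
      sha)     echo "ok      $proj $file @ $ref (commit SHA)" ;;
      tag)     echo "ok      $proj $file @ $ref (tag; keep it protected in the upstream project)" ;;
      missing) echo "REJECT  $proj $file has no ref: resolves to the upstream default branch HEAD"; bad=1 ;;
      branch)  echo "REJECT  $proj $file @ $ref is a branch: mutable at every pipeline run"; bad=1 ;;
    esac
  done < "$tmp"
  rm -f "$tmp"
  return $bad
}

# Constructed samples: "pinned" uses a release tag and a placeholder commit SHA,
# "unpinned" has one include on a branch and one with no ref at all.
sample_ci() {
  out=$(mktemp) || return 1
  case $1 in
    pinned) cat > "$out" <<'EOF'
include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_semantic_release_stage.yml
    ref: v23.3.4
  - project: SocialGouv/gitlab-ci-yml
    file: /base_register_stage.yml
    ref: 0123456789abcdef0123456789abcdef01234567
EOF
    ;;
    unpinned) cat > "$out" <<'EOF'
include:
  - project: SocialGouv/gitlab-ci-yml
    file: /autodevops.yml
    ref: master
  - project: SocialGouv/gitlab-ci-yml
    file: /base_trivy_scan.yml
EOF
    ;;
  esac
  echo "$out"
}

# Stand-alone run: audit the file given as $1, or the constructed unpinned sample.
if ! check_include_refs "${1:-$(sample_ci unpinned)}"; then
  echo "unpinned includes found" >&2
fi
```

Run it as `sh check_includes.sh .gitlab-ci.yml` in a pre-commit hook or as the first job of the pipeline. A release tag is accepted because that is what this README documents, but only a commit SHA is truly immutable; GitLab accepts either in `ref`.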

autodevops.yml

Standard @socialgouv pipeline using @socialgouv/kosko-charts for deployment.

This pipeline produces:

  • review deployments on branches
  • preprod deployments on tags
  • production deployment when PRODUCTION env var is set.

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /autodevops.yml
    ref: v23.3.4

Deploy

| Name       | Ref                       | URL                                                               | Cluster |
| ---------- | ------------------------- | ----------------------------------------------------------------- | ------- |
| Reviews    | Branches                  | https://<branch_sha>-<project_name>.dev2.fabrique.social.gouv.fr/ | *-dev   |
| Preprod    | Tags                      | https://preprod-<project_name>.dev2.fabrique.social.gouv.fr/      | *-dev   |
| Production | Tags with $PRODUCTION set | https://<project_name>.prod2.fabrique.social.gouv.fr/             | prod    |

You can change the cluster target by setting one of the AUTO_DEVOPS_*_ENVIRONMENT_NAME variables.
Changing the cluster target also changes the domain, because the URL is built from the $KUBE_INGRESS_BASE_DOMAIN GitLab variable.

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /autodevops.yml
    ref: v23.3.4

variables:
  AUTO_DEVOPS_DEV_ENVIRONMENT_NAME: "-tmp"
  AUTO_DEVOPS_PREPROD_ENVIRONMENT_NAME: "-tmp2"
  AUTO_DEVOPS_PROD_ENVIRONMENT_NAME: "fake"

Auto Release

To release changes from branches automatically, set the AUTO_DEVOPS_RELEASE_AUTO variable:

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /autodevops.yml
    ref: v23.3.4

variables:
  AUTO_DEVOPS_RELEASE_AUTO: "🔖"

Auto Ship To Production

To deploy releases to production automatically, set the AUTO_DEVOPS_PRODUCTION_AUTO variable; as the comment in the example notes, stable release tags matching "/^v[0-9]+\.[0-9]+\.[0-9]+$/" are then deployed without a manual step. This removes the human gate in front of production, so make that tag pattern a protected tag in GitLab: otherwise anyone who can push a matching tag can deploy to production.

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /autodevops.yml
    ref: v23.3.4

variables:
  AUTO_DEVOPS_PRODUCTION_AUTO: "🚀"
  # Will deploy any stable release matching "/^v[0-9]+\\.[0-9]+\\.[0-9]+$/"
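Because the automatic path only applies to tags matching the stable-release pattern, it is worth checking which of your tag names actually hit it before enabling it. The script below is an added example, not code from SocialGouv/gitlab-ci-yml, and models my reading of the routing this README describes (review on branches, preprod on tags, production on tags when PRODUCTION is set, and production without a manual step only when AUTO_DEVOPS_PRODUCTION_AUTO is set and the tag is a stable release); the ref names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from SocialGouv/gitlab-ci-yml: a small model of the deploy
# routing this README describes (review on branches, preprod on tags, production on tags
# when PRODUCTION is set, and production without a manual step only when
# AUTO_DEVOPS_PRODUCTION_AUTO is set and the tag is a stable release). It is my reading of
# the README, not the project's rules, and exists so the tag pattern can be tried against
# real tag names before the manual gate in front of production is removed.

STABLE_TAG_RE='^v[0-9]+\.[0-9]+\.[0-9]+$'   # the pattern quoted in the README

# 0 when $1 is a stable release tag such as v1.2.3; 1 for v1.2.3-rc1, 1.2.3, branch names...
is_stable_release_tag() {
  printf '%s\n' "$1" | grep -Eq "$STABLE_TAG_RE"
}

# Print the deploy jobs a pipeline would run, one "<job> <mode>" per line.
#   $1 ref kind (branch|tag)          $2 ref name
#   $3 PRODUCTION (empty = unset)     $4 AUTO_DEVOPS_PRODUCTION_AUTO (empty = unset)
deploy_plan() {
  kind=$1 ref=$2 production=$3 auto=$4
  case $kind in
    branch)
      echo "review on_success" ;;
    tag)
      echo "preprod on_success"
      if [ -n "$production" ]; then
        if [ -n "$auto" ] && is_stable_release_tag "$ref"; then
          # No human gate left: only a protected tag pattern stands between a push and prod.
          echo "production on_success"
        else
          echo "production manual"
        fi
      fi ;;
    *)
      echo "unknown ref kind: $kind" >&2; return 2 ;;
  esac
}

# Stand-alone run: show the plan for a few constructed refs (word splitting of $args is intended).
for args in "branch feature-x" "tag v1.2.3" "tag v1.2.3 true" "tag v1.2.3 true yes" "tag v1.2.3-rc1 true yes"; do
  echo "[$args] -> $(deploy_plan $args | tr '\n' ';')"
done
```

Note that a pre-release tag such as v1.2.3-rc1 still deploys to preprod but keeps the manual production step, which is what you want: only the exact `vX.Y.Z` form ships by itself.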

Disable some jobs

You can disable the test jobs with AUTO_DEVOPS_TEST_DISABLED and/or the lint jobs with AUTO_DEVOPS_QUALITY_DISABLED. AUTO_DEVOPS_NOTIFY_DISABLED disables the GitHub environments notifications.

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /autodevops.yml
    ref: v23.3.4

variables:
  AUTO_DEVOPS_TEST_DISABLED: "🛑"
  AUTO_DEVOPS_QUALITY_DISABLED: "🛑"
  AUTO_DEVOPS_NOTIFY_DISABLED: "🛑"

Register your image with Kaniko

You can use Kaniko as the container image builder by setting the AUTO_DEVOPS_KANIKO variable. Kaniko builds images without a Docker daemon, so the job does not need a privileged runner or docker-in-docker.

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /autodevops.yml
    ref: v23.3.4

variables:
  AUTO_DEVOPS_KANIKO: "🕹️"

Register Kaniko image:
  extends: .base_register_kaniko_stage
  variables:
    IMAGE_NAME: app

Register another image:
  extends: .base_register_kaniko_stage
  dependencies: []
  needs: []
  variables:
    DOCKER_BUILD_ARGS: >-
      --dockerfile=hasura/Dockerfile
    CONTEXT: hasura
    IMAGE_NAME: hasura

Override existing jobs

All GitLab jobs are overridable: you can either extend them or replace them completely. Autodevops jobs are built on hidden .autodevops_* definitions that you can extend.

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /autodevops.yml
    ref: v23.3.4

# Same name as the "Build" job defined in the autodevops file
# Override https://github.com/SocialGouv/gitlab-ci-yml/blob/v17.0.0/autodevops.yml#L50
Build:
  extends:
    - .autodevops_build
  script:
    - yarn build
    - yarn export
  artifacts:
    expire_in: 1 day
    paths:
      - out

# Same name as the "Preprod" job defined in the autodevops file
# Override https://github.com/SocialGouv/gitlab-ci-yml/blob/v17.0.0/autodevops.yml#L137
Preprod:
  extends:
    - .autodevops_preprod
  variables:
    KOSKO_APPEND_YAML_FROM: .k8s/environments/dev

# Just skip the job
Register:
  rules:
    - when: never

Because of the way the GitLab YAML parser merges included files, defining a job with the same name as an included one replaces the earlier definition. You can replace any autodevops job by defining a job with its name, as in the examples above.

base_create_namespace_stage.yml

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_docker_kubectl_image_stage.yml
    ref: v23.3.4
  - project: SocialGouv/gitlab-ci-yml
    file: /base_create_namespace_stage.yml
    ref: v23.3.4

#

Create namespace:
  extends: .base_create_namespace_stage
  variables:
    # The rancher project where the namespaces will be created
    RANCHER_PROJECT_ID: <rancher_project_id>
    # Optional
    REMOTE_URL: "https://github.com/${CI_PROJECT_PATH}.git"
  before_script:
    - K8S_NAMESPACE=my-namespace
    # (Re)create the namespace to make sure a fresh one is used
    # - kubectl delete namespaces ${K8S_NAMESPACE} || true


base_delete_useless_k8s_ns_stage.yml

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_delete_useless_k8s_ns_stage.yml
    ref: v23.3.4
#

Delete useless k8s namespaces:
  extends: .base_delete_useless_k8s_ns_stage
  variables:
    # Optional
    # Restrict the namespaces considered for deletion to this prefix
    K8S_NAMESPACE_PREFIX: "${PROJECT}-${CI_PROJECT_ID}-review"

base_deploy_app_chart_stage.yml

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_docker_helm_image_stage.yml
    ref: v23.3.4
  - project: SocialGouv/gitlab-ci-yml
    file: /base_deploy_app_chart_stage.yml
    ref: v23.3.4

#

.deploy_myapp_stage:
  dependencies: []
  stage: Deploy
  extends:
    - .base_deploy_app_chart_stage
  variables:
    CONTEXT: app
    VALUES_FILE: ./.k8s/app.values.yml
    # optional (helm --set takes key=value)
    HELM_RENDER_ARGS: "--set deployment.port=8080"

#

Deploy myapp (dev):
  extends:
    - .deploy_myapp_stage
  except:
    - master
  variables:
    HOST: ${CI_ENVIRONMENT_SLUG}-${CI_PROJECT_NAME}.${KUBE_INGRESS_BASE_DOMAIN}
  environment:
    name: ${CI_COMMIT_REF_NAME}-dev
    url: https://${CI_ENVIRONMENT_SLUG}-${CI_PROJECT_NAME}.${KUBE_INGRESS_BASE_DOMAIN}

Deploy app (prod):
  extends:
    - .deploy_myapp_stage
  only:
    - master
  variables:
    HOST: ${CI_PROJECT_NAME}.${KUBE_INGRESS_BASE_DOMAIN}
    K8S_NAMESPACE: ${CI_PROJECT_NAME}
    PRODUCTION: "true"
  environment:
    name: prod
    url: https://${CI_PROJECT_NAME}.${KUBE_INGRESS_BASE_DOMAIN}

base_docker_helm_image_stage.yml

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_docker_kubectl_image_stage.yml
    ref: v23.3.4
  - project: SocialGouv/gitlab-ci-yml
    file: /base_docker_helm_image_stage.yml
    ref: v23.3.4

#

Helm job:
  extends: .base_docker_helm_image_stage
  script:
    - helm version --client

base_deploy_kosko_stage.yml

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_docker_kubectl_image_stage.yml
    ref: v23.3.4
  - project: SocialGouv/gitlab-ci-yml
    file: /base_deploy_kosko_stage.yml
    ref: v23.3.4

#

Deploy:
  extends: .base_deploy_kosko_stage
  environment:
    name: prod2
  variables:
    KOSKO_GENERATE_ARGS: --env prod

Options

If AUTO_DEVOPS_ENABLE_KAPP is set, the deploy uses kapp instead of kubectl to apply the manifests. This makes debugging easier, with feedback directly in the GitLab job log.

For this to work, you need to add these annotations to your deployments:

kapp.k14s.io/disable-default-ownership-label-rules: ""
kapp.k14s.io/disable-default-label-scoping-rules: ""

base_docker_kubectl_image_stage.yml

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_docker_kubectl_image_stage.yml
    ref: v23.3.4
#

Kubectl job:
  extends: .base_docker_kubectl_image_stage
  script:
    - kubectl version --client

base_notify_mattermost.yml

Send a Mattermost notification on pipeline success/failure.

You'll need a MATTERMOST_WEBHOOK CI/CD variable; mark it as masked so the webhook URL does not show up in job logs.

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_notify_mattermost.yml
    ref: v23.3.4

Notify fail:
  extends: .base_notify_fail_mattermost
  variables:
    MATTERMOST_CHANNEL: notifications

Notify success:
  extends: .base_notify_success_mattermost
  variables:
    MATTERMOST_CHANNEL: notifications

base_nuclei_scan.yml

A job that runs a nuclei security scan against the deployed environment.

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_nuclei_scan.yml
    ref: v23.3.4

Nuclei Scan:
  extends: .base_nuclei_scan
  environment:
    name: ${CI_COMMIT_REF_SLUG}-dev2
    url: https://${CI_ENVIRONMENT_SLUG}.${KUBE_INGRESS_BASE_DOMAIN}
  only:
    - branches

base_migrate_azure_db.yml

This runs the following two scripts for feature-branch deployments:

  • yarn run migrate:latest
  • yarn run seed:run

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_migrate_azure_db.yml
    ref: v23.3.4

base_register_docker_stage.yml

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_register_docker_stage.yml
    ref: v23.3.4

Register myapp image:
  extends: .base_register_docker_stage
  # or .base_register_stage
  variables:
    CONTEXT: . # The folder where the Dockerfile is
    IMAGE_NAME: $CI_REGISTRY_IMAGE # The image name
    # optional
    DOCKER_BUILD_ARGS: "--build-arg SENTRY_DSN=https://sentry"

base_register_kaniko_stage.yml

To use Kaniko instead of docker build, include this stage after the other includes.

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_register_kaniko_stage.yml
    ref: v23.3.4
    
Register myapp image:
  extends: .base_register_kaniko_stage
  variables:
    CONTEXT: . # The folder where the Dockerfile is
    IMAGE_NAME: $CI_REGISTRY_IMAGE # The image name
    # optional
    DOCKER_BUILD_ARGS: "--build-arg SENTRY_DSN=https://sentry"
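Both Kaniko register stages (the AUTO_DEVOPS_KANIKO jobs above and this one) push to the GitLab registry, and Kaniko reads its registry credentials from a docker-style config file in the executor image rather than from `docker login`. The script below is an added example, not code from SocialGouv/gitlab-ci-yml, showing how to write that file from the job's CI variables without printing the secret; CI_REGISTRY, CI_REGISTRY_USER and CI_REGISTRY_PASSWORD are GitLab's real predefined variables, while the registry host and credentials in the demo are constructed. Keep secrets out of DOCKER_BUILD_ARGS: `--build-arg` values are recorded in the image history.

```shell
#!/bin/sh
# Added example, not code from SocialGouv/gitlab-ci-yml: build the registry credential file
# Kaniko reads (/kaniko/.docker/config.json in the kaniko executor image) from the job's CI
# variables without echoing the secret into the job log. GitLab's CI_REGISTRY,
# CI_REGISTRY_USER and CI_REGISTRY_PASSWORD are real predefined variables; the sample
# registry and credentials used in the demo below are constructed for this example.

# $1 registry host, $2 user, $3 password or job token, $4 output path.
# Writes the standard docker config.json "auths" entry with base64("user:password").
write_docker_config() {
  registry=$1 user=$2 password=$3 out=$4
  auth=$(printf '%s' "$user:$password" | base64 | tr -d '\n')
  # Subshell so the restrictive umask does not leak into the rest of the job.
  ( umask 077; printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth" > "$out" )
  chmod 600 "$out"
  echo "wrote registry credentials for $registry to $out"   # log the where, never the what
}

# Recover the "user:password" stored for registry $1 in config file $2 (used to verify).
read_docker_auth() {
  sed -n "s/.*\"$1\":{\"auth\":\"\([^\"]*\)\".*/\1/p" "$2" | base64 -d
}

# In a GitLab job, before running /kaniko/executor:
#   write_docker_config "$CI_REGISTRY" "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" /kaniko/.docker/config.json
# Stand-alone demo with constructed values (no registry is contacted):
demo_cfg=$(mktemp)
write_docker_config registry.example.com gitlab-ci-token s3cr3t "$demo_cfg"
ls -l "$demo_cfg" | cut -c1-10     # -rw-------
rm -f "$demo_cfg"
```

The base64 form is the same encoding `docker login` writes; it is an encoding, not protection, so the file must stay on the job's filesystem (0600, never an artifact) and the job log must only mention where it was written.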

base_semantic_release_stage.yml

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_semantic_release_stage.yml
    ref: v23.3.4

#

Release:
  extends: .base_semantic_release_stage

# or

Release:
  extends: .base_semantic_release_stage
  variables:
    SEMANTIC_RELEASE_PLUGINS: "@semantic-release/changelog @semantic-release/git"

base_trivy_scan.yml

A manual job that runs a trivy security scan on the main repository's Docker image. Being manual, it has to be triggered from the pipeline view and does not block the pipeline on findings.

Usage

include:
  - project: SocialGouv/gitlab-ci-yml
    file: /base_trivy_scan.yml
    ref: v23.3.4

Trivy Scan:
  extends: .base_trivy_scan
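If you want the scan to gate the pipeline rather than produce a report someone has to read, the job needs to fail on findings above a threshold. The script below is an added example, not code from SocialGouv/gitlab-ci-yml: it counts findings per severity in Trivy's JSON report (`Results[].Vulnerabilities[].Severity`) and exits non-zero above the threshold. The report it parses is constructed for the example with placeholder IDs, not real CVEs.

```shell
#!/bin/sh
# Added example, not code from SocialGouv/gitlab-ci-yml: turn a Trivy scan into a gate by
# counting findings per severity in Trivy's JSON report, so the job can fail the pipeline
# instead of leaving the result for someone to read. The report below is constructed for
# this example (placeholder IDs, not real CVEs); in CI it would come from
#   trivy image --format json --output report.json "$IMAGE"

# Count findings in Trivy JSON report $2 whose Severity is in the comma-separated list $1
# (e.g. CRITICAL,HIGH). Works on compact or pretty-printed JSON and needs no jq.
count_findings() {
  grep -o '"Severity":[[:space:]]*"[A-Z]*"' "$2" \
    | sed 's/.*"\([A-Z]*\)"$/\1/' \
    | grep -Ecx "$(printf '%s' "$1" | tr ',' '|')" || true   # grep -c exits 1 on zero matches
}

# Exit 1 (failing the job) when any finding at the given severities exists.
trivy_gate() {
  severities=$1 report=$2
  n=$(count_findings "$severities" "$report")
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n finding(s) with severity in $severities"
    return 1
  fi
  echo "PASS: no findings with severity in $severities"
}

# Constructed report in Trivy's JSON layout (Results[].Vulnerabilities[].Severity).
sample_report() {
  out=$(mktemp) || return 1
  cat > "$out" <<'EOF'
{
  "Results": [
    {
      "Target": "registry.example.com/app:v1.2.3 (debian 12)",
      "Vulnerabilities": [
        {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
        {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libexample", "Severity": "MEDIUM"},
        {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "othertool", "Severity": "LOW"}
      ]
    }
  ]
}
EOF
  echo "$out"
}

# Stand-alone run: gate the constructed report on CRITICAL and HIGH (expected to fail).
report=$(sample_report)
trivy_gate CRITICAL,HIGH "$report" || echo "job would fail here" >&2
rm -f "$report"
```

Trivy can enforce the same threshold by itself with `trivy image --exit-code 1 --severity CRITICAL,HIGH "$IMAGE"`; the parser above is for pipelines that keep the JSON report as an artifact and compute the verdict in a separate step, and it has to be combined with removing `when: manual` from the job for the gate to be effective.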