Use like this in your .gitlab-ci.yml
:
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_semantic_release_stage.yml
ref: v23.3.4
- project: SocialGouv/gitlab-ci-yml
file: /base_register_stage.yml
ref: v23.3.4
Standard @socialgouv pipeline using @socialgouv/kosko-charts for deployment.
This pipeline produces :
- review deployments on branches
- preprod deployments on tags
- production deployment when
PRODUCTION
env var is set.
include:
- project: SocialGouv/gitlab-ci-yml
file: /autodevops.yml
ref: v23.3.4
Name | Ref | URL | Cluster |
---|---|---|---|
Reviews | Branches | https://<branch_sha>-<project_name>.dev2.fabrique.social.gouv.fr/ |
*-dev |
Preprod | Tags | https://preprod-<project_name>.dev2.fabrique.social.gouv.fr/ |
*-dev |
Production | Tags with $PRODUCTION set |
https://<project_name>.prod2.fabrique.social.gouv.fr/ |
prod |
You can change the cluster target by setting one of the AUTO_DEVOPS_*_ENVIRONMENT_NAME
variable.
Changing the cluster target will automatically alter the domaine as the url is following the $KUBE_INGRESS_BASE_DOMAIN
GitLab variable.
include:
- project: SocialGouv/gitlab-ci-yml
file: /autodevops.yml
ref: v23.3.4
variables:
AUTO_DEVOPS_DEV_ENVIRONMENT_NAME: "-tmp"
AUTO_DEVOPS_PREPROD_ENVIRONMENT_NAME: "-tmp2"
AUTO_DEVOPS_PROD_ENVIRONMENT_NAME: "fake"
To automatically release changes on branches you can set the AUTO_DEVOPS_RELEASE_AUTO
include:
- project: SocialGouv/gitlab-ci-yml
file: /autodevops.yml
ref: v23.3.4
variables:
AUTO_DEVOPS_RELEASE_AUTO: "đź”–"
To automatically deploy releases to production you can set the AUTO_DEVOPS_PRODUCTION_AUTO
to the regex tag you wish to deploy
include:
- project: SocialGouv/gitlab-ci-yml
file: /autodevops.yml
ref: v23.3.4
variables:
AUTO_DEVOPS_PRODUCTION_AUTO: "🚀"
# Will deploy any stable release matching "/^v[0-9]+\\.[0-9]+\\.[0-9]+$/"
You can disable test jobs with AUTO_DEVOPS_TEST_DISABLED
and/or lint with AUTO_DEVOPS_QUALITY_DISABLED
. AUTO_DEVOPS_NOTIFY_DISABLED
disable GitHub environments notifications.
include:
- project: SocialGouv/gitlab-ci-yml
file: /autodevops.yml
ref: v23.3.4
variables:
AUTO_DEVOPS_TEST_DISABLED: "🛑"
AUTO_DEVOPS_QUALITY_DISABLED: "🛑"
AUTO_DEVOPS_NOTIFY_DISABLED: "🛑"
You can use Kaniko as container image builder by setting the AUTO_DEVOPS_KANIKO
.
include:
- project: SocialGouv/gitlab-ci-yml
file: /autodevops.yml
ref: v23.3.4
variables:
AUTO_DEVOPS_KANIKO: "🕹️"
Register Kaniko image:
extends: .base_register_kaniko_stage
variables:
IMAGE_NAME: app
Register another image:
extends: .base_register_kaniko_stage
dependencies: []
needs: []
variables:
DOCKER_BUILD_ARGS: >-
--dockerfile=hasura/Dockerfile
CONTEXT: hasura
IMAGE_NAME: hasura
All gitlab jobs are overridable. You can or extend them or completely replace them.
Autodevops jobs are using a .autodevops_*
definition you can extend.
include:
- project: SocialGouv/gitlab-ci-yml
file: /autodevops.yml
ref: v23.3.4
# Same name as the "Build" job defined in the autodevops file
# Override https://github.com/SocialGouv/gitlab-ci-yml/blob/v17.0.0/autodevops.yml#L50
Build:
extends:
- .autodevops_build
script:
- yarn build
- yarn export
artifacts:
expire_in: 1 day
paths:
- out
# Same name as the "Preprod" job defined in the autodevops file
# Override https://github.com/SocialGouv/gitlab-ci-yml/blob/v17.0.0/autodevops.yml#L137
Preprod:
extends:
- .autodevops_preprod
variables:
KOSKO_APPEND_YAML_FROM: .k8s/environments/dev
# Just skip the job
Register:
rules:
- when: never
As the gitlab yaml parser is working, defining a job with the same name will replace the last defined one. You can replace any autodevops jobs by naming it :
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_docker_kubectl_image_stage.yml
ref: v23.3.4
- project: SocialGouv/gitlab-ci-yml
file: /base_create_namespace_stage.yml
ref: v23.3.4
#
Create namespace:
extends: .base_create_namespace_stage
variables:
# The rancher project where the namespaces will be created
RANCHER_PROJECT_ID: <rancher_project_id>
# Optional
REMOTE_URL: "https://github.com/${CI_PROJECT_PATH}.git"
before_script:
- K8S_NAMESPACE=my-namespace
# (re)create to ensure a new namespaces will be created
# - kubectl delete namespaces ${K8S_NAMESPACE} || true
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_delete_useless_k8s_ns_stage.yml
ref: v23.3.4
#
Delete useless k8s namespaces:
extends: .base_delete_useless_k8s_ns_stage
variables:
# Optional
# Filter the namespaces to check for suppression
K8S_NAMESPACE_PREFIX: "${PROJECT}-${CI_PROJECT_ID}-review"
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_docker_helm_image_stage.yml
ref: v23.3.4
- project: SocialGouv/gitlab-ci-yml
file: /base_deploy_app_chart_stage.yml
ref: v23.3.4
#
.deploy_myapp_stage:
dependencies: []
stage: Deploy
extends:
- .base_deploy_app_chart_stage
variables:
CONTEXT: app
VALUES_FILE: ./.k8s/app.values.yml
# optional
HELM_RENDER_ARGS: "--set deployment.port 8080"
#
Deploy myapp (dev):
extends:
- .deploy_myapp_stage
except:
- master
variables:
HOST: ${CI_ENVIRONMENT_SLUG}-${CI_PROJECT_NAME}.${KUBE_INGRESS_BASE_DOMAIN}
environment:
name: ${CI_COMMIT_REF_NAME}-dev
url: https://${CI_ENVIRONMENT_SLUG}-${CI_PROJECT_NAME}.${KUBE_INGRESS_BASE_DOMAIN}
Deploy app (prod):
extends:
- .deploy_myapp_stage
only:
- master
variables:
HOST: ${CI_PROJECT_NAME}.${KUBE_INGRESS_BASE_DOMAIN}
K8S_NAMESPACE: ${CI_PROJECT_NAME}
PRODUCTION: "true"
environment:
name: prod
url: https://${CI_PROJECT_NAME}.${KUBE_INGRESS_BASE_DOMAIN}
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_docker_kubectl_image_stage.yml
ref: v23.3.4
- project: SocialGouv/gitlab-ci-yml
file: /base_docker_helm_image_stage.yml
ref: v23.3.4
#
Helm job:
extends: .base_docker_helm_image_stage
script:
- helm version --client
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_docker_kubectl_image_stage.yml
ref: v23.3.4
- project: SocialGouv/gitlab-ci-yml
file: /base_deploy_kosko_stage.yml
ref: v23.3.4
#
Deploy:
extends: .base_deploy_kosko_stage
environment:
name: prod2
variables:
KOSKO_GENERATE_ARGS: --env prod
if AUTO_DEVOPS_ENABLE_KAPP
is set, then the deploy will use kapp instead of kubectl
to apply the manifests. This makes debugging easier with feedback directly in the GitLab job log.
For this to work, you need to add these annotations to your deployments :
kapp.k14s.io/disable-default-ownership-label-rules: ""
kapp.k14s.io/disable-default-label-scoping-rules: ""
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_docker_kubectl_image_stage.yml
ref: v23.3.4
#
Kubectl job:
extends: .base_docker_kubectl_image_stage
script:
- kubectl version --client
Send a mattermost notification on pipeline success/failure
You'll need a MATTERMOST_WEBHOOK
variable in your CI.
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_notify_mattermost.yml
ref: v23.3.4
Notify fail:
extends: .base_notify_fail_mattermost
variables:
MATTERMOST_CHANNEL: notifications
Notify success:
extends: .base_notify_success_mattermost
variables:
MATTERMOST_CHANNEL: notifications
A job to run a nuclei security scan on the deployed environement.
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_nuclei_scan.yml
ref: v23.3.4
Nuclei Scan:
extends: .base_nuclei_scan
environment:
name: ${CI_COMMIT_REF_SLUG}-dev2
url: https://${CI_ENVIRONMENT_SLUG}.${KUBE_INGRESS_BASE_DOMAIN}
only:
- branches
This will run the two following scripts for feature-branches deployments :
- yarn run migrate:latest
- yarn run seed:run
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_migrate_azure_db.yml
ref: v23.3.4
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_register_docker_stage.yml
ref: v23.3.4
Register myapp image:
extends: .base_register_docker_stage
# or .base_register_stage
variables:
CONTEXT: . # The folder where the Dockerfile is
IMAGE_NAME: $CI_REGISTRY_IMAGE # The image name
# optional
DOCKER_BUILD_ARGS: "--build-arg SENTRY_DSN=https://sentry"
To use kaniko instead of docker build, import this stage after other includes
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_register_kaniko_stage.yml
ref: v23.3.4
Register myapp image:
extends: .base_register_kaniko_stage
variables:
CONTEXT: . # The folder where the Dockerfile is
IMAGE_NAME: $CI_REGISTRY_IMAGE # The image name
# optional
DOCKER_BUILD_ARGS: "--build-arg SENTRY_DSN=https://sentry"
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_semantic_release_stage.yml
ref: v23.3.4
#
Release:
extends: .base_semantic_release_stage
# or
Release:
extends: .base_semantic_release_stage
variables:
SEMANTIC_RELEASE_PLUGINS: "@semantic-release/changelog @semantic-release/git"
A manual job to run a trivy security scan on the main repo docker image.
include:
- project: SocialGouv/gitlab-ci-yml
file: /base_trivy_scan.yml
ref: v23.3.4
Trivy Scan:
extends: .base_trivy_scan