-
Notifications
You must be signed in to change notification settings - Fork 5
/
.gitlab-ci.yml
174 lines (161 loc) · 5.67 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
image: gitlab-registry.cern.ch/authzsvc/docker-images/python-base:3.8
variables:
CLIENT_ID: keycloak-rest-adapter
NAMESPACE_DEV: test-keycloak-rest-adapter
NAMESPACE_QA: keycloak-rest-adapter-qa
NAMESPACE_PROD: keycloak-rest-adapter
KEYCLOAK_SERVER_PROD: https://auth.cern.ch
KEYCLOAK_SERVER_QA: https://keycloak-qa.cern.ch
KEYCLOAK_SERVER_DEV: https://keycloak-dev.cern.ch
KEYCLOAK_REALM_PROD: cern
KEYCLOAK_REALM_QA: cern
KEYCLOAK_REALM_DEV: cern
OPENSHIFT_SERVER_PROD: https://api.paas.okd.cern.ch
OPENSHIFT_SERVER_QA: https://api.paas.okd.cern.ch
OPENSHIFT_SERVER_DEV: https://api.paas.okd.cern.ch
BUILD_ENV_DEV: staging
BUILD_ENV_PROD: production
BUILD_ENV_QA: qa
QA_TAG: qa
DEV_TAG: dev
RESOURCE: ${CI_PROJECT_NAME}
APP_NAME: ${CI_PROJECT_NAME}
stages:
- lint_verify_deps
- test
- build_docker
- deploy
.docker_build_template: &docker_definition
stage: build_docker
image:
# We recommend using the CERN version of the Kaniko image: gitlab-registry.cern.ch/ci-tools/docker-image-builder
name: gitlab-registry.cern.ch/ci-tools/docker-image-builder
entrypoint: [""]
script:
# Prepare Kaniko configuration file
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
# Build and push the image from the Dockerfile at the root of the project.
# To push to a specific docker tag, amend the --destination parameter, e.g. --destination $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME
# See https://docs.gitlab.com/ee/ci/variables/predefined_variables.html#variables-reference for available variables
- /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination ${TO}
.deploy_template: &deploy_definition
stage: deploy
image: gitlab-registry.cern.ch/paas-tools/openshift-client:latest
script:
- LOWERCASE_PATH=$(echo ${CI_PROJECT_PATH} | awk '{ print tolower($0) } ')
# Adding || true to disable the error message when the image already exists
- oc import-image ${APP_NAME} --from="gitlab-registry.cern.ch/${LOWERCASE_PATH}:${TAG}" --confirm --token=${TOKEN} --server=${OPENSHIFT_SERVER} -n ${NAMESPACE} || true
- oc create configmap keycloak-rest-adapter-cfg --token=${TOKEN} --server=${OPENSHIFT_SERVER} -n ${NAMESPACE} || true
- oc create configmap keycloak-rest-adapter-env --token=${TOKEN} --server=${OPENSHIFT_SERVER} -n ${NAMESPACE} || true
- oc process --local -f openshift/adapter_configmap.yaml -p KC_ALIAS=$KC_ALIAS -p REALM=$REALM -p CLIENT_ID=$CLIENT_ID -p CLIENT_SECRET=$CLIENT_SECRET -p ROUTE_HOSTNAME=$ROUTE_HOSTNAME | oc replace -f - --token=${TOKEN} --server=${OPENSHIFT_SERVER} -n ${NAMESPACE}
- oc tag "gitlab-registry.cern.ch/${LOWERCASE_PATH}:${TAG}" "${APP_NAME}:latest" --token=${TOKEN} --server=${OPENSHIFT_SERVER} -n ${NAMESPACE}
### Linting
flake8_verify_deps:
stage: lint_verify_deps
before_script:
- pip install -r dev-requirements.txt
- pip install pip-tools
- apt-get -y update
- apt-get -y -qq install git
script:
- python -m flake8 *.py keycloak_api_client
- PIP_CONFIG_FILE=$(pwd)/pip.conf pip-compile --quiet && git diff --exit-code requirements.txt
allow_failure: true
### Testing
test:
stage: test
services:
- name: gitlab-registry.cern.ch/authzsvc/docker-images/keycloak
alias: keycloak
variables:
RUN_INTEGRATION: 1
KEYCLOAK_USER: "admin"
KEYCLOAK_PASSWORD: "admin"
before_script:
- export PIP_CONFIG_FILE=$(pwd)/pip.conf
- pip install -r dev-requirements.txt
- pip install -r requirements.txt
script:
- coverage run -m pytest
- coverage html
- coverage xml
- coverage report
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: coverage.xml
paths:
- coverage_html_report
expire_in: 1 week
### Docker build definitions
build_docker_dev:
<<: *docker_definition
variables:
TO: ${CI_REGISTRY_IMAGE}:${DEV_TAG}
only:
- dev
build_docker_qa:
<<: *docker_definition
variables:
TO: ${CI_REGISTRY_IMAGE}:${QA_TAG}
only:
- master
build_docker_prod:
<<: *docker_definition
variables:
TO: ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}
only:
- tags # the branch you want to publish
### Deployment definitions
deploy_dev:
<<: *deploy_definition
variables:
KC_ALIAS: ${KEYCLOAK_SERVER_DEV}
REALM: ${KEYCLOAK_REALM_DEV}
CLIENT_SECRET: ${CLIENT_SECRET_DEV}
ENVIRONMENT: dev
OPENSHIFT_SERVER: ${OPENSHIFT_SERVER_DEV}
TOKEN: ${OPENSHIFT_DEV_TOKEN}
NAMESPACE: ${NAMESPACE_DEV}
TAG: ${DEV_TAG}
ROUTE_HOSTNAME: https://${NAMESPACE_DEV}.web.cern.ch
environment:
name: staging
url: https://test-keycloak-rest-adapter.web.cern.ch
only:
- dev
deploy_qa:
<<: *deploy_definition
variables:
KC_ALIAS: ${KEYCLOAK_SERVER_QA}
REALM: ${KEYCLOAK_REALM_QA}
CLIENT_SECRET: ${CLIENT_SECRET_QA}
ENVIRONMENT: qa
TOKEN: ${OPENSHIFT_QA_TOKEN}
OPENSHIFT_SERVER: ${OPENSHIFT_SERVER_QA}
NAMESPACE: ${NAMESPACE_QA}
TAG: ${QA_TAG}
ROUTE_HOSTNAME: https://${NAMESPACE_QA}.web.cern.ch
environment:
name: qa
url: https://keycloak-rest-adapter-qa.web.cern.ch
only:
- master
deploy_prod:
<<: *deploy_definition
variables:
KC_ALIAS: ${KEYCLOAK_SERVER_PROD}
REALM: ${KEYCLOAK_REALM_PROD}
CLIENT_SECRET: ${CLIENT_SECRET_PROD}
ENVIRONMENT: prod
TOKEN: ${OPENSHIFT_PROD_TOKEN}
OPENSHIFT_SERVER: ${OPENSHIFT_SERVER_PROD}
NAMESPACE: ${NAMESPACE_PROD}
TAG: ${CI_COMMIT_TAG}
ROUTE_HOSTNAME: https://${NAMESPACE_PROD}.web.cern.ch
environment:
name: production
url: https://keycloak-rest-adapter.web.cern.ch
only:
- tags