.gitlab-ci.yml

default:
  tags:
    - rancher-shared

stages:          # List of stages for jobs, and their order of execution
  - build_images
  - deploy_dev
  - cleanup_dev_deployment
  - tag_release
  - deploy_tds
  - cleanup_dev_images


build_images:
  stage: build_images
  rules:
    - if: '$CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)?$/ || $CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)-dev+([.][0-9]+)?$/ || $CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH =~ /^RESTAPI-.{10,}$/'
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - echo "Build images with tag tmp-${CI_COMMIT_SHORT_SHA}-${CI_PIPELINE_ID}"
    - mkdir -p /kaniko/.docker
    - echo '{"auths":{"'$CI_REGISTRY'":{"username":"'$CI_REGISTRY_USER'","password":"'$CI_REGISTRY_PASSWORD'"}}}' > /kaniko/.docker/config.json
    - |
        # Base image for each commit
        /kaniko/executor --context ./ --dockerfile deploy/docker/base/Dockerfile --destination ${CI_REGISTRY_PREFIX}/f7t-base:tmp-${CI_COMMIT_SHORT_SHA}-${CI_PIPELINE_ID} --single-snapshot

        # Core microservices
        for img in certificator compute reservations status storage tasks utilities; do
            /kaniko/executor --build-arg BASE_IMAGE=${CI_REGISTRY_PREFIX}/f7t-base:tmp-${CI_COMMIT_SHORT_SHA}-${CI_PIPELINE_ID} \
                             --build-arg GENERAL_INFORMATION="{\"FIRECREST_VERSION\":\"$CI_COMMIT_TAG\", \"FIRECREST_BUILD\":\"$(date -u +"%Y-%m-%dT%H:%M:%SZ")\"}" \
                             --registry-mirror ${CI_REGISTRY} \
                             --context ./ --dockerfile deploy/docker/$img/Dockerfile --destination ${CI_REGISTRY_PREFIX}/$img:tmp-${CI_COMMIT_SHORT_SHA}-${CI_PIPELINE_ID} --cleanup
        done

        if [ "$CI_COMMIT_TAG" != "" ]; then exit 0; fi

        # build tester
        /kaniko/executor --context ./ --dockerfile deploy/docker/tester/Dockerfile \
        --destination ${CI_REGISTRY_PREFIX}/tester:tmp-${CI_COMMIT_SHORT_SHA}-${CI_PIPELINE_ID} --cleanup --single-snapshot


deploy_dev:
  variables:
    CI_NAMESPACE_DEV: firecrest-cicd
    DOCKER_AUTH_CONFIG: '{"auths":{"${CI_REGISTRY}":{"username":"${CI_REGISTRY_USER}","password":"${CI_REGISTRY_PASSWORD}"}}}'
  stage: deploy_dev
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://git.cscs.ch
  needs:
    - job: build_images
  image:
    name: ${CI_REGISTRY_PREFIX}/ci-util:latest
  script:
    - echo "Deploy development environment"
    - export VAULT_ADDR="$CI_VAULT_ADDR"
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt_idtoken/login role=firecrest2 jwt=$VAULT_ID_TOKEN)"
    - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi
    - CI_K8S_TOKEN="$(vault kv get -field=firecrest-cicd-secret firecrest/dev)"
    - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)"
    - CI_REGISTRY_PREFIX="$(vault kv get -field=REPO_PREFIX firecrest/dev)"
    - |
        printf 'Waiting for other pipelines...'
        ELEVATED_TOKEN="$(vault kv get -field=GITLAB_ACCESS_TOKEN firecrest/dev)"
        while true; do
          READY=$(curl -sS --header "PRIVATE-TOKEN: ${ELEVATED_TOKEN}" "${CI_GITLAB_URL}/api/v4/projects/${CI_PROJECT_ID}/pipelines?order_by=id&sort=asc&scope=running" | jq '.[0].id=='"${CI_PIPELINE_ID}")
          if [ "${READY}" = "true" ]; then
            printf '\nReady!'
            break
          else
            printf '.'
            sleep 10
          fi
        done

    - |
      ## configuring pipeline to access gitlab agent context
      kubectl config get-contexts
      kubectl config use-context firecrest/firecrest:firecrest-ci-agent
      # Fixing Kubeconfig permissions to avoid warnings
      chmod 600 $KUBECONFIG
      
      helm list -n ${CI_NAMESPACE_DEV}
      
      cd deploy/k8s

      ## adding at the end of values-dev.yaml on global section
      echo -e "\n  registry: ${CI_REGISTRY_PREFIX}\n  tag: 'tmp-${CI_COMMIT_SHORT_SHA}-${CI_PIPELINE_ID}' \n  namespace: ${CI_NAMESPACE_DEV}\n" >> values-dev.yaml

      # link API specification inside chart
      ln -s ../../../../doc/openapi/firecrest-api.yaml openapi/files/firecrest-api.yaml

      for app in config certificator compute jaeger keycloak kong minio openapi reservations status storage tasks utilities; do
        helm uninstall -n ${CI_NAMESPACE_DEV} "$app" || true
        helm install --wait --wait-for-jobs --timeout 240s -n ${CI_NAMESPACE_DEV} -f values-dev.yaml "$app" $app;
      done
    # Cluster is deployed separately ALWAYS with tag = latest
    - |
      echo -e "global:\n  registry: ${CI_REGISTRY_PREFIX}\n  tag: latest\n  namespace: ${CI_NAMESPACE_DEV}\n" > values-cluster-dev.yaml;

      helm uninstall -n ${CI_NAMESPACE_DEV} cluster || true;
      helm install --wait --wait-for-jobs --timeout 180s -n ${CI_NAMESPACE_DEV} -f values-cluster-dev.yaml cluster cluster;

      helm list -n ${CI_NAMESPACE_DEV};

      kubectl get pods -n ${CI_NAMESPACE_DEV};

    # Testing
    - >
      for use_gateway in False True; do

        helm uninstall -n ${CI_NAMESPACE_DEV} tester && sleep 15s || true;

        echo -e "Test using gateway: $use_gateway";

        helm install --wait --timeout 120s  -n $CI_NAMESPACE_DEV  -f values-dev.yaml \
            --set tag=tmp-$CI_COMMIT_SHORT_SHA-$CI_PIPELINE_ID \
            --set workingDir="/firecrest/src/tests/automated_tests" \
            --set use_gateway="$use_gateway" \
            --set pytest_config_file="firecrest-dev.ini" \
            tester tester;

        cont_exitcode=0;

        while :
        do
            sleep 20s;
            tester_pod=$(kubectl get pods --selector=job-name=job-tester -n ${CI_NAMESPACE_DEV} --output=jsonpath='{.items[*].metadata.name}');
            echo "Tester pod is: $tester_pod";
            pdstatus=$(kubectl get pods -n ${CI_NAMESPACE_DEV} $tester_pod -o jsonpath="{.status.phase}");

            if [ "$pdstatus" = "Running" ] || [ "$pdstatus" = "Pending" ]; then
                cont_exitcode=$(kubectl get pods -n ${CI_NAMESPACE_DEV} --selector=app=tester -o jsonpath="{.items[*].status.containerStatuses[*].state.terminated.exitCode}")

                if [ "$cont_exitcode" = "" ]; then echo "$tester_pod is still $pdstatus"; continue; fi

                cont_reason=$(kubectl get pods -n ${CI_NAMESPACE_DEV} --selector=app=tester -o jsonpath="{.items[*].status.containerStatuses[*].state.terminated.reason}")
                echo "Container tester exit code $cont_exitcode (reason: $cont_reason)";
            elif [ "$pdstatus" = "Succeeded" ]; then
              echo -e "$tester_pod succeeded."; 
              kubectl logs $tester_pod -n ${CI_NAMESPACE_DEV};
              break;
            elif [ "$pdstatus" = "Failed" ]; then
              echo -e "$tester_pod failed."; 
              kubectl logs $tester_pod -n ${CI_NAMESPACE_DEV};
              exit 1;
            fi

          done
      done
  only:
    - master
    - /^RESTAPI-.{10,}$/

  when: on_success

cleanup_dev_deployment:
  variables:
    CI_NAMESPACE_DEV: firecrest-cicd
    DOCKER_AUTH_CONFIG: '{"auths":{"${CI_REGISTRY}":{"username":"${CI_REGISTRY_USER}","password":"${CI_REGISTRY_PASSWORD}"}}}'
  needs:
    - job: deploy_dev
  stage: cleanup_dev_deployment
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://git.cscs.ch
  image:
    name: ${CI_REGISTRY_PREFIX}/ci-util:latest
  script:
    - export VAULT_ADDR="$CI_VAULT_ADDR"
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt_idtoken/login role=firecrest2 jwt=$VAULT_ID_TOKEN)"
    - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi
    - CI_K8S_TOKEN="$(vault kv get -field=firecrest-cicd-secret firecrest/dev)"
    - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)"
    - CI_REGISTRY_PREFIX="$(vault kv get -field=REPO_PREFIX firecrest/dev)"
    - |
      ## configuring pipeline to access gitlab agent context
      kubectl config get-contexts
      kubectl config use-context firecrest/firecrest:firecrest-ci-agent
    - >
      for app in config certificator compute jaeger keycloak kong minio openapi reservations status storage tasks utilities cluster tester; do
        helm uninstall -n ${CI_NAMESPACE_DEV} "$app" || true
      done
  only:
    - master
    - /^RESTAPI-.{10,}$/
  when: on_success

tag_release:
  variables:
    DOCKER_AUTH_CONFIG: '{"auths":{"${CI_REGISTRY}":{"username":"${CI_REGISTRY_USER}","password":"${CI_REGISTRY_PASSWORD}"}}}'
  needs:
    - job: build_images
  stage: tag_release
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://git.cscs.ch
  rules:
    - if: '$CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)-dev+([.][0-9]+)?$/'      
    - if: '$CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)?$/'
      when: manual
      allow_failure: false

  image:
    name: ${CI_REGISTRY_PREFIX}/ci-util:latest
  script:
    - export VAULT_ADDR="$CI_VAULT_ADDR"
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt_idtoken/login role=firecrest2 jwt=$VAULT_ID_TOKEN)"
    - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi
    - GITLAB_ACCESS_TOKEN="$(vault kv get -field=GITLAB_ACCESS_TOKEN firecrest/dev)"
    - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)"
    - |
      env_tags="$CI_COMMIT_TAG prod"
      code_tag="prod"
      # Check if this branch is master or a the commit tag contains "dev" 
      if $(curl -sS --header "PRIVATE-TOKEN: ${GITLAB_ACCESS_TOKEN}" "${CI_SERVER_URL}/api/v4/projects/${CI_PROJECT_ID}/repository/commits/${CI_COMMIT_SHORT_SHA}/refs?type=branch" | jq '.[].name=="master"' | grep true) || [[ $CI_COMMIT_TAG =~ "dev" ]];
        then
        # Distinguish between TDS and PROD
        if [[ $CI_COMMIT_TAG =~ "dev" ]]; then
          env_tags="$CI_COMMIT_TAG tds"
          code_tag="tds"
          echo "This is a TDS release"
        else
          echo "This is a Prod release"
        fi
      
        # Check if tag $code_tag exists
        res_get=$(curl -s -w "%{http_code}" --header "PRIVATE-TOKEN: ${GITLAB_ACCESS_TOKEN}" "${CI_SERVER_URL}/api/v4/projects/${CI_PROJECT_ID}/repository/tags/${code_tag}")
        status=$(printf "%s" "$res_get" | tail -c 3)
        echo "Status of getting the tag $code_tag: $status"
      
        if [ "$status" == "200" ]; then
          # if exists, then delete the tag $code_tag (since it can't be updated)
          echo "Tag $code_tag exists. Has to be deleted in order to update"
          res_del=$(curl -s -w "%{http_code}" --request DELETE --header "PRIVATE-TOKEN: ${GITLAB_ACCESS_TOKEN}" "${CI_SERVER_URL}/api/v4/projects/${CI_PROJECT_ID}/repository/tags/${code_tag}")
          status_del=$(printf "%s" "$res_del" | tail -c 3)
          echo "Status of deleting the tag $code_tag: $status_del"
          if [ "$status_del" != "204" ]; then
            # if it is deleted, then a new one with the same tag name has to be created
            echo "Tag $code_tag couldn't been deleted. Exiting"
            echo "Result: $res_del"
            exit 1
          fi
          echo "Tag $code_tag successfully deleted"
        fi

        echo "Trying to create tag $code_tag"
        res_post=$(curl -s -w "%{http_code}" --request POST --header "PRIVATE-TOKEN: ${GITLAB_ACCESS_TOKEN}" "${CI_SERVER_URL}/api/v4/projects/${CI_PROJECT_ID}/repository/tags?tag_name=${code_tag}&ref=${CI_COMMIT_SHORT_SHA}")
        status_post=$(printf "%s" "$res_post" | tail -c 3)

        echo "Status of creating tag $code_tag: $status_post"
        if [ "$status_post" == "201" ]; then
          echo "Tag $code_tag created successfully"
        else
          echo "Tag $code_tag couldn't be created"
          echo "Result: $res_post"
          exit 1
        fi

        echo "Tagging images and helm charts for '$code_tag' deployment"
        for tag in $env_tags; do
          if [ "$code_tag" == "prod" ] && [ "$tag" != "prod" ]; then
            #  if code_tag indicates prod and tag is 'v1...'
            GH_USER = $(vault kv get -field=ghcr_pat_user firecrest/prod/)"
            GH_PAT = $(vault kv get -field=ghcr_pat_token firecrest/prod/)"
            crane auth login ghcr.io --username $GH_USER --password $GH_PAT
            # publish 'f7t-base'
            crane copy ${CI_REGISTRY_PREFIX}/f7t-base:$CI_COMMIT_TAG ghcr.io/eth-cscs/firecrest/f7t-base:${tag}
            crane tag ghcr.io/eth-cscs/firecrest/f7t-base:${tag} latest
          fi
          images="certificator compute reservations status storage tasks utilities";
          for img in $images; do
            echo "Tagging image ${CI_REGISTRY_GROUP}/$img/$tag"
            jfrog rt copy --flat=true --url="https://${CI_REGISTRY}/artifactory" --user="${CI_REGISTRY_USER}" --password="${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY_GROUP}/$img/tmp-${CI_COMMIT_SHORT_SHA}-${CI_PIPELINE_ID}/" "${CI_REGISTRY_GROUP}/$img/$tag/";
            if [ "$code_tag" == "prod" ] && [ "$tag" != "prod" ] && [ "$img" != "reservations" ]; then
              # if code_tag indicates prod and tag is 'v1...', also publish to GitHub
              crane copy ${CI_REGISTRY_PREFIX}/${img}:${tag} ghcr.io/eth-cscs/firecrest/f7t-${img}:${tag}
               crane tag ghcr.io/eth-cscs/firecrest/f7t-${img}:${tag} latest
            fi
          done
        done

        echo "Pushing helm charts to $CI_REGISTRY_HELM_URL"
        # include API specification inside chart folder
        cp doc/openapi/firecrest-api.yaml deploy/k8s/openapi/files/firecrest-api.yaml

        images="config certificator compute reservations status storage tasks utilities openapi kong";
        for img in $images; do
          helm package --version=$CI_COMMIT_TAG --app-version=$CI_COMMIT_TAG deploy/k8s/$img
          file=$(find . -iname "$img-*.tgz" -print -maxdepth 1)

          sha1=`sha1sum $file | awk '{print $1}'`
          sha256=`sha256sum $file | awk '{print $1}'`
          md5=`md5sum $file | awk '{print $1}'`

          echo "Pushing helm chart ${CI_REGISTRY_HELM_URL}/${file}"
          curl -H "X-JFrog-Art-Api:${CI_REGISTRY_PASSWORD}" -H "X-Checksum-md5:${md5}" -H "X-Checksum-sha1:${sha1}" -H "X-Checksum-sha256:${sha256}" -T $file ${CI_REGISTRY_HELM_URL}
        done
      else
        echo "The prod tag does not belong to master the branch";
        exit 1
      fi

  when: on_success

deploy_tds:
  variables:
    RELEASE_VERSION: ${CI_COMMIT_TAG}
    RELEASE_ENVIRONMENT: "tds"
    RELEASE_SERVICE: "firecrest-api"
  needs:
    - job: tag_release
  stage: deploy_tds
  rules:
    - if: '$CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)-dev+([.][0-9]+)?$/'
  trigger: ArgoCD/apps/firecrest
  when: on_success

cleanup_dev_images:
  variables:
    DOCKER_AUTH_CONFIG: '{"auths":{"${CI_REGISTRY}":{"username":"${CI_REGISTRY_USER}","password":"${CI_REGISTRY_PASSWORD}"}}}'
  stage: cleanup_dev_images
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://git.cscs.ch
  rules:
    - if: '$CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)?$/ || $CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)-dev+([.][0-9]+)?$/ || $CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH =~ /^RESTAPI-.{10,}$/'
  image:
    name: ${CI_REGISTRY_PREFIX}/ci-util:latest
  script:
    - export VAULT_ADDR="$CI_VAULT_ADDR"
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt_idtoken/login role=firecrest2 jwt=$VAULT_ID_TOKEN)"
    - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi
    - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)"
    - CI_REGISTRY_PREFIX="$(vault kv get -field=REPO_PREFIX firecrest/dev)"
    - >
      for image in certificator compute reservations status storage tasks tester utilities; do

        jfrog rt del --recursive --quiet --url="https://${CI_REGISTRY}/artifactory" --user="${CI_REGISTRY_USER}" --password="${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY_GROUP}/$image/tmp-${CI_COMMIT_SHORT_SHA}-${CI_PIPELINE_ID}/"

      done
  when: on_success