# Pipeline inputs (GitLab CI `spec:inputs` header). Each value is substituted
# into the configuration below via `$[[ inputs.NAME ]]`.
# NOTE(review): several inputs are interpolated unquoted into shell commands
# further down, so only trusted callers should be able to override them.
spec:
  inputs:
    # Release tag of virter, used in the GitHub release download URL.
    virter_version:
      type: string
      default: "v0.27.0"
      description: virter version to use
    # Release tag of vmshed, used in the GitHub release download URL.
    vmshed_version:
      type: string
      default: "v0.24.0"
      description: vmshed version to use
    # Used both as the tag of the default job image and as the build-helpers
    # revision fetched by the e2e and sbom jobs.
    build_helpers_version:
      type: string
      default: "b2edbb8af25e877317844f5974db3a6b349a4d8b"
      description: build-helpers version or tag to use
    vmshed_torun:
      type: string
      default: "all"
      description: "list of named tests to run, `all` means all :D"
    # Default variant arguments; a job can override them with TMP_VARIANTS.
    vmshed_variants:
      type: string
      default: "--variant standard"
      description: "which variant to run: [standard, default, crd]; e.g. `--variant crd`"
    vmshed_print_error_details:
      type: boolean
      default: false
      description: "Show all test error logs at the end of the run"
    linstor_test_repeats:
      type: number
      default: 1
      description: How often to repeat each run
    # Comma-separated list; split on "," by the .run_lbbuild script.
    distributions:
      type: string
      default: "ubuntu-focal,ubuntu-jammy,ubuntu-noble,rhel8.0,rhel9.0,rhel10.0,debian-trixie"
      description: "which distributions to build for"
    ci_e2e_timeout:
      type: string
      default: "90 minutes"
      description: "timeout for the CI e2e tests"
    ci_remove_success_logs:
      type: boolean
      default: false
      description: "Removes vm logs from successful tests before creating the artifact"
---
# Default job image: build-helpers at the revision selected by the
# build_helpers_version input.
image: $LINBIT_DOCKER_REGISTRY/build-helpers:$[[ inputs.build_helpers_version ]]

# Pipeline-wide defaults; the workflow rules override RUNNER_TAG_LIBVIRT and
# LINBIT_CI_MAX_CPUS for the jenkins and master branches.
variables:
  GIT_SUBMODULE_STRATEGY: recursive
  RUNNER_TAG_LIBVIRT: "libvirt"
  # limit memory usage (limit 84GB) on default runners 38 * 2 + 7(vmshed/virter...)
  LINBIT_CI_MAX_CPUS: 38
  # Keep the Gradle home inside the project dir so the cache paths below apply.
  GRADLE_USER_HOME: $CI_PROJECT_DIR/.gradle
# Gradle wrapper/caches and the tools directory are cached; the cache key is
# derived from build.gradle and gradle.lockfile, so it changes with them.
cache:
  key:
    files:
      - build.gradle
      - gradle.lockfile
  paths:
    - .gradle/wrapper
    - .gradle/caches
    - tools
# Stage order of the pipeline.
stages:
  - build
  - test
  - deploy
  - integration
  - integration-all
# Pipelines on the jenkins and master branches use the "libvirt-xl" runner tag
# and a higher CPU limit; every other pipeline runs with the default variables.
workflow:
  rules:
    - if: $CI_COMMIT_BRANCH == 'jenkins'
      variables:
        RUNNER_TAG_LIBVIRT: "libvirt-xl"
        # enough memory on xl runners
        LINBIT_CI_MAX_CPUS: 64
    - if: $CI_COMMIT_BRANCH == 'master'
      variables:
        RUNNER_TAG_LIBVIRT: "libvirt-xl"
        # enough memory on xl runners
        LINBIT_CI_MAX_CPUS: 64
    # Other pipelines can run, but use the default variables
    - when: always
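# Hidden job template: builds the spacetracking jars, creates the release
# tarball, uploads it to the registry and to pulp, and starts an lbbuild run.
# Jobs extending it set LINSTOR_VERSION and install lbbuildctl beforehand.
.run_lbbuild:
  script:
    # build spacetracking
    # Use the spacetracking branch named like the current ref if it exists,
    # otherwise master. The ref is passed to ls-remote as a full ref name, so
    # it is matched exactly rather than as a regex/substring of the listing.
    - |
      ST_BRANCH="master"
      if git ls-remote --exit-code "https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.at.linbit.com/linstor/linstor-server-spacetracking.git" "refs/heads/${CI_COMMIT_REF_NAME}" ; then
        ST_BRANCH=${CI_COMMIT_REF_NAME}
      fi
    - echo "Using ST-Branch ${ST_BRANCH}"
    # NOTE(review): the job token is embedded in the remote URLs and therefore
    # stored in the clone's .git/config until the clone is removed below.
    - git clone --single-branch --branch "${ST_BRANCH}" --recursive https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.at.linbit.com/linstor/linstor-server-spacetracking.git linstor-spacetracking
    - cd linstor-spacetracking
    - git remote add linstor https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.at.linbit.com/linstor/linstor-server.git
    - git fetch linstor --recurse-submodules=no
    # A committer identity is required for the rebase.
    - git config --global user.email "fake@example.com"
    - git config --global user.name "Faker"
    # Rebase onto the commit under test; the full SHA cannot be ambiguous.
    - git rebase "$CI_COMMIT_SHA"
    - git submodule update
    - ./gradlew getProtoc && ./gradlew installdist
    - ./gradlew getproguard
    - make obfuscate-spacetracking
    - mkdir ../libs
    - cp satellite-st/build/libs/satellite-st.jar ../libs/
    - cp controller-st/build/libs/controller-st.jar ../libs/
    - cp server-st/build/libs/server-st.jar ../libs/
    - cd ..
    - rm -Rf linstor-spacetracking
    # normal linstor build
    - dummy-release.sh linstor-server $LINSTOR_VERSION 1 linstor.spec
    - FORCE=1 VERSION=$LINSTOR_VERSION make debrelease
    - . gitlab-utils.sh
    - ci_prepare_tools
    # Credentials are quoted so that special characters in them are neither
    # word-split nor glob-expanded by the shell.
    # NOTE(review): they are still passed on the command line; confirm both
    # variables are masked in the project's CI/CD settings.
    - curl -isSf -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" --upload-file linstor-server-$LINSTOR_VERSION.tar.gz $LINBIT_REGISTRY_URL/repository/lbbuild-upstream/
    - pulp file content upload --repository lbbuild-upstream --file linstor-server-$LINSTOR_VERSION.tar.gz --relative-path linstor-server-$LINSTOR_VERSION.tar.gz
    # Disabled alternative upload through the pulp REST API.
    # NOTE(review): it uses `-k`, which turns off TLS certificate verification;
    # drop that flag if this is ever re-enabled.
    # - |
    #   curl -kisSf -X POST -u "admin:${LINBIT_PULP_PASSWORD}" \
    #     -H "Content-Type: multipart/form-data" \
    #     -F "repository=https://pulp.at.linbit.com/pulp/api/v3/repositories/file/file/019b1dc3-e2f8-7ef9-860c-9f74ea754d49/" \
    #     -F "relative_path=linstor-server-$LINSTOR_VERSION.tar.gz" \
    #     -F "file=@linstor-server-$LINSTOR_VERSION.tar.gz" \
    #     "https://pulp.at.linbit.com/pulp/api/v3/content/file/files/"
    # workaround a nexus bug not regenerating metadata
    # (no -f on purpose: an HTTP error from a DELETE does not fail the job)
    - curl -X DELETE -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" $LINBIT_REGISTRY_URL/repository/ci-yum/rhel10/x86_64/linstor-controller-$LINSTOR_VERSION-1.noarch.rpm
    - curl -X DELETE -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" $LINBIT_REGISTRY_URL/repository/ci-yum/rhel10/x86_64/linstor-common-$LINSTOR_VERSION-1.noarch.rpm
    - curl -X DELETE -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" $LINBIT_REGISTRY_URL/repository/ci-yum/rhel10/x86_64/linstor-satellite-$LINSTOR_VERSION-1.noarch.rpm
    - curl -X DELETE -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" $LINBIT_REGISTRY_URL/repository/ci-yum/rhel9/x86_64/linstor-controller-$LINSTOR_VERSION-1.noarch.rpm
    - curl -X DELETE -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" $LINBIT_REGISTRY_URL/repository/ci-yum/rhel9/x86_64/linstor-common-$LINSTOR_VERSION-1.noarch.rpm
    - curl -X DELETE -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" $LINBIT_REGISTRY_URL/repository/ci-yum/rhel9/x86_64/linstor-satellite-$LINSTOR_VERSION-1.noarch.rpm
    - curl -X DELETE -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" $LINBIT_REGISTRY_URL/repository/ci-yum/rhel8/x86_64/linstor-controller-$LINSTOR_VERSION-1.noarch.rpm
    - curl -X DELETE -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" $LINBIT_REGISTRY_URL/repository/ci-yum/rhel8/x86_64/linstor-common-$LINSTOR_VERSION-1.noarch.rpm
    - curl -X DELETE -u "$LINBIT_REGISTRY_USER:$LINBIT_REGISTRY_PASSWORD" $LINBIT_REGISTRY_URL/repository/ci-yum/rhel8/x86_64/linstor-satellite-$LINSTOR_VERSION-1.noarch.rpm
    # Folded scalar: the lines below are joined into one command line.
    # NOTE(review): the registry password is handed to lbbuildctl as an
    # argument; whether lbbuildctl offers a safer channel is not visible here.
    - >-
      lbbuildctl build linstor-server --arch amd64 --ci -v "$LINSTOR_VERSION"
      -e LINBIT_REGISTRY_USER="$LINBIT_REGISTRY_USER"
      -e LINBIT_REGISTRY_PASSWORD="$LINBIT_REGISTRY_PASSWORD"
      -e LINBIT_REGISTRY_URL="$LINBIT_REGISTRY_URL"
      -d $[[ inputs.distributions ]]
    # Print a YAML-style listing of the package URLs for each distribution.
    - |
      IFS="," read -ra ALL_DISTS <<< $[[ inputs.distributions ]]
      echo "distributions:"
      for dist in "${ALL_DISTS[@]}"; do
        if [[ ${dist} == rhel* ]] ; then
          echo " ${dist%%.*}:"
          for linstor_comp in linstor-controller linstor-satellite linstor-common; do
            echo " ${linstor_comp/-/_}: \"https://nexus.at.linbit.com/repository/ci-yum/${dist%%.*}/x86_64/${linstor_comp}-${LINSTOR_VERSION}-1.noarch.rpm\""
          done
        elif [[ ${dist} == ubuntu* || ${dist} == debian* ]] ; then
          echo " ${dist/-/_}:"
          for linstor_comp in linstor-controller linstor-satellite linstor-common; do
            echo " ${linstor_comp/-/_}: \"https://nexus.at.linbit.com/repository/${dist}/pool/l/${linstor_comp}/${linstor_comp}_${LINSTOR_VERSION}-1_all.deb\""
          done
        else
          echo "unknown distribution: ${dist}"
        fi
      done
    - rm linstor-server-$LINSTOR_VERSION.tar.gz
    # Remove every uploaded copy of the tarball from the pulp repository again.
    - |
      for sha in $(pulp file repository content list --repository lbbuild-upstream | jq -r ".[] | select(.relative_path==\"linstor-server-$LINSTOR_VERSION.tar.gz\") | .sha256"); do
        pulp file repository content remove --repository lbbuild-upstream --relative-path linstor-server-$LINSTOR_VERSION.tar.gz --sha256 "$sha"
      done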
# Hidden job template with the shared end-to-end test script. Jobs pull it in
# with `!reference [.common_e2e, script]` after setting TEST_BRANCH and,
# optionally, TMP_VARIANTS.
.common_e2e:
  script:
    # Prefer a linstor-tests image tagged with this ref's slug and fall back
    # to :latest when no such image can be pulled.
    # NOTE(review): run-test.py is taken from this image, so push access to the
    # linstor-tests repository decides what runs on the libvirt runners;
    # restrict it accordingly.
    - IMAGE_NAME=$LINBIT_DOCKER_REGISTRY/linstor-tests:latest
    - |
      SAFE_REF_NAME=${CI_COMMIT_REF_SLUG}
      if docker image pull $LINBIT_DOCKER_REGISTRY/linstor-tests:$SAFE_REF_NAME ; then
        TEST_BRANCH=$SAFE_REF_NAME
        IMAGE_NAME=$LINBIT_DOCKER_REGISTRY/linstor-tests:$SAFE_REF_NAME
      else
        docker image pull $IMAGE_NAME
      fi
    # copy virter files out from the docker image (replaces old bundle)
    - |
      CID=$(docker create $IMAGE_NAME)
      docker cp $CID:/linstor-tests/virter ./
      docker rm -v $CID
    # Download build-helpers and source its gitlab-utils.sh.
    # NOTE(review): the tarball is unpacked and sourced without a checksum or
    # signature check; its integrity depends on the registry and the transport.
    - |
      mkdir build-helpers
      BUILD_HELPERS_VERSION=$[[ inputs.build_helpers_version ]]
      curl -sSfL $LINBIT_REGISTRY_URL/repository/test-suite/build-helpers-$BUILD_HELPERS_VERSION.tar.gz | tar -xvz -C ./build-helpers
      . build-helpers/gitlab-utils.sh
    # Fetch rq, virter and vmshed through the build-helpers functions.
    # NOTE(review): whether ci_fetch_binary verifies the downloaded release
    # binaries is not visible in this file; confirm in build-helpers.
    - |
      ci_prepare_tools
      ci_fetch_rq
      VIRTER_VERSION=$[[ inputs.virter_version ]]
      VMSHED_VERSION=$[[ inputs.vmshed_version ]]
      ci_fetch_binary virter virter-$VIRTER_VERSION https://github.com/LINBIT/virter/releases/download/$VIRTER_VERSION/virter-linux-amd64
      ci_fetch_binary vmshed vmshed-$VMSHED_VERSION https://github.com/LINBIT/vmshed/releases/download/$VMSHED_VERSION/vmshed-linux-amd64
    # TMP_VARIANTS, when set by the job, takes precedence over the
    # vmshed_variants input (bash `${VAR:-default}` expansion).
    - VARIANTS="${TMP_VARIANTS:-$[[ inputs.vmshed_variants ]]}"
    - echo "Running variants $VARIANTS"
    - echo "LINSTOR-TEST BRANCH = $TEST_BRANCH"
    - export LINSTOR_VERSION=1.99.0.$CI_COMMIT_SHORT_SHA
    - export LINSTOR_TESTS_VERSION=$TEST_BRANCH
    - export LINBIT_CI_JOB_ID=$CI_JOB_ID
    - export LINBIT_CI_REMOVE_SUCCESS_LOGS=$[[ inputs.ci_remove_success_logs ]]
    # NOTE(review): the inputs below are substituted textually into this
    # command line, so they must only come from trusted pipeline callers.
    - ./virter/run-test.py $VARIANTS --torun $[[ inputs.vmshed_torun ]] --repeats="$[[ inputs.linstor_test_repeats ]]" --error-details=$[[ inputs.vmshed_print_error_details ]]
# Lints the REST OpenAPI description. Runs for merge-request and web pipelines,
# and only when the spec or its spectral config changed.
check-openapi:
  stage: build
  interruptible: true
  image:
    # Validator image pinned to a fixed version tag.
    name: ibmdevxsdk/openapi-validator:1.37.11
    # force empty entrypoint to workaround a gitlab issue
    entrypoint: [""]
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "web"'
      changes:
        - docs/rest_v1_openapi.yaml
        - docs/.spectral.yaml
  before_script:
    - echo default before disabled
  script:
    - cd docs
    - lint-openapi -e rest_v1_openapi.yaml
# Regenerates the REST types and fails when the result differs from what is
# committed, i.e. when the generated sources are out of date.
check-resttypes:
  stage: build
  interruptible: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_COMMIT_BRANCH == "jenkins"
    - if: $CI_COMMIT_BRANCH == "master"
  before_script:
    - echo "checking if JsonGenTypes.java is up-to-date"
  script:
    - make resttypes
    # exits with 1 if a difference is found, and also shows it
    - git diff --exit-code
# Checks that every directory under the Java source roots that holds at least
# one .java file also has a package-info.java; the job fails otherwise.
check-package-info:
  stage: build
  interruptible: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_COMMIT_BRANCH == "jenkins"
    - if: $CI_COMMIT_BRANCH == "master"
  before_script:
    - echo "checking package-info.java"
  script:
    # ret becomes the job's exit status; the function sets it to 1 on a miss.
    - ret=0
    # Recursive walk: report each directory that lacks package-info.java.
    - |
      function check_package_info() {
        for f in ${1}/*; do
          if [ -d "${f}" ]; then
            if ls ${f}/*.java 1> /dev/null 2>&1; then
              # this folder contains at least 1 .java file
              if [ ! -f ${f}/package-info.java ]; then
                ret=1
                echo -e "\x1b[31;mno package-info.java in \x1b[0m${f}"
              fi
            fi
            check_package_info ${f}
          fi
        done
      }
    # Source roots of the top-level project and of the three sub-projects.
    - |
      for entry in ./{.,controller,satellite,server}/src/main/java; do
        check_package_info ${entry}
      done
    - exit ${ret}
# Runs checkstyle, assembles the distribution, runs the unit tests with a
# coverage report and publishes JUnit/coverage results plus the tarball.
test:
  stage: test
  interruptible: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_COMMIT_BRANCH == "master"
    - if: $CI_COMMIT_BRANCH == "jenkins"
  script:
    - ./gradlew getProtoc
    - ./gradlew -PversionOverride= checkstyleMain
    - ./gradlew -PversionOverride= assemble
    # -ea enables Java assertions for the test run.
    - JAVA_OPTS="-ea" ./gradlew -PversionOverride= -PCoverageReport=true test
    # Sum columns 4 and 5 of the JaCoCo CSV and print the overall percentage
    # in the form matched by the `coverage` regex below.
    - awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print "Total", 100*covered/instructions, "% covered" }' build/reports/jacoco/test/jacocoTestReport.csv
  coverage: '/Total (\d+.\d+) % covered/'
  artifacts:
    expire_in: 4 days
    paths:
      - build/distributions/linstor-server.tar
    reports:
      junit: build/test-results/test/TEST-*.xml
      coverage_report:
        coverage_format: cobertura
        path: build/reports/jacoco/test/jacocoTestReport.xml
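# Builds the test-controller image and pushes it as :latest to the project's
# container registry. Runs only for the master branch, on runners tagged
# `shell`.
deploy:
  stage: deploy
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
  before_script:
    - echo "DEPLOY"
  script:
    - cp Dockerfile.test-controller Dockerfile
    # The password is read from stdin rather than passed with -p, so it does
    # not appear in the process list or in the job's command echo.
    # NOTE(review): presumably a shell executor, where `docker login` leaves
    # the credential in the runner user's docker config — confirm that this is
    # acceptable on that host.
    - 'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"'
    - docker build -t $CI_REGISTRY/linstor/linstor-server/controller:latest .
    - docker push $CI_REGISTRY/linstor/linstor-server/controller:latest
  tags:
    - shell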
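# lbbuild run for the master branch, published under the fixed version
# 1.99.0.latest. The build steps come from the .run_lbbuild template.
run-lbbuild-master:
  stage: deploy
  extends: .run_lbbuild
  rules:
    - if: $CI_COMMIT_BRANCH == 'master'
  before_script:
    # -f makes curl fail on an HTTP error instead of saving the error page as
    # the lbbuildctl binary that is then made executable.
    # NOTE(review): `lbbuildctl-latest` is a floating artifact and is run
    # without a checksum check; consider a pinned version and a digest.
    - curl -fsSL "$LINBIT_REGISTRY_URL/repository/lbbuild/lbbuildctl-latest" -o /usr/local/bin/lbbuildctl
    - chmod +x /usr/local/bin/lbbuildctl
  variables:
    LINSTOR_VERSION: 1.99.0.latest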
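# lbbuild run versioned by the short commit SHA, for merge-request, web and
# scheduled pipelines and for the master and jenkins branches. The build steps
# come from the .run_lbbuild template.
run-lbbuild:
  stage: deploy
  extends: .run_lbbuild
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_COMMIT_BRANCH == 'master'
    - if: $CI_COMMIT_BRANCH == "jenkins"
  before_script:
    # -f makes curl fail on an HTTP error instead of saving the error page as
    # the lbbuildctl binary that is then made executable.
    # NOTE(review): `lbbuildctl-latest` is a floating artifact and is run
    # without a checksum check; consider a pinned version and a digest.
    - curl -fsSL "$LINBIT_REGISTRY_URL/repository/lbbuild/lbbuildctl-latest" -o /usr/local/bin/lbbuildctl
    - chmod +x /usr/local/bin/lbbuildctl
  variables:
    LINSTOR_VERSION: 1.99.0.$CI_COMMIT_SHORT_SHA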
# End-to-end run of the "nonstandard" variant; merge-request pipelines only,
# on runners tagged `libvirt`.
test-e2e-all:
  stage: integration-all
  interruptible: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  tags:
    - libvirt
  before_script:
    - echo "no before"
  script:
    # Defaults read by the shared script: test branch and variant arguments.
    - TEST_BRANCH=latest
    - TMP_VARIANTS="--variant nonstandard"
    - !reference [.common_e2e, script]
  artifacts:
    # provide a convenient name so that the downloaded artifacts can be identified
    name: $CI_PROJECT_NAME-$CI_JOB_ID
    # Upload the test output even when the job fails.
    when: always
    paths:
      - tests-out/
    reports:
      junit: tests-out/test-results/*.xml
# Main end-to-end run. The runner tag comes from RUNNER_TAG_LIBVIRT (set by
# the workflow rules) and the timeout from the ci_e2e_timeout input.
test-e2e:
  stage: integration
  interruptible: true
  timeout: $[[ inputs.ci_e2e_timeout ]]
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_PIPELINE_SOURCE == "schedule"
    # Branch pipelines choose their variants through TMP_VARIANTS.
    - if: $CI_COMMIT_BRANCH == "jenkins"
      variables:
        TMP_VARIANTS: "--variant default --variant crd"
    - if: '$CI_COMMIT_BRANCH == "master" && $CI_PIPELINE_SOURCE == "push"'
      variables:
        TMP_VARIANTS: "--variant default"
  tags:
    - $RUNNER_TAG_LIBVIRT
  before_script:
    - echo "no before"
  script:
    - TEST_BRANCH=latest
    - !reference [.common_e2e, script]
  artifacts:
    # provide a convenient name so that the downloaded artifacts can be identified
    name: $CI_PROJECT_NAME-$CI_JOB_ID
    # Upload the test output even when the job fails.
    when: always
    paths:
      - tests-out/
    reports:
      junit: tests-out/test-results/*.xml
# Generates a CycloneDX SBOM with Gradle and keeps it as a job artifact; for
# tags and the jenkins branch it is also handed to ci_put_bom.
sbom:
  stage: build
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_COMMIT_BRANCH == "jenkins"
    - if: $CI_COMMIT_TAG
  before_script:
    # Fetch exactly the requested build-helpers revision (depth 1) with the
    # job token, then source its helper functions.
    - BUILD_HELPERS_VERSION=$[[ inputs.build_helpers_version ]]
    - git init build-helpers -q -b unused
    - git -C build-helpers fetch -q --depth 1 $CI_SERVER_PROTOCOL://gitlab-ci-token:${CI_JOB_TOKEN}@$CI_SERVER_HOST:$CI_SERVER_PORT/linbit/build-helpers.git $BUILD_HELPERS_VERSION
    - git -C build-helpers checkout -q $BUILD_HELPERS_VERSION
    - . build-helpers/gitlab-utils.sh
    - ci_prepare_tools
  script:
    # Patch the build with the diff shipped in scripts/, then create the BOM.
    - git apply scripts/gradle-cyclonedx.diff
    - ./gradlew cyclonedxBom
    # The if/fi below spans three list entries of this script.
    - if [ -n "$CI_COMMIT_TAG" ] || [ "$CI_COMMIT_BRANCH" == "jenkins" ]; then
    - ci_put_bom linstor-server ${CI_COMMIT_TAG:-$CI_COMMIT_BRANCH} build/reports/linstor-server.json
    - fi
  artifacts:
    paths:
      - build/reports/linstor-server.json
# Scans the SBOM artifact with trivy, publishes an HTML report and exits
# non-zero on fixable CRITICAL findings.
# NOTE(review): with `allow_failure: true` that gate is advisory only; the
# pipeline still passes when critical findings are reported.
cve-scan:
  stage: test
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_COMMIT_BRANCH == "jenkins"
    - if: $CI_COMMIT_TAG
  image:
    # NOTE(review): `latest` is a floating tag, so the scanner binary can
    # change between runs without review; pin a version tag or image digest.
    name: docker.io/aquasec/trivy:latest
    entrypoint: [ "" ]
  variables:
    # No need to clone the repo, we exclusively work on artifacts. See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
  script:
    - trivy --version
    # HTML report, exposed as an artifact below
    - trivy -q sbom --exit-code 0 --format template --template "@/contrib/html.tpl" -o cve-scan.html build/reports/linstor-server.json
    # Prints full report
    - trivy -q sbom --exit-code 0 build/reports/linstor-server.json
    # Fail on critical (unfixed) vulnerabilities
    - trivy -q sbom --exit-code 1 --ignore-unfixed --severity CRITICAL build/reports/linstor-server.json
  # For now...
  allow_failure: true
  artifacts:
    when: always
    expose_as: "CVE Scan"
    paths:
      - cve-scan.html