Disable sign-ups after Review App deploy

Signed-off-by: Rémy Coutable <remy@rymai.me>

.gitlab/ci/review.gitlab-ci.yml

@@ -16,25 +16,24 @@ review-cleanup:
     - ruby -rrubygems scripts/review_apps/automated_cleanup.rb
     - gcp_cleanup
 
-# Temporarily disabling review apps
-#review-build-cng:
-#  extends:
-#    - .default-retry
-#    - .review:rules:review-build-cng
-#  image: ruby:2.6-alpine
-#  stage: review-prepare
-#  before_script:
-#    - source scripts/utils.sh
-#    - install_api_client_dependencies_with_apk
-#    - install_gitlab_gem
-#  needs:
-#    - job: compile-production-assets
-#      artifacts: false
-#  script:
-#    - BUILD_TRIGGER_TOKEN=$REVIEW_APPS_BUILD_TRIGGER_TOKEN ./scripts/trigger-build cng
-#    # When the job is manual, review-deploy is also manual and we don't want people
-#    # to have to manually start the jobs in sequence, so we do it for them.
-#    - '[ -z $CI_JOB_MANUAL ] || play_job "review-deploy"'
+review-build-cng:
+  extends:
+    - .default-retry
+    - .review:rules:review-build-cng
+  image: ruby:2.6-alpine
+  stage: review-prepare
+  before_script:
+    - source scripts/utils.sh
+    - install_api_client_dependencies_with_apk
+    - install_gitlab_gem
+  needs:
+    - job: compile-production-assets
+      artifacts: false
+  script:
+    - BUILD_TRIGGER_TOKEN=$REVIEW_APPS_BUILD_TRIGGER_TOKEN ./scripts/trigger-build cng
+    # When the job is manual, review-deploy is also manual and we don't want people
+    # to have to manually start the jobs in sequence, so we do it for them.
+    - '[ -z $CI_JOB_MANUAL ] || play_job "review-deploy"'
 
 .review-workflow-base:
   extends:
@@ -50,37 +49,37 @@ review-cleanup:
     on_stop: review-stop
     auto_stop_in: 48 hours
 
-# Temporarily disabling review apps
-#review-deploy:
-#  extends:
-#    - .review-workflow-base
-#    - .review:rules:mr-and-schedule-auto-if-frontend-manual-otherwise
-#  stage: review
-#  dependencies: []
-#  resource_group: "review/${CI_COMMIT_REF_NAME}"
-#  before_script:
-#    - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
-#    - export GITALY_VERSION=$(<GITALY_SERVER_VERSION)
-#    - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION)
-#    - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt
-#    - source ./scripts/utils.sh
-#    - install_api_client_dependencies_with_apk
-#    - source scripts/review_apps/review-apps.sh
-#  script:
-#    - check_kube_domain
-#    - ensure_namespace
-#    - install_external_dns
-#    - download_chart
-#    - date
-#    - deploy || (display_deployment_debug && exit 1)
-#    # When the job is manual, review-qa-smoke is also manual and we don't want people
-#    # to have to manually start the jobs in sequence, so we do it for them.
-#    - '[ -z $CI_JOB_MANUAL ] || play_job "review-qa-smoke"'
-#    - '[ -z $CI_JOB_MANUAL ] || play_job "review-performance"'
-#  artifacts:
-#    paths: [environment_url.txt]
-#    expire_in: 2 days
-#    when: always
+review-deploy:
+  extends:
+    - .review-workflow-base
+    - .review:rules:mr-and-schedule-auto-if-frontend-manual-otherwise
+  stage: review
+  dependencies: []
+  resource_group: "review/${CI_COMMIT_REF_NAME}"
+  before_script:
+    - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
+    - export GITALY_VERSION=$(<GITALY_SERVER_VERSION)
+    - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION)
+    - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt
+    - source ./scripts/utils.sh
+    - install_api_client_dependencies_with_apk
+    - source scripts/review_apps/review-apps.sh
+  script:
+    - check_kube_domain
+    - ensure_namespace
+    - install_external_dns
+    - download_chart
+    - date
+    - deploy || (display_deployment_debug && exit 1)
+    - disable_sign_ups
+    # When the job is manual, review-qa-smoke is also manual and we don't want people
+    # to have to manually start the jobs in sequence, so we do it for them.
+    - '[ -z $CI_JOB_MANUAL ] || play_job "review-qa-smoke"'
+    - '[ -z $CI_JOB_MANUAL ] || play_job "review-performance"'
+  artifacts:
+    paths: [environment_url.txt]
+    expire_in: 2 days
+    when: always
 
 .review-stop-base:
   extends: .review-workflow-base
@@ -113,110 +112,110 @@ review-stop:
   script:
     - delete_release
 
-# Temporarily disabling review apps
-#.review-qa-base:
-#  extends:
-#    - .default-retry
-#    - .use-docker-in-docker
-#  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine-ruby-2.6
-#  stage: qa
-#  # This is needed so that manual jobs with needs don't block the pipeline.
-#  # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
-#  dependencies: ["review-deploy"]
-#  variables:
-#    QA_ARTIFACTS_DIR: "${CI_PROJECT_DIR}/qa"
-#    QA_CAN_TEST_GIT_PROTOCOL_V2: "false"
-#    QA_DEBUG: "true"
-#    GITLAB_USERNAME: "root"
-#    GITLAB_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
-#    GITLAB_ADMIN_USERNAME: "root"
-#    GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
-#    GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}"
-#    EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}"
-#  before_script:
-#    - export QA_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab-ee-qa:${CI_COMMIT_REF_SLUG}"
-#    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
-#    - echo "${CI_ENVIRONMENT_URL}"
-#    - echo "${QA_IMAGE}"
-#    - source scripts/utils.sh
-#    - install_api_client_dependencies_with_apk
-#    - gem install gitlab-qa --no-document ${GITLAB_QA_VERSION:+ --version ${GITLAB_QA_VERSION}}
-#  artifacts:
-#    paths:
-#      - ./qa/gitlab-qa-run-*
-#    expire_in: 7 days
-#    when: always
-#
-#review-qa-smoke:
-#  extends:
-#    - .review-qa-base
-#    - .review:rules:review-qa-smoke
-#  script:
-#    - gitlab-qa Test::Instance::Smoke "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}"
-#
-#review-qa-all:
-#  extends:
-#    - .review-qa-base
-#    - .review:rules:mr-only-manual
-#  parallel: 5
-#  script:
-#    - export KNAPSACK_REPORT_PATH=knapsack/master_report.json
-#    - export KNAPSACK_TEST_FILE_PATTERN=qa/specs/features/**/*_spec.rb
-#    - gitlab-qa Test::Instance::Any "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}" -- --format RspecJunitFormatter --out tmp/rspec-${CI_JOB_ID}.xml --format html --out tmp/rspec.htm --color --format documentation
-#
-#review-performance:
-#  extends:
-#    - .default-retry
-#    - .review:rules:mr-and-schedule-auto-if-frontend-manual-otherwise
-#  image:
-#    name: sitespeedio/sitespeed.io:6.3.1
-#    entrypoint: [""]
-#  stage: qa
-#  # This is needed so that manual jobs with needs don't block the pipeline.
-#  # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
-#  dependencies: ["review-deploy"]
-#  before_script:
-#    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
-#    - echo "${CI_ENVIRONMENT_URL}"
-#    - mkdir -p gitlab-exporter
-#    - wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/master/index.js
-#    - mkdir -p sitespeed-results
-#  script:
-#    - /start.sh --plugins.add ./gitlab-exporter --outputFolder sitespeed-results "${CI_ENVIRONMENT_URL}"
-#  after_script:
-#    - mv sitespeed-results/data/performance.json performance.json
-#  artifacts:
-#    paths:
-#      - sitespeed-results/
-#    reports:
-#      performance: performance.json
-#    expire_in: 31d
-#
-#parallel-spec-reports:
-#  extends:
-#    - .review:rules:mr-only-manual
-#  image: ruby:2.6-alpine
-#  stage: post-qa
-#  dependencies: ["review-qa-all"]
-#  variables:
-#    NEW_PARALLEL_SPECS_REPORT: qa/report-new.html
-#    BASE_ARTIFACT_URL: "${CI_PROJECT_URL}/-/jobs/${CI_JOB_ID}/artifacts/file/qa/"
-#  script:
-#    - apk add --update build-base libxml2-dev libxslt-dev && rm -rf /var/cache/apk/*
-#    - gem install nokogiri --no-document
-#    - cd qa/gitlab-qa-run-*/gitlab-*
-#    - ARTIFACT_DIRS=$(pwd |rev| awk -F / '{print $1,$2}' | rev | sed s_\ _/_)
-#    - cd -
-#    - '[[ -f $NEW_PARALLEL_SPECS_REPORT ]] || echo "{}" > ${NEW_PARALLEL_SPECS_REPORT}'
-#    - scripts/merge-html-reports ${NEW_PARALLEL_SPECS_REPORT} ${BASE_ARTIFACT_URL}${ARTIFACT_DIRS} qa/gitlab-qa-run-*/**/rspec.htm
-#  artifacts:
-#    when: always
-#    paths:
-#      - qa/report-new.html
-#      - qa/gitlab-qa-run-*
-#    reports:
-#      junit: qa/gitlab-qa-run-*/**/rspec-*.xml
-#    expire_in: 31d
+.review-qa-base:
+  extends:
+    - .default-retry
+    - .use-docker-in-docker
+  image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine-ruby-2.6
+  stage: qa
+  # This is needed so that manual jobs with needs don't block the pipeline.
+  # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
+  dependencies: ["review-deploy"]
+  variables:
+    QA_ARTIFACTS_DIR: "${CI_PROJECT_DIR}/qa"
+    QA_CAN_TEST_GIT_PROTOCOL_V2: "false"
+    QA_DEBUG: "true"
+    GITLAB_USERNAME: "root"
+    GITLAB_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
+    GITLAB_ADMIN_USERNAME: "root"
+    GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
+    GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}"
+    EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}"
+    SIGNUP_DISABLED: "true"
+  before_script:
+    - export QA_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab-ee-qa:${CI_COMMIT_REF_SLUG}"
+    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
+    - echo "${CI_ENVIRONMENT_URL}"
+    - echo "${QA_IMAGE}"
+    - source scripts/utils.sh
+    - install_api_client_dependencies_with_apk
+    - gem install gitlab-qa --no-document ${GITLAB_QA_VERSION:+ --version ${GITLAB_QA_VERSION}}
+  artifacts:
+    paths:
+      - ./qa/gitlab-qa-run-*
+    expire_in: 7 days
+    when: always
+
+review-qa-smoke:
+  extends:
+    - .review-qa-base
+    - .review:rules:review-qa-smoke
+  script:
+    - gitlab-qa Test::Instance::Smoke "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}"
+
+review-qa-all:
+  extends:
+    - .review-qa-base
+    - .review:rules:mr-only-manual
+  parallel: 5
+  script:
+    - export KNAPSACK_REPORT_PATH=knapsack/master_report.json
+    - export KNAPSACK_TEST_FILE_PATTERN=qa/specs/features/**/*_spec.rb
+    - gitlab-qa Test::Instance::Any "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}" -- --format RspecJunitFormatter --out tmp/rspec-${CI_JOB_ID}.xml --format html --out tmp/rspec.htm --color --format documentation
+
+review-performance:
+  extends:
+    - .default-retry
+    - .review:rules:mr-and-schedule-auto-if-frontend-manual-otherwise
+  image:
+    name: sitespeedio/sitespeed.io:6.3.1
+    entrypoint: [""]
+  stage: qa
+  # This is needed so that manual jobs with needs don't block the pipeline.
+  # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
+  dependencies: ["review-deploy"]
+  before_script:
+    - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
+    - echo "${CI_ENVIRONMENT_URL}"
+    - mkdir -p gitlab-exporter
+    - wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/master/index.js
+    - mkdir -p sitespeed-results
+  script:
+    - /start.sh --plugins.add ./gitlab-exporter --outputFolder sitespeed-results "${CI_ENVIRONMENT_URL}"
+  after_script:
+    - mv sitespeed-results/data/performance.json performance.json
+  artifacts:
+    paths:
+      - sitespeed-results/
+    reports:
+      performance: performance.json
+    expire_in: 31d
+
+parallel-spec-reports:
+  extends:
+    - .review:rules:mr-only-manual
+  image: ruby:2.6-alpine
+  stage: post-qa
+  dependencies: ["review-qa-all"]
+  variables:
+    NEW_PARALLEL_SPECS_REPORT: qa/report-new.html
+    BASE_ARTIFACT_URL: "${CI_PROJECT_URL}/-/jobs/${CI_JOB_ID}/artifacts/file/qa/"
+  script:
+    - apk add --update build-base libxml2-dev libxslt-dev && rm -rf /var/cache/apk/*
+    - gem install nokogiri --no-document
+    - cd qa/gitlab-qa-run-*/gitlab-*
+    - ARTIFACT_DIRS=$(pwd |rev| awk -F / '{print $1,$2}' | rev | sed s_\ _/_)
+    - cd -
+    - '[[ -f $NEW_PARALLEL_SPECS_REPORT ]] || echo "{}" > ${NEW_PARALLEL_SPECS_REPORT}'
+    - scripts/merge-html-reports ${NEW_PARALLEL_SPECS_REPORT} ${BASE_ARTIFACT_URL}${ARTIFACT_DIRS} qa/gitlab-qa-run-*/**/rspec.htm
+  artifacts:
+    when: always
+    paths:
+      - qa/report-new.html
+      - qa/gitlab-qa-run-*
+    reports:
+      junit: qa/gitlab-qa-run-*/**/rspec-*.xml
+    expire_in: 31d
 
 danger-review:
   extends:

scripts/review_apps/base-config.yaml

@@ -61,11 +61,11 @@ gitlab:
   task-runner:
     resources:
       requests:
-        cpu: 50m
-        memory: 350M
+        cpu: 300m
+        memory: 800M
       limits:
-        cpu: 100m
-        memory: 700M
+        cpu: 450m
+        memory: 1200M
   webservice:
     resources:
       requests:
@@ -92,6 +92,7 @@ gitlab:
         periodSeconds: 15  # Default is 10
         timeoutSeconds: 5  # Default is 2
 gitlab-runner:
+  install: false
   resources:
     requests:
       cpu: 675m

scripts/review_apps/review-apps.sh

@@ -99,9 +99,9 @@ function get_pod() {
   local namespace="${KUBE_NAMESPACE}"
   local release="${CI_ENVIRONMENT_SLUG}"
   local app_name="${1}"
-  local status="${2-Running}"
+  local status2="${2-Running}"
 
-  get_pod_cmd="kubectl get pods --namespace ${namespace} --field-selector=status.phase=${status} -lapp=${app_name},release=${release} --no-headers -o=custom-columns=NAME:.metadata.name | tail -n 1"
+  get_pod_cmd="kubectl get pods --namespace ${namespace} --field-selector=status.phase=${status2} -lapp=${app_name},release=${release} --no-headers -o=custom-columns=NAME:.metadata.name | tail -n 1"
   echoinfo "Waiting till '${app_name}' pod is ready" true
   echoinfo "Running '${get_pod_cmd}'"
 
@@ -126,6 +126,38 @@ function get_pod() {
   echo "${pod_name}"
 }
 
+function run_task() {
+  local namespace="${KUBE_NAMESPACE}"
+  local ruby_cmd="${1}"
+  local task_runner_pod=$(get_pod "task-runner")
+
+  kubectl exec -it --namespace "${namespace}" "${task_runner_pod}" -- gitlab-rails runner "${ruby_cmd}"
+}
+
+function disable_sign_ups() {
+  if [ -z ${REVIEW_APPS_ROOT_TOKEN+x} ]; then
+    echoerr "In order to protect Review Apps, REVIEW_APPS_ROOT_TOKEN variable must be set"
+    false
+  else
+    true
+  fi
+
+  # Create the root token
+  local ruby_cmd="token = User.find_by_username('root').personal_access_tokens.create(scopes: [:api], name: 'Token to disable sign-ups'); token.set_token('${REVIEW_APPS_ROOT_TOKEN}'); begin; token.save!; rescue(ActiveRecord::RecordNotUnique); end"
+  run_task "${ruby_cmd}"
+
+  # Disable sign-ups
+  curl --request PUT --header "PRIVATE-TOKEN: ${REVIEW_APPS_ROOT_TOKEN}" "${CI_ENVIRONMENT_URL}/api/v4/application/settings?signup_enabled=false"
+
+  local signup_enabled=$(curl --silent --show-error --request GET --header "PRIVATE-TOKEN: ${REVIEW_APPS_ROOT_TOKEN}" "${CI_ENVIRONMENT_URL}/api/v4/application/settings" | jq ".signup_enabled")
+  if [[ "${signup_enabled}" == "false" ]]; then
+    echoinfo "Sign-ups have been disabled successfully."
+  else
+    echoerr "Sign-ups should be disabled but are still enabled!"
+    false
+  fi
+}
+
 function check_kube_domain() {
   echoinfo "Checking that Kube domain exists..." true