Commit 161bf209 authored by Rémy Coutable's avatar Rémy Coutable Committed by Albert Salim

Disable sign-ups after Review App deploy

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 48bc705f
...@@ -16,25 +16,24 @@ review-cleanup: ...@@ -16,25 +16,24 @@ review-cleanup:
- ruby -rrubygems scripts/review_apps/automated_cleanup.rb - ruby -rrubygems scripts/review_apps/automated_cleanup.rb
- gcp_cleanup - gcp_cleanup
# Temporarily disabling review apps review-build-cng:
#review-build-cng: extends:
# extends: - .default-retry
# - .default-retry - .review:rules:review-build-cng
# - .review:rules:review-build-cng image: ruby:2.6-alpine
# image: ruby:2.6-alpine stage: review-prepare
# stage: review-prepare before_script:
# before_script: - source scripts/utils.sh
# - source scripts/utils.sh - install_api_client_dependencies_with_apk
# - install_api_client_dependencies_with_apk - install_gitlab_gem
# - install_gitlab_gem needs:
# needs: - job: compile-production-assets
# - job: compile-production-assets artifacts: false
# artifacts: false script:
# script: - BUILD_TRIGGER_TOKEN=$REVIEW_APPS_BUILD_TRIGGER_TOKEN ./scripts/trigger-build cng
# - BUILD_TRIGGER_TOKEN=$REVIEW_APPS_BUILD_TRIGGER_TOKEN ./scripts/trigger-build cng # When the job is manual, review-deploy is also manual and we don't want people
# # When the job is manual, review-deploy is also manual and we don't want people # to have to manually start the jobs in sequence, so we do it for them.
# # to have to manually start the jobs in sequence, so we do it for them. - '[ -z $CI_JOB_MANUAL ] || play_job "review-deploy"'
# - '[ -z $CI_JOB_MANUAL ] || play_job "review-deploy"'
.review-workflow-base: .review-workflow-base:
extends: extends:
...@@ -50,37 +49,37 @@ review-cleanup: ...@@ -50,37 +49,37 @@ review-cleanup:
on_stop: review-stop on_stop: review-stop
auto_stop_in: 48 hours auto_stop_in: 48 hours
# Temporarily disabling review apps review-deploy:
#review-deploy: extends:
# extends: - .review-workflow-base
# - .review-workflow-base - .review:rules:mr-and-schedule-auto-if-frontend-manual-otherwise
# - .review:rules:mr-and-schedule-auto-if-frontend-manual-otherwise stage: review
# stage: review dependencies: []
# dependencies: [] resource_group: "review/${CI_COMMIT_REF_NAME}"
# resource_group: "review/${CI_COMMIT_REF_NAME}" before_script:
# before_script: - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
# - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION) - export GITALY_VERSION=$(<GITALY_SERVER_VERSION)
# - export GITALY_VERSION=$(<GITALY_SERVER_VERSION) - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION)
# - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION) - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt
# - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt - source ./scripts/utils.sh
# - source ./scripts/utils.sh - install_api_client_dependencies_with_apk
# - install_api_client_dependencies_with_apk - source scripts/review_apps/review-apps.sh
# - source scripts/review_apps/review-apps.sh script:
# script: - check_kube_domain
# - check_kube_domain - ensure_namespace
# - ensure_namespace - install_external_dns
# - install_external_dns - download_chart
# - download_chart - date
# - date - deploy || (display_deployment_debug && exit 1)
# - deploy || (display_deployment_debug && exit 1) - disable_sign_ups
# # When the job is manual, review-qa-smoke is also manual and we don't want people # When the job is manual, review-qa-smoke is also manual and we don't want people
# # to have to manually start the jobs in sequence, so we do it for them. # to have to manually start the jobs in sequence, so we do it for them.
# - '[ -z $CI_JOB_MANUAL ] || play_job "review-qa-smoke"' - '[ -z $CI_JOB_MANUAL ] || play_job "review-qa-smoke"'
# - '[ -z $CI_JOB_MANUAL ] || play_job "review-performance"' - '[ -z $CI_JOB_MANUAL ] || play_job "review-performance"'
# artifacts: artifacts:
# paths: [environment_url.txt] paths: [environment_url.txt]
# expire_in: 2 days expire_in: 2 days
# when: always when: always
.review-stop-base: .review-stop-base:
extends: .review-workflow-base extends: .review-workflow-base
...@@ -113,110 +112,110 @@ review-stop: ...@@ -113,110 +112,110 @@ review-stop:
script: script:
- delete_release - delete_release
# Temporarily disabling review apps .review-qa-base:
#.review-qa-base: extends:
# extends: - .default-retry
# - .default-retry - .use-docker-in-docker
# - .use-docker-in-docker image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine-ruby-2.6
# image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine-ruby-2.6 stage: qa
# stage: qa # This is needed so that manual jobs with needs don't block the pipeline.
# # This is needed so that manual jobs with needs don't block the pipeline. # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
# # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979. dependencies: ["review-deploy"]
# dependencies: ["review-deploy"] variables:
# variables: QA_ARTIFACTS_DIR: "${CI_PROJECT_DIR}/qa"
# QA_ARTIFACTS_DIR: "${CI_PROJECT_DIR}/qa" QA_CAN_TEST_GIT_PROTOCOL_V2: "false"
# QA_CAN_TEST_GIT_PROTOCOL_V2: "false" QA_DEBUG: "true"
# QA_DEBUG: "true" GITLAB_USERNAME: "root"
# GITLAB_USERNAME: "root" GITLAB_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
# GITLAB_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}" GITLAB_ADMIN_USERNAME: "root"
# GITLAB_ADMIN_USERNAME: "root" GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}"
# GITLAB_ADMIN_PASSWORD: "${REVIEW_APPS_ROOT_PASSWORD}" GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}"
# GITHUB_ACCESS_TOKEN: "${REVIEW_APPS_QA_GITHUB_ACCESS_TOKEN}" EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}"
# EE_LICENSE: "${REVIEW_APPS_EE_LICENSE}" SIGNUP_DISABLED: "true"
# before_script: before_script:
# - export QA_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab-ee-qa:${CI_COMMIT_REF_SLUG}" - export QA_IMAGE="${CI_REGISTRY}/${CI_PROJECT_PATH}/gitlab-ee-qa:${CI_COMMIT_REF_SLUG}"
# - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)" - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
# - echo "${CI_ENVIRONMENT_URL}" - echo "${CI_ENVIRONMENT_URL}"
# - echo "${QA_IMAGE}" - echo "${QA_IMAGE}"
# - source scripts/utils.sh - source scripts/utils.sh
# - install_api_client_dependencies_with_apk - install_api_client_dependencies_with_apk
# - gem install gitlab-qa --no-document ${GITLAB_QA_VERSION:+ --version ${GITLAB_QA_VERSION}} - gem install gitlab-qa --no-document ${GITLAB_QA_VERSION:+ --version ${GITLAB_QA_VERSION}}
# artifacts: artifacts:
# paths: paths:
# - ./qa/gitlab-qa-run-* - ./qa/gitlab-qa-run-*
# expire_in: 7 days expire_in: 7 days
# when: always when: always
#
#review-qa-smoke: review-qa-smoke:
# extends: extends:
# - .review-qa-base - .review-qa-base
# - .review:rules:review-qa-smoke - .review:rules:review-qa-smoke
# script: script:
# - gitlab-qa Test::Instance::Smoke "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}" - gitlab-qa Test::Instance::Smoke "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}"
#
#review-qa-all: review-qa-all:
# extends: extends:
# - .review-qa-base - .review-qa-base
# - .review:rules:mr-only-manual - .review:rules:mr-only-manual
# parallel: 5 parallel: 5
# script: script:
# - export KNAPSACK_REPORT_PATH=knapsack/master_report.json - export KNAPSACK_REPORT_PATH=knapsack/master_report.json
# - export KNAPSACK_TEST_FILE_PATTERN=qa/specs/features/**/*_spec.rb - export KNAPSACK_TEST_FILE_PATTERN=qa/specs/features/**/*_spec.rb
# - gitlab-qa Test::Instance::Any "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}" -- --format RspecJunitFormatter --out tmp/rspec-${CI_JOB_ID}.xml --format html --out tmp/rspec.htm --color --format documentation - gitlab-qa Test::Instance::Any "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}" -- --format RspecJunitFormatter --out tmp/rspec-${CI_JOB_ID}.xml --format html --out tmp/rspec.htm --color --format documentation
#
#review-performance: review-performance:
# extends: extends:
# - .default-retry - .default-retry
# - .review:rules:mr-and-schedule-auto-if-frontend-manual-otherwise - .review:rules:mr-and-schedule-auto-if-frontend-manual-otherwise
# image: image:
# name: sitespeedio/sitespeed.io:6.3.1 name: sitespeedio/sitespeed.io:6.3.1
# entrypoint: [""] entrypoint: [""]
# stage: qa stage: qa
# # This is needed so that manual jobs with needs don't block the pipeline. # This is needed so that manual jobs with needs don't block the pipeline.
# # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979. # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
# dependencies: ["review-deploy"] dependencies: ["review-deploy"]
# before_script: before_script:
# - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)" - export CI_ENVIRONMENT_URL="$(cat environment_url.txt)"
# - echo "${CI_ENVIRONMENT_URL}" - echo "${CI_ENVIRONMENT_URL}"
# - mkdir -p gitlab-exporter - mkdir -p gitlab-exporter
# - wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/master/index.js - wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/master/index.js
# - mkdir -p sitespeed-results - mkdir -p sitespeed-results
# script: script:
# - /start.sh --plugins.add ./gitlab-exporter --outputFolder sitespeed-results "${CI_ENVIRONMENT_URL}" - /start.sh --plugins.add ./gitlab-exporter --outputFolder sitespeed-results "${CI_ENVIRONMENT_URL}"
# after_script: after_script:
# - mv sitespeed-results/data/performance.json performance.json - mv sitespeed-results/data/performance.json performance.json
# artifacts: artifacts:
# paths: paths:
# - sitespeed-results/ - sitespeed-results/
# reports: reports:
# performance: performance.json performance: performance.json
# expire_in: 31d expire_in: 31d
#
#parallel-spec-reports: parallel-spec-reports:
# extends: extends:
# - .review:rules:mr-only-manual - .review:rules:mr-only-manual
# image: ruby:2.6-alpine image: ruby:2.6-alpine
# stage: post-qa stage: post-qa
# dependencies: ["review-qa-all"] dependencies: ["review-qa-all"]
# variables: variables:
# NEW_PARALLEL_SPECS_REPORT: qa/report-new.html NEW_PARALLEL_SPECS_REPORT: qa/report-new.html
# BASE_ARTIFACT_URL: "${CI_PROJECT_URL}/-/jobs/${CI_JOB_ID}/artifacts/file/qa/" BASE_ARTIFACT_URL: "${CI_PROJECT_URL}/-/jobs/${CI_JOB_ID}/artifacts/file/qa/"
# script: script:
# - apk add --update build-base libxml2-dev libxslt-dev && rm -rf /var/cache/apk/* - apk add --update build-base libxml2-dev libxslt-dev && rm -rf /var/cache/apk/*
# - gem install nokogiri --no-document - gem install nokogiri --no-document
# - cd qa/gitlab-qa-run-*/gitlab-* - cd qa/gitlab-qa-run-*/gitlab-*
# - ARTIFACT_DIRS=$(pwd |rev| awk -F / '{print $1,$2}' | rev | sed s_\ _/_) - ARTIFACT_DIRS=$(pwd |rev| awk -F / '{print $1,$2}' | rev | sed s_\ _/_)
# - cd - - cd -
# - '[[ -f $NEW_PARALLEL_SPECS_REPORT ]] || echo "{}" > ${NEW_PARALLEL_SPECS_REPORT}' - '[[ -f $NEW_PARALLEL_SPECS_REPORT ]] || echo "{}" > ${NEW_PARALLEL_SPECS_REPORT}'
# - scripts/merge-html-reports ${NEW_PARALLEL_SPECS_REPORT} ${BASE_ARTIFACT_URL}${ARTIFACT_DIRS} qa/gitlab-qa-run-*/**/rspec.htm - scripts/merge-html-reports ${NEW_PARALLEL_SPECS_REPORT} ${BASE_ARTIFACT_URL}${ARTIFACT_DIRS} qa/gitlab-qa-run-*/**/rspec.htm
# artifacts: artifacts:
# when: always when: always
# paths: paths:
# - qa/report-new.html - qa/report-new.html
# - qa/gitlab-qa-run-* - qa/gitlab-qa-run-*
# reports: reports:
# junit: qa/gitlab-qa-run-*/**/rspec-*.xml junit: qa/gitlab-qa-run-*/**/rspec-*.xml
# expire_in: 31d expire_in: 31d
danger-review: danger-review:
extends: extends:
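Review bot: In `review-deploy`, `disable_sign_ups` runs only after `deploy` has returned, so from the visible script the environment is presumably reachable with registration still open between the two steps. It also stays open if the job is cancelled or fails at that point. If the chart supports it, turning sign-ups off as part of the deployment itself would close that window. Otherwise a comment such as `# Must directly follow deploy: the instance accepts sign-ups until this step succeeds.` above `- disable_sign_ups` would keep later edits from inserting steps between them.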
......
...@@ -61,11 +61,11 @@ gitlab: ...@@ -61,11 +61,11 @@ gitlab:
task-runner: task-runner:
resources: resources:
requests: requests:
cpu: 50m cpu: 300m
memory: 350M memory: 800M
limits: limits:
cpu: 100m cpu: 450m
memory: 700M memory: 1200M
webservice: webservice:
resources: resources:
requests: requests:
...@@ -92,6 +92,7 @@ gitlab: ...@@ -92,6 +92,7 @@ gitlab:
periodSeconds: 15 # Default is 10 periodSeconds: 15 # Default is 10
timeoutSeconds: 5 # Default is 2 timeoutSeconds: 5 # Default is 2
gitlab-runner: gitlab-runner:
install: false
resources: resources:
requests: requests:
cpu: 675m cpu: 675m
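Review bot: The raised `task-runner` requests and limits carry no comment explaining the new sizes; presumably they were raised because `gitlab-rails runner` is now executed in that pod after each deploy. A line such as `# Sized for the gitlab-rails runner call made after deploy` above `resources:` would keep the values from being trimmed back later. Likewise, `install: false` under `gitlab-runner` leaves the `resources` block beneath it configured for a component this setting turns off, which deserves a short comment or removal.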
......
...@@ -99,9 +99,9 @@ function get_pod() { ...@@ -99,9 +99,9 @@ function get_pod() {
local namespace="${KUBE_NAMESPACE}" local namespace="${KUBE_NAMESPACE}"
local release="${CI_ENVIRONMENT_SLUG}" local release="${CI_ENVIRONMENT_SLUG}"
local app_name="${1}" local app_name="${1}"
local status="${2-Running}" local status2="${2-Running}"
get_pod_cmd="kubectl get pods --namespace ${namespace} --field-selector=status.phase=${status} -lapp=${app_name},release=${release} --no-headers -o=custom-columns=NAME:.metadata.name | tail -n 1" get_pod_cmd="kubectl get pods --namespace ${namespace} --field-selector=status.phase=${status2} -lapp=${app_name},release=${release} --no-headers -o=custom-columns=NAME:.metadata.name | tail -n 1"
echoinfo "Waiting till '${app_name}' pod is ready" true echoinfo "Waiting till '${app_name}' pod is ready" true
echoinfo "Running '${get_pod_cmd}'" echoinfo "Running '${get_pod_cmd}'"
...@@ -126,6 +126,38 @@ function get_pod() { ...@@ -126,6 +126,38 @@ function get_pod() {
echo "${pod_name}" echo "${pod_name}"
} }
function run_task() {
local namespace="${KUBE_NAMESPACE}"
local ruby_cmd="${1}"
local task_runner_pod=$(get_pod "task-runner")
kubectl exec -it --namespace "${namespace}" "${task_runner_pod}" -- gitlab-rails runner "${ruby_cmd}"
}
function disable_sign_ups() {
if [ -z ${REVIEW_APPS_ROOT_TOKEN+x} ]; then
echoerr "In order to protect Review Apps, REVIEW_APPS_ROOT_TOKEN variable must be set"
false
else
true
fi
# Create the root token
local ruby_cmd="token = User.find_by_username('root').personal_access_tokens.create(scopes: [:api], name: 'Token to disable sign-ups'); token.set_token('${REVIEW_APPS_ROOT_TOKEN}'); begin; token.save!; rescue(ActiveRecord::RecordNotUnique); end"
run_task "${ruby_cmd}"
# Disable sign-ups
curl --request PUT --header "PRIVATE-TOKEN: ${REVIEW_APPS_ROOT_TOKEN}" "${CI_ENVIRONMENT_URL}/api/v4/application/settings?signup_enabled=false"
local signup_enabled=$(curl --silent --show-error --request GET --header "PRIVATE-TOKEN: ${REVIEW_APPS_ROOT_TOKEN}" "${CI_ENVIRONMENT_URL}/api/v4/application/settings" | jq ".signup_enabled")
if [[ "${signup_enabled}" == "false" ]]; then
echoinfo "Sign-ups have been disabled successfully."
else
echoerr "Sign-ups should be disabled but are still enabled!"
false
fi
}
function check_kube_domain() { function check_kube_domain() {
echoinfo "Checking that Kube domain exists..." true echoinfo "Checking that Kube domain exists..." true
......