feat: add helm install and helm test to gitlab-ci

54e1cb8c · Maarten de Waard · af83437f · 54e1cb8c · 54e1cb8c · 54e1cb8c
Verified Commit 54e1cb8c authored 2 years ago by Maarten de Waard
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,11 +3,78 @@ include:
  - remote: https://open.greenhost.net/stackspin/stackspin/-/raw/main/.gitlab/ci_templates/dummy_job.yml
  - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'

+.use-kubernetes:
+  image:
+    name: alpine/k8s:1.22.6
+    entrypoint: ["/bin/sh", "-c"]
+  before_script:
+    - kubectl config get-contexts
+    - kubectl config use-context stackspin/kubernetes-agent-setup:stackspin-k8s-agent
+
+.chart-changes-rules:
+  rules:
+    - changes:
+      - ${CHART_DIR}*.yaml
+      - ${CHART_DIR}templates/*.yaml
+
 stages:
  - lint-helm-chart
+  - install-helm-chart
+  - test-helm-chart
  - package-helm-chart
  - release-helm-chart
  - dummy

 variables:
  CHART_NAME: nextcloud-onlyoffice
+
+delete-helmrelease:
+  stage: install-helm-chart
+  script:
+    - cd ${CHART_DIR:-"."}
+    - ./fully-delete-helmrelease.sh "nc-$CI_MERGE_REQUEST_IID"
+  environment:
+    name: helmrelease/$CI_MERGE_REQUEST_IID
+    action: stop
+  extends:
+    - .use-kubernetes
+    - .chart-changes-rules
+  # This job will fail if a helmrelease didn't exist (yet). For example in a
+  # first pipeline for an MR.
+  allow_failure: true
+
+install-helmrelease:
+  stage: install-helm-chart
+  needs:
+    # This job contains the `helm dep` artifacts
+    - job: lint-helm
+    # We can't install if there's still an installation from a previous run
+    # present.
+    - job: delete-helmrelease
+  script:
+    - cd ${CHART_DIR:-"."}
+    - cp values-local.yaml.example values-ci.yaml
+    # This sets the domains to files-MR_ID.gitlab.stackspin.net and
+    # office-MR_ID.gitlab.stackspin.net
+    - sed -i "s/\.your\.domain/-$CI_MERGE_REQUEST_IID.gitlab.stackspin.net/" values-ci.yaml
+    # Make sure TLS certificate secrets for different MRs do not clash
+    - sed -i "s/files-cert/files-cert-$CI_MERGE_REQUEST_IID/" values-ci.yaml
+    - sed -i "s/office-cert/office-cert-$CI_MERGE_REQUEST_IID/" values-ci.yaml
+    - helm install --wait "nc-$CI_MERGE_REQUEST_IID" . -f values-ci.yaml
+  environment:
+    name: helmrelease/$CI_MERGE_REQUEST_IID
+    url: https://files-$CI_MERGE_REQUEST_IID.gitlab.stackspin.net
+    auto_stop_in: 1 week
+    on_stop: delete-helmrelease
+  extends:
+    - .use-kubernetes
+    - .chart-changes-rules
+
+test-helm-chart:
+  stage: test-helm-chart
+  script:
+    - cd ${CHART_DIR:-"."}
+    - helm test --logs "nc-$CI_MERGE_REQUEST_IID"
+  extends:
+    - .use-kubernetes
+    - .chart-changes-rules
--- a/fully-delete-helmrelease.sh
+++ b/fully-delete-helmrelease.sh
+#! /usr/bin/env bash
+
+if [ -z "$1" ]; then
+    echo "Usage: ./fully-delete-chart RELEASE_NAME"
+    exit 1
+else
+    release="$1"
+fi
+
+kubectl delete pod "$release-onlyoffice-documentserver-taiko-test"
+
+kubectl delete job "$release-setup-apps"
+
+# This command can fail, but that is not a problem
+kubectl delete pvc \
+    "$release-nextcloud-nextcloud" \
+    "data-$release-rabbitmq-0" \
+    "redis-data-$release-redis-master-0" \
+    "redis-data-$release-redis-slave-0" \
+    "redis-data-$release-redis-slave-1" \
+    "data-$release-mariadb-0" || true
+
+helm delete --wait "$release"
+
+output=$(kubectl get pod -l "app.kubernetes.io/instance=$release")
+until [ "$output" == "" ]
+do
+    echo "waiting for pods to be deleted, pods still running:"
+    echo "$output"
+    sleep 5
+    output=$(kubectl get pod -l "app.kubernetes.io/instance=$release")
+done
--- a/values-local.yaml.example
+++ b/values-local.yaml.example
 nextcloud:
  nextcloud:
    host: "files.your.domain"
-    password: Set a password here
+    password: CHANGE_ME

  ingress:
    enabled: true
    annotations:
-      # Tell traefik to automatically get a TLS certificate
+      # Tell cert-manager to automatically get a TLS certificate
      kubernetes.io/tls-acme: "true"
    hosts:
      - "files.your.domain"
+    # This information is important for cert-manager, if you use it.
+    tls:
+      - hosts:
+          - "files.your.domain"
+        secretName: files-cert

-  # Enable and configure MariaDB chart
+  # Configure MariaDB chart
  mariadb:
    auth:
-      password: Set a mysql password
-      rootPassword: Set a mysql root user password
+      password: CHANGE_ME
+      rootPassword: CHANGE_ME
    architecture: standalone
-    primary:
-      persistence:
-        ## Enable mariadb persistence using Persistent Volume Claims.
-        enabled: true
-        size: 512Mi
+    # Enable persistence
+    # primary:
+    #   persistence:
+    #     ## Enable mariadb persistence using Persistent Volume Claims.
+    #     enabled: true
+    #     size: 512Mi
+
+  # Creates a kubernetes cronJob object that runs nextcloud's cron.php
+  # every 5 minutes (*/5 * * * *)
+  # cronjob:
+  #   enabled: true
+
+  # persistence:
+  #   enabled: true
+  #   size: 2Gi

 onlyoffice:
  server_name: "office.your.domain"
-  jwtSecret: Set any random secret for JWT here
+  jwtSecret: CHANGE_ME
  ingress:
    enabled: true
    hosts:
      - "office.your.domain"
+    tls:
+      - hosts:
+          - "office.your.domain"
+        secretName: office-cert
  database:
-    password: Set a database password for onlyoffice
+    password: CHANGE_ME

 rabbitmq:
  auth:
-    password: Set a password for rabbitmq here
+    password: CHANGE_ME

 # apps controls which apps will be installed and enabled in nextcloud
-apps:
-  - name: sociallogin
-    # apps[0].enabled needs to be set to true if you want to enable login via an external
-    # oauth server. In that case you need to configure all the values in `sociallogin`
-    enabled: false
-  - name: onlyoffice
-    enabled: true
+# apps:
+#   - name: sociallogin
+#     # apps[0].enabled needs to be set to true if you want to enable login via an external
+#     # oauth server. In that case you need to configure all the values in `sociallogin`
+#     enabled: false
+#   - name: onlyoffice
+#     enabled: true

 # sociallogin enables login via oAuth/Open-ID Connect
-sociallogin:
-  # Because of how we import these settings, single quotes (') are not allowed
-  # in any of the values below
-  custom_oidc:
-    name: stackspin
-    title: Stackspin
-    # The oAuth server needs to provide the endpoints `/userinfo`,
-    # `/oauth2/token` and `/oauth2/auth` and according to the oauth2 standard it
-    # needs to be accessible via https with valid certificates
-    authorizeUrl: https://sso.stackspin.example.net/oauth2/auth
-    tokenUrl: https://sso.stackspin.example.net/oauth2/token
-    userInfoUrl: https://sso.stackspin.example.net/userinfo
-    logoutUrl: ""
-    # The client name nextcloud will use to communicate with the oAuth server
-    clientId: nextcloud
-    # The password that nextcloud uses when communicating with the oauth server
-    # clientSecret: YouReallyNeedToChangeThis
-    scope: "openid profile email stackspin_roles"
-    # The name of a claim that the nextcloud server can retrieve by querying the
-    # userInfoUrl of the openID Connect server. For every value in the
-    # groups_claim a corresponding group with an `stackspin_` prefix will be created
-    # if they don't exist yet. The user will then be added to those groups.  If
-    # the claim contains the value `admin` the user will be granted admin
-    # privileges.
-    groupsClaim: "stackspin_roles"
-    style: ""
-    defaultGroup: ""
-    groupMapping:
-      admin: admin
+# sociallogin:
+#   # Because of how we import these settings, single quotes (') are not allowed
+#   # in any of the values below
+#   custom_oidc:
+#     name: stackspin
+#     title: Stackspin
+#     # The oAuth server needs to provide the endpoints `/userinfo`,
+#     # `/oauth2/token` and `/oauth2/auth` and according to the oauth2 standard it
+#     # needs to be accessible via https with valid certificates
+#     authorizeUrl: https://sso.stackspin.example.net/oauth2/auth
+#     tokenUrl: https://sso.stackspin.example.net/oauth2/token
+#     userInfoUrl: https://sso.stackspin.example.net/userinfo
+#     logoutUrl: ""
+#     # The client name nextcloud will use to communicate with the oAuth server
+#     clientId: nextcloud
+#     # The password that nextcloud uses when communicating with the oauth server
+#     # clientSecret: YouReallyNeedToChangeThis
+#     scope: "openid profile email stackspin_roles"
+#     # The name of a claim that the nextcloud server can retrieve by querying the
+#     # userInfoUrl of the openID Connect server. For every value in the
+#     # groups_claim a corresponding group with an `stackspin_` prefix will be created
+#     # if they don't exist yet. The user will then be added to those groups.  If
+#     # the claim contains the value `admin` the user will be granted admin
+#     # privileges.
+#     groupsClaim: "stackspin_roles"
+#     style: ""
+#     defaultGroup: ""
+#     groupMapping:
+#       admin: admin
--- a/values.yaml
+++ b/values.yaml
@@ -20,11 +20,6 @@ nextcloud:
    enabled: true
    size: 2Gi

-  # Creates a kubernetes cronJob object that runs nextcloud's cron.php
-  # every 15 minutes (*/15 * * * *)
-  cronjob:
-    enabled: true
-
  startupProbe:
    enabled: true
    failureThreshold: 60