.pipeline.yml

include:
  - project: "devops/gitlab/ci-templates/deploy"
    file: ".hashicorp_vault.yml"
  - project: "devops/gitlab/ci-templates/ruby"
    ref: "sans-dind"
    file:
      - ".rspec.yml"
      - ".rubocop.yml"
  - project: "devops/gitlab/ci-templates/docker"
    ref: "1.0.0"
    file:
      - ".amend_manifests.yml"
      - ".build_and_push_docker_images.yml"
      - ".copy_docker_images.yml"
      - ".remove_tmp_registry.yml"
  - project: "devops/gitlab/ci-templates/general"
    file:
      - ".install_hashicorp_vault.yml"
      - ".vault_jwt_auth.yml"
  - project: "devops/gitlab/ci-templates/sast"
    ref: "master"
    file:
      - ".trivy_container_scanning.yml"

workflow:
  rules:
    - if: "$CI_MERGE_REQUEST_IID"
    - if: "$CI_COMMIT_TAG"
    - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"

stages:
  - build_and_push:tmp_base_image
  - build_and_push:tmp_dev_image
  - amend_tmp_base_dev_images
  - test
  - build_and_push:tmp_prod_image
  - amend_prod_image
  - sast
  - copy_docker_images
  - remove_tmp_registry
  - deploy

# -- Start - build and push base image
build_and_push_base_app_image:
  stage: build_and_push:tmp_base_image
  extends:
    - .build_and_push_docker_images
  parallel:
    matrix:
      - RUNNER: build-arm
        DOCKER_BUILD_PLATFORM: "linux/arm64"
      - RUNNER: build
        DOCKER_BUILD_PLATFORM: "linux/amd64"
  before_script:
    - !reference [.install_hashicorp_vault, before_script]
    - !reference [.vault_jwt_auth, before_script]
    - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
    - export SIDEKIQ_PRO_CREDENTIALS="$(vault kv get -field=credentials ${VAULT_SIDEKIQ_ENDPOINT})"
  variables:
    DOCKER_BUILD_CONTEXT: "rails_app/"
    DOCKER_BUILD_SECRETS: "--secret id=sidekiq_pro_credentials,env=SIDEKIQ_PRO_CREDENTIALS"
    DOCKER_TARGET: "base"
    DOCKERFILE_PATH: "rails_app/"
    JWT_ROLE: "sidekiq_pro_ro"
    REGISTRY_REPOSITORY: "${CI_PIPELINE_ID}"
  tags:
    - ${RUNNER}
# -- End - build and push base image

# -- Start - build, push temp dev image
build_and_push_dev_app_image:
  stage: build_and_push:tmp_dev_image
  extends:
    - .build_and_push_docker_images
  parallel:
    matrix:
      - RUNNER: build-arm
        DOCKER_BUILD_PLATFORM: "linux/arm64"
      - RUNNER: build
        DOCKER_BUILD_PLATFORM: "linux/amd64"
  before_script:
    - !reference [.install_hashicorp_vault, before_script]
    - !reference [.vault_jwt_auth, before_script]
    - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
    - export SIDEKIQ_PRO_CREDENTIALS="$(vault kv get -field=credentials ${VAULT_SIDEKIQ_ENDPOINT})"
  variables:
    DOCKER_BUILD_ARGS: "--build-arg RAILS_ENV=development"
    DOCKER_BUILD_CONTEXT: "rails_app/"
    DOCKER_BUILD_SECRETS: "--secret id=sidekiq_pro_credentials,env=SIDEKIQ_PRO_CREDENTIALS"
    DOCKER_TARGET: "development"
    DOCKERFILE_PATH: "rails_app/"
    JWT_ROLE: "sidekiq_pro_ro"
    REGISTRY_REPOSITORY: "${CI_PIPELINE_ID}"
  needs:
    - build_and_push_base_app_image
  tags:
    - ${RUNNER}

amend_tmp_base_dev_images:
  stage: amend_tmp_base_dev_images
  extends:
    - .amend_manifests
  needs:
    - build_and_push_base_app_image
    - build_and_push_dev_app_image
  variables:
    REGISTRY_REPOSITORY: "${CI_PIPELINE_ID}"
  tags:
    - build
# -- End - build, push temp dev image

# -- Start - test dev image
rspec_app_test:
  stage: test
  image: ${CI_REGISTRY_IMAGE}/${CI_PIPELINE_ID}:${CI_COMMIT_SHORT_SHA}-development
  services:
    - name: browserless/chrome:latest
      alias: chrome
      variables:
        CONNECTION_TIMEOUT: 600000
    - name: postgres:14
      variables:
        POSTGRES_DB: "catalog_indexing_test"
        POSTGRES_PASSWORD: "rspec_test"
        POSTGRES_USER: "rspec_test"
    - name: browserless/chrome:latest
      alias: redis
    - name: bitnami/solr:9.3.0
      alias: solr
      entrypoint: [""]
      command: [
        "/bin/bash",
        "-c",
        "./opt/bitnami/scripts/solr/entrypoint.sh /opt/bitnami/scripts/solr/run.sh & \n
        for ((i = 0; i <= 9; i += 1)); do \n
          curl --silent 'http://solr:8983/api/' && break; \n
          echo 'Waiting for solr api to be ready'; \n
          sleep '10s'; \n
        done \n
        .${ZK_SCRIPT_LOCATION}/zkcli.sh -zkhost 127.0.0.1:9983 -cmd upconfig -confname ${SOLR_TEST_CONFIGNAME} -confdir ${CI_PROJECT_DIR}/rails_app/solr/conf && \n
        ./opt/bitnami/solr/bin/solr create_collection -c ${SOLR_TEST_COLLECTION} && \n
        .${ZK_SCRIPT_LOCATION}/zkcli.sh -zkhost 127.0.0.1:9983 -cmd linkconfig -collection ${SOLR_TEST_COLLECTION} -confname ${SOLR_TEST_CONFIGNAME} \n
        wait"
      ]
      variables:
        SOLR_CLOUD_BOOTSTRAP: "yes"
        SOLR_ENABLE_AUTHENTICATION: "yes"
        SOLR_HOST: "solr"
        SOLR_JAVA_MEM: "-Xms4g -Xmx4g"
        SOLR_MODE: "solrcloud"
        SOLR_OPTS: "-Dsolr.disableConfigSetsCreateAuthChecks=true"
        SOLR_TEST_COLLECTION: "catalog-indexing-test"
        SOLR_TEST_CONFIGNAME: "catalog-indexing"
        ZK_CREATE_CHROOT: "true"
        ZK_SCRIPT_LOCATION: "/opt/bitnami/solr/server/scripts/cloud-scripts"
  extends:
    - .rspec
  variables:
    APP_URL: "indexing.test.com"
    # CI_DEBUG_SERVICES: "true"
    CHROME_URL: "http://chrome:3000"
    DATABASE_NAME: "indexing_test"
    DATABASE_PASSWORD: "rspec_test"
    DATABASE_USER: "rspec_test"
    FF_NETWORK_PER_BUILD: "true"
    RAILS_ENV: "test"
    RAILS_SYSTEM_TESTING_SCREENSHOT_HTML: "1"
    REDIS_URL: "redis:6379"
    SOLR_URL: "http://solr:8983"
  script:
    - >
      for ((i = 0; i <= 9; i += 1)); do
        curl --silent "http://solr:8983/api/" "-H" "'Content-type:application/json'" && break
        echo "Waiting for solr api to be ready"
        sleep "10s"
      done
    - cd ${CI_PROJECT_DIR}/rails_app/
    - bundle add rspec_junit_formatter
    - bundle exec rake db:migrate
    - bundle exec rspec --format progress --format RspecJunitFormatter --out rspec.xml
  needs:
    - amend_tmp_base_dev_images
  coverage: '/\(\d+.\d+\%\) covered/'
  artifacts:
    paths:
      - rails_app/tmp/coverage/index.html
      - rails_app/tmp/capybara
      - rails_app/rspec.xml
    expire_in: 1 week
    reports:
      junit: rails_app/rspec.xml
  rules:
    - if: $DISABLE_RSPEC_TEST == "true"
      when: never
    - exists:
        - rails_app/spec/**.rb
        - rails_app/spec/**/**.rb
  tags:
    - build

rubocop_app_test:
  stage: test
  image: ${CI_REGISTRY_IMAGE}/${CI_PIPELINE_ID}:${CI_COMMIT_SHORT_SHA}-development
  needs:
    - amend_tmp_base_dev_images
  extends:
    - .rubocop
  before_script:
    - cd ${CI_PROJECT_DIR}/rails_app/
  rules:
    - if: $DISABLE_RUBOCOP == "true"
      when: never
    - exists:
        - rails_app/.rubocop.yml
  tags:
    - build
# -- End - test dev image

# -- Start - build and push temp prod image
build_and_push_prod_app_image:
  stage: build_and_push:tmp_prod_image
  extends:
    - .build_and_push_docker_images
  parallel:
    matrix:
      - RUNNER: build-arm
        DOCKER_BUILD_PLATFORM: "linux/arm64"
      - RUNNER: build
        DOCKER_BUILD_PLATFORM: "linux/amd64"
  before_script:
    - !reference [.install_hashicorp_vault, before_script]
    - !reference [.vault_jwt_auth, before_script]
    - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
    - export SIDEKIQ_PRO_CREDENTIALS="$(vault kv get -field=credentials ${VAULT_SIDEKIQ_ENDPOINT})"
  variables:
    DOCKER_BUILD_ARGS: "--build-arg RAILS_ENV=production"
    DOCKER_BUILD_CONTEXT: "rails_app/"
    DOCKER_BUILD_SECRETS: "--secret id=sidekiq_pro_credentials,env=SIDEKIQ_PRO_CREDENTIALS"
    DOCKER_TARGET: "production"
    DOCKERFILE_PATH: "rails_app/"
    JWT_ROLE: "sidekiq_pro_ro"
    REGISTRY_REPOSITORY: "${CI_PIPELINE_ID}"
  needs:
    - rspec_app_test
    - rubocop_app_test
  tags:
    - ${RUNNER}

amend_prod_image:
  stage: amend_prod_image
  extends:
    - .amend_manifests
  needs:
    - build_and_push_prod_app_image
  variables:
    DOCKER_TARGET: "production"
    REGISTRY_REPOSITORY: "${CI_PIPELINE_ID}"
    TAG_WITH_DOCKER_TARGET: "false"
  tags:
    - build
# -- End - build and push temp prod image

# -- Start - SAST images
trivy_app_container_scanning:
  stage: sast
  extends:
    - .trivy_container_scanning
  before_script:
    - apk add --no-cache docker
    - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
  after_script:
    - docker logout ${CI_REGISTRY}
  needs:
    - amend_prod_image
  variables:
    CI_IMAGE_NAME: ${CI_REGISTRY_IMAGE}/${CI_PIPELINE_ID}:${CI_COMMIT_SHORT_SHA}
  allow_failure: true
  tags:
    - build
# -- End - SAST images

# -- Start - Copy app docker images
copy_app_docker_images:
  stage: copy_docker_images
  variables:
    ORIGINAL_REGISTRY_REPOSITORY: "${CI_PIPELINE_ID}"
  needs:
    - trivy_app_container_scanning
  extends:
    - .copy_docker_images
  tags:
    - build
# -- End - Copy app docker images

# -- Start - remove tmp registry repository
remove_tmp_registry:
  stage: remove_tmp_registry
  extends:
    - .remove_tmp_registry
  rules:
    - when: always
  needs:
    - copy_app_docker_images
  allow_failure: true
  tags:
    - build
# -- End - remove tmp registry repository

# Deploy staging
deploy_staging:
  stage: deploy
  extends:
    - .deploy
  variables:
    ANSIBLE_HOST_KEY_CHECKING: "false"
    IMAGE_TAG: ${CI_COMMIT_SHORT_SHA}
  environment:
    name: staging
    url: https://indexing-staging.library.upenn.edu
  needs:
    - copy_app_docker_images
  before_script:
    - ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -P ""

    # Get Vault token via JWT auth locked to this project
    - export VAULT_ADDR=${VAULT_URL}
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/${CI_SERVER_HOST}/login role=${JWT_ROLE} jwt=${CI_JOB_JWT})"

    # Generate signed key and write to a new pub key
    - vault write -field=signed_key ${VAULT_SSH_CLIENT_ENDPOINT}/sign/${VAULT_SSH_CLIENT_ROLE} public_key=@${HOME}/.ssh/id_ed25519.pub valid_principals=${VALID_PRINCIPALS} > ~/.ssh/id_ed25519-cert.pub
    - chmod 0400 ~/.ssh/id_ed25519-cert.pub

    # Set the remote user for ansible
    - export ANSIBLE_REMOTE_USER=${DEPLOY_USER}

    # Set the private key for ansible
    - export ANSIBLE_PRIVATE_KEY_FILE=~/.ssh/id_ed25519

    # Set the vault id
    - export ANSIBLE_VAULT_ID_MATCH=${DEPLOY_ENVIRONMENT}
  script:
    # Ensure dynamic inventory file is executable
    - chmod +x ansible/inventories/${DEPLOY_ENVIRONMENT}/inventory.py

    # Install ansible requirements
    - ansible-galaxy install -g -f -r ansible/roles/requirements.yml

    # Run ansible playbook
    - ansible-playbook -e "image_tag=${IMAGE_TAG}" -i ansible/inventories/${DEPLOY_ENVIRONMENT}/inventory.py ansible/site.yml
  only:
    - main
  tags:
    - deploy

#Deploy production
deploy_production:
  stage: deploy
  extends:
    - .deploy
  variables:
    ANSIBLE_HOST_KEY_CHECKING: "false"
    IMAGE_TAG: ${CI_COMMIT_SHORT_SHA}
  environment:
    name: production
    url: https://indexing.library.upenn.edu
  needs:
    - copy_app_docker_images
  before_script:
    - ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -P ""

    # Get Vault token via JWT auth locked to this project
    - export VAULT_ADDR=${VAULT_URL}
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/${CI_SERVER_HOST}/login role=${JWT_ROLE} jwt=${CI_JOB_JWT})"

    # Generate signed key and write to a new pub key
    - vault write -field=signed_key ${VAULT_SSH_CLIENT_ENDPOINT}/sign/${VAULT_SSH_CLIENT_ROLE} public_key=@${HOME}/.ssh/id_ed25519.pub valid_principals=${VALID_PRINCIPALS} > ~/.ssh/id_ed25519-cert.pub
    - chmod 0400 ~/.ssh/id_ed25519-cert.pub

    # Set the remote user for ansible
    - export ANSIBLE_REMOTE_USER=${DEPLOY_USER}

    # Set the private key for ansible
    - export ANSIBLE_PRIVATE_KEY_FILE=~/.ssh/id_ed25519

    # Set the vault id
    - export ANSIBLE_VAULT_ID_MATCH=${DEPLOY_ENVIRONMENT}
  script:
    # Ensure dynamic inventory file is executable
    - chmod +x ansible/inventories/${DEPLOY_ENVIRONMENT}/inventory.py

    # Install ansible requirements
    - ansible-galaxy install -g -f -r ansible/roles/requirements.yml

    # Run ansible playbook
    - ansible-playbook -e "image_tag=${IMAGE_TAG}" -i ansible/inventories/${DEPLOY_ENVIRONMENT}/inventory.py ansible/site.yml
  rules:
    - if: $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+(\.[a-zA-Z0-9]+)?$/
  tags:
    - deploy
#-- End - deployment