.gitlab-ci.yml

include:
  - remote: https://raw.githubusercontent.com/ambient-innovation/gitlab-trivy-checks/main/gitlab-trivy-checks.yaml
  - remote: https://raw.githubusercontent.com/ambient-innovation/gitlab-retry-runners/master/gitlab-retry-runners.yaml
  
image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:${DOCKER_VERSION}

stages:
  - pre-build
  - build
  - post-build
  - test # Needed for scanning jobs result
  - deploy
  - post-deploy

# When using dind, it's wise to use the overlays driver for improved performance.
variables:
  TEST_HELM_CHART_VERSION: "1.2.1"  # <-- helm chart version for test server
  IMAGE_TAG_BACKEND: $CI_REGISTRY_IMAGE/backend:$CI_COMMIT_REF_SLUG
  IMAGE_TAG_FRONTEND: $CI_REGISTRY_IMAGE/frontend:$CI_COMMIT_REF_SLUG
  IMAGE_TAG_FRONTEND_E2E: $CI_REGISTRY_IMAGE/frontende2e:$CI_COMMIT_REF_SLUG
  IMAGE_TAG_BACKEND_SHA: $CI_REGISTRY_IMAGE/backend:$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA
  IMAGE_TAG_FRONTEND_SHA: $CI_REGISTRY_IMAGE/frontend:$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA
  FF_ENABLE_BASH_EXIT_CODE_CHECK: "true"
  DOCKER_DRIVER: overlay2
  DOCKER_HOST: tcp://docker:2376
  DOCKER_VERSION: "24.0.6" # This needed for the security scanning
  DOCKER_TLS_VERIFY: 1
  DOCKER_TLS_CERTDIR: "/certs"
  DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
  # variables for backend test
  TEST_POSTGRES_CONTAINER_NAME: epr_tool_db
  TEST_POSTGRES_DB: epr-tool
  TEST_POSTGRES_USERNAME: epr-tool
  TEST_POSTGRES_PASSWORD: top-secret
  TEST_POSTGRES_PORT: 5432

backend:lint:
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/python:3.9-slim
  stage: pre-build
  tags:
    - low-load
  script:
    - cd backend
    - pip install flake8~=3.9.2 pep8-naming~=0.12.1 black==22.3.0 isort==5.9.3
    - ./scripts/lint.sh
  except:
    - /^helm[-/\/].*$/
    - triggers

backend:build-and-push:
  stage: build
  needs: [ ]
  tags:
    - normal-load
  before_script:
    # this needed, or you will get the error:
    # "unable to resolve docker endpoint: open /certs/client/ca.pem: no such file or directory"
    # generating certs is too slow: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27384
    - until docker info; do sleep 1; done
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
  script:
    - DOCKER_BUILDKIT=1 docker build
      --compress
      --cache-from $IMAGE_TAG_BACKEND
      --build-arg BUILDKIT_INLINE_CACHE=1
      -t $IMAGE_TAG_BACKEND
      -t $IMAGE_TAG_BACKEND_SHA
      ./backend

    - docker push $IMAGE_TAG_BACKEND
    - docker push $IMAGE_TAG_BACKEND_SHA
  except:
    - /^helm[-/\/].*$/
    - triggers
  services:
    - name: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:${DOCKER_VERSION}-dind
      alias: docker

backend:post-build-checks:
  stage: post-build
  needs: [ "backend:build-and-push" ]
  tags:
    - normal-load
  variables:
    GIT_STRATEGY: none
  before_script:
    # this needed, or you will get the error:
    # "unable to resolve docker endpoint: open /certs/client/ca.pem: no such file or directory"
    # generating certs is too slow: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27384
    - until docker info; do sleep 1; done
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
  script:
    - docker run
      --rm --entrypoint=/bin/bash
      -e USE_POSTGRES_DATABASE=False
      $IMAGE_TAG_BACKEND
      -c "./scripts/check_migrations.sh && ./scripts/check_graphql_schema.sh"
  except:
    - /^helm[-/\/].*$/
    - triggers
  services:
    - name: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:${DOCKER_VERSION}-dind
      alias: docker

backend:test:
  stage: post-build
  needs: [ "backend:build-and-push" ]
  tags:
    - normal-load
  variables:
    GIT_STRATEGY: none
  artifacts:
    when: always
    reports:
      junit: [ 'test-reports/TEST-*.xml' ]
      coverage_report:
        coverage_format: cobertura
        path: 'coverage/report.xml'
  coverage: '/TOTAL.*\s+(\d+.?\d*%)$/'
  before_script:
    # this needed, or you will get the error:
    # "unable to resolve docker endpoint: open /certs/client/ca.pem: no such file or directory"
    # generating certs is too slow: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27384
    - until docker info; do sleep 1; done

    # login to registry
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

    # start DB container
    - docker run
      --name $TEST_POSTGRES_CONTAINER_NAME
      -d
      -e POSTGRES_DB=$TEST_POSTGRES_DB
      -e POSTGRES_USER=$TEST_POSTGRES_USERNAME
      -e POSTGRES_PASSWORD=$TEST_POSTGRES_PASSWORD
      library/postgres:14-alpine
  script:
    # wait for db
    - sleep 5
    - mkdir -p ${PWD}/coverage || true
    - mkdir -p ${PWD}/test-reports || true
    # we make it public, so the docker user can use it and write report.xml in it
    - chmod -R 777 ${PWD}/coverage
    - chmod -R 777 ${PWD}/test-reports
    - docker run
      --rm
      -v ${PWD}/coverage:/app/coverage
      -v ${PWD}/test-reports:/app/test-reports
      --entrypoint=/bin/sh
      -e DATABASE_NAME=ptp
      -e DATABASE_USERNAME=$TEST_POSTGRES_USERNAME
      -e DATABASE_PASSWORD=$TEST_POSTGRES_PASSWORD
      -e DATABASE_HOST=$TEST_POSTGRES_CONTAINER_NAME
      -e DATABASE_PORT=$TEST_POSTGRES_PORT
      -e DJANGO_SESSION_COOKIE_SECURE=False
      --link $TEST_POSTGRES_CONTAINER_NAME
      $IMAGE_TAG_BACKEND
      ./scripts/test.sh
    - sed -i 's:<source>/app/apps</source>:<source>'`pwd`'/backend/apps</source>:' ${PWD}/coverage/report.xml
  after_script:
    # Stop DB container
    - docker stop $POSTGRES_CONTAINER_NAME && docker rm $POSTGRES_CONTAINER_NAME || true
  except:
    - /^helm[-/\/].*$/
    - triggers
  services:
    - name: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:${DOCKER_VERSION}-dind
      alias: docker

deploy:test:
  stage: deploy
  tags:
    - low-load
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/k8s:1.25.13
  variables:
    TARGET_CLUSTER: test-ambient-eks
    CATALOG_NAME: epr-registration-tool-test
    HELM_CHART_VERSION: $TEST_HELM_CHART_VERSION
    HELM_CHART_NAME: epr-tool
    NAMESPACE: epr-registration-tool-test
    TARGET_VALUES_YAML_PATH: "./charts/epr-registration-tool/values.test.yaml"
    RELEASE_NAME: epr-registration-tool-test
  environment:
    name: test
    url: https://api.epr-test.ambient.digital
  script:
    - echo "Authenticating."
    - export AWS_DEFAULT_REGION=eu-central-1
    - export AWS_ACCESS_KEY_ID=$DEPLOYMENT_AWS_ACCESS_KEY_ID
    - export AWS_SECRET_ACCESS_KEY=$DEPLOYMENT_AWS_SECRET_ACCESS_KEY
    - echo "Fetching target cluster kubeconfig for deployment."
    - aws eks update-kubeconfig --name $TARGET_CLUSTER
    - echo "Adding catalog from https://chartmuseum.ambient-innovation.com/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME"
    - helm repo add $CATALOG_NAME
      https://chartmuseum.ambient-innovation.com/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
      --username $CHARTMUSEUM_USER
      --password $CHARTMUSEUM_PASSWORD
    - echo "Deploying."
    - helm upgrade -n $NAMESPACE --version $HELM_CHART_VERSION --wait --install
      --timeout 10m0s
      -f $TARGET_VALUES_YAML_PATH
      --set backend.image.tag=$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA
      --set frontend.image.tag=$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA
      --set forceRestartAt=${CI_JOB_ID}
      $RELEASE_NAME $CATALOG_NAME/$HELM_CHART_NAME
  only:
    - develop
  except:
    - /^helm[-/\/].*$/

frontend:lint:
  stage: pre-build
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/node:18.18.2-bullseye-slim
  tags:
    - low-load
  cache:
    key:
      files:
        - frontend/yarn.lock
        - frontend/.yarn/
    paths:
      - frontend/node_modules/
  script:
    - cd frontend
    - yarn install --frozen-lockfile --cache-folder .yarn
    - ./check_generated_types.sh
    - yarn lint
  except:
    - /^helm[-/\/].*$/
    - triggers


frontend:test:
  stage: pre-build
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/node:18.18.2-bullseye-slim
  tags:
    - normal-load
  needs:
    - frontend:lint
  cache:
    key:
      files:
        - frontend/yarn.lock
        - frontend/.yarn/
    paths:
      - frontend/node_modules/
  script:
    - cd frontend
    - yarn install --frozen-lockfile --cache-folder .yarn
    - yarn test:ci
  except:
    - /^helm[-/\/].*$/
    - triggers

# check https://github.com/ambient-innovation/gitlab-trivy-checks
license_scanning:
  stage: post-build
  tags:
    - low-load
  needs: [ "frontend:build-and-push" ]
  interruptible: true
  # We won't get the license scanner job to 0 errors, so we have to allow failure
  allow_failure: true
  variables:
    IMAGE: $IMAGE_TAG_FRONTEND
    TRIVY_YAML: trivy.yaml
  except:
    - /^helm[-/\/].*$/
    - triggers

license_scanning_backend:
  extends:
    - license_scanning
  needs: [ "backend:build-and-push" ]
  variables:
    IMAGE: $IMAGE_TAG_BACKEND
    TRIVY_YAML: trivy.yaml

container_scanning:
  stage: post-build
  tags:
    - low-load
  needs: [ "frontend:build-and-push" ]
  interruptible: true
  variables:
    IMAGE: $IMAGE_TAG_FRONTEND
    DIRECTORY: "frontend"
  except:
    - /^helm[-/\/].*$/
    - triggers

container_scanning_backend:
  extends:
    - container_scanning
  needs: [ "backend:build-and-push" ]
  variables:
    IMAGE: $IMAGE_TAG_BACKEND
    DIRECTORY: "backend"

# This job will scan "aws" directory for config errors. 
# This folder contains my cloudformation stacks.
config_scanning:
  variables:
    DIRECTORY: aws
    TRIVY_IGNOREFILE_DIR: .trivyignore.yaml
  allow_failure: true
  tags:
    - low-load
  interruptible: true

# In case of failing but no artifacts uploaded, you can use this api, just replace set job-id of the `check trivy scan results`
# https://gitlab.ambient-innovation.com/giz/epr-registration-tool/-/jobs/<job-id>/artifacts/download?file_type=codequality 
check trivy scan results:
  needs:
    - container_scanning
    - container_scanning_backend
  allow_failure: true
  except:
    - /^helm[-/\/].*$/
    - triggers

frontend:build-and-push:
  stage: build
  needs: [ ]
  tags:
    - high-load
  before_script:
    # this needed, or you will get the error:
    # "unable to resolve docker endpoint: open /certs/client/ca.pem: no such file or directory"
    # generating certs is too slow: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27384
    - until docker info; do sleep 1; done
    - docker login -u $CI_DEPENDENCY_PROXY_USER -p $CI_DEPENDENCY_PROXY_PASSWORD $CI_DEPENDENCY_PROXY_SERVER
  script:
    - DOCKER_BUILDKIT=1 docker build
      --target prod
      --compress
      --cache-from $CI_REGISTRY_IMAGE/frontend:develop
      -t $IMAGE_TAG_FRONTEND
      -t $IMAGE_TAG_FRONTEND_SHA
      --build-arg BUILDKIT_INLINE_CACHE=1
      --build-arg DOCKER_IMAGE_PREFIX=${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/
      ./frontend
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
    - docker push $IMAGE_TAG_FRONTEND
    - docker push $IMAGE_TAG_FRONTEND_SHA
  except:
    - /^helm[-/\/].*$/
  services:
    - name: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:${DOCKER_VERSION}-dind
      alias: docker

helm:lint:
  stage: pre-build
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/helm
  tags:
    - low-load
  script:
    - cd charts/epr-registration-tool
    - helm lint .
  only:
    - /^helm[-/\/].*$/

# Run this job manually if you need to debug your helm chart as in, your pipeline passed just fine but your app got stuck in installing state in the rancher stating some error, complaining that something is wrong with your template. In that case, it is really helpful to see what are the actual kubernetes objects that your chart is trying to install that is causing the issue.
helm:render:
  stage: pre-build
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/helm:3.5.4
  tags:
    - low-load
  script:
    - cd charts/epr-registration-tool
    - echo "The rendering is done so that if linting for your helm chart passes but you see YAML error in the Rancher, you can have a look to renderings to see if something looks wrong, which makes it easy for you to debug."
    - echo "Rendering test values."
    - helm template --debug --values values.test.yaml .
  only:
    - /^helm[-/\/].*$/

# Release with tags in this format: helm-1.0.0 (adjust version number)
helm:deploy:
  stage: deploy
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/alpine/helm
  tags:
    - low-load
  script:
    - VERSION=${CI_COMMIT_REF_SLUG:5}
    - VERSION=`echo $VERSION | tr - .`
    - cd charts/epr-registration-tool
    - helm package .
    - apk update
    - apk add curl
    - status=$(curl -i -X POST -s -o /dev/null -w "%{http_code}" -u "$CHARTMUSEUM_USER:$CHARTMUSEUM_PASSWORD" --data-binary "@epr-tool-$VERSION.tgz" https://chartmuseum.ambient-innovation.com/api/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/charts &> /dev/stdout) && if [ $status -gt 300 ]; then echo "Failed with HTTP CODE $status"; exit 1; else echo "success"; fi
  only:
    - /^helm[-/\/].*$/

# If you want the e2e job config please check the history

.playwright_cache:
  cache:
    paths:
      - ms-playwright/
      - .yarn/
      - node_modules/
    key: ms-playwright

e2e:test:
  stage: post-build
  image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:${DOCKER_VERSION}
  needs: [ 'backend:build-and-push' ]
  artifacts:
    when: always
    paths:
      - e2e/playwright-report/
      - e2e/test-results/
  extends: .playwright_cache
  tags:
    - very-high-load
  variables:
    FF_NETWORK_PER_BUILD: "true"
    FRONTEND_CONTAINER_NAME: epr_frontend_test_e2e

    DJANGO_ALLOWED_HOSTS: 127.0.0.1,localhost,0.0.0.0
    DJANGO_CELERY_TASK_ALWAYS_EAGER: "True"
    USE_POSTGRES_DATABASE: "False"
    DJANGO_SESSION_COOKIE_SECURE: "False"
    DJANGO_SERVER_URL: http://localhost:8000
    DJANGO_FRONTEND_URL: http://localhost:3000
    DJANGO_CORS_ORIGIN_WHITELIST: http://0.0.0.0:8000,http://0.0.0.0:3000,http://localhost:8000,http://localhost:3000,http://127.0.0.1:3000,http://localhost:9009,http://127.0.0.1:9009
    DJANGO_CSRF_TRUSTED_ORIGINS: http://0.0.0.0:8000,http://0.0.0.0:3000,http://localhost:8000,http://localhost:3000,http://127.0.0.1:3000,http://127.0.0.1:8000
    DJANGO_DEBUG: "True"
    DJANGO_GRAPHQL_CSRF_EXEMPT: "True"
    AXES_ENABLED: "False"
    ENABLE_DEBUG_TOOLBAR: "False"
    DJANGO_COOKIE_DOMAIN: localhost

    # Overwrite default request/limit of "very-high-load".
    # This is only possible because it will still request a complete node,
    # so the approach of "take whatever you want" cannot break other pipelines.
    KUBERNETES_CPU_REQUEST: "100m"
    KUBERNETES_CPU_LIMIT: "200m"
    KUBERNETES_MEMORY_REQUEST: "400Mi"
    KUBERNETES_MEMORY_LIMIT: "800Mi"

    KUBERNETES_HELPER_CPU_REQUEST: "100m"
    KUBERNETES_HELPER_CPU_LIMIT: "200m"
    KUBERNETES_HELPER_MEMORY_REQUEST: "500Mi"
    KUBERNETES_HELPER_MEMORY_LIMIT: "1000Mi"

    KUBERNETES_SERVICE_CPU_REQUEST: "100m"
    KUBERNETES_SERVICE_CPU_LIMIT: "3800m"
    KUBERNETES_SERVICE_MEMORY_REQUEST: "1000Mi"
    KUBERNETES_SERVICE_MEMORY_LIMIT: "14000Mi"
  services:
    - name: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/docker:${DOCKER_VERSION}-dind
      alias: docker
    - name: $IMAGE_TAG_BACKEND
      entrypoint: [ "/bin/sh" ]
      command: [ "./scripts/run_e2e.sh" ]
  before_script:
    # this needed, or you will get the error:
    # "unable to resolve docker endpoint: open /certs/client/ca.pem: no such file or directory"
    # generating certs is too slow: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27384
    - until docker info; do sleep 1; done

    # login to registry
    - docker login -u $CI_DEPENDENCY_PROXY_USER -p $CI_DEPENDENCY_PROXY_PASSWORD $CI_DEPENDENCY_PROXY_SERVER
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY

    # wait for backend service
    - sleep 5

    # build production build with test env. See --target test. Build also needs to be connected to host network as
    # CMS pages will be fetched while build and generated.
    - DOCKER_BUILDKIT=1 docker build
      --target test
      --compress
      --network=host
      -t $IMAGE_TAG_FRONTEND_E2E
      --build-arg BUILDKIT_INLINE_CACHE=1
      --build-arg DOCKER_IMAGE_PREFIX=${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/
      ./frontend

    - docker run
      --name $FRONTEND_CONTAINER_NAME
      -d
      --network=host
      $IMAGE_TAG_FRONTEND_E2E
  script:
    - docker run --rm
      --name playwright
      --volume  "$(pwd)/e2e":"$(pwd)"
      --workdir "$(pwd)"
      --env CI="true"
      --env PLAYWRIGHT_BROWSERS_PATH="$(pwd)/ms-playwright"
      --network=host
      --ipc=host
      --user "${CURRENT_USER:-pwuser:pwuser}"
      mcr.microsoft.com/playwright:v1.24.2-focal
      bash -c 'yarn install --pure-lockfile --cache-folder .yarn; yarn playwright install; yarn playwright test'

  after_script:
    - docker stop $FRONTEND_CONTAINER_NAME && docker rm $FRONTEND_CONTAINER_NAME || true
  except:
    - /^helm[-/\/].*$/
    - triggers