.gitlab-ci.yml

stages:
  - build-base-image
  - test
  - pack-centos
  - pack-ubuntu
  - pack-debian
  - pack-altlinux
  - pack-redos
  - sign
  - deploy
  - check-deployment

workflow:
  # See https://docs.gitlab.com/ee/ci/jobs/job_control.html#avoid-duplicate-pipelines
  rules:
    # To avoid duplicate pipelines we disable merge request events,
    # leaving only pushes and manual triggering.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: never
    - if: $CI_PIPELINE_SOURCE == "push"
    - if: $CI_PIPELINE_SOURCE == "web"

variables:
  REGISTRY: docker-public.binary.picodata.io
  BASE_IMAGE: ${REGISTRY}/picodata-build-base
  CARGO_HOME: /shared-storage/picodata/.cargo
  CACHE_PATHS: target .venv
  CACHE_ARCHIVE: /shared-storage/picodata/cache.tar

# job:rules explained:
#
# - if build-base changes on master branch (compared to HEAD~1)
#     * build-base-image (with tag latest) and push
#     * test (on base-image:latest)
# - if build-base changes on development branch (compared to master)
#     * build-base-image (with tag sha)
#     * test (on base-image:sha)
# - else (if build-base doesn't change)
#     * skip build-base-image
#     * just test (on base-image:latest)
#
# Anchor syntax explained here:
# https://docs.gitlab.com/ee/ci/yaml/yaml_optimization.html
#
.rules:
  - &if-build-base-changes-on-master-branch
    if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    changes:
      # implies compare_to HEAD~1
      paths: &build-base-changes-paths
        - docker-build-base/**
        - .gitlab-ci.yml

  - &if-build-base-changes-on-dev-branch
    if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
    changes:
      compare_to: master
      paths: *build-base-changes-paths

  - &else {}

build-base-image:
  stage: build-base-image
  tags:
    - shell
  rules:
    - <<: *if-build-base-changes-on-master-branch
      variables:
        BASE_IMAGE_TAG: latest
    - <<: *if-build-base-changes-on-dev-branch
      variables:
        BASE_IMAGE_TAG: ${CI_COMMIT_SHA}
    - <<: *else
      when: never
  variables:
    GIT_DEPTH: 1
    GIT_STRATEGY: fetch
    GIT_SUBMODULE_STRATEGY: none
  script:
    - docker pull ${BASE_IMAGE}:latest || true
    - >
      docker build
      --cache-from ${BASE_IMAGE}:latest
      --label GIT_COMMIT=${CI_COMMIT_SHA}
      -t ${BASE_IMAGE}:${BASE_IMAGE_TAG}
      -f ./docker-build-base/Dockerfile
      ./docker-build-base
    - |
      # Push image to registry
      if [ "${CI_COMMIT_BRANCH}" == "${CI_DEFAULT_BRANCH}" ]; then
        echo "Pushing ${BASE_IMAGE}:${BASE_IMAGE_TAG}"
        mkdir -p $CI_PROJECT_DIR/.docker
        echo $DOCKER_AUTH_RW > $CI_PROJECT_DIR/.docker/config.json
        docker --config $CI_PROJECT_DIR/.docker/ push ${BASE_IMAGE}:${BASE_IMAGE_TAG}
      else
        echo "Skip pushing image on a non-master branch"
      fi

test:
  stage: test
  tags:
    - docker
  rules:
    - <<: *if-build-base-changes-on-master-branch
      variables:
        BASE_IMAGE_TAG: latest
    - <<: *if-build-base-changes-on-dev-branch
      variables:
        BASE_IMAGE_TAG: ${CI_COMMIT_SHA}
    - <<: *else
      variables:
        BASE_IMAGE_TAG: latest
  image:
    name: ${BASE_IMAGE}:${BASE_IMAGE_TAG}
    pull_policy: if-not-present
  variables:
    GIT_DEPTH: 100
    GIT_SUBMODULE_STRATEGY: recursive
    RUST_BACKTRACE: 1
  before_script:
    # Gitlab CI implicitly clones specific refs (e.g. `refs/pipelines/xxxxxxx`),
    # but it doesn't imply fetching tags. We clone them manually with the
    # `git fetch` command.
    #
    # Tags in `tarantool-sys` and `luajit` submodules are necessary for
    # the build scripts. Without them the job fails.
    - &fetch-tags |
      # Fetch tags
      ci-log-section start "fetch-submodule-tags" Fetching tags for submodules
      for s in tarantool-sys tarantool-sys/third_party/luajit; do
        echo "Fetching tag for $s"
        pushd $s
        until git describe; do git fetch --deepen 100; done
        popd
      done
      ci-log-section end "fetch-submodule-tags"

    # Gitlab CI caching is shit. So we implement it manually
    - |
      # Restore cache
      if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then
        echo "Skip restoring cache on the master branch"
      elif [ -f "${CACHE_ARCHIVE}" ]; then
        ci-log-section start "restore-cache" Restoring cache from ${CACHE_ARCHIVE} ...
        tar -xf ${CACHE_ARCHIVE}
        echo "Ok"
        du -sh ${CACHE_PATHS} || true
        ci-log-section end "restore-cache"
      else
        echo "No cache found"
      fi
  script:
    - cargo -V
    - cargo build --locked
    - cargo test --locked
    - cargo fmt -- -v --check
    - cargo clippy --version
    - cargo clippy -- --deny clippy::all
    - |
      # Pipenv install
      ci-log-section start "pipenv-install" Installing pip dependencies ...
      PIPENV_VENV_IN_PROJECT=1 PIP_NO_CACHE_DIR=true python3.10 -m pipenv install --deploy
      ci-log-section end "pipenv-install"
    - pipenv run pytest --numprocesses auto -v
    - pipenv run lint
    - |
      # Save cache
      if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then
        ci-log-section start "save-cache" Saving cache to ${CACHE_ARCHIVE} ...
        du -sh ${CACHE_PATHS} || true
        TMPEXT=$RANDOM
        tar -cf "${CACHE_ARCHIVE}.${TMPEXT}" ${CACHE_PATHS}
        mv -f "${CACHE_ARCHIVE}.${TMPEXT}" "${CACHE_ARCHIVE}"
        echo Ok
        du -sh ${CACHE_ARCHIVE}
        ci-log-section end "save-cache"
      else
        echo "Skip saving cache on a non-master branch"
      fi

test-docker:
  stage: test
  tags:
    - shell
  rules:
    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      changes:
        compare_to: master
        paths:
          - helm/picodata.Dockerfile
          - helm/picodata-diag.Dockerfile
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - # else
      when: never
  variables:
    GIT_DEPTH: 100
    GIT_STRATEGY: fetch
    GIT_SUBMODULE_STRATEGY: recursive
  before_script:
    - export PATH=docker-build-base:$PATH
    - *fetch-tags
  script:
    - |
      # Build docker images
      for image in picodata picodata-diag; do
        ci-log-section start "test-docker-${image}" Building docker image ${image}
        docker build \
          --label GIT_COMMIT=${CI_COMMIT_SHA} \
          -f helm/${image}.Dockerfile .
        ci-log-section end "test-docker-${image}"
      done

.pack:
  tags:
    - shell
  only:
    - web
    - tags
  variables:
    PRESERVE_ENVVARS: VER_TNT
    GIT_DEPTH: 100
    GIT_SUBMODULE_STRATEGY: recursive
  before_script:
    - git clone https://github.com/packpack/packpack.git packpack
    - |
      # Describe tarantool-sys
      pushd tarantool-sys
      until git describe; do git fetch --deepen 100; done
      export VER_TNT=$(
        git describe --long |
        sed -n 's/^\([0-9\.]*\)-\([0-9]*\)-\([a-z0-9]*\)/\1.\2/p'
      );
      echo $VER_TNT
      popd
    - |
      # Describe picodata
      until git describe; do git fetch --deepen 100; done
      git describe --long
  timeout: 2h
  dependencies: []

pack-centos:
  stage: pack-centos
  extends: .pack
  script:
    - sed -i "s/(id -u)/(id -u) -o/g" packpack/packpack
    - OS=centos DIST=7 packpack/packpack
    - OS=centos DIST=8 packpack/packpack
  artifacts:
    paths:
      - build/picodata*.rpm

pack-ubuntu:
  stage: pack-ubuntu
  extends: .pack
  script:
    - OS=ubuntu DIST=focal BUILDDIR=$PWD/build_${DIST}/ RELEASE=${DIST} packpack/packpack
    - OS=ubuntu DIST=jammy BUILDDIR=$PWD/build_${DIST}/ RELEASE=${DIST} packpack/packpack
  artifacts:
    paths:
      - build_focal/*.deb
      - build_jammy/*.deb

pack-debian:
  stage: pack-debian
  extends: .pack
  script:
    - OS=debian DIST=bullseye BUILDDIR=$PWD/build_debian/ RELEASE=${DIST} packpack/packpack
  artifacts:
    paths:
      - build_debian/*.deb

pack-altlinux:
  stage: pack-altlinux
  extends: .pack
  script:
    - DOCKER_REPO=docker-picodata.binary.picodata.io/packpack/alt DOCKER_IMAGE=p10 packpack/packpack
    - DOCKER_REPO=docker-picodata.binary.picodata.io/packpack/alt DOCKER_IMAGE=p9 packpack/packpack
  artifacts:
    paths:
      - build/picodata*.rpm

pack-redos:
  stage: pack-redos
  extends: .pack
  script:
    - OS=redos DIST=7.3 BUILDDIR=$PWD/build_redos/ packpack/packpack
  artifacts:
    paths:
      - build_redos/picodata*.rpm

sign-rpm-packages:
  variables:
    DOCKER_AUTH_CONFIG: $DOCKER_AUTH_RO
  stage: sign
  tags:
    - shell
  only:
    - web
    - tags
  before_script:
    - echo "$GPG_KEY_KDY" | base64 -d > build/kdy.asc
    - echo "$GPG_KEY_KDY" | base64 -d > build_redos/kdy.asc
  script:
    - docker run --rm -e KEY_FILE=kdy.asc -v $PWD/build:/build docker-picodata.binary.picodata.io/rpmsign:centos7
    - docker run --rm -e KEY_FILE=kdy.asc -v $PWD/build_redos:/build docker-picodata.binary.picodata.io/rpmsign:centos7
  artifacts:
    paths:
      - build/picodata*.rpm
      - build_redos/picodata*.rpm
  dependencies:
    - pack-centos
    - pack-altlinux
    - pack-redos

deploy-packages:
  stage: deploy
  tags:
    - shell
  only:
    - web
    - tags
  before_script:
    - eval $(ssh-agent -s)
    - echo "$DEPLOY_PROD_SSH_KEY" | base64 -d | ssh-add -
  script:
    # CentOS 7
    - echo "Deploying rpm-centos7-packet..."
    - scp -o stricthostkeychecking=no build/picodata*.el7.*rpm ansible@94.26.239.246:/data/nginx/www/packrepo/tarantool-picodata/el/7/x86_64/
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "cd /data/nginx/www/packrepo/tarantool-picodata/el/7/ && createrepo --update x86_64 && gpg --no-tty --yes -u kdy@picodata.io --detach-sign --armor x86_64/repodata/repomd.xml"
    -  echo "rpm-centos7-packet successfully deployed."
    -  echo
    # CentOS 8
    - echo "Deploying rpm-centos8-packet..."
    - scp -o stricthostkeychecking=no build/picodata*.el8.*rpm ansible@94.26.239.246:/data/nginx/www/packrepo/tarantool-picodata/el/8/x86_64/
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "cd /data/nginx/www/packrepo/tarantool-picodata/el/8/ && createrepo --update x86_64 && gpg --no-tty --yes -u kdy@picodata.io --detach-sign --armor x86_64/repodata/repomd.xml"
    - echo "rpm-centos8-packet successfully deployed."
    - echo
    # Ubuntu focal
    - echo "Deploying ubuntu focal deb-packets..."
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "mkdir -p ~/.deb/ubuntu"
    - scp -o stricthostkeychecking=no build_focal/picodata*deb ansible@94.26.239.246:.deb/ubuntu/
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "reprepro -b /data/nginx/www/packrepo/tarantool-picodata/ubuntu/ -C main includedeb focal ~/.deb/ubuntu/picodata*focal*deb; rm ~/.deb/ubuntu/picodata*focal*deb"
    - echo "ubuntu focal deb-packets successfully deployed."
    - echo
    # Ubuntu jammy
    - echo "Deploying ubuntu jammy deb-packets..."
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "mkdir -p ~/.deb/ubuntu"
    - scp -o stricthostkeychecking=no build_jammy/picodata*deb ansible@94.26.239.246:.deb/ubuntu/
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "reprepro -b /data/nginx/www/packrepo/tarantool-picodata/ubuntu/ -C main includedeb jammy ~/.deb/ubuntu/picodata*jammy*deb; rm ~/.deb/ubuntu/picodata*jammy*deb"
    - echo "ubuntu jammy deb-packets successfully deployed."
    - echo
    # Debian
    - echo "Deploying debian packets..."
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "mkdir -p ~/.deb/debian"
    - scp -o stricthostkeychecking=no build_debian/picodata*deb ansible@94.26.239.246:.deb/debian/
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "reprepro -b /data/nginx/www/packrepo/tarantool-picodata/debian/ -C main includedeb bullseye ~/.deb/debian/picodata*bullseye*deb; rm ~/.deb/debian/picodata*bullseye*deb"
    - echo "debian packets successfully deployed."
    - echo
    # Altlinux p9
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "mkdir -p /tmp/altlinux/"
    - echo "Deploying altlinux-p9 packet..."
    - scp -o stricthostkeychecking=no build/picodata*.p9.*rpm ansible@94.26.239.246:/tmp/altlinux/
    - echo "altlinux-p9 packet successfully deployed."
    - echo
    # Altlinux p10
    - echo "Deploying altlinux-p10 packet..."
    - scp -o stricthostkeychecking=no build/picodata*.p10.*rpm ansible@94.26.239.246:/tmp/altlinux/
    - echo "altlinux-p10 packet successfully deployed."
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "/usr/local/bin/repogen.sh"
    - echo
    # RedOS
    - echo "Deploying RedOS 7 packet..."
    - scp -o stricthostkeychecking=no build_redos/picodata*.el7.*rpm ansible@94.26.239.246:/data/nginx/www/packrepo/tarantool-picodata/redos/7/x86_64/
    - ssh -o stricthostkeychecking=no ansible@94.26.239.246 "cd /data/nginx/www/packrepo/tarantool-picodata/redos/7/ && createrepo --update x86_64 && gpg --no-tty --yes -u kdy@picodata.io --detach-sign --armor x86_64/repodata/repomd.xml"
    - echo
  dependencies:
    - pack-ubuntu
    - pack-debian
    - sign-rpm-packages

deploy-docker:
  stage: deploy
  tags:
    - shell
  only:
    - web
    - tags
  variables:
    GIT_DEPTH: 100
    GIT_STRATEGY: fetch
    GIT_SUBMODULE_STRATEGY: recursive
  before_script:
    - export PATH=docker-build-base:$PATH
    - *fetch-tags
    - mkdir -p $CI_PROJECT_DIR/.docker
    - echo $DOCKER_AUTH_RW > $CI_PROJECT_DIR/.docker/config.json
  script:
    - |
      # Rebuild and push docker images
      for image in picodata picodata-diag; do
        ci-log-section start "deploy-docker-${image}" Building and pushing docker image ${image}
        docker build \
          --label GIT_COMMIT=${CI_COMMIT_SHA} \
          -t ${REGISTRY}/${image}:latest \
          -f helm/${image}.Dockerfile .
        docker --config $CI_PROJECT_DIR/.docker push ${REGISTRY}/${image}:latest
        ci-log-section end "deploy-docker-${image}"
      done

.check-deployment:
  stage: check-deployment
  tags:
    - docker
  only:
    - web
    - tags
  image: ${BASE_IMAGE}
  needs:
    - deploy-packages

check-deployment-rpm:
  extends: .check-deployment
  parallel:
    matrix:
      - BASE_IMAGE: centos:7
        PACKAGE: el/7/x86_64/picodata-release-1.1.1.0-1.el7.x86_64.rpm
      - BASE_IMAGE: rockylinux:8
        PACKAGE: el/8/x86_64/picodata-release-1.1.1.0-1.el8.x86_64.rpm
      - BASE_IMAGE: packpack/packpack:redos-7.3
        PACKAGE: redos/7/x86_64/picodata-release-1.1.1.0-1.el7.x86_64.rpm
  script:
    - rpm --import https://download.picodata.io/tarantool-picodata/el/RPM-GPG-KEY-kdy
    - yum install -y https://download.picodata.io/tarantool-picodata/${PACKAGE}
    - yum install -y picodata

check-deployment-deb:
  extends: .check-deployment
  variables:
    DEBIAN_FRONTEND: noninteractive
    TZ: Europe/Moscow
  parallel:
    matrix:
      - BASE_IMAGE: debian:bullseye
      - BASE_IMAGE: ubuntu:focal
      - BASE_IMAGE: ubuntu:jammy
  before_script:
    - apt update
    - apt install -y curl gpg software-properties-common
    - export DIST=$(lsb_release -si | tr [:upper:] [:lower:])
    - export CODENAME=$(lsb_release -sc)
  script:
    - curl -s https://download.picodata.io/tarantool-picodata/ubuntu/picodata.gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/picodata.gpg --import
    - chmod 644 /etc/apt/trusted.gpg.d/picodata.gpg
    - add-apt-repository -y "deb [arch=amd64] https://download.picodata.io/tarantool-picodata/${DIST}/ ${CODENAME} main"
    - apt update
    - apt install -y picodata

check-deployment-alt:
  extends: .check-deployment
  parallel:
    matrix:
      - DIST: p10
      - DIST: p9
  image: docker.binary.picodata.io/altlinux/base:${DIST}
  before_script:
    - apt-get update
    - apt-get install -y curl git
    - until git describe; do git fetch --deepen 100; done
    - export VER=$(git describe --long | sed -n 's/^\([0-9\.]*\)-\([0-9]*\)-\([a-z0-9]*\)/\1.\2/p')
  script:
    - curl https://download.picodata.io/tarantool-picodata/altlinux/${DIST}/picodata-release-1.0.2.7-1.${DIST}.x86_64.rpm -o picodata-release.rpm
    - apt-get install -y ./picodata-release.rpm
    - apt-get update
    - apt-get install -y picodata
    - apt-get remove -y picodata picodata-release
    - curl https://download.picodata.io/tarantool-picodata/altlinux/${DIST}/x86_64/RPMS.main/picodata-${VER}-1.${DIST}.x86_64.rpm -o picodata.rpm
    - apt-get install -y ./picodata.rpm