feat: Add template for Chef tasks

31fe310d · Matt Miller · 407aa6f0 · 31fe310d · 31fe310d
Commit 31fe310d authored 4 months ago by Matt Miller
--- a/templates/chef.md
+++ b/templates/chef.md
+# [`templates/chef.yml`](./templates/chef.yml)
+
+This template should be used by Chef cookbook projects
+
+The common tasks performed by this template are:
+
+1. Lint the cookbook with `cookstyle`
+1. Ensure that test suites included in kitchen.yml have also been added to `.gitlab-ci.yml`
+1. Run rspec tests
+1. Run kitchen tests
+1. Publish the cookbook to the Chef server if running against the master branch.
+
+## Required stages
+
+```yaml
+stages:
+  - prepare
+  - lint
+  - unit
+  - integration
+  - publish
+```
+
+You can override these using input variables, such as:
+```yaml
+  - project: "gitlab-com/gl-infra/common-ci-tasks"
+    ref: master
+    file: templates/chef.yml
+    inputs:
+      lint_stage: test
+```
+
+## Project requirements
+
+At minimum, the following Ruby gems must be included for common testing tasks.
+
+- [chef](https://rubygems.org/gems/chef)
+- [chefspec](https://rubygems.org/gems/chefspec)
+- [cookstyle](https://rubygems.org/gems/cookstyle)
+- [kitchen-google](https://rubygems.org/gems/kitchen-google)
+- [kitchen-inspec](https://rubygems.org/gems/kitchen-inspec)
+- [rspec](https://rubygems.org/gems/rspec)
+- [test-kitchen](https://rubygems.org/gems/test-kitchen)
+
+This has been tested on Ruby 2.6+
+
+## Kitchen testing
+
+This template provides a basic job for executing Kitchen tests during the integration stage.
+
+However, it is likely that you will want to override this in the event you have multiple Kitchen test suites.
+
+An example overridden job that you may have in your repo's local `.gitlab-ci.yml` may look like:
+
+```yaml
+kitchen:
+  stage: integration
+  retry: 2
+  artifacts:
+    expire_in: '2d'
+    when: always
+    paths:
+      - .kitchen/
+    reports:
+      junit: .kitchen/*_inspec.xml
+  cache:
+    paths:
+      - \$BUNDLE_PATH
+  script:
+    - SSH_KEY="$HOME/.ssh/id_ed25519" bundle exec kitchen test --destroy=always $KITCHEN_SUITE
+  parallel:
+    matrix:
+      - KITCHEN_SUITE:
+        # generate with: make update-ci
+        # SUITES_BEGIN
+        # SUITES_END
+```
+
+Note the comments in the KITCHEN_SUITE parallel matrix. These are to be used in conjuncture with a `update-ci` task defined in a common [`Makefile`](https://gitlab.com/gitlab-cookbooks/gitlab-server/-/blob/0ca860808ed4c0ce3e09ec8572563c161eceeb05/Makefile#L63-73). If these comments exist, and multiple kitchen test suites are defined in `kitchen.yml`, this `make` command will automatically add all suites to `.gitlab-ci.yml` when run.
+
+If a cookbook doesn't have kitchen tests, you can remove them from execution by changing the execution stage like:
+
+```yaml
+  - project: "gitlab-com/gl-infra/common-ci-tasks"
+    ref: master
+    file: templates/chef.yml
+    inputs:
+      integration_stage: skip
+```
--- a/templates/chef.yml
+++ b/templates/chef.yml
+spec:
+  inputs:
+    prepare_stage:
+      default: prepare
+    lint_stage:
+      default: lint
+    unit_stage:
+      default: unit
+    integration_stage:
+      default: integration
+    publish_stage:
+      default: publish
+
+---
+.update_ci:
+  script: |
+    echo '        # SUITES_BEGIN' > suites.txt
+    export SSH_KEY="$HOME/.ssh/id_ed25519"; bundle exec kitchen list -j | jq -r '.[] | .instance | "        - " + . ' >> suites.txt
+    echo '        # SUITES_END' >> suites.txt
+    sed -i -e '/SUITES_BEGIN/,/SUITES_END/!b' -e '/SUITES_END/!d;r suites.txt' -e 'd' .gitlab-ci.yml; \
+    rm -f suites.txt
+
+.kitchen_prepare:
+  script: |
+    if [ -z "$GCP_SERVICE_ACCOUNT" ]; then
+      echo "Please set GCP_SERVICE_ACCOUNT in CI/CD settings for this repo"
+      exit 1
+    fi
+
+    # Create the service account credential file
+    mkdir -p "$HOME/.config/gcloud/" && \
+      cp "$GCP_SERVICE_ACCOUNT" "$HOME/.config/gcloud/application_default_credentials.json"
+
+    # Disable strict host checking and generate ephemeral key
+    umask 0077 && \
+      mkdir -p "$HOME/.ssh" && \
+      echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > "$HOME/.ssh/config" && \
+      ssh-keygen -N '' -t ed25519 -C '' -f "$HOME/.ssh/id_ed25519"
+
+variables:
+  DEBIAN_FRONTEND: noninteractive
+  KITCHEN_YAML: "kitchen.yml"
+  BUNDLE_PATH: "$CI_PROJECT_DIR/.bundle"
+  RUBYOPT: "-W0" # Disable ruby warnings.
+  EXTRA_PRODUCTS_FILE: cinc-products.rb
+
+before_script:
+  - eval $(ssh-agent -s)
+  - ssh-add <(echo $CI_PRIVATE_KEY |base64 -d)
+  - mkdir -p ~/.ssh
+  - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
+  - apt-get -qq update && apt-get -yqq install openssh-client rsync make jq libsodium-dev
+  - bundle config set clean 'true'
+  - bundle config set path $BUNDLE_PATH
+  - bundle config build.ffi-yajl --withh-ldflags="-Wl,-undefined,dynamic_lookup"
+  - bundle install --jobs "$(nproc)"
+
+kitchen-suites-updated?:
+  stage: $[[ inputs.lint_stage ]]
+  cache:
+    key: "$CI_COMMIT_REF_SLUG"
+    paths:
+      - "$BUNDLE_PATH"
+  script:
+    - if [[ ! -f $KITCHEN_YAML ]]; then echo "No kitchen.yml found, skipping" ; exit 0 ; fi
+    - !reference [.kitchen_prepare, script]
+    - !reference [.update_ci, script]
+    - git diff -b --exit-code .gitlab-ci.yml
+    # update locally with: make update-ci
+
+gems:
+  stage: $[[ inputs.prepare_stage ]]
+  cache:
+    key: "$CI_COMMIT_REF_SLUG"
+    paths:
+      - $BUNDLE_PATH
+  script:
+    - echo "gems cached"
+
+cookstyle:
+  stage: $[[ inputs.lint_stage ]]
+  cache:
+    key: "$CI_COMMIT_REF_SLUG"
+    paths:
+      - "$BUNDLE_PATH"
+  artifacts:
+    expire_in: '2d'
+    when: always
+    paths:
+      - .bundle/cookstyle_junit.xml
+    reports:
+      junit: .bundle/cookstyle_junit.xml
+  script:
+    - bundle exec cookstyle --fail-level E --display-only-failed -f junit --out .bundle/cookstyle_junit.xml
+
+rspec-test-job:
+  stage: $[[ inputs.unit_stage ]]
+  coverage: "/^\\s*Touch\\sCoverage:\\s*(\\d+\\.\\d+)%/"
+  cache:
+    paths:
+      - "$BUNDLE_PATH"
+  script:
+    - bundle exec rspec -f d
+
+kitchen:
+  stage: $[[ inputs.integration_stage ]]
+  cache:
+    paths:
+      - "$BUNDLE_PATH"
+  script:
+    - !reference [.kitchen_prepare, script]
+    - SSH_KEY="$HOME/.ssh/id_ed25519" bundle exec kitchen test --destroy=always
+
+push-cookbook:
+  stage: $[[ inputs.publish_stage ]]
+  only:
+    refs:
+      - master
+    variables:
+      - "$OPS_CLONE_USERNAME"
+      - "$OPS_CLONE_PASSWORD"
+  script:
+    - rm -rf Gemfile Gemfile.lock || true
+    - git clone https://$OPS_CLONE_USERNAME:$OPS_CLONE_PASSWORD@ops.gitlab.net/gitlab-cookbooks/cookbook-publisher.git /tmp/cookbook-publisher
+    - cp /tmp/cookbook-publisher/publisher.rb /tmp/cookbook-publisher/Gemfile /tmp/cookbook-publisher/Gemfile.lock .
+    - bundle install
+    - bundle exec ruby publisher.rb