Add latest changes from gitlab-org/gitlab@13-2-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2020-07-20 15:26:25 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2020-07-20 15:26:25 +0300
commit: a09983ae35713f5a2bbb100981116d31ce99826e (patch)
tree: 2ee2af7bd104d57086db360a7e6d8c9d5d43667a /scripts/review_apps
parent: 18c5ab32b738c0b6ecb4d0df3994000482f34bd8 (diff)
4 files changed, 88 insertions, 18 deletions
diff --git a/scripts/review_apps/automated_cleanup.rb b/scripts/review_apps/automated_cleanup.rb
index a9659071a2f..e40c6cd7276 100755
--- a/scripts/review_apps/automated_cleanup.rb
+++ b/scripts/review_apps/automated_cleanup.rb
@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 require 'gitlab'
-require_relative File.expand_path('../../lib/quality/helm3_client.rb', __dir__)
-require_relative File.expand_path('../../lib/quality/kubernetes_client.rb', __dir__)
+require_relative File.expand_path('../../tooling/lib/tooling/helm3_client.rb', __dir__)
+require_relative File.expand_path('../../tooling/lib/tooling/kubernetes_client.rb', __dir__)
 
 class AutomatedCleanup
   attr_reader :project_path, :gitlab_token
@@ -40,15 +40,15 @@ class AutomatedCleanup
   end
 
   def review_apps_namespace
-    self.class.ee? ? 'review-apps-ee' : 'review-apps-ce'
+    'review-apps'
   end
 
   def helm
-    @helm ||= Quality::Helm3Client.new(namespace: review_apps_namespace)
+    @helm ||= Tooling::Helm3Client.new(namespace: review_apps_namespace)
   end
 
   def kubernetes
-    @kubernetes ||= Quality::KubernetesClient.new(namespace: review_apps_namespace)
+    @kubernetes ||= Tooling::KubernetesClient.new(namespace: review_apps_namespace)
   end
 
   def perform_gitlab_environment_cleanup!(days_for_stop:, days_for_delete:)
@@ -76,7 +76,7 @@ class AutomatedCleanup
       if deployed_at < delete_threshold
         deleted_environment = delete_environment(environment, deployment)
         if deleted_environment
-          release = Quality::Helm3Client::Release.new(environment.slug, 1, deployed_at.to_s, nil, nil, review_apps_namespace)
+          release = Tooling::Helm3Client::Release.new(environment.slug, 1, deployed_at.to_s, nil, nil, review_apps_namespace)
           releases_to_delete << release
         end
       else
@@ -157,11 +157,11 @@ class AutomatedCleanup
     helm.delete(release_name: releases_names)
     kubernetes.cleanup(release_name: releases_names, wait: false)
 
-  rescue Quality::Helm3Client::CommandFailedError => ex
+  rescue Tooling::Helm3Client::CommandFailedError => ex
     raise ex unless ignore_exception?(ex.message, IGNORED_HELM_ERRORS)
 
     puts "Ignoring the following Helm error:\n#{ex}\n"
-  rescue Quality::KubernetesClient::CommandFailedError => ex
+  rescue Tooling::KubernetesClient::CommandFailedError => ex
     raise ex unless ignore_exception?(ex.message, IGNORED_KUBERNETES_ERRORS)
 
     puts "Ignoring the following Kubernetes error:\n#{ex}\n"
diff --git a/scripts/review_apps/base-config.yaml b/scripts/review_apps/base-config.yaml
index 6fb6943fb90..82be2d3a691 100644
--- a/scripts/review_apps/base-config.yaml
+++ b/scripts/review_apps/base-config.yaml
@@ -7,7 +7,7 @@ global:
       external-dns.alpha.kubernetes.io/ttl: 10
     configureCertmanager: false
     tls:
-      secretName: tls-cert
+      secretName: review-apps-tls
   initialRootPassword:
     secret: shared-gitlab-initial-root-password
 certmanager:
@@ -61,11 +61,11 @@ gitlab:
   task-runner:
     resources:
       requests:
-        cpu: 50m
-        memory: 350M
+        cpu: 300m
+        memory: 800M
       limits:
-        cpu: 100m
-        memory: 700M
+        cpu: 450m
+        memory: 1200M
   webservice:
     resources:
       requests:
@@ -137,10 +137,10 @@ postgresql:
     enabled: false
   resources:
     requests:
-      cpu: 347m
+      cpu: 550m
       memory: 250M
     limits:
-      cpu: 520m
+      cpu: 825m
       memory: 375M
 prometheus:
   install: false
diff --git a/scripts/review_apps/gcp_cleanup.sh b/scripts/review_apps/gcp_cleanup.sh
index f289a50f629..3225631e8c7 100755
--- a/scripts/review_apps/gcp_cleanup.sh
+++ b/scripts/review_apps/gcp_cleanup.sh
@@ -11,7 +11,7 @@ function setup_gcp_dependencies() {
 
 # These scripts require the following environment variables:
 # - REVIEW_APPS_GCP_REGION - e.g `us-central1`
-# - KUBE_NAMESPACE - e.g `review-apps-ee`
+# - KUBE_NAMESPACE - e.g `review-apps`
 
 function delete_firewall_rules() {
   if [[ ${#@} -eq 0 ]]; then
diff --git a/scripts/review_apps/review-apps.sh b/scripts/review_apps/review-apps.sh
index 1214ee5f462..74291f6aef4 100755
--- a/scripts/review_apps/review-apps.sh
+++ b/scripts/review_apps/review-apps.sh
@@ -66,7 +66,7 @@ function kubectl_cleanup_release() {
   local release="${2}"
 
   echoinfo "Deleting all K8s resources matching '${release}'..." true
-  kubectl --namespace "${namespace}" get ingress,svc,pdb,hpa,deploy,statefulset,job,pod,secret,configmap,pvc,secret,clusterrole,clusterrolebinding,role,rolebinding,sa,crd 2>&1 \
+  kubectl --namespace "${namespace}" get ingress,svc,pdb,hpa,deploy,statefulset,job,pod,secret,configmap,pvc,clusterrole,clusterrolebinding,role,rolebinding,sa,crd 2>&1 \
     | grep "${release}" \
     | awk '{print $1}' \
     | xargs kubectl --namespace "${namespace}" delete \
@@ -126,6 +126,38 @@ function get_pod() {
   echo "${pod_name}"
 }
 
+function run_task() {
+  local namespace="${KUBE_NAMESPACE}"
+  local ruby_cmd="${1}"
+  local task_runner_pod=$(get_pod "task-runner")
+
+  kubectl exec -it --namespace "${namespace}" "${task_runner_pod}" -- gitlab-rails runner "${ruby_cmd}"
+}
+
+function disable_sign_ups() {
+  if [ -z ${REVIEW_APPS_ROOT_TOKEN+x} ]; then
+    echoerr "In order to protect Review Apps, REVIEW_APPS_ROOT_TOKEN variable must be set"
+    false
+  else
+    true
+  fi
+
+  # Create the root token
+  local ruby_cmd="token = User.find_by_username('root').personal_access_tokens.create(scopes: [:api], name: 'Token to disable sign-ups'); token.set_token('${REVIEW_APPS_ROOT_TOKEN}'); begin; token.save!; rescue(ActiveRecord::RecordNotUnique); end"
+  run_task "${ruby_cmd}"
+
+  # Disable sign-ups
+  curl  --silent --show-error --request PUT --header "PRIVATE-TOKEN: ${REVIEW_APPS_ROOT_TOKEN}" "${CI_ENVIRONMENT_URL}/api/v4/application/settings?signup_enabled=false"
+
+  local signup_enabled=$(curl --silent --show-error --request GET --header "PRIVATE-TOKEN: ${REVIEW_APPS_ROOT_TOKEN}" "${CI_ENVIRONMENT_URL}/api/v4/application/settings" | jq ".signup_enabled")
+  if [[ "${signup_enabled}" == "false" ]]; then
+    echoinfo "Sign-ups have been disabled successfully."
+  else
+    echoerr "Sign-ups should be disabled but are still enabled!"
+    false
+  fi
+}
+
 function check_kube_domain() {
   echoinfo "Checking that Kube domain exists..." true
 
@@ -181,6 +213,32 @@ function install_external_dns() {
   fi
 }
 
+# This script is used to install cert-manager in the cluster
+# The installation steps are documented in
+# https://gitlab.com/gitlab-org/quality/team-tasks/snippets/1990286
+function install_certmanager() {
+  local namespace="${KUBE_NAMESPACE}"
+  local release="cert-manager-review-app-helm3"
+
+  echoinfo "Installing cert-manager..." true
+
+  if ! deploy_exists "${namespace}" "${release}" || previous_deploy_failed "${namespace}" "${release}" ; then
+    kubectl apply \
+    -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.10/deploy/manifests/00-crds.yaml
+
+    echoinfo "Installing cert-manager Helm chart"
+    helm repo add jetstack https://charts.jetstack.io
+    helm repo update
+
+    helm install "${release}" jetstack/cert-manager \
+      --namespace "${namespace}" \
+      --version v0.15.1 \
+      --set installCRDS=true
+  else
+    echoinfo "The cert-manager Helm chart is already successfully deployed."
+  fi
+}
+
 function create_application_secret() {
   local namespace="${KUBE_NAMESPACE}"
   local release="${CI_ENVIRONMENT_SLUG}"
@@ -233,6 +291,17 @@ function base_config_changed() {
   curl "${CI_API_V4_URL}/projects/${CI_MERGE_REQUEST_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/changes" | jq '.changes | any(.old_path == "scripts/review_apps/base-config.yaml")'
 }
 
+function parse_gitaly_image_tag() {
+  local gitaly_version="${GITALY_VERSION}"
+
+  # prepend semver version with `v`
+  if [[ $gitaly_version =~  ^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?(-ee)?$ ]]; then
+    echo "v${gitaly_version}"
+  else
+    echo "${gitaly_version}"
+  fi
+}
+
 function deploy() {
   local namespace="${KUBE_NAMESPACE}"
   local release="${CI_ENVIRONMENT_SLUG}"
@@ -248,6 +317,7 @@ function deploy() {
   gitlab_webservice_image_repository="${IMAGE_REPOSITORY}/gitlab-webservice-ee"
   gitlab_task_runner_image_repository="${IMAGE_REPOSITORY}/gitlab-task-runner-ee"
   gitlab_gitaly_image_repository="${IMAGE_REPOSITORY}/gitaly"
+  gitaly_image_tag=$(parse_gitaly_image_tag)
   gitlab_shell_image_repository="${IMAGE_REPOSITORY}/gitlab-shell"
   gitlab_workhorse_image_repository="${IMAGE_REPOSITORY}/gitlab-workhorse-ee"
 
@@ -269,7 +339,7 @@ HELM_CMD=$(cat << EOF
     --set gitlab.migrations.image.repository="${gitlab_migrations_image_repository}" \
     --set gitlab.migrations.image.tag="${CI_COMMIT_REF_SLUG}" \
     --set gitlab.gitaly.image.repository="${gitlab_gitaly_image_repository}" \
-    --set gitlab.gitaly.image.tag="v${GITALY_VERSION}" \
+    --set gitlab.gitaly.image.tag="${gitaly_image_tag}" \
     --set gitlab.gitlab-shell.image.repository="${gitlab_shell_image_repository}" \
     --set gitlab.gitlab-shell.image.tag="v${GITLAB_SHELL_VERSION}" \
     --set gitlab.sidekiq.annotations.commit="${CI_COMMIT_SHORT_SHA}" \
author	GitLab Bot <gitlab-bot@gitlab.com>	2020-07-20 15:26:25 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2020-07-20 15:26:25 +0300
commit	a09983ae35713f5a2bbb100981116d31ce99826e (patch)
tree	2ee2af7bd104d57086db360a7e6d8c9d5d43667a /scripts/review_apps
parent	18c5ab32b738c0b6ecb4d0df3994000482f34bd8 (diff)