Fix GCP jobs to use a more generic helm based job template

dee965b9 · David Hoese · f49d090e · dee965b9 · dee965b9 · dee965b9
Verified Commit dee965b9 authored 4 years ago by David Hoese
--- a/admin/GCP_README.md
+++ b/admin/GCP_README.md
@@ -35,7 +35,10 @@ Next, go to your GCP Console, click the menu in the upper-left and go to
 "Project Settings". From there click on "Service Accounts" and then
 "+ CREATE SERVICE ACCOUNT". Follow the instructions to create your service
 account. To give your SA permission to create resources on your Kubernetes
-cluster give it at least the "roles/container.developer" role. See
+cluster give it at least the "roles/container.developer" role
+(Kubernetes Engine Developer). Some helm charts may want to create resources
+like "Roles" (for RBAC) which will require more permissions. One existing
+role that includes these permissions is Kubernetes Engine Service Agent. See
 https://cloud.google.com/iam/docs/understanding-roles#kubernetes-engine-roles
 for more information.

--- a/ci_gcp/gitlab-ci.yaml
+++ b/ci_gcp/gitlab-ci.yaml
 # This file is included as part of the main repository .gitlab-ci.yml file
-.gcloud_base:
-  extends: .helm_based_job
-  before_script:
-    - export KUBECONFIG="/root/.kube/config"
-    - gcloud --verbosity=debug auth activate-service-account "${GEOSPHERE_DEPLOY_GCP_SA_EMAIL}" --key-file="${GEOSPHERE_DEPLOY_GCP_SA_KEY}"
-    # If this produces a warning about not having permission make sure the SA
-    # has the project "Viewer" role. If it still produces a warning then try
-    # enabling this Cloud Resource Manager API. See admin/GCP_README.md
-    # for more information.
-    - gcloud --verbosity=debug config set project "${GEOSPHERE_DEPLOY_GCP_PROJECT_NAME}"
-    - gcloud --verbosity=debug container clusters get-credentials "${GEOSPHERE_DEPLOY_GCP_CLUSTER_NAME}" --zone "${GEOSPHERE_DEPLOY_GCP_ZONE_NAME}";
-    - helm registry login -u ${CI_REGISTRY_USER} -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
-#    - helm repo add stable https://kubernetes-charts.storage.googleapis.com
-#    - helm repo update
-  rules:
-    - if: $CI_COMMIT_TAG !~ /^gcp-r[0-9]+_[0-9]+/
-      when: never
-    - when: on_success
 test gcp connection:
-  extends: .gcloud_base
+  extends: .helm_based_job
  stage: test
  # don't need any artifacts for this to run
  dependencies: []
@@ -32,7 +13,7 @@ test gcp connection:
      fi
 gcp create geotiff storage:
-  extends: .gcloud_base
+  extends: .helm_based_job
  stage: create storage
  script:
    - ns=$(./helpers/get_namespace.sh)
@@ -48,7 +29,7 @@ gcp create geotiff storage:
    - if: $CREATE_STORAGE
 gcp create postgres storage:
-  extends: .gcloud_base
+  extends: .helm_based_job
  stage: create storage
  script:
    - ns=$(./helpers/get_namespace.sh)
@@ -63,7 +44,7 @@ gcp create postgres storage:
    - if: $CREATE_STORAGE
 gcp create shapefile storage:
-  extends: .gcloud_base
+  extends: .helm_based_job
  stage: create storage
  script:
    - ns=$(./helpers/get_namespace.sh)
@@ -79,7 +60,7 @@ gcp create shapefile storage:
    - if: $CREATE_STORAGE
 gcp deploy rabbit:
-  extends: .gcloud_base
+  extends: .helm_based_job
  stage: deploy infrastructure
  script:
    - ./helpers/deploy_rabbitmq.sh ci_gcp
@@ -96,7 +77,7 @@ gcp deploy rabbit:
    - if: $DEPLOY_RABBIT
 gcp deploy postgres:
-  extends: .gcloud_base
+  extends: .helm_based_job
  stage: deploy infrastructure
  script:
    - ./helpers/deploy_postgis.sh ci_gcp
@@ -113,7 +94,7 @@ gcp deploy postgres:
    - if: $DEPLOY_POSTGIS
 gcp deploy grb:
-  extends: .gcloud_base
+  extends: .helm_based_job
  stage: deploy GRB
  script:
    - ns=$(./helpers/get_namespace.sh)
@@ -169,7 +150,7 @@ gcp deploy mapcache:
    - when: on_success
 gcp deploy client:
-  extends: .gcloud_base
+  extends: .helm_based_job
  stage: deploy Client
  script:
    - ns=$(./helpers/get_namespace.sh)

--- a/helpers/helm_base.yaml
+++ b/helpers/helm_base.yaml
@@ -7,7 +7,14 @@
    - export HELM_EXPERIMENTAL_OCI="1"
    - docker info
    - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
-#    - source ./helpers/shell_aliases.sh
+    # If this produces a warning about not having permission make sure the SA
+    # has the project "Viewer" role. If it still produces a warning then try
+    # enabling this Cloud Resource Manager API. See admin/GCP_README.md
+    # for more information.
+    - if [[ $CI_COMMIT_TAG !~ /^gcp-r[0-9]+_[0-9]+/ ]]; then
+        export KUBECONFIG="/root/.kube/config";
+        gcloud --verbosity=debug auth activate-service-account "${GEOSPHERE_DEPLOY_GCP_SA_EMAIL}" --key-file="${GEOSPHERE_DEPLOY_GCP_SA_KEY}";
+        gcloud --verbosity=debug config set project "${GEOSPHERE_DEPLOY_GCP_PROJECT_NAME}";
+        gcloud --verbosity=debug container clusters get-credentials "${GEOSPHERE_DEPLOY_GCP_CLUSTER_NAME}" --zone "${GEOSPHERE_DEPLOY_GCP_ZONE_NAME}";
+      fi
    - helm registry login -u ${CI_REGISTRY_USER} -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
-#    - helm repo add stable https://kubernetes-charts.storage.googleapis.com
-#    - helm repo update