.gitlab-ci.yml

# Unless explicitly stated otherwise all files in this repository are licensed
# under the Apache License Version 2.0.
# This product includes software developed at Datadog (https://www.datadoghq.com/).
# Copyright 2024 Datadog, Inc.

---
variables:
  CURRENT_CI_IMAGE: 0.5.1
  CONTROLLER_IMAGE_NAME: chaos-controller
  INJECTOR_IMAGE_NAME: chaos-injector
  HANDLER_IMAGE_NAME: chaos-handler
  SLACK_NOTIFIER_IMAGE: "registry.ddbuild.io/slack-notifier:v27627802-caa0581-sdm-gbi-focal@sha256:0b8ace5ad00b7be5e8430c5685c2a9b657a6e32f92c826102557146f0095adf5"

stages:
  - build
  - release-staging
  - release-prod
  - release-public
  - notify

.install-make: &install-make
  - apt-get update
  - apt-get install -y --no-install-recommends build-essential git

.docker-runner: &docker-runner
  image: registry.ddbuild.io/docker-push:1.7.0
  tags: ["runner:docker"]

# login into Docker Hub -- allows to not get rate-limited on releases
.docker-hub-login: &docker-hub-login
  <<: *docker-runner
  before_script:
    - echo "Logging into the Docker Hub"
    - DOCKER_REGISTRY_LOGIN=$(aws ssm get-parameter --region us-east-1 --name ci.chaos-engineering.docker_hub_login --with-decryption --query "Parameter.Value" --out text)
    - aws ssm get-parameter --region us-east-1 --name ci.chaos-engineering.docker_hub_pwd --with-decryption --query "Parameter.Value" --out text | docker login --username "$DOCKER_REGISTRY_LOGIN" --password-stdin docker.io

# main make build
build:make:
  <<: *docker-hub-login
  stage: build
  when: always
  script:
    - *install-make
    - export PATH="/usr/local/go/bin:${PATH}"
    - make GOBIN=/usr/local/go/bin install-go all docker-build-ebpf
  artifacts:
    paths:
      - bin/manager/manager_amd64
      - bin/manager/manager_arm64
      - bin/injector/injector_amd64
      - bin/injector/injector_arm64
      - bin/handler/handler_amd64
      - bin/handler/handler_arm64
      - bin/injector/ebpf/*

# build the target from the local Dockerfile and push it to the registry
# replication will depend on the TARGET_LABEL set by parent job
# we always push images with the exact commit SHA on top of any other TAG based images
.build-image: &build-image
  <<: *docker-hub-login
  id_tokens:
    DDSIGN_ID_TOKEN:
      aud: image-integrity
  script:
    - docker buildx create --use
    - *install-make
    - >
      make docker-build-only-all \
        CONTAINER_REGISTRY=registry.ddbuild.io \
        CONTAINER_TAG=${TAG} \
        CONTAINER_VERSION=${CI_COMMIT_SHA} \
        CONTAINER_BUILD_EXTRA_ARGS='-t $$(CONTAINER_NAME):$(CONTAINER_VERSION)'" --platform=linux/amd64,linux/arm64 --label target=${TARGET_LABEL} --push" \
        SIGN_IMAGE=true
  dependencies:
    - build:make

# release a ref on the staging ECRs
.release-staging: &release-staging
  <<: *build-image
  stage: release-staging

# pre-release-tag
# build a tag image tag for controller images
.release-prod: &release-prod
  <<: *build-image
  stage: release-prod

release-staging-ref:
  <<: *release-staging
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_COMMIT_BRANCH =~ /^.*-staging$/
      when: on_success
    - when: manual
      allow_failure: true
  variables:
    TARGET_LABEL: "staging"
    TAG: "${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}"

release-prod-ref:
  <<: *release-prod
  when: manual
  except:
    - tags
  variables:
    TARGET_LABEL: "prod"
    TAG: "${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}"

release-staging-tag:
  <<: *release-staging
  when: manual
  only:
    - tags
  variables:
    TARGET_LABEL: "staging"
    TAG: "${CI_COMMIT_TAG}"

release-prod-tag:
  <<: *release-prod
  when: always
  only:
    - tags
  variables:
    TARGET_LABEL: "prod"
    TAG: "${CI_COMMIT_TAG}"

## Docker Hub Release

.release-docker-hub: &release-docker-hub
  <<: *docker-hub-login
  stage: release-public
  tags: ["runner:docker"]
  script:
    - docker buildx create --use
    - *install-make
    - >
      make docker-build-only-all \
        CONTAINER_REGISTRY=docker.io/datadog \
        CONTAINER_TAG=${TAG} \
        CONTAINER_VERSION=${CI_COMMIT_SHA} \
        CONTAINER_BUILD_EXTRA_ARGS="--platform=linux/amd64,linux/arm64 --label target=${TARGET_LABEL} --push" \
        SIGN_IMAGE=false
  dependencies:
    - build:make

release-docker-hub-ref:
  <<: *release-docker-hub
  when: manual
  except:
    - tags
  variables:
    TARGET_LABEL: "prod"
    TAG: "${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}"

release-docker-hub-tag:
  <<: *release-docker-hub
  when: always
  only:
    - tags
  variables:
    TAG: "${CI_COMMIT_TAG}"

# Slack Notify
.slack-notifier-base:
  tags: ["runner:main", "size:large"]
  image: $SLACK_NOTIFIER_IMAGE
  allow_failure: true
  when: on_failure
  script:
    - BUILD_URL="$CI_PROJECT_URL/pipelines/$CI_PIPELINE_ID"
    - 'MESSAGE_TEXT=":siren: | $CI_PIPELINE_NAME Pipeline Failure | [ $CI_PROJECT_NAME ][ $CI_COMMIT_REF_NAME ] [ <$BUILD_URL|$CI_PIPELINE_ID> ]   :siren:"'
    - postmessage "#chaos-ops" "$MESSAGE_TEXT"

slack-notifier-build.on-failure:
  extends: .slack-notifier-base
  variables:
    CI_PIPELINE_NAME: "Build"
  stage: build
  only:
    - main
    - tags

.slack-notifier-release-staging: &slack-notifier-release-staging
  image: $SLACK_NOTIFIER_IMAGE
  tags: ["runner:main"]
  stage: notify
  only:
    - /^.*-staging$/
  script:
    - /usr/local/bin/notify.sh

slack-notifier-release-staging.on-success:
  <<: *slack-notifier-release-staging
  when: on_success
  variables:
    MESSAGE: ":check: | Staging Image Build Complete | [ $CI_PROJECT_NAME ][ $CI_COMMIT_REF_NAME ][ $CI_COMMIT_SHA ]"

slack-notifier-release-staging.on-failure:
  <<: *slack-notifier-release-staging
  when: on_failure
  variables:
    MESSAGE: ":siren: | Staging Image Build Failed | [ $CI_PROJECT_NAME ][ $CI_COMMIT_REF_NAME ][ $CI_COMMIT_SHA ] :siren:"