Closed michaelsauter closed 5 years ago
rattermeyer
commented
5 years ago Actually, I like the idea of the webhook proxy. I would also vote for deploying the proxy into the foo-cd project, rather than the general cd project.
Would it also be an option to use a s2i build in this case?
michaelsauter
commented
5 years ago Cool, thanks for feedback. I can look into whether s2i is an option. Also I have to check if the new OCP version allows multi-stage builds, which would also be handy in this case.
In addition to my proposal above, I realised that the webhook proxy could allow users to use a monorepo without loosing the capability to do individual pipelines/deployments. The basic idea would be to add a query param to the end of the webhook proxy url, e.g. ?dirs=frontend,backend and then the proxy would create/manage one pipeline per specified directory, pointing to the Jenkinsfile in them ... but yea, that would be something for later :)
michaelsauter
commented
5 years ago So s2i might be an option. However, the "official" golang s2i does not support Golang 1.11 on RHEL yet. So I opted for the simplest option, which is to just build the binary in the Docker image (which is now based on golang:1.11-alpineinsteas of alpine).
I'm now at a stage where the proxy image can be built in the cd namespace. In addition, we have a project-specific proxy running that is built that way and it works well. The next steps are:
cd-jenkins-persistent.yml template.All in all, not too much work left :)
michaelsauter
commented
5 years ago Done!
Currently, every component creates two Jenkins pipelines,
devandtest, as OCP resources. In addition, every repo has two webhooks (actually four, but two of them are pointless), which trigger both pipelines for every commit. Inside the pipeline, Jenkins checks whether the pipeline is responsible for the commit (test=master,dev=*) and then continues.This has several drawbacks:
Jenkinsfileis always grabbed frommasterinstead of from the current branch, so changes to theJenkinsfilecannot be tested inside a branchdevpipeline is responsible for all sorts of branches, so its build status is all over the placedevpipeline, we cannot run builds for different branches in parallelTo improve this situation, we have build a "webhook proxy" internally. This proxy provides one endpoint accepting webhooks from BitBucket and forwards them to the corresponding Jenkins pipeline (which is determined based on the branch name). If there is no corresponding pipeline yet, it will be created on the fly. Once a branch is deleted or a pull request declined/merged, the corresponding Jenkins pipeline is deleted automatically. The webhook proxy is a Go application - a single, no-dependency binary, produced from one file using just the standard library.
This works very reliable so far (tested in two initiatives for about a month) and solves all the pain points mentioned above.
To include it in OpenDevStack, the following has to be changed:
cdOCP namespace. This works well, but it requires that the user inside the pod can create/delete resources in all other namespaces. This should not be the case, we would rather have a proxy running in eachfoo-cdproject, and then the user only needs permissions to create/delete resources within its own project.oc start-build webhook-proxy --from-dir . --follow --namespace cd, which copies a binary in the current working dir into the Docker image. While this works well, it requires Go to be installed on the local system which is not something we would want to impose on an ODS user. We either need to create a Jenkins Go slave to build it there, or we would need to build the binary within the OCP build (which is probably the easier option, but increases the size of the Docker image - currently that is based on a barebonesalpineimage).devandtestpipelines from the OCP templates (they are not needed, themasterpipeline will be auto-created on the first push)FYI @tjaeschke @rattermeyer @clemensutschig @stitakis @gerardcl