Deploying from ops.gitlab.net
Background
Runway workloads that could critically impact gitlab.com’s availability can be deployed from ops.gitlab.net. This decouples the workload’s deployment process from the health of gitlab.com and allows for rollbacks/rollforwards during outages.
Summary of the process:
- As a Runway service owner, you need to ensure your service project is mirrored to
ops.gitlab.net
and file the provisioner MR to add/update your workload. - As a Runway maintainer, you need to review (but not merge) the provisioner change. You also need to file the CR for performing the Terraform state migration.
- As a Runway maintainer, once the CR is approved, you need to follow the steps in the CR.
As a Runway service owner
This process assumes that your service repository is currently managed (or will
be managed) by
infra-mgmt
, which is a
repository (powered by Terraform) that manages projects and groups across
gitlab.com and ops.gitlab.net. It makes setting up and managing projects and
groups, mirrors and Vault configuration very easy.
The following steps will create (or manage) your canonical service repository and
configure push mirroring to ops.gitlab.net
:
-
Create a GitLab project on
ops.gitlab.net
for the service projectThis repository will be the mirror for your canonical service repository.
You can create this repository using the infra-mgmt tooling by creating a
project_*.tf
file in the ops-gitlab-net directory. Refer to topology-service-deployer. -
Create (or manage) your service repository on gitlab.com
For reference, take a look at how topology-service is configured. You will need to create a
project_*.tf
file similar to this and tweak it to your liking. -
Configure push mirroring
In the same file that you edited in the previous step, you need to add a few lines to configure the push mirror settings. We will use a Personal Access Token (PAT) from the
ops-gitlab-net
user for this, which we can lookup in Vault using adata
source.The configuration should look like this:
-
Add (or update) your Runway workload to provisioner
Open an MR on the provisioner project that either adds (if it does not exist) or updates your Runway workload entry with the
deploy_from_ops
field:This MR will need to be reviewed and merged by a Runway maintainer (see next section).
As a Runway maintainer
Runway maintainers need to review the provisioner MR for creating or transitioning a Runway workload to ops.gitlab.net
.
The maintainer will perform the migration of Terraform state from gitlab.com to ops.gitlab.net as part of a change management process.
-
Review provisioner MR to set up ops deployment dependencies
Ensure
deploy_from_ops
is set withenabled: true
and validate the service project IDs. There should be aproject_id
setting abovedeploy_from_ops
that references the service project ID ongitlab.com
, and anotherproject_id
nested belowdeploy_from_ops
that references the service project ID onops.gitlab.net
. -
Set up a local environment for running the migration script
-
Create a temporary folder in a path of your choosing containing 2 files (
.env.sh
andmain.tf
). The.terraform
folder will be created in this folder during the migration process. -
Create a Project Access Token (PrAT) for both deployment projects with a short expiry (long enough to get the CR executed). The token should have
api
scope and maintainer access level. -
Populate an
.env.sh
file like the following ensuring you fill out the values: -
Prepare a
main.tf
for bootstrapping the initialization.
-
-
Open a Change Management issue
You need to create an issue in the production issue tracker using the
change_management
template.For the change steps, you may use the following as a guideline:
Refer to the change management page in the handbook for information on change criticalities, approvals needed, etc.
-
Update infra-mgmt
Add the Runway service id into the
local.projects_deploying_from_ops
list.This will create a project access token for the ops.gitlab.net deployment project which enables the gitlab.com deployment project to perform dry-run jobs.