Page MenuHomePhabricator
Create Task
Maniphest T287211

Figure out the future of (or replacements for) PipelineLib in a GitLab world
Closed, ResolvedPublic
Actions

Description

This task is something of a loosely-sketched placeholder, but I figured I should get this conversation started.

We plan to migrate CI to GitLab, which in practice means using .gitlab-ci.yml.

Comparison

There's a lot of overlap between .gitlab-ci.yml concepts and what PipelineLib and our .pipeline/config.yaml provide. Below is a simple requirements/feature matrix based off of current PipelineLib features that should be filled in to compare against GitLab's CI features and used to further evaluate the cost/benefit of migrating vs. porting.

A red flag question mark (❓) denotes an item needing more research. A red flag (🚩) denotes an item where the answer is mostly known, concerning, and would require a workaround.

CategoryFeatureGitLab CI (How it could be done)PipelineLib (How it's done now)
Running jobsenvironment imagesarbitrary image ref [1]local Blubber config/variant
argumentssimple configsimple config
environment variablessimple configsimple config
custom executiondefined stages or DAGdefined DAG
credentialsmasked group/project level variableswhitelisted by admin and bound in config
save/pass artifactssimple config and central storesimple config and local build context (temporary)
process outputusing artifacts.output run-stage variables
Building imagesimage definitionsBlubber configBlubber config
image builderssimple config (via include that uses BuildKit + Blubber; see T308271)blubberoid + docker
operator constraintsBlubber conventionsBlubber conventions/policy
Publishing imagesnaming/taggingsimple config (via include)simple config
push to registrysimple config (via include that uses existing GitLab JSON Web Token; see T308501)hidden credentials (docker-pusher)
registry/repo enforcementenforced by jwt-authorizerenforced by admin
Testing deploymentstaging deploymentuser script (helm) but k8s credentials exposed 🚩simple config
testing deploymentuser script (helm test or other) but k8s credentials exposed 🚩simple config
Promoting versionbumping chart valueuser script (git commit/review) but needs downstream git creds 🚩simple config
  1. Are users restricted to external image refs or can they specify a locally built image (without first publishing it)? It's not clear whether a restriction would be of concern.
  2. Using docker-in-docker is a security concern as it would require privileged containers.

Evaluation

Given the comparison. Can we answer the following?

  1. Is .pipeline/config.yaml or something like it still a desirable abstraction for Wikimedia projects? updated: Not enought to port and maintain. We will likely rely directly on .gitlab-ci-yml and provide includes for backwards compatibility.
  2. If so, what parts would need ported over from the current Groovy implementation and where would they fit? updated: No porting. We'll provide GitLab CI includes*
  3. If not, what do we need to do to migrate existing projects / users to a pure GitLab CI approach? updated: See above

I think @dduvall probably best knows the current PipelineLib implementation and design goals; hoping for input from @dancy and @jeena as well.

Related Objects

Event Timeline

brennen created this task.Jul 22 2021, 8:43 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 22 2021, 8:43 PM
dduvall awarded a token.Jul 22 2021, 8:55 PM
thcipriani edited projects, added Release-Engineering-Team (Doing); removed Release-Engineering-Team.Jul 27 2021, 5:20 PM
brennen moved this task from Backlog to Next on the User-brennen board.Jul 29 2021, 1:27 PM
Izno subscribed.Aug 29 2021, 9:54 PM
brennen moved this task from Next to Doing on the User-brennen board.Sep 1 2021, 7:04 PM
brennen moved this task from Migration to Next on the GitLab board.Sep 1 2021, 7:58 PM
dduvall triaged this task as Medium priority.Sep 1 2021, 10:21 PM
dduvall updated the task description. (Show Details)
dduvall updated the task description. (Show Details)
dduvall updated the task description. (Show Details)
Jimman2003 subscribed.Sep 1 2021, 10:25 PM

maybe https://docs.gitlab.com/ee/user/admin_area/credentials_inventory.html for creds?

dduvall added a comment.EditedSep 1 2021, 10:27 PM

I've started a feature comparison table in the description to explore what requirements PipelineLib is currently satisfying, how GitLab CI might be able to meet those requirements, and what requirements would remain unfulfilled (where a GitLab or external solution is needed).

dduvall added a comment.Sep 1 2021, 10:29 PM
In T287211#7326398, @Jimman2003 wrote:

maybe https://docs.gitlab.com/ee/user/admin_area/credentials_inventory.html for creds?

Thanks for linking that. @brennen do you have thoughts?

dduvall updated the task description. (Show Details)Sep 1 2021, 10:43 PM
dduvall updated the task description. (Show Details)
Jimman2003 awarded a token.Sep 1 2021, 10:48 PM
dduvall updated the task description. (Show Details)Sep 1 2021, 10:58 PM
dancy updated the task description. (Show Details)Sep 2 2021, 2:56 PM
brennen added a comment.Sep 2 2021, 4:37 PM

Thanks for linking that. @brennen do you have thoughts?

I think this is more for tracking GitLab-specific user credentials (and I'm not clear if it's available in GitLab CE), but I'll have to take a closer look.

Thanks for the detailed breakdown of features! I'm AFK for the next several days, but this is top of my list to dig into once I'm back.

Jimman2003 added a comment.EditedSep 2 2021, 4:55 PM

yeah, it is for the self-hosted ultimate edition (but not gitlab-specific) creds :(

Addshore subscribed.Sep 13 2021, 9:14 PM
dduvall mentioned this in T291017: Proof of concept for Buildpacks as WMF image build tool in GitLab.Sep 14 2021, 10:42 PM
brennen moved this task from Next to Inbox on the GitLab board.Sep 21 2021, 7:26 PM
brennen moved this task from Inbox to CI & Job Runners on the GitLab board.Sep 21 2021, 7:47 PM
brennen edited projects, added GitLab (CI & Job Runners); removed GitLab.
brennen moved this task from Doing to Radar on the User-brennen board.Sep 28 2021, 9:56 PM
brennen added a project: Security-Team.Sep 28 2021, 10:42 PM

Tagging Security-Team for awareness, per discussion.

sbassett added a project: SecTeam-Processed.Oct 26 2021, 7:52 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett subscribed.
In T287211#7386319, @brennen wrote:

Tagging Security-Team for awareness, per discussion.

The only comments the Security-Team have right now are:

  1. Some of the red flags seem a bit concerning, especially if there's no immediately obvious work-around or alternative.
  2. The above ^ is disappointing in that the seemingly obvious choice would be to heavily leverage Gitlab's CI/CD features as that was, in our mind anyways, a key selling point of migrating to Gitlab and a baseline assumption we are making in the development of our appsec ci/pipeline work (T289290).
LSobanski subscribed.Dec 16 2021, 10:14 AM
bd808 subscribed.Mar 9 2022, 11:01 PM
hashar removed a project: Continuous-Integration-Infrastructure.Apr 20 2022, 1:43 PM
sbassett mentioned this in T307523: Investigate container scanning options within the context of the Gitlab appsec pipeline.May 3 2022, 9:33 PM
sbassett mentioned this in T308789: Determine CI best practices for service which connects to MySQL.Jun 8 2022, 7:04 PM
dduvall added a comment.Jun 8 2022, 9:37 PM

A lot of progress was made during Release Engineering's recent Release-Engineering-Team (GitLab-a-thon 🦊) sprint. In short, we're very close to having a working image build system leveraging BuildKit (see T308271: Deploy buildkitd to trusted GitLab runners) and an auth scheme in place to allow trusted runners secure access to the production registry (see T308501: Authenticate trusted runners for registry access against GitLab using temporary JSON Web Token).

We'll continue to maintain and use Blubber for image building as it now features a native BuildKit based frontend. Other configuration options may be made available in the future as the number of frontends for BuildKit is growing (and many build tools like docker build/buildx and Kaniko are using BuildKit under the hood).

I will update the table in the description to better reflect the progress we've made. There are still open questions as to how to provide feature parity with PipelineLib but I believe at this point it's safe to say we'll be promoting use of .gitlab-ci.yaml for CI configuration and providing includes to achieve a degree of backwards compatibility with PipelineLib.

dduvall updated the task description. (Show Details)Jun 8 2022, 9:51 PM
dduvall updated the task description. (Show Details)Jun 8 2022, 9:55 PM
gmodena subscribed.Sep 1 2022, 5:55 PM
thcipriani edited projects, added Release-Engineering-Team (Priority Backlog 📥); removed Release-Engineering-Team (Doing).Sep 7 2022, 3:51 PM
dancy added a subtask: T327332: Make a tool to convert .pipeline/config.yaml to .gitlab-ci.yaml.Jan 18 2023, 7:11 PM
thcipriani edited projects, added Release-Engineering-Team (GitLab IV: Mise En Place 🍱); removed Release-Engineering-Team (Priority Backlog 📥).Jan 19 2023, 3:48 PM
dduvall closed this task as Resolved.Jan 19 2023, 5:08 PM
dduvall claimed this task.
dduvall removed a subtask: T327332: Make a tool to convert .pipeline/config.yaml to .gitlab-ci.yaml.

This is done. Evaluation has long been done and we have a working image build system that can also publish (and soon will perform test deployments).

dancy moved this task from Backlog to Done on the Release-Engineering-Team (GitLab IV: Mise En Place 🍱) board.Jan 23 2023, 5:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL