{% if from_ccsteam %}.gitlab-ci.yml{% endif %}.jinja

# YAML objects named with dot is anchors, which are not recognized as jobs
.run_bot: &run_bot
  - docker rm -f ${CONTAINER_NAME} || true
  - docker pull ${CONTAINER_RELEASE_IMAGE}
  # Add envs for app here. Don't forget to add them in example.env and docker-compose files.
  - docker run
    -d
    $MEMORY_LIMIT
    --name ${CONTAINER_NAME}
    --restart always
    --label traefik.http.routers.${BOT_PROJECT_NAME}.rule="Host(\`${BOT_URL}\`)"
    --label traefik.enable=true
    --label traefik.http.services.${BOT_PROJECT_NAME}.loadbalancer.server.port="8000"
    --log-opt max-size=10m
    --log-opt max-file=5
    -e POSTGRES_DSN="${POSTGRES_DSN}"
    -e REDIS_DSN="${REDIS_DSN}"
    -e BOT_CREDENTIALS="${BOT_CREDENTIALS}"
    -e DEBUG="${DEBUG:-false}"
    ${CONTAINER_RELEASE_IMAGE}
  {% if add_worker -%}
  - docker rm -f ${CONTAINER_NAME}-worker || true
  # Add envs for worker here
  - docker run
    -d
    $MEMORY_LIMIT_WORKER
    --name ${CONTAINER_NAME}-worker
    --restart always
    --log-opt max-size=10m
    --log-opt max-file=5
    -e POSTGRES_DSN="${POSTGRES_DSN}"
    -e REDIS_DSN="${REDIS_DSN}"
    -e BOT_CREDENTIALS="${BOT_CREDENTIALS}"
    -e DEBUG="${DEBUG:-false}"
    ${CONTAINER_RELEASE_IMAGE}
    bash -c 'PYTHONPATH="$PYTHONPATH:$PWD" saq app.worker.worker.settings'
  {%- endif %}

.create_db: &create_db
  - psql -c "create user \"${POSTGRES_USER}\"" postgres || true
  - psql -c "alter user \"${POSTGRES_USER}\" with password '${POSTGRES_PASSWORD}'" postgres
  - psql -c "create database \"${POSTGRES_DB}\" with owner \"${POSTGRES_USER}\"" postgres || true

.install_dependencies: &install_dependencies
  - echo -e "machine ${GIT_HOST}\nlogin gitlab-ci-token\npassword ${CI_JOB_TOKEN}" > ~/.netrc
  - pip install -q poetry
  - poetry config virtualenvs.in-project true
  - poetry install

.cache_dependencies: &cache_dependencies
  key:
    files:
      - poetry.lock
    prefix: "venv"
  paths:
    - .cache/pip
    - .venv

.postgres_envs: &postgres_envs
  - POSTGRES_USER=${CONTAINER_NAME}
  - POSTGRES_DB=${CONTAINER_NAME}
  - POSTGRES_PASSWORD=$(openssl rand -hex 16)
  - POSTGRES_HOST=${PROD_POSTGRES_HOST}
  - POSTGRES_DSN=postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST/$POSTGRES_DB

# Jobs
variables:
  GIT_DEPTH: 1  # Fetch only latest commit
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"

stages:
  - check
  - build
  - security
  - deploy

default:
  interruptible: true

lint:
  image: python:3.10
  stage: check
  tags:
    - docker
  cache: *cache_dependencies
  before_script:
    - *install_dependencies
  script:
    - poetry run ./scripts/lint

test:
  image: python:3.10
  stage: check
  tags:
    - docker
  services:
    - postgres:15.3-alpine
    - redis:7.0-alpine
  cache: *cache_dependencies
  variables:
    BOT_CREDENTIALS: cts.example.com@secret@123e4567-e89b-12d3-a456-426655440000
    POSTGRES_DSN: postgres://postgres:postgres@postgres/postgres
    REDIS_DSN: redis://redis/0
  before_script:
    - *install_dependencies
  script:
    - poetry run pytest --cov-config=setup.cfg
  coverage: '/Total coverage: \d\d\d.\d\d%/'

security:
  stage: security
  allow_failure: true
  trigger:
    include:
      - project: devsecops/pipelines
        file: integration_templates/python.yml


build:
  image: docker:latest
  stage: build
  tags:
    - docker
  before_script:
    - docker info
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - CONTAINER_RELEASE_IMAGE="$CI_REGISTRY_IMAGE:${CI_COMMIT_TAG:-$CI_COMMIT_REF_SLUG}"
  script:
    - docker pull $CONTAINER_RELEASE_IMAGE || true
    - docker build
      --cache-from $CONTAINER_RELEASE_IMAGE
      --build-arg GIT_HOST=$GIT_HOST
      --build-arg CI_JOB_TOKEN=$CI_JOB_TOKEN
      --build-arg CI_COMMIT_SHA=$CI_COMMIT_SHA
      --force-rm
      -t $CONTAINER_RELEASE_IMAGE .
    - docker push $CONTAINER_RELEASE_IMAGE
    - docker rmi $CONTAINER_RELEASE_IMAGE

deploy.botstest:
  image: docker:latest
  stage: deploy
  tags:
    - bots-test
  only:
    - branches
  when: manual
  environment:
    name: test
    on_stop: deploy.botstest.stop
  variables:
    # https://docs.gitlab.com/ee/ci/runners/configure_runners.html#git-strategy
    GIT_STRATEGY: none
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - if [ -z ${BOT_PROJECT_NAME:-} ]; then BOT_PROJECT_NAME=${CI_PROJECT_PATH_SLUG#"$CI_PROJECT_NAMESPACE-"}; fi
    - CONTAINER_NAME=$BOT_PROJECT_NAME
    - CONTAINER_RELEASE_IMAGE="$CI_REGISTRY_IMAGE:${CI_COMMIT_TAG:-$CI_COMMIT_REF_SLUG}"
    - BOT_URL="${BOT_PROJECT_NAME}.${DEV_SERVER_HOST}"
    - BOT_CREDENTIALS=$DEV_BOT_CREDENTIALS
    - *postgres_envs
    - REDIS_DSN=redis://${DOCKER_NETWORK_IP}/1
  script:
    - echo "Use URL 'https://${BOT_URL}/' in your cts admin site"
    - echo "Using credentials ${BOT_CREDENTIALS}"
    - echo "Deploing Docker container ${CONTAINER_NAME}"
    - *create_db
    - *run_bot

deploy.botstest.stop:
  when: manual
  environment:
    name: test
    action: stop
  extends: deploy.botstest
  script:
    - docker rm -f ${CONTAINER_NAME} || true
    {% if add_worker -%}
    - docker rm -f ${CONTAINER_NAME} ${CONTAINER_NAME}-worker || true
    {%- endif %}  
    - psql -c "select pg_terminate_backend(pid) from pg_stat_activity \
      where datname = '${POSTGRES_DB}';" postgres || true
    - psql -c "drop database \"${POSTGRES_DB}\"" postgres || true
    - psql -c "drop user \"${POSTGRES_USER}\"" postgres || true

deploy.botsprod:
  stage: deploy
  image: docker:latest
  tags:
    - bots-prod
  only:
    # Note the bots-prod worker requires branch to be protected
    - master
  when: manual
  environment:
    name: production
  variables:
    # https://docs.gitlab.com/ee/ci/runners/configure_runners.html#git-strategy
    GIT_STRATEGY: none
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - if [ -z ${BOT_PROJECT_NAME:-} ]; then BOT_PROJECT_NAME=${CI_PROJECT_PATH_SLUG#"$CI_PROJECT_NAMESPACE-"}; fi
    - CONTAINER_NAME=$BOT_PROJECT_NAME
    - CONTAINER_RELEASE_IMAGE="$CI_REGISTRY_IMAGE:${CI_COMMIT_TAG:-$CI_COMMIT_REF_SLUG}"
    - BOT_URL="${BOT_PROJECT_NAME}.${PROD_SERVER_HOST}"
    - *postgres_envs
    - REDIS_DSN=redis://${DOCKER_NETWORK_IP}/1
    - MEMORY_LIMIT=--memory=100m
    {% if add_worker -%}
    - MEMORY_LIMIT_WORKER=-memory=130m
    {%- endif %}
  script:
    - echo "Use URL 'https://${BOT_URL}/' in your cts admin site"
    - echo "Using credentials ${BOT_CREDENTIALS}"
    - echo "Deploing Docker container ${CONTAINER_NAME}"
    - *create_db
    - *run_bot
  needs:
    - job: security