►
From YouTube: GitLab.com Kubernetes Deployment Pipelines
Description
Rehab Hassanein and John Skarbek discuss the pipelines for how we deploy configuration changes and deployments for GitLab.com
Timeline:
* 00:24 - Configuration Pipelines
* 09:39 - Why we use a different instance to Deploy changes to GitLab.com
* 11:15 - Auto-Deploy Pipelines
References:
* GitLab.com Configuration Repository: https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-com
* GitLab Helm Chart: https://gitlab.com/gitlab-org/charts/gitlab/
* Reference Issue for this video and more to come: https://gitlab.com/gitlab-com/gl-infra/infrastructure/-/issues/13980 - Drop a comment for some ideas of what to cover!
B
B
All
of
those
are
cases
where
we
have
a
specific
style
of
pipeline
that
runs.
It
starts
with
our
non-prod
environments.
It
moves
on
to
our
production
environments
over
the
course
of
the
length
of
the
pipeline
or,
however,
the
person
committing
the
changes
chooses
to
roll
the
change
out.
Some
changes
are
safe
to
roll
across
the
entire
pipeline.
Some
are
not
that
all
depends
on
what
that
specific
change
is
all
that
is
to
be
evaluated
by
the
engineer
at
that
moment
in
time.
B
B
This
may
seem
like
a
deployment
style
configuration
change,
but
the
container
registry
does
not
have
the
tooling
necessary
to
auto
deploy
itself,
so
this
falls
into
the
category
of
the
configuration
change.
So
if
we
look
at
the
diff
we'll
see
that
we
have
a
file,
that's
specific
to
staging,
we
are
bumping
the
version.
We
have
a
file
specific
to
the
pre-prod
environment
and
we
are
bumping
the
version
here.
B
B
In
order
to
make
that
process
a
little
easier
for
the
person
who
is
doing
the
reviews,
we
have
links
that
come
from
ops
and
provide
us
with
the
necessary
details
to
link
us
to
where
those
pipelines
are.
So
if
we
click
on
this
excellent
link
inside
this
comment,
we
get
dropped
into
the
pipeline.
That's
run
on
the
ops
instance
that
gives
us
the
details
of
what
that
merge.
Request
is
attempting
to
do
so.
In
this
particular
case,
the
reviewer
is
going
to
see.
B
B
Unfortunately,
we
were
running
this
across
all
environments,
future
improvement,
but
what
the
reviewer
would
do
is
they
would
click
on
the
necessary
pipelines.
I'll
look
at
three
very
quickly
and
we'll
see
that
we
have
a
change
which
I'm
not
going
to
talk
about
because
it's
out
of
the
scope
of
this
particular
discussion.
B
But
what
we
have
is
a
change
to
our
configuration
map,
which
contains
our
version
of
the
application.
So
this
is
probably
some
configuration
inside
of
the
container
registry
that
requires
this
and
then
because
of
that
configuration
map
change.
We
also
see
that
change
happening
in
our
deployment
as
well,
where
the
sha
sum
of
that
config
map
gets
updated.
But
the
most
important
thing
that
we
see
is
that
for
the
registry
container
we
see
that
the
version
is
updated.
B
So
this
these
dry
run
drops
provide
us
a
diff
mechanism
for
which
we
can
see
what
changes
are
being
proposed
by
the
person
that
is
asking
for
the
change
and
if
we
go
to
staging,
the
container
registry
does
not
run
here.
So
we
do
not
see
those
dip
jobs
there
for
our
staging
environment,
which
does
run
the
container
registry,
you
can
see
that
we
do
have
the
same
precise
version
bump
happening
in
all
the
necessary
locations.
B
B
A
B
B
We
still
have
both
our
dry
runs
run
for
production
and
we
still
have
later
down
in
the
pipeline
stuff
that
goes
to
our
production
environments
as
well
I'll
discuss
that
in
a
second.
But
here
these
dry
runs
are
essentially
a
repeat
of
what
the
merge
request
was,
but
we
had
the
additional
stage
where
we
actually
performed
the
deploy
of
those
changes.
B
B
There's
like
a
five
minute
wait
period
between
each
time
it
attempts
to
mirror.
So,
if
we're
inside
of
that
five
minute
window,
we'll
see
awkward
things
inside
of
the
diff
that
may
not
necessarily
match
up
now,
hopefully
the
person
who's
doing.
The
review
is
aware
that
there
might
be
multiple
merge
requests
happening,
but
currently
there's
no
protection.
That
states
hey.
Let's
wait
for
this
to
occur.
What
we
do
have
in
place
in
ci
is
we
set
a
we're
leveraging?
The
resource
groups,
I
believe,
is
what
it's
called
that
way.
B
B
The
other
case
in
which
we
would
see
a
differing
diff
show
up
is
if
a
merge
request
is
merged
during
an
auto
deploy
that
is
active
now.
That
has
to
be
timed
very
at
the
right
moment
in
time
and
for
the
right
environment,
and
hopefully
again,
we
mitigate
that
with
the
fact
that
we're
using
resource
groups
as
well.
B
So
continuing
forward
after
we
actually
perform
deploy,
we
run
a
qa,
and
this
just
reaches
out
to
our
quality
project
to
initiate
smoke
tests
specifically
and
as
long
as
that
passes,
we'll
continue
forward
with
the
rest
of
our
pipeline,
which
includes
production.
This
particular
merge
request
only
impacted
staging,
so
these
jobs
were
essentially
no
ops
and
if
I
go
into
one
of
these,
we'll
see
that
no
upgrade
actually
occurred,
we'll
see
that
we
did
a
comparison
well,
this
is
canary.
So
this
is
called
lab
canary.
B
We
did
a
comparison,
but
there
was
no
changes,
so
nothing
actually
happened
in
this
job
at
all
and
same
thing
for
the
rest
of
these
production
jobs.
One
thing
that
you'll
note
that
pre-prod,
I
actually
had
a
failed
qa
for
this
particular
merge
request.
Pre-Pride,
that's
a
very
specific
environment.
We
don't
care
it's
okay,
that
this
qa
pipeline
failed
for
pre-prod
staging
is
different.
If
this
fails,
these
this
pipeline
will
not
continue.
B
So
gitlab.com
is
where
we
do
everyday
work
for
our
transparency
value.
We
want
to
be
as
public
as
possible
or
public
first.
I
guess
so.
Therefore,
all
the
work
that
we
do
all
the
reviews,
all
our
commits
and
merge
requests
all
that
is
in
the
public
forum,
but
gitlab.com
cannot
depend
on
itself.
So
we
don't
want
to
provide
the
ci
runners
that
operate
inside
of.com
access
to
the
dot
com
infrastructure
that
would
be
unsafe
if
we
had
a
security
breach
of
some
kind.
B
B
Ops
is
what
has
the
necessary
runners,
which
have
the
necessary
access
to
talk
to
our
clusters.
That
wave.com
is
down.
The
ops
instance
can
then
be
used
as
a
backup
mechanism
to
submit
the
necessary
merge
request
to
make
the
necessary
change,
and
those
runners
are
the
ones
that
have
the
necessary
access
to
speak
to
our
clusters
and
perform
those
changes
in
cases
where
we
may
be
down.
We
may
be
able
to
leverage
a
change
inside
this
repository
to
bring
gitlab
back
up,
for
example.
A
B
So
autodeploy
is
a
whole
topic
in
of
itself,
so
I
don't
want
to
delve
into
a
lot
of
details
here,
but
I
just
want
to
show
how
things
get
kicked
off
prior
to
showing
you
how
or
what
the
deploy
pipeline
looks
like.
So
what
we
are
looking
at
right
now
is
the
release
coordinated
pipeline,
which
is
initiated
by
release
tools
again,
keep
in
mind
that
we're
on
the
alps
instance.
So
just
a
very
quick
overview.
B
B
We
then
have
a
management
task
for
release
tools
itself,
and
then
we
start
the
auto
deploy
process
for
staging,
so
that
auto
deploy
process
happens
in
a
tooling.
We
call
deployer
deployer
is
an
ansible
tool.
This
was
implemented
because,
prior
to
having
kubernetes
in
place,
we
deployed
everything
inside
of
virtual
machines.
B
Ansible
is
a
fantastic
tool
for
orchestrating
specific
changes
such
as
deployments.
So
this
is
what
we
utilized,
so
we
have
a
couple
of
stages
where
we
do
some
pre-steps
that
are
required
for
deployments
to
occur,
and
then
we
start
deploying
to
each
of
our
fleets.
In
our
particular
case,
giddily,
followed
by
prefix,
followed
by
our
entire
fleet.
This
looks
a
little
different
today.
This
is
an
older
pipeline,
but
kubernetes
and
our
any
of
our
virtual
machine
fleets
will
happen
at
the
same
time.
B
B
What
we
check
here
is
to
make
sure
that
the
changes
inside
of
these
diff
jobs
only
contain
changes
to
the
deployment
objects
for
the
resources
being
changed.
We
don't
want
to
see
any
configuration.
Changes
occur
at
the
same
time
that
we
do
in
autodeploy,
so
objects
such
as
secrets
or
configuration
maps.
If
those
get
changed,
that's
a
red
flag
and
we
will
fail
this
job,
which
will
send
the
corresponding
flag
to
the
release.
Major
saying
please
investigate
as
necessary.
B
If
we
look
at
one
of
these
jobs,
it
doesn't
look
terribly
exciting,
because
other
tooling
tells
us
what
happens,
but
we
document
what
we
want
to
change
so,
for
example,
in
this
particular
job.
We're
looking
for
the
deployment
object
for
psychic
urgent
other.
That
particular
shard
should
change,
but
nothing
else
related,
psychic,
urgent,
other
should
ever
change.
So
we
should
never
see
a
config
map
change
or
a
secret
related
to
this
particular
deploy
change.
B
If
that
were
to
be
seen,
that
means
that
we
probably
have
a
merge
request
that
happened
at
the
wrong
time
that
got
merged
or
maybe
something
where
we
are
reaching
out
to
other
infrastructure
for
configurations
may
have
changed
outside
of
the
kubernetes
pipelines,
and
we
need
to
be
aware
of
that.
Such
that
we're
not
making
two
changes
at
the
same
time.
B
So
if
we
pass
our
diff
jobs,
we
then
proceed
with
the
auto
deploy
and
if
we
go
into
here,
the
only
thing
that
you're
going
to
see
is
the
actual
image
changes
as
necessary
for
those
deployments,
which
we
don't
compress
these
at
all.
But
you
can
see
that
here
we
changed
the
image
from
a
package
that
was
built
at
six
in
the
morning
on
the
18th
to
a
package
that
was
built
at
11
00
in
the
morning
on
the
18th.
B
We
need
to
make
sure
those
happen
at
a
specific
step.
So
deployer
is
what
manages
that
so
you'll
see
post
deploy
migrations
happen
after
our
fleet
deploy,
we've
got
some
tracking
stuff
that
happens,
whoops,
followed
by
our
qa
jobs,
so
deployer
manages
everything
related
to
upping
the
version
of
the
git
lab
that
we
are
running.