diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3929c4ac22cac07c882f91927453387e54315426..5a1f4dd448a9abcc23927ed5b896ee3f47b26b29 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,7 +9,7 @@ default:
     - 1cpu-4gb # build on smaller machine
 
 variables:
-  API_DOMAIN_PATH: "$CI_PROJECT_DIR/api_domain"
+  API_DOMAIN_PATH: '$CI_PROJECT_DIR/api_domain'
 
 # job templates
 
@@ -17,15 +17,15 @@ variables:
   image:
     name: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/hashicorp/terraform:1.6.6'
     # default entrypoint is terraform command, but we want to run shell scripts
-    entrypoint: ["/bin/sh", "-c"]
+    entrypoint: ['/bin/sh', '-c']
   variables:
     ENVIRONMENT_ID: $CI_ENVIRONMENT_SLUG
   artifacts:
     paths:
-      - "terraform/environments/crash.log" # optional, only available in case of a crash/panic
-      - "terraform/environments/terraform-*.log" # separate log for every step/command
+      - 'terraform/environments/crash.log' # optional, only available in case of a crash/panic
+      - 'terraform/environments/terraform-*.log' # separate log for every step/command
       - $API_DOMAIN_PATH
-    name: "${CI_JOB_NAME}_${CI_JOB_ID}"
+    name: '${CI_JOB_NAME}_${CI_JOB_ID}'
     #when: on_failure
     expire_in: 1 week
   script:
@@ -34,12 +34,13 @@ variables:
   resource_group: $ENVIRONMENT_ID # never execute terraform in parallel on the same environment
   interruptible: false
 
-.e2e:
-  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/archlinux:latest'
+.smoketest:
+  image: 'europe-north1-docker.pkg.dev/holi-shared/docker/holi-docker/holi-k6-builder'
   script:
-    - API_DOMAIN=`cat $API_DOMAIN_PATH`
-    - echo "e2e tests against $CI_ENVIRONMENT_SLUG environment go here and against $API_DOMAIN"
+    - API_DOMAIN=$(cat $API_DOMAIN_PATH)
     - terraform/environments/scripts/wait-for-ssl.sh "https://${API_DOMAIN}"
+    - BASE_URL="https://${API_DOMAIN}/graphql" k6 run smoketest/main.js
+    # TODO should/could we roll back the service to the last working revision on test failure?
 
 # end job templates
 
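Review bot: The `.smoketest` image on the added `image:` line carries no tag or digest, so every run pulls whatever `holi-k6-builder` currently resolves to (implicitly `latest`). The job that gates the staging and production redeployment triggers can therefore change without a commit. Pin it, e.g. `image: '…/holi-k6-builder:<tag>@sha256:<digest>'`, filling the placeholders from your registry. Separately, `$(cat $API_DOMAIN_PATH)` is unquoted; `API_DOMAIN="$(cat "$API_DOMAIN_PATH")"` avoids word-splitting if the project path ever contains whitespace.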
@@ -48,14 +49,13 @@ variables:
 ## common steps
 
 cache_lint_test:
-  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/denoland/deno:alpine-1.45.2'
+  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/denoland/deno:2.0.0'
   stage: 'test'
   script:
-    - deno cache --lock=deno.lock app/deps.ts app/dev_deps.ts
+    - deno cache --allow-import --lock=deno.lock app/deps.ts app/dev_deps.ts
     - deno fmt --check
     - deno lint
-    - deno test
-
+    - deno test --allow-import
 
 # You can override the included template(s) by including variable overrides
 # SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
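Review bot: `--allow-import` is passed without a host list on the added `deno cache` and `deno test` lines. As far as I know, that lifts Deno 2's default import-host restriction entirely instead of extending it. Scoping the flag to the hosts that `app/deps.ts` and `app/dev_deps.ts` actually import from keeps least privilege, e.g. `deno cache --allow-import=<host1>,<host2> --lock=deno.lock app/deps.ts app/dev_deps.ts` (host names are placeholders). The same bare flag is added in the Dockerfile `RUN`/`CMD` lines and in the `deno.json` tasks; the runtime `CMD` is where narrowing matters most.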
@@ -68,7 +68,7 @@ sast:
   needs: ['cache_lint_test']
   stage: test
 include:
-- template: Security/SAST.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
 
 build_docker:
   needs: ['cache_lint_test']
@@ -99,8 +99,8 @@ review_deploy:
     - production
     - /^noenv\/.*/
 
-review_e2e:
-  extends: .e2e
+review_smoketest:
+  extends: .smoketest
   needs: ['review_deploy']
   except:
     - main
@@ -112,7 +112,7 @@ review_destroy:
   image:
     name: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/hashicorp/terraform:1.6.6'
     # default entrypoint is terraform command, but we want to run shell scripts
-    entrypoint: ["/bin/sh", "-c"]
+    entrypoint: ['/bin/sh', '-c']
   variables:
     # has to be set to none for auto stop
     GIT_STRATEGY: none
@@ -123,9 +123,9 @@ review_destroy:
   dependencies: [] # explicitly disable artifact usage
   artifacts:
     paths:
-      - "terraform/environments/crash.log" # optional, only available in case of a crash/panic
-      - "terraform/environments/terraform-*.log" # separate log for every step/command
-    name: "${CI_JOB_NAME}_${CI_JOB_ID}"
+      - 'terraform/environments/crash.log' # optional, only available in case of a crash/panic
+      - 'terraform/environments/terraform-*.log' # separate log for every step/command
+    name: '${CI_JOB_NAME}_${CI_JOB_ID}'
     when: on_failure
     expire_in: 1 week
   script:
@@ -135,7 +135,7 @@ review_destroy:
     - terraform/environments/scripts/destroy-env.sh $CI_ENVIRONMENT_SLUG
   # can't use rules here: https://gitlab.com/gitlab-org/gitlab/-/issues/34077
   when: manual
-  allow_failure: false
+  allow_failure: true
   except:
     - main
     - production
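Review bot: With `allow_failure: true` on this manual job, a failed `destroy-env.sh` run only shows as a warning, so a review environment that was not torn down can go unnoticed and stay reachable. If the change is meant to stop the manual job from blocking the pipeline, record that next to the key, e.g. `# allow_failure: true so the manual destroy does not block the pipeline; failed destroys need manual cleanup`. A scheduled cleanup for leftover environments would also help. The `review_destroy` job starts and ends outside this hunk.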
@@ -157,19 +157,18 @@ staging_deploy:
   only:
     - main
 
-staging_trigger_unified-api_redeployment:
+staging_smoketest:
+  extends: .smoketest
   needs: ['staging_deploy']
-  trigger:
-    project: 'app/holi-unified-api'
-    branch: 'main'
   only:
     - main
+  resource_group: unified-api-staging
 
-staging_e2e:
-  extends: .e2e
-  # if staging_e2e would actually run tests (other than ensuring SSL works), we'd have to
-  # wait for the unified-api pipeline to finish.
-  needs: ['staging_deploy']
+staging_trigger_unified-api_redeployment:
+  needs: ['staging_smoketest']
+  trigger:
+    project: 'app/holi-unified-api'
+    branch: 'main'
   only:
     - main
 
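Review bot: `resource_group: unified-api-staging` is attached to `staging_smoketest`, while in the production hunk `resource_group: unified-api-production` sits on `production_trigger_unified-api_redeployment` and `production_smoketest` has none. Judging by the group names, the intent looks like serialising the unified-api redeployment. In that case the staging key probably belongs on `staging_trigger_unified-api_redeployment`; either way the two environments should match. A short comment such as `# serialise unified-api redeployments per environment` next to the key would record the intent.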
@@ -188,10 +187,17 @@ production_deploy:
   only:
     - production
 
-production_trigger_unified-api_redeployment:
+production_smoketest:
+  extends: .smoketest
   needs: ['production_deploy']
+  only:
+    - production
+
+production_trigger_unified-api_redeployment:
+  needs: ['production_smoketest']
   trigger:
     project: 'app/holi-unified-api'
     branch: 'production'
   only:
     - production
+  resource_group: unified-api-production
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2f34ebc58adb3df395e52bedee0d670532274122..f4b830c8175179542b86e58cc479dbe443a5adbb 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,7 +1,7 @@
 repos:
--   repo: local
+  - repo: local
     hooks:
-    -   id: gitleaks
+      - id: gitleaks
         name: gitleaks
         language: system
         entry: gitleaks protect --staged -v -c ../.gitleaks.toml
diff --git a/Dockerfile b/Dockerfile
index 6351d9e292734360b0361dfb746c25df09c048be..6e4cab70b4335785332371343d64e6bb7805c47b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/denoland/deno:alpine-1.45.2
+FROM europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/denoland/deno:2.0.0
 
 # The port that your application listens to.
 EXPOSE 8005
@@ -10,7 +10,7 @@ COPY deno.lock .
 COPY deno.json .
 COPY ./app ./app
 
-RUN deno cache app/deps.ts
-RUN deno cache app/main.ts
+RUN deno cache --allow-import app/deps.ts
+RUN deno cache --allow-import app/main.ts
 
-CMD ["deno", "run", "--allow-net", "--allow-env", "--allow-read", "--lock=deno.lock", "--cached-only", "app/main.ts"]
+CMD ["deno", "run", "--allow-import", "--allow-net", "--allow-env", "--allow-read", "--lock=deno.lock", "--cached-only", "app/main.ts"]
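Review bot: The two `RUN deno cache` lines pass neither `--lock=deno.lock` nor `--frozen`, unlike the CI job and the `CMD`. As far as I can tell, a dependency missing from `deno.lock` is then fetched and recorded during the image build instead of failing it. Once `deno.lock` has been regenerated with Deno 2, `RUN deno cache --allow-import --frozen --lock=deno.lock app/main.ts` (and the same for `app/deps.ts`) would turn lockfile drift into a build error. The image would then contain only what was reviewed in the lockfile.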
diff --git a/deno.json b/deno.json
index 76adfaa8ca9a4944dc5c19b4dd19cd718ecadb52..943d55b4eab995cad0f340f74bcca95c02c706aa 100644
--- a/deno.json
+++ b/deno.json
@@ -4,14 +4,14 @@
       "lint": "deno lint",
       "fmt": "deno fmt",
       "fmt:check": "deno fmt --check",
-      "test": "deno test",
-      "updateDeps": "deno cache --lock=deno.lock --lock-write app/deps.ts app/dev_deps.ts",
-      "install": "deno cache --reload --lock=deno.lock app/deps.ts app/dev_deps.ts",
-      "cache": "deno cache app/main.ts",
-      "dev": "deno run --allow-net --allow-env --allow-read --lock=deno.lock --cached-only --watch app/main.ts",
-      "start": "deno run --allow-net --allow-env --allow-read --lock=deno.lock --cached-only app/main.ts",
+      "test": "deno test --allow-import ",
+      "updateDeps": "deno cache --allow-import --lock=deno.lock --lock-write app/deps.ts app/dev_deps.ts",
+      "install": "deno cache --allow-import --reload --lock=deno.lock app/deps.ts app/dev_deps.ts",
+      "cache": "deno cache --allow-import app/main.ts",
+      "dev": "deno run --allow-import --allow-net --allow-env --allow-read --lock=deno.lock --cached-only --watch app/main.ts",
+      "start": "deno run --allow-import --allow-net --allow-env --allow-read --lock=deno.lock --cached-only app/main.ts",
       "docker": "docker build -t notifications-api . && docker run -it --init -p 8005:8005 notifications-api",
-      "coverage": "deno test --coverage=coverage && deno coverage coverage",
+      "coverage": "deno test --allow-import --coverage=coverage && deno coverage coverage",
       "pre-commit": {
         "cmd": "vr lint && vr fmt:check",
         "gitHook": "pre-commit"
diff --git a/smoketest/main.js b/smoketest/main.js
new file mode 100644
index 0000000000000000000000000000000000000000..cc560b525115a2170c64b92d0e70dd3f72566095
--- /dev/null
+++ b/smoketest/main.js
@@ -0,0 +1,40 @@
+import http from 'k6/http'
+import { check } from 'k6'
+
+// You don't need to change anything in this section, it's k6 glue code.
+// See the default function at the end of the file for defining your smoketest.
+// This configuration only executes 1 test, enough for a smoketest. The smoketest will fail on any check failing.
+const allChecksNeedToPassTreshold = { checks: [{ threshold: 'rate==1', abortOnFail: true }] }
+export const options = {
+  vus: 1,
+  iterations: 1,
+  thresholds: allChecksNeedToPassTreshold,
+}
+
+/**
+ * Performs a GraphQL query and checks the response using the provided function. Fails if any of the provided expectations are not met.
+ * @param {string} query The GraphQL query to perform
+ * @param {(response: http.Response) => Array<boolean>} checkFunction
+ *   A function that takes the HTTP response as an argument and returns an array
+ *   of boolean values, each indicating success or failure of a test.
+ */
+function forQuery(query, checkFunction) {
+  const response = http.post(`${__ENV.BASE_URL}`, JSON.stringify({ query }), {
+    headers: { 'Content-Type': 'application/json' },
+  })
+  checkFunction(response)
+}
+
+// Define your smoketest(s) here.
+export default () => {
+  forQuery(`{preferences{id}}`, (response) => {
+    check(response, {
+      'is status 200': (r) => r.status === 200,
+    })
+    check(JSON.parse(response.body), {
+      // there can be multiple tests here, e.g.
+      //"contains topics object": (r) => typeof r.data.topics != null,
+      'returns unauthorized error': (r) => r.errors[0].message === 'Unauthorized',
+    })
+  })
+}
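Review bot: The second `check` in the default function can throw instead of returning false: `JSON.parse(response.body)` throws on a non-JSON body, and `r.errors[0].message` throws when the response has no `errors` array. To my knowledge k6 logs an uncaught exception and ends the iteration without recording a failed check. The run would then still satisfy `rate==1` from the status check alone, including in the case where the endpoint answers an unauthenticated query with data. Moving the parsing into the check callback and returning false on any exception closes that gap. It is also worth failing early when `__ENV.BASE_URL` is unset, because `forQuery` would otherwise post to the string `undefined`.

```javascript
  forQuery(`{preferences{id}}`, (response) => {
    check(response, {
      // … unchanged: 'is status 200' check …
      'returns unauthorized error': (r) => {
        // any exception here must count as a failed check, not a skipped one
        try {
          const body = JSON.parse(r.body)
          return (
            Array.isArray(body.errors) &&
            body.errors.length > 0 &&
            body.errors[0].message === 'Unauthorized'
          )
        } catch (_) {
          return false
        }
      },
    })
  })
```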
diff --git a/terraform/environments/deployment.tf b/terraform/environments/deployment.tf
index 946edc1e240da5a50377c25e03bac55f4b6f7b3d..e0389608d7b57ec8b5268f798834f92b105c8822 100644
--- a/terraform/environments/deployment.tf
+++ b/terraform/environments/deployment.tf
@@ -85,6 +85,7 @@ resource "google_cloud_run_service" "notifications_api" {
         "run.googleapis.com/vpc-access-connector" = data.terraform_remote_state.holi_infra_state.outputs.vpc_access_connector_name
         # possible values: all-traffic/private-ranges-only(default) https://cloud.google.com/sdk/gcloud/reference/run/services/update#--vpc-egress
         "run.googleapis.com/vpc-access-egress" = "private-ranges-only"
+        "run.googleapis.com/startup-cpu-boost"    = "true"
       }
       # labels set on the revision level
       labels = {