My attempt at Gitlab PR review environments with Nomad (opens in new tab)

(blog.mattsbit.co.uk)

40 pointsmrmattyboy2y ago9 comments

9 comments

heh, terraform is just ... special

  resource "nomad_job" "terrareg" {
    jobspec = <<EOHCL
  job "terrareg" {

but to be actually constructive, a fun trick is that one can patch this stanza in via the GL pipeline and thus allow local $(tofu plan) runs without needing, or running the risk of, live gitlab credentials

  variables:
    # Backend required for Gitlab state
    BACKEND_TF: |
      terraform {
        backend "http" {
        }
      }
  before_script:
  - echo "$BACKEND_TF" > backend.tf

it may also interest this audience that due to gitlab's in-container shell detection scheme, often a better entrypoint override is entrypoint: ["/usr/bin/env"] (assuming such a thing exists, of course)

mrmattyboyOP2y ago

Hey :)

That's a good idea for the backend - thank you!

And yes, I should have used the used a separate HCL file for the nomad_job - aside from being cleaner, it would have also avoided some horrific JSON encode that I had to use for an environment variable (think: `env { blah = eplace("\"", "\\\"", jsonencode(local.something))`), since I could just pass the jsonencode value straight to the value of the parameter, rather than getting Terraform to convert it to a string for the template.

neomantra2y ago

Thanks for sharing this; happy to see the spreading of Nomad insights. I had once upon a time done this with GitLab and Kubernetes, but now that I switched to Nomad, I lost that... will explore this further.

I manage a lot of these sorts of templates... I "Terraform template" the "Nomad Job", which also sometimes has its own Nomad template stanzas. [1] Separating it all makes things easier to track, although I suspect that when you have that scaffolding set up, you don't need to look at it or modify it much.

If I know I want something JSON, then I include "_JSON" in the variable name and then it's clear I should have a `jsonencode` there. [2]

[1] https://github.com/neomantra/terraform-nomad-temporal/blob/m... [2] https://github.com/neomantra/terraform-nomad-temporal/blob/m...

1 more reply

jen202y ago

Not really sure what's wrong with the Terraform example, other than the lack of use of the heredoc with hanging indents, which would correctly nest the job spec.

salamander0142y ago

Hey this is very cool.

I did something similar with Kubernetes, work has some OSE clusters that will generate DNS for you, it works great and the devs love using it. It’s a little bespoke but its simple and gets a lot of attention.

Plus since the namespaces preexist the workloads, we spin them up for the entire branch lifetime (times out after n days). Makes everyones jobs a lot easier.

Anything that helps shift lifecycle requirements and testing left has huge impact on DX.

mrmattyboyOP2y ago

One thing that I haven't out how to do is allowing unauthenticated Gitlab users to view deployments/environments for public projects.

Not only is the "deployments" tab missing (which isn't the _end_ of the world), but the environment (with the link to the instance) isn't shown in pull requests until the user logs in.

Does anyone know if this is possible? I couldn't find much in Gitlab's docs

wdb2y ago

Think it is only possible with public projects

mrmattyboyOP2y ago

It's definitely a public project :)

Edit: Ah, I found it - it's the permissions for 'Operations'

j / k navigate · click thread line to collapse

9 comments

mdaniel2y ago

heh, terraform is just ... special

  resource "nomad_job" "terrareg" {
    jobspec = <<EOHCL
  job "terrareg" {

  variables:
    # Backend required for Gitlab state
    BACKEND_TF: |
      terraform {
        backend "http" {
        }
      }
  before_script:
  - echo "$BACKEND_TF" > backend.tf

mrmattyboyOP2y ago

Hey :)

That's a good idea for the backend - thank you!

neomantra2y ago

If I know I want something JSON, then I include "_JSON" in the variable name and then it's clear I should have a `jsonencode` there. [2]

[1] https://github.com/neomantra/terraform-nomad-temporal/blob/m... [2] https://github.com/neomantra/terraform-nomad-temporal/blob/m...

1 more reply

jen202y ago

Not really sure what's wrong with the Terraform example, other than the lack of use of the heredoc with hanging indents, which would correctly nest the job spec.

salamander0142y ago

Hey this is very cool.

Plus since the namespaces preexist the workloads, we spin them up for the entire branch lifetime (times out after n days). Makes everyones jobs a lot easier.

Anything that helps shift lifecycle requirements and testing left has huge impact on DX.

mrmattyboyOP2y ago

One thing that I haven't out how to do is allowing unauthenticated Gitlab users to view deployments/environments for public projects.

Not only is the "deployments" tab missing (which isn't the _end_ of the world), but the environment (with the link to the instance) isn't shown in pull requests until the user logs in.

Does anyone know if this is possible? I couldn't find much in Gitlab's docs

wdb2y ago

Think it is only possible with public projects

mrmattyboyOP2y ago

It's definitely a public project :)

Edit: Ah, I found it - it's the permissions for 'Operations'

j / k navigate · click thread line to collapse