Use Google CDN if enabled for CI job artifacts
What does this MR do and why?
This builds upon !96336 (merged) to provide configuration support and hooks to serve CI artifacts via Google CDN if it is configured in front of a Google Cloud Storage bucket.
This is currently behind the `ci_job_artifacts_cdn` feature flag.
Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/360462
How to set up and validate locally
As described in https://gitlab.com/gitlab-org/container-registry/-/issues/535#note_792288038:
Setting up Google CDN
- Created a GCS test bucket.
- Followed https://cloud.google.com/cdn/docs/setting-up-cdn-with-bucket to create an HTTPS load balancer with a static IP. I let Google create the HTTPS certs and assigned the domain `stanhu-cdn.example.org`.
- Registered the load balancer IP with that domain.
- Continued https://cloud.google.com/cdn/docs/using-signed-urls with registering a signing key and giving permissions to the bucket.
Testing this merge request
- Create a GCS VM and install the latest GitLab nightly build.
- Per https://docs.gitlab.com/ee/administration/object_storage.html#google-example-with-adc-consolidated-form, I had to stop the VM and grant it `Allow full access to all Cloud APIs`.
- Tweaked the default service account permissions by limiting access with `Service Account Token Creator` and giving it access to read/write storage buckets.
- Enabled `IAM Service Account Credentials API` in https://console.cloud.google.com/apis/library/iamcredentials.googleapis.com. (This wasn't documented; I ran into error messages before I enabled it.)
- Download the latest nightly build and apply this patch. In my Omnibus config, I have:
```ruby
external_url 'https://gitlab.example.com'
gitlab_rails['object_store']['enabled'] = true
gitlab_rails['object_store']['connection'] = {
  'provider' => 'Google',
  'google_project' => 'stan-redacted',
  'google_application_default' => true
}
gitlab_rails['object_store']['proxy_download'] = false
bucket = 'stanhu-test'
gitlab_rails['object_store']['objects']['artifacts']['bucket'] = "#{bucket}/artifacts"
gitlab_rails['object_store']['objects']['artifacts']['cdn'] = {
  'provider' => 'Google',
  'url' => 'https://stanhu-cdn.example.org',
  'key_name' => 'stanhu-key',
  'key' => '<REDACTED KEY>'
}
gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = "#{bucket}/external_diffs"
gitlab_rails['object_store']['objects']['lfs']['bucket'] = "#{bucket}/lfs"
gitlab_rails['object_store']['objects']['uploads']['bucket'] = "#{bucket}/uploads"
gitlab_rails['object_store']['objects']['packages']['bucket'] = "#{bucket}/packages"
gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = "#{bucket}/dependency_proxy"
gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = "#{bucket}/terraform_state"
gitlab_rails['object_store']['objects']['ci_secure_files']['bucket'] = "#{bucket}/ci_secure_files"
```
- Enable the feature flag: `Feature.enable(:ci_job_artifacts_cdn)`.
- Use the artifacts API (e.g. `https://stanhu.example.org/api/v4/projects/2/jobs/4/artifacts`) to download the file. Notice the URL has the CDN.
- Check that `/var/log/gitlab/gitlab-rails/api_json.log` has `meta.artifact_used_cdn`:

```
"meta.feature_category": "build_artifacts",
"meta.user": "root",
"meta.project": "root/simple-ci",
"meta.root_namespace": "root",
"meta.client_id": "user/1",
"meta.artifact_size": 209,
"meta.artifact_used_cdn": true,
```

- If you use a runner within Google Cloud (or localhost), you'll notice `meta.artifact_used_cdn` is omitted because a CDN is not needed.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
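
The `key_name` and `key` settings in the CDN block above are the inputs to Cloud CDN's signed-URL scheme (the using-signed-urls document linked in the setup steps): an HMAC-SHA1 over the URL plus its `Expires` and `KeyName` parameters. The sketch below is an added example, not code from this merge request or from GitLab; the helper names, key and URLs are constructed, and `valid_cdn_url?` is a local model of the check for testing, not Google's implementation.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Constructed sample values, not the MR author's: a Cloud CDN signing key is
# 16 random bytes stored base64url-encoded (the 'key' setting in the config).
SAMPLE_KEYS = { 'example-key' => Base64.urlsafe_encode64('0123456789abcdef') }.freeze

# Build a signed URL: append Expires and KeyName, HMAC-SHA1 the whole string
# with the decoded key, then append the base64url signature.
def sign_cdn_url(url, key_name:, keys:, expires_at:)
  sep = url.include?('?') ? '&' : '?'
  to_sign = "#{url}#{sep}Expires=#{expires_at.to_i}&KeyName=#{key_name}"
  mac = OpenSSL::HMAC.digest('SHA1', Base64.urlsafe_decode64(keys.fetch(key_name)), to_sign)
  "#{to_sign}&Signature=#{Base64.urlsafe_encode64(mac)}"
end

# Byte-wise comparison that does not stop at the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Local model of the check: known key name, unexpired, and a signature that
# matches everything before '&Signature='.
def valid_cdn_url?(signed_url, keys:, now: Time.now)
  to_sign, marker, sig_b64 = signed_url.rpartition('&Signature=')
  return false if marker.empty?

  params = URI.decode_www_form(URI(to_sign).query.to_s).to_h
  key_b64 = keys[params['KeyName']]
  return false unless key_b64 && params['Expires'].to_s.match?(/\A\d+\z/)
  return false if params['Expires'].to_i <= now.to_i

  expected = OpenSSL::HMAC.digest('SHA1', Base64.urlsafe_decode64(key_b64), to_sign)
  secure_equal?(expected, Base64.urlsafe_decode64(sig_b64))
rescue ArgumentError, URI::InvalidURIError
  false
end
```

Because `Expires` and the object path are both covered by the MAC, a recipient cannot extend the lifetime or swap the path; anyone holding the `key` value can mint valid URLs for any object behind the CDN, so it needs the same handling as other secrets in `gitlab.rb`.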