HowTo: Automated CI/CD with GitLab-CI and Balena

This should be a quick guide on how to get the CI/CD pipeline running inside GitLab.

We have a software stack that should be automatically deployed to our production, staging and dev devices as soon as someone pushes a new commit or release. So very similar to the BalenaCloud build server only that this is available for OpenBalena too.

Challenges

  1. balena deploy needs docker and a running version of balenc-cli.
  2. OpenBalena has custom certificates that need to be integrated

Balena and Docker in Docker

Since dind is only provided on alpine images and the balena-cli can not be installed on alpine we need to find a different way to get this working. Luckily the gitlab-ci.yml has severices that enable us to deploy services (other containers) around our stage task.

build-container:
  image: ubuntu:bionic
  stage: deploy
  services:
    - name: docker:dind
      alias: docker
  script:
    - echo "$CRT" > balena.crt
    - echo "$YML" > ~/.balenarc.yml
    - apt-get update
    - apt-get install -y wget unzip
    # Setup Balena
    - export NODE_EXTRA_CA_CERTS="$PWD/balena.crt"
    - export DEBUG=1
    - wget https://github.com/balena-io/balena-cli/releases/download/v11.23.0/balena-cli-v11.23.0-linux-x64-standalone.zip -O balena.zip
    - unzip balena.zip
    - cp balena-cli/balena ./
    - ./balena login --credentials --email $BALENA_EMAIL --password $BALENA_PASSWORD
    # Setup docker
    - export DOCKER_HOST=tcp://docker:2375
    - apt-get install docker.io -y
    # Build an deploy image
    - ./balena deploy ....
  after_script:
    - rm balena.crt
    - rm ~/.balenarc.yml
  only:
    - master

Custom certs integrated into the dind container

Since the repository needs custom certs the only way is to integrate them into the dind container, therefore build your own one and replace the docker service with your container.

services:
    - name: path/to/your/dind:latest
      alias: docker

Build the container:

ADD balena.crt /usr/local/share/ca-certificates/balena.crt
RUN chmod 644 /usr/local/share/ca-certificates/balena.crt && update-ca-certificates

ENV DOCKER_TLS_CERTDIR = /certs

I could not finde anything i wanted to put this here, in case some one else is looking for a similar way.

I case i was just to stupid to google it, feel free to poste the link of a guide regarding this challenges in the comment.