CI/CD variables

Use CI/CD variables to set up the Auto DevOps domain, provide a custom Helm chart, or scale your application.

Build and deployment variables

Use these variables to customize and deploy your build.

CI/CD variableDescription
ADDITIONAL_HOSTSFully qualified domain names specified as a comma-separated list that are added to the Ingress hosts.
<ENVIRONMENT>_ADDITIONAL_HOSTSFor a specific environment, the fully qualified domain names specified as a comma-separated list that are added to the Ingress hosts. This takes precedence over ADDITIONAL_HOSTS.
AUTO_BUILD_IMAGE_VERSIONCustomize the image version used for the build job. See list of versions.
AUTO_DEPLOY_IMAGE_VERSIONCustomize the image version used for Kubernetes deployment jobs. See list of versions.
AUTO_DEVOPS_ATOMIC_RELEASEAs of GitLab 13.0, Auto DevOps uses --atomic for Helm deployments by default. Set this variable to false to disable the use of --atomic
AUTO_DEVOPS_BUILD_IMAGE_CNB_ENABLEDSet to false to use Herokuish instead of Cloud Native Buildpacks with Auto Build. More details.
AUTO_DEVOPS_BUILD_IMAGE_CNB_BUILDERThe builder used when building with Cloud Native Buildpacks. The default builder is heroku/buildpacks:18. More details.
AUTO_DEVOPS_BUILD_IMAGE_EXTRA_ARGSExtra arguments to be passed to the docker build command. Using quotes doesn’t prevent word splitting. More details.
AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLESA comma-separated list of CI/CD variable names to be forwarded to the build environment (the buildpack builder or docker build).
AUTO_DEVOPS_BUILD_IMAGE_CNB_PORTIn GitLab 15.0 and later, port exposed by the generated Docker image. Set to false to prevent exposing any ports. Defaults to 5000.
AUTO_DEVOPS_CHARTHelm Chart used to deploy your apps. Defaults to the one provided by GitLab.
AUTO_DEVOPS_CHART_REPOSITORYHelm Chart repository used to search for charts. Defaults to https://charts.gitlab.io.
AUTO_DEVOPS_CHART_REPOSITORY_NAMEUsed to set the name of the Helm repository. Defaults to gitlab.
AUTO_DEVOPS_CHART_REPOSITORY_USERNAMEUsed to set a username to connect to the Helm repository. Defaults to no credentials. Also set AUTO_DEVOPS_CHART_REPOSITORY_PASSWORD.
AUTO_DEVOPS_CHART_REPOSITORY_PASSWORDUsed to set a password to connect to the Helm repository. Defaults to no credentials. Also set AUTO_DEVOPS_CHART_REPOSITORY_USERNAME.
AUTO_DEVOPS_CHART_REPOSITORY_PASS_CREDENTIALSFrom GitLab 14.2, set to a non-empty value to enable forwarding of the Helm repository credentials to the chart server when the chart artifacts are on a different host than repository.
AUTO_DEVOPS_COMMON_NAMEFrom GitLab 15.5, set to a valid domain name to customize the common name used for the TLS certificate. Defaults to le-$CI_PROJECT_ID.$KUBE_INGRESS_BASE_DOMAIN. Set to false to not set this alternative host on the Ingress.
AUTO_DEVOPS_DEPLOY_DEBUGFrom GitLab 13.1, if this variable is present, Helm outputs debug logs.
AUTO_DEVOPS_ALLOW_TO_FORCE_DEPLOY_V<N>From auto-deploy-image v1.0.0, if this variable is present, a new major version of chart is forcibly deployed. For more information, see Ignore warnings and continue deploying.
BUILDPACK_URLA full Buildpack URL. Must point to a URL supported by Pack or Herokuish.
CANARY_ENABLEDUsed to define a deploy policy for canary environments.
BUILDPACK_VOLUMESSpecify one or more Buildpack volumes to mount. Use a pipe | as list separator.
CANARY_PRODUCTION_REPLICASNumber of canary replicas to deploy for Canary Deployments in the production environment. Takes precedence over CANARY_REPLICAS. Defaults to 1.
CANARY_REPLICASNumber of canary replicas to deploy for Canary Deployments. Defaults to 1.
CI_APPLICATION_REPOSITORYThe repository of container image being built or deployed, $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG. For more details, read Custom container image.
CI_APPLICATION_TAGThe tag of the container image being built or deployed, $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG. For more details, read Custom container image.
DAST_AUTO_DEPLOY_IMAGE_VERSIONCustomize the image version used for DAST deployments on the default branch. Should usually be the same as AUTO_DEPLOY_IMAGE_VERSION. See list of versions.
DOCKERFILE_PATHFrom GitLab 13.2, allows overriding the default Dockerfile path for the build stage
HELM_RELEASE_NAMEAllows the helm release name to be overridden. Can be used to assign unique release names when deploying multiple projects to a single namespace.
HELM_UPGRADE_VALUES_FILEAllows the helm upgrade values file to be overridden. Defaults to .gitlab/auto-deploy-values.yaml.
HELM_UPGRADE_EXTRA_ARGSAllows extra options in helm upgrade commands when deploying the application. Using quotes doesn’t prevent word splitting.
INCREMENTAL_ROLLOUT_MODEIf present, can be used to enable an incremental rollout of your application for the production environment. Set to manual for manual deployment jobs or timed for automatic rollout deployments with a 5 minute delay each one.
K8S_SECRET_*Any variable prefixed with K8S_SECRET_ is made available by Auto DevOps as environment variables to the deployed application.
KUBE_CONTEXTFrom GitLab 14.5, can be used to select a context to use from KUBECONFIG. When KUBE_CONTEXT is blank, the default context in KUBECONFIG (if any) is used. A context must be selected when used with the agent for Kubernetes.
KUBE_INGRESS_BASE_DOMAINCan be used to set a domain per cluster. See cluster domains for more information.
KUBE_NAMESPACEThe namespace used for deployments. When using certificate-based clusters, this value should not be overwritten directly.
KUBECONFIGThe kubeconfig to use for deployments. User-provided values take priority over GitLab-provided values.
PRODUCTION_REPLICASNumber of replicas to deploy in the production environment. Takes precedence over REPLICAS and defaults to 1. For zero downtime upgrades, set to 2 or greater.
REPLICASNumber of replicas to deploy. Defaults to 1. Change this variable instead of modifying replicaCount.
ROLLOUT_RESOURCE_TYPEAllows specification of the resource type being deployed when using a custom Helm chart. Default value is deployment.
ROLLOUT_STATUS_DISABLEDUsed to disable rollout status check because it does not support all resource types, for example, cronjob.
STAGING_ENABLEDUsed to define a deploy policy for staging and production environments.
TRACESet to any value to make Helm commands produce verbose output. You can use this setting to help diagnose Auto DevOps deployment problems.

Database variables

caution
The default value of true for POSTGRES_ENABLED was deprecated in GitLab 15.8. In GitLab 16.0, the default value will change to false.

Use these variables to integrate CI/CD with PostgreSQL databases.

CI/CD variableDescription
DB_INITIALIZEUsed to specify the command to run to initialize the application’s PostgreSQL database. Runs inside the application pod.
DB_MIGRATEUsed to specify the command to run to migrate the application’s PostgreSQL database. Runs inside the application pod.
POSTGRES_ENABLEDWhether PostgreSQL is enabled. Defaults to true until GitLab 16.0, when the default will change to false. Set to false to disable the automatic deployment of PostgreSQL.
POSTGRES_USERThe PostgreSQL user. Defaults to user. Set it to use a custom username.
POSTGRES_PASSWORDThe PostgreSQL password. Defaults to testing-password. Set it to use a custom password.
POSTGRES_DBThe PostgreSQL database name. Defaults to the value of $CI_ENVIRONMENT_SLUG. Set it to use a custom database name.
POSTGRES_VERSIONTag for the postgres Docker image to use. Defaults to 9.6.16 for tests and deployments as of GitLab 13.0 (previously 9.6.2). If AUTO_DEVOPS_POSTGRES_CHANNEL is set to 1, deployments uses the default version 9.6.2.
POSTGRES_HELM_UPGRADE_VALUES_FILEIn GitLab 13.8 and later, and when using auto-deploy-image v2, this variable allows the helm upgrade values file for PostgreSQL to be overridden. Defaults to .gitlab/auto-deploy-postgres-values.yaml.
POSTGRES_HELM_UPGRADE_EXTRA_ARGSIn GitLab 13.8 and later, and when using auto-deploy-image v2, this variable allows extra PostgreSQL options in helm upgrade commands when deploying the application. Using quotes doesn’t prevent word splitting.
POSTGRES_CHART_REPOSITORYHelm Chart repository used to search for PostgreSQL chart. Defaults to https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami.
POSTGRES_CHART_VERSIONHelm Chart version used for PostgreSQL chart. Defaults to 8.2.1.

Job-disabling variables

Use these variables to disable CI/CD jobs.

Job nameCI/CD variableGitLab versionDescription
.fuzz_baseCOVFUZZ_DISABLEDFrom GitLab 13.2 Read more about how .fuzz_base provide capability for your own jobs. If the variable is present, your jobs aren’t created.
apifuzzer_fuzzAPI_FUZZING_DISABLEDFrom GitLab 13.3If the variable is present, the job isn’t created.
buildBUILD_DISABLED If the variable is present, the job isn’t created.
build_artifactBUILD_DISABLED If the variable is present, the job isn’t created.
bandit-sastSAST_DISABLED If the variable is present, the job isn’t created.
brakeman-sastSAST_DISABLED If the variable is present, the job isn’t created.
canaryCANARY_ENABLED This manual job is created if the variable is present.
cluster_image_scanningCLUSTER_IMAGE_SCANNING_DISABLED If the variable is present, the job isn’t created.
code_intelligenceCODE_INTELLIGENCE_DISABLEDFrom GitLab 13.6If the variable is present, the job isn’t created.
code_qualityCODE_QUALITY_DISABLED If the variable is present, the job isn’t created.
container_scanningCONTAINER_SCANNING_DISABLED If the variable is present, the job isn’t created.
dastDAST_DISABLED If the variable is present, the job isn’t created.
dast_environment_deploy DAST_DISABLED_FOR_DEFAULT_BRANCH or DAST_DISABLED From GitLab 12.4If either variable is present, the job isn’t created.
dependency_scanningDEPENDENCY_SCANNING_DISABLED If the variable is present, the job isn’t created.
eslint-sastSAST_DISABLED If the variable is present, the job isn’t created.
flawfinder-sastSAST_DISABLED If the variable is present, the job isn’t created.
gemnasium-dependency_scanningDEPENDENCY_SCANNING_DISABLED If the variable is present, the job isn’t created.
gemnasium-maven-dependency_scanningDEPENDENCY_SCANNING_DISABLED If the variable is present, the job isn’t created.
gemnasium-python-dependency_scanningDEPENDENCY_SCANNING_DISABLED If the variable is present, the job isn’t created.
gosec-sastSAST_DISABLED If the variable is present, the job isn’t created.
kubesec-sastSAST_DISABLED If the variable is present, the job isn’t created.
license_managementLICENSE_MANAGEMENT_DISABLEDGitLab 12.7 and earlierIf the variable is present, the job isn’t created. Job deprecated from GitLab 12.8
license_scanningLICENSE_MANAGEMENT_DISABLEDFrom GitLab 12.8If the variable is present, the job isn’t created.
load_performanceLOAD_PERFORMANCE_DISABLEDFrom GitLab 13.2If the variable is present, the job isn’t created.
nodejs-scan-sastSAST_DISABLED If the variable is present, the job isn’t created.
performancePERFORMANCE_DISABLEDGitLab 13.12 and earlierBrowser performance. If the variable is present, the job isn’t created. Replaced by browser_performance.
browser_performanceBROWSER_PERFORMANCE_DISABLEDFrom GitLab 14.0Browser performance. If the variable is present, the job isn’t created. Replaces performance.
phpcs-security-audit-sastSAST_DISABLED If the variable is present, the job isn’t created.
pmd-apex-sastSAST_DISABLED If the variable is present, the job isn’t created.
reviewREVIEW_DISABLED If the variable is present, the job isn’t created.
review:stopREVIEW_DISABLED Manual job. If the variable is present, the job isn’t created.
sastSAST_DISABLED If the variable is present, the job isn’t created.
sast:containerCONTAINER_SCANNING_DISABLED If the variable is present, the job isn’t created.
secret_detectionSECRET_DETECTION_DISABLEDFrom GitLab 13.1If the variable is present, the job isn’t created.
secret_detection_default_branchSECRET_DETECTION_DISABLEDFrom GitLab 13.2If the variable is present, the job isn’t created.
security-code-scan-sastSAST_DISABLED If the variable is present, the job isn’t created.
secrets-sastSAST_DISABLED If the variable is present, the job isn’t created.
sobelaw-sastSAST_DISABLED If the variable is present, the job isn’t created.
stop_dast_environment DAST_DISABLED_FOR_DEFAULT_BRANCH or DAST_DISABLED From GitLab 12.4If either variable is present, the job isn’t created.
spotbugs-sastSAST_DISABLED If the variable is present, the job isn’t created.
testTEST_DISABLED If the variable is present, the job isn’t created.
stagingSTAGING_ENABLED The job is created if the variable is present.
stop_reviewREVIEW_DISABLED If the variable is present, the job isn’t created.

Configure application secret variables

Some deployed applications require access to secret variables. Auto DevOps detects CI/CD variables starting with K8S_SECRET_, and makes them available to the deployed application as environment variables.

Prerequisite:

  • The variable value must be a single line.

To configure secret variables:

  1. On the top bar, select Main menu > Projects and find your project.
  2. On the left sidebar, select Settings > CI/CD.
  3. Expand Variables.
  4. Create a CI/CD variable with the prefix K8S_SECRET_. For example, you can create a variable called K8S_SECRET_RAILS_MASTER_KEY.
  5. Run an Auto DevOps pipeline, either by manually creating a new pipeline or by pushing a code change to GitLab.

Kubernetes secrets

Auto DevOps pipelines use your application secret variables to populate a Kubernetes secret. This secret is unique per environment. When deploying your application, the secret is loaded as environment variables in the container running the application. For example, if you create a secret called K8S_SECRET_RAILS_MASTER_KEY, your Kubernetes secret might look like:

$ kubectl get secret production-secret -n minimal-ruby-app-54 -o yaml

apiVersion: v1
data:
  RAILS_MASTER_KEY: MTIzNC10ZXN0
kind: Secret
metadata:
  creationTimestamp: 2018-12-20T01:48:26Z
  name: production-secret
  namespace: minimal-ruby-app-54
  resourceVersion: "429422"
  selfLink: /api/v1/namespaces/minimal-ruby-app-54/secrets/production-secret
  uid: 57ac2bfd-03f9-11e9-b812-42010a9400e4
type: Opaque

Update application secrets

Environment variables are generally immutable in a Kubernetes pod. If you update an application secret and then manually create a new pipeline, running applications do not receive the updated secret.

To update application secrets, either:

  • Push a code update to GitLab to force the Kubernetes deployment to recreate pods.
  • Manually delete running pods to cause Kubernetes to create new pods with updated secrets.

Variables with multi-line values are not supported due to limitations with the Auto DevOps scripting environment.

Configure replica variables

Add replica variables when you want to scale your deployments:

  1. Add a replica variable as a project CI/CD variable.
  2. To scale your application, redeploy it.

    caution
    Do not scale your application using Kubernetes directly. Helm might not detect the change, and subsequent deployments with Auto DevOps can undo your changes.

Custom replica variables

You can create custom replica variables with the format <TRACK>_<ENV>_REPLICAS:

  • <TRACK> is the all-caps value of the track Kubernetes label set in the Helm Chart app definition. If track is not set, omit <TRACK> from the custom variable.
  • <ENV> is the all-caps environment name of the deploy job set in .gitlab-ci.yml.

For example, if the environment is qa and the track is foo, create an environment variable called FOO_QA_REPLICAS:

QA testing:
  stage: deploy
  environment:
    name: qa
  script:
    - deploy foo

The track foo must be defined in the application’s Helm chart. For example:

replicaCount: 1
image:
  repository: gitlab.example.com/group/project
  tag: stable
  pullPolicy: Always
  secrets:
    - name: gitlab-registry
application:
  track: foo
  tier: web
service:
  enabled: true
  name: web
  type: ClusterIP
  url: http://my.host.com/
  externalPort: 5000
  internalPort: 5000

Deploy policy for staging and production environments

Auto DevOps typically uses continuous deployment, and pushes automatically to the production environment whenever a new pipeline runs on the default branch. To deploy to production manually, you can use the STAGING_ENABLED CI/CD variable.

If you set STAGING_ENABLED, GitLab automatically deploys the application to a staging environment. When you’re ready to deploy to production, GitLab creates a production_manual job.

You can also enable manual deployment in your project settings.

Deploy policy for canary environments

You can use a canary environment before deploying any changes to production.

If you set CANARY_ENABLED, GitLab creates two manual jobs:

  • canary - Deploys the application to the canary environment.
  • production_manual - Deploys the application to production.

Incremental rollout to production

Use an incremental rollout to continuously deploy your application, starting with only a few pods. You can increase the number of pods manually.

You can enable manual deployment in your project settings, or by setting INCREMENTAL_ROLLOUT_MODE to manual.

If you set INCREMENTAL_ROLLOUT_MODE to manual, GitLab creates four manual jobs:

  1. rollout 10%
  2. rollout 25%
  3. rollout 50%
  4. rollout 100%

The percentage is based on the REPLICAS CI/CD variable, and defines the number of pods used for deployment. For example, if the value is 10 and you run the 10% rollout job, your application is deployed to only one pod.

You can run the rollout jobs in any order. To scale down, rerun a lower percentage job.

After you run the rollout 100% job, you cannot scale down, and must roll back your deployment.

Example incremental rollout configurations

Without INCREMENTAL_ROLLOUT_MODE and without STAGING_ENABLED:

Staging and rollout disabled

Without INCREMENTAL_ROLLOUT_MODE and with STAGING_ENABLED:

Staging enabled

With INCREMENTAL_ROLLOUT_MODE set to manual and without STAGING_ENABLED:

Rollout enabled

With INCREMENTAL_ROLLOUT_MODE set to manual and with STAGING_ENABLED:

Rollout and staging enabled

Timed incremental rollout to production

Use a timed incremental rollout to continuously deploy your application, starting with only a few pods.

You can enable timed incremental deployment in your project settings, or by setting the INCREMENTAL_ROLLOUT_MODE CI/CD variable to timed.

If you set INCREMENTAL_ROLLOUT_MODE to timed, GitLab creates four jobs:

  1. timed rollout 10%
  2. timed rollout 25%
  3. timed rollout 50%
  4. timed rollout 100%

There is a five-minute delay between jobs.