GambleHub

GitLab CI/CD for iGaming projects

(Section: Technologies and infrastructure)

Summary

GitLab CI/CD is the delivery "conveyor" for iGaming applications, analytics and ML services. It brings together the repository, pipelines as code, environment and security management, a built-in container/package registry, integration with Kubernetes and Terraform, and vulnerability and license scanning. The keys to success are uniform pipeline templates, auto-scaled ephemeral runners, a strict model for permissions and secrets, GitOps workflows and cost control.

1) Architecture and roles

GitLab (SaaS or Self-Managed): groups/projects, protected branches/tags, merge request approvals.
Runners: Docker, Kubernetes or virtual-machine executors. Ephemeral K8s pods reduce environment drift.
Registries: Container Registry, Package Registry and Dependency Proxy, which caches base images and dependencies.
Observability: job logs, job artifacts, pipeline insights, export of metrics to monitoring.

Roles: developers (MRs), maintainers (approve/release), SecOps (scanner policy), Platform/DevOps (runners, templates, GitOps).

2) `.gitlab-ci.yml` basics: stages, rules, dependencies

```yaml
stages: [lint, test, build, security, package, deploy]

variables:
  DOCKER_DRIVER: overlay2
  IMAGE: "$CI_REGISTRY_IMAGE/app:$CI_COMMIT_SHA"

workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG   # the release jobs in later sections run on tags; without this rule tag pipelines never start

default:                   # `default:` applies to every job; a hidden `.default` job does nothing unless something extends it
  image: alpine:3.20
  before_script:
    - apk add --no-cache bash curl jq

lint:
  stage: lint
  script: ["make lint"]
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

unit:
  stage: test
  script: ["make test"]
  artifacts:
    when: always
    reports:
      junit: reports/junit.xml
  needs:
    - job: lint
      optional: true       # lint exists only in MR pipelines; on the default branch the DAG must not fail on a missing job

build_image:
  stage: build
  image: docker:27
  services: ["docker:27-dind"]
  variables:
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: "/certs"   # keep TLS between client and daemon; "" falls back to an unauthenticated plaintext socket
  script:
    # --password-stdin keeps the registry credential out of argv and out of the job log
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
  # GitLab's cache only covers paths under $CI_PROJECT_DIR, so /var/lib/docker cannot be cached this way;
  # reuse layers through --cache-from or a BuildKit/Kaniko registry cache instead (see section 3).
  needs: ["unit"]
```
Practice:
  • `rules` for branches/MRs/tags; `needs` for DAG parallelism; `artifacts:reports` for JUnit/coverage; `workflow` to avoid starting redundant pipelines.

3) Runners and auto-scaling

Kubernetes executor (recommended)

Ephemeral pods, CPU/RAM quotas, nodeSelector/taints, isolation of secrets per job.
Cache/artifacts in object storage; Dependency Proxy for container images, Package Registry for NPM/Maven/PyPI packages.

Docker executor

Simple to start with; use DinD, or Kaniko/BuildKit for builds that do not need a privileged container.

Tips:
  • Separate runner pools per workload type (Build/Test/Security/ML); concurrency limits per group/project; runner tags (`k8s`, `gpu`, `security`).

4) Cache, artifacts and matrices

```yaml
test:py:
  stage: test
  parallel:
    matrix:
      - PY: ["3.10", "3.12"]
  image: python:${PY}
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"   # pip's default cache lives in $HOME, which the cache below would miss
  cache:
    key: "pip-${CI_COMMIT_REF_SLUG}-py${PY}"       # a venv built for 3.10 is useless for 3.12, so key by interpreter too
    paths: ["venv/", ".cache/pip/"]
    policy: pull-push
  script:
    - python -m venv venv && . venv/bin/activate
    - pip install -r requirements.txt
    - pytest -q
```

To save traffic and time: a global Dependency Proxy, tests split across the matrix, and `artifacts:expire_in` for hygiene.

5) Security and compliance (shift-left)

A sample security stage:
```yaml
include:
  # GitLab-maintained analyzer jobs; the templates pull the analyzer images themselves
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml

sast:
  stage: security          # the template's analyzer jobs extend this job, so the stage carries over

secret_detection:
  stage: security

sbom:
  stage: security
  image:
    name: anchore/syft:latest   # pin to a release for production use
    entrypoint: [""]
  script:
    - syft "$IMAGE" -o cyclonedx-json=sbom.json
  artifacts:
    reports:
      cyclonedx: sbom.json
  needs: ["build_image"]

sign_image:
  stage: security
  image: alpine:3.20
  variables:
    COSIGN_YES: "true"
  script:
    - apk add --no-cache cosign
    # $COSIGN_KEY is a "file" type masked CI variable (path to the private key); COSIGN_PASSWORD is masked too.
    # Prefer signing the digest ($CI_REGISTRY_IMAGE/app@sha256:...) rather than a tag, which can be re-pointed later.
    - cosign sign --key "$COSIGN_KEY" "$IMAGE"
  needs: ["build_image"]
```

Also: DAST against staging, Dependency Scanning and License Compliance, mandatory MR approvals on critical findings, masking of variables.

6) Environments, Review Apps and releases

```yaml
review:
  stage: deploy
  image: bitnami/kubectl:1.30
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.apps.example.com
    on_stop: stop_review
    auto_stop_in: 3 days       # forgotten stands are torn down without anyone clicking
  script:
    - ./deploy.sh --env=review --image="$IMAGE"
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

stop_review:
  stage: deploy
  image: bitnami/kubectl:1.30
  when: manual
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  script:
    - ./deploy.sh --env=review --delete
  rules:                       # the stop job must exist in the same pipelines as the job it stops
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

Release/tag pipeline: publish the Helm chart and artifacts, generate release notes, sign images.

7) Progressive delivery: canary/blue-green

```yaml
deploy_canary:
  stage: deploy
  environment:
    name: production
  resource_group: production   # serialize production deploys: one canary in flight at a time
  script:
    - ./helm_upgrade.sh --set canary.weight=10 --image="$IMAGE"
  rules:
    - if: $CI_COMMIT_TAG

promote_100:
  stage: deploy
  when: manual
  environment:
    name: production
  resource_group: production
  script:
    - ./helm_upgrade.sh --set canary.weight=100
  needs: ["deploy_canary"]
  rules:
    - if: $CI_COMMIT_TAG
```

Add quality gates: take SLO latency and error rate from monitoring and decide whether to promote or roll back.
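The gate between `deploy_canary` and `promote_100` can be an ordinary script run by a job in between. The following is an added example, not GambleHub's `helm_upgrade.sh` or any GitLab feature: it compares canary and stable request samples against assumed SLO thresholds and returns promote, rollback, or hold (too little traffic to judge, which is deliberately not treated as success). In a pipeline the samples would come from Prometheus queries; here they are constructed deterministically so the script runs offline.

```python
"""Quality gate for a canary step: decide promote / rollback / hold from
request samples. Added example, not GambleHub's helm_upgrade.sh or any
GitLab feature. Samples are constructed (status, latency_ms) records; in a
pipeline they would come from Prometheus queries against the canary and
stable deployments. SLO thresholds are assumed values."""
from dataclasses import dataclass
import math
import random


@dataclass(frozen=True)
class Slo:
    max_error_rate: float = 0.01            # 1% 5xx budget
    max_p95_ms: float = 300.0
    max_relative_degradation: float = 0.20  # canary p95 may exceed baseline p95 by at most 20%
    min_requests: int = 200                 # below this the canary has not really been exercised


def percentile(values, q):
    """Nearest-rank percentile, q in (0, 1]."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def summarize(requests):
    """requests: iterable of (http_status, latency_ms)."""
    requests = list(requests)
    total = len(requests)
    errors = sum(1 for status, _ in requests if status >= 500)
    return {
        "requests": total,
        "error_rate": errors / total if total else 0.0,
        "p95_ms": percentile([lat for _, lat in requests], 0.95) if total else 0.0,
    }


def gate(canary, baseline, slo=Slo()):
    """Return (decision, reasons). 'hold' keeps the current canary weight:
    not enough traffic to judge, so neither promote nor roll back."""
    c, b = summarize(canary), summarize(baseline)
    if c["requests"] < slo.min_requests:
        return "hold", [f"only {c['requests']} canary requests (< {slo.min_requests})"]
    reasons = []
    if c["error_rate"] > slo.max_error_rate:
        reasons.append(f"canary error rate {c['error_rate']:.2%} > {slo.max_error_rate:.2%}")
    if c["p95_ms"] > slo.max_p95_ms:
        reasons.append(f"canary p95 {c['p95_ms']:.0f}ms > SLO {slo.max_p95_ms:.0f}ms")
    # A canary inside the absolute SLO but clearly slower than stable is still a regression.
    if b["requests"] >= slo.min_requests and c["p95_ms"] > b["p95_ms"] * (1 + slo.max_relative_degradation):
        reasons.append(f"canary p95 {c['p95_ms']:.0f}ms vs baseline {b['p95_ms']:.0f}ms "
                       f"(> +{slo.max_relative_degradation:.0%})")
    return ("rollback", reasons) if reasons else ("promote", [])


def constructed_samples(n, error_rate, median_ms, seed):
    """Constructed traffic: 5xx with probability error_rate, log-normal latency around median_ms."""
    rng = random.Random(seed)
    return [(503 if rng.random() < error_rate else 200,
             rng.lognormvariate(math.log(median_ms), 0.35)) for _ in range(n)]


BASELINE = constructed_samples(5000, 0.002, 120, seed=1)       # stable release
GOOD_CANARY = constructed_samples(1000, 0.002, 120, seed=2)    # behaves like stable
ERROR_CANARY = constructed_samples(1000, 0.05, 120, seed=3)    # 5% 5xx: breaches the error budget
SLOW_CANARY = constructed_samples(1000, 0.002, 200, seed=4)    # p95 well above 300ms
THIN_CANARY = constructed_samples(50, 0.0, 120, seed=5)        # too little traffic to judge

if __name__ == "__main__":
    for label, samples in [("good", GOOD_CANARY), ("errors", ERROR_CANARY),
                           ("slow", SLOW_CANARY), ("thin", THIN_CANARY)]:
        decision, why = gate(samples, BASELINE)
        print(f"{label:7s} -> {decision:8s} {'; '.join(why)}")
```

Wire it in as a job between the canary and the promotion that exits non-zero on `rollback` (so `promote_100` never becomes available) and re-runs after a delay on `hold`; a gate that treats "no data" as a pass is the usual way a broken canary reaches 100%.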

8) Parent/child and multi-project pipelines

Parent/child pipelines speed up a large monorepo: each component gets its own child pipeline.

```yaml
trigger_components:
  stage: build
  trigger:
    include:
      - local: ci/component-a.yml
      - local: ci/component-b.yml
    strategy: depend     # the parent waits for the child pipelines and takes their status
```

Multi-project: a "Release" project turns CD into a change to the manifest repository (GitOps).

9) GitOps and Terraform/IaC

GitOps via an MR to the manifest repository

```yaml
gitops_bump:
  stage: deploy
  image: alpine:3.20          # alpine/git has no yq; install both from the Alpine repos
  before_script:
    - apk add --no-cache git yq
    - git config --global user.email "ci-bot@example.com" && git config --global user.name "gitlab-ci"
  script:
    # $MANIFESTS_REPO is an https URL carrying a project access token scoped to the manifest repo, not a personal token
    - git clone "$MANIFESTS_REPO" manifests
    - yq -i '.image = strenv(IMAGE)' manifests/apps/app/values.yaml
    - cd manifests && git commit -am "bump app to $CI_COMMIT_SHA" && git push origin "HEAD:$TARGET_BRANCH"
```
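The `yq` one-liner above will happily write any string into `.image`, including a mutable tag or an image from a foreign registry. The script below is an added example (not GambleHub's pipeline, and not a general yq replacement) of a bump step that refuses both: the new reference must be digest-pinned (`repo@sha256:...`) and must stay within an assumed repository allowlist, and only the top-level `image:` key is rewritten. The values.yaml text and registry names are constructed.

```python
"""Digest-pinned image bump for a GitOps manifest repo. Added example, not
GambleHub's pipeline. It replaces the top-level `image:` value in a
values.yaml text while enforcing that the new reference is an immutable
digest (no mutable tags) and stays in the allowed repository. The
values.yaml text, registry and repository names are constructed."""
import re

ALLOWED_REPOS = {"registry.example.com/gh/app"}   # assumed allowlist for this application

_NAME = r"[a-z0-9]+(?:[._-][a-z0-9]+)*"
DIGEST_REF = re.compile(
    rf"^(?P<repo>{_NAME}(?::[0-9]+)?(?:/{_NAME})+)(?::[\w][\w.-]{{0,127}})?@sha256:(?P<digest>[a-f0-9]{{64}})$")
IMAGE_LINE = re.compile(r"^(?P<indent>[ \t]*)image:[ \t]*(?P<value>\S+)[ \t]*(?:#.*)?$", re.M)


class BumpError(ValueError):
    pass


def parse_ref(ref):
    """Return (repository, digest) or raise if ref is not digest-pinned."""
    m = DIGEST_REF.match(ref)
    if not m:
        raise BumpError(f"{ref!r} is not a digest-pinned reference (repo@sha256:<64 hex>)")
    return m.group("repo"), m.group("digest")


def repository_of(ref):
    """Repository part of any reference: strip @digest and a trailing :tag (registry ports survive)."""
    base = ref.split("@", 1)[0]
    head, _, last = base.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def bump_image(values_text, new_ref):
    """Replace the top-level `image:` value; return (new_text, commit_message)."""
    repo, digest = parse_ref(new_ref)
    if repo not in ALLOWED_REPOS:
        raise BumpError(f"repository {repo!r} is outside the allowlist")
    top_level = [m for m in IMAGE_LINE.finditer(values_text) if m.group("indent") == ""]
    if len(top_level) != 1:
        raise BumpError("expected exactly one top-level image: key")
    m = top_level[0]
    old_ref = m.group("value").strip("'\"")
    if repository_of(old_ref) != repo:   # a bump changes the version, never where the app is pulled from
        raise BumpError(f"bump would move the app from {repository_of(old_ref)!r} to {repo!r}")
    new_text = values_text[:m.start("value")] + new_ref + values_text[m.end("value"):]
    return new_text, f"bump app to {repo}@sha256:{digest[:12]}"


# Constructed manifest: the nested service.image key must be left alone
VALUES_YAML = (
    "replicaCount: 2\n"
    "image: registry.example.com/gh/app@sha256:" + "0" * 64 + "\n"
    "service:\n"
    "  image: sidecar.example.com/tools/envoy:1.30   # nested key, left alone\n"
)

if __name__ == "__main__":
    text, message = bump_image(VALUES_YAML, "registry.example.com/gh/app@sha256:" + "a" * 64)
    print(message)
    print(text)
```

The digest to write comes from the build job (for example `docker inspect --format '{{index .RepoDigests 0}}'` after the push), not from the tag: a tag such as `$CI_COMMIT_SHA` looks immutable but can be re-pushed by anyone with registry write access.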

Terraform in CI

```yaml
terraform_plan:
  stage: deploy
  image: hashicorp/terraform:1.9
  script:
    - terraform init -backend-config="bucket=$TF_BUCKET"
    - terraform plan -out tfplan
  artifacts: { paths: [tfplan], expire_in: 1 day }
  rules: [{ if: '$CI_COMMIT_BRANCH == "infra"' }]

terraform_apply:
  stage: deploy
  image: hashicorp/terraform:1.9
  when: manual            # apply the reviewed plan on an explicit click from the protected branch, never -auto-approve on every push
  needs: ["terraform_plan"]
  resource_group: terraform
  script:
    - terraform init -backend-config="bucket=$TF_BUCKET"
    - terraform apply tfplan
  rules: [{ if: '$CI_COMMIT_BRANCH == "infra"' }]
```

10) Secrets and permissions

CI variables: masked and protected, split by environment scope and by group.
Protected branches/tags: deployments to prod only from protected refs and only after manual approval.
External secrets: integrate a secrets manager or HashiCorp Vault through JWT/OIDC (CI ID tokens); mount secrets only for the duration of the job on ephemeral runners.
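What makes the Vault/OIDC integration safe is not the token itself but the role's bound claims. A job declares `id_tokens: VAULT_ID_TOKEN: aud: https://vault.example.com` and GitLab issues a short-lived JWT carrying `project_path`, `ref`, `ref_type`, `ref_protected` (a string, "true"/"false"), `environment` and `pipeline_source`; Vault's JWT auth role then requires `bound_audiences` and every `bound_claims` entry to match before it issues a token with the role's policies. The script below is an added example (not Vault's code, not a GambleHub artifact) that evaluates three assumed roles the way Vault would, including a deliberately weak one bound only to `project_path`, which lets any feature branch of the project read production secrets. Signature verification against GitLab's JWKS is assumed to have happened already; issuer, audience and project paths are illustrative.

```python
"""Bound-claims evaluation for GitLab CI ID tokens, in the shape Vault's
JWT auth method applies it. Added example, not Vault's code and not a
GambleHub artifact. Signature verification against GitLab's JWKS is
assumed done; issuer, audience, role contents and project paths are
assumed for illustration."""
import fnmatch
import time

ISSUER = "https://gitlab.example.com"          # assumed self-managed instance
VAULT_AUD = "https://vault.example.com"        # the aud the job requests in id_tokens

# Roles as they would be written with `vault write auth/jwt/role/<name> ...`
ROLES = {
    # Weak: only the project is bound, so a feature branch of the same project
    # (anyone who can push) can log in and read production secrets.
    "deploy-weak": {
        "bound_audiences": [VAULT_AUD],
        "bound_claims": {"project_path": "gh/payments-api"},
        "bound_claims_type": "string",
        "token_policies": ["prod-read"],
    },
    # Strict: protected ref, tag pipeline, production environment.
    "deploy-prod": {
        "bound_audiences": [VAULT_AUD],
        "bound_claims": {
            "project_path": "gh/payments-api",
            "ref_protected": "true",       # GitLab emits this claim as a string
            "ref_type": "tag",
            "environment": "production",
        },
        "bound_claims_type": "string",
        "token_policies": ["prod-read"],
    },
    # Review apps: glob matching, read-only policy, review/* environments only.
    "review-apps": {
        "bound_audiences": [VAULT_AUD],
        "bound_claims": {"project_path": "gh/*", "environment": "review/*"},
        "bound_claims_type": "glob",
        "token_policies": ["review-read"],
    },
}


def _claim_matches(actual, expected, mode):
    """Vault accepts a list of allowed values per bound claim; glob mode uses shell-style wildcards."""
    expected_values = expected if isinstance(expected, list) else [expected]
    actual_values = actual if isinstance(actual, list) else [actual]
    for a in actual_values:
        for e in expected_values:
            if mode == "glob" and fnmatch.fnmatchcase(str(a), str(e)):
                return True
            if mode != "glob" and a == e:
                return True
    return False


def authorize(claims, role_name, roles=ROLES, now=None):
    """Decide a login: returns (True, policies) or (False, reason)."""
    role = roles[role_name]
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token expired or not yet valid"
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if not set(aud) & set(role["bound_audiences"]):
        return False, "audience not bound to role"
    mode = role.get("bound_claims_type", "string")
    for claim, expected in role["bound_claims"].items():
        if claim not in claims:
            return False, f"missing claim {claim}"
        if not _claim_matches(claims[claim], expected, mode):
            return False, f"claim {claim}={claims[claim]!r} not allowed"
    return True, role["token_policies"]


NOW = 1_700_000_000


def gitlab_id_token(ref, ref_type, ref_protected, environment):
    """Constructed payload shaped like a GitLab ID token (the signed JWT would carry these claims)."""
    return {
        "iss": ISSUER, "aud": VAULT_AUD, "nbf": NOW - 5, "exp": NOW + 300,
        "project_path": "gh/payments-api", "namespace_path": "gh",
        "pipeline_source": "push", "ref": ref, "ref_type": ref_type,
        "ref_protected": ref_protected, "environment": environment,
    }


FEATURE_BRANCH = gitlab_id_token("feature/anything", "branch", "false", "production")
RELEASE_TAG = gitlab_id_token("v2.3.0", "tag", "true", "production")
REVIEW_APP = gitlab_id_token("mr-42", "branch", "false", "review/mr-42")

if __name__ == "__main__":
    for token, role in [(FEATURE_BRANCH, "deploy-weak"), (FEATURE_BRANCH, "deploy-prod"),
                        (RELEASE_TAG, "deploy-prod"), (REVIEW_APP, "review-apps")]:
        print(token["ref"], role, authorize(token, role, now=NOW))
```

The `environment` claim is only as trustworthy as the environment's protection in GitLab: bind `environment_protected: "true"` as well when the environment name alone decides which policies a job receives.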

11) Pipeline observability and SLOs

Pipeline DORA/KPIs: lead time, deployment frequency, change failure rate, MTTR.
Tooling: retries and timeouts, `allow_failure` for non-blocking jobs, code coverage reports.
Metric export: stage durations, runner queue length, success ratio; alerts in ChatOps.

12) FinOps: cost and throughput

Dependency Proxy plus caching of Docker layers and dependencies.
Separate runner pools (prod/security/ML) with concurrency limits.
Auto-stop for Review Apps and idle environments; `artifacts:expire_in`.
Heavy builds on spot/preemptible pools; pre-warm base images.

13) Samples for iGaming cases

Backend/API service

```yaml
include:
  - local: ci/includes/security.yml
  - local: ci/includes/docker.yml

deploy_prod:
  stage: deploy
  environment:
    name: production
    url: https://api.example.com
  resource_group: production
  script:
    - ./helm_upgrade.sh --env=prod --image="$IMAGE"
  rules:
    - if: $CI_COMMIT_TAG     # with protected tags, only maintainers can start a production release
```

ETL/dbt model

```yaml
dbt_run:
  stage: build
  image: ghcr.io/dbt-labs/dbt-snowflake:latest   # pin to a release for production use
  script:
    - dbt deps
    - dbt run --profiles-dir .
    - dbt test
  artifacts:
    paths: ["target/"]
    expire_in: 3 days
```

ML/LLM artifact

```yaml
ml_pack:
  stage: package
  # the plain cuda runtime image carries neither python nor trtexec; NGC TensorRT images ship both
  image: nvcr.io/nvidia/tensorrt:24.05-py3
  tags: ["gpu"]
  script:
    - python export_onnx.py
    - /usr/src/tensorrt/bin/trtexec --onnx=model.onnx --saveEngine=model.plan
  artifacts:
    paths: ["model.plan", "model.onnx"]
```

14) Adoption checklist

1. Define pipeline templates and shared includes for the teams (lint/test/build/security/deploy).
2. Roll out ephemeral K8s runners; add the Dependency Proxy and object storage.
3. Introduce rules/needs/DAG, matrices and parallelism.
4. Set up SAST/DAST/secret/SBOM/license scanning and MR approvals according to policy.
5. Organize environments and Review Apps, auto-stop and clean URLs.
6. GitOps: a separate manifest repo, MR bumps of images and charts.
7. Secrets management (masked/protected variables, Vault/OIDC), protected branches and tags.
8. Wire in Terraform/IaC and "monitoring as code".
9. Adopt FinOps practices: runner limits, cache/proxy, artifact expiry, auto-pause of stands.
10. Regular game days: a runner going down, cache loss, registry unavailability.

15) Antipatterns

One "universal" runner without isolation or quotas.
Pipelines without `rules` (triggered on every event) and without `needs` (slow).
Privileged DinD builds on prod runners without restrictions.
Secrets in the repository or in job logs.
No security stage and no MR approvals.
Unbounded Review Apps without `on_stop` and `expire_in`.
Manual releases to prod without protected tags.
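Several of these antipatterns are visible in the config itself and can be caught before an MR is merged. The script below is an added example (not GitLab's CI lint and not GambleHub tooling) of such a check over a parsed `.gitlab-ci.yml`: unpinned or `:latest` images, a `dind` service with `DOCKER_TLS_CERTDIR: ""`, `docker login -p` with the password on the command line, token-shaped literals in scripts, `terraform apply -auto-approve` without `when: manual`, and jobs with neither `rules` nor `workflow:rules`. It expects the document as loaded by a YAML parser; the constructed dict literal stands in for that so it runs offline, and the rule names are our own.

```python
"""Static checks for a parsed .gitlab-ci.yml against the antipatterns
listed above. Added example, not GitLab's linter or GambleHub tooling.
Expects the config already loaded by a YAML parser (e.g. yaml.safe_load);
a constructed dict literal stands in below. Rule names are our own."""
import re

# Top-level keywords that are not jobs
RESERVED = {"stages", "variables", "workflow", "default", "include", "image",
            "services", "before_script", "after_script", "cache"}

SECRET_PATTERNS = [
    ("gitlab-pat", re.compile(r"glpat-[A-Za-z0-9_-]{20}")),
    ("aws-access-key-id", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
PASSWORD_FLAG = re.compile(r"(^|\s)(-p|--password)(\s|=)")   # --password-stdin does not match


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _image_name(value):
    if isinstance(value, dict):
        value = value.get("name", "")
    return str(value or "")


def _script_lines(job):
    lines = []
    for key in ("before_script", "script", "after_script"):
        for item in _as_list(job.get(key)):
            lines.extend(str(x) for x in _as_list(item))   # script entries may be nested lists
    return lines


def lint_ci_config(config):
    """Return a list of (job_name, rule_id, message) findings."""
    findings = []
    workflow_rules = bool((config.get("workflow") or {}).get("rules"))
    for name, job in config.items():
        if name in RESERVED or name.startswith(".") or not isinstance(job, dict):
            continue
        variables = {**(config.get("variables") or {}), **(job.get("variables") or {})}
        services = [_image_name(s) for s in _as_list(job.get("services"))]
        image = _image_name(job.get("image", config.get("image")))

        # Unpinned image: ':latest', or no tag/digest at all (last path segment has no ':')
        if image and (image.endswith(":latest") or ":" not in image.rsplit("/", 1)[-1]):
            findings.append((name, "unpinned-image", f"image {image!r} is not pinned to a tag or digest"))

        # DinD with TLS switched off: plaintext, unauthenticated docker socket inside the pod
        if any("dind" in s for s in services) and variables.get("DOCKER_TLS_CERTDIR") == "":
            findings.append((name, "dind-no-tls", 'docker:dind with DOCKER_TLS_CERTDIR: "" (use "/certs")'))

        for line in _script_lines(job):
            if "docker login" in line and PASSWORD_FLAG.search(line):
                findings.append((name, "password-on-argv",
                                 "docker login -p/--password puts the secret in argv; use --password-stdin"))
            for label, pattern in SECRET_PATTERNS:
                if pattern.search(line):
                    findings.append((name, "hardcoded-secret", f"{label} literal in script"))
            if "terraform apply" in line and "-auto-approve" in line and job.get("when") != "manual":
                findings.append((name, "unattended-apply", "terraform apply -auto-approve without when: manual"))

        # Job that runs on every pipeline: no rules on the job and none in workflow
        if not workflow_rules and not any(k in job for k in ("rules", "only", "except")):
            findings.append((name, "no-rules", "no rules/only/except on the job and no workflow:rules"))
    return findings


# Constructed config reproducing several antipatterns from the list above
SAMPLE_CONFIG = {
    "stages": ["build", "deploy"],
    "variables": {"IMAGE": "$CI_REGISTRY_IMAGE/app:$CI_COMMIT_SHA"},
    "build_image": {
        "stage": "build",
        "image": "docker:latest",
        "services": ["docker:dind"],
        "variables": {"DOCKER_TLS_CERTDIR": ""},
        "script": ["docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY",
                   "docker build -t $IMAGE ."],
    },
    "terraform": {
        "stage": "deploy",
        "image": "hashicorp/terraform:1.9",
        "script": ["terraform init", "terraform apply -auto-approve",
                   # a fake token shaped like a GitLab PAT, pasted into the script instead of a masked variable
                   "curl -H 'PRIVATE-TOKEN: glpat-" + "a" * 20 + "' https://gitlab.example.com/api/v4/projects"],
    },
    "unit": {
        "stage": "build",
        "image": "python:3.12",
        "script": ["pytest -q"],
        "rules": [{"if": '$CI_PIPELINE_SOURCE == "merge_request_event"'}],
    },
}

if __name__ == "__main__":
    for job, rule, message in lint_ci_config(SAMPLE_CONFIG):
        print(f"{job}: [{rule}] {message}")
```

Run it as an MR job over the merged configuration (`glab ci config` or the `/ci/lint` API with `include_merged_yaml` resolves includes first) and fail the job on any finding; checking only the top-level file misses templates pulled in through `include`.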

Conclusions

GitLab CI/CD gives iGaming teams fast and predictable releases: uniform templates, auto-scaled runners, solid security gates, environments and progressive deployment, GitOps and Terraform integration. Add FinOps and observability, and your applications, ETL and ML services ship regularly, securely and at a controlled cost.
