Domain 2 of 4 · Chapter 3 of 7

Building a GitLab CI/CD Pipeline

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Designing, Deploying and Managing Network Automation Systems premium course — no separate purchase.

14-day money-back guarantee — no questions asked.

Included in this chapter:

  • The four-stage network-automation pipeline
  • Anatomy of a job: script, image, and tags
  • Build: render the artifact, never touch a device
  • Prevalidation: prove it is safe, change nothing
  • Deploy: the one stage that changes devices
  • Post-validation: verify the outcome, not the exit code
  • Artifacts, needs, and dependencies
  • Rules, variables, and secrets

The four network-automation pipeline stages

AspectBuildPrevalidationDeployPost-validation
When it runsFirstBefore deployThe change itselfAfter deploy
Device I/ONoneRead-only (predict)Writes configRead-only (verify)
What it doesRender/package the artifactLint + dry-run itApply it to devicesConfirm the result
Typical toolsAnsible template, docker:dind/Kanikoyamllint, --syntax-check, --check, terraform planansible-playbook, terraform apply, RESTCONF/NETCONFpyATS learn/diff/assert, ping
On failurePipeline stops, nothing changedDeploy skipped, nothing changedState may be partialChange is live; triggers rollback or alert

Decision tree

Writes config to a device? Yes Deploy stage writes config No Runs before deploy? predicts the change Yes Prevalidation reads to predict No Reads state after deploy? verifies the result Yes Post-validation reads to verify No Build stage renders the artifact

Cheat sheet

  • stages defines execution order; same-stage jobs run in parallel
  • Jobs are placed into stages via stage:
  • A normal job requires a script
  • image selects the container; tags select the runner
  • variables scope: global vs per-job
  • The build stage packages the automation artifact
  • Build exposes outputs via artifacts:paths
  • Building a container image inside CI
  • Build renders intended configs from the source of truth
  • Prevalidation checks the artifact before touching devices
  • Dry-run previews changes without applying
  • Prevalidation is the gate protecting production
  • Cheap prevalidation checks: yamllint and syntax-check
  • Deploy applies validated config to devices
  • Deploy only on the default branch
  • Manual approval and environment tracking on deploy
  • needs makes deploy start as soon as its dependency finishes
  • Post-validation verifies the deployed state
  • pyATS learn/assert in post-validation
  • A failing post-validation closes the deploy loop
  • Publishing test reports to the MR
  • artifacts:paths uploads files for later stages
  • needs changes ordering; dependencies only selects artifacts
  • Ordering without downloading artifacts
  • Artifacts carry build output across the stages
  • rules evaluate if conditions top-down
  • Runner executors: shell, docker, kubernetes
  • Predefined variables drive rules decisions
  • workflow:rules control whole-pipeline creation
  • Masked vs protected GitLab CI/CD variables
  • Injecting secrets into the deploy stage securely

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. https://docs.gitlab.com/ci/yaml/
  2. https://docs.gitlab.com/ci/pipelines/pipeline_architectures/
  3. https://docs.gitlab.com/runner/executors/
  4. https://docs.gitlab.com/runner/executors/shell/
  5. https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html
  6. https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_templating.html
  7. https://docs.gitlab.com/ci/docker/using_docker_build/
  8. https://docs.gitlab.com/ci/docker/using_kaniko/
  9. https://docs.ansible.com/ansible/latest/cli/ansible-playbook.html
  10. https://developer.hashicorp.com/terraform/cli/commands/validate
  11. https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_checkmode.html
  12. https://developer.hashicorp.com/terraform/cli/commands/plan
  13. https://docs.gitlab.com/ci/variables/predefined_variables/
  14. https://docs.gitlab.com/ci/yaml/deprecated_keywords/
  15. https://docs.gitlab.com/ci/jobs/job_control/
  16. https://docs.gitlab.com/ci/environments/protected_environments/
  17. https://docs.gitlab.com/ci/environments/
  18. https://docs.gitlab.com/ci/environments/deployments/
  19. https://developer.cisco.com/docs/pyats/
  20. https://developer.cisco.com/docs/ansible-fest-lab-guide/gitlab-cicd/
  21. https://docs.gitlab.com/ci/testing/unit_test_reports/
  22. https://docs.gitlab.com/ci/jobs/job_artifacts/
  23. https://docs.gitlab.com/ci/yaml/workflow/
  24. https://docs.gitlab.com/ci/variables/
  25. https://docs.gitlab.com/ci/secrets/id_token_authentication/