nvidia-container-toolkit/.nvidia-ci.yml

# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

include:
  - local: '.common-ci.yml'

default:
  tags:
    - cnt
    - container-dev
    - docker/multi-arch
    - docker/privileged
    - os/linux
    - type/docker

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: "/certs"
  # Release "devel"-tagged images off the master branch
  RELEASE_DEVEL_BRANCH: "master"
  DEVEL_RELEASE_IMAGE_VERSION: "devel"
  # On the multi-arch builder we don't need the qemu setup.
  SKIP_QEMU_SETUP: "1"
  # Define the public staging registry
  STAGING_REGISTRY: registry.gitlab.com/nvidia/container-toolkit/container-toolkit/staging
  STAGING_VERSION: ${CI_COMMIT_SHORT_SHA}

.image-pull:
  stage: image-build
  variables:
    IN_REGISTRY: "${STAGING_REGISTRY}"
    IN_IMAGE_NAME: container-toolkit
    IN_VERSION: "${STAGING_VERSION}"
    OUT_REGISTRY_USER: "${CI_REGISTRY_USER}"
    OUT_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}"
    OUT_REGISTRY: "${CI_REGISTRY}"
    OUT_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit"
  # We delay the job start to allow the public pipeline to generate the required images.
  when: delayed
  start_in: 30 minutes
  timeout: 30 minutes
  retry:
    max: 2
    when:
      - job_execution_timeout
      - stuck_or_timeout_failure
  before_script:
    - >
      docker pull ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} > /dev/null && echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST}" || ( echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} does not exist" && sleep infinity )
  script:
    - docker pull ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST}
    - docker tag ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} ${OUT_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}-${DIST}
    - docker login -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}" "${OUT_REGISTRY}"
    - docker push ${OUT_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}-${DIST}

image-centos7:
  extends:
    - .image-pull
    - .dist-centos7

image-centos8:
  extends:
    - .image-pull
    - .dist-centos8

image-ubi8:
  extends:
    - .image-pull
    - .dist-ubi8

image-ubuntu18.04:
  extends:
    - .image-pull
    - .dist-ubuntu18.04

# The DIST=packaging target creates an image containing all built packages
image-packaging:
  extends:
    - .image-pull
    - .dist-packaging

# We skip the integration tests for the internal CI:
.integration:
  stage: test
  before_script:
    - echo "Skipped in internal CI"
  script:
    - echo "Skipped in internal CI"

# The .scan step forms the base of the image scan operation performed before releasing
# images.
.scan:
  stage: scan
  image: "${PULSE_IMAGE}"
  variables:
    IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}"
    IMAGE_ARCHIVE: "container-toolkit.tar"
  except:
    variables:
      - $SKIP_SCANS && $SKIP_SCANS == "yes"
  before_script:
    - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
    # TODO: We should specify the architecture here and scan all architectures
    - docker pull "${IMAGE}"
    - docker save "${IMAGE}" -o "${IMAGE_ARCHIVE}"
    - AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0)
    - >
      export SSA_TOKEN=$(curl --request POST --header "Authorization: Basic $AuthHeader" --header "Content-Type: application/x-www-form-urlencoded" ${SSA_ISSUER_URL} | jq ".access_token" |  tr -d '"')
    - if [ -z "$SSA_TOKEN" ]; then exit 1; else echo "SSA_TOKEN set!"; fi
  script:
    - pulse-cli -n $NSPECT_ID --ssa $SSA_TOKEN scan -i $IMAGE_ARCHIVE -p $CONTAINER_POLICY -o
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      - pulse-cli.log
      - licenses.json
      - sbom.json
      - vulns.json
      - policy_evaluation.json

# Define the scan targets
scan-centos7:
  extends:
    - .scan
    - .dist-centos7
  needs:
    - image-centos7

scan-centos8:
  extends:
    - .scan
    - .dist-centos8
  needs:
    - image-centos8

scan-ubuntu18.04:
  extends:
    - .scan
    - .dist-ubuntu18.04
  needs:
    - image-ubuntu18.04

scan-ubi8:
  extends:
    - .scan
    - .dist-ubi8
  needs:
    - image-ubi8

# Define external release helpers
.release:ngc:
  extends:
    - .release:external
  variables:
    OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}"
    OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}"
    OUT_REGISTRY: "${NGC_REGISTRY}"
    OUT_IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"

.release:dockerhub:
  extends:
    - .release:external
  variables:
    OUT_REGISTRY_USER: "${REGISTRY_USER}"
    OUT_REGISTRY_TOKEN: "${REGISTRY_TOKEN}"
    OUT_REGISTRY: "${DOCKERHUB_REGISTRY}"
    OUT_IMAGE_NAME: "${REGISTRY_IMAGE}"

release:staging-ubuntu18.04:
  extends:
    - .release:staging
    - .dist-ubuntu18.04
  needs:
    - image-ubuntu18.04

# Define the external release targets
# Release to NGC
release:ngc-centos7:
  extends:
    - .release:ngc
    - .dist-centos7

release:ngc-centos8:
  extends:
    - .release:ngc
    - .dist-centos8

release:ngc-ubuntu18:
  extends:
    - .release:ngc
    - .dist-ubuntu18.04

release:ngc-ubi8:
  extends:
    - .release:ngc
    - .dist-ubi8

# Release to Dockerhub
release:dockerhub-centos7:
  extends:
    - .release:dockerhub
    - .dist-centos7

release:dockerhub-centos8:
  extends:
    - .release:dockerhub
    - .dist-centos8

release:dockerhub-ubuntu18:
  extends:
    - .release:dockerhub
    - .dist-ubuntu18.04

release:dockerhub-ubi8:
  extends:
    - .release:dockerhub
    - .dist-ubi8