# Copyright (c) 2021, NVIDIA CORPORATION.  All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

include:
  - local: '.common-ci.yml'

default:
  tags:
    - cnt
    - container-dev
    - docker/multi-arch
    - docker/privileged
    - os/linux
    - type/docker

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: "/certs"
  # Release "devel"-tagged images off the master branch
  RELEASE_DEVEL_BRANCH: "master"
  DEVEL_RELEASE_IMAGE_VERSION: "devel"
  # On the multi-arch builder we don't need the qemu setup.
  SKIP_QEMU_SETUP: "1"
  # Define the public staging registry
  STAGING_REGISTRY: registry.gitlab.com/nvidia/container-toolkit/container-toolkit/staging
  STAGING_VERSION: ${CI_COMMIT_SHORT_SHA}

.image-pull:
  stage: image-build
  variables:
    IN_REGISTRY: "${STAGING_REGISTRY}"
    IN_IMAGE_NAME: container-toolkit
    IN_VERSION: "${STAGING_VERSION}"
    OUT_REGISTRY_USER: "${CI_REGISTRY_USER}"
    OUT_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}"
    OUT_REGISTRY: "${CI_REGISTRY}"
    OUT_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit"
    PUSH_MULTIPLE_TAGS: "false"
  # We delay the job start to allow the public pipeline to generate the required images.
  when: delayed
  start_in: 30 minutes
  timeout: 30 minutes
  retry:
    max: 2
    when:
      - job_execution_timeout
      - stuck_or_timeout_failure
  before_script:
    - !reference [.regctl-setup, before_script]
    - apk add --no-cache make bash
    - >
      regctl manifest get ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} --list > /dev/null && echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST}" || ( echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} does not exist" && sleep infinity )
  script:
    - regctl registry login "${OUT_REGISTRY}" -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}"
    - make -f build/container/Makefile IMAGE=${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} OUT_IMAGE=${OUT_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}-${DIST} push-${DIST}

image-centos7:
  extends:
    - .image-pull
    - .dist-centos7

image-centos8:
  extends:
    - .image-pull
    - .dist-centos8

image-ubi8:
  extends:
    - .image-pull
    - .dist-ubi8

image-ubuntu18.04:
  extends:
    - .image-pull
    - .dist-ubuntu18.04

image-ubuntu20.04:
  extends:
    - .image-pull
    - .dist-ubuntu20.04

# The DIST=packaging target creates an image containing all built packages
image-packaging:
  extends:
    - .image-pull
    - .dist-packaging

# We skip the integration tests for the internal CI:
.integration:
  stage: test
  before_script:
    - echo "Skipped in internal CI"
  script:
    - echo "Skipped in internal CI"

# The .scan step forms the base of the image scan operation performed before releasing
# images.
.scan:
  stage: scan
  image: "${PULSE_IMAGE}"
  variables:
    IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}"
    IMAGE_ARCHIVE: "container-toolkit.tar"
  except:
    variables:
      - $SKIP_SCANS && $SKIP_SCANS == "yes"
  before_script:
    - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
    # TODO: We should specify the architecture here and scan all architectures
    - docker pull --platform="${PLATFORM}" "${IMAGE}"
    - docker save "${IMAGE}" -o "${IMAGE_ARCHIVE}"
    - AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0)
    - >
      export SSA_TOKEN=$(curl --request POST --header "Authorization: Basic $AuthHeader" --header "Content-Type: application/x-www-form-urlencoded" ${SSA_ISSUER_URL} | jq ".access_token" |  tr -d '"')
    - if [ -z "$SSA_TOKEN" ]; then exit 1; else echo "SSA_TOKEN set!"; fi
  script:
    - pulse-cli -n $NSPECT_ID --ssa $SSA_TOKEN scan -i $IMAGE_ARCHIVE -p $CONTAINER_POLICY -o
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      - pulse-cli.log
      - licenses.json
      - sbom.json
      - vulns.json
      - policy_evaluation.json

# Define the scan targets
scan-centos7-amd64:
  extends:
    - .scan
    - .dist-centos7
    - .platform-amd64
  needs:
    - image-centos7

scan-centos7-arm64:
  extends:
    - .scan
    - .dist-centos7
    - .platform-arm64
  needs:
    - image-centos7
    - scan-centos7-amd64

scan-centos8-amd64:
  extends:
    - .scan
    - .dist-centos8
    - .platform-amd64
  needs:
    - image-centos8

scan-centos8-arm64:
  extends:
    - .scan
    - .dist-centos8
    - .platform-arm64
  needs:
    - image-centos8
    - scan-centos8-amd64

scan-ubuntu18.04-amd64:
  extends:
    - .scan
    - .dist-ubuntu18.04
    - .platform-amd64
  needs:
    - image-ubuntu18.04

scan-ubuntu18.04-arm64:
  extends:
    - .scan
    - .dist-ubuntu18.04
    - .platform-arm64
  needs:
    - image-ubuntu18.04
    - scan-ubuntu18.04-amd64

scan-ubuntu20.04-amd64:
  extends:
    - .scan
    - .dist-ubuntu20.04
    - .platform-amd64
  needs:
    - image-ubuntu20.04

scan-ubuntu20.04-arm64:
  extends:
    - .scan
    - .dist-ubuntu20.04
    - .platform-arm64
  needs:
    - image-ubuntu20.04
    - scan-ubuntu20.04-amd64

scan-ubi8-amd64:
  extends:
    - .scan
    - .dist-ubi8
    - .platform-amd64
  needs:
    - image-ubi8

scan-ubi8-arm64:
  extends:
    - .scan
    - .dist-ubi8
    - .platform-arm64
  needs:
    - image-ubi8
    - scan-ubi8-amd64

# Define external release helpers
.release:ngc:
  extends:
    - .release:external
  variables:
    OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}"
    OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}"
    OUT_REGISTRY: "${NGC_REGISTRY}"
    OUT_IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
    SKIP_RELEASE: "${NGC_SKIP_RELEASE}"
    DRYRUN_RELEASE: "${NGC_DRYRUN_RELEASE}"

.release:dockerhub:
  extends:
    - .release:external
  variables:
    OUT_REGISTRY_USER: "${REGISTRY_USER}"
    OUT_REGISTRY_TOKEN: "${REGISTRY_TOKEN}"
    OUT_REGISTRY: "${DOCKERHUB_REGISTRY}"
    OUT_IMAGE_NAME: "${REGISTRY_IMAGE}"
    SKIP_RELEASE: "${DOCKERHUB_SKIP_RELEASE}"
    DRYRUN_RELEASE: "${DOCKERHUB_DRYRUN_RELEASE}"

release:staging-ubuntu18.04:
  extends:
    - .release:staging
    - .dist-ubuntu18.04
  needs:
    - image-ubuntu18.04

release:staging-ubuntu20.04:
  extends:
    - .release:staging
    - .dist-ubuntu20.04
  needs:
    - image-ubuntu20.04

# Define the external release targets
# Release to NGC
release:ngc-centos7:
  extends:
    - .release:ngc
    - .dist-centos7

release:ngc-centos8:
  extends:
    - .release:ngc
    - .dist-centos8

release:ngc-ubuntu18.04:
  extends:
    - .release:ngc
    - .dist-ubuntu18.04

release:ngc-ubuntu20.04:
  extends:
    - .release:ngc
    - .dist-ubuntu20.04

release:ngc-ubi8:
  extends:
    - .release:ngc
    - .dist-ubi8

# Release to Dockerhub
release:dockerhub-centos7:
  extends:
    - .release:dockerhub
    - .dist-centos7

release:dockerhub-centos8:
  extends:
    - .release:dockerhub
    - .dist-centos8

release:dockerhub-ubuntu18.04:
  extends:
    - .release:dockerhub
    - .dist-ubuntu18.04

release:dockerhub-ubuntu20.04:
  extends:
    - .release:dockerhub
    - .dist-ubuntu20.04

release:dockerhub-ubi8:
  extends:
    - .release:dockerhub
    - .dist-ubi8