forked from NVIDIA/k8s-device-plugin
-
Notifications
You must be signed in to change notification settings - Fork 3
/
.nvidia-ci.yml
157 lines (135 loc) · 4.71 KB
/
.nvidia-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
---
##
## Variables that control the CI artifacts (private registry, for scanning and testing):
## CI_REGISTRY
## CI_REGISTRY_IMAGE
## CI_REGISTRY_USER
## CI_REGISTRY_PASSWORD
##
## Variables that control where NGC release artifacts go:
## NGC_REGISTRY
## NGC_REGISTRY_IMAGE
## NGC_REGISTRY_USER
## NGC_REGISTRY_TOKEN
##
## Variables that control where Docker Hub release artifacts go:
## REGISTRY_TOKEN
## REGISTRY_USER
## DOCKERHUB_REGISTRY_IMAGE
##
default:
image: docker:stable
services:
- docker:stable-dind
tags:
- type/docker
- docker/privileged
- cnt
- container-dev
- os/linux
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: "/certs"
stages:
- build
- test
- scan
- deploy
- release
.builddep_setup: &builddep_setup
- apk add --no-cache bash findutils libmagic curl make git
.testdep_setup: &testdep_setup
- apk add --no-cache bash make perl
.python_setup: &python_setup
- apk add --no-cache python3 python3-dev py3-pip py3-wheel
.dockerlogin_setup: &dockerlogin_setup
- docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
# tags pulled images with $CI_PROJECT_NAME to work-around issue with contamer's support for local scans.
.pull_images: &pull_images
- docker pull ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}-ubuntu16.04
- docker pull ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}-centos7
- docker pull ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}-ubi8
- docker tag ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}-ubuntu16.04 ${CI_PROJECT_NAME}:${CI_COMMIT_SHA}-ubuntu16.04
- docker tag ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}-centos7 ${CI_PROJECT_NAME}:${CI_COMMIT_SHA}-centos7
- docker tag ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}-ubi8 ${CI_PROJECT_NAME}:${CI_COMMIT_SHA}-ubi8
.ngc_release_login: &ngc_release_login
- 'docker login -u "${NGC_REGISTRY_USER}" -p "${NGC_REGISTRY_TOKEN}" "${NGC_REGISTRY}"'
.dockerhub_login: &dockerhub_login
- 'docker login -u "${REGISTRY_USER}" -p "${REGISTRY_TOKEN}"'
.build_action: &build_action
- make IMAGE="${CI_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_SHA}" all
- make IMAGE="${CI_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_SHA}" push
.test_action: &test_action
- "true"
.deploy_action: &deploy_action
- make IMAGE="${CI_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_SHA}" push-short
- make IMAGE="${CI_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_SHA}" push-latest
# contamer does not support local scans on images that contain a port number
.scan_action: &scan_action
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab-master.nvidia.com/sectooling/scanning/contamer.git
- cd contamer
- pip3 install -r requirements.txt
- python3 contamer.py -ls --fail-on-non-os ${CONTAMER_SUPPRESS_VULNS:+--suppress-vulns ${CONTAMER_SUPPRESS_VULNS}} -- ${CI_PROJECT_NAME}:${CI_COMMIT_SHA}-ubuntu16.04
- python3 contamer.py -ls --fail-on-non-os ${CONTAMER_SUPPRESS_VULNS:+--suppress-vulns ${CONTAMER_SUPPRESS_VULNS}} -- ${CI_PROJECT_NAME}:${CI_COMMIT_SHA}-centos7
- python3 contamer.py -ls --fail-on-non-os ${CONTAMER_SUPPRESS_VULNS:+--suppress-vulns ${CONTAMER_SUPPRESS_VULNS}} -- ${CI_PROJECT_NAME}:${CI_COMMIT_SHA}-ubi8
.release_action: &release_action
- make IMAGE="${NGC_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_TAG}" all
- make IMAGE="${NGC_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_TAG}" push
- make IMAGE="${NGC_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_TAG}" push-short
- make IMAGE="${NGC_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_TAG}" push-latest
.dockerhub_release_action: &dockerhub_release_action
- make IMAGE="${DOCKERHUB_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_TAG}" all
- make IMAGE="${DOCKERHUB_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_TAG}" push
- make IMAGE="${DOCKERHUB_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_TAG}" push-short
- make IMAGE="${DOCKERHUB_REGISTRY_IMAGE}" VERSION="${CI_COMMIT_TAG}" push-latest
build:
stage: build
script:
- *builddep_setup
- *dockerlogin_setup
- *build_action
test:
stage: test
except:
variables:
- $CI_COMMIT_MESSAGE =~ /\[skip[ _-]tests?\]/i
- $SKIP_TESTS
script:
- *testdep_setup
- *test_action
scan:
stage: scan
except:
variables:
- $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i
- $SKIP_SCANS
script:
- *builddep_setup
- *python_setup
- *dockerlogin_setup
- *pull_images
- *scan_action
deploy:
stage: deploy
script:
- *builddep_setup
- *dockerlogin_setup
- *pull_images
- *deploy_action
release:ngc:
stage: release
only:
- tags
script:
- 'echo Commit Tag: $CI_COMMIT_TAG ; [[ -n "$CI_COMMIT_TAG" ]] || exit 1'
- *builddep_setup
- *ngc_release_login
- *release_action
release:dockerhub:
stage: release
only:
- tags
script:
- *builddep_setup
- *dockerhub_login
- *dockerhub_release_action