---
##
## Variables that control the CI artifacts (private registry, for scanning and testing):
## CI_REGISTRY
## CI_REGISTRY_IMAGE
## CI_REGISTRY_USER
## CI_REGISTRY_PASSWORD
##
## Variables that control where NGC release artifacts go:
## NGC_REGISTRY
## NGC_REGISTRY_IMAGE
## NGC_REGISTRY_USER
## NGC_REGISTRY_TOKEN
##
## Variables that control where Docker Hub release artifacts go:
## REGISTRY_TOKEN
## REGISTRY_USER
## DOCKERHUB_REGISTRY
## DOCKERHUB_REGISTRY_IMAGE
##
## Variables consumed by the image scan step (.scan):
## PULSE_IMAGE
## SSA_CLIENT_ID
## SSA_CLIENT_SECRET
## SSA_ISSUER_URL
## NSPECT_ID
## CONTAINER_POLICY
##
## *_PASSWORD, *_TOKEN and SSA_CLIENT_SECRET are credentials: define them as masked,
## protected CI/CD variables rather than anywhere in this repository.
##
# Shared templates referenced below but not defined in this file (`.dist:*`,
# `.release:external`, presumably the `scan` stage as well) are expected to come
# from this include — confirm against .common-ci.yml.
include:
  - .common-ci.yml
# Runner selection inherited by every job in this file.
default:
  tags:
    - cnt
    - container-dev
    - docker/multi-arch
    # NOTE(review): every job here lands on privileged Docker runners. Make sure
    # pipelines from untrusted sources (forks, unreviewed MRs) cannot be scheduled
    # onto them — confirm runner protection / protected-branch settings.
    - docker/privileged
    - os/linux
    - type/docker
# Pipeline-wide variables. No credentials are set here; registry and scanner
# secrets are expected from CI/CD variables (see the header of this file).
variables:
  DOCKER_DRIVER: overlay2
  # Keeps the Docker client/daemon connection on TLS (presumably a docker:dind
  # service configured in .common-ci.yml — confirm).
  DOCKER_TLS_CERTDIR: "/certs"
  # Release "devel"-tagged images off the master branch
  RELEASE_DEVEL_BRANCH: "master"
  DEVEL_RELEASE_IMAGE_VERSION: "devel"
  # On the multi-arch builder we don't need the qemu setup.
  SKIP_QEMU_SETUP: "1"
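# The .scan step forms the base of the image scan operation performed before releasing
# images.
#
# Besides the CI_REGISTRY_* variables documented at the top of this file it reads:
#   PULSE_IMAGE                        image the scan job runs in
#   SSA_CLIENT_ID / SSA_CLIENT_SECRET  client credentials exchanged for a bearer token
#   SSA_ISSUER_URL                     token endpoint the credentials are POSTed to
#   NSPECT_ID, CONTAINER_POLICY        passed straight through to pulse-cli
# SSA_CLIENT_SECRET and CI_REGISTRY_PASSWORD are credentials and should be masked,
# protected CI variables.
.scan:
  stage: scan
  image: "${PULSE_IMAGE}"
  variables:
    # Image pushed earlier in the pipeline for this distro, pulled back by commit
    # SHA so the bytes scanned are exactly the bytes that would be released.
    IMAGE: "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHORT_SHA}-${DIST}"
    IMAGE_ARCHIVE: "k8s-device-plugin.tar"
  # NOTE(review): the scan gates release, and both skip paths are cheap to trigger —
  # a "[skip scans]" commit message by anyone who can push, or a SKIP_SCANS pipeline
  # variable. Restrict who may use them on release branches.
  except:
    variables:
      - $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i
      - $SKIP_SCANS
  before_script:
    # Feed the password on stdin rather than via `-p`, which exposes it in the
    # process list (and makes docker print a warning).
    - printf '%s' "${CI_REGISTRY_PASSWORD}" | docker login -u "${CI_REGISTRY_USER}" --password-stdin "${CI_REGISTRY}"
    # TODO: We should specify the architecture here and scan all architectures
    # (as written, a single architecture is pulled and scanned).
    - docker pull "${IMAGE}"
    - docker save "${IMAGE}" -o "${IMAGE_ARCHIVE}"
    - AuthHeader=$(printf '%s:%s' "${SSA_CLIENT_ID}" "${SSA_CLIENT_SECRET}" | base64 -w0)
    # --fail makes an HTTP error produce no body instead of an error page, and
    # `// empty` turns a missing/null access_token into an empty string, so the
    # emptiness check below actually fires. The previous `jq ".access_token" | tr -d '"'`
    # produced the literal string "null" on failure, which passed the check and sent a
    # bogus token to pulse-cli.
    - >-
      export SSA_TOKEN=$(curl --fail --silent --show-error --request POST
      --header "Authorization: Basic ${AuthHeader}"
      --header "Content-Type: application/x-www-form-urlencoded"
      "${SSA_ISSUER_URL}" | jq -r '.access_token // empty')
    - if [ -z "${SSA_TOKEN}" ]; then echo "Failed to obtain SSA token from ${SSA_ISSUER_URL}" >&2; exit 1; else echo "SSA_TOKEN set!"; fi
  script:
    - pulse-cli -n "${NSPECT_ID}" --ssa "${SSA_TOKEN}" scan -i "${IMAGE_ARCHIVE}" -p "${CONTAINER_POLICY}" -o
  artifacts:
    # Keep the scanner outputs on failure too, so a policy violation can be
    # inspected without re-running the scan.
    when: always
    expire_in: 1 week
    paths:
      - pulse-cli.log
      - licenses.json
      - sbom.json
      - vulns.json
      - policy_evaluation.json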
# One scan job per released base distribution. `.dist:*` comes from the included
# .common-ci.yml and presumably sets DIST, which selects the image tag scanned — confirm.
scan:device-plugin:ubuntu20.04:
  extends:
    - .scan
    - .dist:ubuntu20.04
scan:device-plugin:ubi8:
  extends:
    - .scan
    - .dist:ubi8
# Define the external release steps for NGC and Dockerhub
# Each variant maps a registry-specific credential set onto the generic
# OUT_REGISTRY_* variables, presumably consumed by .release:external (defined in the
# included .common-ci.yml, not here) — confirm.
# NOTE(review): NGC_REGISTRY_TOKEN is a push credential for the public release
# registry; it should be a masked, protected CI variable.
.release:ngc:
  extends:
    - .release:external
  variables:
    OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}"
    OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}"
    OUT_REGISTRY: "${NGC_REGISTRY}"
    OUT_IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
# Docker Hub variant of the external release step. It reads DOCKERHUB_REGISTRY (the
# registry host) as well as DOCKERHUB_REGISTRY_IMAGE; REGISTRY_USER/REGISTRY_TOKEN are
# the Docker Hub push credentials and should be masked, protected CI variables.
.release:dockerhub:
  extends:
    - .release:external
  variables:
    OUT_REGISTRY_USER: "${REGISTRY_USER}"
    OUT_REGISTRY_TOKEN: "${REGISTRY_TOKEN}"
    OUT_REGISTRY: "${DOCKERHUB_REGISTRY}"
    OUT_IMAGE_NAME: "${DOCKERHUB_REGISTRY_IMAGE}"
# Concrete release jobs: one per (registry, base distribution) pair. The `extends`
# order matters in GitLab CI — later entries win on conflicting keys, so `.dist:*`
# is listed last to pin DIST for each job.
release:ngc:device-plugin:ubuntu20.04:
  extends:
    - .release:ngc
    - .dist:ubuntu20.04
release:dockerhub:device-plugin:ubuntu20.04:
  extends:
    - .release:dockerhub
    - .dist:ubuntu20.04
release:ngc:device-plugin:ubi8:
  extends:
    - .release:ngc
    - .dist:ubi8
release:dockerhub:device-plugin:ubi8:
  extends:
    - .release:dockerhub
    - .dist:ubi8