-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy path.nvidia-ci.yml
191 lines (165 loc) · 4.83 KB
/
.nvidia-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
---
##
## Variables that control where build artifacts are places for scanning and testing:
## CI_REGISTRY
## CI_REGISTRY_IMAGE
## CI_REGISTRY_USER
## CI_REGISTRY_PASSWORD
##
## Variables that control where release artifacts go:
## RELEASE_REGISTRY
## RELEASE_REGISTRY_IMAGE
## RELEASE_REGISTRY_USER
## RELEASE_REGISTRY_PASSWORD
##
default:
image: docker:stable
services:
- docker:stable-dind
tags:
- type/docker
- docker/privileged
- cnt
- container-dev
- os/linux
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: "/certs"
# project specific variables
DRIVER_VERSION: "450.80.02"
GIT_SSL_NO_VERIFY: "true"
TF_VERSION: "0.12.18"
stages:
- syntax-check
- build
- test
- scan
- deploy
- release
.builddep_setup: &builddep_setup
- apk add --no-cache bash findutils libmagic curl make git jq openssh-client libressl-dev
- curl -fsSL https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip -o terraform.zip
- unzip terraform.zip && mv terraform /usr/local/bin/terraform && rm terraform.zip
.testdep_setup: &testdep_setup
- apk add --no-cache bash make perl
.python_setup: &python_setup
- apk add --no-cache python3 python3-dev py3-pip py3-wheel
.dockerlogin_setup: &dockerlogin_setup
- docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"
# tags pulled images with $CI_PROJECT_NAME to work-around issue with contamer's support for local scans.
.pull_images: &pull_images
- "HEADER=\"PRIVATE-TOKEN: ${API_TOKEN}\""
- IMAGES_URL="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/registry/repositories"
- IMAGE_ID=$(curl -fsSL --header "${HEADER}" "${IMAGES_URL}" | jq -r --arg CI_PROJECT_PATH "${CI_PROJECT_PATH}" '.[] | select(.path == $CI_PROJECT_PATH) | .id')
- TAGS_URL="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/registry/repositories/${IMAGE_ID}/tags"
- TAGS_REGEX=${TAGS_REGEX:-"$DRIVER_VERSION"}
- tags=$(curl -fsSL --header "${HEADER}" "${TAGS_URL}" | jq -r --arg TAGS_REGEX "$TAGS_REGEX" '.[] | select(.name|test($TAGS_REGEX)) | .location')
- echo $tags
- |
for tag in $tags;
do
docker pull $tag;
done
.releasedockerlogin_setup: &releasedockerlogin_setup
- 'docker login -u "${RELEASE_REGISTRY_USER}" -p "${RELEASE_REGISTRY_PASSWORD}" "${RELEASE_REGISTRY}"'
.build_action: &build_action
- make IMAGE="${CI_REGISTRY_IMAGE}" VERSION="${DRIVER_VERSION}" all
- make IMAGE="${CI_REGISTRY_IMAGE}" VERSION="${DRIVER_VERSION}" push
.test_action: &test_action
- "true"
.deploy_action: &deploy_action
- make IMAGE="${CI_REGISTRY_IMAGE}" VERSION="${DRIVER_VERSION}" push
- |
for tag in $tags
do
docker push $tag
done
# contamer does not support local scans on images that contain a port number
.scan_action: &scan_action
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab-master.nvidia.com/sectooling/scanning/contamer.git
- cd contamer
- pip3 install -r requirements.txt
- |
for tag in $tags;
do
docker tag $tag $(basename $tag);
python3 contamer.py -ls --fail-on-non-os --suppress-vulns CVE-2020-14352 CVE-2020-15888 -- $(basename $tag);
done
.release_action: &release_action
- make IMAGE="${RELEASE_REGISTRY_IMAGE}" VERSION="${DRIVER_VERSION}" all
- make IMAGE="${RELEASE_REGISTRY_IMAGE}" VERSION="${DRIVER_VERSION}" push
shellcheck:
stage: syntax-check
image:
name: koalaman/shellcheck-alpine
services: []
before_script: []
script:
- shellcheck --version
- shellcheck --external-sources ci/run.sh
except:
- schedules
build:
stage: build
script:
- *builddep_setup
- *dockerlogin_setup
- *pull_images
- *build_action
test:
stage: test
script:
- *testdep_setup
- *test_action
.scan_template: &scan_definition
stage: scan
except:
variables:
- $CI_COMMIT_MESSAGE =~ /\[skip[ _-]scans?\]/i
- $SKIP_SCANS
script:
- *builddep_setup
- *python_setup
- *dockerlogin_setup
- *pull_images
- *scan_action
ubuntu16.04-scan:
variables:
TAGS_REGEX: "$DRIVER_VERSION.*ubuntu16.04"
<<: *scan_definition
ubuntu18.04-scan:
variables:
TAGS_REGEX: "$DRIVER_VERSION.*ubuntu18.04"
<<: *scan_definition
centos7-scan:
variables:
TAGS_REGEX: "$DRIVER_VERSION.*centos7"
<<: *scan_definition
rhel-scan:
variables:
TAGS_REGEX: "$DRIVER_VERSION.*rhel"
<<: *scan_definition
rhcos-scan:
variables:
TAGS_REGEX: "$DRIVER_VERSION.*rhcos"
<<: *scan_definition
coreos-scan:
variables:
TAGS_REGEX: "$DRIVER_VERSION.*coreos"
<<: *scan_definition
deploy:
stage: deploy
script:
- *builddep_setup
- *dockerlogin_setup
- *pull_images
- *deploy_action
release:
stage: release
only:
- tags
script:
- 'echo Commit Tag: $CI_COMMIT_TAG ; [[ -n "$CI_COMMIT_TAG" ]] || exit 1'
- *builddep_setup
- *releasedockerlogin_setup
- *release_action