Skip to content

Configuration Reference

---
# Log level: "debug", "info", "warning", "error", "fatal". Defaults to "info".
log_level: info

# URL of the registry where the images should be stored.
#
# dib will use the local docker configuration to fetch metadata about existing images. You may use the DOCKER_CONFIG
# environment variable to set a custom docker config path.
# See the official Docker documentation (https://docs.docker.com/engine/reference/commandline/cli/#configuration-files).
# The build backend must also be authenticated to have permission to push images.
registry_url: registry.example.org

# The placeholder tag dib uses to mark which images are the reference. Defaults to "latest".
# Change this value if you don't want to use "latest" tags, or if images may be tagged "latest" by other sources.
placeholder_tag: latest

# The rate limit can be increased to allow parallel builds. This dramatically reduces the build times
# when using the Kubernetes executor as build pods are scheduled across multiple nodes.
rate_limit: 1

# Use build arguments to set build-time variables. The format is a list of strings. Env vars are expanded.
build_arg:
  - FOO1="bar1"
  - FOO2=$BAR
  - FOO3=${BAR}

# Path to the directory where the reports are generated. The directory will be created if it doesn't exist.
reports_dir: reports

# The build backend. Can either be set to "docker" or "kaniko".
#
# Note: the kaniko backend must be run in a containerized environment such as Docker or Kubernetes.
# See the "executor" section below.
backend: docker

# Kaniko settings. Required only if using the Kaniko build backend.
kaniko:
  # The build context directory has to be uploaded somewhere in order for the Kaniko pod to retrieve it,
  # when using remote executor (Kuberentes or remote docker host). Currently, only AWS S3 is supported.
  context:
    # Store the build context in an AWS S3 bucket.
    s3:
      bucket: my-bucket
      region: eu-west-3
  # Executor configuration. It is only necessary to provide valid configurations for all of them,
  # just pick one up according to your needs.
  executor:
    # Configuration for the "docker" executor.
    docker:
      image: eu.gcr.io/radio-france-k8s/kaniko:latest
    # Configuration for the "kubernetes" executor.
    kubernetes:
      namespace: kaniko
      image: eu.gcr.io/radio-france-k8s/kaniko:latest
      # References a secret containing the Docker configuration file used to authenticate to the registry.
      docker_config_secret: docker-config-prod
      env_secrets:
        # Additional Secret mounted as environment variables.
        # Used for instance to download the build context from AWS S3.
        - aws-s3-secret
      container_override: |
        resources:
          limits:
            cpu: 2
            memory: 8Gi
          requests:
            cpu: 1
            memory: 2Gi
      pod_template_override: |
        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                - matchExpressions:
                  - key: kops.k8s.io/instancegroup
                    operator: In
                    values:
                    - spot-instances

# Enable test suites execution after each image build.
include_tests:
  # Enable Goss tests. See the "goss" configuration section below.
  # To test an image, place a goss.yml file in its build context.
  # Learn more about Goss: https://github.com/goss-org/goss
  - goss
  # Enable trivy vulnerability scans. See the "trivy" configuration section below.
  # Learn more about Trivy: https://aquasecurity.github.io/trivy
  - trivy

goss:
  executor:
    # Kubernetes executor configuration. Required when using the kubernetes build executor.
    kubernetes:
      enabled: true
      namespace: goss
      image: aelsabbahy/goss:latest
      image_pull_secrets:
      # - private-container-registry

trivy:
  executor:
    # Kubernetes executor configuration. Required when using the kubernetes build executor.
    kubernetes:
      enabled: true
      namespace: trivy
      image: ghcr.io/aquasecurity/trivy:latest
      # References a secret containing the Docker configuration file used to authenticate to the registry.
      docker_config_secret: docker-config-ci
      image_pull_secrets:
      # - private-container-registry
      container_override: |
        resources:
          limits:
            cpu: 2
            memory: 3Gi
          requests:
            cpu: 2
            memory: 1Gi
        env:
          - name: GOOGLE_APPLICATION_CREDENTIALS
            value: /credentials/gcr_service_account.json
          - name: TRIVY_TIMEOUT
            value: "30m0s"
        volumeMounts:
          - mountPath: /credentials
            name: private-registry-credentials
            readOnly: true
      pod_template_override: |
        spec:
          volumes:
          - name: private-registry-credentials
            secret:
              defaultMode: 420
              secretName: private-registry-credentials

# Easter egg: A path to a file containing a custom wordlist that will be used to
# generate the humanized hashes for image tags. The list must contain exactly 256 words.
# You can enable the usage of this list in each Dockerfile with a custom label :
#   LABEL dib.use-custom-hash-list="true"
# Please keep in mind each time you change this list the images using the
# use-custom-hash-list label may see their hashes regenerated.
humanized_hash_list: ""
# humanized_hash_list: "custom_wordlist.txt"