From d560888f1f79930995676e8e7dcf7a642fe87402 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Tue, 17 Jun 2025 15:32:35 +0200
Subject: [PATCH 1/2] Use single version tag for image
Signed-off-by: Evan Lezar
---
 .github/workflows/e2e.yaml | 2 +-
 deployments/container/Makefile | 39 ++++++++--------------------
 deployments/container/native-only.mk | 8 ------
 3 files changed, 12 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index acfb4e48..e8401871 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -72,7 +72,7 @@ jobs:
 env:
 E2E_INSTALL_CTK: "true"
 E2E_IMAGE_NAME: ghcr.io/nvidia/container-toolkit
- E2E_IMAGE_TAG: ${{ inputs.version }}-ubi8
+ E2E_IMAGE_TAG: ${{ inputs.version }}
 E2E_SSH_USER: ${{ secrets.E2E_SSH_USER }}
 E2E_SSH_HOST: ${{ steps.holodeck_public_dns_name.outputs.result }}
 run: |
diff --git a/deployments/container/Makefile b/deployments/container/Makefile
index caf57ad1..5c90f9c2 100644
--- a/deployments/container/Makefile
+++ b/deployments/container/Makefile
@@ -29,12 +29,12 @@ include $(CURDIR)/versions.mk
 IMAGE_VERSION := $(VERSION)
-IMAGE_TAG ?= $(VERSION)-$(DIST)
+IMAGE_TAG ?= $(VERSION)
 IMAGE = $(IMAGE_NAME):$(IMAGE_TAG)
 OUT_IMAGE_NAME ?= $(IMAGE_NAME)
 OUT_IMAGE_VERSION ?= $(IMAGE_VERSION)
-OUT_IMAGE_TAG = $(OUT_IMAGE_VERSION)-$(DIST)
+OUT_IMAGE_TAG = $(OUT_IMAGE_VERSION)
 OUT_IMAGE = $(OUT_IMAGE_NAME):$(OUT_IMAGE_TAG)
 ##### Public rules #####
@@ -56,30 +56,16 @@ else
 include $(CURDIR)/deployments/container/multi-arch.mk
 endif
-# For the default push target we also push a short tag equal to the version.
-# We skip this for the development release
-DEVEL_RELEASE_IMAGE_VERSION ?= devel
-PUSH_MULTIPLE_TAGS ?= true
-ifeq ($(strip $(OUT_IMAGE_VERSION)),$(DEVEL_RELEASE_IMAGE_VERSION))
-PUSH_MULTIPLE_TAGS = false
-endif
-ifeq ($(PUSH_MULTIPLE_TAGS),true)
-push-$(DEFAULT_PUSH_TARGET): push-short
-endif
-
-push-%: DIST = $(*)
-push-short: DIST = $(DEFAULT_PUSH_TARGET)
-
 # Define the push targets
 $(PUSH_TARGETS): push-%:
 $(CURDIR)/scripts/publish-image.sh $(IMAGE) $(OUT_IMAGE)
-push-short:
- $(CURDIR)/scripts/publish-image.sh $(IMAGE) $(OUT_IMAGE)
+DOCKERFILE = $(CURDIR)/deployments/container/Dockerfile
-
-build-%: DIST = $(*)
-build-%: DOCKERFILE = $(CURDIR)/deployments/container/Dockerfile
+# For packaging targets we set the output image tag to include the -packaging suffix.
+%-packaging: INTERMEDIATE_TARGET := --target=packaging
+%-packaging: IMAGE_TAG = $(IMAGE_VERSION)-packaging
+%-packaging: OUT_IMAGE_TAG = $(IMAGE_VERSION)-packaging
 ARTIFACTS_ROOT ?= $(shell realpath --relative-to=$(CURDIR) $(DIST_DIR))
@@ -110,17 +96,14 @@ PACKAGE_DIST_DEB = ubuntu18.04
 # TODO: This needs to be set to centos8 for ppc64le builds
 PACKAGE_DIST_RPM = centos7
-build-packaging: INTERMEDIATE_TARGET := --target=packaging
+# Handle the default build target.
+.PHONY: build push
+build: build-$(DEFAULT_PUSH_TARGET)
+push: push-$(DEFAULT_PUSH_TARGET)
 # Test targets
 test-%: DIST = $(*)
-# Handle the default build target.
-.PHONY: build
-build: $(DEFAULT_PUSH_TARGET)
-$(DEFAULT_PUSH_TARGET): build-$(DEFAULT_PUSH_TARGET)
-$(DEFAULT_PUSH_TARGET): DIST = $(DEFAULT_PUSH_TARGET)
-
 TEST_CASES ?= docker crio containerd
 $(TEST_TARGETS): test-%:
 TEST_CASES="$(TEST_CASES)" bash -x $(CURDIR)/test/container/main.sh run \
diff --git a/deployments/container/native-only.mk b/deployments/container/native-only.mk
index 79d7fa99..38ef9009 100644
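Review bot: `%-packaging: OUT_IMAGE_TAG = $(IMAGE_VERSION)-packaging` derives the output tag from IMAGE_VERSION, whereas the non-packaging OUT_IMAGE_TAG in the earlier hunk of this file is derived from OUT_IMAGE_VERSION, the variable callers override to publish under a release version; a push-packaging invoked with OUT_IMAGE_VERSION set would therefore publish to the source version's tag instead. Use `%-packaging: OUT_IMAGE_TAG = $(OUT_IMAGE_VERSION)-packaging` so both tags follow the same rule. Note also that a target-specific assignment does not win over a value given on the make command line, so `make IMAGE_TAG=... build-packaging` silently loses the -packaging suffix; if the suffix must always apply, mark these assignments `override`, otherwise state the limitation in the comment above them.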
--- a/deployments/container/native-only.mk
+++ b/deployments/container/native-only.mk
@@ -23,11 +23,3 @@ $(BUILD_TARGETS): build-%: image-%
 else
 $(BUILD_TARGETS): build-%: image-%
 endif
-
-# For the default distribution we also retag the image.
-# Note: This needs to be updated for multi-arch images.
-ifeq ($(IMAGE_TAG),$(VERSION)-$(DIST))
-$(DEFAULT_PUSH_TARGET):
- $(DOCKER) image inspect $(IMAGE) > /dev/null || $(DOCKER) pull $(IMAGE)
- $(DOCKER) tag $(IMAGE) $(subst :$(IMAGE_TAG),:$(VERSION),$(IMAGE))
-endif
From 7e1beb7aa64ab7cade899408ce5a3f3b4a841f86 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Tue, 17 Jun 2025 15:38:06 +0200
Subject: [PATCH 2/2] [no-relnote] Update gitlab CI for new image names
We now release all images with vX.Y.Z and vX.Y.Z-packaging tags. This change updates the gitlab CI to allow for this.
Signed-off-by: Evan Lezar
---
 .common-ci.yml | 193 +-----------------------------
 .gitlab-ci.yml | 228 ------------------------------------
 .nvidia-ci.yml | 311 +++++++++++++++++++++++++------------------
 3 files changed, 158 insertions(+), 574 deletions(-)
 delete mode 100644 .gitlab-ci.yml
diff --git a/.common-ci.yml b/.common-ci.yml
index 8986c30a..440262cc 100644
--- a/.common-ci.yml
+++ b/.common-ci.yml
@@ -22,15 +22,7 @@ variables:
 BUILD_MULTI_ARCH_IMAGES: "true"
 stages:
- - trigger
- - image
- - lint
- - go-checks
- - go-build
- - unit-tests
- - package-build
- - image-build
- - test
+ - pull
 - scan
 - release
 - sign
@@ -53,108 +45,6 @@ workflow: # We then add all the regular triggers - !reference [.pipeline-trigger-rules, rules] -# The main or manual job is used to filter out distributions or architectures that are not required on -# every build. -.main-or-manual: - rules: - - !reference [.pipeline-trigger-rules, rules] - - if: $CI_PIPELINE_SOURCE == "schedule" - when: manual - -# The trigger-pipeline job adds a manualy triggered job to the pipeline on merge requests. -trigger-pipeline: - stage: trigger - script: - - echo "starting pipeline" - rules: - - !reference [.main-or-manual, rules] - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - when: manual - allow_failure: false - - when: always - -# Define the distribution targets -.dist-centos7: - rules: - - !reference [.main-or-manual, rules] - variables: - DIST: centos7 - -.dist-centos8: - variables: - DIST: centos8 - -.dist-ubi8: - rules: - - !reference [.main-or-manual, rules] - variables: - DIST: ubi8 - -.dist-ubuntu18.04: - variables: - DIST: ubuntu18.04 - -.dist-ubuntu20.04: - variables: - DIST: ubuntu20.04 - -.dist-packaging: - variables: - DIST: packaging - -# Define architecture targets -.arch-aarch64: - variables: - ARCH: aarch64 - -.arch-amd64: - variables: - ARCH: amd64 - -.arch-arm64: - variables: - ARCH: arm64 - -.arch-ppc64le: - rules: - - !reference [.main-or-manual, rules] - variables: - ARCH: ppc64le - -.arch-x86_64: - variables: - ARCH: x86_64 - -# Define the platform targets -.platform-amd64: - variables: - PLATFORM: linux/amd64 - -.platform-arm64: - variables: - PLATFORM: linux/arm64 - -# Define test helpers -.integration: - stage: test - variables: - IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit" - VERSION: "${CI_COMMIT_SHORT_SHA}" - before_script: - - apk add --no-cache make bash jq - - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" - - docker pull "${IMAGE_NAME}:${VERSION}-${DIST}" - script: - - make -f deployments/container/Makefile test-${DIST} - -# Define 
the test targets -test-packaging: - extends: - - .integration - - .dist-packaging - needs: - - image-packaging - # Download the regctl binary for use in the release steps .regctl-setup: before_script: 
@@ -164,84 +54,3 @@ test-packaging: - curl -sSLo bin/regctl https://github.com/regclient/regclient/releases/download/${REGCTL_VERSION}/regctl-linux-amd64 - chmod a+x bin/regctl - export PATH=$(pwd)/bin:${PATH} - -# .release forms the base of the deployment jobs which push images to the CI registry. -# This is extended with the version to be deployed (e.g. the SHA or TAG) and the -# target os. -.release: - stage: release - variables: - # Define the source image for the release - IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit" - VERSION: "${CI_COMMIT_SHORT_SHA}" - # OUT_IMAGE_VERSION is overridden for external releases - OUT_IMAGE_VERSION: "${CI_COMMIT_SHORT_SHA}" - before_script: - - !reference [.regctl-setup, before_script] - # We ensure that the components of the output image are set: - - 'echo Image Name: ${OUT_IMAGE_NAME} ; [[ -n "${OUT_IMAGE_NAME}" ]] || exit 1' - - 'echo Version: ${OUT_IMAGE_VERSION} ; [[ -n "${OUT_IMAGE_VERSION}" ]] || exit 1' - - - apk add --no-cache make bash - script: - # Log in to the "output" registry, tag the image and push the image - - 'echo "Logging in to CI registry ${CI_REGISTRY}"' - - regctl registry login "${CI_REGISTRY}" -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" - - '[ ${CI_REGISTRY} = ${OUT_REGISTRY} ] || echo "Logging in to output registry ${OUT_REGISTRY}"' - - '[ ${CI_REGISTRY} = ${OUT_REGISTRY} ] || regctl registry login "${OUT_REGISTRY}" -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}"' - - # Since OUT_IMAGE_NAME and OUT_IMAGE_VERSION are set, this will push the CI image to the - # Target - - make -f deployments/container/Makefile push-${DIST} - -# Define a staging release step that pushes an image to an internal "staging" repository -# This is triggered for all pipelines (i.e. not only tags) to test the pipeline steps -# outside of the release process. 
-.release:staging: - extends: - - .release - variables: - OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}" - OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}" - OUT_REGISTRY: "${NGC_REGISTRY}" - OUT_IMAGE_NAME: "${NGC_REGISTRY_STAGING_IMAGE_NAME}" - -# Define an external release step that pushes an image to an external repository. -# This includes a devlopment image off main. -.release:external: - extends: - - .release - variables: - FORCE_PUBLISH_IMAGES: "yes" - rules: - - if: $CI_COMMIT_TAG - variables: - OUT_IMAGE_VERSION: "${CI_COMMIT_TAG}" - - if: $CI_COMMIT_BRANCH == $RELEASE_DEVEL_BRANCH - variables: - OUT_IMAGE_VERSION: "${DEVEL_RELEASE_IMAGE_VERSION}" - -# Define the release jobs -release:staging-ubi8: - extends: - - .release:staging - - .dist-ubi8 - needs: - - image-ubi8 - -release:staging-ubuntu20.04: - extends: - - .release:staging - - .dist-ubuntu20.04 - needs: - - test-toolkit-ubuntu20.04 - - test-containerd-ubuntu20.04 - - test-crio-ubuntu20.04 - - test-docker-ubuntu20.04 - -release:staging-packaging: - extends: - - .release:staging - - .dist-packaging - needs: - - test-packaging diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index a9da30a0..00000000 --- a/.gitlab-ci.yml +++ /dev/null 
@@ -1,228 +0,0 @@ -# Copyright (c) 2019-2022, NVIDIA CORPORATION. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -include: - - .common-ci.yml - -# Define the package build helpers -.multi-arch-build: - before_script: - - apk add --no-cache coreutils build-base sed git bash make - - '[[ -n "${SKIP_QEMU_SETUP}" ]] || docker run --rm --privileged multiarch/qemu-user-static --reset -p yes -c yes' - -.package-artifacts: - variables: - ARTIFACTS_NAME: "toolkit-container-${CI_PIPELINE_ID}" - ARTIFACTS_ROOT: "toolkit-container-${CI_PIPELINE_ID}" - DIST_DIR: ${CI_PROJECT_DIR}/${ARTIFACTS_ROOT} - -.package-build: - extends: - - .multi-arch-build - - .package-artifacts - stage: package-build - timeout: 3h - script: - - ./scripts/build-packages.sh ${DIST}-${ARCH} - - artifacts: - name: ${ARTIFACTS_NAME} - paths: - - ${ARTIFACTS_ROOT} - needs: - - job: package-meta-packages - artifacts: true - -# Define the package build targets -package-meta-packages: - extends: - - .package-artifacts - stage: package-build - variables: - SKIP_LIBNVIDIA_CONTAINER: "yes" - SKIP_NVIDIA_CONTAINER_TOOLKIT: "yes" - parallel: - matrix: - - PACKAGING: [deb, rpm] - before_script: - - apk add --no-cache coreutils build-base sed git bash make - script: - - ./scripts/build-packages.sh ${PACKAGING} - artifacts: - name: ${ARTIFACTS_NAME} - paths: - - ${ARTIFACTS_ROOT} - -package-centos7-aarch64: - extends: - - .package-build - - .dist-centos7 - - .arch-aarch64 - -package-centos7-x86_64: 
- extends: - - .package-build - - .dist-centos7 - - .arch-x86_64 - -package-centos8-ppc64le: - extends: - - .package-build - - .dist-centos8 - - .arch-ppc64le - -package-ubuntu18.04-amd64: - extends: - - .package-build - - .dist-ubuntu18.04 - - .arch-amd64 - -package-ubuntu18.04-arm64: - extends: - - .package-build - - .dist-ubuntu18.04 - - .arch-arm64 - -package-ubuntu18.04-ppc64le: - extends: - - .package-build - - .dist-ubuntu18.04 - - .arch-ppc64le - -.buildx-setup: - before_script: - - export BUILDX_VERSION=v0.6.3 - - apk add --no-cache curl - - mkdir -p ~/.docker/cli-plugins - - curl -sSLo ~/.docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${BUILDX_VERSION}/buildx-${BUILDX_VERSION}.linux-amd64" - - chmod a+x ~/.docker/cli-plugins/docker-buildx - - - docker buildx create --use --platform=linux/amd64,linux/arm64 - - - '[[ -n "${SKIP_QEMU_SETUP}" ]] || docker run --rm --privileged multiarch/qemu-user-static --reset -p yes' - -# Define the image build targets -.image-build: - stage: image-build - variables: - IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit" - VERSION: "${CI_COMMIT_SHORT_SHA}" - PUSH_ON_BUILD: "true" - before_script: - - !reference [.buildx-setup, before_script] - - - apk add --no-cache bash make git - - 'echo "Logging in to CI registry ${CI_REGISTRY}"' - - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" - script: - - make -f deployments/container/Makefile build-${DIST} - -image-ubi8: - extends: - - .image-build - - .package-artifacts - - .dist-ubi8 - needs: - # Note: The ubi8 image uses the centos7 packages - - package-centos7-aarch64 - - package-centos7-x86_64 - -image-ubuntu20.04: - extends: - - .image-build - - .package-artifacts - - .dist-ubuntu20.04 - needs: - - package-ubuntu18.04-amd64 - - package-ubuntu18.04-arm64 - - job: package-ubuntu18.04-ppc64le - optional: true - -# The DIST=packaging target creates an image containing all built packages -image-packaging: - 
extends: - - .image-build - - .package-artifacts - - .dist-packaging - needs: - - job: package-ubuntu18.04-amd64 - - job: package-ubuntu18.04-arm64 - - job: package-amazonlinux2-aarch64 - optional: true - - job: package-amazonlinux2-x86_64 - optional: true - - job: package-centos7-aarch64 - optional: true - - job: package-centos7-x86_64 - optional: true - - job: package-centos8-ppc64le - optional: true - - job: package-debian10-amd64 - optional: true - - job: package-opensuse-leap15.1-x86_64 - optional: true - - job: package-ubuntu18.04-ppc64le - optional: true - -# Define publish test helpers -.test:docker: - extends: - - .integration - variables: - TEST_CASES: "docker" - -.test:containerd: - # TODO: The containerd tests fail due to issues with SIGHUP. - # Until this is resolved with retry up to twice and allow failure here. - retry: 2 - allow_failure: true - extends: - - .integration - variables: - TEST_CASES: "containerd" - -.test:crio: - extends: - - .integration - variables: - TEST_CASES: "crio" - -# Define the test targets -test-toolkit-ubuntu20.04: - extends: - - .test:toolkit - - .dist-ubuntu20.04 - needs: - - image-ubuntu20.04 - -test-containerd-ubuntu20.04: - extends: - - .test:containerd - - .dist-ubuntu20.04 - needs: - - image-ubuntu20.04 - -test-crio-ubuntu20.04: - extends: - - .test:crio - - .dist-ubuntu20.04 - needs: - - image-ubuntu20.04 - -test-docker-ubuntu20.04: - extends: - - .test:docker - - .dist-ubuntu20.04 - needs: - - image-ubuntu20.04 diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml index 5aabdf0e..937780a1 100644 --- a/.nvidia-ci.yml +++ b/.nvidia-ci.yml 
@@ -39,19 +39,62 @@ variables:
 KITMAKER_RELEASE_FOLDER: "kitmaker"
 PACKAGE_ARCHIVE_RELEASE_FOLDER: "releases"
-.image-pull:
- stage: image-build
+# .copy-images copies the required application and packaging images from the
+# IN_IMAGE="${IN_IMAGE_NAME}:${IN_IMAGE_TAG}${TAG_SUFFIX}"
+# to
+# OUT_IMAGE="${OUT_IMAGE_NAME}:${OUT_IMAGE_TAG}${TAG_SUFFIX}"
+# The script also logs into IN_REGISTRY and OUT_REGISTRY using the supplied
+# username and tokens.
+.copy-images:
+ parallel:
+ matrix:
+ - TAG_SUFFIX: ["", "-packaging"]
+ before_script:
+ - !reference [.regctl-setup, before_script]
+ - apk add --no-cache make bash
+ variables:
+ REGCTL: regctl
+ script:
+ - |
+ if [ -n ${IN_REGISTRY} ] && [ -n ${IN_REGISTRY_USER} ]; then
+ echo "Logging in to ${IN_REGISTRY}"
+ ${REGCTL} registry login "${IN_REGISTRY}" -u "${IN_REGISTRY_USER}" -p "${IN_REGISTRY_TOKEN}" || exit 1
+ fi
+
+ if [ -n ${OUT_REGISTRY} ] && [ -n ${OUT_REGISTRY_USER} ] && [ "${IN_REGISTRY}" != "${OUT_REGISTRY}" ]; then
+ echo "Logging in to ${OUT_REGISTRY}"
+ ${REGCTL} registry login "${OUT_REGISTRY}" -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}" || exit 1
+ fi
+
+ export IN_IMAGE="${IN_IMAGE_NAME}:${IN_IMAGE_TAG}${TAG_SUFFIX}"
+ export OUT_IMAGE="${OUT_IMAGE_NAME}:${OUT_IMAGE_TAG}${TAG_SUFFIX}"
+
+ echo "Copying ${IN_IMAGE} to ${OUT_IMAGE}"
+ ${REGCTL} image copy ${IN_IMAGE} ${OUT_IMAGE}
+
+# pull-images pulls images from the public CI registry to the internal CI registry.
+pull-images:
+ extends:
+ - .copy-images
+ stage: pull
 variables:
 IN_REGISTRY: "${STAGING_REGISTRY}"
- IN_IMAGE_NAME: container-toolkit
- IN_VERSION: "${STAGING_VERSION}"
+ IN_IMAGE_NAME: ${STAGING_REGISTRY}/container-toolkit
+ IN_IMAGE_TAG: "${STAGING_VERSION}"
+
+ OUT_REGISTRY: "${CI_REGISTRY}"
 OUT_REGISTRY_USER: "${CI_REGISTRY_USER}"
 OUT_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}"
- OUT_REGISTRY: "${CI_REGISTRY}"
 OUT_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit"
- PUSH_MULTIPLE_TAGS: "false"
+ OUT_IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}"
 # We delay the job start to allow the public pipeline to generate the required images.
 rules:
+ # If the pipeline is triggered from a tag or the WEB UI we don't delay the
+ # start of the pipeline.
+ - if: $CI_COMMIT_TAG || $CI_PIPELINE_SOURCE == "web"
+ # If the pipeline is triggered through other means (i.e. a branch or MR)
+ # we add a 30 minute delay to ensure that the images are available in the
+ # public CI registry.
 - when: delayed
 start_in: 30 minutes
 timeout: 30 minutes
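Review bot: The guards `[ -n ${IN_REGISTRY} ]` and `[ -n ${IN_REGISTRY_USER} ]` in the .copy-images script (and the OUT_ pair below them) are unquoted, so an unset variable collapses the test to `[ -n ]`, which evaluates as true; the branch then runs `regctl registry login` with empty credentials and the `|| exit 1` fails the job. pull-images sets IN_REGISTRY but no IN_REGISTRY_USER, so unless that variable is defined at pipeline level outside this hunk the pull job takes exactly that path. Quote the operands, `if [ -n "${IN_REGISTRY}" ] && [ -n "${IN_REGISTRY_USER}" ]; then`, and likewise for the OUT_ condition. Passing the token with `-p` also exposes it to anything that can list processes on the runner; `--pass-stdin` keeps it off the command line.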
@@ -60,30 +103,6 @@ variables: when: - job_execution_timeout - stuck_or_timeout_failure - before_script: - - !reference [.regctl-setup, before_script] - - apk add --no-cache make bash - - > - regctl manifest get ${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} --list > /dev/null && echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST}" || ( echo "${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} does not exist" && sleep infinity ) - script: - - regctl registry login "${OUT_REGISTRY}" -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}" - - make -f deployments/container/Makefile IMAGE=${IN_REGISTRY}/${IN_IMAGE_NAME}:${IN_VERSION}-${DIST} OUT_IMAGE=${OUT_IMAGE_NAME}:${CI_COMMIT_SHORT_SHA}-${DIST} push-${DIST} - -image-ubi8: - extends: - - .dist-ubi8 - - .image-pull - -image-ubuntu20.04: - extends: - - .dist-ubuntu20.04 - - .image-pull - -# The DIST=packaging target creates an image containing all built packages -image-packaging: - extends: - - .dist-packaging - - .image-pull # We skip the integration tests for the internal CI: .integration: 
@@ -95,27 +114,37 @@ image-packaging: # The .scan step forms the base of the image scan operation performed before releasing # images. -.scan: +scan-images: stage: scan + needs: + - pull-images image: "${PULSE_IMAGE}" + parallel: + matrix: + - TAG_SUFFIX: [""] + PLATFORM: ["linux/amd64", "linux/arm64"] + - TAG_SUFFIX: "-packaging" + PLATFORM: "linux/amd64" variables: - IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}-${DIST}" - IMAGE_ARCHIVE: "container-toolkit-${DIST}-${ARCH}-${CI_JOB_ID}.tar" + IMAGE: "${CI_REGISTRY_IMAGE}/container-toolkit:${CI_COMMIT_SHORT_SHA}" + IMAGE_ARCHIVE: "container-toolkit-${CI_JOB_ID}.tar" rules: - - if: $SKIP_SCANS != "yes" - - when: manual - before_script: - - docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" - # TODO: We should specify the architecture here and scan all architectures - - docker pull --platform="${PLATFORM}" "${IMAGE}" - - docker save "${IMAGE}" -o "${IMAGE_ARCHIVE}" - - AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0) - - > - export SSA_TOKEN=$(curl --request POST --header "Authorization: Basic $AuthHeader" --header "Content-Type: application/x-www-form-urlencoded" ${SSA_ISSUER_URL} | jq ".access_token" | tr -d '"') - - if [ -z "$SSA_TOKEN" ]; then exit 1; else echo "SSA_TOKEN set!"; fi + - if: $IGNORE_SCANS == "yes" + allow_failure: true + - when: on_success script: - - pulse-cli -n $NSPECT_ID --ssa $SSA_TOKEN scan -i $IMAGE_ARCHIVE -p $CONTAINER_POLICY -o - - rm -f "${IMAGE_ARCHIVE}" + - | + docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}" + export SCAN_IMAGE=${IMAGE}${TAG_SUFFIX} + echo "Scanning image ${SCAN_IMAGE} for ${PLATFORM}" + docker pull --platform="${PLATFORM}" "${SCAN_IMAGE}" + docker save "${SCAN_IMAGE}" -o "${IMAGE_ARCHIVE}" + AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0) + export SSA_TOKEN=$(curl --request POST --header "Authorization: Basic $AuthHeader" --header 
"Content-Type: application/x-www-form-urlencoded" ${SSA_ISSUER_URL} | jq ".access_token" | tr -d '"') + if [ -z "$SSA_TOKEN" ]; then exit 1; else echo "SSA_TOKEN set!"; fi + + pulse-cli -n $NSPECT_ID --ssa $SSA_TOKEN scan -i $IMAGE_ARCHIVE -p $CONTAINER_POLICY -o + rm -f "${IMAGE_ARCHIVE}" artifacts: when: always expire_in: 1 week @@ -126,62 +155,10 @@ image-packaging: - vulns.json - policy_evaluation.json -# Define the scan targets -scan-ubuntu20.04-amd64: - extends: - - .dist-ubuntu20.04 - - .platform-amd64 - - .scan - needs: - - image-ubuntu20.04 - -scan-ubuntu20.04-arm64: - extends: - - .dist-ubuntu20.04 - - .platform-arm64 - - .scan - needs: - - image-ubuntu20.04 - - scan-ubuntu20.04-amd64 - -scan-ubi8-amd64: - extends: - - .dist-ubi8 - - .platform-amd64 - - .scan - needs: - - image-ubi8 - -scan-ubi8-arm64: - extends: - - .dist-ubi8 - - .platform-arm64 - - .scan - needs: - - image-ubi8 - - scan-ubi8-amd64 - -scan-packaging: - extends: - - .dist-packaging - - .scan - needs: - - image-packaging - -# Define external release helpers -.release:ngc: - extends: - - .release:external - variables: - OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}" - OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}" - OUT_REGISTRY: "${NGC_REGISTRY}" - OUT_IMAGE_NAME: "${NGC_REGISTRY_IMAGE}" - -.release:packages: +upload-kitmaker-packages: stage: release needs: - - image-packaging + - pull-images variables: VERSION: "${CI_COMMIT_SHORT_SHA}" PACKAGE_REGISTRY: "${CI_REGISTRY}" 
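Review bot: `docker login -u "${CI_REGISTRY_USER}" -p "${CI_REGISTRY_PASSWORD}" "${CI_REGISTRY}"` now sits at the top of the scan-images script block and passes the password as an argument; `echo "${CI_REGISTRY_PASSWORD}" | docker login -u "${CI_REGISTRY_USER}" --password-stdin "${CI_REGISTRY}"` keeps it out of the process list and out of any future `set -x` trace of this block. `AuthHeader=$(echo -n $SSA_CLIENT_ID:$SSA_CLIENT_SECRET | base64 -w0)` has the same exposure and its unquoted expansions are also subject to word splitting. The packaging matrix entry scans only linux/amd64, so if the -packaging image is published multi-arch like the application image, its arm64 variant goes unscanned before release; a comment on the matrix stating whether that is intentional would help the next reader.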
@@ -199,34 +176,81 @@ scan-packaging: - ./scripts/release-kitmaker-artifactory.sh "${KITMAKER_ARTIFACTORY_REPO}" - rm -rf ${ARTIFACTS_DIR} -# Define the package release targets -release:packages:kitmaker: +push-images-to-staging: extends: - - .release:packages - -release:staging-ubuntu20.04: - extends: - - .release:staging - - .dist-ubuntu20.04 + - .copy-images + stage: release needs: - - image-ubuntu20.04 + - scan-images + variables: + IN_REGISTRY: "${CI_REGISTRY}" + IN_REGISTRY_USER: "${CI_REGISTRY_USER}" + IN_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}" + IN_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit" + IN_IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}" -# Define the external release targets -# Release to NGC -release:ngc-ubuntu20.04: - extends: - - .dist-ubuntu20.04 - - .release:ngc + OUT_REGISTRY: "${NGC_REGISTRY}" + OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}" + OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}" + OUT_IMAGE_NAME: "${NGC_STAGING_REGISTRY}/container-toolkit" + OUT_IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}" -release:ngc-ubi8: +.release-images: extends: - - .dist-ubi8 - - .release:ngc + - .copy-images + stage: release + needs: + - scan-images + - push-images-to-staging + variables: + IN_REGISTRY: "${CI_REGISTRY}" + IN_REGISTRY_USER: "${CI_REGISTRY_USER}" + IN_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}" + IN_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/container-toolkit" + IN_IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}" -release:ngc-packaging: + OUT_REGISTRY: "${NGC_REGISTRY}" + OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}" + OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}" + OUT_IMAGE_NAME: "${NGC_REGISTRY_IMAGE}" + OUT_IMAGE_TAG: "${CI_COMMIT_TAG}" + +release-images-to-ngc: extends: - - .dist-packaging - - .release:ngc + - .release-images + rules: + - if: $CI_COMMIT_TAG + +release-images-dummy: + extends: + - .release-images + variables: + REGCTL: "echo [DUMMY] regctl" + rules: + - if: $CI_COMMIT_TAG == null || $CI_COMMIT_TAG == "" + +# .sign-images forms the base of the jobs which sign images in 
the NGC registry. +.sign-images: + stage: sign + image: ubuntu:latest + parallel: + matrix: + - TAG_SUFFIX: ["", "-packaging"] + variables: + IMAGE_NAME: "${NGC_REGISTRY_IMAGE}" + IMAGE_TAG: "${CI_COMMIT_TAG}" + NGC_CLI: "ngc-cli/ngc" + before_script: + - !reference [.ngccli-setup, before_script] + script: + - | + # We ensure that the IMAGE_NAME and IMAGE_TAG is set + echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1 + echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1 + + export IMAGE=${IMAGE_NAME}:${IMAGE_TAG}${TAG_SUFFIX} + echo "Signing the image ${IMAGE}" + ${NGC_CLI} registry image publish --source ${IMAGE} ${IMAGE} --public --discoverable --allow-guest --sign --org nvidia # Define the external image signing steps for NGC # Download the ngc cli binary for use in the sign steps 
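Review bot: release-images-dummy sets `REGCTL: "echo [DUMMY] regctl"`, but the inherited .copy-images script still expands `${REGCTL} registry login "${IN_REGISTRY}" -u "${IN_REGISTRY_USER}" -p "${IN_REGISTRY_TOKEN}"`, so on every non-tag pipeline the job prints CI_REGISTRY_PASSWORD and NGC_REGISTRY_TOKEN into the job log, redacted only if those are configured as masked variables. Either skip the login steps when the dry-run command is in use, or have .copy-images feed the token over stdin with `--pass-stdin` so the echoed command never contains it. Separately, .release-images sets `OUT_IMAGE_TAG: "${CI_COMMIT_TAG}"`, which is empty in the dummy job, so the echoed target reads `<name>:` or `<name>:-packaging`; overriding OUT_IMAGE_TAG in release-images-dummy would make the dry run show a realistic reference. .copy-images itself is defined in the earlier hunk of this file.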
@@ -244,45 +268,24 @@ release:ngc-packaging: - unzip ngccli_linux.zip - chmod u+x ngc-cli/ngc -# .sign forms the base of the deployment jobs which signs images in the CI registry. -# This is extended with the image name and version to be deployed. -.sign:ngc: - image: ubuntu:latest - stage: sign +sign-ngc-images: + extends: + - .sign-images + needs: + - release-images-to-ngc rules: - if: $CI_COMMIT_TAG variables: NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}" - IMAGE_NAME: "${NGC_REGISTRY_IMAGE}" - IMAGE_TAG: "${CI_COMMIT_TAG}-${DIST}" retry: max: 2 - before_script: - - !reference [.ngccli-setup, before_script] - # We ensure that the IMAGE_NAME and IMAGE_TAG is set - - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1' - - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1' - script: - - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"' - - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia -sign:ngc-ubuntu20.04: +sign-images-dummy: extends: - - .dist-ubuntu20.04 - - .sign:ngc + - .sign-images needs: - - release:ngc-ubuntu20.04 - -sign:ngc-ubi8: - extends: - - .dist-ubi8 - - .sign:ngc - needs: - - release:ngc-ubi8 - -sign:ngc-packaging: - extends: - - .dist-packaging - - .sign:ngc - needs: - - release:ngc-packaging + - release-images-dummy + variables: + NGC_CLI: "echo [DUMMY] ngc-cli/ngc" + rules: + - if: $CI_COMMIT_TAG == null || $CI_COMMIT_TAG == ""
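Review bot: sign-images-dummy runs only when CI_COMMIT_TAG is null or empty, yet it inherits `IMAGE_TAG: "${CI_COMMIT_TAG}"` from .sign-images, whose script does `echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1`; the check therefore fails and the dummy job exits 1 on every branch and merge-request pipeline. Give the dummy job a non-empty tag in its variables, for example `IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}"` (a constructed example; any value the dry run should display works), or drop the emptiness check on the dummy path. `NGC_CLI_API_KEY` is now set only on sign-ngc-images, which is fine for an echo, but a one-line comment in sign-images-dummy saying the authentication path is not exercised would stop someone reading the dummy log as proof that signing works. .sign-images is defined in the previous hunk.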