From 2e947edbe45b872f138c02da47e7c1ed8bafa7aa Mon Sep 17 00:00:00 2001 From: shiva kumar Date: Wed, 29 May 2024 20:59:07 +0530 Subject: [PATCH] add ngc image signing job for auto signing Signed-off-by: shiva kumar --- .common-ci.yml | 1 + .nvidia-ci.yml | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) diff --git a/.common-ci.yml b/.common-ci.yml index 63797c21..3b08e2e8 100644 --- a/.common-ci.yml +++ b/.common-ci.yml @@ -33,6 +33,7 @@ stages: - test - scan - release + - sign .pipeline-trigger-rules: rules: diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml index 0b6d0ab8..dd470d78 100644 --- a/.nvidia-ci.yml +++ b/.nvidia-ci.yml @@ -244,3 +244,62 @@ release:ngc-packaging: extends: - .dist-packaging - .release:ngc + +# Define the external image signing steps for NGC +# Download the ngc cli binary for use in the sign steps +.ngccli-setup: + before_script: + - apt-get update && apt-get install -y curl unzip jq + - | + if [ -z "${NGCCLI_VERSION}" ]; then + NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions" + # Extract the latest version from the JSON data using jq + export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr') + fi + echo "NGCCLI_VERSION ${NGCCLI_VERSION}" + - curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip + - unzip ngccli_linux.zip + - chmod u+x ngc-cli/ngc + +# .sign forms the base of the deployment jobs which signs images in the CI registry. +# This is extended with the image name and version to be deployed. +.sign:ngc: + image: ubuntu:latest + stage: sign + rules: + - if: $CI_COMMIT_TAG + variables: + NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}" + IMAGE_NAME: "${NGC_REGISTRY_IMAGE}" + IMAGE_TAG: "${CI_COMMIT_TAG}-${DIST}" + retry: + max: 2 + before_script: + - !reference [.ngccli-setup, before_script] + # We ensure that the IMAGE_NAME and IMAGE_TAG is set + - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1' + - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1' + script: + - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"' + - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia + +sign:ngc-ubuntu20.04: + extends: + - .dist-ubuntu20.04 + - .sign:ngc + needs: + - release:ngc-ubuntu20.04 + +sign:ngc-ubi8: + extends: + - .dist-ubi8 + - .sign:ngc + needs: + - release:ngc-ubi8 + +sign:ngc-packaging: + extends: + - .dist-packaging + - .sign:ngc + needs: + - release:ngc-packaging