add ngc signing job for auto signing #31

Merged
merged 1 commit into from
Jul 16, 2024
1 change: 1 addition & 0 deletions .common-ci.yml
Expand Up @@ -26,6 +26,7 @@ stages:
- test
- scan
- release
- sign

# Define the distribution targets
.dist-ubi8:
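Review bot: In the `stages:` list, `sign` is placed after `release`, so on a tag pipeline the release jobs have already completed before any signing job starts, and a signing failure leaves the release stage done with nothing signed. A short comment beside `- sign` saying that signing is a post-release step, and that its jobs are defined in .nvidia-ci.yml, would make that ordering explicit for anyone extending this shared stage list.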
53 changes: 53 additions & 0 deletions .nvidia-ci.yml
Expand Up @@ -148,3 +148,56 @@ release:ngc-ubi8:
extends:
- .release:ngc
- .dist-ubi8

# Define the external image signing steps for NGC
# Download the ngc cli binary for use in the sign steps
.ngccli-setup:
before_script:
- apt-get update && apt-get install -y curl unzip jq
- |
if [ -z "${NGCCLI_VERSION}" ]; then
NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
# Extract the latest version from the JSON data using jq
export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
fi
echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
- curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
- unzip ngccli_linux.zip
- chmod u+x ngc-cli/ngc

# .sign forms the base of the deployment jobs which signs images in the CI registry.
# This is extended with the image name and version to be deployed.
.sign:ngc:
image: ubuntu:latest
stage: sign
rules:
- if: $CI_COMMIT_TAG
variables:
NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
retry:
max: 2
before_script:
- !reference [.ngccli-setup, before_script]
# We ensure that the IMAGE_NAME and IMAGE_TAG is set
- 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
- 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
script:
- 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
- ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia

sign:ngc:
extends:
- .sign:ngc
parallel:
matrix:
- SIGN_JOB_NAME: [""]
DIST: ["CI_COMMIT_TAG", "ubi8"]
rules:
- if: '$DIST == "CI_COMMIT_TAG"'
variables:
IMAGE_TAG: "${SIGN_JOB_NAME}${CI_COMMIT_TAG}"
- when: always
variables:
IMAGE_TAG: "${SIGN_JOB_NAME}${CI_COMMIT_TAG}-${DIST}"
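Review bot: In `.ngccli-setup`, the NGC CLI archive is downloaded and then executed in a job that has `NGC_CLI_API_KEY` set, but the zip is never verified, and when `NGCCLI_VERSION` is unset the version is whatever the API reports as latest; `.sign:ngc` also runs on `image: ubuntu:latest`. Pin `NGCCLI_VERSION` and the job image to fixed versions, check the archive against a known checksum before `unzip`, and add `--fail` to both `curl` calls so an HTTP error stops the job instead of yielding a bad version string or archive. Separately, in `sign:ngc` the job-level `rules:` replace the `if: $CI_COMMIT_TAG` rule inherited from `.sign:ngc`, and the trailing `when: always` rule matches every pipeline; `SIGN_JOB_NAME` only ever expands to an empty string and can be dropped.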
Comment on lines +189 to +202
Collaborator


@shivakunv I have some comments:

  1. Specifying when: always is incorrect since now the sign job is always added to every pipeline (not just pipelines triggered from tag events).
  2. Can we simplify this a bit since SIGN_JOB_NAME is never used?

What about my below suggestion?

sign:ngc:
  extends:
    - .sign:ngc
  variables:
    IMAGE_TAG: "${CI_COMMIT_TAG}-${DIST}"
  parallel:
    matrix:
    - DIST: ["SHORT_TAG", "ubi8"]
  rules:
    - if: $CI_COMMIT_TAG && $DIST == "SHORT_TAG"
      variables:
        IMAGE_TAG: "${CI_COMMIT_TAG}"

Contributor Author


@cdesiniotis addressed in: #35
thanks @elezar


4 changes: 2 additions & 2 deletions deployments/container/Dockerfile.ubi8
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM nvcr.io/nvidia/cuda:12.5.0-base-ubi8 AS build
FROM nvcr.io/nvidia/cuda:12.5.1-base-ubi8 AS build

WORKDIR /work

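Review bot: The CUDA base tag is edited in the build stage `FROM` here and again in the final stage `FROM` further down, so the two lines can drift apart on the next bump. A single `ARG` holding the CUDA version, declared before the first `FROM` and used in both lines, would keep them in step. The bump is also unrelated to the signing job named in the PR title and would be easier to track as its own commit.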
Expand Down Expand Up @@ -41,7 +41,7 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH

RUN GOOS=linux go build -o nvdrain ./cmd/nvdrain

FROM nvcr.io/nvidia/cuda:12.5.0-base-ubi8
FROM nvcr.io/nvidia/cuda:12.5.1-base-ubi8

ARG TARGETARCH

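Review bot: The final stage `FROM nvcr.io/nvidia/cuda:12.5.1-base-ubi8` references the base by tag only, and a tag can be repointed to different content after this change is reviewed. Since this PR adds signing for the resulting image, consider pinning the base by digest (`nvcr.io/nvidia/cuda:12.5.1-base-ubi8@sha256:<digest>`, with the real digest filled in) so that the signed image is built from a fixed base.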