Skip to content

Commit

Permalink
add ngc signing job for auto signing
Browse files Browse the repository at this point in the history
Signed-off-by: shiva kumar <[email protected]>
  • Loading branch information
shivakunv committed Jul 18, 2024
1 parent 65ed719 commit 04f4c9d
Show file tree
Hide file tree
Showing 3 changed files with 95 additions and 1 deletion.
1 change: 1 addition & 0 deletions .common-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ stages:
- test
- scan
- release
- sign

.pipeline-trigger-rules:
rules:
Expand Down
90 changes: 90 additions & 0 deletions .nvidia-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -419,3 +419,93 @@ release:ngc-rhel9.3:
- .dist-rhel9
variables:
OUT_DIST: "rhel9.3"

# Define the external image signing steps for NGC
# Download the ngc cli binary for use in the sign steps
.ngccli-setup:
before_script:
- apt-get update && apt-get install -y curl unzip jq bash make
- export REGCTL_VERSION=v0.4.7
- mkdir -p bin
- curl -sSLo bin/regctl https://github.com/regclient/regclient/releases/download/${REGCTL_VERSION}/regctl-linux-amd64
- chmod a+x bin/regctl
- export PATH=$(pwd)/bin:${PATH}
- |
if [ -z "${NGCCLI_VERSION}" ]; then
NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
# Extract the latest version from the JSON data using jq
export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
fi
echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
- curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
- unzip ngccli_linux.zip
- chmod u+x ngc-cli/ngc

# .sign forms the base of the deployment jobs which signs images in the CI registry.
# This is extended with the image name and version to be deployed.
.sign:ngc:
image: ubuntu:latest
timeout: 30 minutes
when: always
stage: sign
rules:
- if: $CI_COMMIT_TAG
variables:
DIST: "${SIGN_JOB_NAME}${VERSION}"
variables:
OUT_REGISTRY_USER: "${CI_REGISTRY_USER}"
OUT_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}"
OUT_REGISTRY: "${CI_REGISTRY}"
NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
IMAGE_TAG: "${CI_COMMIT_TAG}"
before_script:
- !reference [.ngccli-setup, before_script]
- 'if [[ "${PRECOMPILED}" != "true" ]]; then echo DRIVER_VERSION: ${DRIVER_VERSION} ; [[ -n "${DRIVER_VERSION}" ]] || exit 1; fi'
- regctl registry login "${OUT_REGISTRY}" -u "${OUT_REGISTRY_USER}" -p "${OUT_REGISTRY_TOKEN}"
- |
if [[ "${PRECOMPILED}" == "true" ]]; then
./scripts/precompiled.sh version;
source kernel_version.txt
export IMAGE_TAG=${DRIVER_BRANCH}-${KERNEL_VERSION}-${DIST##*_}
else
export IMAGE_TAG=${DRIVER_VERSION}-${DIST##*_}
fi
# We ensure that the IMAGE_NAME and IMAGE_TAG is set
- 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
- 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
script:
- 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
- ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia

sign:ngc-precompiled-ubuntu22.04:
extends:
- .driver-versions-precompiled-ubuntu22.04
- .dist-ubuntu22.04
- .release-generic
- .release:ngc-variables
- .sign:ngc
variables:
DIST: signed_ubuntu22.04
BASE_TARGET: jammy
PRECOMPILED: "true"
needs:
- release:ngc-precompiled-ubuntu22.04

sign:ngc-ubuntu-rhel-rhcos:
extends:
- .sign:ngc
parallel:
matrix:
- SIGN_JOB_NAME: ["ubuntu"]
VERSION: ["22.04"]
DRIVER_VERSION: ["535.183.06", "550.90.07"]
- SIGN_JOB_NAME: ["ubuntu"]
VERSION: ["20.04"]
DRIVER_VERSION: ["470.256.02", "535.183.06", "550.90.07"]
- SIGN_JOB_NAME: ["rhel"]
VERSION: ["8.6", "8.7", "8.8", "8.9","8.10"]
DRIVER_VERSION: ["470.256.02", "535.183.06", "550.90.07"]
- SIGN_JOB_NAME: ["rhcos"]
VERSION: ["4.9", "4.10", "4.11", "4.12","4.13","4.14","4.15"]
DRIVER_VERSION: ["470.256.02", "535.183.06", "550.90.07"]
5 changes: 4 additions & 1 deletion scripts/precompiled.sh
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,10 @@ case $1 in
sourceVersions
archiveImage
;;
version)
sourceVersions
;;
*)
echo "Usage: $0 {build|push|pull|archive}"
echo "Usage: $0 {build|push|pull|archive|version}"
exit 1
esac

0 comments on commit 04f4c9d

Please sign in to comment.