add ngc signing job for auto signing

Signed-off-by: shiva kumar <[email protected]>
NVIDIA · Jul 16, 2024 · f66cab1 · f66cab1
1 parent 6acbddc
commit f66cab1
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 2 deletions.
diff --git a/.common-ci.yml b/.common-ci.yml
@@ -26,6 +26,7 @@ stages:
   - test
   - scan
   - release
+  - sign
 
 # Define the distribution targets
 .dist-ubi8:

diff --git a/.nvidia-ci.yml b/.nvidia-ci.yml
@@ -148,3 +148,56 @@ release:ngc-ubi8:
   extends:
     - .release:ngc
     - .dist-ubi8
+
+# Define the external image signing steps for NGC
+# Download the ngc cli binary for use in the sign steps
+.ngccli-setup:
+  before_script:
+    - apt-get update && apt-get install -y curl unzip jq
+    - |
+      if [ -z "${NGCCLI_VERSION}" ]; then
+        NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
+        # Extract the latest version from the JSON data using jq
+        export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
+      fi
+      echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
+    - curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
+    - unzip ngccli_linux.zip
+    - chmod u+x ngc-cli/ngc
+
+# .sign forms the base of the deployment jobs which signs images in the CI registry.
+# This is extended with the image name and version to be deployed.
+.sign:ngc:
+  image: ubuntu:latest
+  stage: sign
+  rules:
+    - if: $CI_COMMIT_TAG
+  variables:
+    NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
+    IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
+  retry:
+    max: 2
+  before_script:
+    - !reference [.ngccli-setup, before_script]
+    # We ensure that the IMAGE_NAME and IMAGE_TAG is set
+    - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
+    - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
+  script:
+    - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
+    - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia 
+
+sign:ngc:
+  extends:
+    - .sign:ngc
+  parallel:
+    matrix:
+    - SIGN_JOB_NAME: [""]
+      DIST: ["CI_COMMIT_TAG", "ubi8"]
+  rules:
+    - if: '$DIST == "CI_COMMIT_TAG"'
+      variables:
+        IMAGE_TAG: "${SIGN_JOB_NAME}${CI_COMMIT_TAG}"
+    - when: always
+      variables:
+        IMAGE_TAG: "${SIGN_JOB_NAME}${CI_COMMIT_TAG}-${DIST}"
+
diff --git a/deployments/container/Dockerfile.ubi8 b/deployments/container/Dockerfile.ubi8
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM nvcr.io/nvidia/cuda:12.5.0-base-ubi8 AS build
+FROM nvcr.io/nvidia/cuda:12.5.1-base-ubi8 AS build
 
 WORKDIR /work
 
@@ -41,7 +41,7 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
 
 RUN GOOS=linux go build -o nvdrain ./cmd/nvdrain
 
-FROM nvcr.io/nvidia/cuda:12.5.0-base-ubi8
+FROM nvcr.io/nvidia/cuda:12.5.1-base-ubi8
 
 ARG TARGETARCH
-Original file line number
+Diff line change
@@ Expand Up / @@ -26,6 +26,7 @@ stages: @@
       - test
       - scan
       - release
+      - sign
     # Define the distribution targets
     .dist-ubi8:
@@ Expand Down @@