Merge pull request #123 from JunAr7112/ngc_pipeline_changes

NGC Pipeline changes

Author: cdesiniotis

.common-ci.yml

@@ -31,7 +31,7 @@ stages:
   - test
   - scan
   - release
-  - sign
+  - ngc-publish
 
 .dist-ubi9:
   variables:
@@ -106,10 +106,10 @@ stages:
   extends:
     - .release
   variables:
-    OUT_REGISTRY_USER: "${CI_REGISTRY_USER}"
-    OUT_REGISTRY_TOKEN: "${CI_REGISTRY_PASSWORD}"
-    OUT_REGISTRY: "${CI_REGISTRY}"
-    OUT_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/staging/k8s-kata-manager"
+    OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}"
+    OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}"
+    OUT_REGISTRY: "${NGC_REGISTRY}"
+    OUT_IMAGE_NAME: "${NGC_STAGING_REGISTRY}/k8s-kata-manager"
 
 # Define an external release step that pushes an image to an external repository.
 .release:external:

.nvidia-ci.yml

@@ -111,64 +111,87 @@ scan-arm64:
     - .dist-ubi9
     - .platform-arm64
 
-# Define the external release helpers
-.release:ngc:
-  extends: .release:external
-  variables:
-    OUT_REGISTRY_USER: "${NGC_REGISTRY_USER}"
-    OUT_REGISTRY_TOKEN: "${NGC_REGISTRY_TOKEN}"
-    OUT_REGISTRY: "${NGC_REGISTRY}"
-    OUT_IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
-
-# Define the external release targets
-# Release to NGC
-release:ngc-ubi9:
-  extends:
-    - .release:ngc
-    - .dist-ubi9
-
-# Define the external image signing steps for NGC
-# Download the ngc cli binary for use in the sign steps
-.ngccli-setup:
+.ngc-publish-variables:
   before_script:
-    - apt-get update && apt-get install -y curl unzip jq
     - |
-      if [ -z "${NGCCLI_VERSION}" ]; then
-        NGC_VERSION_URL="https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions"
-        # Extract the latest version from the JSON data using jq
-        export NGCCLI_VERSION=$(curl -s $NGC_VERSION_URL | jq -r '.recipe.latestVersionIdStr')
+      if [ -n "${CI_COMMIT_TAG}" ]; then
+        echo "${CI_COMMIT_SHORT_SHA} ${CI_COMMIT_TAG}" > build-info-${CI_PIPELINE_ID}.txt
+      else
+        echo "${CI_COMMIT_SHORT_SHA} ${CI_COMMIT_SHORT_SHA}" > build-info-${CI_PIPELINE_ID}.txt 
       fi
-      echo "NGCCLI_VERSION ${NGCCLI_VERSION}"
-    - curl -sSLo ngccli_linux.zip https://api.ngc.nvidia.com/v2/resources/nvidia/ngc-apps/ngc_cli/versions/${NGCCLI_VERSION}/files/ngccli_linux.zip
-    - unzip ngccli_linux.zip
-    - chmod u+x ngc-cli/ngc
 
-# .sign forms the base of the deployment jobs which signs images in the CI registry.
-# This is extended with the image name and version to be deployed.
-.sign:ngc:
-  image: ubuntu:latest
-  when: always
-  stage: sign
+.update-nspect:
+  stage: ngc-publish
+  needs:
+    - job: release:staging-ubi9
+  extends:
+    - .ngc-publish-variables
+  image: 
+    name: "${CNT_NGC_PUBLISH_IMAGE}"
+    pull_policy: always
+  variables:
+    PROJECT_NAME: "k8s-kata-manager"
+    REPO_URL: "https://github.com/NVIDIA/k8s-kata-manager.git"
+  script:
+    - |
+      cnt-ngc-publish nspect --versions-file "build-info-${CI_PIPELINE_ID}.txt"
+
+# Update the nspect staging environment to test the nspect publishing logic
+update-nspect-staging:
+  extends:
+    - .update-nspect
+  except:
+    - tags
+  variables:
+    ENV: "stage"
+    RELEASE_VERSION: "test"
+    NSPECT_CLIENT_ID: "${NSPECT_STAGING_CLIENT_ID}" 
+    NSPECT_CLIENT_SECRET: "${NSPECT_STAGING_CLIENT_SECRET}"
+
+# Update the nspect production environment with the new release
+update-nspect:
+  extends:
+    - .update-nspect
   rules:
     - if: $CI_COMMIT_TAG
   variables:
-    NGC_CLI_API_KEY: "${NGC_REGISTRY_TOKEN}"
-    IMAGE_NAME: "${NGC_REGISTRY_IMAGE}"
-    IMAGE_TAG: "${CI_COMMIT_TAG}"
-  retry:
-    max: 2
-  before_script:
-    - !reference [.ngccli-setup, before_script]
-    # We ensure that the IMAGE_NAME and IMAGE_TAG is set
-    - 'echo Image Name: ${IMAGE_NAME} && [[ -n "${IMAGE_NAME}" ]] || exit 1'
-    - 'echo Image Tag: ${IMAGE_TAG} && [[ -n "${IMAGE_TAG}" ]] || exit 1'
+    OSRB_BUG_ID: "${OSRB_BUG_ID}"
+    ENV: "prod"
+    RELEASE_VERSION: "${CI_COMMIT_TAG}"
+    NSPECT_CLIENT_ID: "${NSPECT_PROD_CLIENT_ID}" 
+    NSPECT_CLIENT_SECRET: "${NSPECT_PROD_CLIENT_SECRET}"
+
+.publish-images:
+  stage: ngc-publish
+  extends:
+    - .ngc-publish-variables
+  image:
+    name: "${CNT_NGC_PUBLISH_IMAGE}"
+    pull_policy: always
+  variables:
+    GITLAB_ACCESS_TOKEN: "${CNT_GITLAB_TOKEN}"
   script:
-    - 'echo "Signing the image ${IMAGE_NAME}:${IMAGE_TAG}"'
-    - ngc-cli/ngc registry image publish --source ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG} --public --discoverable --allow-guest --sign --org nvidia
+    - cnt-ngc-publish render --project-name "k8s-kata-manager" --versions-file "build-info-${CI_PIPELINE_ID}.txt" --output k8s-kata-manager.yaml
+    - cnt-ngc-publish merge-request --files "k8s-kata-manager.yaml"
 
-sign:ngc-ubi9:
+# Raise an MR to publish the image to NGC
+ngc-image-publish:
   extends:
-    - .dist-ubi9
-    - .sign:ngc
+    - .publish-images
+  rules:
+    - if: $CI_COMMIT_TAG
   needs:
-    - release:ngc-ubi9
+    - job: update-nspect
+  variables:
+    NGC_PUBLISHING_PROJECT_PATH: "${NGC_PUBLISHING_PROD_PROJECT_PATH}"
+
+# Create a dummy MR that exercises the publishing logic
+mock-image-publish:
+  extends:
+    - .publish-images
+  except:
+    - tags
+  needs:
+    - job: update-nspect-staging
+  variables:
+    NGC_PUBLISHING_PROJECT_PATH: "${NGC_PUBLISHING_TEST_PROJECT_PATH}"