

fix(CLOUDDST-25034): run rh-sign-image-cosign signing in parallel
Verify images by digest, not by tag

Signed-off-by: Jindrich Luza <[email protected]>
midnightercz committed Jan 30, 2025
1 parent 028af7e commit 18d4b00
Showing 4 changed files with 110 additions and 80 deletions.
66 changes: 49 additions & 17 deletions tasks/managed/rh-sign-image-cosign/rh-sign-image-cosign.yaml
Expand Up @@ -123,13 +123,14 @@ spec:
local identity=$1
local reference=$2
local digest=$3
declare -a COSIGN_REKOR_ARGS=()
if [ -v REKOR_URL ]; then
COSIGN_REKOR_ARGS="--rekor-url=$REKOR_URL"
COSIGN_REKOR_ARGS+=("--rekor-url=$REKOR_URL")
REKOR_PUBLIC_KEY_FILE=$(mktemp)
echo -n "$REKOR_PUBLIC_KEY" > "$REKOR_PUBLIC_KEY_FILE"
export SIGSTORE_REKOR_PUBLIC_KEY="$REKOR_PUBLIC_KEY_FILE"
else
COSIGN_REKOR_ARGS="--insecure-ignore-tlog=true"
COSIGN_REKOR_ARGS=+("--insecure-ignore-tlog=true")
fi
verify_output=$(run_cosign verify "${COSIGN_REKOR_ARGS[@]}" --key "$PUBLIC_KEY_FILE" "$reference")
found_signatures=$(echo "$verify_output" | jq -j '['\
Expand All @@ -141,21 +142,21 @@ spec:
function check_and_sign() {
local identity=$1
local reference=$2
local tag=$3
local digest=$4
found_signatures=$(check_existing_signatures "$identity" "$reference:$tag" "$digest")
local digest=$3
declare -a COSIGN_REKOR_ARGS=()
found_signatures=$(check_existing_signatures "$identity" "$reference@$digest" "$digest")
if [ -z "$found_signatures" ]; then
found_signatures=0
fi
echopid "FOUND SIGNATURES for ${identity} ${digest}: $found_signatures"
if [ -v REKOR_URL ]; then
COSIGN_REKOR_ARGS="-y --rekor-url=$REKOR_URL"
COSIGN_REKOR_ARGS+=("-y" "--rekor-url=$REKOR_URL")
REKOR_PUBLIC_KEY_FILE=$(mktemp)
echo -n "$REKOR_PUBLIC_KEY" > "$REKOR_PUBLIC_KEY_FILE"
export SIGSTORE_REKOR_PUBLIC_KEY="$REKOR_PUBLIC_KEY_FILE"
else
COSIGN_REKOR_ARGS="--tlog-upload=false"
COSIGN_REKOR_ARGS+=("--tlog-upload=false")
fi
if [ "$found_signatures" -eq 0 ]; then
Expand All @@ -167,6 +168,7 @@ spec:
fi
}
declare -a to_sign=()
for (( COMPONENTS_INDEX=0; COMPONENTS_INDEX<COMPONENTS_LENGTH; COMPONENTS_INDEX++ )); do
COMPONENT_NAME=$(jq -r ".components[${COMPONENTS_INDEX}].name" "${SNAPSHOT_PATH}")
echo "Processing component ${COMPONENT_NAME}"
Expand Down Expand Up @@ -195,30 +197,60 @@ spec:
if [ "$MEDIA_TYPE" = "application/vnd.docker.distribution.manifest.list.v2+json" ]; then LIST=1; fi
if [ "$MEDIA_TYPE" = "application/vnd.oci.image.index.v1+json" ]; then LIST=1; fi
# Sign each manifest in manifest list
# Collect data for signing
# Sign each manifest in the manifest list
if [ $LIST -eq 1 ]; then
for REGISTRY_REF in "${REGISTRY_REFERENCES[@]}"; do
for MDIGEST in $(echo "$IMAGE" | jq -r '.manifests[]|.digest'); do
for TAG in $TAGS; do
while (( ${RUNNING_JOBS@P} >= $(params.concurrentLimit) )); do
wait -n
done
check_and_sign "${REGISTRY_REF}:${TAG}" "${INTERNAL_CONTAINER_REF}" "${TAG}" "${MDIGEST}" &
to_sign+=("${REGISTRY_REF}:${TAG}@${MDIGEST}#${INTERNAL_CONTAINER_REF}")
done
done
done
fi
# Sign manifest list itself or manifest if it's not list
for REGISTRY_REF in "${REGISTRY_REFERENCES[@]}"; do
for TAG in $TAGS; do
while (( ${RUNNING_JOBS@P} >= $(params.concurrentLimit) )); do
wait -n
done
check_and_sign "${REGISTRY_REF}:${TAG}" "${INTERNAL_CONTAINER_REF}" "${TAG}" "${DIGEST}" &
to_sign+=("${REGISTRY_REF}:${TAG}@${DIGEST}#${INTERNAL_CONTAINER_REF}")
done
done
done
echo "${to_sign[@]}" | python3 -c "
import sys
from itertools import zip_longest
digest_groups = {}
# #
# Make groups based on reference + digest to avoid signing same digest in parallel
# #
for x in sys.stdin.read().strip().split(' '):
rest, internal_ref = x.split('#')
rest, digest = rest.split('@')
public_ref, tag = rest.split(':')
digest_groups.setdefault(internal_ref+'@'+digest, []).append(
(internal_container_ref, public_ref, digest, tag)
)
for to_yield in zip_longest(*digest_groups.values()):
for entry in filter(None, to_yield):
print(' '.join(entry))
print('---') # group separator
" | while read -r ENTRY; do
if [ "$ENTRY" = "---" ]; then
echo "... waiting for group to be signed ..."
# wait for group to finish
while (( ${RUNNING_JOBS@P} > 0 )); do
wait -n
done
continue
fi
INTERNAL_REF=$(echo "$ENTRY" | cut -d' ' -f1)
PUBLIC_REF=$(echo "$ENTRY" | cut -d' ' -f2)
DIGEST=$(echo "$ENTRY" | cut -d' ' -f3)
TAG=$(echo "$ENTRY" | cut -d' ' -f4)
while (( ${RUNNING_JOBS@P} >= $(params.concurrentLimit) )); do
wait -n
done
check_and_sign "${PUBLIC_REF}:${TAG}" "${INTERNAL_REF}" "${DIGEST}" &
done
while (( ${RUNNING_JOBS@P} > 0 )); do
wait -n
done
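Review bot: The grouping script in the last hunk builds its output tuple from `internal_container_ref`, a name the snippet never defines (the value parsed off the `#` suffix is bound as `internal_ref`), so `python3` raises NameError on the first entry and nothing reaches the `while read` loop; the line should read `(internal_ref, public_ref, digest, tag)`. The same snippet splits stdin on a bare `' '` and then unpacks `x.split('#')`, which raises ValueError when `to_sign` is empty (the input is a single empty string), and `rest.split(':')` would also fail if a public reference ever carries a registry port — `for x in sys.stdin.read().split():` and `rest.rsplit(':', 1)` cover both, though I cannot tell from here whether ports occur. In the first hunk, `COSIGN_REKOR_ARGS=+("--insecure-ignore-tlog=true")` has `=+` where `+=` is meant, so the flag is not appended to the array in the no-Rekor branch even though the tests expect it on the verify call; it should be `COSIGN_REKOR_ARGS+=("--insecure-ignore-tlog=true")`, and that function's header starts outside the hunk. Note also that the `while read` loop runs in a pipeline subshell, so the background `check_and_sign` jobs and the `wait -n` calls that collect their exit status live there, and the final wait loop after the pipeline has no jobs of its own to reap; whether a failed signing still fails the step then depends on `set -e`/`pipefail` settings that are not visible in this hunk.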
Expand Up @@ -48,17 +48,15 @@ spec:
]
}
EOF
REF11="quay.io/redhat-pending/test-product----test-image0:t1"
REF12="quay.io/redhat-pending/test-product----test-image0:t2"
REF21="quay.io/redhat-pending/test-product----test-image1:t1"
REF22="quay.io/redhat-pending/test-product----test-image1:t2"
# create empty cosign verify mock files
touch "$(workspaces.data.path)/$(echo $REF11 | tr '/' '-')"
touch "$(workspaces.data.path)/$(echo $REF12 | tr '/' '-')"
touch "$(workspaces.data.path)/$(echo $REF21 | tr '/' '-')"
touch "$(workspaces.data.path)/$(echo $REF22 | tr '/' '-')"
for D in sha256:0000 sha256:0000-1 sha256:0000-2 sha256:0000-3 ; do
REF="quay.io/redhat-pending/test-product----test-image0@${D}"
touch "$(workspaces.data.path)/$(echo $REF | tr '/' '-')"
done
for D in sha256:1111 sha256:1111-1 sha256:1111-2 sha256:1111-3 ; do
REF="quay.io/redhat-pending/test-product----test-image1@${D}"
touch "$(workspaces.data.path)/$(echo $REF | tr '/' '-')"
done
# setup cosign success calls - all calls should pass
for _ in $(seq 1 48); do
echo "1" >> "$(workspaces.data.path)/mock_cosign_success_calls"
Expand Down Expand Up @@ -115,29 +113,29 @@ spec:
--sign-container-identity"
EXPECTED=$(cat <<EOF
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t1 ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t2 ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t1 ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t2 ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t1 ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t2 ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t1 ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t2 ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t1 ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t2 ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t1 ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t2 ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t1 ${_TEST_REPO1}@sha256:0000
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t2 ${_TEST_REPO1}@sha256:0000
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t1 ${_TEST_REPO1}@sha256:0000
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t2 ${_TEST_REPO1}@sha256:0000
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t1 ${_TEST_REPO2}@sha256:1111-1
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t2 ${_TEST_REPO2}@sha256:1111-1
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t1 ${_TEST_REPO2}@sha256:1111-2
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t2 ${_TEST_REPO2}@sha256:1111-2
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t1 ${_TEST_REPO2}@sha256:1111-3
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t2 ${_TEST_REPO2}@sha256:1111-3
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t1 ${_TEST_REPO2}@sha256:1111
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t2 ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t2 ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t2 ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_PUB_REPO1}:t2 ${_TEST_REPO1}@sha256:0000
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t2 ${_TEST_REPO2}@sha256:1111-1
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t2 ${_TEST_REPO2}@sha256:1111-2
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t2 ${_TEST_REPO2}@sha256:1111-3
$COSIGN_COMMON ${_TEST_PUB_REPO3}:t2 ${_TEST_REPO2}@sha256:1111
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t1 ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t1 ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t1 ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t1 ${_TEST_REPO1}@sha256:0000
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t2 ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t2 ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t2 ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_PUB_REPO2}:t2 ${_TEST_REPO1}@sha256:0000
EOF
)
echo "TESTING"
Expand All @@ -154,30 +152,30 @@ spec:
CALLS=$(cat "$(workspaces.data.path)/mock_cosign_verify_calls")
COSIGN_COMMON="verify --rekor-url=https://fake-rekor-server --key temp_key_file"
EXPECTED=$(cat <<EOF
$COSIGN_COMMON ${_TEST_REPO1}:t1
$COSIGN_COMMON ${_TEST_REPO1}:t2
$COSIGN_COMMON ${_TEST_REPO1}:t1
$COSIGN_COMMON ${_TEST_REPO1}:t2
$COSIGN_COMMON ${_TEST_REPO1}:t1
$COSIGN_COMMON ${_TEST_REPO1}:t2
$COSIGN_COMMON ${_TEST_REPO1}:t1
$COSIGN_COMMON ${_TEST_REPO1}:t2
$COSIGN_COMMON ${_TEST_REPO1}:t1
$COSIGN_COMMON ${_TEST_REPO1}:t2
$COSIGN_COMMON ${_TEST_REPO1}:t1
$COSIGN_COMMON ${_TEST_REPO1}:t2
$COSIGN_COMMON ${_TEST_REPO1}:t1
$COSIGN_COMMON ${_TEST_REPO1}:t2
$COSIGN_COMMON ${_TEST_REPO1}:t1
$COSIGN_COMMON ${_TEST_REPO1}:t2
$COSIGN_COMMON ${_TEST_REPO2}:t1
$COSIGN_COMMON ${_TEST_REPO2}:t2
$COSIGN_COMMON ${_TEST_REPO2}:t1
$COSIGN_COMMON ${_TEST_REPO2}:t2
$COSIGN_COMMON ${_TEST_REPO2}:t1
$COSIGN_COMMON ${_TEST_REPO2}:t2
$COSIGN_COMMON ${_TEST_REPO2}:t1
$COSIGN_COMMON ${_TEST_REPO2}:t2
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000
$COSIGN_COMMON ${_TEST_REPO2}@sha256:1111-1
$COSIGN_COMMON ${_TEST_REPO2}@sha256:1111-2
$COSIGN_COMMON ${_TEST_REPO2}@sha256:1111-3
$COSIGN_COMMON ${_TEST_REPO2}@sha256:1111
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000
$COSIGN_COMMON ${_TEST_REPO2}@sha256:1111-1
$COSIGN_COMMON ${_TEST_REPO2}@sha256:1111-2
$COSIGN_COMMON ${_TEST_REPO2}@sha256:1111-3
$COSIGN_COMMON ${_TEST_REPO2}@sha256:1111
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-1
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-2
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000-3
$COSIGN_COMMON ${_TEST_REPO1}@sha256:0000
EOF
)
echo "TESTING VERIFY CALLS"
Expand Up @@ -38,10 +38,10 @@ spec:
EOF
# create empty cosign verify mock files
REF1="quay.io/redhat-pending/test-product----test-image2:t1"
touch "$(workspaces.data.path)/$(echo $REF1 | tr '/' '-')"
REF2="quay.io/redhat-pending/test-product----test-image2:t2"
touch "$(workspaces.data.path)/$(echo $REF2 | tr '/' '-')"
for D in sha256:0000 sha256:1111 sha256:2222 ; do
REF="quay.io/redhat-pending/test-product----test-image2@${D}"
touch "$(workspaces.data.path)/$(echo $REF | tr '/' '-')"
done
# first 3 cosign calls should end with success
for _ in $(seq 1 3); do
Expand Down Expand Up @@ -113,8 +113,8 @@ spec:
CALLS=$(cat "$(workspaces.data.path)/mock_cosign_verify_calls")
COSIGN_COMMON="verify --insecure-ignore-tlog=true --key temp_key_file"
EXPECTED=$(cat <<EOF
$COSIGN_COMMON ${_TEST_REPO}:t1
$COSIGN_COMMON ${_TEST_REPO}:t2
$COSIGN_COMMON ${_TEST_REPO}@sha256:2222
$COSIGN_COMMON ${_TEST_REPO}@sha256:2222
EOF
)
echo "TESTING VERIFY CALLS"
Expand Up @@ -37,10 +37,10 @@ spec:
}
EOF
# create empty cosign verify mock files
REF1="quay.io/redhat-pending/test-product----test-image2:t1"
touch "$(workspaces.data.path)/$(echo $REF1 | tr '/' '-')"
REF2="quay.io/redhat-pending/test-product----test-image2:t2"
touch "$(workspaces.data.path)/$(echo $REF2 | tr '/' '-')"
for D in sha256:0000 sha256:1111 sha256:2222 ; do
REF="quay.io/redhat-pending/test-product----test-image2@${D}"
touch "$(workspaces.data.path)/$(echo $REF | tr '/' '-')"
done
# first 8 cosign calls should end with success
for _ in $(seq 1 8); do
Expand Down Expand Up @@ -111,10 +111,10 @@ spec:
CALLS=$(cat "$(workspaces.data.path)/mock_cosign_verify_calls")
COSIGN_COMMON="verify --insecure-ignore-tlog=true --key temp_key_file"
EXPECTED=$(cat <<EOF
$COSIGN_COMMON ${_TEST_REPO}:t1
$COSIGN_COMMON ${_TEST_REPO}:t2
$COSIGN_COMMON ${_TEST_REPO}:t1
$COSIGN_COMMON ${_TEST_REPO}:t2
$COSIGN_COMMON ${_TEST_REPO}@sha256:2222
$COSIGN_COMMON ${_TEST_REPO}@sha256:2222
$COSIGN_COMMON ${_TEST_REPO}@sha256:2222
$COSIGN_COMMON ${_TEST_REPO}@sha256:2222
EOF
)
echo "TESTING VERIFY CALLS"

