fix(RELEASE-1728): rh-sign-image optimization

scoheb · scoheb · commit 344e391da0c8 · 2025-07-15T10:56:02.000-04:00
- parallelize calls to find-signature in an effort to
  improve performance.

Assisted-by: Cursor
Signed-off-by: Scott Hebert &lt;scoheb@gmail.com&gt;
diff --git a/tasks/managed/rh-sign-image/rh-sign-image.yaml b/tasks/managed/rh-sign-image/rh-sign-image.yaml
@@ -251,6 +251,11 @@ spec:
         declare -a to_sign_references=()
         declare -a to_sign_digests=()
 
+        # Arrays to store information for parallel processing
+        declare -a find_signatures_jobs=()
+        declare -a component_data=()
+
+        # First pass: collect all find_signatures calls and start them in parallel
         for (( COMPONENTS_INDEX=0; COMPONENTS_INDEX<COMPONENTS_LENGTH; COMPONENTS_INDEX++ )); do
 
             referenceContainerImage=$(jq -r ".components[${COMPONENTS_INDEX}].containerImage" "${SNAPSHOT_PATH}")
@@ -268,7 +273,7 @@ spec:
             manifest_digests="${referenceContainerImage#*@}"
             # For multi arch, also sign all the manifests inside
             if [ "$(jq -r '.mediaType' <<< "$RAW_OUTPUT")" != "application/vnd.oci.image.manifest.v1+json" ] ; then
-              nested_digests=$(jq -r '.manifests[].digest' <<< "$RAW_OUTPUT")
+              nested_digests=$(jq -r '[.manifests[].digest] | join(" ")' <<< "$RAW_OUTPUT")
               manifest_digests="$manifest_digests $nested_digests"
             fi
 
@@ -298,13 +303,59 @@ spec:
               REGISTRY_REFERENCES+=("${registry_access_repo}")
             fi
 
-            for manifest_digest in $manifest_digests; do
+            # Store component data for later processing
+            component_data+=("${COMPONENTS_INDEX}|${repository}|${TAGS}|${manifest_digests}|${sourceContainerDigest}|${rh_registry_repo}|${registry_access_repo}")
 
+            # Start find_signatures jobs in parallel for manifest digests
+            for manifest_digest in $manifest_digests; do
+              echo "Starting find_signatures job for manifest digest: ${manifest_digest}"
               find_signatures --pyxis-graphql-api "${PYXIS_GRAPHQL_URL}" \
                   --manifest_digest "${manifest_digest}" \
                   --repository "${repository}" \
-                  --output_file "/tmp/${manifest_digest}"
+                  --output_file "/tmp/${manifest_digest}" &
+              find_signatures_jobs+=($!)
+            done
+
+            # Start find_signatures job for source container digest if it exists
+            if [ "${sourceContainerDigest}" != "" ] ; then
+              echo "Starting find_signatures job for source container digest: ${sourceContainerDigest}"
+              find_signatures --pyxis-graphql-api "${PYXIS_GRAPHQL_URL}" \
+                  --manifest_digest "${sourceContainerDigest}" \
+                  --repository "${repository}" \
+                  --output_file "/tmp/${sourceContainerDigest}" &
+              find_signatures_jobs+=($!)
+            fi
+        done
+
+        # Wait for all find_signatures jobs to complete
+        echo "Waiting for ${#find_signatures_jobs[@]} find_signatures jobs to complete..."
+        for job in "${find_signatures_jobs[@]}"; do
+          wait "$job"
+        done
+        echo "All find_signatures jobs completed"
+
+        # Second pass: process the results now that all find_signatures calls are complete
+        for component_info in "${component_data[@]}"; do
+            echo "Processing component_info: ${component_info}"
 
+            IFS='|' read -r COMPONENTS_INDEX repository TAGS manifest_digests sourceContainerDigest \
+              rh_registry_repo registry_access_repo <<< "$component_info"
+
+            echo "repository: ${repository}"
+            echo "TAGS: ${TAGS}"
+            echo "manifest_digests: ${manifest_digests}"
+            echo "sourceContainerDigest: ${sourceContainerDigest}"
+            echo "rh_registry_repo: ${rh_registry_repo}"
+            echo "registry_access_repo: ${registry_access_repo}"
+
+            # Sign rh-registry-repo references (always) and registry-access-repo references
+            # (only if signatures for this registry are required)
+            REGISTRY_REFERENCES=("${rh_registry_repo}")
+            if grep -q "^${repository}$" "${SIGN_REGISTRY_ACCESS_FILE}"; then
+              REGISTRY_REFERENCES+=("${registry_access_repo}")
+            fi
+
+            for manifest_digest in $manifest_digests; do
               # Iterate over both rh-registry-repo and registry-access-repo
               for registry_reference in "${REGISTRY_REFERENCES[@]}"; do
 
@@ -324,12 +375,6 @@ spec:
             done
 
             if [ "${sourceContainerDigest}" != "" ] ; then
-
-                find_signatures --pyxis-graphql-api "${PYXIS_GRAPHQL_URL}" \
-                    --manifest_digest "${sourceContainerDigest}" \
-                    --repository "${repository}" \
-                    --output_file "/tmp/${sourceContainerDigest}"
-
                 for registry_reference in "${REGISTRY_REFERENCES[@]}"; do
 
                   for tag in ${TAGS}; do
@@ -343,8 +388,8 @@ spec:
                       echo "- reference=${registry_reference}:${sourceTag}"
                       echo "- manifest_digest=${sourceContainerDigest}"
                     fi
+                  done
                 done
-              done
             fi
         done
 
