
fix(RELEASE-1728): rh-sign-image optimization #1174


Merged
merged 1 commit into from
Jul 16, 2025
65 changes: 55 additions & 10 deletions tasks/managed/rh-sign-image/rh-sign-image.yaml
@@ -251,6 +251,11 @@ spec:
declare -a to_sign_references=()
declare -a to_sign_digests=()
# Arrays to store information for parallel processing
declare -a find_signatures_jobs=()
declare -a component_data=()
# First pass: collect all find_signatures calls and start them in parallel
for (( COMPONENTS_INDEX=0; COMPONENTS_INDEX<COMPONENTS_LENGTH; COMPONENTS_INDEX++ )); do
referenceContainerImage=$(jq -r ".components[${COMPONENTS_INDEX}].containerImage" "${SNAPSHOT_PATH}")
@@ -268,7 +273,7 @@ spec:
manifest_digests="${referenceContainerImage#*@}"
# For multi arch, also sign all the manifests inside
if [ "$(jq -r '.mediaType' <<< "$RAW_OUTPUT")" != "application/vnd.oci.image.manifest.v1+json" ] ; then
nested_digests=$(jq -r '.manifests[].digest' <<< "$RAW_OUTPUT")
nested_digests=$(jq -r '[.manifests[].digest] | join(" ")' <<< "$RAW_OUTPUT")
manifest_digests="$manifest_digests $nested_digests"
fi
@@ -298,13 +303,59 @@ spec:
REGISTRY_REFERENCES+=("${registry_access_repo}")
fi
for manifest_digest in $manifest_digests; do
# Store component data for later processing
component_data+=("${COMPONENTS_INDEX}|${repository}|${TAGS}|${manifest_digests}|${sourceContainerDigest}|${rh_registry_repo}|${registry_access_repo}")
# Start find_signatures jobs in parallel for manifest digests
for manifest_digest in $manifest_digests; do
echo "Starting find_signatures job for manifest digest: ${manifest_digest}"
find_signatures --pyxis-graphql-api "${PYXIS_GRAPHQL_URL}" \
--manifest_digest "${manifest_digest}" \
--repository "${repository}" \
--output_file "/tmp/${manifest_digest}"
--output_file "/tmp/${manifest_digest}" &
find_signatures_jobs+=($!)
done
# Start find_signatures job for source container digest if it exists
if [ "${sourceContainerDigest}" != "" ] ; then
echo "Starting find_signatures job for source container digest: ${sourceContainerDigest}"
find_signatures --pyxis-graphql-api "${PYXIS_GRAPHQL_URL}" \
--manifest_digest "${sourceContainerDigest}" \
--repository "${repository}" \
--output_file "/tmp/${sourceContainerDigest}" &
find_signatures_jobs+=($!)
fi
done
# Wait for all find_signatures jobs to complete
echo "Waiting for ${#find_signatures_jobs[@]} find_signatures jobs to complete..."
for job in "${find_signatures_jobs[@]}"; do
wait "$job"
done
echo "All find_signatures jobs completed"
# Second pass: process the results now that all find_signatures calls are complete
for component_info in "${component_data[@]}"; do
echo "Processing component_info: ${component_info}"
IFS='|' read -r COMPONENTS_INDEX repository TAGS manifest_digests sourceContainerDigest \
rh_registry_repo registry_access_repo <<< "$component_info"
echo "repository: ${repository}"
echo "TAGS: ${TAGS}"
echo "manifest_digests: ${manifest_digests}"
echo "sourceContainerDigest: ${sourceContainerDigest}"
echo "rh_registry_repo: ${rh_registry_repo}"
echo "registry_access_repo: ${registry_access_repo}"
# Sign rh-registry-repo references (always) and registry-access-repo references
# (only if signatures for this registry are required)
REGISTRY_REFERENCES=("${rh_registry_repo}")
if grep -q "^${repository}$" "${SIGN_REGISTRY_ACCESS_FILE}"; then
REGISTRY_REFERENCES+=("${registry_access_repo}")
fi
for manifest_digest in $manifest_digests; do
# Iterate over both rh-registry-repo and registry-access-repo
for registry_reference in "${REGISTRY_REFERENCES[@]}"; do
@@ -324,12 +375,6 @@ spec:
done
if [ "${sourceContainerDigest}" != "" ] ; then
find_signatures --pyxis-graphql-api "${PYXIS_GRAPHQL_URL}" \
--manifest_digest "${sourceContainerDigest}" \
--repository "${repository}" \
--output_file "/tmp/${sourceContainerDigest}"
for registry_reference in "${REGISTRY_REFERENCES[@]}"; do
for tag in ${TAGS}; do
@@ -343,8 +388,8 @@ spec:
echo "- reference=${registry_reference}:${sourceTag}"
echo "- manifest_digest=${sourceContainerDigest}"
fi
done
done
done
fi
done
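Review bot: The lookup result file is keyed only by digest (`--output_file "/tmp/${manifest_digest}"`, and likewise for `sourceContainerDigest`), and in the new two-pass layout every lookup has finished before any result is read, so two components that share a digest but differ in `--repository` would write the same file concurrently and the second pass could consume the answer for the wrong repository. In the old flow each call ran in the same loop iteration as its consumer, which masked this; how the file is read sits in a collapsed part of the section, so the impact is inferred. Putting the component into the path, for example `--output_file "${sig_dir}/${COMPONENTS_INDEX}-${manifest_digest}"` with `sig_dir=$(mktemp -d)`, and reading that same path in the second pass would remove both the collision and the predictable /tmp name. The wait loop also leaves failure handling to whatever shell options are in effect outside the visible lines; `wait "$job" || { echo "find_signatures job ${job} failed" >&2; exit 1; }` would stop the task before signing decisions are made from a missing or partial result file.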
Expand Down