Run rh-sign-image-cosign signing in parallel [CLOUDDST-25034]

[midnightercz]

rh-sign-image-cosign now checks for existing signatures and sign only when signature for given identity and digest is not found.
Also whole procedure now runs in parallel.

[openshift-ci]

Hi @midnightercz. Thanks for your PR.

I'm waiting for a konflux-ci member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[midnightercz]

I still need to apply some retry mechanism

[johnbieren]

rh-sign-image-cosign now checks for existing signatures and sign only when signature for given identity and digest is not found. Also whole procedure now runs in parallel.

So this makes the task idempotent too? Sounds like it may resolve https://issues.redhat.com/browse/RELEASE-1251

[johnbieren]

All the tests have concurrentLimit: 1. It would be nice to have one testing the parallel functionality since this PR introduces it

[midnightercz]

rh-sign-image-cosign now checks for existing signatures and sign only when signature for given identity and digest is not found. Also whole procedure now runs in parallel.

So this makes the task idempotent too? Sounds like it may resolve https://issues.redhat.com/browse/RELEASE-1251

Well, it was idempotent even before - cosign checks before pushing signature to the server, point is that now it doesn't even build the signature layer.

All the tests have concurrentLimit: 1. It would be nice to have one testing the parallel functionality since this PR introduces it
Yes, I thought for testing it's fine. With concurrencyLimit set to >1 I need to change way how expected results are checked. But it's possible.

[johnbieren]

rh-sign-image-cosign now checks for existing signatures and sign only when signature for given identity and digest is not found. Also whole procedure now runs in parallel.

So this makes the task idempotent too? Sounds like it may resolve https://issues.redhat.com/browse/RELEASE-1251

Well, it was idempotent even before - cosign checks before pushing signature to the server, point is that now it doesn't even build the signature layer.

Okay, I am going to assign the ticket to you and put it in review since you did all the work here. Thank you!

All the tests have concurrentLimit: 1. It would be nice to have one testing the parallel functionality since this PR introduces it
Yes, I thought for testing it's fine. With concurrencyLimit set to >1 I need to change way how expected results are checked. But it's possible.

If it wouldn't take too long to add, I think it would be nice to have

[johnbieren]

Can you squash it down to one commit and make it pass gitlint (and rebase)? Then I will trigger the e2e

[johnbieren]

One outstanding nit pick about the rm in the test cleanups, but otherwise lgtm. Can you fix the checkton issues, rebase and squash it down to one commit that fits gitlint standards?

[johnbieren]

/ok-to-test

[johnbieren]

@midnightercz okay to merge it if we get an e2e pass?

[openshift-ci]

New changes are detected. LGTM label has been removed.

[johnbieren]

/ok-to-test

[johnbieren]

/ok-to-test

[johnbieren]

/ok-to-test

[johnbieren]

/ok-to-test

[konflux-ci-qe-bot]

@midnightercz: The following test has Failed, say /retest to rerun failed tests.

PipelineRun Name	Status	Rerun command	Build Log	Test Log
konflux-e2e-tests-catalog-tlx6g	Failed	/retest	View Pipeline Log	View Test Logs

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

1. Install ORAS (see the ORAS installation guide).
2. Download artifacts with the following commands:

mkdir -p oras-artifacts
cd oras-artifacts
oras pull quay.io/konflux-test-storage/konflux-team/release-service-catalog:konflux-e2e-tests-catalog-tlx6g

[johnbieren]

container "step-sign-image" in pod "managed-vlnqf-rh-sign-image-cosign-pod" is waiting to start: CreateContainerConfigError I am guessing the secret is missing PUBLIC_KEY but I will have to confirm after meetings

[johnbieren]

container "step-sign-image" in pod "managed-vlnqf-rh-sign-image-cosign-pod" is waiting to start: CreateContainerConfigError I am guessing the secret is missing PUBLIC_KEY but I will have to confirm after meetings

Yes, that is the issue. @midnightercz how do we derive the proper PUBLIC_KEY values to put in the secret?

[johnbieren]

@midnightercz ping

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.