Skip to content

Commit

Permalink
use workers to limit the paralellism when verifying images
Browse files Browse the repository at this point in the history
Signed-off-by: cpanato <[email protected]>
  • Loading branch information
cpanato committed Jun 21, 2023
1 parent 1e00e41 commit e8de9d6
Show file tree
Hide file tree
Showing 16 changed files with 101 additions and 47 deletions.
1 change: 1 addition & 0 deletions cmd/cosign/cli/dockerfile.go
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,7 @@ Shell-like variables in the Dockerfile's FROM lines will be substituted with val
Offline: o.CommonVerifyOptions.Offline,
TSACertChainPath: o.CommonVerifyOptions.TSACertChainPath,
IgnoreTlog: o.CommonVerifyOptions.IgnoreTlog,
MaxWorkers: o.CommonVerifyOptions.MaxWorkers,
},
BaseOnly: o.BaseImageOnly,
}
Expand Down
1 change: 1 addition & 0 deletions cmd/cosign/cli/manifest.go
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@ against the transparency log.`,
Offline: o.CommonVerifyOptions.Offline,
TSACertChainPath: o.CommonVerifyOptions.TSACertChainPath,
IgnoreTlog: o.CommonVerifyOptions.IgnoreTlog,
MaxWorkers: o.CommonVerifyOptions.MaxWorkers,
},
}
return v.Exec(cmd.Context(), args)
Expand Down
4 changes: 4 additions & 0 deletions cmd/cosign/cli/options/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ type CommonVerifyOptions struct {
Offline bool // Force offline verification
TSACertChainPath string
IgnoreTlog bool
MaxWorkers int
}

func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
Expand All @@ -36,6 +37,9 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().BoolVar(&o.IgnoreTlog, "insecure-ignore-tlog", false,
"ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts "+
"cannot be publicly verified when not included in a log")

cmd.Flags().IntVar(&o.MaxWorkers, "max-workers", 10,
"the amount of maximum workers for parallel executions")
}

// VerifyOptions is the top level wrapper for the `verify` command.
Expand Down
2 changes: 2 additions & 0 deletions cmd/cosign/cli/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,7 @@ against the transparency log.`,
Offline: o.CommonVerifyOptions.Offline,
TSACertChainPath: o.CommonVerifyOptions.TSACertChainPath,
IgnoreTlog: o.CommonVerifyOptions.IgnoreTlog,
MaxWorkers: o.CommonVerifyOptions.MaxWorkers,
}

if o.Registry.AllowInsecure {
Expand Down Expand Up @@ -220,6 +221,7 @@ against the transparency log.`,
Offline: o.CommonVerifyOptions.Offline,
TSACertChainPath: o.CommonVerifyOptions.TSACertChainPath,
IgnoreTlog: o.CommonVerifyOptions.IgnoreTlog,
MaxWorkers: o.CommonVerifyOptions.MaxWorkers,
}

ctx := cmd.Context()
Expand Down
2 changes: 2 additions & 0 deletions cmd/cosign/cli/verify/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ type VerifyCommand struct {
Offline bool
TSACertChainPath string
IgnoreTlog bool
MaxWorkers int
}

// Exec runs the verification command
Expand Down Expand Up @@ -125,6 +126,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
Identities: identities,
Offline: c.Offline,
IgnoreTlog: c.IgnoreTlog,
MaxWorkers: c.MaxWorkers,
}
if c.CheckClaims {
co.ClaimVerifier = cosign.SimpleClaimVerifier
Expand Down
2 changes: 2 additions & 0 deletions cmd/cosign/cli/verify/verify_attestation.go
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ type VerifyAttestationCommand struct {
Offline bool
TSACertChainPath string
IgnoreTlog bool
MaxWorkers int
}

// Exec runs the verification command
Expand Down Expand Up @@ -104,6 +105,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
Identities: identities,
Offline: c.Offline,
IgnoreTlog: c.IgnoreTlog,
MaxWorkers: c.MaxWorkers,
}
if c.CheckClaims {
co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier
Expand Down
1 change: 1 addition & 0 deletions doc/cosign_dockerfile_verify.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_manifest_verify.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_verify-attestation.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_verify-blob-attestation.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_verify-blob.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_verify.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

25 changes: 13 additions & 12 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ require (
github.com/mitchellh/go-wordwrap v1.0.1
github.com/moby/term v0.5.0
github.com/mozillazg/docker-credential-acr-helper v0.3.0
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481
github.com/open-policy-agent/opa v0.52.0
github.com/pkg/errors v0.9.1
github.com/secure-systems-lab/go-securesystemslib v0.6.0
Expand All @@ -52,9 +53,9 @@ require (
golang.org/x/sync v0.3.0
golang.org/x/term v0.9.0
google.golang.org/api v0.128.0
k8s.io/api v0.26.6
k8s.io/apimachinery v0.26.6
k8s.io/client-go v0.26.6
k8s.io/api v0.27.3
k8s.io/apimachinery v0.27.3
k8s.io/client-go v0.27.3
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
sigs.k8s.io/release-utils v0.7.4
)
Expand Down Expand Up @@ -84,7 +85,7 @@ require (
github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
Expand Down Expand Up @@ -145,8 +146,8 @@ require (
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.21.4 // indirect
github.com/go-openapi/errors v0.20.3 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.20.0 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.1 // indirect
github.com/go-openapi/loads v0.21.2 // indirect
github.com/go-openapi/spec v0.20.9 // indirect
github.com/go-openapi/validate v0.22.1 // indirect
Expand Down Expand Up @@ -178,7 +179,7 @@ require (
github.com/hashicorp/go-sockaddr v1.0.2 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hashicorp/vault/api v1.9.2 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
github.com/jellydator/ttlcache/v3 v3.0.1 // indirect
Expand Down Expand Up @@ -211,14 +212,14 @@ require (
github.com/prometheus/common v0.42.0 // indirect
github.com/prometheus/procfs v0.9.0 // indirect
github.com/protocolbuffers/txtpbfmt v0.0.0-20220428173112-74888fd59c2b // indirect
github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/rs/cors v1.9.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/segmentio/ksuid v1.0.4 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
github.com/spf13/afero v1.9.5 // indirect
github.com/spf13/cast v1.5.1 // indirect
Expand All @@ -244,12 +245,12 @@ require (
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.24.0 // indirect
golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
golang.org/x/mod v0.10.0 // indirect
golang.org/x/mod v0.11.0 // indirect
golang.org/x/net v0.11.0 // indirect
golang.org/x/sys v0.9.0 // indirect
golang.org/x/text v0.10.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.8.0 // indirect
golang.org/x/tools v0.9.3 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect
Expand All @@ -262,7 +263,7 @@ require (
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
Expand Down
Loading

0 comments on commit e8de9d6

Please sign in to comment.