send image digests with reporting info (#306)

* create a listener that watches pods created by the helm chart and extracts their images

* send all images from all tracked namespaces

* move image sha storage/list/etc logic to store

* ensure pod handler makes requests as expected

* parse images list in replicated helm values

* only persist/report image shas that match the image list

* use releaseImages not images

* various fixes

* unit test fix

* better naming, deployment image diversity

* get list of images after CI run

* api endpoint F

* use replicated CLI instead

* log URL

* fix url

* look for correct image names, expect non-app image alpine/curl to not be present

* add app and config files to test chart

* skip unit and pact tests

* add replicated chart file

* print expected images

* fix path in images

* normalize images before filtering them

* reenable unit and pact tests

* make mock

Author: laverya

chart/templates/_helpers.tpl

@@ -94,6 +94,21 @@ License Fields
   {{- end -}}
 {{- end -}}
 
+{{/*
+Release Images
+Looks up list of images from values provided by the parent app/release. Supports both
+global.replicated.releaseImages and replicated.releaseImages locations.
+*/}}
+{{- define "replicated.releaseImages" -}}
+  {{- if and .Values.global .Values.global.replicated .Values.global.replicated.releaseImages -}}
+    {{- .Values.global.replicated.releaseImages | toYaml -}}
+  {{- else if and .Values.replicated .Values.replicated.releaseImages -}}
+    {{- .Values.replicated.releaseImages | toYaml -}}
+  {{- else if .Values.releaseImages -}}
+    {{- .Values.releaseImages | toYaml -}}
+  {{- end -}}
+{{- end -}}
+
 {{/*
 Detect if we're running on OpenShift
 */}}

chart/templates/replicated-role.yaml

@@ -71,6 +71,8 @@ rules:
   - "pods"
   verbs:
   - "get"
+  - "list"
+  - "watch"
 # the SDK secret is required by default (to determine if integration test mode is enabled)
 - apiGroups:
   - ""

chart/templates/replicated-secret.yaml

@@ -30,6 +30,12 @@ stringData:
       {{- .Values.releaseNotes | default "" | nindent 6 }}
     versionLabel: {{ .Values.versionLabel | default "" | quote }}
     replicatedAppEndpoint: {{ include "replicated.appEndpoint" . | quote }}
+    {{- /* Optionally include release images if provided by parent values */}}
+    {{- $releaseImages := include "replicated.releaseImages" . -}}
+    {{- if $releaseImages }}
+    releaseImages:
+      {{- $releaseImages | nindent 6 }}
+    {{- end }}
     {{- if .Values.statusInformers }}
     statusInformers:
       {{- .Values.statusInformers | toYaml | nindent 6 }}

chart/values.yaml

@@ -286,6 +286,7 @@ versionLabel: ""
 parentChartURL: ""
 statusInformers: null
 replicatedAppEndpoint: ""
+releaseImages: []
 
 # Domain for the Replicated App Service - takes precedence over replicatedAppEndpoint if set
 # If not specified, the default domain "replicated.app" will be used

cmd/replicated/api.go

@@ -70,6 +70,7 @@ func APICmd() *cobra.Command {
 				ReleaseNotes:          replicatedConfig.ReleaseNotes,
 				VersionLabel:          replicatedConfig.VersionLabel,
 				ReplicatedAppEndpoint: replicatedConfig.ReplicatedAppEndpoint,
+				ReleaseImages:         replicatedConfig.ReleaseImages,
 				StatusInformers:       replicatedConfig.StatusInformers,
 				ReplicatedID:          replicatedConfig.ReplicatedID,
 				AppID:                 replicatedConfig.AppID,

dagger/e2e.go

@@ -21,6 +21,9 @@ func e2e(
 	ctx context.Context,
 	source *dagger.Directory,
 	opServiceAccount *dagger.Secret,
+	appID string,
+	customerID string,
+	sdkImage string,
 	licenseID string,
 	distribution string,
 	version string,
@@ -416,22 +419,22 @@ spec:
 	fmt.Println("SDK logs after minimal RBAC test:")
 	fmt.Println(out)
 
-	// Extract appID from the SDK logs
-	var appID string
+	// Extract instanceAppID from the SDK logs
+	var instanceAppID string
 	lines := strings.Split(out, "\n")
-	appIDRegex := regexp.MustCompile(`appID:\s+([a-f0-9-]+)`)
+	instanceAppIDRegex := regexp.MustCompile(`appID:\s+([a-f0-9-]+)`)
 	for _, line := range lines {
-		if match := appIDRegex.FindStringSubmatch(line); match != nil {
-			appID = match[1]
-			fmt.Printf("Extracted appID: %s\n", appID)
+		if match := instanceAppIDRegex.FindStringSubmatch(line); match != nil {
+			instanceAppID = match[1]
+			fmt.Printf("Extracted instanceAppID: %s\n", instanceAppID)
 			break
 		}
 	}
-	if appID == "" {
-		return fmt.Errorf("appID not found in SDK logs")
+	if instanceAppID == "" {
+		return fmt.Errorf("instanceAppID not found in SDK logs")
 	}
 
-	// make a request to https://api.replicated.com/v1/instance/{appid}/events?pageSize=500
+	// make a request to https://api.replicated.com/v1/instance/{instanceID}/events?pageSize=500
 	tokenPlaintext, err := replicatedServiceAccount.Plaintext(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to get service account token: %w", err)
@@ -446,7 +449,7 @@ spec:
 	}
 
 	// Retry up to 5 times with 30 seconds between attempts
-	err = waitForResourcesReady(ctx, resourceNames, 30, 5*time.Second, tokenPlaintext, appID, distribution)
+	err = waitForResourcesReady(ctx, resourceNames, 30, 5*time.Second, tokenPlaintext, instanceAppID, distribution)
 	if err != nil {
 		return fmt.Errorf("failed to wait for resources to be ready: %w", err)
 	}
@@ -465,12 +468,46 @@ spec:
 		{Kind: "deployment", Name: "second-test-chart"},
 		{Kind: "service", Name: "replicated"},
 	}
-	err = waitForResourcesReady(ctx, newResourceNames, 30, 5*time.Second, tokenPlaintext, appID, distribution)
+	err = waitForResourcesReady(ctx, newResourceNames, 30, 5*time.Second, tokenPlaintext, instanceAppID, distribution)
 	if err != nil {
 		return fmt.Errorf("failed to wait for resources to be ready: %w", err)
 	}
 
 	fmt.Printf("E2E test for distribution %s and version %s passed\n", distribution, version)
+
+	// Validate running images via vendor API
+	// 1. Call vendor API to get running images for this instance
+	imagesSet, err := getRunningImages(ctx, appID, customerID, instanceAppID, tokenPlaintext)
+	if err != nil {
+		return fmt.Errorf("failed to get running images: %w", err)
+	}
+
+	// 2. Validate expected images
+	required := []string{"docker.io/library/nginx:latest", "docker.io/library/nginx:alpine", strings.TrimSpace(sdkImage)}
+	forbidden := []string{"docker.io/alpine/curl:latest"}
+	missing := []string{}
+	for _, img := range required {
+		if img == "" {
+			continue
+		}
+		if _, ok := imagesSet[img]; !ok {
+			missing = append(missing, img)
+		}
+	}
+	if len(missing) > 0 {
+		// Build a small preview of what we saw for debugging
+		seen := make([]string, 0, len(imagesSet))
+		for k := range imagesSet {
+			seen = append(seen, k)
+		}
+		return fmt.Errorf("running images missing expected entries: %v. Seen: %v", missing, seen)
+	}
+	for _, img := range forbidden {
+		if _, ok := imagesSet[img]; ok {
+			return fmt.Errorf("running images contains forbidden entry: %s", img)
+		}
+	}
+
 	return nil
 }
 
@@ -490,8 +527,8 @@ type Event struct {
 	} `json:"meta"`
 }
 
-func getEvents(ctx context.Context, authToken string, appID string) ([]Event, error) {
-	url := fmt.Sprintf("https://api.replicated.com/v1/instance/%s/events?pageSize=500", appID)
+func getEvents(ctx context.Context, authToken string, instanceAppID string) ([]Event, error) {
+	url := fmt.Sprintf("https://api.replicated.com/v1/instance/%s/events?pageSize=500", instanceAppID)
 	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create request: %w", err)
@@ -561,12 +598,12 @@ type Resource struct {
 	Name string
 }
 
-func waitForResourcesReady(ctx context.Context, resources []Resource, maxRetries int, retryInterval time.Duration, authToken string, appID string, distribution string) error {
+func waitForResourcesReady(ctx context.Context, resources []Resource, maxRetries int, retryInterval time.Duration, authToken string, instanceAppID string, distribution string) error {
 
 	for attempt := 1; attempt <= maxRetries; attempt++ {
 		fmt.Printf("Attempt %d/%d: Checking resource states...\n", attempt, maxRetries)
 
-		events, err := getEvents(ctx, authToken, appID)
+		events, err := getEvents(ctx, authToken, instanceAppID)
 		if err != nil {
 			if attempt == maxRetries {
 				return fmt.Errorf("failed to get events after %d attempts: %w", maxRetries, err)
@@ -606,6 +643,53 @@ func waitForResourcesReady(ctx context.Context, resources []Resource, maxRetries
 	return fmt.Errorf("unreachable code")
 }
 
+// getRunningImages calls the vendor API to retrieve running images for the given instance and returns a set of image names.
+func getRunningImages(ctx context.Context, appID string, customerID string, instanceAppID string, authToken string) (map[string]struct{}, error) {
+	url := fmt.Sprintf("https://api.replicated.com/vendor/v3/app/%s/customer/%s/instance/%s/running-images", appID, customerID, instanceAppID)
+
+	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", authToken)
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to make request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("vendor API request failed with status %d: %s", resp.StatusCode, string(body))
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	var response struct {
+		RunningImages map[string][]string `json:"running_images"`
+	}
+	if err := json.Unmarshal(body, &response); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal vendor API response: %w", err)
+	}
+	if len(response.RunningImages) == 0 {
+		return nil, fmt.Errorf("vendor API returned no running_images: %s", string(body))
+	}
+
+	imagesSet := map[string]struct{}{}
+	for name := range response.RunningImages {
+		if name != "" {
+			imagesSet[name] = struct{}{}
+		}
+	}
+	return imagesSet, nil
+}
+
 // upgradeChartAndRestart upgrades the helm chart with the provided arguments and restarts deployments
 func upgradeChartAndRestart(
 	ctx context.Context,
@@ -685,7 +769,7 @@ func upgradeChartAndRestart(
 			[]string{
 				"kubectl", "rollout", "restart", "deploy/test-chart",
 			}))
-	out, err = ctr.Stdout(ctx)
+	_, err = ctr.Stdout(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to restart test-chart deployment: %w", err)
 	}

dagger/replicated.go

@@ -5,6 +5,8 @@ import (
 	"dagger/replicated-sdk/internal/dagger"
 	"encoding/json"
 	"fmt"
+	"regexp"
+	"strings"
 	"time"
 )
 
@@ -58,11 +60,61 @@ func createAppTestRelease(
 	now := time.Now().Format("20060102150405")
 	channelName := fmt.Sprintf("automated-%s", now)
 
+	// create non-chart files for the app
+	replicatedAppFile := dag.File("app.yaml", `
+apiVersion: kots.io/v1beta1
+kind: Application
+metadata:
+  name: replicated-sdk-e2e
+spec:
+  title: Replicated SDK E2E
+  icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubernetes/icon/color/kubernetes-icon-color.png
+`)
+
+	replicatedConfigFile := dag.File("config.yaml", `
+apiVersion: kots.io/v1beta1
+kind: Config
+metadata:
+  name: my-application
+spec:
+  groups:
+    - name: replicated_sdk_e2e
+      title: Replicated SDK E2E
+      description: Configuration for the Replicated SDK E2E
+      items:
+        - name: test_item
+          type: bool
+          default: "0"
+`)
+
+	replicatedHelmFile := dag.File("helm.yaml", `
+apiVersion: kots.io/v1beta2
+kind: HelmChart
+metadata:
+  name: replicated-sdk-e2e
+spec:
+  # chart identifies a matching chart from a .tgz
+  chart:
+    name: test-chart
+    chartVersion: 0.1.0
+  
+  # values are used in the customer environment, as a pre-render step
+  # these values will be supplied to helm template
+  values: {}
+
+  # builder values provide a way to render the chart with all images
+  # and manifests. this is used in replicated to create air gap packages
+  builder: {}
+`)
+
 	ctr := dag.Container().From("replicated/vendor-cli:latest").
 		WithSecretVariable("REPLICATED_API_TOKEN", replicatedServiceAccount).
-		WithMountedFile("/test-chart-0.1.0.tgz", testChartFile).
+		WithMountedFile("/chart/test-chart-0.1.0.tgz", testChartFile).
+		WithMountedFile("/chart/app.yaml", replicatedAppFile).
+		WithMountedFile("/chart/config.yaml", replicatedConfigFile).
+		WithMountedFile("/chart/helm.yaml", replicatedHelmFile).
 		WithExec([]string{"/replicated", "channel", "create", "--app", "replicated-sdk-e2e", "--name", channelName}).
-		WithExec([]string{"/replicated", "release", "create", "--app", "replicated-sdk-e2e", "--version", "0.1.0", "--promote", channelName, "--chart", "/test-chart-0.1.0.tgz"})
+		WithExec([]string{"/replicated", "release", "create", "--app", "replicated-sdk-e2e", "--version", "0.1.0", "--promote", channelName, "--yaml-dir", "/chart"})
 
 	out, err := ctr.Stdout(ctx)
 	if err != nil {
@@ -101,3 +153,44 @@ func createCustomer(
 
 	return replicatedCustomer.ID, replicatedCustomer.InstallationID, nil
 }
+
+// getAppID resolves the application ID for a given app slug via the vendor API
+func getAppID(
+	ctx context.Context,
+	opServiceAccount *dagger.Secret,
+	appSlug string,
+) (string, error) {
+	// Use vendor CLI output from `replicated app ls`
+	replicatedServiceAccount := mustGetSecret(ctx, opServiceAccount, "Replicated", "service_account", VaultDeveloperAutomation)
+	ctr := dag.Container().From("replicated/vendor-cli:latest").
+		WithSecretVariable("REPLICATED_API_TOKEN", replicatedServiceAccount).
+		WithExec([]string{"/replicated", "app", "ls"})
+
+	out, err := ctr.Stdout(ctx)
+	if err != nil {
+		return "", fmt.Errorf("failed to list apps: %w", err)
+	}
+
+	// Parse table rows; columns: ID NAME SLUG SCHEDULER
+	rowRE := regexp.MustCompile(`^\s*-?([A-Za-z0-9._\-]+)\s+.+?\s+([A-Za-z0-9._\-]+)\s+[A-Za-z0-9._\-]+\s*$`)
+	for _, line := range strings.Split(out, "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+		upper := strings.ToUpper(line)
+		if strings.HasPrefix(upper, "ID ") || strings.HasPrefix(upper, "ID\t") {
+			continue
+		}
+		m := rowRE.FindStringSubmatch(line)
+		if len(m) == 0 {
+			continue
+		}
+		id := m[1]
+		slug := m[2]
+		if slug == appSlug {
+			return id, nil
+		}
+	}
+	return "", fmt.Errorf("app with slug %q not found in 'replicated app ls' output", appSlug)
+}

dagger/validate.go

@@ -29,7 +29,8 @@ func (m *ReplicatedSdk) Validate(
 	if err != nil {
 		return err
 	}
-	fmt.Printf("Image pushed to %s/%s:%s\n", imageRegistry, imageRepository, imageTag)
+	sdkImage := fmt.Sprintf("%s/%s:%s", imageRegistry, imageRepository, imageTag)
+	fmt.Printf("Image pushed to %s\n", sdkImage)
 
 	chart, err := buildAndPushChartToTTL(ctx, source, imageRegistry, imageRepository, imageTag)
 	if err != nil {
@@ -48,6 +49,12 @@ func (m *ReplicatedSdk) Validate(
 	}
 	fmt.Println(customerID, licenseID)
 
+	// Resolve app ID for replicated-sdk-e2e (used by vendor API checks)
+	appID, err := getAppID(ctx, opServiceAccount, "replicated-sdk-e2e")
+	if err != nil {
+		return err
+	}
+
 	cmxDistributions, err := listCMXDistributionsAndVersions(ctx, opServiceAccount)
 	if err != nil {
 		return err
@@ -58,7 +65,7 @@ func (m *ReplicatedSdk) Validate(
 		wg.Add(1)
 		go func(distribution DistributionVersion) {
 			defer wg.Done()
-			if err := e2e(ctx, source, opServiceAccount, licenseID, distribution.Distribution, distribution.Version, channelSlug); err != nil {
+			if err := e2e(ctx, source, opServiceAccount, appID, customerID, sdkImage, licenseID, distribution.Distribution, distribution.Version, channelSlug); err != nil {
 				panic(fmt.Sprintf("E2E test failed for distribution %s %s: %v", distribution.Distribution, distribution.Version, err))
 			}
 		}(distribution)