[env_op_images] Add pulled images report to env_op_images role

Cross-references pod images against ICSP/IDMS mirror rules to report which images have a mirror configured and which pull directly from the original registry.

Co-authored-by: Cursor <cursor@cursor.com>

Signed-off-by: nemarjan <nemarjan@redhat.com>

Author: nemarjan

roles/env_op_images/defaults/main.yml

@@ -21,3 +21,8 @@
 cifmw_env_op_images_dir: "{{ cifmw_basedir }}"
 cifmw_env_op_images_file: operator_images.yaml
 cifmw_env_op_images_dryrun: false
+
+cifmw_env_op_images_pulled_report_file: pulled_images_report.yaml
+cifmw_env_op_images_pulled_report_namespaces:
+  - "{{ cifmw_openstack_namespace | default('openstack') }}"
+  - "{{ operator_namespace | default('openstack-operators') }}"

roles/env_op_images/tasks/main.yml

@@ -155,3 +155,6 @@
         dest: "{{ cifmw_env_op_images_dir }}/artifacts/{{ cifmw_env_op_images_file }}"
         content: "{{ _content | to_nice_yaml }}"
         mode: "0644"
+
+- name: Generate pulled images registry report
+  ansible.builtin.include_tasks: pulled_images_report.yml

roles/env_op_images/tasks/pulled_images_report.yml

@@ -0,0 +1,230 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Pulled-images report (policy view, not node-verified pulls):
+# - Load cluster ImageContentSourcePolicy + ImageDigestMirrorSet objects via oc.
+# - Flatten them into {source, mirror} pairs (repository prefix -> mirror ref).
+# - For each container/initContainer in selected namespaces, compare the pod
+#   status image string to those prefixes: first matching rule yields
+#   expected_pull_basis mirror and expected_pull_location from the mirror host;
+#   otherwise basis source and location from the image ref host.
+# Matching uses image (reference string), not imageID; pod status often keeps
+# the upstream registry name even when the runtime used a mirror.
+
+- name: Report pulled image registries per pod
+  when:
+    - cifmw_openshift_kubeconfig is defined
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  block:
+    - name: Ensure artifacts directory exists
+      ansible.builtin.file:
+        path: "{{ cifmw_env_op_images_dir }}/artifacts"
+        state: directory
+        mode: "0755"
+
+    # Legacy OpenShift mirror CRD; empty or error is OK (parsed as no items).
+    - name: Get ICSP mirror rules
+      ansible.builtin.command:
+        cmd: oc get imagecontentsourcepolicy -o json
+      register: _pulled_report_icsp
+      failed_when: false
+
+    # Preferred / current mirror CRD alongside ICSP.
+    - name: Get IDMS mirror rules
+      ansible.builtin.command:
+        cmd: oc get imagedigestmirrorset -o json
+      register: _pulled_report_idms
+      failed_when: false
+
+    # One flat list of rules for templating: each mirror list entry becomes
+    # its own row so prefix matching can use the same loop for all mirrors.
+    - name: Build source-to-mirror mapping from ICSP/IDMS
+      vars:
+        _icsp_items: >-
+          {{ (_pulled_report_icsp.stdout | default('{}') | from_json).get('items', []) }}
+        _idms_items: >-
+          {{ (_pulled_report_idms.stdout | default('{}') | from_json).get('items', []) }}
+        _mappings: >-
+          {% set maps = [] %}
+          {# ICSP spec.repositoryDigestMirrors: source repo + mirrors[] #}
+          {% for icsp in _icsp_items %}
+          {%   for rdm in icsp.spec.get('repositoryDigestMirrors', []) %}
+          {%     if rdm.source is defined and rdm.source %}
+          {%       for m in rdm.get('mirrors', []) %}
+          {%         set _ = maps.append({'source': rdm.source, 'mirror': m}) %}
+          {%       endfor %}
+          {%     endif %}
+          {%   endfor %}
+          {% endfor %}
+          {# IDMS spec.imageDigestMirrors: same shape for matching purposes #}
+          {% for idms in _idms_items %}
+          {%   for rdm in idms.spec.get('imageDigestMirrors', []) %}
+          {%     if rdm.source is defined and rdm.source %}
+          {%       for m in rdm.get('mirrors', []) %}
+          {%         set _ = maps.append({'source': rdm.source, 'mirror': m}) %}
+          {%       endfor %}
+          {%     endif %}
+          {%   endfor %}
+          {% endfor %}
+          {{ maps }}
+      ansible.builtin.set_fact:
+        _pulled_report_mirror_mappings: "{{ _mappings | trim | from_yaml }}"
+
+    - name: Report ICSP/IDMS mirror rules found
+      when: _pulled_report_mirror_mappings | length > 0
+      ansible.builtin.debug:
+        msg: >-
+          {{ item.source }} -> {{ item.mirror }}
+      loop: "{{ _pulled_report_mirror_mappings }}"
+      loop_control:
+        label: "{{ item.source }}"
+
+    - name: Warn if no ICSP/IDMS mirror rules found
+      when: _pulled_report_mirror_mappings | length == 0
+      ansible.builtin.debug:
+        msg: >-
+          No ICSP or IDMS mirror rules found on the cluster.
+          All rows will have expected_pull_basis: source and expected_pull_location from the image ref.
+
+    # Namespaces come from role default / caller; failed namespaces skip via failed_when: false.
+    - name: Get pods per namespace
+      kubernetes.core.k8s_info:
+        kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
+        api_key: "{{ cifmw_openshift_token | default(omit) }}"
+        context: "{{ cifmw_openshift_context | default(omit) }}"
+        kind: Pod
+        namespace: "{{ item }}"
+      register: _pulled_report_pods
+      loop: "{{ cifmw_env_op_images_pulled_report_namespaces | unique }}"
+      loop_control:
+        label: "{{ item }}"
+      failed_when: false
+
+    # Flatten all loop results, then one report row per container + initContainer.
+    - name: Build per-pod pulled images report
+      vars:
+        _report: >-
+          {% set entries = [] %}
+          {% set all_pods = _pulled_report_pods.results |
+                            map(attribute='resources', default=[]) | flatten %}
+          {% for pod in all_pods %}
+          {%   set pod_labels = pod.metadata.labels | default({}) %}
+          {%   set operator_name = pod_labels.get('openstack.org/operator-name', '') %}
+          {%   set app_label = pod_labels.get('app', pod_labels.get('app.kubernetes.io/name', '')) %}
+          {# Build a single list so regular and init containers share one loop #}
+          {%   set image_statuses = [] %}
+          {%   for cs in pod.status.containerStatuses | default([]) %}
+          {%     set _ = image_statuses.append({'cs': cs, 'type': 'container'}) %}
+          {%   endfor %}
+          {%   for cs in pod.status.initContainerStatuses | default([]) %}
+          {%     set _ = image_statuses.append({'cs': cs, 'type': 'init_container'}) %}
+          {%   endfor %}
+          {%   for entry in image_statuses %}
+          {%     set cs = entry.cs %}
+          {%     set image = cs.image | default('unknown') %}
+          {%     set image_id = cs.imageID | default('') %}
+          {%     set image_repo = image.split('@')[0].split(':')[0] %}
+          {%     set image_name = image_repo.split('/')[-1] %}
+          {# Default: host = first path segment of image ref; basis = source #}
+          {%     set match = namespace(host=image.split('/')[0], expected_pull_basis='source') %}
+          {# First mapping where image startswith source: use mirror registry host #}
+          {%     for m in _pulled_report_mirror_mappings if m.source is defined and m.source and image.startswith(m.source) %}
+          {%       if loop.first %}
+          {%         set match.host = m.mirror.split('/')[0] %}
+          {%         set match.expected_pull_basis = 'mirror' %}
+          {%       endif %}
+          {%     endfor %}
+          {%     set _ = entries.append({
+                   'namespace': pod.metadata.namespace,
+                   'pod': pod.metadata.name,
+                   'container': cs.name,
+                   'container_type': entry.type,
+                   'operator': operator_name if operator_name else 'N/A',
+                   'app': app_label if app_label else image_name,
+                   'image': image,
+                   'image_id': image_id,
+                   'expected_pull_location': match.host,
+                   'expected_pull_basis': match.expected_pull_basis
+                 }) %}
+          {%   endfor %}
+          {% endfor %}
+          {{ entries }}
+      ansible.builtin.set_fact:
+        _pulled_images_report: "{{ _report | trim | from_yaml }}"
+
+    # Counts for the YAML artifact summary section.
+    - name: Build report summary
+      vars:
+        _total: "{{ _pulled_images_report | length }}"
+        _basis_mirror: >-
+          {{ _pulled_images_report |
+             selectattr('expected_pull_basis', 'equalto', 'mirror') | list | length }}
+        _basis_source: >-
+          {{ _pulled_images_report |
+             selectattr('expected_pull_basis', 'equalto', 'source') | list | length }}
+        _mirror_rules: "{{ _pulled_report_mirror_mappings | length }}"
+      ansible.builtin.set_fact:
+        _pulled_report_summary:
+          mirror_rules_found: "{{ _mirror_rules | int }}"
+          mirror_rules: "{{ _pulled_report_mirror_mappings }}"
+          total_containers: "{{ _total | int }}"
+          containers_expected_basis_source: "{{ _basis_source | int }}"
+          containers_expected_basis_mirror: "{{ _basis_mirror | int }}"
+
+    - name: Save pulled images report to artifacts
+      vars:
+        _full_report:
+          summary: "{{ _pulled_report_summary }}"
+          images: "{{ _pulled_images_report }}"
+      ansible.builtin.copy:
+        dest: >-
+          {{
+            (cifmw_env_op_images_dir, 'artifacts',
+             cifmw_env_op_images_pulled_report_file) | path_join
+          }}
+        content: "{{ _full_report | to_nice_yaml }}"
+        mode: "0644"
+
+    # Console visibility: split rows by how ICSP/IDMS classification turned out.
+    - name: Images with expected_pull_basis source
+      ansible.builtin.debug:
+        msg: >-
+          [{{ item.app }}] {{ item.image }} ->
+          expected pull location {{ item.expected_pull_location }}
+          ({{ item.container_type }}: {{ item.container }}
+          | operator: {{ item.operator }}
+          | pod: {{ item.namespace }}/{{ item.pod }})
+      loop: >-
+        {{ _pulled_images_report |
+           selectattr('expected_pull_basis', 'equalto', 'source') | list }}
+      loop_control:
+        label: "{{ item.app }}/{{ item.container }}"
+
+    - name: Images with expected_pull_basis mirror
+      ansible.builtin.debug:
+        msg: >-
+          [{{ item.app }}] {{ item.image }} ->
+          expected pull location {{ item.expected_pull_location }}
+          ({{ item.container_type }}: {{ item.container }}
+          | operator: {{ item.operator }}
+          | pod: {{ item.namespace }}/{{ item.pod }})
+      loop: >-
+        {{ _pulled_images_report |
+           selectattr('expected_pull_basis', 'equalto', 'mirror') | list }}
+      loop_control:
+        label: "{{ item.app }}/{{ item.container }}"