[env_op_images] Add CRI-O pull verification to pulled-images report

Cross-reference the pulled-images report with CRI-O journal logs
from cluster nodes to confirm which images were actually pulled by
the container runtime. Runs automatically when kubeconfig is defined,
same as the pulled-images report itself.

Co-authored-by: Cursor <cursor@cursor.com>

Signed-off-by: nemarjan <nemarjan@redhat.com>

Author: nemarjan

plugins/modules/verify_pulled_report_crio.py

@@ -1,19 +1,7 @@
 #!/usr/bin/python
 
-# Copyright Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
+# Copyright: (c) 2026, Nemanja Marjanovic <nemarjan@redhat.com>
+# Apache License Version 2.0 (see LICENSE)
 
 from __future__ import absolute_import, division, print_function
 
@@ -27,7 +15,7 @@
 
 description:
   - Reads the YAML produced by the env_op_images pulled-images report role task.
-  - Parses CRI-O journal lines for C(msg="Pulled image: ...@sha256:...").
+  - "Parses CRI-O journal lines for C(msg=\"Pulled image: ...@sha256:...\")."
   - Adds per-row verification fields using trusted mirror domains from
     C(summary.mirror_rules).
 
@@ -60,7 +48,7 @@
     type: str
 
 author:
-  - Red Hat
+  - "Nemanja Marjanovic (@nemarjan)"
 
 notes:
   - Requires PyYAML on the controller (same as other cifmw.general modules).
@@ -78,16 +66,20 @@
 changed:
   description: Whether the output file was written.
   type: bool
+  returned: always
 trusted_mirrors:
   description: Hostnames extracted from mirror rules in the report summary.
   type: list
   elements: str
+  returned: always
 log_files:
   description: Number of log files read.
   type: int
+  returned: always
 entries_with_digest:
   description: Image rows that had a sha256 digest in C(image_id).
   type: int
+  returned: always
 """
 
 import glob
@@ -186,7 +178,9 @@ def run_module():
             actual_uri = log_evidence[img_sha]
             actual_domain = actual_uri.split("/")[0].strip()
             is_mirror_domain = actual_domain in trusted_mirrors
-            img["node_verified_image_origin"] = "mirror" if is_mirror_domain else "source"
+            img["node_verified_image_origin"] = (
+                "mirror" if is_mirror_domain else "source"
+            )
             img["log_evidence_uri"] = actual_uri
             expected_domain = img.get("expected_pull_location") or ""
             img["verification_status"] = (

tests/sanity/ignore.txt

@@ -5,3 +5,4 @@ plugins/modules/tempest_list_skipped.py validate-modules:missing-gplv3-license #
 plugins/modules/cephx_key.py validate-modules:missing-gplv3-license # ignore license check
 plugins/modules/krb_request.py validate-modules:missing-gplv3-license # ignore license check
 plugins/modules/pem_read.py validate-modules:missing-gplv3-license # ignore license check
+plugins/modules/verify_pulled_report_crio.py validate-modules:missing-gplv3-license # ignore license check