feat: using image digest in deployment (#4515)

* wip: pull image using digest support

* api spec for saving digest enforcement config

* wip

* adding get api for digest config

* wip

* policy save and use code

* removing unused code

* dev testing fixes

* refactoring transaction

* imageDigest service name change

* fixing json nam

* removing hard coded config

* removing unnecessary space

* marking images superseded and duplicate flag

* marking image superseded - dev testing changes

* adding in precd-postcd

* wip

* wip

* digest support in app clone

* updating cd-pipeline api

* removing superseded code

* refactoring policy configuration code

* refactoring

* wip

* refactoring

* pr review changes

* removing unused method

* metadata in logs

* refactoring and code cleanuo

* migration script refactoring

* migration script refactoring

* wip: fixing create flow id

* wip

* wire fix

* wip

* wip

---------

Co-authored-by: Ash-exp <[email protected]>

Author: iamayushm

Wire.go

@@ -107,6 +107,7 @@ import (
 	"github.com/devtron-labs/devtron/pkg/generateManifest"
 	"github.com/devtron-labs/devtron/pkg/git"
 	"github.com/devtron-labs/devtron/pkg/gitops"
+	"github.com/devtron-labs/devtron/pkg/imageDigestPolicy"
 	"github.com/devtron-labs/devtron/pkg/kubernetesResourceAuditLogs"
 	repository7 "github.com/devtron-labs/devtron/pkg/kubernetesResourceAuditLogs/repository"
 	"github.com/devtron-labs/devtron/pkg/notifier"
@@ -942,6 +943,9 @@ func InitializeApp() (*App, error) {
 		pipeline.NewPipelineConfigListenerServiceImpl,
 		wire.Bind(new(pipeline.PipelineConfigListenerService), new(*pipeline.PipelineConfigListenerServiceImpl)),
 		cron2.NewCronLoggerImpl,
+
+		imageDigestPolicy.NewImageDigestPolicyServiceImpl,
+		wire.Bind(new(imageDigestPolicy.ImageDigestPolicyService), new(*imageDigestPolicy.ImageDigestPolicyServiceImpl)),
 	)
 	return &App{}, nil
 }

cmd/external-app/wire_gen.go

@@ -1021,6 +1021,7 @@ func (impl *AppCloneServiceImpl) CreateCdPipeline(req *cloneCdPipelineRequest, c
 		SourceToNewPipelineId:         refCdPipeline.SourceToNewPipelineId,
 		RefPipelineId:                 refCdPipeline.Id,
 		ParentPipelineType:            refCdPipeline.ParentPipelineType,
+		IsDigestEnforcedForPipeline:   refCdPipeline.IsDigestEnforcedForPipeline,
 	}
 	if refCdPipeline.ParentPipelineType == "WEBHOOK" {
 		cdPipeline.CiPipelineId = 0

pkg/appClone/AppCloneService.go

@@ -590,6 +590,8 @@ type CDPipelineConfigObject struct {
 	SwitchFromCiPipelineId        int                                    `json:"switchFromCiPipelineId"`
 	CDPipelineAddType             CDPipelineAddType                      `json:"addType"`
 	ChildPipelineId               int                                    `json:"childPipelineId"`
+	IsDigestEnforcedForPipeline   bool                                   `json:"isDigestEnforcedForPipeline"`
+	IsDigestEnforcedForEnv        bool                                   `json:"isDigestEnforcedForEnv"`
 }
 
 type CDPipelineAddType string

pkg/bean/app.go

@@ -53,6 +53,7 @@ type EnvironmentBean struct {
 	AppCount               int      `json:"appCount"`
 	IsVirtualEnvironment   bool     `json:"isVirtualEnvironment"`
 	AllowedDeploymentTypes []string `json:"allowedDeploymentTypes"`
+	IsDigestEnforcedForEnv bool     `json:"isDigestEnforcedForEnv"`
 }
 
 type EnvDto struct {

pkg/cluster/EnvironmentService.go

@@ -11,6 +11,7 @@ const (
 	DEVTRON_RESOURCE_SEARCHABLE_KEY_APP_ID                     DevtronResourceSearchableKeyName = "APP_ID"
 	DEVTRON_RESOURCE_SEARCHABLE_KEY_ENV_ID                     DevtronResourceSearchableKeyName = "ENV_ID"
 	DEVTRON_RESOURCE_SEARCHABLE_KEY_CLUSTER_ID                 DevtronResourceSearchableKeyName = "CLUSTER_ID"
+	DEVTRON_RESOURCE_SEARCHABLE_KEY_PIPELINE_ID                DevtronResourceSearchableKeyName = "PIPELINE_ID"
 )
 
 func (n DevtronResourceSearchableKeyName) ToString() string {

pkg/devtronResource/bean/bean.go

@@ -0,0 +1,48 @@
+package imageDigestPolicy
+
+import (
+	"github.com/devtron-labs/devtron/pkg/resourceQualifiers"
+	"github.com/devtron-labs/devtron/pkg/sql"
+	"time"
+)
+
+func QualifierMappingDao(qualifierId, identifierKey, IdentifierValueInt int, identifierValueName string, userId int32) *resourceQualifiers.QualifierMapping {
+	return &resourceQualifiers.QualifierMapping{
+		ResourceId:            resourceQualifiers.ImageDigestResourceId,
+		ResourceType:          resourceQualifiers.ImageDigest,
+		QualifierId:           qualifierId,
+		IdentifierKey:         identifierKey,
+		IdentifierValueInt:    IdentifierValueInt,
+		IdentifierValueString: identifierValueName,
+		Active:                true,
+		AuditLog: sql.AuditLog{
+			CreatedOn: time.Now(),
+			CreatedBy: userId,
+			UpdatedOn: time.Now(),
+			UpdatedBy: userId,
+		},
+	}
+}
+
+type DigestPolicyConfigurationRequest struct {
+	PipelineId    int
+	ClusterId     int
+	EnvironmentId int
+}
+
+func (request DigestPolicyConfigurationRequest) getQualifierMappingScope() *resourceQualifiers.Scope {
+	return &resourceQualifiers.Scope{
+		EnvId:      request.EnvironmentId,
+		ClusterId:  request.ClusterId,
+		PipelineId: request.PipelineId,
+	}
+}
+
+type DigestPolicyConfigurationResponse struct {
+	DigestConfiguredForPipeline     bool
+	DigestConfiguredForEnvOrCluster bool
+}
+
+func (config DigestPolicyConfigurationResponse) UseDigestForTrigger() bool {
+	return config.DigestConfiguredForPipeline
+}

pkg/imageDigestPolicy/bean.go

@@ -0,0 +1,131 @@
+package imageDigestPolicy
+
+import (
+	"github.com/devtron-labs/devtron/pkg/devtronResource"
+	"github.com/devtron-labs/devtron/pkg/devtronResource/bean"
+	"github.com/devtron-labs/devtron/pkg/resourceQualifiers"
+	"github.com/devtron-labs/devtron/pkg/sql"
+	"github.com/go-pg/pg"
+	"go.uber.org/zap"
+	"time"
+)
+
+type ImageDigestPolicyService interface {
+
+	//CreatePolicyForPipeline creates image digest policy for pipeline
+	CreatePolicyForPipeline(tx *pg.Tx, pipelineId int, pipelineName string, UserId int32) (int, error)
+
+	//CreatePolicyForPipelineIfNotExist creates image digest policy for pipeline if not already created
+	CreatePolicyForPipelineIfNotExist(tx *pg.Tx, pipelineId int, pipelineName string, UserId int32) (int, error)
+
+	//GetDigestPolicyConfigurations returns true if pipeline or env or cluster has image digest policy enabled
+	GetDigestPolicyConfigurations(digestConfigurationRequest DigestPolicyConfigurationRequest) (digestPolicyConfiguration DigestPolicyConfigurationResponse, err error)
+
+	//DeletePolicyForPipeline deletes image digest policy for a pipeline
+	DeletePolicyForPipeline(tx *pg.Tx, pipelineId int, userId int32) (int, error)
+}
+
+type ImageDigestPolicyServiceImpl struct {
+	logger                       *zap.SugaredLogger
+	qualifierMappingService      resourceQualifiers.QualifierMappingService
+	devtronResourceSearchableKey devtronResource.DevtronResourceSearchableKeyService
+}
+
+func NewImageDigestPolicyServiceImpl(
+	logger *zap.SugaredLogger,
+	qualifierMappingService resourceQualifiers.QualifierMappingService,
+	devtronResourceSearchableKey devtronResource.DevtronResourceSearchableKeyService,
+) *ImageDigestPolicyServiceImpl {
+	return &ImageDigestPolicyServiceImpl{
+		logger:                       logger,
+		qualifierMappingService:      qualifierMappingService,
+		devtronResourceSearchableKey: devtronResourceSearchableKey,
+	}
+}
+
+func (impl ImageDigestPolicyServiceImpl) CreatePolicyForPipeline(tx *pg.Tx, pipelineId int, pipelineName string, UserId int32) (int, error) {
+
+	var qualifierMappingId int
+
+	devtronResourceSearchableKeyMap := impl.devtronResourceSearchableKey.GetAllSearchableKeyNameIdMap()
+
+	identifierKey := devtronResourceSearchableKeyMap[bean.DEVTRON_RESOURCE_SEARCHABLE_KEY_PIPELINE_ID]
+	identifierValue := pipelineId
+	qualifierMapping := QualifierMappingDao(int(resourceQualifiers.PIPELINE_QUALIFIER), identifierKey, identifierValue, pipelineName, UserId)
+	_, err := impl.qualifierMappingService.CreateQualifierMappings([]*resourceQualifiers.QualifierMapping{qualifierMapping}, tx)
+	if err != nil {
+		impl.logger.Errorw("error in creating image digest policy for pipeline", "err", err, "pipelineId", pipelineId)
+		return qualifierMapping.Id, err
+	}
+	qualifierMappingId = qualifierMapping.Id
+
+	return qualifierMappingId, nil
+}
+
+func (impl ImageDigestPolicyServiceImpl) CreatePolicyForPipelineIfNotExist(tx *pg.Tx, pipelineId int, pipelineName string, UserId int32) (int, error) {
+
+	var qualifierMappingId int
+
+	policyConfigurationRequest := DigestPolicyConfigurationRequest{PipelineId: pipelineId}
+	digestPolicyConfigurations, err := impl.GetDigestPolicyConfigurations(policyConfigurationRequest)
+	if err != nil {
+		impl.logger.Errorw("Error in checking if isDigestPolicyConfiguredForPipeline", "err", err, "pipelineId", pipelineId)
+		return 0, err
+	}
+
+	if !digestPolicyConfigurations.DigestConfiguredForPipeline {
+		qualifierMappingId, err = impl.CreatePolicyForPipeline(tx, pipelineId, pipelineName, UserId)
+		if err != nil {
+			impl.logger.Errorw("error in creating policy for pipeline", "err", "pipelineId", pipelineId)
+			return qualifierMappingId, nil
+		}
+	}
+	return qualifierMappingId, nil
+}
+
+func (impl ImageDigestPolicyServiceImpl) GetDigestPolicyConfigurations(digestConfigurationRequest DigestPolicyConfigurationRequest) (digestPolicyConfiguration DigestPolicyConfigurationResponse, err error) {
+
+	resourceIds := []int{resourceQualifiers.ImageDigestResourceId}
+
+	scope := digestConfigurationRequest.getQualifierMappingScope()
+
+	policyMappings, err := impl.qualifierMappingService.GetQualifierMappings(resourceQualifiers.ImageDigest, scope, resourceIds)
+	if err != nil && err != pg.ErrNoRows {
+		return digestPolicyConfiguration, err
+	}
+	if err == pg.ErrNoRows || len(policyMappings) == 0 {
+		return digestPolicyConfiguration, nil
+	}
+
+	devtronResourceSearchableKeyMap := impl.devtronResourceSearchableKey.GetAllSearchableKeyNameIdMap()
+	clusterIdentifierKey := devtronResourceSearchableKeyMap[bean.DEVTRON_RESOURCE_SEARCHABLE_KEY_CLUSTER_ID]
+	envIdentifierKey := devtronResourceSearchableKeyMap[bean.DEVTRON_RESOURCE_SEARCHABLE_KEY_ENV_ID]
+	pipelineIdentifierKey := devtronResourceSearchableKeyMap[bean.DEVTRON_RESOURCE_SEARCHABLE_KEY_PIPELINE_ID]
+
+	for _, policy := range policyMappings {
+		switch policy.IdentifierKey {
+		case clusterIdentifierKey, envIdentifierKey:
+			digestPolicyConfiguration.DigestConfiguredForEnvOrCluster = true
+		case pipelineIdentifierKey:
+			digestPolicyConfiguration.DigestConfiguredForPipeline = true
+		}
+	}
+
+	return digestPolicyConfiguration, nil
+}
+
+func (impl ImageDigestPolicyServiceImpl) DeletePolicyForPipeline(tx *pg.Tx, pipelineId int, userId int32) (int, error) {
+	auditLog := sql.AuditLog{
+		CreatedOn: time.Now(),
+		CreatedBy: userId,
+		UpdatedOn: time.Now(),
+		UpdatedBy: userId,
+	}
+	devtronResourceSearchableKeyMap := impl.devtronResourceSearchableKey.GetAllSearchableKeyNameIdMap()
+	err := impl.qualifierMappingService.DeleteByIdentifierKeyValue(resourceQualifiers.ImageDigest, devtronResourceSearchableKeyMap[bean.DEVTRON_RESOURCE_SEARCHABLE_KEY_PIPELINE_ID], pipelineId, auditLog, tx)
+	if err != nil {
+		impl.logger.Errorw("error in deleting image digest policy for pipeline", "err", err, "pipelineId", pipelineId)
+		return pipelineId, err
+	}
+	return pipelineId, nil
+}