Generate authoritative image BOM via helm template #742

Description

@mchmarny

Parent: #739

Summary

Add a tool/CI job that renders every chart in recipes/registry.yaml at its pinned version, extracts all image: references, and produces a sorted, de-duplicated bill-of-materials per component and as a union across all components.

Motivation

Today, ~19 components delegate sub-image selection to upstream Helm chart defaults. Without rendering, we can't list what's actually deployed. This tool eliminates the guesswork and unblocks downstream work (docs, air-gap mirror lists, provenance audit).

Proposed approach

  • New make bom target (or tools/bom/) that:
    1. Iterates components in recipes/registry.yaml.
    2. Runs helm template <chart> --version <pinned> --values recipes/components/<name>/values.yaml for each.
    3. Greps rendered output for image: lines (plus initContainers, sidecars, common annotations).
    4. Also walks embedded manifests under recipes/components/<name>/manifests/ for image refs.
    5. Emits a structured artifact (JSON + Markdown) with: component → image list; plus a top-level union list.
  • CI job runs the tool on PRs that touch recipes/registry.yaml or recipes/components/** and posts a diff comment.
  • Optional: publish the artifact alongside releases.

Success criteria

  • Running make bom produces a complete, deterministic image list given the current registry.
  • Output includes both pinned and chart-default images.
  • CI surfaces image additions/removals in PRs.
  • Artifact is consumed by the docs page (separate issue) and the mirroring guide (separate issue).

Notes

  • Charts hosted via OCI (oci://) need helm pull + helm template against the local copy.
  • Some charts may require dummy values (CRDs, secrets) to render — handle render failures gracefully and report which components failed.
  • Track image refs that resolve via templating (e.g., {{ .Values.image.repository }}:{{ .Values.image.tag }}) — we want the resolved values, not the templates.
