feat(license-validation): add application example with custom field consumption and signature validation #138

Draft
kriscoleman wants to merge 9 commits into main from kriscoleman/license-validation-app

@kriscoleman
Member

Summary

New example application demonstrating the full lifecycle of consuming custom Replicated license fields and validating their cryptographic signatures:

  • Go web dashboard consuming edition tier and seat_count entitlements from the Replicated SDK
  • RSA-PSS/SHA-256 signature validation on each license field to detect tampering
  • Observable behavioral enforcement: UI theme changes by edition, features gate by tier, seat usage meter with warnings, and feature lockdown on invalid signatures
  • Complete Helm chart with Replicated SDK subchart, KOTS integration, preflight checks, and support bundles
  • Comprehensive README with 10-step demo walkthrough using Vendor Portal and Compatibility Matrix

Test Plan

  • Review app code (app/main.go) for signature validation logic and license field handling
  • Verify Helm chart lints and templates render correctly
  • Follow README demo walkthrough: set up custom license fields, create release, deploy to CMX cluster, observe theme/feature changes as license fields change
  • Test signature validation by changing app public key in KOTS config and verify features lock
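
The per-field check named in the summary above, as an added Go example that is not the PR's app/main.go. The field shape, signing over the raw field value, and the throwaway key are assumptions, and treating a missing public key as a failed check is this example's choice.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Field struct {
	Name, Value string // assumed shape: field value plus its detached signature
	Sig         []byte
}

// VerifyField returns nil only for a valid RSA-PSS/SHA-256 signature over Value.
func VerifyField(pub *rsa.PublicKey, f Field) error {
	if pub == nil { // a missing key is a failure, not a reason to skip the check
		return fmt.Errorf("field %q: no public key configured", f.Name)
	}
	digest := sha256.Sum256([]byte(f.Value))
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], f.Sig, nil)
}

// FeaturesUnlocked fails closed: every field must verify, and there must be one.
func FeaturesUnlocked(pub *rsa.PublicKey, fields []Field) bool {
	for _, f := range fields {
		if VerifyField(pub, f) != nil {
			return false
		}
	}
	return len(fields) > 0
}

// SignForDemo stands in for the issuer: throwaway key, constructed sample value.
func SignForDemo(name, value string) (*rsa.PublicKey, Field, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, Field{}, err
	}
	digest := sha256.Sum256([]byte(value))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	return &priv.PublicKey, Field{Name: name, Value: value, Sig: sig}, err
}

func main() {
	pub, seats, _ := SignForDemo("seat_count", "10")
	forged := Field{Name: "seat_count", Value: "10000", Sig: seats.Sig} // value edited, signature reused
	fmt.Println("genuine, forged, no key:", FeaturesUnlocked(pub, []Field{seats}), FeaturesUnlocked(pub, []Field{forged}), FeaturesUnlocked(nil, []Field{seats}))
}
```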

@adamancini
Member

closes #85

kriscoleman and others added 4 commits March 31, 2026 14:32
…m license field consumption and signature validation

This new example application showcases the full lifecycle of custom Replicated license field consumption and cryptographic validation:

- A Go web dashboard that consumes edition tier (community/trial/enterprise) and seat_count entitlements from the Replicated SDK
- Cryptographic signature validation (RSA-PSS/SHA-256) on each license field to detect tampering
- Observable behavioral enforcement: UI theme changes by edition tier, features gate by license tier, seat usage meter with color-coded warnings, and complete feature lockdown on invalid signatures or expired licenses
- Full Helm chart with Replicated SDK subchart dependency, KOTS integration, preflight checks, and support bundles
- Comprehensive README with demo walkthrough using Replicated Vendor Portal and Compatibility Matrix clusters
- Dockerfile and Taskfile for easy build and release automation

Follows the monolithic pattern established by storagebox and mlflow with the four-way contract: development-values ↔ kots-config ↔ HelmChart CR ↔ chart values.

Closes #3

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…through + add CI workflow

- Switch image from ghcr.io to ttl.sh for demo accessibility
- Disable minimal RBAC to fix preflight check permissions
- Fix README: correct vendor portal paths, kubeconfig CLI syntax, add license download step, add /unstable channel to KOTS install
- Add sbom/ to .gitignore
- Add GitHub Actions CI workflow (lint, build, Helm install test, KOTS install test, cleanup)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…tform CI

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jmboby
Member

jmboby commented Apr 1, 2026

The license-validation Pod can't reach the Replicated SDK service due to DNS

2026/04/01 03:52:09 WARNING: REPLICATED_APP_PUBLIC_KEY not set - signature validation disabled
2026/04/01 03:52:09 License Validation app listening on :8080
2026/04/01 03:52:09 SDK error (license/info): Get "http://license-validation-replicated:3000/api/v1/license/info": dial tcp: lookup license-validation-replicated on 10.43.0.10:53: no such host
2026/04/01 03:52:39 SDK error (license/info): Get "http://license-validation-replicated:3000/api/v1/license/info": dial tcp: lookup license-validation-replicated on 10.43.0.10:53: no such host
# Checking services:
k get svc -n license-validation
NAME                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
license-validation   ClusterIP   10.43.199.70   <none>        80/TCP     21m
replicated           ClusterIP   10.43.34.106   <none>        3000/TCP   21m

#This resolves fine within the Pod:

nslookup replicated.license-validation.svc.cluster.local
Server:         10.43.0.10
Address:        10.43.0.10:53

Name:   replicated.license-validation.svc.cluster.local
Address: 10.43.34.106

But not license-validation-replicated, we need to change this in your Go app?

adamancini and others added 2 commits April 1, 2026 15:21
- Change default SDK address from http://license-validation-replicated:3000
  to http://replicated:3000 to match the actual service name deployed by
  the Replicated SDK subchart
- Add --platform linux/amd64,linux/arm64 to docker build command so the
  image runs on CMX K3s clusters when built on Apple Silicon
@adamancini adamancini enabled auto-merge (squash) April 1, 2026 19:22
@kriscoleman kriscoleman marked this pull request as draft April 1, 2026 20:05
auto-merge was automatically disabled April 1, 2026 20:05

Pull request was converted to draft

@kriscoleman
Member Author

looks like I need to circle back to this one, going to keep this in draft mode until it's ready

@kriscoleman
Member Author

@jmboby gave me some great feedback:

The current docker:build target doesn't include the ttl.sh container registry, so that would only work for local dev, does it make sense to include the registry as a var and include this in the build?

I realise it's after hours for you so no need to reply but I'm thinking this Helm helper is redundant since the replicated SDK service name is always 'replicated' regardless of your helm release name? Happy to be wrong however

{{/*
Replicated SDK address - auto-detect from release name if not explicitly set.
*/}}
{{- define "license-validation.sdkAddress" -}}
{{- if .Values.replicatedSDKAddress }}
{{- .Values.replicatedSDKAddress }}
{{- else }}
{{- printf "http://%s-replicated:3000" .Release.Name }}
{{- end }}
{{- end }}
