fix: handle multi-architecture images in registry lookup #631
Merged
csatib02 merged 1 commit into bank-vaults:main from Feb 10, 2025
fbb3a79 to e861db9
The webhook was failing when trying to inspect images that only had arm64 variants available, as it defaulted to looking up amd64 images first. This was problematic because the webhook runs before pod scheduling, so we don't yet know which architecture the pod will run on.

The fix modifies the image lookup logic to take the first available image manifest from the registry's manifest list, regardless of architecture. This works because the core image configuration (entrypoint, env vars, etc.) that we need to inspect is typically identical across architectures.

Signed-off-by: Nils Mueller <20240901+Tolsto@users.noreply.github.com>
e861db9 to e096cc0
csatib02 (Member) approved these changes Feb 2, 2025
LGTM! Thanks for the contribution!
Could you please open a PR in the new Webhook's repo too? https://github.com/bank-vaults/secrets-webhook
The webhook was failing when trying to inspect images that only had arm64 variants available, as it defaulted to looking up amd64 images first. This was problematic because the webhook runs before pod scheduling, so we don't yet know which architecture the pod will run on.
The fix modifies the image lookup logic to take the first available image manifest from the registry's manifest list, regardless of architecture. This works because the core image configuration (entrypoint, env vars, etc.) that we need to inspect is typically identical across architectures.
Fixes
could not mutate object: cannot convert image descriptor to v1.Image: no child with platform linux/amd64 in index ...
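The lookup change described above, sketched in Go as an added example (not the project's code and not the PR's diff): a strict per-platform lookup reproduces the reported failure on an arm64-only index, while a first-available lookup succeeds. The type and function names, the constructed sample index and the skipping of unknown/unknown attestation entries are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Descriptor: only the fields used here; OS/Architecture match the JSON keys case-insensitively.
type Descriptor struct {
	Digest   string                            `json:"digest"`
	Platform struct{ OS, Architecture string } `json:"platform"`
}
type Index struct{ Manifests []Descriptor `json:"manifests"` }

// Constructed arm64-only index; the digests are placeholders, not real images.
const sampleIndex = `{"schemaVersion": 2, "manifests": [
  {"digest": "sha256:placeholder-arm64", "platform": {"os": "linux", "architecture": "arm64"}},
  {"digest": "sha256:placeholder-attestation", "platform": {"os": "unknown", "architecture": "unknown"}}]}`

func parseIndex(raw string) (idx Index, err error) {
	err = json.Unmarshal([]byte(raw), &idx)
	return idx, err
}

// selectByPlatform is the strict lookup: it fails when the platform is absent.
func selectByPlatform(idx Index, goos, arch string) (Descriptor, error) {
	for _, m := range idx.Manifests {
		if m.Platform.OS == goos && m.Platform.Architecture == arch {
			return m, nil
		}
	}
	return Descriptor{}, fmt.Errorf("no child with platform %s/%s in index", goos, arch)
}

// selectFirstAvailable ignores architecture. Added assumption (not from the PR): skip unknown/unknown attestation entries.
func selectFirstAvailable(idx Index) (Descriptor, error) {
	for _, m := range idx.Manifests {
		if m.Platform.OS != "unknown" {
			return m, nil
		}
	}
	return Descriptor{}, fmt.Errorf("index contains no image manifests")
}

func main() {
	idx, _ := parseIndex(sampleIndex)
	fmt.Println(selectByPlatform(idx, "linux", "amd64"))
	fmt.Println(selectFirstAvailable(idx))
}
```

With a first-available lookup, the configuration inspected is that of whichever variant is listed first, so an image whose entrypoint or env vars differ per architecture would be mutated from that variant's values.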