Fix: add tag labels to patch output #833

Closed
wants to merge 4 commits into from

Conversation

richgerrard
Contributor

@richgerrard richgerrard commented Nov 28, 2022

Fixes # n/a
Extends: #800

Description

The mutating controller is stripping the human-readable element from the patch, and therefore the deployment artifacts that are mutated.
This results in pain and frustration for humans and tools that are relying on the human-readable element. This includes kubectl output, metrics tools like Grafana dashboards that have suddenly lost tag elements, security monitoring tools that can no longer see the deployed version by parsing a tag, and many more.
Essentially, we will have to select a different tool and move away from Connaisseur if the image tags cannot be preserved.
Chainguard allegedly handles tags the way that I desire.

Checklist

  • PR is rebased to/aimed at branch develop
  • PR follows Contributing Guide
  • Added tests (if necessary)
  • Extended README/Documentation (if necessary)
  • Adjusted versions of image and Helm chart in values.yaml and Chart.yaml (if necessary)

Original behaviour
input:
999999999999.dkr.ecr.ap-west-7.amazonaws.com/repo-alice/image-bob:v0.0.1
output:
999999999999.dkr.ecr.ap-west-7.amazonaws.com/repo-alice/image-bob@sha256:01aaa1a11aa11011a1a01a1111a11a1aaaa0aa1aa1a1a1aa1a11a0111a11a

New behaviour:
input:
999999999999.dkr.ecr.ap-west-7.amazonaws.com/repo-alice/image-bob:v0.0.1
output:
999999999999.dkr.ecr.ap-west-7.amazonaws.com/repo-alice/image-bob:v0.0.1@sha256:01aaa1a11aa11011a1a01a1111a11a1aaaa0aa1aa1a1a1aa1a11a0111a11a


Previously, the mutating webhook would mutilate the human-readable portion of the image identifier, and patch the images in a deployment with the validated sha string. This led to angry humans who appreciated the validation and the trust of the mutation, but not the loss of the human-readable portion which is used in metrics, in observability suites, in kubectl output, and numerous other things that human beings care about.
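
The tag-preserving reference format described in this pull request, as an added example that is not part of the pull request or of Connaisseur's code: a Python sketch that splits an image reference and appends a verified digest while keeping the tag. The function names and the digest value are constructed for illustration.

```python
import re

# A sha256 digest is "sha256:" followed by exactly 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def split_reference(ref):
    """Split an image reference into (name, tag, digest); tag and digest may be None."""
    name, _, digest = ref.partition("@")
    digest = digest or None
    if digest is not None and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest: {digest!r}")
    # A colon separates a tag only when it follows the last '/'.
    # Earlier colons belong to a registry port, as in localhost:5000/app.
    last_component = name.rsplit("/", 1)[-1]
    tag = None
    if ":" in last_component:
        tag = last_component.split(":", 1)[1]
        name = name[: -(len(tag) + 1)]
    return name, tag or None, digest


def patch_reference(original, verified_digest, keep_tag=True):
    """Build the reference a mutating webhook would write back.

    keep_tag=False gives the 'original behaviour' shown above (name@digest);
    keep_tag=True gives the 'new behaviour' (name:tag@digest).
    """
    if not DIGEST_RE.match(verified_digest):
        raise ValueError(f"malformed digest: {verified_digest!r}")
    name, tag, existing = split_reference(original)
    # Never silently replace a digest the author already pinned.
    if existing is not None and existing != verified_digest:
        raise ValueError("reference is pinned to a different digest")
    if keep_tag and tag:
        return f"{name}:{tag}@{verified_digest}"
    return f"{name}@{verified_digest}"


if __name__ == "__main__":
    # Input taken from the pull request; the digest is a constructed sample.
    ref = "999999999999.dkr.ecr.ap-west-7.amazonaws.com/repo-alice/image-bob:v0.0.1"
    digest = "sha256:" + "ab" * 32
    print(patch_reference(ref, digest, keep_tag=False))
    print(patch_reference(ref, digest))
    # Monitoring tools can still recover the tag from the patched form.
    print(split_reference(patch_reference(ref, digest))[1])
```
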

NB
@phbelitz
Member

phbelitz commented Dec 2, 2022

Closing in favor of #763
May add you as co-author if desired.

@phbelitz phbelitz closed this Dec 2, 2022