Conversation
…hangeType=mutated The ImageRegistry webhook required both OriginalImage and MutatedImage to match spec.host. This blocked the imageinventory controller whenever an admission controller (e.g. Artifact Registry pull-through cache) rewrote docker.io references to europe-docker.pkg.dev: the aggregator groups by the lookup-target host (OriginalImage), but the rewritten MutatedImage points elsewhere by design. spec.host is the registry the controller queries for tags (see resolve_latest_versions.go). Tighten the invariant to match that intent: - changeType=none: both images must match (they are equal). - changeType=mutated: only OriginalImage (the lookup target) must match; MutatedImage may live in a cache/mirror. - changeType=injected: only MutatedImage must match (lookup target by default since OriginalImage is empty). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
MutatedImagehost differed fromspec.host, which blockedimageinventoryreconciliation any time an admission controller (e.g. Artifact Registry pull-through cache) rewrotedocker.io/...toeurope-docker.pkg.dev/....spec.hostis the registry the controller queries for tags (resolve_latest_versions.go). Tightened the invariant to enforce this only on the lookup target:changeType=none→ Original and Mutated must both match (equal by definition).changeType=mutated→ onlyOriginalImage(lookup target) must match;MutatedImagemay live in a cache/mirror.changeType=injected→ onlyMutatedImagemust match (lookup target sinceOriginalImageis empty).Observed error before fix
Test plan
make helmregenerates manifests cleanlymake lint— 0 issuesmake test— all packages pass; webhook coverage 81.1%HostCoherence_MutatedDivergesAllowedcovers the regressionHostCoherence_InjectedMutatedMismatchensuresinjectedstill validates the lookup targetHostCoherence_OriginalMismatchkeeps rejecting bad lookup targetsimageinventoryreconciles successfully on a cluster with Artifact Registry pull-through cache🤖 Generated with Claude Code