From 219fb3e15b0c5ddcfef4e58804b96950112c25fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcelo=20Gon=C3=A7alves?= <marcelo@openops.com>
Date: Sun, 10 May 2026 16:00:24 +0100
Subject: [PATCH 1/2] WIP

---
 .../cronjob-ecr-credential-refresh.yaml          | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/chart/templates/cronjob-ecr-credential-refresh.yaml b/chart/templates/cronjob-ecr-credential-refresh.yaml
index d2d6ec2..ee2b60b 100644
--- a/chart/templates/cronjob-ecr-credential-refresh.yaml
+++ b/chart/templates/cronjob-ecr-credential-refresh.yaml
@@ -86,9 +86,11 @@ spec:
                 - |
                   set -euo pipefail
                   KUBECTL_VERSION="v1.32.3"
-                  KUBECTL_SHA256="ab209d0c5134b61486a0486585604a616a5bb2fc07df46d304b3c95817b2d79f"
-                  curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
-                  echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c -
+                  ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+                  curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"
+                  curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256"
+                  echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c -
+                  rm kubectl.sha256
                   chmod +x kubectl && mv kubectl /usr/local/bin/
                   TOKEN=$(aws ecr get-login-password --region "$AWS_REGION")
                   kubectl create secret docker-registry "$SECRET_NAME" \
@@ -152,9 +154,11 @@ spec:
             - |
               set -euo pipefail
               KUBECTL_VERSION="v1.32.3"
-              KUBECTL_SHA256="ab209d0c5134b61486a0486585604a616a5bb2fc07df46d304b3c95817b2d79f"
-              curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
-              echo "${KUBECTL_SHA256}  kubectl" | sha256sum -c -
+              ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+              curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"
+              curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256"
+              echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c -
+              rm kubectl.sha256
               chmod +x kubectl && mv kubectl /usr/local/bin/
               TOKEN=$(aws ecr get-login-password --region "$AWS_REGION")
               kubectl create secret docker-registry "$SECRET_NAME" \

From 8521df0ddb2d423c399248bbf05ad7e60f8dcaa8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcelo=20Gon=C3=A7alves?= <marcelo@openops.com>
Date: Mon, 11 May 2026 11:15:09 +0100
Subject: [PATCH 2/2] Add arch validation and curl fail-fast to ECR credential
 refresh

- Validate architecture is amd64 or arm64 before downloading kubectl
- Use curl -fSL instead of -sLO to fail on HTTP errors (e.g., 404)
- Both CronJob and init Job updated

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../templates/cronjob-ecr-credential-refresh.yaml  | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/chart/templates/cronjob-ecr-credential-refresh.yaml b/chart/templates/cronjob-ecr-credential-refresh.yaml
index ee2b60b..da2abf2 100644
--- a/chart/templates/cronjob-ecr-credential-refresh.yaml
+++ b/chart/templates/cronjob-ecr-credential-refresh.yaml
@@ -87,8 +87,11 @@ spec:
                   set -euo pipefail
                   KUBECTL_VERSION="v1.32.3"
                   ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
-                  curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"
-                  curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256"
+                  if [[ "$ARCH" != "amd64" && "$ARCH" != "arm64" ]]; then
+                    echo "❌ Unsupported architecture: $(uname -m)" >&2; exit 1
+                  fi
+                  curl -fSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"
+                  curl -fSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256"
                   echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c -
                   rm kubectl.sha256
                   chmod +x kubectl && mv kubectl /usr/local/bin/
@@ -155,8 +158,11 @@ spec:
               set -euo pipefail
               KUBECTL_VERSION="v1.32.3"
               ARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
-              curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"
-              curl -sLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256"
+              if [[ "$ARCH" != "amd64" && "$ARCH" != "arm64" ]]; then
+                echo "❌ Unsupported architecture: $(uname -m)" >&2; exit 1
+              fi
+              curl -fSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl"
+              curl -fSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256"
               echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c -
               rm kubectl.sha256
               chmod +x kubectl && mv kubectl /usr/local/bin/