Implement --platform parameter

.github/workflows/release.yml

@@ -30,10 +30,10 @@ jobs:
       CGO_ENABLED: "0"
       COSIGN_VERSION: v2.4.0
       GGCR_VERSION: v0.20.2
-      KUBEBUILDER_VERSION: "2.3.2"
-      KUBECTL_VERSION: v1.30.3
+      KUBEBUILDER_VERSION: "4.2.0"
+      KUBECTL_VERSION: v1.31.1
       REGISTRY: ghcr.io
-      SKAFFOLD_VERSION: v2.13.1
+      SKAFFOLD_VERSION: v2.13.2
       SKAFFOLD_CACHE_ARTIFACTS: "false"
       SKAFFOLD_DETECT_MINIKUBE: "false"
       SKAFFOLD_INTERACTIVE: "false"

cmd/function/function.go

@@ -40,7 +40,11 @@ func Cmd(ctx context.Context) *cobra.Command {
 	log := logging.CreateStdLogger("digester")
 	resourceFn := createResourceFn(ctx, log)
 	cmd := command.Build(framework.ResourceListProcessorFunc(resourceFn), command.StandaloneDisabled, false)
-	customizeCmd(cmd)
+	if err := customizeCmd(cmd); err != nil {
+		_, _ = fmt.Fprintln(os.Stderr, err)
+		os.Exit(1)
+	}
+
 	return cmd
 }
 
@@ -51,6 +55,7 @@ func createResourceFn(ctx context.Context, log logr.Logger) framework.ResourceLi
 		log.V(2).Info("kubeconfig", "kubeconfig", viper.GetString("kubeconfig"))
 		log.V(2).Info("offline", "offline", viper.GetBool("offline"))
 		log.V(2).Info("skip-prefixes", "skip-prefixes", util.StringArray(viper.GetString("skip-prefixes")))
+		log.V(2).Info("platform", "platform", viper.GetString("platform"))
 		var config *rest.Config
 		if !viper.GetBool("offline") {
 			var kubeconfig string
@@ -66,7 +71,7 @@ func createResourceFn(ctx context.Context, log logr.Logger) framework.ResourceLi
 			}
 		}
 		for _, r := range resourceList.Items {
-			if err := resolve.ImageTags(ctx, log, config, r, util.StringArray(viper.GetString("skip-prefixes"))); err != nil {
+			if err := resolve.ImageTags(ctx, log, config, r, util.StringArray(viper.GetString("skip-prefixes")), viper.GetString("platform")); err != nil {
 				return err
 			}
 		}
@@ -76,7 +81,7 @@ func createResourceFn(ctx context.Context, log logr.Logger) framework.ResourceLi
 
 // customizeCmd modifies the kyaml function framework command by adding flags
 // that this KRM function needs, and to make it more user-friendly.
-func customizeCmd(cmd *cobra.Command) {
+func customizeCmd(cmd *cobra.Command) error {
 	cmd.Use = "digester"
 	cmd.Short = "Resolve container image tags to digests"
 	cmd.Long = "Digester adds digests to container and " +
@@ -85,15 +90,34 @@ func customizeCmd(cmd *cobra.Command) {
 		"or as a client-side KRM function with kpt or kustomize."
 	cmd.Flags().String("kubeconfig", getKubeconfigDefault(),
 		"(optional) absolute path to the kubeconfig file. Requires offline=false.")
-	viper.BindPFlag("kubeconfig", cmd.Flags().Lookup("kubeconfig"))
-	viper.BindEnv("kubeconfig")
+	if err := viper.BindPFlag("kubeconfig", cmd.Flags().Lookup("kubeconfig")); err != nil {
+		return err
+	}
+	if err := viper.BindEnv("kubeconfig"); err != nil {
+		return err
+	}
 	cmd.Flags().Bool("offline", true,
 		"do not connect to Kubernetes API server to retrieve imagePullSecrets")
-	viper.BindPFlag("offline", cmd.Flags().Lookup("offline"))
-	viper.BindEnv("offline")
+	if err := viper.BindPFlag("offline", cmd.Flags().Lookup("offline")); err != nil {
+		return err
+	}
+	if err := viper.BindEnv("offline"); err != nil {
+		return err
+	}
 	cmd.Flags().String("skip-prefixes", "", "(optional) image prefixes that should not be resolved to digests, colon separated")
-	viper.BindPFlag("skip-prefixes", cmd.Flags().Lookup("skip-prefixes"))
-	viper.BindEnv("skip-prefixes", "SKIP_PREFIXES")
+	if err := viper.BindPFlag("skip-prefixes", cmd.Flags().Lookup("skip-prefixes")); err != nil {
+		return err
+	}
+	if err := viper.BindEnv("skip-prefixes", "SKIP_PREFIXES"); err != nil {
+		return err
+	}
+	if err := viper.BindPFlag("platform", cmd.Flags().Lookup("platform")); err != nil {
+		return err
+	}
+	if err := viper.BindEnv("platform"); err != nil {
+		return err
+	}
+	return nil
 }
 
 // getKubeconfigDefault determines the default value of the --kubeconfig flag.

cmd/webhook/webhook.go

@@ -81,6 +81,7 @@ var (
 	port                int
 	ignoreErrors        bool
 	skipPrefixes        string
+	platform            string
 )
 
 func init() {
@@ -94,6 +95,7 @@ func init() {
 	Cmd.Flags().IntVar(&port, "port", defaultPort, "webhook server port")
 	Cmd.Flags().BoolVar(&ignoreErrors, "ignore-errors", false, "do not fail on webhook admission errors, just log them")
 	Cmd.Flags().StringVar(&skipPrefixes, "skip-prefixes", "", "(optional) image prefixes that should not be resolved to digests, colon separated")
+	Cmd.Flags().StringVar(&platform, "platform", "", "resolve only to platform specific images i.e. linux/amd64")
 }
 
 func run(ctx context.Context) error {
@@ -156,7 +158,7 @@ func run(ctx context.Context) error {
 		close(certSetupFinished)
 	}
 
-	go setupControllers(mgr, log, dryRun, ignoreErrors, certSetupFinished, util.StringArray(skipPrefixes))
+	go setupControllers(mgr, log, dryRun, ignoreErrors, certSetupFinished, util.StringArray(skipPrefixes), platform)
 
 	log.Info("starting manager")
 	if err := mgr.Start(ctx); err != nil {
@@ -165,7 +167,7 @@ func run(ctx context.Context) error {
 	return nil
 }
 
-func setupControllers(mgr manager.Manager, log logr.Logger, dryRun bool, ignoreErrors bool, certSetupFinished chan struct{}, skipPrefixes []string) {
+func setupControllers(mgr manager.Manager, log logr.Logger, dryRun bool, ignoreErrors bool, certSetupFinished chan struct{}, skipPrefixes []string, platform string) {
 	log.Info("waiting for cert rotation setup")
 	<-certSetupFinished
 	log.Info("done waiting for cert rotation setup")
@@ -179,6 +181,7 @@ func setupControllers(mgr manager.Manager, log logr.Logger, dryRun bool, ignoreE
 		IgnoreErrors: ignoreErrors,
 		Config:       k8sClientConfig,
 		SkipPrefixes: skipPrefixes,
+		Platform:     platform,
 	}
 	mwh := &admission.Webhook{Handler: whh}
 	log.Info("starting webhook server", "path", webhookPath)

docs/authentication.md

@@ -156,6 +156,10 @@ You can provide an alternative kubeconfig file by setting the value of the
 `--kubeconfig` command-line flag or the `KUBECONFIG` environment variable to
 the full path of an alternative kubeconfig file.
 
+You can also limit the resolve of image tags to only a specific platform by 
+specifying the `--platform` command-line flag with the target platform 
+e.g. `linux/amd64`.
+
 ## Webhook online authentication
 
 The webhook uses online authentication by default, and it uses the

go.mod

@@ -14,29 +14,32 @@
 
 module github.com/google/k8s-digester
 
-go 1.22.0
+go 1.23.0
+
+toolchain go1.23.1
 
 require (
-	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240809155957-ac94a3401898
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240918142057-e21b7a4e92d1
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
 	github.com/go-logr/logr v1.4.2
 	github.com/go-logr/stdr v1.2.2
 	github.com/go-logr/zapr v1.3.0
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-containerregistry v0.20.2
-	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240810014151-b8e87ed57b80
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20240826191751-a07d1cab8700
 	github.com/open-policy-agent/cert-controller v0.11.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.19.0
+	github.com/stretchr/testify v1.9.0
 	go.uber.org/zap v1.27.0
 	gomodules.xyz/jsonpatch/v2 v2.4.0
-	k8s.io/api v0.30.3
-	k8s.io/apimachinery v0.30.3
-	k8s.io/client-go v0.30.3
+	k8s.io/api v0.31.1
+	k8s.io/apimachinery v0.31.1
+	k8s.io/client-go v0.31.1
 	k8s.io/klog/v2 v2.130.1
-	sigs.k8s.io/controller-runtime v0.18.4
-	sigs.k8s.io/kustomize/kyaml v0.17.2
+	sigs.k8s.io/controller-runtime v0.19.0
+	sigs.k8s.io/kustomize/kyaml v0.18.0
 )
 
 require (
@@ -51,21 +54,21 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.32.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
-	github.com/aws/smithy-go v1.20.3 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.34 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.25.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect
+	github.com/aws/smithy-go v1.20.4 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
@@ -78,6 +81,7 @@ require (
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
@@ -109,6 +113,7 @@ require (
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
@@ -121,6 +126,7 @@ require (
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
@@ -134,11 +140,12 @@ require (
 	golang.org/x/text v0.17.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.30.3 // indirect
+	k8s.io/apiextensions-apiserver v0.31.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20240808142205-8e686545bdb8 // indirect
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect