Select entrypoint command based on runtime platform

[imjasonh]

This fixes a long-standing bug affecting heterogenous clusters, where the controller's platform would be used to lookup the image's entrypoint, instead of the platform of the node where the workload would eventually run.

With this change, the controller looks up all the image's entrypoints and passes them to the entrypoint binary on the node, where it uses its current runtime platform to lookup the correct entrypoint to execute.

This has the added benefit that we can now pass the entire image@digest of the multi-platform image down to the Pod, instead of the (controller's) platform-specific image. This has benefits for scenarios where Pods may be blocked from running unsigned/untrusted images, since it might be the multi-platform image index that's signed/trusted, and not any particular platform-specific constituent image.

NB: There is still a small bug here with Windows images specifically. If a multi-platform image contains multiple entries for the same OS+arch+variant, but with different osversion, like golang for instance, this change may not select the right command, and may instead take the last matching platform's command instead of the "correct" one for the runtime platform. When that happens, the "correct" image will be selected for the runtime node's platform (taking osversion into account), but will use the "incorrect" image's command. In practice, every image I could find that's in this state has the same command for all osversions, so it's moot. But it's possible a multi-platform image will tickle this bug. The "good" news is that this bug also existed in the previous incarnation of the code -- the code would select the command for the first matching platform (not taking into account variant or osversion), then would pass it to the runtime node which may expect a possibly-different command. To fix this bug, you'd need to include the osversion in the command map key, and (somehow) detect the node's osversion from the entrypoint binary at runtime, to select the correct platform (including osversion). In practice AFAIK this never happened, but just in case, it's worth calling out while I'm still thinking about it, in case something fishy happens on Windows clusters in the future, this comment might be useful to someone. If you're reading this and nodding in excitement that I might be describing your bug, may god have mercy on your soul.

Fixes #4299
/kind bug

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Docs included if any changes are user facing
• Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including
  functionality, content, code)
• Release notes block below has been filled in or deleted (only if no user facing changes)

Release Notes

Changes the way image commands are passed to the entrypoint executor, enabling more correct behavior in heterogeneous clusters, and allowing for multi-platform image references to be passed to generated Pods.

cc @mattmoor

[linux-foundation-easycla]

• ❌ The commit (e7d02c9) is missing the User's ID, preventing the EasyCLA check. Consult GitHub Help to resolve.For further assistance with EasyCLA, please submit a support request ticket.

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/pod/entrypoint.go	86.8%	87.8%	1.0
pkg/pod/entrypoint_lookup.go	79.4%	85.7%	6.3

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/pod/entrypoint.go	86.8%	87.8%	1.0
pkg/pod/entrypoint_lookup.go	79.4%	85.7%	6.3

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	87.8%	1.0
pkg/pod/entrypoint_lookup.go	79.4%	85.7%	6.3

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	87.8%	1.0
pkg/pod/entrypoint_lookup.go	79.4%	85.7%	6.3

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.2%	1.3
pkg/pod/entrypoint_lookup.go	79.4%	88.0%	8.6

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.0%	1.2
pkg/pod/entrypoint_lookup.go	79.4%	88.0%	8.6

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.0%	1.2
pkg/pod/entrypoint_lookup.go	79.4%	88.0%	8.6

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.0%	1.2
pkg/pod/entrypoint_lookup.go	79.4%	88.0%	8.6

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.0%	1.2
pkg/pod/entrypoint_lookup.go	79.4%	88.0%	8.6

[imjasonh]

/test check-pr-has-kind-label

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.0%	1.2
pkg/pod/entrypoint_lookup.go	79.4%	88.0%	8.6

[WillsonHG]

/easycla

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.0%	1.2
pkg/pod/entrypoint_lookup.go	79.4%	88.0%	8.6

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.0%	1.2
pkg/pod/entrypoint_lookup.go	79.4%	88.0%	8.6

[imjasonh]

I've managed to appease EasyCLA, just needs an approval @vdemeester @afrittoli 🙏

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.0%	1.2
pkg/pod/entrypoint_lookup.go	79.4%	85.7%	6.3

[mattmoor]

/test check-pr-has-kind-label

This also needs a kick and I'm not sure it'll listen to me, but YOLO

/lgtm

[imjasonh]

/test check-pr-has-kind-label

[vdemeester]

/test check-pr-has-kind-label

[vdemeester]

One nit comment on a comment, otherwise, looking very good 😬
/lgtm

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-pipeline-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/entrypoint/entrypointer.go	71.0%	70.1%	-0.9
pkg/pod/entrypoint.go	86.8%	88.0%	1.2
pkg/pod/entrypoint_lookup.go	79.4%	85.7%	6.3

[vdemeester]

/lgtm

[imjasonh]

/test check-pr-has-kind-label

[dlorenc]

/approve

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlorenc, mattmoor

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dlorenc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[imjasonh]

/kind bug

[tekton-robot]

@imjasonh: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-tekton-pipeline-alpha-integration-tests	81691e9	link	/test pull-tekton-pipeline-alpha-integration-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[tekton-robot]

@imjasonh: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-tekton-pipeline-alpha-integration-tests	81691e9	link	/test pull-tekton-pipeline-alpha-integration-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.