feat(crd): add multi-platform fetchStrategy with per-node artifact resolution

Extend the Shim CRD's fetchStrategy to support multi-platform artifact
fetching. A single Shim resource can now target mixed-architecture
clusters (e.g., amd64 + arm64) by specifying per-OS/arch artifact URLs
with optional SHA-256 verification.

Changes:
- Add `platforms[]` field to fetchStrategy with os, arch, location, and
  optional sha256 per entry
- Add CRD enum validation for os (linux) and arch (amd64, arm64,
  x86_64, aarch64)
- Add `resolveArtifactForNode()` controller logic to select the correct
  artifact per node based on node.Status.NodeInfo
- Support both Go-style (amd64) and uname-style (x86_64) arch names
  via normalizeArch()
- Add SHA-256 verification to the downloader init container script
- Retain deprecated `type` and optional `anonHttp` fields for backward
  compatibility with existing manifests
- Consolidate per-arch sample Shim files into single multi-platform CRs
- Add design proposal document

Inspired by the Krew plugin manager's per-platform artifact pattern.
Co-authored with Copilot using Opus 4.6.

Signed-off-by: Kate Goldenring <kate.goldenring@fermyon.com>

Author: kate-goldenring

.github/workflows/helm-chart-node-scaling-test.yml

@@ -108,9 +108,6 @@ jobs:
 
       - name: apply Spin shim
         run: |
-          # Ensure shim binary is compatible with runner arch
-          yq -i '.spec.fetchStrategy.anonHttp.location = "https://github.com/spinkube/containerd-shim-spin/releases/download/${{ env.SHIM_SPIN_VERSION }}/containerd-shim-spin-v2-linux-x86_64.tar.gz"' \
-            config/samples/test_shim_spin.yaml
           kubectl apply -f config/samples/test_shim_spin.yaml
 
       - name: verify shim is installed into one node

.github/workflows/helm-chart-smoketest.yml

@@ -163,9 +163,6 @@ jobs:
             # as there is a known bug that MicroK8s containerd does not pass the options
             yq -i 'del(.spec.containerdRuntimeOptions)' $shim_file
           fi
-          # Ensure shim binary is compatible with runner arch
-          yq -i '.spec.fetchStrategy.anonHttp.location = "https://github.com/spinframework/containerd-shim-spin/releases/download/${{ env.SHIM_SPIN_VERSION }}/containerd-shim-spin-v2-linux-x86_64.tar.gz"' \
-            $shim_file
           kubectl apply -f $shim_file
 
       - name: label nodes

api/v1alpha1/shim_types.go

@@ -32,14 +32,49 @@ type ShimSpec struct {
 }
 
 type FetchStrategy struct {
-	Type     string       `json:"type"`
-	AnonHTTP AnonHTTPSpec `json:"anonHttp"`
+	// Type is the fetch strategy type.
+	//
+	// Deprecated: this field is ignored by the controller and exists only
+	// for backward compatibility with existing manifests that specify it.
+	//
+	// +optional
+	Type string `json:"type,omitempty"`
+
+	// AnonHTTP fetches a binary from a public HTTP(S) URL.
+	// For backward compatibility with single-architecture deployments.
+	// When Platforms is also specified, Platforms takes precedence.
+	// +optional
+	AnonHTTP *AnonHTTPSpec `json:"anonHttp,omitempty"`
+
+	// Platforms lists per-OS/architecture artifact sources.
+	// The controller selects the matching entry for each target node.
+	// When specified, this takes precedence over AnonHTTP.
+	// +optional
+	Platforms []PlatformArtifact `json:"platforms,omitempty"`
 }
 
+// AnonHTTPSpec defines a simple anonymous HTTP fetch (single URL, single architecture).
 type AnonHTTPSpec struct {
+	// Location is the direct URL to the artifact archive.
 	Location string `json:"location"`
 }
 
+// PlatformArtifact maps a specific OS/Arch pair to an artifact URL.
+type PlatformArtifact struct {
+	// OS is the operating system. Currently only "Linux" is supported.
+	// +kubebuilder:validation:Enum=linux
+	OS string `json:"os"`
+	// Arch is the CPU architecture.
+	// Accepts Go-style ("amd64", "arm64") or uname-style ("x86_64", "aarch64").
+	// +kubebuilder:validation:Enum=amd64;arm64;x86_64;aarch64
+	Arch string `json:"arch"`
+	// Location is the URL to the artifact archive for this platform. Must be publicly accessible.
+	Location string `json:"location"`
+	// SHA256 is the optional hex-encoded SHA-256 digest for verification.
+	// +optional
+	SHA256 string `json:"sha256,omitempty"`
+}
+
 type RuntimeClassSpec struct {
 	Name    string `json:"name"`
 	Handler string `json:"handler"`

api/v1alpha1/zz_generated.deepcopy.go

@@ -59,17 +59,61 @@ spec:
               fetchStrategy:
                 properties:
                   anonHttp:
+                    description: |-
+                      AnonHTTP fetches a binary from a public HTTP(S) URL.
+                      For backward compatibility with single-architecture deployments.
+                      When Platforms is also specified, Platforms takes precedence.
                     properties:
                       location:
+                        description: Location is the direct URL to the artifact archive.
                         type: string
                     required:
                     - location
                     type: object
+                  platforms:
+                    description: |-
+                      Platforms lists per-OS/architecture artifact sources.
+                      The controller selects the matching entry for each target node.
+                      When specified, this takes precedence over AnonHTTP.
+                    items:
+                      description: PlatformArtifact maps a specific OS/Arch pair to
+                        an artifact URL.
+                      properties:
+                        arch:
+                          description: |-
+                            Arch is the CPU architecture.
+                            Accepts Go-style ("amd64", "arm64") or uname-style ("x86_64", "aarch64").
+                          enum:
+                          - amd64
+                          - arm64
+                          - x86_64
+                          - aarch64
+                          type: string
+                        location:
+                          description: Location is the URL to the artifact archive
+                            for this platform.
+                          type: string
+                        os:
+                          description: OS is the operating system.
+                          enum:
+                          - linux
+                          type: string
+                        sha256:
+                          description: SHA256 is the optional hex-encoded SHA-256
+                            digest for verification.
+                          type: string
+                      required:
+                      - arch
+                      - location
+                      - os
+                      type: object
+                    type: array
                   type:
+                    description: |-
+                      Type is the fetch strategy type.
+                      Deprecated: this field is ignored by the controller and exists only
+                      for backward compatibility with existing manifests that specify it.
                     type: string
-                required:
-                - anonHttp
-                - type
                 type: object
               nodeSelector:
                 additionalProperties:

config/crd/bases/runtime.spinkube.dev_shims.yaml

@@ -4,8 +4,6 @@ resources:
 - test_shim_slight.yaml
 - test_shim_spin.yaml
 - test_shim_wws.yaml
-- sample_shim_spin_x86_64.yaml
-- sample_shim_spin_aarch64.yaml
-- sample_shim_wasmtime_x86_64.yaml
-- sample_shim_wasmtime_aarch64.yaml
+- sample_shim_spin.yaml
+- sample_shim_wasmtime.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples

config/samples/kustomization.yaml

@@ -13,9 +13,15 @@ spec:
     spin: "true"
 
   fetchStrategy:
-    type: anonymousHttp
-    anonHttp:
-      location: "https://github.com/spinframework/containerd-shim-spin/releases/download/v0.22.0/containerd-shim-spin-v2-linux-aarch64.tar.gz"
+    platforms:
+      - os: linux
+        arch: aarch64
+        location: "https://github.com/spinframework/containerd-shim-spin/releases/download/v0.22.0/containerd-shim-spin-v2-linux-aarch64.tar.gz"
+        sha256: "5fde86c310b8b8ef4c1b19a04eece203f4c308f6fb42bfae3babd99d4c04006b"
+      - os: linux
+        arch: x86_64
+        location: "https://github.com/spinframework/containerd-shim-spin/releases/download/v0.22.0/containerd-shim-spin-v2-linux-x86_64.tar.gz"
+        sha256: "adeb94339c673f09cffe8c45c04f9b18d410f9375d1570b6d1939758b507d257"
 
   # Each runtime can provide a set of containerd runtime options to be set in the containerd
   # configuration file.

…ig/samples/sample_shim_spin_aarch64.yaml config/samples/sample_shim_spin.yamlconfig/samples/sample_shim_spin_aarch64.yaml renamed to config/samples/sample_shim_spin.yaml config/samples/sample_shim_spin_aarch64.yaml renamed to config/samples/sample_shim_spin.yaml

@@ -13,9 +13,13 @@ spec:
     wasmtime: "true"
 
   fetchStrategy:
-    type: anonymousHttp
-    anonHttp:
-      location: "https://github.com/containerd/runwasi/releases/download/containerd-shim-wasmtime%2Fv0.6.0/containerd-shim-wasmtime-aarch64-linux-musl.tar.gz"
+    platforms:
+      - os: linux
+        arch: aarch64
+        location: "https://github.com/containerd/runwasi/releases/download/containerd-shim-wasmtime%2Fv0.6.0/containerd-shim-wasmtime-aarch64-linux-musl.tar.gz"
+      - os: linux
+        arch: x86_64
+        location: "https://github.com/containerd/runwasi/releases/download/containerd-shim-wasmtime%2Fv0.6.0/containerd-shim-wasmtime-x86_64-linux-musl.tar.gz"
 
   runtimeClass:
     name: wasmtime-v1