fix: use distro-based images for credential plugin integration

.github/workflows/build.yaml

@@ -67,6 +67,8 @@ jobs:
           username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
           password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
 
+      # Distro-less "FROM scratch" images.
+
       - name: Prepare manifest OCI metadata for amd64
         id: meta-amd64
         uses: docker/metadata-action@v6
@@ -204,6 +206,149 @@ jobs:
             docker manifest push "${tag}"
           done
 
+      # Distro-full "FROM debian:stable-slim" images.
+
+      - name: Prepare manifest OCI metadata for amd64 - distro
+        id: meta-amd64-distro
+        uses: docker/metadata-action@v6
+        with:
+          images: "quay.io/stackrox-io/image-prefetcher"
+          # generate Docker tags based on the following events/attributes
+          # See https://github.com/docker/metadata-action
+          flavor: suffix=-distro-amd64,onlatest=true
+          tags: |
+            type=ref,event=branch,prefix=branch-
+            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+            type=sha
+
+      - name: Build and push OCI amd64 image - distro
+        if: github.event_name != 'pull_request'
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta-amd64-distro.outputs.tags }}
+          labels: ${{ steps.meta-amd64-distro.outputs.labels }}
+          platforms: linux/amd64
+          build-args: |
+            ARCH=amd64
+            BASE=debian:stable-slim
+
+      - name: Prepare manifest OCI metadata for arm64 - distro
+        id: meta-arm64-distro
+        uses: docker/metadata-action@v6
+        with:
+          images: "quay.io/stackrox-io/image-prefetcher"
+          # generate Docker tags based on the following events/attributes
+          # See https://github.com/docker/metadata-action
+          flavor: suffix=-distro-arm64,onlatest=true
+          tags: |
+            type=ref,event=branch,prefix=branch-
+            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+            type=sha
+
+      - name: Build and push OCI arm64 image - distro
+        if: github.event_name != 'pull_request'
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta-arm64-distro.outputs.tags }}
+          labels: ${{ steps.meta-arm64-distro.outputs.labels }}
+          platforms: linux/arm64
+          build-args: |
+            ARCH=arm64
+            BASE=debian:stable-slim
+
+      - name: Prepare manifest OCI metadata for ppc64le - distro
+        id: meta-ppc64le-distro
+        uses: docker/metadata-action@v6
+        with:
+          images: "quay.io/stackrox-io/image-prefetcher"
+          # generate Docker tags based on the following events/attributes
+          # See https://github.com/docker/metadata-action
+          flavor: suffix=-distro-ppc64le,onlatest=true
+          tags: |
+            type=ref,event=branch,prefix=branch-
+            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+            type=sha
+
+      - name: Build and push OCI ppc64le image - distro
+        if: github.event_name != 'pull_request'
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta-ppc64le-distro.outputs.tags }}
+          labels: ${{ steps.meta-ppc64le-distro.outputs.labels }}
+          platforms: linux/ppc64le
+          build-args: |
+            ARCH=ppc64le
+            BASE=debian:stable-slim
+
+      - name: Prepare manifest OCI metadata for s390x - distro
+        id: meta-s390x-distro
+        uses: docker/metadata-action@v6
+        with:
+          images: "quay.io/stackrox-io/image-prefetcher"
+          # generate Docker tags based on the following events/attributes
+          # See https://github.com/docker/metadata-action
+          flavor: suffix=-distro-s390x,onlatest=true
+          tags: |
+            type=ref,event=branch,prefix=branch-
+            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+            type=sha
+
+      - name: Build and push OCI s390x image - distro
+        if: github.event_name != 'pull_request'
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta-s390x-distro.outputs.tags }}
+          labels: ${{ steps.meta-s390x-distro.outputs.labels }}
+          platforms: linux/s390x
+          build-args: |
+            ARCH=s390x
+            BASE=debian:stable-slim
+
+      - name: Prepare manifest OCI metadata - distro
+        id: meta-distro
+        uses: docker/metadata-action@v6
+        with:
+          images: "quay.io/stackrox-io/image-prefetcher"
+          # generate Docker tags based on the following events/attributes
+          # See https://github.com/docker/metadata-action
+          flavor: suffix=-distro
+          tags: |
+            type=ref,event=branch,prefix=branch-
+            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
+            type=semver,pattern=v{{major}}.{{minor}}
+            type=semver,pattern=v{{major}}
+            type=sha
+
+      - name: Create and push multi-arch manifest - distro
+        if: github.event_name != 'pull_request'
+        env:
+          IMAGE_TAGS: ${{ steps.meta-distro.outputs.tags }}
+        run: |
+          for tag in ${IMAGE_TAGS};
+          do
+            docker manifest create "${tag}" \
+              --amend "${tag}-amd64" \
+              --amend "${tag}-arm64" \
+              --amend "${tag}-ppc64le" \
+              --amend "${tag}-s390x"
+            docker manifest push "${tag}"
+          done
 
   e2e:
     if: github.event_name != 'pull_request'

Dockerfile

@@ -1,4 +1,5 @@
-FROM scratch
+ARG BASE=scratch
+FROM $BASE
 ARG ARCH=amd64
 COPY ./image-prefetcher-${ARCH} /image-prefetcher
 ENTRYPOINT ["/image-prefetcher"]

README.md

@@ -53,8 +53,11 @@ It also optionally collects each pull attempt's duration and result.
      Plugin credentials fetched dynamically and tried for the images configured in the `CredentialProviderConfig` before pull secrets.
      Currently only supports mode `GKE`, which uses `/etc/srv/kubernetes/cri_auth_config.yaml` and `/home/kubernetes/bin` mounted from the host.
 
-   Example:
+     Note that in this case, the tool uses distro-based prefetcher images, to provide the dynamic
+     linker and shared libraries that a credential plugin binary might need.
 
+   Example:
+
    ```
    go run github.com/stackrox/image-prefetcher/deploy@v0.3.0 --version v0.3.0 --namespace prefetch-images my-images > manifest.yaml
    ```

deploy/main.go

@@ -56,18 +56,22 @@ func init() {
 // processVersion processes the version string and returns the appropriate format.
 // For versions with dashes containing SHA (like v0.4.2-0.20251126115717-559dd9fd402f),
 // extracts short SHA and returns "sha-<shortSHA>" as long as the sha is at least 7 chars long.
-// Otherwise, returns as is
-func processVersion(version string) string {
+// Otherwise, returns as is.
+// If distro is true, appends "-distro" to the result.
+func processVersion(version string, distro bool) string {
+	result := version
 	// Pattern: vX.Y.Z-0.timestamp-SHA produced by `go mod tidy`.
 	dashRegex := regexp.MustCompile(`^v\d+\.\d+\.\d+-\d+\.\d+-([a-f0-9]+)$`)
 	matches := dashRegex.FindStringSubmatch(version)
-	if len(matches) != 2 {
-		return version
+	if len(matches) == 2 {
+		if fullSHA := matches[1]; len(fullSHA) >= 7 {
+			result = fmt.Sprintf("sha-%s", fullSHA[:7])
+		}
 	}
-	if fullSHA := matches[1]; len(fullSHA) >= 7 {
-		return fmt.Sprintf("sha-%s", fullSHA[:7])
+	if distro {
+		result += "-distro"
 	}
-	return version
+	return result
 }
 
 func main() {
@@ -84,7 +88,7 @@ func main() {
 		Name:                                 name,
 		Namespace:                            namespace,
 		Image:                                imageRepo,
-		Version:                              processVersion(version),
+		Version:                              processVersion(version, useKubeletImageCredentialIntegration != ""),
 		Secret:                               secret,
 		IsCRIO:                               isOcp,
 		NeedsPrivileged:                      isOcp,

go.mod

@@ -17,13 +17,10 @@ require (
 	k8s.io/cri-api v0.36.0
 	k8s.io/klog/v2 v2.140.0
 	k8s.io/kubelet v0.36.0
-	k8s.io/kubernetes v1.36.0
+	sigs.k8s.io/yaml v1.6.0
 )
 
 require (
-	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
@@ -40,13 +37,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.23.2 // indirect
-	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.5 // indirect
-	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/otel v1.43.0 // indirect
-	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/net v0.51.0 // indirect
@@ -59,11 +50,9 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/component-base v0.36.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect
-	sigs.k8s.io/yaml v1.6.0 // indirect
 )