Require container images use a supported platform (#9996)

* CC-5610: Disallow users from pushing container images with an unsupported platform

The runtime only runs on amd64 right now. Require that images pushed to
the managed registry are configured for a linux/amd64 platform to avoid
runtime errors.

Author: nikitassharma

.changeset/old-clubs-swim.md

@@ -0,0 +1,5 @@
+---
+"wrangler": patch
+---
+
+Disallow users from pushing images with unsupported platforms to the container image registry

packages/wrangler/src/__tests__/cloudchamber/build.test.ts

@@ -223,6 +223,34 @@ describe("buildAndMaybePush", () => {
 		});
 	});
 
+	it("should be able to build image with platform specified", async () => {
+		await runWrangler(
+			"containers build ./container-context -t test-app:tag -p --platform linux/amd64"
+		);
+		expect(dockerBuild).toHaveBeenCalledWith("docker", {
+			buildCmd: [
+				"build",
+				"-t",
+				`${getCloudflareContainerRegistry()}/test-app:tag`,
+				"--platform",
+				"linux/amd64",
+				"--provenance=false",
+				"-f",
+				"-",
+				"./container-context",
+			],
+			dockerfile,
+		});
+	});
+
+	it("should fail with an invalid platform", async () => {
+		await expect(
+			runWrangler(
+				"containers build ./container-context -t test-app:tag -p --platform linux/arm64"
+			)
+		).rejects.toThrow("Unsupported platform");
+	});
+
 	it("should throw UserError when docker build fails", async () => {
 		const errorMessage = "Docker build failed";
 		vi.mocked(dockerBuild).mockReturnValue({

packages/wrangler/src/__tests__/containers/push.test.ts

@@ -0,0 +1,81 @@
+import {
+	dockerImageInspect,
+	getCloudflareContainerRegistry,
+	runDockerCmd,
+} from "@cloudflare/containers-shared";
+import { mockAccount, setWranglerConfig } from "../cloudchamber/utils";
+import { mockApiToken } from "../helpers/mock-account-id";
+import { mockConsoleMethods } from "../helpers/mock-console";
+import { useMockIsTTY } from "../helpers/mock-istty";
+import { runWrangler } from "../helpers/run-wrangler";
+
+vi.mock("@cloudflare/containers-shared", async (importOriginal) => {
+	const actual = await importOriginal();
+	return Object.assign({}, actual, {
+		dockerLoginManagedRegistry: vi.fn(),
+		runDockerCmd: vi.fn(),
+		dockerImageInspect: vi.fn(),
+	});
+});
+
+describe("containers push", () => {
+	const std = mockConsoleMethods();
+	const { setIsTTY } = useMockIsTTY();
+
+	mockApiToken();
+	beforeEach(mockAccount);
+	afterEach(vi.clearAllMocks);
+
+	it("should help", async () => {
+		await runWrangler("containers push --help");
+		expect(std.err).toMatchInlineSnapshot(`""`);
+		expect(std.out).toMatchInlineSnapshot(`
+			"wrangler containers push [TAG]
+
+			Push a tagged image to a Cloudflare managed registry
+
+			POSITIONALS
+			  TAG  [string]
+
+			GLOBAL FLAGS
+			  -c, --config   Path to Wrangler configuration file  [string]
+			      --cwd      Run as if Wrangler was started in the specified directory instead of the current working directory  [string]
+			  -e, --env      Environment to use for operations, and for selecting .env and .dev.vars files  [string]
+			  -h, --help     Show help  [boolean]
+			  -v, --version  Show version number  [boolean]
+
+			OPTIONS
+			      --path-to-docker  Path to your docker binary if it's not on $PATH  [string] [default: \\"docker\\"]"
+		`);
+	});
+
+	it("should push image with valid platform", async () => {
+		setIsTTY(false);
+		setWranglerConfig({});
+		vi.mocked(dockerImageInspect).mockResolvedValue("linux/amd64");
+		expect(std.err).toMatchInlineSnapshot(`""`);
+
+		await runWrangler("containers push test-app:tag");
+
+		expect(runDockerCmd).toHaveBeenCalledTimes(2);
+		expect(runDockerCmd).toHaveBeenNthCalledWith(1, "docker", [
+			"tag",
+			`test-app:tag`,
+			`${getCloudflareContainerRegistry()}/some-account-id/test-app:tag`,
+		]);
+		expect(runDockerCmd).toHaveBeenNthCalledWith(2, "docker", [
+			"push",
+			`${getCloudflareContainerRegistry()}/some-account-id/test-app:tag`,
+		]);
+	});
+
+	it("should reject pushing image if platform is not linux/amd64", async () => {
+		setIsTTY(false);
+		setWranglerConfig({});
+		vi.mocked(dockerImageInspect).mockResolvedValue("linux/arm64");
+		expect(std.err).toMatchInlineSnapshot(`""`);
+		await expect(runWrangler("containers push test-app:tag")).rejects.toThrow(
+			"Unsupported platform"
+		);
+	});
+});

packages/wrangler/src/cloudchamber/build.ts

@@ -62,6 +62,8 @@ export function buildYargs(yargs: CommonYargsArgv) {
 			describe:
 				"Platform to build for. Defaults to the architecture support by Workers (linux/amd64)",
 			demandOption: false,
+			hidden: true,
+			deprecated: true,
 		});
 }
 
@@ -225,6 +227,11 @@ export async function buildCommand(
 			`${args.PATH} is not a directory. Please specify a valid directory path.`
 		);
 	}
+	if (args.platform !== "linux/amd64") {
+		throw new UserError(
+			`Unsupported platform: Platform "${args.platform}" is unsupported. Please use "linux/amd64" instead.`
+		);
+	}
 	// if containers are not defined, the build should still work.
 	const containers = config.containers ?? [undefined];
 	const pathToDockerfile = join(args.PATH, "Dockerfile");
@@ -257,6 +264,7 @@ export async function pushCommand(
 			args.TAG
 		);
 		const dockerPath = args.pathToDocker ?? getDockerPath();
+		await checkImagePlatform(dockerPath, args.TAG);
 		await runDockerCmd(dockerPath, ["tag", args.TAG, newTag]);
 		await runDockerCmd(dockerPath, ["push", newTag]);
 		logger.log(`Pushed image: ${newTag}`);
@@ -269,6 +277,23 @@ export async function pushCommand(
 	}
 }
 
+async function checkImagePlatform(
+	pathToDocker: string,
+	imageTag: string,
+	expectedPlatform: string = "linux/amd64"
+) {
+	const platform = await dockerImageInspect(pathToDocker, {
+		imageTag,
+		formatString: "{{ .Os }}/{{ .Architecture }}",
+	});
+
+	if (platform !== expectedPlatform) {
+		throw new Error(
+			`Unsupported platform: Image platform (${platform}) does not match the expected platform (${expectedPlatform})`
+		);
+	}
+}
+
 export async function ensureDiskLimits(options: {
 	requiredSize: number;
 	account: CompleteAccountCustomer;