chore(images): add kubectl image
diff --git a/build/pin-images.py b/build/pin-images.py
index 0f113ae..dc42ef4 100755
--- a/build/pin-images.py
+++ b/build/pin-images.py
@@ -25,6 +25,22 @@
         r.raise_for_status()
         digest = r.json()["tags"][0]["manifest_digest"]
 
+    if image_ref.domain() == "docker.io":
+        # Get token for docker.io
+        r = requests.get(
+            "https://auth.docker.io/token",
+            params={"service": "registry.docker.io", "scope": f"repository:{image_ref.path()}:pull"},
+        )
+        r.raise_for_status()
+        token = r.json()["token"]
+
+        r = requests.get(
+            f"https://registry-1.docker.io/v2/{image_ref.path()}/manifests/{image_ref['tag']}",
+            headers={"Accept": "application/vnd.docker.distribution.manifest.v2+json", "Authorization": f"Bearer {token}"},
+        )
+        r.raise_for_status()
+        digest = r.headers["Docker-Content-Digest"]
+
     return f"{image_ref.domain()}/{image_ref.path()}@{digest}"
 
 
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index e48633b..d1319ec 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -85,6 +85,7 @@
   ks_endpoints: quay.io/vexxhost/heat@sha256:755225f9a63c0968f1ceeda3a2f06c66dd8d247ff00308f549e66496aa8f59d0 # image-source: quay.io/vexxhost/heat:zed
   ks_service: quay.io/vexxhost/heat@sha256:755225f9a63c0968f1ceeda3a2f06c66dd8d247ff00308f549e66496aa8f59d0 # image-source: quay.io/vexxhost/heat:zed
   ks_user: quay.io/vexxhost/heat@sha256:755225f9a63c0968f1ceeda3a2f06c66dd8d247ff00308f549e66496aa8f59d0 # image-source: quay.io/vexxhost/heat:zed
+  kubectl: docker.io/bitnami/kubectl@sha256:f59ccdfedf272a89983abe62ca277b86c8b0b3fcf913c4b7f637db08f4b21682 # image-source: docker.io/bitnami/kubectl:latest
   kube_apiserver: registry.k8s.io/kube-apiserver:v1.22.17
   kube_controller_manager: registry.k8s.io/kube-controller-manager:v1.22.17
   kube_coredns: registry.k8s.io/coredns/coredns:v1.8.4