Skip to content

fix(BuildStrategy): follow shp-output-insecure properly with buildpacks#2238

Open
sgaist wants to merge 3 commits into
shipwright-io:mainfrom
idiap:fix/buildpack-buildstrategy-follow-shp-output-insecure-correctly
Open

fix(BuildStrategy): follow shp-output-insecure properly with buildpacks#2238
sgaist wants to merge 3 commits into
shipwright-io:mainfrom
idiap:fix/buildpack-buildstrategy-follow-shp-output-insecure-correctly

Conversation

@sgaist

@sgaist sgaist commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Changes

This PR refactors the implementation to:

  • Better handle empty insecure-registries both as empty list or empty values in it.
  • Adds a warning if the registry used for the insecure output is listed in the insecure-registries
  • Disable the upload stage if that is the case

Related Issue

Fixes #2237

Type of PR

/kind bug

Submitter Checklist

  • Includes tests if functionality changed/was added
  • Includes docs if changes are user-facing
  • Kind label has been set
  • Release notes block has been filled in, or marked NONE

See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.

Release Notes

Fixed buildpacks-v3 BuildStrategy examples: improved `shp-output-insecure` handling.

@openshift-ci openshift-ci Bot added kind/bug Categorizes issue or PR as related to a bug. release-note Label for when a PR has specified a release note labels Jun 22, 2026
@pull-request-size pull-request-size Bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 22, 2026
@openshift-ci openshift-ci Bot requested review from adambkaplan and karanibm6 June 22, 2026 14:27
@openshift-ci

openshift-ci Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign heavywombat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

The current implementation has one flaw: it creates the
CNB_INSECURE_REGISTRIES environment variable in all cases
which should not happen when `shp-output-insecure` is set
to false.

Hence move that part under the PARAM_OUTPUT_INSECURE check.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
@sgaist sgaist force-pushed the fix/buildpack-buildstrategy-follow-shp-output-insecure-correctly branch from 9d517b4 to 943ac31 Compare June 22, 2026 14:49

@SaschaSchwarze0 SaschaSchwarze0 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/hold

I am not agreeing with your statement

The current implementation has one flaw: it creates the CNB_INSECURE_REGISTRIES environment variable in all cases which should not happen when shp-output-insecure is set to false.

The build user, can specify insecure on build.spec.output and for Buildpacks, the user can pass (additional) insecure registries by host using build.spec.paramValues.

Imo, it is totally legitimate to have a secure output registry (and therefore have build.spec.output.insecure = false) while still having the need to consume from insecure registries (for example a custom run-image) and therefore pass that in param values.

Your proposed change would mean that the param value is then ignored.

Am I missing something?

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 29, 2026
@sgaist

sgaist commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

/hold

I am not agreeing with your statement

The current implementation has one flaw: it creates the CNB_INSECURE_REGISTRIES environment variable in all cases which should not happen when shp-output-insecure is set to false.

The build user, can specify insecure on build.spec.output and for Buildpacks, the user can pass (additional) insecure registries by host using build.spec.paramValues.

Imo, it is totally legitimate to have a secure output registry (and therefore have build.spec.output.insecure = false) while still having the need to consume from insecure registries (for example a custom run-image) and therefore pass that in param values.

Your proposed change would mean that the param value is then ignored.

Am I missing something?

I think I get you. I misunderstood something and while my fix is wrong, it may point to something else.

One thing I somehow missed was that CNB_INSECURE_REGISTRIES works both ways, for pulling and pushing as I essentially worked from the premise that the feature would be used only for pushing the output image.

While I was doing some work to implement a similar logic in a different BuildStrategy, I passed the output image prefix in params.insecure-registries which meant that with or without shp-output-insecure set, it wouldn't change the outcome: the image would be successfully built and pushed thus something I was not expecting and the creation of this patch.

With that in mind, should we add a check that will make the build fail if the image prefix can be found in the params.insecure-registries while shp-output-insecure is set to false ?

@SaschaSchwarze0

Copy link
Copy Markdown
Member

With that in mind, should we add a check that will make the build fail if the image prefix can be found in the params.insecure-registries while shp-output-insecure is set to false ?

Gut feeling ... I tend to not fail the build, but logging a warning could make sense. Something like "You use the insecure-registries parameter for the registry host of the output image. Consider using the insecure flag on the output definition instead."

@sgaist

sgaist commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Sounds good

One last question before I refactor the patch: should the push not happen in this case to avoid accidentally sending the image to a registry that was not meant to be used in the first place for that ?
This will keep the build working but also make the person involved check the logs to understand why they did not get the image in the registry.

sgaist added 2 commits July 3, 2026 11:13
When output insecure is enabled, the registry is
added to the list of insecure registries so it should
not be listed as part of the insecure-registries
parameters. Doing so means that even if insecure
output is set to false the image will be pushed.

A warning is now printed in the logs.

An empty list or an empty value in the list are
now properly handled as well.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
This avoids pushing images to an insecure registry when insecure
output is set to false but the target registry is listed in the
"insecure-registry" parameter.

Doing so allows the build process to proceed but won't
accidentally push the iamge.

Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
@pull-request-size pull-request-size Bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 3, 2026
@sgaist sgaist requested a review from SaschaSchwarze0 July 3, 2026 11:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/bug Categorizes issue or PR as related to a bug. release-note Label for when a PR has specified a release note size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

Status: No status

Development

Successfully merging this pull request may close these issues.

[BUG] Buildpacks BuildStrategy does not follow shp-output-insecure properly

3 participants