fix(BuildStrategy): follow shp-output-insecure properly with buildpacks#2238
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
The current implementation has one flaw: it creates the CNB_INSECURE_REGISTRIES environment variable in all cases which should not happen when `shp-output-insecure` is set to false. Hence move that part under the PARAM_OUTPUT_INSECURE check. Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
9d517b4 to
943ac31
Compare
SaschaSchwarze0
left a comment
There was a problem hiding this comment.
/hold
I am not agreeing with your statement
The current implementation has one flaw: it creates the CNB_INSECURE_REGISTRIES environment variable in all cases which should not happen when shp-output-insecure is set to false.
The build user, can specify insecure on build.spec.output and for Buildpacks, the user can pass (additional) insecure registries by host using build.spec.paramValues.
Imo, it is totally legitimate to have a secure output registry (and therefore have build.spec.output.insecure = false) while still having the need to consume from insecure registries (for example a custom run-image) and therefore pass that in param values.
Your proposed change would mean that the param value is then ignored.
Am I missing something?
I think I get you. I misunderstood something and while my fix is wrong, it may point to something else. One thing I somehow missed was that While I was doing some work to implement a similar logic in a different BuildStrategy, I passed the output image prefix in With that in mind, should we add a check that will make the build fail if the image prefix can be found in the |
Gut feeling ... I tend to not fail the build, but logging a warning could make sense. Something like "You use the |
|
Sounds good One last question before I refactor the patch: should the push not happen in this case to avoid accidentally sending the image to a registry that was not meant to be used in the first place for that ? |
When output insecure is enabled, the registry is added to the list of insecure registries so it should not be listed as part of the insecure-registries parameters. Doing so means that even if insecure output is set to false the image will be pushed. A warning is now printed in the logs. An empty list or an empty value in the list are now properly handled as well. Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
This avoids pushing images to an insecure registry when insecure output is set to false but the target registry is listed in the "insecure-registry" parameter. Doing so allows the build process to proceed but won't accidentally push the iamge. Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
Changes
This PR refactors the implementation to:
insecure-registriesboth as empty list or empty values in it.insecure-registriesRelated Issue
Fixes #2237
Type of PR
/kind bug
Submitter Checklist
See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.
Release Notes