From 2151b98b63d3f5d8266a336880e5fee2437a5937 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20St=C3=A4bler?= Date: Thu, 2 Apr 2026 17:28:02 +0200 Subject: [PATCH 1/4] Use tlsVerify param in Pipeline template for pack too --- pkg/pipelines/tekton/templates_pack.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkg/pipelines/tekton/templates_pack.go b/pkg/pipelines/tekton/templates_pack.go index 30ac671d11..bf3533bf55 100644 --- a/pkg/pipelines/tekton/templates_pack.go +++ b/pkg/pipelines/tekton/templates_pack.go @@ -40,6 +40,10 @@ spec: - description: Environment variables to set during build time name: buildEnvs type: array + - description: Verify TLS when pushing to registry + name: tlsVerify + type: string + default: 'true' tasks: - name: build params: @@ -58,6 +62,8 @@ spec: - name: ENV_VARS value: - '$(params.buildEnvs[*])' + - name: TLSVERIFY + value: $(params.tlsVerify) {{.FuncBuildpacksTaskRef}} workspaces: - name: source @@ -111,6 +117,8 @@ spec: {{range .BuildEnvs -}} - {{.}} {{end}} + - name: tlsVerify + value: {{.TlsVerify}} pipelineRef: name: {{.PipelineName}} workspaces: @@ -171,6 +179,8 @@ spec: {{range .BuildEnvs -}} - {{.}} {{end}} + - name: tlsVerify + value: {{.TlsVerify}} pipelineRef: name: {{.PipelineName}} workspaces: From 6d737b13efb8f374f75d98294f4a9095e4e4de50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20St=C3=A4bler?= Date: Thu, 2 Apr 2026 18:08:26 +0200 Subject: [PATCH 2/4] Use CNB_INSECURE_REGISTRIES in buildpack create task when TLSVERIFY is set to false --- pkg/pipelines/tekton/task-buildpack.yaml.tmpl | 38 ++++++++++++------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/pkg/pipelines/tekton/task-buildpack.yaml.tmpl b/pkg/pipelines/tekton/task-buildpack.yaml.tmpl index abda863372..384b55a518 100644 --- a/pkg/pipelines/tekton/task-buildpack.yaml.tmpl +++ b/pkg/pipelines/tekton/task-buildpack.yaml.tmpl 
@@ -61,6 +61,9 @@ spec: - name: PLATFORM_DIR description: The name of the platform directory. default: empty-dir + - name: TLSVERIFY + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + default: "true" stepTemplate: env: - name: CNB_PLATFORM_API @@ -195,23 +198,30 @@ spec: - name: create image: $(params.BUILDER_IMAGE) imagePullPolicy: Always - command: ["/cnb/lifecycle/creator"] env: - name: DOCKER_CONFIG value: $(workspaces.dockerconfig.path) - args: - - "-app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)" - - "-cache-dir=$(workspaces.cache.path)" - - "-cache-image=$(params.CACHE_IMAGE)" - - "-uid=$(params.USER_ID)" - - "-gid=$(params.GROUP_ID)" - - "-layers=/layers" - - "-platform=/platform" - - "-report=/layers/report.toml" - - "-skip-restore=$(params.SKIP_RESTORE)" - - "-previous-image=$(params.APP_IMAGE)" - - "-run-image=$(params.RUN_IMAGE)" - - "$(params.APP_IMAGE)" + script: | + #!/usr/bin/env bash + set -e + + if [ "$(params.TLSVERIFY)" = "false" ]; then + export CNB_INSECURE_REGISTRIES="$(params.REGISTRY)" + fi + + /cnb/lifecycle/creator \ + -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) \ + -cache-dir=$(workspaces.cache.path) \ + -cache-image=$(params.CACHE_IMAGE) \ + -uid=$(params.USER_ID) \ + -gid=$(params.GROUP_ID) \ + -layers=/layers \ + -platform=/platform \ + -report=/layers/report.toml \ + -skip-restore=$(params.SKIP_RESTORE) \ + -previous-image=$(params.APP_IMAGE) \ + -run-image=$(params.RUN_IMAGE) \ + $(params.APP_IMAGE) volumeMounts: - name: layers-dir mountPath: /layers From 85fd2965d298672445388cfd495c006789073361 Mon Sep 17 00:00:00 2001 
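Review bot: The new `script` body of the `create` step has Tekton substitute `$(params.REGISTRY)`, `$(params.SOURCE_SUBPATH)`, `$(params.APP_IMAGE)` and the other parameters straight into bash source, so a value containing whitespace or shell metacharacters is parsed as script text instead of being passed as one argument, which the removed `command`/`args` form did not allow. If a script is kept, the values should arrive as step environment variables and be expanded quoted, for example `export CNB_INSECURE_REGISTRIES="$PARAM_REGISTRY"` with a (constructed) `PARAM_REGISTRY` entry under `env:` whose value is `$(params.REGISTRY)`. No `REGISTRY` parameter is declared in the part of the task's `params` visible in this patch, so that reference should be checked too. PATCH 3/4 later on this page goes back to `command`/`args`, so squashing the two would keep the interpolated script out of history. The step definition continues past the end of the hunk.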
From: =?UTF-8?q?Christoph=20St=C3=A4bler?= Date: Tue, 7 Apr 2026 08:53:12 +0200 Subject: [PATCH 3/4] Remove create task script and set CNB_INSECURE_REGISTRIES conditionally in template parsing --- pkg/pipelines/tekton/task-buildpack.yaml.tmpl | 43 ++++++++----------- pkg/pipelines/tekton/templates.go | 8 ++++ pkg/pipelines/tekton/templates_pack.go | 14 ++---- 3 files changed, 31 insertions(+), 34 deletions(-) diff --git a/pkg/pipelines/tekton/task-buildpack.yaml.tmpl b/pkg/pipelines/tekton/task-buildpack.yaml.tmpl index 384b55a518..51867292e6 100644 --- a/pkg/pipelines/tekton/task-buildpack.yaml.tmpl +++ b/pkg/pipelines/tekton/task-buildpack.yaml.tmpl @@ -61,9 +61,9 @@ spec: - name: PLATFORM_DIR description: The name of the platform directory. default: empty-dir - - name: TLSVERIFY - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - default: "true" + - name: INSECURE_REGISTRIES + description: Registries to access without TLS verification + default: "" stepTemplate: env: - name: CNB_PLATFORM_API 
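Review bot: The description of the new `INSECURE_REGISTRIES` parameter says neither what format the value takes nor what protection is lost for a listed registry. The value is passed to the lifecycle as `CNB_INSECURE_REGISTRIES` in the next hunk of this patch, so a wording such as `description: Registry hosts the lifecycle may contact without verifying TLS; credentials and image content sent to them are not protected in transit. Leave empty to keep verification on.` would tell a task user what they are opting into. If more than one entry is accepted, the separator should be named there as well.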
@@ -198,30 +198,25 @@ spec: - name: create image: $(params.BUILDER_IMAGE) imagePullPolicy: Always + command: ["/cnb/lifecycle/creator"] env: - name: DOCKER_CONFIG value: $(workspaces.dockerconfig.path) - script: | - #!/usr/bin/env bash - set -e - - if [ "$(params.TLSVERIFY)" = "false" ]; then - export CNB_INSECURE_REGISTRIES="$(params.REGISTRY)" - fi - - /cnb/lifecycle/creator \ - -app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH) \ - -cache-dir=$(workspaces.cache.path) \ - -cache-image=$(params.CACHE_IMAGE) \ - -uid=$(params.USER_ID) \ - -gid=$(params.GROUP_ID) \ - -layers=/layers \ - -platform=/platform \ - -report=/layers/report.toml \ - -skip-restore=$(params.SKIP_RESTORE) \ - -previous-image=$(params.APP_IMAGE) \ - -run-image=$(params.RUN_IMAGE) \ - $(params.APP_IMAGE) + - name: CNB_INSECURE_REGISTRIES + value: $(params.INSECURE_REGISTRIES) + args: + - "-app=$(workspaces.source.path)/$(params.SOURCE_SUBPATH)" + - "-cache-dir=$(workspaces.cache.path)" + - "-cache-image=$(params.CACHE_IMAGE)" + - "-uid=$(params.USER_ID)" + - "-gid=$(params.GROUP_ID)" + - "-layers=/layers" + - "-platform=/platform" + - "-report=/layers/report.toml" + - "-skip-restore=$(params.SKIP_RESTORE)" + - "-previous-image=$(params.APP_IMAGE)" + - "-run-image=$(params.RUN_IMAGE)" + - "$(params.APP_IMAGE)" volumeMounts: - name: layers-dir mountPath: /layers diff --git a/pkg/pipelines/tekton/templates.go b/pkg/pipelines/tekton/templates.go index c199f7ffac..40f3c3c6a4 100644 --- a/pkg/pipelines/tekton/templates.go +++ b/pkg/pipelines/tekton/templates.go 
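Review bot: `CNB_INSECURE_REGISTRIES` is added to the `create` step directly beside `DOCKER_CONFIG`, so credentials from the `dockerconfig` workspace can be presented to any host named in `INSECURE_REGISTRIES` without certificate verification, and nothing in the task records that. I would put a YAML comment above the new entry, for example `# Hosts listed here are contacted without TLS verification, including when DOCKER_CONFIG credentials are sent.` It is also worth confirming that the `CNB_PLATFORM_API` value set in `stepTemplate` (outside this hunk) is one for which the lifecycle reads this variable, and that the empty string produced by the parameter's default is treated as "no insecure registries". The step definition continues past the end of the hunk.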
@@ -294,11 +294,19 @@ func createAndApplyPipelineTemplate(f fn.Function, namespace string, labels map[ // If Git is set up create fetch task and reference it from build task, // otherwise sources have been already uploaded to workspace PVC. + // Determine if TLS verification should be skipped + tlsVerify := "true" + if f.RegistryInsecure || isInsecureRegistry(f.Registry) { + tlsVerify = "false" + } + data := templateData{ FunctionName: f.Name, Annotations: f.Deploy.Annotations, Labels: labels, PipelineName: getPipelineName(f), + Registry: f.Registry, + TlsVerify: tlsVerify, } for _, val := range []struct { diff --git a/pkg/pipelines/tekton/templates_pack.go b/pkg/pipelines/tekton/templates_pack.go index bf3533bf55..7b5dcd02d9 100644 --- a/pkg/pipelines/tekton/templates_pack.go +++ b/pkg/pipelines/tekton/templates_pack.go @@ -40,10 +40,6 @@ spec: - description: Environment variables to set during build time name: buildEnvs type: array - - description: Verify TLS when pushing to registry - name: tlsVerify - type: string - default: 'true' tasks: - name: build params: @@ -62,8 +58,10 @@ spec: - name: ENV_VARS value: - '$(params.buildEnvs[*])' - - name: TLSVERIFY - value: $(params.tlsVerify) + {{- if eq .TlsVerify "false"}} + - name: INSECURE_REGISTRIES + value: $(params.registry) + {{- end}} {{.FuncBuildpacksTaskRef}} workspaces: - name: source @@ -117,8 +115,6 @@ spec: {{range .BuildEnvs -}} - {{.}} {{end}} - - name: tlsVerify - value: {{.TlsVerify}} pipelineRef: name: {{.PipelineName}} workspaces: @@ -179,8 +175,6 @@ spec: {{range .BuildEnvs -}} - {{.}} {{end}} - - name: tlsVerify - value: {{.TlsVerify}} pipelineRef: name: {{.PipelineName}} workspaces: From 772825e8adc02bb8ea794a01f59f28b777fea1ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20St=C3=A4bler?= Date: Tue, 7 Apr 2026 21:32:17 +0200 Subject: [PATCH 4/4] Update createPipelineTemplatePAC to provision tlsVerify too --- pkg/pipelines/tekton/templates.go | 8 ++++++++ 1 file changed, 8 insertions(+) 
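Review bot: The added block switches registry TLS verification off whenever `isInsecureRegistry(f.Registry)` returns true, even if the user never set `RegistryInsecure`, and nothing visible here reports that downgrade. `isInsecureRegistry` is defined outside the hunk, so which registries it matches cannot be checked from this page. The same block is repeated in `createPipelineTemplatePAC` by PATCH 4/4, so a later change to the rule has to be made in two places. I would move the decision into one helper whose doc comment states exactly when verification is disabled, call it from both functions, and surface a warning to the user when it yields "false". The block also lands directly under the existing comment about the Git fetch task, which now reads as if it described the TLS logic; `createAndApplyPipelineTemplate` itself starts and ends outside the hunk.

```go
// registryTLSVerify reports the tlsVerify value for f's pipeline: "false" only
// when f.RegistryInsecure is set or isInsecureRegistry matches f.Registry.
func registryTLSVerify(f fn.Function) string {
	if f.RegistryInsecure || isInsecureRegistry(f.Registry) {
		return "false"
	}
	return "true"
}

// … unchanged: FunctionName, Annotations, Labels, PipelineName, Registry …
		TlsVerify: registryTLSVerify(f),
```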
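Review bot: The `{{- if eq .TlsVerify "false"}}` guard around the `INSECURE_REGISTRIES` parameter is the only thing that keeps TLS verification on for ordinary registries, and no test file is changed anywhere in this series, so nothing pins that the parameter is absent when `TlsVerify` is "true" or empty. A rendering test covering both values would catch a regression that emits it unconditionally. A template comment such as `{{/* only the literal "false" disables verification; any other value keeps it on */}}` would record the intended fail-safe behaviour. It would also help to confirm that `$(params.registry)` has the form the lifecycle expects for an insecure-registry entry, since its value is not visible in this hunk.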
diff --git a/pkg/pipelines/tekton/templates.go b/pkg/pipelines/tekton/templates.go index 40f3c3c6a4..5ca9cb5f2c 100644 --- a/pkg/pipelines/tekton/templates.go +++ b/pkg/pipelines/tekton/templates.go @@ -95,11 +95,19 @@ type templateData struct { // createPipelineTemplatePAC creates a Pipeline template used for PAC on-cluster build // it creates the resource in the project directory func createPipelineTemplatePAC(f fn.Function, labels map[string]string) error { + // Determine if TLS verification should be skipped + tlsVerify := "true" + if f.RegistryInsecure || isInsecureRegistry(f.Registry) { + tlsVerify = "false" + } + data := templateData{ FunctionName: f.Name, Annotations: f.Deploy.Annotations, Labels: labels, PipelineName: getPipelineName(f), + TlsVerify: tlsVerify, + Registry: f.Registry, } for _, val := range []struct {