From 8c5813d8437da83f935ce3b1092fd12608437559 Mon Sep 17 00:00:00 2001
From: Natalie Arellano <narellano@vmware.com>
Date: Wed, 28 Jun 2023 16:56:15 -0400
Subject: [PATCH 1/2] Fix: when running restore, provide creds for run image if
 there are run image extensions

Otherwise the restorer could fail to find the run image, resulting in unexpected behavior

Signed-off-by: Natalie Arellano <narellano@vmware.com>
---
 internal/build/lifecycle_execution.go      |  9 ++++++++-
 internal/build/lifecycle_execution_test.go | 22 +++++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/internal/build/lifecycle_execution.go b/internal/build/lifecycle_execution.go
index fb39fa1356..8ca6acd1ef 100644
--- a/internal/build/lifecycle_execution.go
+++ b/internal/build/lifecycle_execution.go
@@ -474,7 +474,9 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 			flags = append(flags, "-build-image", l.opts.BuilderImage)
 			registryImages = append(registryImages, l.opts.BuilderImage)
 		}
-
+		if l.hasExtensionsForRun() {
+			registryImages = append(registryImages, l.runImageAfterExtensions())
+		}
 		kanikoCacheBindOp = WithBinds(fmt.Sprintf("%s:%s", kanikoCache.Name(), l.mountPaths.kanikoCacheDir()))
 	}
 
@@ -851,9 +853,12 @@ type runImage struct {
 func (l *LifecycleExecution) hasExtensionsForRun() bool {
 	var amd analyzedMD
 	if _, err := toml.DecodeFile(filepath.Join(l.tmpDir, "analyzed.toml"), &amd); err != nil {
+		l.logger.Warnf("failed to parse analyzed.toml file, assuming no run image extensions...")
 		return false
 	}
 	if amd.RunImage == nil {
+		// this shouldn't be reachable
+		l.logger.Warnf("found no run image in analyzed.toml file, assuming no run image extensions...")
 		return false
 	}
 	return amd.RunImage.Extend
@@ -862,10 +867,12 @@ func (l *LifecycleExecution) hasExtensionsForRun() bool {
 func (l *LifecycleExecution) runImageAfterExtensions() string {
 	var amd analyzedMD
 	if _, err := toml.DecodeFile(filepath.Join(l.tmpDir, "analyzed.toml"), &amd); err != nil {
+		l.logger.Warnf("failed to parse analyzed.toml file, assuming run image did not change...")
 		return l.opts.RunImage
 	}
 	if amd.RunImage == nil {
 		// this shouldn't be reachable
+		l.logger.Warnf("found no run image in analyzed.toml file, assuming run image did not change...")
 		return l.opts.RunImage
 	}
 	return amd.RunImage.Image
diff --git a/internal/build/lifecycle_execution_test.go b/internal/build/lifecycle_execution_test.go
index e3673f072e..0fd5e59b5c 100644
--- a/internal/build/lifecycle_execution_test.go
+++ b/internal/build/lifecycle_execution_test.go
@@ -1709,6 +1709,26 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 			h.AssertSliceContains(t, configProvider.HostConfig().Binds, expectedBind)
 		})
 
+		when("there are extensions", func() {
+			platformAPI = api.MustParse("0.12")
+
+			when("for build", func() {
+				extensionsForBuild = true
+
+				it("configures the phase with registry access", func() {
+					h.AssertSliceContains(t, configProvider.ContainerConfig().Env, "CNB_REGISTRY_AUTH={}")
+				})
+			})
+
+			when("for run", func() {
+				extensionsForRun = true
+
+				it("configures the phase with registry access", func() {
+					h.AssertSliceContains(t, configProvider.ContainerConfig().Env, "CNB_REGISTRY_AUTH={}")
+				})
+			})
+		})
+
 		when("using cache image", func() {
 			fakeBuildCache = newFakeImageCache()
 
@@ -1999,7 +2019,7 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 				h.AssertSliceNotContains(t, configProvider.ContainerConfig().Cmd, "-stack")
 			})
 
-			when("extensions", func() {
+			when("there are extensions", func() {
 				when("for run", func() {
 					extensionsForRun = true
 

From 16bd3579343e543d8f8af2a07e841c8b5ff1ef02 Mon Sep 17 00:00:00 2001
From: Natalie Arellano <narellano@vmware.com>
Date: Fri, 30 Jun 2023 14:17:47 -0400
Subject: [PATCH 2/2] Fix: also provide creds if the run image reference
 changed (even if it was only switched and we don't need to run extend) as the
 restorer also needs to update the digest & target data.

Signed-off-by: Natalie Arellano <narellano@vmware.com>
---
 internal/build/lifecycle_execution.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/internal/build/lifecycle_execution.go b/internal/build/lifecycle_execution.go
index 8ca6acd1ef..913d866fb6 100644
--- a/internal/build/lifecycle_execution.go
+++ b/internal/build/lifecycle_execution.go
@@ -469,15 +469,17 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 	// for kaniko
 	kanikoCacheBindOp := NullOp()
 	if (l.platformAPI.AtLeast("0.10") && l.hasExtensionsForBuild()) ||
-		(l.platformAPI.AtLeast("0.12") && (l.hasExtensionsForBuild() || l.hasExtensionsForRun())) {
+		l.platformAPI.AtLeast("0.12") {
 		if l.hasExtensionsForBuild() {
 			flags = append(flags, "-build-image", l.opts.BuilderImage)
 			registryImages = append(registryImages, l.opts.BuilderImage)
 		}
-		if l.hasExtensionsForRun() {
+		if l.runImageChanged() || l.hasExtensionsForRun() {
 			registryImages = append(registryImages, l.runImageAfterExtensions())
 		}
-		kanikoCacheBindOp = WithBinds(fmt.Sprintf("%s:%s", kanikoCache.Name(), l.mountPaths.kanikoCacheDir()))
+		if l.hasExtensionsForBuild() || l.hasExtensionsForRun() {
+			kanikoCacheBindOp = WithBinds(fmt.Sprintf("%s:%s", kanikoCache.Name(), l.mountPaths.kanikoCacheDir()))
+		}
 	}
 
 	// for auths
@@ -853,7 +855,7 @@ type runImage struct {
 func (l *LifecycleExecution) hasExtensionsForRun() bool {
 	var amd analyzedMD
 	if _, err := toml.DecodeFile(filepath.Join(l.tmpDir, "analyzed.toml"), &amd); err != nil {
-		l.logger.Warnf("failed to parse analyzed.toml file, assuming no run image extensions...")
+		l.logger.Warnf("failed to parse analyzed.toml file, assuming no run image extensions: %s", err)
 		return false
 	}
 	if amd.RunImage == nil {
@@ -867,7 +869,7 @@ func (l *LifecycleExecution) hasExtensionsForRun() bool {
 func (l *LifecycleExecution) runImageAfterExtensions() string {
 	var amd analyzedMD
 	if _, err := toml.DecodeFile(filepath.Join(l.tmpDir, "analyzed.toml"), &amd); err != nil {
-		l.logger.Warnf("failed to parse analyzed.toml file, assuming run image did not change...")
+		l.logger.Warnf("failed to parse analyzed.toml file, assuming run image did not change: %s", err)
 		return l.opts.RunImage
 	}
 	if amd.RunImage == nil {
@@ -878,6 +880,11 @@ func (l *LifecycleExecution) runImageAfterExtensions() string {
 	return amd.RunImage.Image
 }
 
+func (l *LifecycleExecution) runImageChanged() bool {
+	currentRunImage := l.runImageAfterExtensions()
+	return currentRunImage != "" && currentRunImage != l.opts.RunImage
+}
+
 func (l *LifecycleExecution) appendLayoutOperations(opts []PhaseConfigProviderOperation) ([]PhaseConfigProviderOperation, error) {
 	layoutDir := filepath.Join(paths.RootDir, "layout-repo")
 	opts = append(opts, WithEnv("CNB_USE_LAYOUT=true", "CNB_LAYOUT_DIR="+layoutDir, "CNB_EXPERIMENTAL_MODE=warn"))