[PoC] Implement Custom Stacks RFC

Author: FloThinksPi

app/controllers/v3/space_manifests_controller.rb

@@ -127,6 +127,9 @@ def incompatible_with_buildpacks(lifecycle_type, manifest)
   end
 
   def incompatible_with_docker(lifecycle_type, manifest)
+    # Allow docker + buildpack when lifecycle is explicitly set to buildpack (custom stack usage)
+    return false if lifecycle_type == 'buildpack' && manifest.requested?(:lifecycle) && manifest.lifecycle == 'buildpack'
+
     lifecycle_type == 'buildpack' && manifest.docker
   end
 end

app/fetchers/buildpack_lifecycle_fetcher.rb

@@ -4,8 +4,16 @@ module VCAP::CloudController
   class BuildpackLifecycleFetcher
     class << self
       def fetch(buildpack_names, stack_name, lifecycle=Config.config.get(:default_app_lifecycle))
+        # Try to find the stack in the database first
+        stack = Stack.find(name: stack_name) if stack_name.is_a?(String)
+
+        # If not found and it looks like a custom stack URL, use it as-is (normalized)
+        if stack.nil? && stack_name.is_a?(String) && is_custom_stack?(stack_name)
+          stack = normalize_stack_url(stack_name)
+        end
+
         {
-          stack: Stack.find(name: stack_name),
+          stack: stack,
           buildpack_infos: ordered_buildpacks(buildpack_names, stack_name, lifecycle)
         }
       end
@@ -20,6 +28,21 @@ def ordered_buildpacks(buildpack_names, stack_name, lifecycle)
           BuildpackInfo.new(buildpack_name, buildpack_record)
         end
       end
+
+      def is_custom_stack?(stack_name)
+        # Check for various container registry URL formats (be conservative)
+        return true if stack_name.include?('docker://')
+        return true if stack_name.match?(%r{^https?://[^/]+/.+})  # https://registry/image
+        return true if stack_name.match?(%r{^[a-zA-Z0-9.-]*\.[a-zA-Z]{2,}/[^/]+/[^/]+})  # registry.com/namespace/image (at least 2 path components)
+        false
+      end
+
+      def normalize_stack_url(stack_url)
+        return stack_url if stack_url.start_with?('docker://')
+        return stack_url.sub(/^https?:\/\//, 'docker://') if stack_url.match?(%r{^https?://})
+        return "docker://#{stack_url}" if stack_url.match?(%r{^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/.+})
+        stack_url
+      end
     end
   end
 end

app/messages/app_manifest_message.rb

@@ -138,9 +138,17 @@ def app_lifecycle_hash
                          Lifecycles::DOCKER
                        end
 
+      # Use docker image as custom stack when lifecycle is explicitly buildpack
+      stack_value = if requested?(:lifecycle) && @lifecycle == 'buildpack' && requested?(:docker) && docker
+                      docker_image = docker[:image] || docker['image']
+                      docker_image ? "docker://#{docker_image}" : @stack
+                    else
+                      @stack
+                    end
+
       data = {
         buildpacks: requested_buildpacks,
-        stack: @stack,
+        stack: stack_value,
         credentials: @cnb_credentials
       }.compact
 
@@ -475,6 +483,9 @@ def validate_cnb_enabled!
     def validate_docker_buildpacks_combination!
       return unless requested?(:docker) && (requested?(:buildpack) || requested?(:buildpacks))
 
+      # Allow docker + buildpacks when lifecycle is explicitly set to buildpack (custom stack usage)
+      return if requested?(:lifecycle) && @lifecycle == 'buildpack'
+
       errors.add(:base, 'Cannot specify both buildpack(s) and docker keys')
     end
 

app/messages/buildpack_lifecycle_data_message.rb

@@ -1,3 +1,5 @@
+require 'uri'
+
 module VCAP::CloudController
   class BuildpackLifecycleDataMessage < BaseMessage
     register_allowed_keys %i[buildpacks stack credentials]
@@ -19,6 +21,7 @@ class BuildpackLifecycleDataMessage < BaseMessage
 
     validate :buildpacks_content
     validate :credentials_content
+    validate :custom_stack_requires_custom_buildpack
 
     def buildpacks_content
       return unless buildpacks.is_a?(Array)
@@ -40,7 +43,44 @@ def buildpacks_content
     def credentials_content
       return unless credentials.is_a?(Hash)
 
-      errors.add(:credentials, 'credentials value must be a hash') if credentials.any? { |_, v| !v.is_a?(Hash) }
+      credentials.each do |registry, creds|
+        unless creds.is_a?(Hash)
+          errors.add(:credentials, "for registry '#{registry}' must be a hash")
+          next
+        end
+
+        has_username = creds.key?('username') || creds.key?(:username)
+        has_password = creds.key?('password') || creds.key?(:password)
+        errors.add(:base, "credentials for #{registry} must include 'username' and 'password'") unless has_username && has_password
+      end
+    end
+
+    def custom_stack_requires_custom_buildpack
+      return unless stack.is_a?(String) && is_custom_stack?(stack)
+      return unless FeatureFlag.enabled?(:diego_custom_stacks)
+      return unless buildpacks.is_a?(Array)
+
+      buildpacks.each do |buildpack_name|
+        # If buildpack is a URL, it's custom
+        next if buildpack_name&.match?(URI::DEFAULT_PARSER.make_regexp)
+
+        # Check if it's a system buildpack
+        system_buildpack = Buildpack.find(name: buildpack_name)
+        if system_buildpack
+          errors.add(:base, 'Buildpack must be a custom buildpack when using a custom stack')
+          break
+        end
+      end
+    end
+
+    private
+
+    def is_custom_stack?(stack_name)
+      # Check for various container registry URL formats (be conservative)
+      return true if stack_name.include?('docker://')
+      return true if stack_name.match?(%r{^https?://[^/]+/.+})  # https://registry/image
+      return true if stack_name.match?(%r{^[a-zA-Z0-9.-]*\.[a-zA-Z]{2,}/[^/]+/[^/]+})  # registry.com/namespace/image (at least 2 path components)
+      false
     end
   end
 end

app/messages/validators.rb

@@ -198,7 +198,7 @@ def validate(record)
       lifecycle_data_message = lifecycle_data_message_class.new(record.lifecycle_data)
       return if lifecycle_data_message.valid?
 
-      lifecycle_data_message.errors.full_messages.each do |message|
+      lifecycle_data_message.errors.each do |attribute, message|
         record.errors.add(:lifecycle, message:)
       end
     end

app/models/runtime/cnb_lifecycle_data_model.rb

@@ -68,13 +68,10 @@ def using_custom_buildpack?
     end
 
     def to_hash
-      hash = {
+      {
         buildpacks: buildpacks.map { |buildpack| CloudController::UrlSecretObfuscator.obfuscate(buildpack) },
         stack: stack
       }
-      hash[:credentials] = Presenters::Censorship::REDACTED_CREDENTIAL unless credentials.nil?
-
-      hash
     end
 
     def validate

app/models/runtime/feature_flag.rb

@@ -14,6 +14,7 @@ class UndefinedFeatureFlagError < StandardError
       service_instance_creation: true,
       diego_docker: false,
       diego_cnb: false,
+      diego_custom_stacks: false,
       set_roles_by_username: true,
       unset_roles_by_username: true,
       task_creation: true,

lib/cloud_controller/diego/lifecycles/buildpack_lifecycle_data_validator.rb

@@ -8,6 +8,14 @@ class BuildpackLifecycleDataValidator
 
     validate :buildpacks_are_uri_or_nil
     validate :stack_exists_in_db
+    validate :custom_stack_requires_custom_buildpack
+
+    def custom_stack_requires_custom_buildpack
+      return unless stack.is_a?(String) && is_custom_stack?(stack)
+      return if buildpack_infos.all?(&:custom?)
+
+      errors.add(:buildpack, 'must be a custom buildpack when using a custom stack')
+    end
 
     def buildpacks_are_uri_or_nil
       buildpack_infos.each do |buildpack_info|
@@ -16,15 +24,44 @@ def buildpacks_are_uri_or_nil
         next if buildpack_info.buildpack_url
 
         if stack
-          errors.add(:buildpack, %("#{buildpack_info.buildpack}" for stack "#{stack.name}" must be an existing admin buildpack or a valid git URI))
+          stack_name = stack.is_a?(String) ? stack : stack.name
+          errors.add(:buildpack, %("#{buildpack_info.buildpack}" for stack "#{stack_name}" must be an existing admin buildpack or a valid git URI))
         else
           errors.add(:buildpack, %("#{buildpack_info.buildpack}" must be an existing admin buildpack or a valid git URI))
         end
       end
     end
 
     def stack_exists_in_db
-      errors.add(:stack, 'must be an existing stack') if stack.nil?
+      # Explicitly check for nil first
+      if stack.nil?
+        errors.add(:stack, 'must be an existing stack')
+        return
+      end
+
+      # Handle custom stacks (container registry URLs)
+      if stack.is_a?(String) && is_custom_stack?(stack) && FeatureFlag.enabled?(:diego_custom_stacks)
+        return
+      end
+
+      # Handle existing stack objects or string names
+      if stack.is_a?(String)
+        # For string stack names, verify they exist in the database
+        unless VCAP::CloudController::Stack.where(name: stack).any?
+          errors.add(:stack, 'must be an existing stack')
+        end
+      end
+      # If stack is an object (not nil, not string), assume it's valid
+    end
+
+    private
+
+    def is_custom_stack?(stack_name)
+      # Check for various container registry URL formats (be conservative)
+      return true if stack_name.include?('docker://')
+      return true if stack_name.match?(%r{^https?://[^/]+/.+})  # https://registry/image
+      return true if stack_name.match?(%r{^[a-zA-Z0-9.-]*\.[a-zA-Z]{2,}/[^/]+/[^/]+})  # registry.com/namespace/image (at least 2 path components)
+      false
     end
   end
 end

lib/cloud_controller/diego/lifecycles/lifecycle_base.rb

@@ -17,7 +17,13 @@ def initialize(package, staging_message)
     delegate :valid?, :errors, to: :validator
 
     def staging_stack
-      requested_stack || app_stack || VCAP::CloudController::Stack.default.name
+      stack = requested_stack || app_stack || VCAP::CloudController::Stack.default.name
+      FeatureFlag.raise_unless_enabled!(:diego_custom_stacks) if stack.is_a?(String) && is_custom_stack?(stack)
+      stack
+    end
+
+    def credentials
+      staging_message.lifecycle_data&.dig(:credentials)
     end
 
     private
@@ -31,5 +37,15 @@ def requested_stack
     end
 
     attr_reader :validator
+
+    private
+
+    def is_custom_stack?(stack_name)
+      # Check for various container registry URL formats (be conservative)
+      return true if stack_name.include?('docker://')
+      return true if stack_name.match?(%r{^https?://[^/]+/.+})  # https://registry/image
+      return true if stack_name.match?(%r{^[a-zA-Z0-9.-]*\.[a-zA-Z]{2,}/[^/]+/[^/]+})  # registry.com/namespace/image (at least 2 path components)
+      false
+    end
   end
 end

lib/cloud_controller/diego/task_recipe_builder.rb

@@ -91,12 +91,55 @@ def build_staging_task(config, staging_details)
               "app:#{staging_details.package.app_guid}"
             ]
           ),
-          image_username: staging_details.package.docker_username,
-          image_password: staging_details.package.docker_password,
+          image_username: image_username(staging_details),
+          image_password: image_password(staging_details),
           volume_mounted_files: ServiceBindingFilesBuilder.build(staging_details.package.app)
         }.compact)
       end
 
+      def image_username(staging_details)
+        return staging_details.package.docker_username if staging_details.package.docker_username.present?
+        return unless staging_details.lifecycle.respond_to?(:credentials) && staging_details.lifecycle.credentials.present?
+
+        cred = get_credentials_for_stack(staging_details)
+        cred ? cred['username'] : nil
+      end
+
+      def image_password(staging_details)
+        return staging_details.package.docker_password if staging_details.package.docker_password.present?
+        return unless staging_details.lifecycle.respond_to?(:credentials) && staging_details.lifecycle.credentials.present?
+
+        cred = get_credentials_for_stack(staging_details)
+        cred ? cred['password'] : nil
+      end
+
+      def get_credentials_for_stack(staging_details)
+        stack = staging_details.lifecycle.staging_stack
+        return nil unless is_custom_stack?(stack)
+
+        # Convert different URL formats to a standard format for parsing
+        normalized_stack = normalize_stack_url(stack)
+        stack_uri = URI.parse(normalized_stack)
+        host = stack_uri.host
+        staging_details.lifecycle.credentials[host]
+      end
+
+      def normalize_stack_url(stack_url)
+        return stack_url if stack_url.start_with?('docker://')
+        return stack_url.sub(/^https?:\/\//, 'docker://') if stack_url.match?(%r{^https?://})
+        return "docker://#{stack_url}" if stack_url.match?(%r{^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/.+})
+        stack_url
+      end
+
+      def is_custom_stack?(stack_name)
+        return false unless stack_name.is_a?(String)
+        # Check for various container registry URL formats (be conservative)
+        return true if stack_name.include?('docker://')
+        return true if stack_name.match?(%r{^https?://[^/]+/.+})  # https://registry/image
+        return true if stack_name.match?(%r{^[a-zA-Z0-9.-]*\.[a-zA-Z]{2,}/[^/]+/[^/]+})  # registry.com/namespace/image (at least 2 path components)
+        false
+      end
+
       private
 
       def metric_tags(source)