cloudfoundry
diff --git a/‎app/controllers/v3/space_manifests_controller.rb‎
Lines changed: 3 additions & 0 deletions b/‎app/controllers/v3/space_manifests_controller.rb‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎app/fetchers/buildpack_lifecycle_fetcher.rb‎
Lines changed: 24 additions & 1 deletion b/‎app/fetchers/buildpack_lifecycle_fetcher.rb‎
Lines changed: 24 additions & 1 deletion
diff --git a/‎app/messages/app_manifest_message.rb‎
Lines changed: 12 additions & 1 deletion b/‎app/messages/app_manifest_message.rb‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎app/messages/buildpack_lifecycle_data_message.rb‎
Lines changed: 41 additions & 1 deletion b/‎app/messages/buildpack_lifecycle_data_message.rb‎
Lines changed: 41 additions & 1 deletion
diff --git a/‎app/messages/validators.rb‎
Lines changed: 1 addition & 1 deletion b/‎app/messages/validators.rb‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/models/runtime/cnb_lifecycle_data_model.rb‎
Lines changed: 1 addition & 4 deletions b/‎app/models/runtime/cnb_lifecycle_data_model.rb‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎app/models/runtime/feature_flag.rb‎
Lines changed: 1 addition & 0 deletions b/‎app/models/runtime/feature_flag.rb‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/cloud_controller/diego/buildpack/desired_lrp_builder.rb‎
Lines changed: 22 additions & 0 deletions b/‎lib/cloud_controller/diego/buildpack/desired_lrp_builder.rb‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎lib/cloud_controller/diego/buildpack/task_action_builder.rb‎
Lines changed: 20 additions & 0 deletions b/‎lib/cloud_controller/diego/buildpack/task_action_builder.rb‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎lib/cloud_controller/diego/cnb/desired_lrp_builder.rb‎
Lines changed: 22 additions & 0 deletions b/‎lib/cloud_controller/diego/cnb/desired_lrp_builder.rb‎
Lines changed: 22 additions & 0 deletions
@@ -127,6 +127,9 @@ def incompatible_with_buildpacks(lifecycle_type, manifest)
   end
 
   def incompatible_with_docker(lifecycle_type, manifest)
+    # Allow docker + buildpack when lifecycle is explicitly set to buildpack (custom stack usage)
+    return false if lifecycle_type == 'buildpack' && manifest.requested?(:lifecycle) && manifest.lifecycle == 'buildpack'
+
     lifecycle_type == 'buildpack' && manifest.docker
   end
 end
@@ -4,8 +4,16 @@ module VCAP::CloudController
   class BuildpackLifecycleFetcher
     class << self
       def fetch(buildpack_names, stack_name, lifecycle=Config.config.get(:default_app_lifecycle))
+        # Try to find the stack in the database first
+        stack = Stack.find(name: stack_name) if stack_name.is_a?(String)
+
+        # If not found and it looks like a custom stack URL, use it as-is (normalized)
+        if stack.nil? && stack_name.is_a?(String) && is_custom_stack?(stack_name)
+          stack = normalize_stack_url(stack_name)
+        end
+
         {
-          stack: Stack.find(name: stack_name),
+          stack: stack,
           buildpack_infos: ordered_buildpacks(buildpack_names, stack_name, lifecycle)
         }
       end
@@ -20,6 +28,21 @@ def ordered_buildpacks(buildpack_names, stack_name, lifecycle)
           BuildpackInfo.new(buildpack_name, buildpack_record)
         end
       end
+
+      def is_custom_stack?(stack_name)
+        # Check for various container registry URL formats
+        return true if stack_name.include?('docker://')
+        return true if stack_name.match?(%r{^https?://})  # Any https/http URL
+        return true if stack_name.include?('.')  # Any string with a dot (likely a registry)
+        false
+      end
+
+      def normalize_stack_url(stack_url)
+        return stack_url if stack_url.start_with?('docker://')
+        return stack_url.sub(/^https?:\/\//, 'docker://') if stack_url.match?(%r{^https?://})
+        return "docker://#{stack_url}" if stack_url.match?(%r{^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/.+})
+        stack_url
+      end
     end
   end
 end
@@ -138,9 +138,17 @@ def app_lifecycle_hash
                          Lifecycles::DOCKER
                        end
 
+      # Use docker image as custom stack when lifecycle is explicitly buildpack
+      stack_value = if requested?(:lifecycle) && @lifecycle == 'buildpack' && requested?(:docker) && docker
+                      docker_image = docker[:image] || docker['image']
+                      docker_image ? "docker://#{docker_image}" : @stack
+                    else
+                      @stack
+                    end
+
       data = {
         buildpacks: requested_buildpacks,
-        stack: @stack,
+        stack: stack_value,
         credentials: @cnb_credentials
       }.compact
 
@@ -475,6 +483,9 @@ def validate_cnb_enabled!
     def validate_docker_buildpacks_combination!
       return unless requested?(:docker) && (requested?(:buildpack) || requested?(:buildpacks))
 
+      # Allow docker + buildpacks when lifecycle is explicitly set to buildpack (custom stack usage)
+      return if requested?(:lifecycle) && @lifecycle == 'buildpack'
+
       errors.add(:base, 'Cannot specify both buildpack(s) and docker keys')
     end
 
 
@@ -1,3 +1,5 @@
+require 'uri'
+
 module VCAP::CloudController
   class BuildpackLifecycleDataMessage < BaseMessage
     register_allowed_keys %i[buildpacks stack credentials]
@@ -19,6 +21,7 @@ class BuildpackLifecycleDataMessage < BaseMessage
 
     validate :buildpacks_content
     validate :credentials_content
+    validate :custom_stack_requires_custom_buildpack
 
     def buildpacks_content
       return unless buildpacks.is_a?(Array)
@@ -40,7 +43,44 @@ def buildpacks_content
     def credentials_content
       return unless credentials.is_a?(Hash)
 
-      errors.add(:credentials, 'credentials value must be a hash') if credentials.any? { |_, v| !v.is_a?(Hash) }
+      credentials.each do |registry, creds|
+        unless creds.is_a?(Hash)
+          errors.add(:credentials, "for registry '#{registry}' must be a hash")
+          next
+        end
+
+        has_username = creds.key?('username') || creds.key?(:username)
+        has_password = creds.key?('password') || creds.key?(:password)
+        errors.add(:base, "credentials for #{registry} must include 'username' and 'password'") unless has_username && has_password
+      end
+    end
+
+    def custom_stack_requires_custom_buildpack
+      return unless stack.is_a?(String) && is_custom_stack?(stack)
+      return unless FeatureFlag.enabled?(:diego_custom_stacks)
+      return unless buildpacks.is_a?(Array)
+
+      buildpacks.each do |buildpack_name|
+        # If buildpack is a URL, it's custom
+        next if buildpack_name&.match?(URI::DEFAULT_PARSER.make_regexp)
+
+        # Check if it's a system buildpack
+        system_buildpack = Buildpack.find(name: buildpack_name)
+        if system_buildpack
+          errors.add(:base, 'Buildpack must be a custom buildpack when using a custom stack')
+          break
+        end
+      end
+    end
+
+    private
+
+    def is_custom_stack?(stack_name)
+      # Check for various container registry URL formats
+      return true if stack_name.include?('docker://')
+      return true if stack_name.match?(%r{^https?://})  # Any https/http URL
+      return true if stack_name.include?('.')  # Any string with a dot (likely a registry)
+      false
     end
   end
 end
@@ -198,7 +198,7 @@ def validate(record)
       lifecycle_data_message = lifecycle_data_message_class.new(record.lifecycle_data)
       return if lifecycle_data_message.valid?
 
-      lifecycle_data_message.errors.full_messages.each do |message|
+      lifecycle_data_message.errors.each do |attribute, message|
         record.errors.add(:lifecycle, message:)
       end
     end
 
@@ -68,13 +68,10 @@ def using_custom_buildpack?
     end
 
     def to_hash
-      hash = {
+      {
         buildpacks: buildpacks.map { |buildpack| CloudController::UrlSecretObfuscator.obfuscate(buildpack) },
         stack: stack
       }
-      hash[:credentials] = Presenters::Censorship::REDACTED_CREDENTIAL unless credentials.nil?
-
-      hash
     end
 
     def validate
 
@@ -14,6 +14,7 @@ class UndefinedFeatureFlagError < StandardError
       service_instance_creation: true,
       diego_docker: false,
       diego_cnb: false,
+      diego_custom_stacks: false,
       set_roles_by_username: true,
       unset_roles_by_username: true,
       task_creation: true,
 
@@ -38,6 +38,11 @@ def cached_dependencies
         end
 
         def root_fs
+          # Handle custom stacks (docker:// URLs)
+          if @stack.is_a?(String) && is_custom_stack?(@stack)
+            return normalize_stack_url(@stack)
+          end
+
           @stack_obj ||= Stack.find(name: @stack)
           raise CloudController::Errors::ApiError.new_from_details('StackNotFound', @stack) unless @stack_obj
 
@@ -116,6 +121,23 @@ def port_environment_variables
         def privileged?
           @config.get(:diego, :use_privileged_containers_for_running)
         end
+
+        private
+
+        def is_custom_stack?(stack_name)
+          # Check for various container registry URL formats
+          return true if stack_name.include?('docker://')
+          return true if stack_name.match?(%r{^https?://})  # Any https/http URL
+          return true if stack_name.include?('.')  # Any string with a dot (likely a registry)
+          false
+        end
+
+        def normalize_stack_url(stack_url)
+          return stack_url if stack_url.start_with?('docker://')
+          return stack_url.sub(/^https?:\/\//, 'docker://') if stack_url.match?(%r{^https?://})
+          return "docker://#{stack_url}" if stack_url.include?('.')
+          stack_url
+        end
       end
     end
   end
 
@@ -90,6 +90,11 @@ def task_environment_variables
         end
 
         def stack
+          # Handle custom stacks (docker:// URLs)
+          if lifecycle_stack.is_a?(String) && is_custom_stack?(lifecycle_stack)
+            return normalize_stack_url(lifecycle_stack)
+          end
+
           @stack ||= Stack.find(name: lifecycle_stack)
           raise CloudController::Errors::ApiError.new_from_details('StackNotFound', lifecycle_stack) unless @stack
 
@@ -117,6 +122,21 @@ def lifecycle_bundle_key
         def lifecycle_stack
           lifecycle_data[:stack]
         end
+
+        def is_custom_stack?(stack_name)
+          # Check for various container registry URL formats
+          return true if stack_name.include?('docker://')
+          return true if stack_name.match?(%r{^https?://})  # Any https/http URL
+          return true if stack_name.include?('.')  # Any string with a dot (likely a registry)
+          false
+        end
+
+        def normalize_stack_url(stack_url)
+          return stack_url if stack_url.start_with?('docker://')
+          return stack_url.sub(/^https?:\\/\\//, 'docker://') if stack_url.match?(%r{^https?://})
+          return "docker://#{stack_url}" if stack_url.include?('.')
+          stack_url
+        end
       end
     end
   end
 
@@ -38,6 +38,11 @@ def cached_dependencies
         end
 
         def root_fs
+          # Handle custom stacks (docker:// URLs)
+          if @stack.is_a?(String) && is_custom_stack?(@stack)
+            return normalize_stack_url(@stack)
+          end
+
           @stack_obj ||= Stack.find(name: @stack)
           raise CloudController::Errors::ApiError.new_from_details('StackNotFound', @stack) unless @stack_obj
 
@@ -124,6 +129,23 @@ def default_container_env
             ::Diego::Bbs::Models::EnvironmentVariable.new(name: 'CNB_APP_DIR', value: '/home/vcap/workspace')
           ]
         end
+
+        private
+
+        def is_custom_stack?(stack_name)
+          # Check for various container registry URL formats
+          return true if stack_name.include?('docker://')
+          return true if stack_name.match?(%r{^https?://})  # Any https/http URL
+          return true if stack_name.include?('.')  # Any string with a dot (likely a registry)
+          false
+        end
+
+        def normalize_stack_url(stack_url)
+          return stack_url if stack_url.start_with?('docker://')
+          return stack_url.sub(/^https?:\/\//, 'docker://') if stack_url.match?(%r{^https?://})
+          return "docker://#{stack_url}" if stack_url.include?('.')
+          stack_url
+        end
       end
     end
   end