[BUG] Build Remains "unregistered" After Git Clone Secret is Created

[adambkaplan]

Is there an existing issue for this?

• I have searched the existing issues

Kubernetes Version

1.29

Shipwright Version

v0.13.0

Current Behavior

If we create a build requiring git credential before creating the secret and we create the secret after build creation, the build cannot start.

Expected Behavior

We should be able to run a build after the referenced secret.git.cloneSecret has been created.

Steps To Reproduce

1. Create a Build object that references a git clone secret that does not exist yet.
2. Create the referenced source clone secret.
3. Attempt to execute a BuildRun from this Build.

Build cannot run because the parent Build has the "unregistered" status.

Anything else?

Reported in Red Hat JIRA - https://issues.redhat.com/browse/BUILD-1160

[SaschaSchwarze0]

@adambkaplan today, we reconcile Builds only for secret operations if the secret is annotated with build.shipwright.io/referenced.secret=true. See for the code logic: https://github.com/shipwright-io/build/blob/main/pkg/reconciler/build/controller.go#L160. Documentation is here: https://github.com/shipwright-io/build/blob/main/docs/development/authentication.md#build-secrets-annotation

Though, I would not be against changing this. Given this all operates on caches, we could always retrieve all builds when a secret gets created or deleted and reconcile either all of them or only those that have a reference to the secret.

[adambkaplan]

Though, I would not be against changing this. Given this all operates on caches, we could always retrieve all builds when a secret gets created or deleted and reconcile either all of them or only those that have a reference to the secret.

Agree that it makes sense to remove. This feels like a performance optimization we did in the early days of the project. Since we now have very strong caching in place, those list operations are very low cost, even at scale.