{"id":"build-and-image-delivery-pipeline","text":"OpenShift provides an end-to-end image delivery pipeline: dual build systems (Shipwright + BuildConfig) produce images, ImageStreams provide controlled access with immutable content-addressed storage, and the internal registry can be exposed externally with re-encrypt TLS — connecting build, storage, and distribution.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["build-system-openshift-native-duality","imagestream-controlled-access-model","image-registry-external-access-model"],"outlist":[],"label":"Build systems, ImageStream access control, and registry exposure form a complete image delivery chain"}],"dependents":["application-packaging-and-delivery-model","image-supply-chain-end-to-end"],"metadata":{},"explanation":{"steps":[{"node":"build-and-image-delivery-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["build-system-openshift-native-duality","imagestream-controlled-access-model","image-registry-external-access-model"],"label":"Build systems, ImageStream access control, and registry exposure form a complete image delivery chain"},{"node":"build-system-openshift-native-duality","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-two-build-systems-shipwright-buildconfig","ocp-buildconfigs-not-in-upstream-k8s","imagestream-buildconfig-openshift-native"],"label":"The build system is entirely OpenShift-native — both build mechanisms and their image output target (ImageStream) have no K8s equivalents"},{"node":"ocp-two-build-systems-shipwright-buildconfig","truth_value":"IN","reason":"premise"},{"node":"ocp-buildconfigs-not-in-upstream-k8s","truth_value":"IN","reason":"premise"},{"node":"imagestream-buildconfig-openshift-native","truth_value":"IN","reason":"premise"},{"node":"imagestream-controlled-access-model","truth_value":"IN","reason":"SL justification valid","antecedents":["image-objects-immutable-content-addressed","end-users-access-images-via-imagestreamtag-or-imagestreamimage","imagestream-pull-requires-get-layers-permission","ocp-imagestreammapping-privileged-only"],"label":"Four beliefs collectively enforce a layered access control model over image content"},{"node":"image-objects-immutable-content-addressed","truth_value":"IN","reason":"premise"},{"node":"end-users-access-images-via-imagestreamtag-or-imagestreamimage","truth_value":"IN","reason":"premise"},{"node":"imagestream-pull-requires-get-layers-permission","truth_value":"IN","reason":"premise"},{"node":"ocp-imagestreammapping-privileged-only","truth_value":"IN","reason":"premise"},{"node":"image-registry-external-access-model","truth_value":"IN","reason":"SL justification valid","antecedents":["image-registry-default-route-true-exposes-externally","default-route-uses-reencrypt","registry-credential-secret-name","image-registry-storage-backends"],"label":"Four beliefs that together describe how the registry is configured, secured, and exposed"},{"node":"image-registry-default-route-true-exposes-externally","truth_value":"IN","reason":"premise"},{"node":"default-route-uses-reencrypt","truth_value":"IN","reason":"premise"},{"node":"registry-credential-secret-name","truth_value":"IN","reason":"premise"},{"node":"image-registry-storage-backends","truth_value":"IN","reason":"premise"}]}}