
Conversation

ravanelli

- Introduce 'insecure-disable-tls-verification' parameter for
skipping TLS verification;
- Fix Issue: bootc-dev#461.

Signed-off-by: Renata <rravanel@redhat.com>
@github-actions github-actions bot added the area/install Issues related to `bootc install` label Apr 22, 2024
@ravanelli
Author

It still depends on #461 (comment)

Collaborator

@cgwalters cgwalters left a comment

It still depends on #461 (comment)

OK yes...right. This is harder than I thought because basically all of the existing logic is really assuming that it can serialize and deserialize the source image reference into a single string.

Which is basically not how docker (and podman) work; one is required to pass --tls-verify=false externally around.

Although...wait...actually, can we handle this by just telling the admin to add to the /etc/containers/registries.conf.d with the [insecure] flag?

/// Skip TLS and certificate verification.
/// This is very insecure and should only be used in testing environments
#[clap(long)]
pub(crate) insecure_disable_tls_verification: bool,
Collaborator

I think this should always be part of the source spec; unlike podman I'm trying here to be declarative where we can.

This means that once you do a bootc switch --insecure-disable-tls-verification, it is "sticky" and applied automatically on subsequent bootc upgrades.

So we can just drop this hunk I believe.

/// Skip TLS and certificate verification.
/// This is very insecure and should only be used in testing environments
#[clap(long)]
pub(crate) insecure_disable_tls_verification: bool,
Collaborator

I don't think this one makes sense; edit just lets you edit the spec directly.

@cgwalters
Collaborator

Just highlighting here

Although...wait...actually, can we handle this by just telling the admin to add to the /etc/containers/registries.conf.d with the [insecure] flag?

Let's test this first

@lukewarmtemp
Contributor

Let's test this first

Not sure if this is the expected local dev/test workflow specified in #461 (comment), but the following seems to work without any changes to the bootc code:

Create local registry

$ sudo mkdir -p /var/lib/registry
$ sudo podman run --privileged -d --name registry -p 5000:5000 -v /var/lib/registry:/var/lib/registry --restart=always registry:2

Disable TLS verification for the local registry

# create a new config file
$ sudo vi /etc/containers/registries.conf.d/001-localhost.conf
[[registry]]
location="localhost:5000"
insecure=true

Build and push image to local container registry

# create a simple Containerfile that is just the base fcos image
$ sudo vi Containerfile
FROM quay.io/fedora/fedora-coreos:stable

# build image
$ podman build -t localhost/fcos .

# tag image so that it can be pushed to local registry
$ podman tag localhost/fcos:latest localhost:5000/fcos:latest

# push to local registry
$ podman push localhost:5000/fcos:latest

Test that TLS verification is disabled

$ sudo bootc switch localhost:5000/fcos:latest
$ sudo systemctl reboot

Verify that bootc switch worked

$ sudo bootc status
apiVersion: org.containers.bootc/v1alpha1
kind: BootcHost
metadata:
  name: host
spec:
  image:
    image: localhost:5000/fcos:latest
    transport: registry
  bootOrder: default
status:
  staged: null
  booted:
    image:
      image:
        image: localhost:5000/fcos:latest
        transport: registry
      version: 40.20240504.3.0
      timestamp: null
      imageDigest: sha256:2f7207cddc3b01ee0980a4c8152d1277e0a0b5fe0ebff27bcc5e9b101e08d7ce
    cachedUpdate: null
    incompatible: false
    pinned: false
    ostree:
      checksum: 05b704430628019881d929c204ad4293230dc34d7df962428268faf145be8ac7
      deploySerial: 0
  rollback:
    image:
      image:
        image: quay.io/luyang/fcos-karg-test2
        transport: registry
      version: 40.20240504.3.0
      timestamp: null
      imageDigest: sha256:d5d43c888d3017c19ee912714ce206716dd56564eea5818e5b2f32f6e74feae5
    cachedUpdate: null
    incompatible: false
    pinned: false
    ostree:
      checksum: 6f3d22c95edbd7257e5de1a6dcd88e31c4536031776230e4daa1629f679cc098
      deploySerial: 0
  rollbackQueued: false
  type: bootcHost
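Since the thread settles on a registries.conf.d drop-in rather than a bootc flag, here is an added audit helper (example code of mine, not bootc's or containers/image's) that parses such drop-ins and reports every registry whose TLS verification has been switched off with insecure=true, separating loopback locations like the thread's localhost:5000 from anything else. The configuration text it runs on is constructed for the example.

```python
import re
# Added audit helper, not bootc or containers/image code: reads the subset of
# containers-registries.conf(5) the thread relies on ([[registry]] tables with
# location/insecure keys) and reports each location with TLS verification off.
LOOPBACK = ("localhost", "127.0.0.1", "[::1]")
KV_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(true|false))')

def parse_registries(text: str) -> list[dict]:
    """One dict per [[registry]] table; keys outside such a table are ignored."""
    regs, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "[[registry]]":
            cur = {"location": "", "insecure": False}
            regs.append(cur)
        elif line.startswith("["):
            cur = None  # another table, e.g. [[registry.mirror]]: not audited here
        elif cur is not None:
            m = KV_RE.fullmatch(line)
            if m and m.group(1) == "location":
                cur["location"] = m.group(2) or ""
            elif m and m.group(1) == "insecure":
                cur["insecure"] = m.group(3) == "true"
    return regs

def audit_insecure(text: str) -> list[tuple[str, bool]]:
    """(location, is_loopback) for every registry configured with insecure=true."""
    out = []
    for reg in parse_registries(text):
        if reg["insecure"]:
            host = reg["location"].split("/", 1)[0].rsplit(":", 1)[0]  # strip path, port
            out.append((reg["location"], host in LOOPBACK))
    return out

# Constructed sample: the thread's localhost drop-in plus two more entries.
SAMPLE_CONF = """\
[[registry]]
location="localhost:5000"
insecure=true
[[registry]]
location = "registry.internal.example:5000"
insecure = true
[[registry]]
location = "quay.io"
"""
if __name__ == "__main__":
    for loc, loopback in audit_insecure(SAMPLE_CONF):
        print(loc, "loopback, expected for testing" if loopback else "NON-LOOPBACK, review")
```

Pointing it at the concatenated contents of /etc/containers/registries.conf.d/*.conf gives a quick check that no test-only insecure entry survived into a deployed host.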

@cgwalters
Collaborator

Thanks for testing this @lukewarmtemp ! #580

@cgwalters cgwalters closed this Jun 3, 2024
cgwalters added a commit to cgwalters/bootc that referenced this pull request Nov 5, 2024
cgwalters pushed a commit to cgwalters/bootc that referenced this pull request Nov 6, 2024
