fix: pass insecure registry options to image cache #1616
Merged
jabrown85 merged 1 commit into buildpacks:main from Feb 19, 2026
NewImageCacheFromName did not pass insecure registry options to remote.NewImage, causing TLS verification failures when using -insecure-registry with cache images stored on registries that use self-signed certificates or plain HTTP.

Other code paths (pullSparse, initRemoteAppImage, RegistryHandler) already correctly call image.GetInsecureOptions, but the cache image path was missed.

Add a variadic insecureRegistries parameter to NewImageCacheFromName and thread it through initCache, DefaultCacheHandler, and all callers (creator, restorer, exporter, analyzer).

Signed-off-by: Qi Zhang <smallqi1@163.com>
@jabrown85 please review
Summary

NewImageCacheFromName did not pass insecure registry options to remote.NewImage(), causing TLS verification failures when using -insecure-registry with cache images stored on registries that use self-signed certificates or plain HTTP.

Other code paths (pullSparse, initRemoteAppImage, RegistryHandler) already correctly call image.GetInsecureOptions, but the cache image path was missed.

This PR adds a variadic insecureRegistries parameter to NewImageCacheFromName and threads it through initCache, DefaultCacheHandler, and all callers (creator, restorer, exporter, analyzer).

Release notes

When using -insecure-registry, cache images now correctly skip TLS verification, matching the existing behavior for app images.

Related

Resolves #___

Context

The bug can be reproduced by running the lifecycle with -insecure-registry=registry.example.com against a registry using self-signed certificates. App image operations (analyze, export) succeed, but cache image restore/export fails with:

ERROR: failed to create image cache: accessing cache image "registry.example.com/cache:latest": tls: failed to verify certificate: x509: certificate signed by unknown authority

The fix uses a variadic parameter (insecureRegistries ...string) to maintain backward compatibility — existing callers without insecure registries continue to work unchanged.

Files changed:

- cache/image_cache.go — add insecureRegistries param, apply GetInsecureOptions to both remote.NewImage calls
- cmd/lifecycle/main.go — add insecureRegistries to DefaultCacheHandler and initCache
- cmd/lifecycle/creator.go — pass InsecureRegistries to initCache and NewCacheHandler
- cmd/lifecycle/restorer.go — pass InsecureRegistries to initCache
- cmd/lifecycle/exporter.go — pass InsecureRegistries to initCache
- cmd/lifecycle/analyzer.go — pass InsecureRegistries to NewCacheHandler
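
The failure mode and the variadic fix described in this PR, reproduced as an added stand-alone example that is not code from the lifecycle project. It uses plain net/http against a local test TLS server instead of remote.NewImage; `clientFor`, `openCache` and `demo` are hypothetical names, and the exact-match host comparison is an assumption of this sketch, not a statement about how image.GetInsecureOptions matches registries.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// clientFor (hypothetical helper) skips certificate verification only when
// host is explicitly listed, mirroring the per-registry scope of the flag.
func clientFor(host string, insecureRegistries ...string) *http.Client {
	cfg := &tls.Config{}
	for _, r := range insecureRegistries {
		if r == host {
			cfg.InsecureSkipVerify = true // opt-in for this one host only
		}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
}

// openCache models the cache-image path; callers that pass no registries still compile.
func openCache(rawURL string, insecureRegistries ...string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	resp, err := clientFor(u.Host, insecureRegistries...).Get(rawURL)
	if err != nil {
		return fmt.Errorf("accessing cache image %q: %w", rawURL, err)
	}
	return resp.Body.Close()
}

// demo runs three calls against a local TLS server whose test certificate is
// not in the system trust store (constructed stand-in for the registry).
func demo() (notPassed, passed, otherHostListed error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {}))
	defer srv.Close()
	notPassed = openCache(srv.URL)                               // option dropped: x509 error
	passed = openCache(srv.URL, srv.Listener.Addr().String())    // option threaded through
	otherHostListed = openCache(srv.URL, "registry.example.com") // different host: still verified
	return
}

func main() {
	fmt.Println(demo())
}
```

The third call is the one to keep as a regression check: listing one registry as insecure must not disable verification for any other host.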