Document support for insecure registries

[baronfel]

Once dotnet/sdk#39840 lands we will support writing to insecure registries following the existing container engine mechanisms (insecure-registries in docker daemon.json config, podman registries.conf configuration).

We should document this support and point to the official resources for configuring these kinds of registries.

[tmds]

@baronfel when configuring a registry as insecure, both podman and docker allow the connection to be either unencrypted HTTP or HTTPS with an untrusted certificate.

The implementation added in dotnet/sdk#39840 is only supporting the first.

[baronfel]

Thanks! Logged an issue to expand our support - are you noting the gap or did you try to use the new support and got blocked by this in your workflow?

[tmds]

are you noting the gap or did you try to use the new support and got blocked by this in your workflow?

I know from using it with podman that it enables both scenarios.

I was looking whether the SDK already has some support for configuring insecure registries, and I noticed the difference in behavior implemented in the PR.

The registry I need it for is HTTP, so I'm not blocked. It would be easier if I can use an envvar. I may look into contributing SDK_CONTAINER_INSECURE_REGISTRIES to enable that.

[baronfel]

Effectively if we wanted to support HTTPS we'd have to override the cert validation callback to check the domain against the list of known-insecure domains before accepting the cert, right?

[tmds]

Yes, we'd override the callback to allow cert issues when the hostname is an insecure one.

We also don't know if the endpoint is http/https so we need to switch when needed.