
Add flags to support --local-path workflow that allows user to override registry opts defaults #116

Closed
atmandhol opened this issue May 12, 2022 · 5 comments · Fixed by #220
Labels: accepted, enhancement (New feature or request)

atmandhol (Contributor) commented May 12, 2022

Description of problem

Multiple instances were reported where a corporate firewall scrambles the SSL handshake between a dev's local machine and an external signed registry such as azurecr.io. This results in the apps plugin failing to push an image, with the error message "certificate signed by unknown authority".

Proposed solution

Currently the apps plugin does not support flags to set the CACertPaths, VerifyCerts and Insecure registry options, and VerifyCerts defaults to true. We should add flags to support the boolean VerifyCerts and Insecure options, defaulting to the secure settings but allowing the user to override them using flags if they are behind a firewall and run into this issue.

As a future state, we should provide a config option (once #108 is implemented) to let users who will always hit this firewall issue change the defaults to insecure mode, so they don't have to provide flags all the time.

CC @danfein @heyjcollins for design and product input regarding flag names.

Thanks to @cpage-pivotal for bringing this to our attention.

Updates

We have decided not to implement support for overriding the following options:

  • insecure (will always default to false)
  • verifyCerts (will always default to true)

Flags will be added as part of this issue to support passing the following information:

  • username
  • password
  • token
  • caCertsPath

Reference: https://pkg.go.dev/github.com/vmware-tanzu/carvel-imgpkg@v0.29.0/pkg/imgpkg/registry#Opts

rashedkvm (Member) commented May 13, 2022

  1. azurecr.io is a public registry and should not require users to set any of these flags: CACertPaths, VerifyCerts, or Insecure. The issue could be related to firewall settings, CORS policy, etc.
  2. As per our team discussion, our goal is only to support TLS connections. For TLS connections to registries with a client cert (mTLS) or a cert issued by a private certificate authority, we will need additional flag(s) in the apps CLI plugin. We'd love to get design input regarding the new flag(s).

@danfein ^^

@atmandhol atmandhol added this to the 0.8.0 milestone May 26, 2022
cpage-pivotal commented

We will also need support for Insecure. As @rashedkvm notes, firewall/CORS settings are preventing secure access to public signed registries like azurecr.io, and the developer teams that want to use this capability do not have privileges to override this.

atmandhol (Contributor, Author) commented Jun 10, 2022

@danfein Can we get a design recommendation for a CA certs path flag that can be used multiple times?

danfein (Collaborator) commented Jun 23, 2022

Recommendation

--registry-ca-cert

    --registry-ca-cert    string    file path to CA certificate used to authenticate with registry. Flag may be used multiple times

Thinking

  • registry - included to differentiate this CA cert from other CA certs that may need to be used by other parts of the system.
  • ca - included to differentiate it from a registry client cert, which may also be needed (--registry-client-cert).

Also considered

  • --registry-cert - if there were only one cert type, this would have been a shorter option.

danfein (Collaborator) commented Jul 15, 2022

Recommended flags for additional registry configuration

 tanzu apps workload create -h
...
--registry-ca-cert       string    file path to CA certificate used to authenticate with registry. Flag may be used multiple times
--registry-username      string    username for authenticating with registry
--registry-password      string    password for authenticating with registry
--registry-token         string    token for authenticating with registry
