Support insecure registries

[jromero]

I am using https://github.com/tektoncd/catalog/blob/master/task/buildpacks/0.3/buildpacks.yaml.

Here the APP_IMAGE doesn't take transport style like http or https. The tekton staging pod makes an https call to the registry whereas my registry is insecure. How do I tell tekton to make a http request ?

• via @rohitsakala at Cannot connect to insecure private registry tektoncd/catalog#757

[jromero]

Hi @rohitsakala,

This currently isn't supported by the underlying buildpacks engine (lifecycle). See buildpacks/lifecycle#524.

Thank you for bringing up the use case. I'll try to push for support this feature.

[edmund-wagner]

I'm using IP instead of a hostname as a workaround to push into my local http registry. Maybe this helps some devs until this is fixed ;)

[david-caro]

@edmund-wagner can you elaborate? Using for example just "APP_IMAGE=192.168.49.1/minikube-user/python:snap" I get the same error:

$ kubectl -n image-build logs minikube-user-buildpacks-pipelinerun-fjtrj-build-from-git-gkt6c -c step-analyze
ERROR: failed to get previous image: connect to repo store '192.168.49.1/minikube-user/python:snap': Get "https://192.168.49.1/v2/": x509: certificate signed by unknown authority; Get "https://192.168.49.1:443/v2/": x509: certificate signed by unknown authority

And still does not accept passing the http:// proto in the APP_IMAGE param.

[david-caro]

And still does not accept passing the http:// proto in the APP_IMAGE param.

Replying to myself :), I'm using a local harbor instance, and if you have ssl configured it will redirect to all http traffic to https, just had to not configure ssl on harbor side and now it works!

[cmoulliard]

There is a workaround which is to use as registry hostname *.local. In this case the go-containerregistry lib used by lifecycle will issue a HTTP call instead of a HTTPS call :-)