Can't figure out flags for insecure registry #396

Closed
evankanderson opened this issue Jul 26, 2021 · 2 comments · Fixed by #398

Comments

@evankanderson
Contributor

I'm using ko version v0.8.3, and I'm probably an idiot, but I can't seem to get either the --insecure-registry flag from ko resolve or the --insecure-registry and --insecure-skip-tls-verify flags working against a private Harbor registry.

The harbor registry has a SNI cert for 192.168.10.12, and I've set KO_DOCKER_REPO=192.168.10.12, and I've set up authorization via docker login (and added the registry to insecure-registries in the docker JSON config).

It looks like the following should be the correct usage:

```
$ ko apply --insecure-registry -f config/contour
...
Publishing 192.168.10.12/dev/contour-ff924afcef2cd0177014d053ee4b167d:latest
....
error during command execution:error processing import paths in "config/contour/external.yaml": error resolving image references: Get "https://192.168.10.12/v2/": x509: certificate signed by unknown authority; Get "https://192.168.10.12:443/v2/": x509: certificate signed by unknown authority
```

This just produces an error:

```
$ ko --insecure-registry apply -f config/contour
Error: unknown flag: --insecure-registry
```

The --insecure-skip-tls-verify flag might be a kubectl flag, though it's not documented what it connects to:

```
$ ko apply -f config/contour --insecure-skip-tls-verify
error: Unexpected args: [true]
...
Error: error executing 'kubectl apply': exit status 1
...
      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
```

(This command doesn't seem to end up trying to publish an image before it fails)

@evankanderson
Contributor Author

Ref #142

@jonjohnsonjr
Collaborator

jonjohnsonjr commented Jul 26, 2021

> The --insecure-skip-tls-verify flag might be a kubectl flag, though it's not documented what it connects to:

This is correct. I regret adding the kubectl flags to ko, but I thought it was cute at the time.

We'll need to configure the transport with InsecureSkipVerify, e.g. see crane: https://github.com/google/go-containerregistry/blob/596751a1747114c7f502f8a99a55891865aa2d03/cmd/crane/cmd/root.go#L67-L68

My only question is: Should this always happen if you pass publish.Insecure as an option? Or should we do this outside of the publisher so that it's possible to allow insecure domains but not skip verify?

A quick and dirty fix would be to do that here: https://github.com/google/ko/blob/c014ec1feb76a3574cb280dcd7d14eee7e2f11c2/pkg/publish/default.go#L83

And if do.t is an *http.Transport, we can do the same thing as in crane. If someone has overridden the transport via WithTransport, I imagine that type check will often fail, which is probably fine.

Some other places that might be less gross would be here: https://github.com/google/ko/blob/8295e25f7dc4954ac0e0dd4ec94b7af76f92d8c1/pkg/commands/resolver.go#L201-L207

(Supply a custom transport via publish.WithTransport).

Or even in here: https://github.com/google/ko/blob/c014ec1feb76a3574cb280dcd7d14eee7e2f11c2/pkg/publish/options.go#L105-L110

If b == true, we'd want to try to configure i.transport if we can.
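The type check discussed in the comment above, as an added example that is not part of the thread and is not ko's or crane's code. The helper `insecureTransport` and the `wrapped` type are hypothetical names; the helper clones the transport so the process-wide `http.DefaultTransport` keeps verifying certificates, and it reports when the type check fails so the flag does not silently do nothing.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// wrapped is a constructed stand-in for a RoundTripper that a caller might
// supply via WithTransport (for example a logging or retrying wrapper).
type wrapped struct{ inner http.RoundTripper }

func (w wrapped) RoundTrip(r *http.Request) (*http.Response, error) {
	return w.inner.RoundTrip(r)
}

// insecureTransport is a hypothetical helper. If rt is an *http.Transport it
// returns a copy with certificate verification disabled and true. For any
// other RoundTripper it returns rt unchanged and false, so the caller can
// tell the user that the insecure setting could not be applied.
func insecureTransport(rt http.RoundTripper) (http.RoundTripper, bool) {
	t, ok := rt.(*http.Transport)
	if !ok {
		return rt, false
	}
	// Clone rather than mutate: rt may be http.DefaultTransport, which every
	// other HTTP client in the process shares.
	c := t.Clone()
	if c.TLSClientConfig == nil {
		c.TLSClientConfig = &tls.Config{}
	}
	c.TLSClientConfig.InsecureSkipVerify = true
	return c, true
}

func main() {
	_, ok := insecureTransport(http.DefaultTransport)
	fmt.Println("default transport reconfigured:", ok)

	_, ok = insecureTransport(wrapped{inner: http.DefaultTransport})
	fmt.Println("wrapped transport reconfigured:", ok)
}
```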
