[OCIRepository] Add support for non-TLS insecure container registries

api/v1beta2/ocirepository_types.go

@@ -113,6 +113,10 @@ type OCIRepositorySpec struct {
 	// +optional
 	Ignore *string `json:"ignore,omitempty"`
 
+	// Insecure allows connecting to a non-TLS HTTP container registry.
+	// +optional
+	Insecure bool `json:"insecure,omitempty"`
+
 	// This flag tells the controller to suspend the reconciliation of this source.
 	// +optional
 	Suspend bool `json:"suspend,omitempty"`

config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml

@@ -72,6 +72,10 @@ spec:
                   a default will be used, consult the documentation for your version
                   to find out what those are.
                 type: string
+              insecure:
+                description: Insecure allows connecting to a non-TLS HTTP container
+                  registry.
+                type: boolean
               interval:
                 description: The interval at which to check for image updates.
                 type: string

controllers/ocirepository_controller.go

@@ -301,7 +301,7 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
 	ctxTimeout, cancel := context.WithTimeout(ctx, obj.Spec.Timeout.Duration)
 	defer cancel()
 
-	options := r.craneOptions(ctxTimeout)
+	options := r.craneOptions(ctxTimeout, obj.Spec.Insecure)
 
 	// Generate the registry credential keychain either from static credentials or using cloud OIDC
 	keychain, err := r.keychain(ctx, obj)
@@ -684,11 +684,16 @@ func (r *OCIRepositoryReconciler) oidcAuth(ctx context.Context, obj *sourcev1.OC
 
 // craneOptions sets the auth headers, timeout and user agent
 // for all operations against remote container registries.
-func (r *OCIRepositoryReconciler) craneOptions(ctx context.Context) []crane.Option {
+func (r *OCIRepositoryReconciler) craneOptions(ctx context.Context, insecure bool) []crane.Option {
 	options := []crane.Option{
 		crane.WithContext(ctx),
 		crane.WithUserAgent(oci.UserAgent),
 	}
+
+	if insecure {
+		options = append(options, crane.Insecure)
+	}
+
 	return options
 }
 

controllers/ocirepository_controller_test.go

@@ -623,7 +623,7 @@ func TestOCIRepository_reconcileSource_authStrategy(t *testing.T) {
 				Storage:       testStorage,
 			}
 
-			opts := r.craneOptions(ctx)
+			opts := r.craneOptions(ctx, true)
 			opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
 			repoURL, err := r.getArtifactURL(obj, opts)
 			g.Expect(err).To(BeNil())
@@ -1158,7 +1158,7 @@ func TestOCIRepository_getArtifactURL(t *testing.T) {
 				obj.Spec.Reference = tt.reference
 			}
 
-			opts := r.craneOptions(ctx)
+			opts := r.craneOptions(ctx, true)
 			opts = append(opts, crane.WithAuthFromKeychain(authn.DefaultKeychain))
 			got, err := r.getArtifactURL(obj, opts)
 			if tt.wantErr {

docs/api/source.md

@@ -1107,6 +1107,18 @@ consult the documentation for your version to find out what those are.</p>
 </tr>
 <tr>
 <td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>suspend</code><br>
 <em>
 bool
@@ -2839,6 +2851,18 @@ consult the documentation for your version to find out what those are.</p>
 </tr>
 <tr>
 <td>
+<code>insecure</code><br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Insecure allows connecting to a non-TLS HTTP container registry.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>suspend</code><br>
 <em>
 bool

docs/spec/v1beta2/ocirepositories.md

@@ -287,6 +287,12 @@ kubectl create secret generic tls-certs \
   --from-file=caFile=ca.crt
 ```
 
+### Insecure
+
+`.spec.insecure` is an optional field to allow connecting to an insecure (HTTP)
+container registry server, if set to `true`. The default value is `false`,
+denying insecure (HTTP) connections.
+
 ### Interval
 
 `.spec.interval` is a required field that specifies the interval at which the