
Feature: Better OCI image SDLC experience and dealing with internal OCI registry Self-Signed Certs #534

@jessesanford

Description


Have you searched for this feature request?

  • I searched but did not find similar requests

Problem Statement

We need to make it easier to manage images that are used in our stacks. Right now it's very handy to use the internal git repos to slurp up stacks as you are ideating, but not any containers that they require. We should consider methods by which this could be handled.

Some questions that come to mind:

  • Is this adding too much complexity to idpbuilder?

  • Should we support building images as well as hosting them on the internal OCI registry?

  • Can we make use of kaniko or Buildah in an automated way?

  • Should we provide new top level commands to manage the images directly within idpbuilder rather than requiring folks to use other tools like the docker CLI, skopeo etc?

This last bit might at least help with the issue of Gitea using a self-signed certificate and thus the incompatibility with the docker CLI (requiring re-configuring daemon.json to allow insecure registries).

Possible Solution

At the very least, adding the ability to push and pull images from Gitea using idpbuilder will make rapidly iterating on stacks that contain images a little easier. We can configure the Go registry client to use insecure registries like so:


package main

import (
    "context"
    "crypto/tls"
    "encoding/base64"
    "encoding/json"
    "fmt"
    "io"
    "net/http"
    "os"

    "github.com/docker/docker/api/types"
    "github.com/docker/docker/client"
)

func main() {
    ctx := context.Background()

    // Create custom TLS config
    tlsConfig := &tls.Config{
        InsecureSkipVerify: true, // Skip certificate verification
        // Alternatively, if you have the certificate:
        // RootCAs: certPool, // Add your custom CA certificate pool (*x509.CertPool)
    }

    // Create HTTP client with custom TLS config
    httpClient := &http.Client{
        Transport: &http.Transport{
            TLSClientConfig: tlsConfig,
        },
    }

    // Create Docker client
    cli, err := client.NewClientWithOpts(
        client.FromEnv,
        client.WithHTTPClient(httpClient),
    )
    if err != nil {
        fmt.Fprintln(os.Stderr, "docker client:", err)
        os.Exit(1)
    }
    defer cli.Close()

    // Registry host and Gitea owner (no trailing slash; the path is joined below)
    registryAddr := "cnoe.localtest.me:8443/giteaadmin"

    authConfig := types.AuthConfig{
        Username:      "giteaAdmin",
        Password:      "generatedPAT",
        ServerAddress: registryAddr,
    }
    encodedJSON, err := json.Marshal(authConfig)
    if err != nil {
        fmt.Fprintln(os.Stderr, "marshal auth:", err)
        os.Exit(1)
    }
    // The Docker API expects the auth config as base64url-encoded JSON
    authStr := base64.URLEncoding.EncodeToString(encodedJSON)

    // Use with ImagePush
    imageRef := registryAddr + "/repository/image:tag"
    resp, err := cli.ImagePush(ctx, imageRef, types.ImagePushOptions{
        RegistryAuth: authStr,
    })
    if err != nil {
        fmt.Fprintln(os.Stderr, "image push:", err)
        os.Exit(1)
    }
    defer resp.Close()

    // ImagePush returns a stream of JSON progress messages; drain it so the push completes
    if _, err := io.Copy(os.Stdout, resp); err != nil {
        fmt.Fprintln(os.Stderr, "reading push output:", err)
        os.Exit(1)
    }
}
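The snippet above turns certificate verification off with InsecureSkipVerify. The alternative its own comment hints at (RootCAs with a custom pool) keeps verification on while still accepting Gitea's self-signed certificate, which is the safer default for a tool that handles registry credentials. The following is an added example, not code from this issue or from idpbuilder: it builds an http.Client that trusts one supplied CA PEM, then demonstrates the difference against a local HTTPS server using a constructed self-signed certificate. The names NewRegistryHTTPClient, ProbeRegistry and the /v2/ probe path are assumptions for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewRegistryHTTPClient returns an http.Client that trusts only the CA in
// caPEM (for example the registry's own self-signed certificate). Chain and
// hostname verification stay on, so a server presenting any other cert is
// still rejected, unlike with InsecureSkipVerify.
func NewRegistryHTTPClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
		},
	}, nil
}

// selfSignedCert builds a throwaway self-signed certificate valid for the
// loopback address; constructed test material standing in for the registry's cert.
func selfSignedCert() (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "registry.example.test"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, certPEM, nil
}

// reachable reports whether a GET to url completes (TLS handshake included).
func reachable(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// ProbeRegistry starts a local HTTPS server with the self-signed cert and
// returns whether a client that trusts that cert (pinnedOK) and a stock
// client (defaultOK) can fetch /v2/, the registry API root.
func ProbeRegistry() (pinnedOK, defaultOK bool, err error) {
	cert, certPEM, err := selfSignedCert()
	if err != nil {
		return false, false, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()

	pinned, err := NewRegistryHTTPClient(certPEM)
	if err != nil {
		return false, false, err
	}
	return reachable(pinned, srv.URL+"/v2/"), reachable(&http.Client{}, srv.URL+"/v2/"), nil
}

func main() {
	pinnedOK, defaultOK, err := ProbeRegistry()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned-CA client ok=%v, default client ok=%v\n", pinnedOK, defaultOK)
}
```

In practice the caPEM bytes would come from the certificate idpbuilder already provisions for Gitea, and the resulting client is what the Docker client wrapper (or any other registry client) would be handed in place of the InsecureSkipVerify transport.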

Alternatives Considered

Do nothing; update documentation to show folks how to deal with the self-signed cert issue.

Labels: enhancement (New feature or request)
