Handling insecure registries for refresh etc. #324

Open
wSedlacek opened this issue Nov 22, 2024 · 2 comments
Labels
impact/usability: Something that impacts users' ability to use the product easily and intuitively
kind/bug: Some behavior is incorrect or out of spec

Comments


wSedlacek commented Nov 22, 2024

What happened?

Pushing a dockerBuild.Image to a registry is possible using exports: [ { registry: { insecure: true } } ]
But when using refresh or dockerBuild.Index an https client is always attempted to be used with no configuration for insecure registries.

Example

docker-build:index:Image (example:arm64):
  warning: failed to get manifest localhost:8000/development/example:development@sha256:e9a6905a38607548188a451516bb13e8f5d2a43025a3b02110ffbe0abc0f1ce3: Get "https://localhost:8000/v2/development/example/manifests/sha256:e9a6905a38607548188a451516bb13e8f5d2a43025a3b02110ffbe0abc0f1ce3": http: server gave HTTP response to HTTPS client

Output of pulumi about

CLI          
Version      3.140.0
Go Version   go1.23.3
Go Compiler  gc

Plugins
KIND      NAME    VERSION
language  nodejs  unknown

Host     
OS       darwin
Version  14.6.1
Arch     arm64

This project is written in nodejs: executable='/Users/wsedlacek/.local/state/fnm_multishells/44492_1732278457179/bin/node' version='v20.14.0'

Current Stack: organization/rocket/development

TYPE                                           URN
pulumi:pulumi:Stack                            urn:pulumi:development::rocket::pulumi:pulumi:Stack::rocket-development
pulumi:providers:pulumi                        urn:pulumi:development::rocket::pulumi:providers:pulumi::default
pulumi:providers:docker-build                  urn:pulumi:development::rocket::pulumi:providers:docker-build::default
docker-build:index:Image                       urn:pulumi:development::rocket::docker-build:index:Image::example:arm64

Found no pending operations associated with development

Backend        
Name           Williams-MBP
URL            file://~
User           wsedlacek
Organizations  
Token type     personal

Pulumi locates its logs in /var/folders/cg/gb0jh4wj19j0p4kbg_9yy7c40000gp/T/ by default
warning: Failed to get information about the Pulumi program's dependencies: no package-lock.json or yarn.lock file found (searching upwards from /Users/wsedlacek/Code/work/shipyard/dist/pulumi)

Additional context

(Note: I use pnpm so package-lock.json or yarn.lock do not exist)

    "@pulumi/aws": "^6.60.0",
    "@pulumi/command": "^1.0.1",
    "@pulumi/docker": "^4.5.7",
    "@pulumi/docker-build": "^0.0.7",
    "@pulumi/gcp": "^8.10.0",
    "@pulumi/kubernetes": "^4.18.3",
    "@pulumi/pulumi": "^3.140.0",
    "@pulumi/random": "^4.16.7",
    "@pulumi/std": "^1.7.3",

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@wSedlacek wSedlacek added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 22, 2024

wSedlacek commented Nov 22, 2024

After looking at some code I believe TLS could be configured here:

h.Pass = v.Password

Example from regctl tests:
https://github.com/regclient/regclient/blob/5fbf76c4f6bbab7d622c0ba6ee509a786b9c4363/config/host_test.go#L251

The problem would be how to know if TLS should be enabled or not there?
Would it be reasonable to add insecure to the registries and map that through to this point?
Or should there be some logic with the outputs/inputs looking for the exports[].registry.insecure key?


blampe commented Nov 26, 2024

> Would it be reasonable to add insecure to the registries and map that through to this point?
> Or should there be some logic with the outputs/inputs looking for the exports[].registry.insecure key?

We'll probably want both, but the former would be a great starting point.

@blampe blampe added impact/usability Something that impacts users' ability to use the product easily and intuitively and removed needs-triage Needs attention from the triage team labels Nov 26, 2024
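
An added sketch of the first option discussed in the thread, not code from the provider, from regclient, or from either commenter: an `insecure` flag on each registry entry selects the TLS mode per host, so plain HTTP is used only for a registry that explicitly opted in and every other host keeps HTTPS. The `Registry` type, the `TLSMode` values and the function names are hypothetical, and the sample references are constructed from the warning in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// TLSMode is a hypothetical per-host setting; it is not regclient's type.
type TLSMode string

const (
	TLSEnabled  TLSMode = "enabled"  // default: HTTPS
	TLSDisabled TLSMode = "disabled" // plain HTTP, explicit opt-in only
)

// Registry is a hypothetical provider registry entry carrying the proposed flag.
type Registry struct {
	Address  string
	Insecure bool
}

// hostOf returns the registry host[:port] of an image reference.
// A first path component without '.', ':' or "localhost" is a Docker Hub namespace.
func hostOf(ref string) string {
	first, _, hasPath := strings.Cut(ref, "/")
	if hasPath && (first == "localhost" || strings.ContainsAny(first, ".:")) {
		return strings.ToLower(first)
	}
	return "docker.io"
}

// tlsFor disables TLS only when a registry entry for exactly this host opted in.
func tlsFor(ref string, registries []Registry) TLSMode {
	host := hostOf(ref)
	for _, r := range registries {
		if r.Insecure && strings.EqualFold(r.Address, host) {
			return TLSDisabled
		}
	}
	return TLSEnabled
}

func main() {
	// Constructed input: the registry from the warning in the issue, flagged insecure.
	regs := []Registry{{Address: "localhost:8000", Insecure: true}}
	refs := []string{"localhost:8000/development/example:development", "localhost:5000/example:dev", "ubuntu:latest"}
	for _, ref := range refs {
		fmt.Printf("%-48s host=%-15s tls=%s\n", ref, hostOf(ref), tlsFor(ref, regs))
	}
}
```

Matching on the exact host and port keeps the opt-in from leaking to other registries on the same machine or to the default registry.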