fix: insecure push (#266)

Signed-off-by: Timur Tuktamyshev <[email protected]>

Author: timmilesdw

go.mod

@@ -5,7 +5,7 @@ go 1.24.6
 require (
 	github.com/Masterminds/semver/v3 v3.3.1
 	github.com/deckhouse/deckhouse/pkg/log v0.1.0
-	github.com/deckhouse/deckhouse/pkg/registry v0.0.0-20251120122028-65011cba39f4
+	github.com/deckhouse/deckhouse/pkg/registry v0.0.0-20260120103154-2be5575578db
 	github.com/deckhouse/virtualization/src/cli v1.0.0
 	github.com/fatih/color v1.18.0
 	github.com/fluxcd/flagger v1.36.1

go.sum

@@ -417,6 +417,10 @@ github.com/deckhouse/deckhouse/pkg/log v0.1.0 h1:2aPfyiHHSIJlX4x7ysyPOaIb7CLmyY+
 github.com/deckhouse/deckhouse/pkg/log v0.1.0/go.mod h1:pbAxTSDcPmwyl3wwKDcEB3qdxHnRxqTV+J0K+sha8bw=
 github.com/deckhouse/deckhouse/pkg/registry v0.0.0-20251120122028-65011cba39f4 h1:puYW42+BF8fYuoq/dMDd+oxNprMuuSACWqDss6IQulE=
 github.com/deckhouse/deckhouse/pkg/registry v0.0.0-20251120122028-65011cba39f4/go.mod h1:+oNXMQMOaVpDq00i+PX9NXptzIybUDRmxAO7iRWM32s=
+github.com/deckhouse/deckhouse/pkg/registry v0.0.0-20260119191635-04ce9157d702 h1:HdfASfTGK2124itxEKqFNqEIEdjJ2XfD0DA+8ONBTok=
+github.com/deckhouse/deckhouse/pkg/registry v0.0.0-20260119191635-04ce9157d702/go.mod h1:OdmJduRktTXVMNLAULkzoPbzLbtaU/jBuwSoAUbnxRM=
+github.com/deckhouse/deckhouse/pkg/registry v0.0.0-20260120103154-2be5575578db h1:xq4DMxGgDk0IaqUzIqwkKOiY9dtQlpVnEupfE/TBU6c=
+github.com/deckhouse/deckhouse/pkg/registry v0.0.0-20260120103154-2be5575578db/go.mod h1:OdmJduRktTXVMNLAULkzoPbzLbtaU/jBuwSoAUbnxRM=
 github.com/deckhouse/virtualization/api v1.0.0 h1:q4TvC74tpjk25k0byXJCYP4HjvRexBSeI0cC8QeCMTQ=
 github.com/deckhouse/virtualization/api v1.0.0/go.mod h1:meTeGulR+xwnvt0pTGsoI14YhGe0lHUVyAfhZsoQyeQ=
 github.com/deckhouse/virtualization/src/cli v1.0.0 h1:tNuQugKqYiMwVV8xh2yLVaEIrxCzmRhaTVijrWc7Epw=

pkg/libmirror/util/auth/auth_test.go

@@ -39,3 +39,81 @@ func TestMakeRemoteRegistryRequestOptionsAnonymousInsecure(t *testing.T) {
 	gotOptionFnPtr := reflect.PointerTo(reflect.TypeOf(nameOpts[0]))
 	require.Equal(t, expectedOptionFnPtr, gotOptionFnPtr)
 }
+
+func TestMakeRemoteRegistryRequestOptions_InsecureHTTPScheme(t *testing.T) {
+	t.Run("insecure flag enables HTTP scheme for registry references", func(t *testing.T) {
+		nameOpts, _ := MakeRemoteRegistryRequestOptions(nil, true, false)
+		require.Len(t, nameOpts, 1, "should return name.Insecure option")
+
+		ref, err := name.ParseReference("localhost:5000/repo:tag", nameOpts...)
+		require.NoError(t, err)
+		require.Equal(t, "http", ref.Context().Registry.Scheme(), "should use HTTP scheme with insecure flag")
+	})
+
+	t.Run("secure mode uses HTTPS scheme", func(t *testing.T) {
+		nameOpts, _ := MakeRemoteRegistryRequestOptions(nil, false, false)
+		require.Len(t, nameOpts, 0, "should return no name options")
+
+		ref, err := name.ParseReference("registry.example.com/repo:tag", nameOpts...)
+		require.NoError(t, err)
+		require.Equal(t, "https", ref.Context().Registry.Scheme(), "should use HTTPS scheme by default")
+	})
+
+	t.Run("insecure flag works with localhost registry", func(t *testing.T) {
+		nameOpts, _ := MakeRemoteRegistryRequestOptions(nil, true, false)
+
+		ref, err := name.ParseReference("localhost:5000/deckhouse/install:v1.0.0", nameOpts...)
+		require.NoError(t, err)
+		require.Equal(t, "http", ref.Context().Registry.Scheme())
+		require.Equal(t, "localhost:5000", ref.Context().RegistryStr())
+	})
+
+	t.Run("insecure flag works with IP-based registry", func(t *testing.T) {
+		nameOpts, _ := MakeRemoteRegistryRequestOptions(nil, true, false)
+
+		ref, err := name.ParseReference("192.168.1.100:5000/repo:tag", nameOpts...)
+		require.NoError(t, err)
+		require.Equal(t, "http", ref.Context().Registry.Scheme())
+	})
+}
+
+func TestMakeRemoteRegistryRequestOptions_TLSSkipVerify(t *testing.T) {
+	t.Run("TLS skip verify creates custom transport", func(t *testing.T) {
+		_, remoteOpts := MakeRemoteRegistryRequestOptions(nil, false, true)
+		require.Len(t, remoteOpts, 3, "should have 3 remote options: transport + puller + pusher")
+	})
+
+	t.Run("both insecure and TLS skip verify", func(t *testing.T) {
+		nameOpts, remoteOpts := MakeRemoteRegistryRequestOptions(nil, true, true)
+		require.Len(t, nameOpts, 1, "should have name.Insecure option")
+		require.Len(t, remoteOpts, 3, "should have transport + puller + pusher options")
+	})
+
+	t.Run("secure mode without TLS skip", func(t *testing.T) {
+		nameOpts, remoteOpts := MakeRemoteRegistryRequestOptions(nil, false, false)
+		require.Len(t, nameOpts, 0, "should have no name options")
+		require.Len(t, remoteOpts, 2, "should have only puller + pusher options")
+	})
+}
+
+func TestMakeRemoteRegistryRequestOptions_RegressionTest(t *testing.T) {
+	t.Run("insecure flag must be passed to name.ParseReference", func(t *testing.T) {
+		nameOpts, _ := MakeRemoteRegistryRequestOptions(nil, true, false)
+
+		require.NotEmpty(t, nameOpts, "name options must not be empty when insecure=true")
+
+		ref, err := name.ParseReference("localhost:5000/deckhouse/ee:v1.63.0", nameOpts...)
+		require.NoError(t, err, "should parse reference with insecure option")
+		require.Equal(t, "http", ref.Context().Registry.Scheme(),
+			"REGRESSION: insecure flag must result in HTTP scheme, not HTTPS")
+	})
+
+	t.Run("without insecure flag remote registry defaults to HTTPS", func(t *testing.T) {
+		nameOpts, _ := MakeRemoteRegistryRequestOptions(nil, false, false)
+
+		ref, err := name.ParseReference("registry.example.com:5000/repo:tag", nameOpts...)
+		require.NoError(t, err)
+		require.Equal(t, "https", ref.Context().Registry.Scheme(),
+			"without insecure flag, remote registry should default to HTTPS")
+	})
+}