fix: allow http registries by disabling TLS check (#1203)

**What problem does this PR solve?**:
Disables TLS if the registry is HTTP 

**Which issue(s) this PR fixes**:
Fixes #

**How Has This Been Tested?**:
<!--
Please describe the tests that you ran to verify your changes.
Provide output from the tests and any manual steps needed to replicate
the tests.
-->

**Special notes for your reviewer**:
<!--
Use this to provide any additional information to the reviewers.
This may include:
- Best way to review the PR.
- Where the author wants the most review attention on.
- etc.
-->

Author: faiq

pkg/webhook/preflight/generic/registry.go

@@ -86,18 +86,35 @@ func (r *registryCheck) checkRegistry(
 		)
 		return result
 	}
-	mirrorHost := config.Host{
+	registryHost := config.Host{
 		Name: registryURLParsed.Host,
 	}
+	if registryURLParsed.Scheme != "http" && registryURLParsed.Scheme != "https" {
+		result.Allowed = false
+		result.Causes = append(result.Causes,
+			preflight.Cause{
+				Message: fmt.Sprintf(
+					"Registry URL scheme %q is not supported. Use http or https.",
+					registryURLParsed.Scheme,
+				),
+				Field: r.field + ".url",
+			},
+		)
+		return result
+	}
+	if registryURLParsed.Scheme == "http" {
+		registryHost.TLS = config.TLSDisabled
+	}
+
 	if credentials != nil && credentials.SecretRef != nil {
-		mirrorCredentialsSecret := &corev1.Secret{}
+		credentialsSecret := &corev1.Secret{}
 		err := r.kclient.Get(
 			ctx,
 			types.NamespacedName{
 				Namespace: r.cluster.Namespace,
 				Name:      credentials.SecretRef.Name,
 			},
-			mirrorCredentialsSecret,
+			credentialsSecret,
 		)
 		if apierrors.IsNotFound(err) {
 			result.Allowed = false
@@ -121,21 +138,21 @@ func (r *registryCheck) checkRegistry(
 			)
 			return result
 		}
-		username, ok := mirrorCredentialsSecret.Data["username"]
+		username, ok := credentialsSecret.Data["username"]
 		if ok {
-			mirrorHost.User = string(username)
+			registryHost.User = string(username)
 		}
-		password, ok := mirrorCredentialsSecret.Data["password"]
+		password, ok := credentialsSecret.Data["password"]
 		if ok {
-			mirrorHost.Pass = string(password)
+			registryHost.Pass = string(password)
 		}
-		if caCert, ok := mirrorCredentialsSecret.Data["ca.crt"]; ok {
-			mirrorHost.RegCert = string(caCert)
+		if caCert, ok := credentialsSecret.Data["ca.crt"]; ok {
+			registryHost.RegCert = string(caCert)
 		}
 	}
 	rc := regClientGetter(
-		regclient.WithConfigHost(mirrorHost),
-		regclient.WithUserAgent("regclient/example"),
+		regclient.WithConfigHost(registryHost),
+		regclient.WithUserAgent("regclient/caren"),
 	)
 	_, err = rc.Ping(ctx,
 		ref.Ref{

pkg/webhook/preflight/generic/registry_test.go

@@ -232,6 +232,38 @@ func TestRegistryCheck(t *testing.T) {
 				Allowed: true,
 			},
 		},
+		{
+			name: "image registry with valid configuration using http",
+			imageRegistry: &carenv1.ImageRegistry{
+				URL: "http://registry.example.com",
+				Credentials: &carenv1.RegistryCredentials{
+					SecretRef: &carenv1.LocalObjectReference{
+						Name: "test-secret",
+					},
+				},
+			},
+			kclient: &mockK8sClient{
+				getSecretFunc: func(ctx context.Context,
+					key types.NamespacedName,
+					obj ctrlclient.Object,
+					opts ...ctrlclient.GetOption,
+				) error {
+					secret := obj.(*corev1.Secret)
+					secret.Data = map[string][]byte{
+						"username": []byte("testuser"),
+					}
+					return nil
+				},
+			},
+			mockRegClientPingerFactory: func(...regclient.Opt) regClientPinger {
+				return &mockRegClient{
+					pingFunc: func(ref.Ref) error { return nil },
+				}
+			},
+			want: preflight.CheckResult{
+				Allowed: true,
+			},
+		},
 		{
 			name:  "image registry with invalid URL",
 			field: "cluster.spec.topology.variables[.name=clusterConfig].value.imageRegistries[0]",
@@ -275,6 +307,48 @@ func TestRegistryCheck(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:  "image registry with invalid URL scheme",
+			field: "cluster.spec.topology.variables[.name=clusterConfig].value.imageRegistries[0]",
+			imageRegistry: &carenv1.ImageRegistry{
+				URL: "tcp://some-registry.lol",
+				Credentials: &carenv1.RegistryCredentials{
+					SecretRef: &carenv1.LocalObjectReference{
+						Name: "test-secret",
+					},
+				},
+			},
+			kclient: &mockK8sClient{
+				getSecretFunc: func(ctx context.Context,
+					key types.NamespacedName,
+					obj ctrlclient.Object,
+					opts ...ctrlclient.GetOption,
+				) error {
+					secret := obj.(*corev1.Secret)
+					secret.Data = map[string][]byte{
+						"username": []byte("testuser"),
+						"password": []byte("testpass"),
+						"ca.crt":   []byte("test-ca-cert"),
+					}
+					return nil
+				},
+			},
+			mockRegClientPingerFactory: func(...regclient.Opt) regClientPinger {
+				return &mockRegClient{
+					pingFunc: func(ref.Ref) error { return nil },
+				}
+			},
+			want: preflight.CheckResult{
+				Allowed:       false,
+				InternalError: false,
+				Causes: []preflight.Cause{
+					{
+						Message: "Registry URL scheme \"tcp\" is not supported. Use http or https.",
+						Field:   "cluster.spec.topology.variables[.name=clusterConfig].value.imageRegistries[0].url",
+					},
+				},
+			},
+		},
 	}
 
 	for _, tc := range testCases {