controller: add --allow-insecure-registry flag

Allow falling back to HTTP when resolving tag-based image refs
against registries that do not serve TLS.

Assisted-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Alice Frosi <afrosi@redhat.com>

Author: alicefr

cmd/controller/main.go

@@ -34,8 +34,11 @@ func main() {
 	var enableLeaderElection bool
 	var probeAddr string
 	var tagResolutionInterval time.Duration
+	var allowInsecureRegistry bool
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.DurationVar(&tagResolutionInterval, "tag-resolution-interval", 5*time.Minute, "How often to re-resolve tag-based image refs.")
+	flag.BoolVar(&allowInsecureRegistry, "allow-insecure-registry", false,
+		"Allow falling back to HTTP when resolving tag-based image refs against registries that do not serve TLS.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
@@ -68,7 +71,7 @@ func main() {
 		Client:                mgr.GetClient(),
 		Scheme:                mgr.GetScheme(),
 		KubeClient:            kubeClient,
-		TagResolver:           &registry.GGCRResolver{},
+		TagResolver:           &registry.GGCRResolver{AllowInsecure: allowInsecureRegistry},
 		TagResolutionInterval: tagResolutionInterval,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "Failed to create controller", "controller", "bootcnodepool")

internal/registry/resolver.go

@@ -14,14 +14,25 @@ type TagResolver interface {
 }
 
 // GGCRResolver resolves image tags to digests using go-containerregistry.
-type GGCRResolver struct{}
+type GGCRResolver struct {
+	// AllowInsecure enables fallback to HTTP when the HTTPS connection
+	// to the registry fails.
+	AllowInsecure bool
+}
 
 func (r *GGCRResolver) Resolve(ctx context.Context, ref string) (string, error) {
 	parsed, err := name.ParseReference(ref)
 	if err != nil {
 		return "", fmt.Errorf("parsing reference %q: %w", ref, err)
 	}
 	desc, err := remote.Get(parsed, remote.WithContext(ctx))
+	if err != nil && r.AllowInsecure {
+		insecure, parseErr := name.ParseReference(ref, name.Insecure)
+		if parseErr != nil {
+			return "", fmt.Errorf("parsing reference %q: %w", ref, parseErr)
+		}
+		desc, err = remote.Get(insecure, remote.WithContext(ctx))
+	}
 	if err != nil {
 		return "", fmt.Errorf("fetching manifest for %q: %w", ref, err)
 	}