fix(desktop): preserve transport defaults; nil-fall-back for resolver

Address Copilot review on #13770:

- ProxyTransport now clones http.DefaultTransport and overrides only
  Proxy and DialContext, keeping stdlib timeouts, idle pool, and HTTP/2
  defaults (was a bare *http.Transport that dropped them).
- When DD is unavailable or detection fails, return nil instead of
  http.DefaultTransport so oci.NewResolver lets containerd use its own
  built-in default transport — preserving prior behavior for non-DD
  users.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>

Author: glours

internal/desktop/proxy.go

@@ -68,32 +68,38 @@ func httpProxySocketEndpoint(endpoint string) string {
 }
 
 // ProxyTransport returns an http.RoundTripper that routes traffic through
-// Docker Desktop's PAC-aware HTTP proxy when DD exposes the proxy socket.
-// Otherwise http.DefaultTransport is returned. Pass "" for endpoint when DD
-// is not the active engine.
+// Docker Desktop's PAC-aware HTTP proxy when DD exposes the proxy socket,
+// or nil when no override is needed (callers should use their own default
+// transport in that case — for the OCI resolver this means containerd's
+// built-in transport). Pass "" for endpoint when DD is not the active
+// engine.
+//
+// When DD is available, the returned transport is a clone of
+// http.DefaultTransport with only Proxy and DialContext overridden, so it
+// preserves stdlib timeout, pooling, and HTTP/2 defaults.
 func ProxyTransport(endpoint string) http.RoundTripper {
 	proxyEndpoint := httpProxySocketEndpoint(endpoint)
 	if proxyEndpoint == "" {
-		logrus.Debug("Docker Desktop HTTP proxy not available; using default HTTP transport")
-		return http.DefaultTransport
+		logrus.Debug("Docker Desktop HTTP proxy not available; deferring to caller's default transport")
+		return nil
 	}
 	logrus.Debugf("routing OCI traffic through Docker Desktop HTTP proxy at %s", proxyEndpoint)
-	return &http.Transport{
-		Proxy: http.ProxyURL(&url.URL{Scheme: "http"}),
-		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
-			return memnet.DialEndpoint(ctx, proxyEndpoint)
-		},
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	tr.Proxy = http.ProxyURL(&url.URL{Scheme: "http"})
+	tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
+		return memnet.DialEndpoint(ctx, proxyEndpoint)
 	}
+	return tr
 }
 
 // ProxyTransportFor discovers the Docker Desktop endpoint via apiClient and
-// returns the matching transport, falling back to http.DefaultTransport on
-// discovery failure.
+// returns the matching transport, or nil when DD is not active or discovery
+// fails (so callers fall back to their own default transport).
 func ProxyTransportFor(ctx context.Context, apiClient client.APIClient) http.RoundTripper {
 	endpoint, err := Endpoint(ctx, apiClient)
 	if err != nil {
-		logrus.Debugf("could not detect Docker Desktop endpoint, using default HTTP transport: %v", err)
-		return http.DefaultTransport
+		logrus.Debugf("could not detect Docker Desktop endpoint, deferring to caller's default transport: %v", err)
+		return nil
 	}
 	return ProxyTransport(endpoint)
 }

internal/desktop/proxy_test.go

@@ -57,20 +57,19 @@ func TestHTTPProxySocketEndpoint_EmptyOrUnknown(t *testing.T) {
 	assert.Equal(t, httpProxySocketEndpoint("tcp://localhost:1234"), "")
 }
 
-func TestProxyTransport_FallsBackWhenNoDockerDesktop(t *testing.T) {
-	got := ProxyTransport("")
-	assert.Equal(t, got, http.DefaultTransport)
+func TestProxyTransport_NilWhenNoDockerDesktop(t *testing.T) {
+	assert.Assert(t, ProxyTransport("") == nil,
+		"must return nil so callers fall back to their own (e.g. containerd's) default transport")
 }
 
-func TestProxyTransport_FallsBackWhenSocketMissing(t *testing.T) {
+func TestProxyTransport_NilWhenSocketMissing(t *testing.T) {
 	// no httpproxy.sock created
 	dir := t.TempDir()
 	cliSock := filepath.Join(dir, "docker-cli.sock")
 	mustTouch(t, cliSock)
 
-	got := ProxyTransport("unix://" + cliSock)
-	assert.Equal(t, got, http.DefaultTransport,
-		"when DD endpoint is set but proxy socket is missing, must not return a transport that would dial a dead socket")
+	assert.Assert(t, ProxyTransport("unix://"+cliSock) == nil,
+		"must return nil when DD endpoint is set but proxy socket is missing, not a transport that would dial a dead socket")
 }
 
 func TestProxyTransport_RoutesThroughDockerDesktop(t *testing.T) {
@@ -86,7 +85,18 @@ func TestProxyTransport_RoutesThroughDockerDesktop(t *testing.T) {
 	got := ProxyTransport("unix://" + cliSock)
 	tr, ok := got.(*http.Transport)
 	assert.Assert(t, ok, "expected *http.Transport when DD endpoint is set and socket exists")
-	assert.Assert(t, tr != http.DefaultTransport)
+	assert.Assert(t, tr != http.DefaultTransport, "must be a clone, not DefaultTransport itself")
+
+	// Verify the clone preserved http.DefaultTransport's production
+	// settings (timeouts, idle pool, HTTP/2). Compare to the source
+	// fields rather than asserting fixed values so this test follows
+	// stdlib changes.
+	src := http.DefaultTransport.(*http.Transport)
+	assert.Equal(t, tr.MaxIdleConns, src.MaxIdleConns)
+	assert.Equal(t, tr.IdleConnTimeout, src.IdleConnTimeout)
+	assert.Equal(t, tr.TLSHandshakeTimeout, src.TLSHandshakeTimeout)
+	assert.Equal(t, tr.ExpectContinueTimeout, src.ExpectContinueTimeout)
+	assert.Equal(t, tr.ForceAttemptHTTP2, src.ForceAttemptHTTP2)
 }
 
 func mustTouch(t *testing.T, path string) {