From 2782b0ccb28ab425e5f951155d2df0133e24759b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Va=C5=A1ek?=
Date: Thu, 27 Nov 2025 17:13:10 +0100
Subject: [PATCH] Revert "fix: remote builds defeault to insecure for local registries (#3094)"

This reverts commit 89be8d933e7b6fa3e4eab63f24444b96e4e3bfeb.
---
 pkg/pipelines/tekton/templates.go | 39 --------------------------
 pkg/pipelines/tekton/templates_s2i.go | 10 ------
 pkg/pipelines/tekton/templates_test.go | 25 -----------------
 3 files changed, 74 deletions(-)

diff --git a/pkg/pipelines/tekton/templates.go b/pkg/pipelines/tekton/templates.go
index 9410c5bac5..3d22cdeb4b 100644
--- a/pkg/pipelines/tekton/templates.go
+++ b/pkg/pipelines/tekton/templates.go
@@ -5,7 +5,6 @@ import (
 "fmt"
 "os"
 "path"
- "regexp"
 "strings"
 "text/template"
@@ -77,27 +76,6 @@ const (
 defaultPipelinesTargetBranch = "main"
 )
-// insecureRegistryRegex matches localhost, 127.0.0.1, or registry.default.svc.cluster.local with optional port
-var insecureRegistryRegex = regexp.MustCompile(`^(localhost|127\.0\.0\.1|registry\.default\.svc\.cluster\.local)(:[0-9]+)?$`)
-
-// isInsecureRegistry checks if the given registry should be treated as insecure
-// (skip TLS verification). This includes known local/cluster registries.
-func isInsecureRegistry(registry string) bool {
- // First check the basic regex pattern
- if insecureRegistryRegex.MatchString(registry) {
- return true
- }
-
- // Also check if registry includes the insecure registry as part of image path (e.g., "localhost/myimage")
- // This handles cases where the registry might be part of a full image reference
- parts := strings.SplitN(registry, "/", 2)
- if len(parts) > 0 && insecureRegistryRegex.MatchString(parts[0]) {
- return true
- }
-
- return false
-}
-
 type templateData struct {
 FunctionName string
 Annotations map[string]string
@@ -134,9 +112,6 @@ type templateData struct {
 // S2I related properties
 S2iImageScriptsUrl string
-
- // TLS verification for registry operations
- TlsVerify string
 }
 // createPipelineTemplatePAC creates a Pipeline template used for PAC on-cluster build
@@ -214,12 +189,6 @@ func createPipelineRunTemplatePAC(f fn.Function, labels map[string]string) error
 image = f.Image
 }
- // Determine if TLS verification should be skipped
- tlsVerify := "true"
- if isInsecureRegistry(f.Registry) {
- tlsVerify = "false"
- }
-
 data := templateData{
 FunctionName: f.Name,
 Annotations: f.Deploy.Annotations,
@@ -242,7 +211,6 @@ func createPipelineRunTemplatePAC(f fn.Function, labels map[string]string) error
 PipelineYamlURL: fmt.Sprintf("%s/%s", resourcesDirectory, pipelineFileNamePAC),
 S2iImageScriptsUrl: s2iImageScriptsUrl,
- TlsVerify: tlsVerify,
 RepoUrl: "\"{{ repo_url }}\"",
 Revision: "\"{{ revision }}\"",
@@ -418,12 +386,6 @@ func createAndApplyPipelineRunTemplate(f fn.Function, namespace string, labels m
 s2iImageScriptsUrl = quarkusS2iImageScriptsUrl
 }
- // Determine if TLS verification should be skipped
- tlsVerify := "true"
- if isInsecureRegistry(f.Registry) {
- tlsVerify = "false"
- }
-
 data := templateData{
 FunctionName: f.Name,
 Annotations: f.Deploy.Annotations,
@@ -440,7 +402,6 @@ func createAndApplyPipelineRunTemplate(f fn.Function, namespace string, labels m
 SecretName: getPipelineSecretName(f),
 S2iImageScriptsUrl: s2iImageScriptsUrl,
- TlsVerify: tlsVerify,
 RepoUrl: f.Build.Git.URL,
 Revision: pipelinesTargetBranch,
diff --git a/pkg/pipelines/tekton/templates_s2i.go b/pkg/pipelines/tekton/templates_s2i.go
index d45368c8d7..7315a382bb 100644
--- a/pkg/pipelines/tekton/templates_s2i.go
+++ b/pkg/pipelines/tekton/templates_s2i.go
@@ -44,10 +44,6 @@ spec:
 name: s2iImageScriptsUrl
 type: string
 default: 'image:///usr/libexec/s2i'
- - description: Verify TLS when pushing to registry
- name: tlsVerify
- type: string
- default: 'true'
 tasks:
 {{.GitCloneTaskRef}}
 - name: scaffold
@@ -74,8 +70,6 @@ spec:
 - '$(params.buildEnvs[*])'
 - name: S2I_IMAGE_SCRIPTS_URL
 value: $(params.s2iImageScriptsUrl)
- - name: TLSVERIFY
- value: $(params.tlsVerify)
 runAfter:
 - scaffold
 {{.FuncS2iTaskRef}}
@@ -144,8 +138,6 @@ spec:
 {{end}}
 - name: s2iImageScriptsUrl
 value: {{.S2iImageScriptsUrl}}
- - name: tlsVerify
- value: {{.TlsVerify}}
 pipelineRef:
 name: {{.PipelineName}}
 workspaces:
@@ -214,8 +206,6 @@ spec:
 {{end}}
 - name: s2iImageScriptsUrl
 value: {{.S2iImageScriptsUrl}}
- - name: tlsVerify
- value: {{.TlsVerify}}
 pipelineRef:
 name: {{.PipelineName}}
 workspaces:
diff --git a/pkg/pipelines/tekton/templates_test.go b/pkg/pipelines/tekton/templates_test.go
index 14cfcfb292..4fbc5e2863 100644
--- a/pkg/pipelines/tekton/templates_test.go
+++ b/pkg/pipelines/tekton/templates_test.go
@@ -19,31 +19,6 @@ const (
 TestRegistry = "example.com/alice"
 )
-func Test_isInsecureRegistry(t *testing.T) {
- tests := []struct {
- name string
- registry string
- want bool
- }{
- {"localhost without port", "localhost", true},
- {"127.0.0.1 without port", "127.0.0.1", true},
- {"cluster local registry without port", "registry.default.svc.cluster.local", true},
- {"localhost with port 5000", "localhost:5000", true},
- {"127.0.0.1 with port 5000", "127.0.0.1:5000", true},
- {"cluster local registry with port 5000", "registry.default.svc.cluster.local:5000", true},
- {"external registry", "docker.io", false},
- {"external registry with port", "quay.io:443", false},
- {"similar but not matching", "localhost.example.com", false},
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- if got := isInsecureRegistry(tt.registry); got != tt.want {
- t.Errorf("isInsecureRegistry(%q) = %v, want %v", tt.registry, got, tt.want)
- }
- })
- }
-}
-
 func Test_createPipelineTemplatePAC(t *testing.T) {
 tests := []struct {
 name string