knative · matejvasek · Nov 27, 2025
diff --git a/pkg/pipelines/tekton/templates.go b/pkg/pipelines/tekton/templates.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 	"path"
-	"regexp"
 	"strings"
 	"text/template"
 
@@ -77,27 +76,6 @@ const (
 	defaultPipelinesTargetBranch = "main"
 )
 
-// insecureRegistryRegex matches localhost, 127.0.0.1, or registry.default.svc.cluster.local with optional port
-var insecureRegistryRegex = regexp.MustCompile(`^(localhost|127\.0\.0\.1|registry\.default\.svc\.cluster\.local)(:[0-9]+)?$`)
-
-// isInsecureRegistry checks if the given registry should be treated as insecure
-// (skip TLS verification). This includes known local/cluster registries.
-func isInsecureRegistry(registry string) bool {
-	// First check the basic regex pattern
-	if insecureRegistryRegex.MatchString(registry) {
-		return true
-	}
-
-	// Also check if registry includes the insecure registry as part of image path (e.g., "localhost/myimage")
-	// This handles cases where the registry might be part of a full image reference
-	parts := strings.SplitN(registry, "/", 2)
-	if len(parts) > 0 && insecureRegistryRegex.MatchString(parts[0]) {
-		return true
-	}
-
-	return false
-}
-
 type templateData struct {
 	FunctionName  string
 	Annotations   map[string]string
@@ -134,9 +112,6 @@ type templateData struct {
 
 	// S2I related properties
 	S2iImageScriptsUrl string
-
-	// TLS verification for registry operations
-	TlsVerify string
 }
 
 // createPipelineTemplatePAC creates a Pipeline template used for PAC on-cluster build
@@ -214,12 +189,6 @@ func createPipelineRunTemplatePAC(f fn.Function, labels map[string]string) error
 		image = f.Image
 	}
 
-	// Determine if TLS verification should be skipped
-	tlsVerify := "true"
-	if isInsecureRegistry(f.Registry) {
-		tlsVerify = "false"
-	}
-
 	data := templateData{
 		FunctionName:  f.Name,
 		Annotations:   f.Deploy.Annotations,
@@ -242,7 +211,6 @@ func createPipelineRunTemplatePAC(f fn.Function, labels map[string]string) error
 		PipelineYamlURL: fmt.Sprintf("%s/%s", resourcesDirectory, pipelineFileNamePAC),
 
 		S2iImageScriptsUrl: s2iImageScriptsUrl,
-		TlsVerify:          tlsVerify,
 
 		RepoUrl:  "\"{{ repo_url }}\"",
 		Revision: "\"{{ revision }}\"",
@@ -418,12 +386,6 @@ func createAndApplyPipelineRunTemplate(f fn.Function, namespace string, labels m
 		s2iImageScriptsUrl = quarkusS2iImageScriptsUrl
 	}
 
-	// Determine if TLS verification should be skipped
-	tlsVerify := "true"
-	if isInsecureRegistry(f.Registry) {
-		tlsVerify = "false"
-	}
-
 	data := templateData{
 		FunctionName:  f.Name,
 		Annotations:   f.Deploy.Annotations,
@@ -440,7 +402,6 @@ func createAndApplyPipelineRunTemplate(f fn.Function, namespace string, labels m
 		SecretName:      getPipelineSecretName(f),
 
 		S2iImageScriptsUrl: s2iImageScriptsUrl,
-		TlsVerify:          tlsVerify,
 
 		RepoUrl:  f.Build.Git.URL,
 		Revision: pipelinesTargetBranch,

diff --git a/pkg/pipelines/tekton/templates_s2i.go b/pkg/pipelines/tekton/templates_s2i.go
@@ -44,10 +44,6 @@ spec:
       name: s2iImageScriptsUrl
       type: string
       default: 'image:///usr/libexec/s2i'
-    - description: Verify TLS when pushing to registry
-      name: tlsVerify
-      type: string
-      default: 'true'
   tasks:
     {{.GitCloneTaskRef}}
     - name: scaffold
@@ -74,8 +70,6 @@ spec:
             - '$(params.buildEnvs[*])'
         - name: S2I_IMAGE_SCRIPTS_URL
           value: $(params.s2iImageScriptsUrl)
-        - name: TLSVERIFY
-          value: $(params.tlsVerify)
       runAfter:
         - scaffold
       {{.FuncS2iTaskRef}}
@@ -144,8 +138,6 @@ spec:
         {{end}}
     - name: s2iImageScriptsUrl
       value: {{.S2iImageScriptsUrl}}
-    - name: tlsVerify
-      value: {{.TlsVerify}}
   pipelineRef:
    name: {{.PipelineName}}
   workspaces:
@@ -214,8 +206,6 @@ spec:
         {{end}}
     - name: s2iImageScriptsUrl
       value: {{.S2iImageScriptsUrl}}
-    - name: tlsVerify
-      value: {{.TlsVerify}}
   pipelineRef:
    name: {{.PipelineName}}
   workspaces:

diff --git a/pkg/pipelines/tekton/templates_test.go b/pkg/pipelines/tekton/templates_test.go
@@ -19,31 +19,6 @@ const (
 	TestRegistry = "example.com/alice"
 )
 
-func Test_isInsecureRegistry(t *testing.T) {
-	tests := []struct {
-		name     string
-		registry string
-		want     bool
-	}{
-		{"localhost without port", "localhost", true},
-		{"127.0.0.1 without port", "127.0.0.1", true},
-		{"cluster local registry without port", "registry.default.svc.cluster.local", true},
-		{"localhost with port 5000", "localhost:5000", true},
-		{"127.0.0.1 with port 5000", "127.0.0.1:5000", true},
-		{"cluster local registry with port 5000", "registry.default.svc.cluster.local:5000", true},
-		{"external registry", "docker.io", false},
-		{"external registry with port", "quay.io:443", false},
-		{"similar but not matching", "localhost.example.com", false},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := isInsecureRegistry(tt.registry); got != tt.want {
-				t.Errorf("isInsecureRegistry(%q) = %v, want %v", tt.registry, got, tt.want)
-			}
-		})
-	}
-}
-
 func Test_createPipelineTemplatePAC(t *testing.T) {
 	tests := []struct {
 		name    string