fix: Enable registries with self-signed certificates

halvards · halvards · commit 4cd132ee6cd2 · 2025-11-07T23:57:37.000+11:00
This change enables Skaffold to push to container image registries that use self-signed or other untrusted certificates, when Skaffold runs on macOS or Windows. It also removes the need for the `SSL_CERT_FILE` environment variable workaround on Linux. Prior to this fix, Skaffold would fail to retrieve the digest from the registry after the image was built, even if the registry was configured as an insecure registry in Skaffold configuration: ``` getting image: Get "https://localhost:8443/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority; GET http://localhost:8443/v2/: unexpected status code 400 Bad Request: Client sent an HTTP request to an HTTPS server. ``` On Linux environments only, a possible workaround was to set the `SSL_CERT_FILE` environment variable. However, this workaround cannot be used on macOS or Windows. This change updates `getRemoteIndex()` and `getRemoteImage()` in `pkg/skaffold/docker/remote.go`, adding the `InsecureSkipVerify` TLS config field to the transport if the registry from the image name matches one of the insecure registries configured in Skaffold. Fixes: GoogleContainerTools#3039 GoogleContainerTools#3116 Related: google/go-containerregistry#1559
diff --git a/pkg/skaffold/docker/remote.go b/pkg/skaffold/docker/remote.go
@@ -18,7 +18,9 @@ package docker
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
+	"net/http"
 
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -123,6 +125,9 @@ func getRemoteImage(identifier string, cfg Config, platform v1.Platform) (v1.Ima
 	options := []remote.Option{
 		remote.WithAuthFromKeychain(primaryKeychain),
 	}
+	if IsInsecure(ref, cfg.GetInsecureRegistries()) {
+		options = append(options, insecureTransportOption())
+	}
 	if platform.String() != "" {
 		options = append(options, remote.WithPlatform(platform))
 	}
@@ -136,14 +141,29 @@ func getRemoteIndex(identifier string, cfg Config) (v1.ImageIndex, error) {
 		return nil, err
 	}
 
-	return remoteIndex(ref, remote.WithAuthFromKeychain(primaryKeychain))
+	options := []remote.Option{
+		remote.WithAuthFromKeychain(primaryKeychain),
+	}
+	if IsInsecure(ref, cfg.GetInsecureRegistries()) {
+		options = append(options, insecureTransportOption())
+	}
+	return remoteIndex(ref, options...)
 }
 
 // IsInsecure tests if an image is pulled from an insecure registry; default is false
 func IsInsecure(ref name.Reference, insecureRegistries map[string]bool) bool {
 	return insecureRegistries[ref.Context().Registry.Name()]
 }
 
+// insecureTransportOption allows untrusted certificates.
+func insecureTransportOption() remote.Option {
+	transport := remote.DefaultTransport.(*http.Transport).Clone()
+	transport.TLSClientConfig = &tls.Config{
+		InsecureSkipVerify: true, //nolint: gosec
+	}
+	return remote.WithTransport(transport)
+}
+
 func parseReference(s string, cfg Config, opts ...name.Option) (name.Reference, error) {
 	ref, err := name.ParseReference(s, opts...)
 	if err != nil {
