Feature: insecure non-TLS registry support

[alexellis]

Add support for insecure non-TLS registries

Why? It seems like commercial users are unsure how to configure self-hosted registries with TLS, and have requested this feature several times.

Expected Behaviour

faasd-provider can pull images from an insecure registry with no TLS such as localhost:5000 or 192.168.0.101:5000

I would expect a new flag to be set on the faasd provider command: https://github.com/openfaas/faasd/blob/master/cmd/provider.go

Current Behaviour

A valid TLS cert is required, for self-signed certs the CA should be part of the system's trust bundle.

List all Possible Solutions

@AkihiroSuda pointed me at:

https://github.com/containerd/nerdctl/pull/287/files

Which could be updated here:

faasd/pkg/service/service.go

Line 125 in 2885bb0

Hosts: docker.ConfigureDefaultRegistries(docker.WithAuthorizer(authorizer)),

Steps to Reproduce (for bugs)

1. Run an open source docker registry
2. Push an image there from your Docker Desktop instance with faas-cli push
3. Run faas-cli deploy and have faasd-provider deploy the function

[Shikachuu]

Hey @alexellis,
I am planning to pick up this issue.

The do you have any flag name in mind?
Or should I use the one in the nerdctl PR that you linked? (--insecure-registry)

[alexellis]

Why don't you have a play with it without committing to a design? Just see if you can figure out what's needed to make it work first.