Use of insecure registry for exporter #1425

Closed
FredPraca opened this issue Nov 15, 2024 · 4 comments · Fixed by #1426
Labels
status/ready type/bug Something isn't working

Comments

@FredPraca

Summary

I am currently trying to run the cnb command in a GitLab runner.
As I'm in a closed network with access to a Gitlab server and a Nexus proxy proxying OCI images as well as Maven artifacts and others, I have to configure a lot of things to make it work.
The problem is that both servers use a trust CA unknown to containers (whenever it's a CA from Gandi but that's another story).

For this task, I used

    - export CNB_PLATFORM_API=0.14
    - export CNB_INSECURE_REGISTRIES=gitlab.example.com:5005,nexus.example.com:5000
    - export CNB_RUN_IMAGE=nexus.example.com:5000/paketobuildpacks/run-jammy-tiny:latest
    - /cnb/lifecycle/creator -app . -platform $PLATFORM_PATH $CI_REGISTRY_IMAGE:latest

The result is always the same

    ===> EXPORTING
    Reusing layers from image 'gitlab.example.com:5005/dev/my-project@sha256:2f7406504e3a3078c0147844939d72ef80fa7bac30a00bebf39eab7ecf055070'
    ERROR: failed to access run image: connect to repo store "nexus.example.com:5000/paketobuildpacks/run-jammy-tiny:latest": Get "https://nexus.example.com:5000/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority

I also tried to force the insecure registry with the following but got the same result

    - export CNB_PLATFORM_API=0.14
    - export CNB_INSECURE_REGISTRIES=gitlab.example.com:5005,nexus.example.com:5000
    - export CNB_RUN_IMAGE=nexus.example.com:5000/paketobuildpacks/run-jammy-tiny:latest
    - /cnb/lifecycle/creator -app . -platform $PLATFORM_PATH --insecure-registry nexus.example.com:5000 $CI_REGISTRY_IMAGE:latest

Reproduction

Steps
  1. Close the access to Docker registry
  2. Set up a proxy to it with a custom certificate

Current behavior

As described, I get a TLS certificate verification error.

Expected behavior

CNB_INSECURE_REGISTRIES should be used to avoid checking registry certificate


Context

lifecycle version

Lifecycle version is the one from the paketobuildpacks/builder-jammy-tiny image : 0.20.3+dd23dd7d

platform version(s)

As used in the configuration, I use 0.14 architecture version.

@FredPraca FredPraca added status/triage type/bug Something isn't working labels Nov 15, 2024
@natalieparellano natalieparellano added help wanted Need some extra hands to the this done. status/ready and removed status/triage labels Nov 15, 2024
@natalieparellano natalieparellano added this to the lifecycle 0.21.0 milestone Nov 15, 2024
@natalieparellano
Member

Ah, I see the issue - we're passing the insecure options through when we instantiate the app image here but not when we instantiate the run image here. I can probably make a quick fix for this

@natalieparellano natalieparellano removed the help wanted Need some extra hands to the this done. label Nov 15, 2024
natalieparellano added a commit that referenced this issue Nov 15, 2024
Signed-off-by: Natalie Arellano <narellano@vmware.com>
@FredPraca
Author

Cool, it's a bug. First of all, I thought I became crazy 😄

natalieparellano added a commit that referenced this issue Nov 18, 2024
…ge (#1426)

Signed-off-by: Natalie Arellano <narellano@vmware.com>
@FredPraca
Author

FredPraca commented Nov 19, 2024

Wowww, super fast 👍
Thanks

@FredPraca
Author

Sorry for the delay.
I tested it using latest builder-jammy-tiny image and it works like a charm.

Thanks again
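
As an added example that is not part of the thread and not the lifecycle's code: the insecure-registry list is resolved once, by exact host:port match, for every image reference the export touches, the run image included. The function names and the simplified reference parsing are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// registryHost extracts the registry from an image reference. Simplified
// parsing for this example: the first path component is a registry only if
// it contains "." or ":" or is "localhost"; otherwise Docker Hub is implied.
func registryHost(ref string) string {
	first, _, found := strings.Cut(ref, "/")
	if !found || !(strings.ContainsAny(first, ".:") || first == "localhost") {
		return "index.docker.io"
	}
	return first
}

// isInsecure reports whether ref's registry appears, as an exact host:port
// match, in a comma-separated list such as the CNB_INSECURE_REGISTRIES value.
func isInsecure(ref, insecureList string) bool {
	host := registryHost(ref)
	for _, entry := range strings.Split(insecureList, ",") {
		if strings.TrimSpace(entry) == host {
			return true
		}
	}
	return false
}

// resolveTLSPolicy decides the policy for every image reference passed in,
// app and run image alike. true means certificate verification is skipped.
func resolveTLSPolicy(insecureList string, refs ...string) map[string]bool {
	policy := make(map[string]bool, len(refs))
	for _, ref := range refs {
		policy[ref] = isInsecure(ref, insecureList)
	}
	return policy
}

func main() {
	list := "gitlab.example.com:5005,nexus.example.com:5000" // from the report
	policy := resolveTLSPolicy(list,
		"gitlab.example.com:5005/dev/my-project:latest",
		"nexus.example.com:5000/paketobuildpacks/run-jammy-tiny:latest")
	for ref, skip := range policy {
		fmt.Printf("%-65s skipVerify=%v\n", ref, skip)
	}
}
```

Because matching is exact, a registry that is not listed (including one on a different port of a listed host) keeps normal certificate verification.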
