bib: disable --tls-verify flag

Since all containers are coming from local storage and require the user
to pull in the container before-hand, we can disable the `--tls-verify`
flag. The containers will not be resolved from a remote registry but
rather from the local container store.

README.md

@@ -131,7 +131,6 @@ Flags:
       --progress string       type of progress bar to use (e.g. verbose,term) (default "auto")
       --rootfs string         Root filesystem type. If not given, the default configured in the source container image is used.
       --target-arch string    build for the given target architecture (experimental)
-      --tls-verify            require HTTPS and verify certificates when contacting registries (default true)
       --type stringArray      image types to build [ami, anaconda-iso, gce, iso, qcow2, raw, vhd, vmdk] (default [qcow2])
       --version               version for bootc-image-builder
 
@@ -148,7 +147,6 @@ Global Flags:
 | --output          | output the artifact into the given output directory                                                       |      `.`      |
 | --progress        | Show progress in the given format, supported: verbose,term,debug. If empty it is auto-detected            |     `auto`    |
 | **--rootfs**      | Root filesystem type. Overrides the default from the source container. Supported values: ext4, xfs, btrfs |       ❌      |
-| --tls-verify      | Require HTTPS and verify certificates when contacting registries                                          |     `true`    |
 | **--type**        | [Image type](#-image-types) to build (can be passed multiple times)                                       |     `qcow2`   |
 | --target-arch     | [Target arch](#-target-architecture) to build                                                             |       ❌      |
 | --log-level       | Change log level (debug, info, error)                                                                     |     `error`   |

bib/cmd/bootc-image-builder/image.go

@@ -47,9 +47,6 @@ type ManifestConfig struct {
 	// CPU architecture of the image
 	Architecture arch.Arch
 
-	// TLSVerify specifies whether HTTPS and a valid TLS certificate are required
-	TLSVerify bool
-
 	// The minimum size required for the root fs in order to fit the container
 	// contents
 	RootfsMinsize uint64
@@ -319,10 +316,9 @@ func manifestForDiskImage(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest
 		return nil, fmt.Errorf("pipeline: no base image defined")
 	}
 	containerSource := container.SourceSpec{
-		Source:    c.Imgref,
-		Name:      c.Imgref,
-		TLSVerify: &c.TLSVerify,
-		Local:     true,
+		Source: c.Imgref,
+		Name:   c.Imgref,
+		Local:  true,
 	}
 
 	var customizations *blueprint.Customizations
@@ -427,10 +423,9 @@ func manifestForISO(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest, erro
 	}
 
 	containerSource := container.SourceSpec{
-		Source:    c.Imgref,
-		Name:      c.Imgref,
-		TLSVerify: &c.TLSVerify,
-		Local:     true,
+		Source: c.Imgref,
+		Name:   c.Imgref,
+		Local:  true,
 	}
 
 	// The ref is not needed and will be removed from the ctor later

bib/cmd/bootc-image-builder/main.go

@@ -194,7 +194,6 @@ func manifestFromCobra(cmd *cobra.Command, args []string, pbar progress.Progress
 	imgTypes, _ := cmd.Flags().GetStringArray("type")
 	rpmCacheRoot, _ := cmd.Flags().GetString("rpmmd")
 	targetArch, _ := cmd.Flags().GetString("target-arch")
-	tlsVerify, _ := cmd.Flags().GetBool("tls-verify")
 	rootFs, _ := cmd.Flags().GetString("rootfs")
 	useLibrepo, _ := cmd.Flags().GetBool("use-librepo")
 
@@ -305,7 +304,6 @@ func manifestFromCobra(cmd *cobra.Command, args []string, pbar progress.Progress
 		Config:         config,
 		ImageTypes:     imageTypes,
 		Imgref:         imgref,
-		TLSVerify:      tlsVerify,
 		RootfsMinsize:  cntSize * containerSizeToDiskSizeMultiplier,
 		DistroDefPaths: distroDefPaths,
 		SourceInfo:     sourceinfo,
@@ -653,7 +651,10 @@ func buildCobraCmdline() (*cobra.Command, error) {
 	rootCmd.AddCommand(versionCmd)
 
 	rootCmd.AddCommand(manifestCmd)
-	manifestCmd.Flags().Bool("tls-verify", true, "require HTTPS and verify certificates when contacting registries")
+	manifestCmd.Flags().Bool("tls-verify", false, "DEPRECATED: require HTTPS and verify certificates when contacting registries")
+	if err := manifestCmd.Flags().MarkHidden("tls-verify"); err != nil {
+		return nil, fmt.Errorf("cannot hide 'tls-verify' :%w", err)
+	}
 	manifestCmd.Flags().String("rpmmd", "/rpmmd", "rpm metadata cache directory")
 	manifestCmd.Flags().String("target-arch", "", "build for the given target architecture (experimental)")
 	manifestCmd.Flags().StringArray("type", []string{"qcow2"}, fmt.Sprintf("image types to build [%s]", imagetypes.Available()))

test/test_opts.py

@@ -76,33 +76,6 @@ def test_opts_arch_is_same_arch_is_fine(tmp_path, build_fake_container, target_a
         assert expected_err in res.stderr
 
 
-@pytest.mark.parametrize("tls_opt,expected_cmdline", [
-    ([], "--tls-verify=true"),
-    (["--tls-verify"], "--tls-verify=true"),
-    (["--tls-verify=true"], "--tls-verify=true"),
-    (["--tls-verify=false"], "--tls-verify=false"),
-    (["--tls-verify=0"], "--tls-verify=false"),
-])
-def test_bib_tls_opts(tmp_path, container_storage, build_fake_container, tls_opt, expected_cmdline):
-    output_path = tmp_path / "output"
-    output_path.mkdir(exist_ok=True)
-
-    container_ref = "quay.io/centos-bootc/centos-bootc:stream9"
-    testutil.pull_container(container_ref)
-
-    subprocess.check_call([
-        "podman", "run", "--rm",
-        "--privileged",
-        "--security-opt", "label=type:unconfined_t",
-        "-v", f"{container_storage}:/var/lib/containers/storage",
-        "-v", f"{output_path}:/output",
-        build_fake_container,
-        container_ref,
-    ] + tls_opt)
-    podman_log = output_path / "podman.log"
-    assert expected_cmdline in podman_log.read_text()
-
-
 @pytest.mark.parametrize("with_debug", [False, True])
 def test_bib_log_level_smoke(tmp_path, container_storage, build_fake_container, with_debug):
     output_path = tmp_path / "output"