feat(image): support custom TLS certs and insecure registries

crates/cli/lib/commands/image.rs

@@ -5,6 +5,7 @@ use std::time::Instant;
 use clap::{Args, Subcommand};
 use console::style;
 use microsandbox::image::Image;
+use microsandbox_image::{PullOptions, Registry};
 
 use crate::ui;
 
@@ -91,6 +92,8 @@ pub async fn run(args: ImageArgs) -> anyhow::Result<()> {
                 args.reference,
                 args.force,
                 args.quiet,
+                args.insecure,
+                args.ca_certs,
                 microsandbox_image::PullPolicy::Always,
             )
             .await
@@ -107,6 +110,8 @@ pub async fn run_pull(args: pull::PullArgs) -> anyhow::Result<()> {
         args.reference,
         args.force,
         args.quiet,
+        args.insecure,
+        args.ca_certs,
         microsandbox_image::PullPolicy::Always,
     )
     .await
@@ -117,6 +122,8 @@ async fn run_pull_inner(
     reference: String,
     force: bool,
     quiet: bool,
+    insecure: bool,
+    cli_ca_certs: Option<String>,
     pull_policy: microsandbox_image::PullPolicy,
 ) -> anyhow::Result<()> {
     let start = Instant::now();
@@ -129,9 +136,24 @@ async fn run_pull_inner(
         .map_err(|e| anyhow::anyhow!("invalid image reference: {e}"))?;
 
     let auth = global.resolve_registry_auth(image_ref.registry())?;
-    let registry = microsandbox_image::Registry::with_auth(platform, cache, auth)?;
+    let mut ca_certs = global.resolve_ca_certs().await?;
+    if let Some(path) = &cli_ca_certs {
+        let data = tokio::fs::read(path)
+            .await
+            .map_err(|e| anyhow::anyhow!("failed to read CA certs from `{path}`: {e}"))?;
+        ca_certs.push(data);
+    }
+    let mut insecure_registries = global.insecure_registries();
+    if insecure {
+        insecure_registries.push(image_ref.registry().to_string());
+    }
+    let registry = Registry::builder(platform, cache)
+        .auth(auth)
+        .extra_ca_certs(ca_certs)
+        .add_insecure_registries(insecure_registries)
+        .build()?;
 
-    let options = microsandbox_image::PullOptions {
+    let options = PullOptions {
         pull_policy,
         force,
         ..Default::default()
@@ -218,6 +240,8 @@ pub(crate) async fn pull_if_missing(reference: &str, quiet: bool) -> anyhow::Res
         reference.to_string(),
         false,
         quiet,
+        false,
+        None,
         microsandbox_image::PullPolicy::IfMissing,
     )
     .await

crates/cli/lib/commands/pull.rs

@@ -22,4 +22,12 @@ pub struct PullArgs {
     /// Suppress progress output.
     #[arg(short, long)]
     pub quiet: bool,
+
+    /// Connect to the registry over plain HTTP instead of HTTPS.
+    #[arg(long)]
+    pub insecure: bool,
+
+    /// Path to a PEM file containing additional CA root certificates to trust.
+    #[arg(long, value_name = "PATH")]
+    pub ca_certs: Option<String>,
 }

crates/cli/lib/commands/registry.rs

@@ -93,15 +93,17 @@ fn run_login(args: RegistryLoginArgs) -> anyhow::Result<()> {
     })?;
 
     let mut config = load_persisted_config_or_default()?;
-    config.registries.auth.insert(
-        args.registry.clone(),
-        RegistryAuthEntry {
-            username: args.username,
-            store: Some(RegistryCredentialStore::Keyring),
-            password_env: None,
-            secret_name: None,
-        },
-    );
+    config
+        .registries
+        .hosts
+        .entry(args.registry.clone())
+        .or_default()
+        .auth = Some(RegistryAuthEntry {
+        username: args.username,
+        store: Some(RegistryCredentialStore::Keyring),
+        password_env: None,
+        secret_name: None,
+    });
 
     if let Err(error) = save_persisted_config(&config) {
         let restore = match previous_auth {
@@ -130,7 +132,12 @@ fn run_login(args: RegistryLoginArgs) -> anyhow::Result<()> {
 fn run_logout(args: RegistryLogoutArgs) -> anyhow::Result<()> {
     let mut config = load_persisted_config_or_default()?;
     let previous_auth = get_registry_keyring_auth(&args.registry).ok().flatten();
-    let had_config_entry = config.registries.auth.remove(&args.registry).is_some();
+    let had_config_entry = config
+        .registries
+        .hosts
+        .get_mut(&args.registry)
+        .and_then(|e| e.auth.take())
+        .is_some();
     let had_keyring_entry = previous_auth.is_some();
 
     if !had_config_entry && !had_keyring_entry {
@@ -156,12 +163,19 @@ fn run_logout(args: RegistryLogoutArgs) -> anyhow::Result<()> {
 
 fn run_list(_args: RegistryListArgs) -> anyhow::Result<()> {
     let config = load_persisted_config_or_default()?;
-    if config.registries.auth.is_empty() {
+    let auth_entries: Vec<_> = config
+        .registries
+        .hosts
+        .iter()
+        .filter_map(|(hostname, entry)| entry.auth.as_ref().map(|auth| (hostname, auth)))
+        .collect();
+
+    if auth_entries.is_empty() {
         println!("No registries configured.");
         return Ok(());
     }
 
-    let mut entries: Vec<_> = config.registries.auth.iter().collect();
+    let mut entries: Vec<_> = auth_entries;
     entries.sort_by(|(left, _), (right, _)| left.cmp(right));
 
     let mut table = ui::Table::new(&["REGISTRY", "USERNAME", "SOURCE"]);

crates/image/Cargo.toml

@@ -18,6 +18,7 @@ hex.workspace = true
 libc.workspace = true
 microsandbox-utils = { version = "0.3.12", path = "../utils" }
 oci-client.workspace = true
+rustls-pemfile.workspace = true
 oci-spec.workspace = true
 scopeguard.workspace = true
 serde.workspace = true
@@ -30,5 +31,6 @@ tracing.workspace = true
 xattr.workspace = true
 
 [dev-dependencies]
+rcgen.workspace = true
 tar.workspace = true
 tempfile.workspace = true

crates/image/lib/auth.rs

@@ -9,7 +9,7 @@ use serde::{Deserialize, Serialize};
 /// Authentication credentials for OCI registry access.
 ///
 /// Resolution chain (in [`Registry`](crate::Registry)):
-/// 1. Explicit [`RegistryAuth`] via [`Registry::with_auth()`](crate::Registry::with_auth)
+/// 1. Explicit [`RegistryAuth`] via [`RegistryBuilder::auth()`](crate::RegistryBuilder::auth)
 /// 2. OS keyring / credential store (when configured by the caller)
 /// 3. Global config `registries.auth` (`store`, `password_env`, or `secret_name`)
 /// 4. Docker credential store/config fallback (when enabled by the caller)

crates/image/lib/error.rs

@@ -78,6 +78,10 @@ pub enum ImageError {
         reference: String,
     },
 
+    /// Invalid PEM certificate data.
+    #[error("invalid PEM certificate: {0}")]
+    InvalidCertificate(String),
+
     /// General I/O error.
     #[error(transparent)]
     Io(#[from] std::io::Error),

crates/image/lib/lib.rs

@@ -30,5 +30,5 @@ pub use oci_client::Reference;
 pub use platform::{Arch, Os, Platform};
 pub use progress::{PullProgress, PullProgressHandle, PullProgressSender, progress_channel};
 pub use pull::{PullOptions, PullPolicy, PullResult};
-pub use registry::Registry;
+pub use registry::{Registry, RegistryBuilder};
 pub use store::{CachedImageMetadata, CachedLayerMetadata, GlobalCache};