Add `--oci-skip-registry-validation` flag for custom registry proxies by yegortokmakov · Pull Request #1975 · fluxcd/source-controller

Summary

This PR adds the --oci-skip-registry-validation flag to source-controller, enabling the use of custom OCI registry proxies/gateways with cloud provider workload identity authentication.

Problem

Organizations using custom OCI registry proxies cannot use cloud provider authentication (GCP, AWS, Azure) because the auth package validates that registry domains match official patterns.

Example error:

HelmChart 'xxx' is not ready: unknown build error:
failed to get credential from 'gcp': failed to parse artifact repository
'oci-gateway.example.org/oci/charts/': invalid GCP registry:
'oci-gateway.example.org'. must match ^(((.+\.)?gcr\.io)|(.+-docker\.pkg\.dev))$

Solution

Add support for the new --oci-skip-registry-validation flag from fluxcd/pkg/auth that bypasses domain validation for all cloud providers.

Changes

main.go

  • Added ociSkipRegistryValidation variable
  • Added flag binding for --oci-skip-registry-validation
  • Added call to auth.SetOCISkipRegistryValidation(true) when flag is enabled

Usage

Deploy source-controller with:

spec:
  containers:
    - name: manager
      args:
        - --oci-skip-registry-validation=true

Or via Helm values:

extraArgs:
  - --oci-skip-registry-validation=true

Security Considerations

  • This flag should only be enabled when using trusted registry proxies
  • The proxy is responsible for validating upstream registry access
  • Cloud provider credentials will be sent to the configured registry endpoint
  • Consider network policies to restrict egress to known proxy endpoints

Dependencies

Related
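Added example, not code from this PR or from fluxcd/pkg/auth: a small Go model of the check that --oci-skip-registry-validation bypasses, built around the GCP domain regex quoted in the error message above. The RegistryValidator type, its TrustedProxies allowlist, and the sample repository strings are assumptions made for illustration. It shows why the flag is needed (the proxy host fails the official pattern), what it does (any host then passes, so credentials go wherever the HelmRepository points), and the extra host allowlist a deployment relying on the flag would want alongside egress network policies.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// gcpRegistryPattern is the GCP registry domain pattern quoted in the
// source-controller error message in this PR.
var gcpRegistryPattern = regexp.MustCompile(`^(((.+\.)?gcr\.io)|(.+-docker\.pkg\.dev))$`)

// RegistryValidator models the decision made before cloud-provider
// credentials are handed to a registry. Hypothetical type for this example;
// it is not the fluxcd/pkg/auth implementation.
type RegistryValidator struct {
	SkipValidation bool     // effect of --oci-skip-registry-validation=true
	TrustedProxies []string // optional allowlist of proxy hosts (assumption, not in the PR)
}

// registryHost extracts the registry host from an artifact repository such as
// "oci://oci-gateway.example.org/oci/charts/" or "europe-docker.pkg.dev/proj/repo".
func registryHost(repo string) (string, error) {
	trimmed := strings.TrimPrefix(repo, "oci://")
	host, _, _ := strings.Cut(trimmed, "/")
	if host == "" {
		return "", fmt.Errorf("failed to parse artifact repository '%s': empty registry host", repo)
	}
	return host, nil
}

// Validate returns nil when credentials may be sent to the repository's host.
// With SkipValidation off, the host must match the GCP pattern. With it on,
// the pattern is ignored; if TrustedProxies is set, the host must be listed.
func (v RegistryValidator) Validate(repo string) error {
	host, err := registryHost(repo)
	if err != nil {
		return err
	}
	if !v.SkipValidation {
		if !gcpRegistryPattern.MatchString(host) {
			return fmt.Errorf("failed to parse artifact repository '%s': invalid GCP registry: '%s'. must match %s",
				repo, host, gcpRegistryPattern)
		}
		return nil
	}
	// Validation skipped: only an explicit allowlist still constrains the
	// destination of the workload-identity credentials.
	if len(v.TrustedProxies) == 0 {
		return nil
	}
	for _, trusted := range v.TrustedProxies {
		if host == trusted {
			return nil
		}
	}
	return fmt.Errorf("registry '%s' is not a trusted proxy (allowed: %s)", host, strings.Join(v.TrustedProxies, ", "))
}

func main() {
	// Constructed sample repositories for the demonstration.
	repos := []string{
		"oci://oci-gateway.example.org/oci/charts/", // custom proxy from the PR's error
		"europe-docker.pkg.dev/proj/repo/chart",      // official Artifact Registry host
		"gcr.io.attacker.example/proj/img",           // lookalike that the anchored regex rejects
	}
	validators := map[string]RegistryValidator{
		"default":      {},
		"skip":         {SkipValidation: true},
		"skip+pinned":  {SkipValidation: true, TrustedProxies: []string{"oci-gateway.example.org"}},
	}
	for name, v := range validators {
		for _, r := range repos {
			fmt.Printf("%-12s %-45s -> %v\n", name, r, v.Validate(r))
		}
	}
}
```

The default validator reproduces the failure described in the PR; the skip validator is what the new flag enables; the pinned validator is the compensating control for the Security Considerations above, since once the regex is bypassed nothing else in this path stops a HelmRepository from naming an arbitrary host.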