fix: Always use custom transport to ensure TLS config is correct (#315)

cmd/mindthegap/create/imagebundle/image_bundle.go

@@ -115,15 +115,17 @@ func NewCommand(out output.Output) *cobra.Command {
 				registryConfig := cfg[registryName]
 
 				var remoteOpts []remote.Option
-				if registryConfig.TLSVerify != nil && !*registryConfig.TLSVerify {
-					transport := httputils.NewConfigurableTLSRoundTripper(
-						httputils.TLSHostsConfig{
-							registryName: httputils.TLSHostConfig{Insecure: true},
-						},
-					)
 
-					remoteOpts = append(remoteOpts, remote.WithTransport(transport))
+				var tlsHostsConfig httputils.TLSHostsConfig
+				if registryConfig.TLSVerify != nil && !*registryConfig.TLSVerify {
+					tlsHostsConfig = httputils.TLSHostsConfig{
+						registryName: httputils.TLSHostConfig{Insecure: true},
+					}
 				}
+				transport := httputils.NewConfigurableTLSRoundTripper(
+					tlsHostsConfig,
+				)
+				remoteOpts = append(remoteOpts, remote.WithTransport(transport))
 
 				keychain := authn.NewMultiKeychain(
 					authn.NewKeychainFromHelper(

cmd/mindthegap/push/helmbundle/helm_bundle.go

@@ -81,20 +81,21 @@ func NewCommand(out output.Output) *cobra.Command {
 			logs.Warn.SetOutput(out.InfoWriter())
 
 			var remoteOpts []remote.Option
+
 			insecure := flags.SkipTLSVerify(destRegistrySkipTLSVerify, destRegistryURI)
+			tlsHostsConfig := httputils.TLSHostsConfig{
+				reg.Address(): httputils.TLSHostConfig{Insecure: true},
+			}
 			if insecure || destRegistryCACertificateFile != "" {
-				transport := httputils.NewConfigurableTLSRoundTripper(
-					httputils.TLSHostsConfig{
-						destRegistryURI.Host(): httputils.TLSHostConfig{
-							Insecure: insecure,
-							CAFile:   destRegistryCACertificateFile,
-						},
-						reg.Address(): httputils.TLSHostConfig{Insecure: true},
-					},
-				)
-
-				remoteOpts = append(remoteOpts, remote.WithTransport(transport))
+				tlsHostsConfig[destRegistryURI.Host()] = httputils.TLSHostConfig{
+					Insecure: insecure,
+					CAFile:   destRegistryCACertificateFile,
+				}
 			}
+			transport := httputils.NewConfigurableTLSRoundTripper(
+				tlsHostsConfig,
+			)
+			remoteOpts = append(remoteOpts, remote.WithTransport(transport))
 
 			keychain := authn.DefaultKeychain
 			if destRegistryUsername != "" && destRegistryPassword != "" {

cmd/mindthegap/push/imagebundle/image_bundle.go

@@ -82,20 +82,21 @@ func NewCommand(out output.Output) *cobra.Command {
 			logs.Warn.SetOutput(out.InfoWriter())
 
 			var remoteOpts []remote.Option
+
 			insecure := flags.SkipTLSVerify(destRegistrySkipTLSVerify, destRegistryURI)
+			tlsHostsConfig := httputils.TLSHostsConfig{
+				reg.Address(): httputils.TLSHostConfig{Insecure: true},
+			}
 			if insecure || destRegistryCACertificateFile != "" {
-				transport := httputils.NewConfigurableTLSRoundTripper(
-					httputils.TLSHostsConfig{
-						destRegistryURI.Host(): httputils.TLSHostConfig{
-							Insecure: insecure,
-							CAFile:   destRegistryCACertificateFile,
-						},
-						reg.Address(): httputils.TLSHostConfig{Insecure: true},
-					},
-				)
-
-				remoteOpts = append(remoteOpts, remote.WithTransport(transport))
+				tlsHostsConfig[destRegistryURI.Host()] = httputils.TLSHostConfig{
+					Insecure: insecure,
+					CAFile:   destRegistryCACertificateFile,
+				}
 			}
+			transport := httputils.NewConfigurableTLSRoundTripper(
+				tlsHostsConfig,
+			)
+			remoteOpts = append(remoteOpts, remote.WithTransport(transport))
 
 			keychain := authn.DefaultKeychain
 			if destRegistryUsername != "" && destRegistryPassword != "" {