Support for Sinker accessing registries over TLS

[mh013370]

The docker client will configure its HTTP client transport to use TLS if you configure it properly through environment variables:

• https://github.com/moby/moby/blob/v20.10.17/client/options.go#L27-L43

However, sinker doesn't use the docker client for every registry interaction. When it doesn't, it uses the go container registry client with basic auth.

For example: https://github.com/plexsystems/sinker/blob/v0.17.0/internal/docker/docker.go#L178

Due to this, for container registries that are TLS enabled and where basic auth isn't possible, sinker won't completely work.

I think there may be a fix, though. The docker client exposes its TLS-configured HTTPClient.Transport, which can be provided to the go-containerregistry remote client. For example:

func (c Client) ImageExistsAtRemote(ctx context.Context, image string) (bool, error) {
// ... 
  if _,  err := remote.Get(reference, 
    remote.WithTransport(c.docker.HTTPClient().Transport), 
    remote.WithAuthFromKeychain(authn.DefaultKeychain)); err != nil {
    // do something
  }
}

This way, if the environment is configured correctly then the docker client will load client certs which can be used in comms in sinker.

It's completely possible i'm approaching this incorrectly. If this is possible without code changes, please enlighten me 😄

I'm also happy to raise a PR. If my proposed solution seems reasonable, I'll raise one.

[mh013370]

The other alternative is to just use the docker client for all registry interactions, but that may not be advised if the goal is to support all OCI images.