test: migrate testing registry from host container to in-cluster deployment #3718

Merged: knative-prow[bot] merged 3 commits into knative:main from matejvasek:registry-in-cluster on May 15, 2026

@matejvasek matejvasek commented May 13, 2026

Changes

  • 🧹 Replace the standalone docker/podman registry container (localhost:50000) with an in-cluster Deployment + ClusterIP Service + Ingress at registry.localtest.me
  • 🎁 Add insecure registry support to credential verification and docker push paths (CheckAuth, docker.Pusher, NewCredentialsProvider, checkPullPermissions) so --registry-insecure properly uses HTTP
  • 🧹 Update hack/allow-insecure.tar to include *.localtest.me for buildah/podman tools
  • 🧹 E2E tests set FUNC_REGISTRY_INSECURE=true centrally in setupEnv when using registry.localtest.me
  • 🧹 CI config test patches the generated workflow to use the locally-built func binary instead of downloading a release via functions-dev/action

/kind cleanup

The previous test registry setup required a host-side docker/podman container, host-side insecure registry config, an ExternalName Service, separate registry URLs for local vs remote builds (localhost:50000 vs. registry.default.svc:5000), and macOS SSH port forwarding. The in-cluster registry uses a single URL (registry.localtest.me) reachable from the host (via Contour ingress), Kind nodes (via containerd mirrors to localhost:5000 hostPort), and pods (via ClusterIP Service).

The --registry-insecure / RegistryInsecure flag was not fully threaded through the docker pusher and credential verification paths — CheckAuth and docker.Pusher always defaulted to HTTPS. This caused failures when pushing to plain-HTTP registries like registry.localtest.me.

The CI config test previously downloaded a released func binary via functions-dev/action, which lacked the insecure registry fix. It now patches the generated workflow to symlink the locally-built binary, ensuring the test exercises the current code.

Release Note

Fix --registry-insecure flag not being fully propagated: credential verification (CheckAuth) and the docker pusher always defaulted to HTTPS even when the flag was set, causing failures against plain-HTTP registries. The flag now correctly switches to HTTP scheme throughout the push and credential check paths.

Docs

NONE
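
The failure mode described in this PR, as an added example (not code from the knative/func repository): a credential check that always uses HTTPS fails against a plain-HTTP registry, and once the insecure flag selects HTTP the credentials reach the registry without TLS. `pingRegistry` and `demo` are hypothetical names, and the registry is a constructed loopback stub.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// pingRegistry (hypothetical) sends basic-auth credentials to the registry's
// /v2/ endpoint; the scheme depends on the insecure flag.
func pingRegistry(host, user, pass string, insecure bool) error {
	scheme := "https"
	if insecure {
		scheme = "http" // plain HTTP: credentials are not protected by TLS
	}
	req, err := http.NewRequest(http.MethodGet, scheme+"://"+host+"/v2/", nil)
	if err != nil {
		return err
	}
	req.SetBasicAuth(user, pass)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("registry returned %s", resp.Status)
	}
	return nil
}

// demo pings a constructed plain-HTTP registry stub with and without the flag
// and reports whether the stub saw the Authorization header without TLS.
func demo() (httpsErr, httpErr error, credsInClear bool) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _, ok := r.BasicAuth()
		credsInClear = ok && r.TLS == nil
	}))
	defer srv.Close()
	host := srv.Listener.Addr().String()
	httpsErr = pingRegistry(host, "user", "constructed-pass", false)
	httpErr = pingRegistry(host, "user", "constructed-pass", true)
	return
}

func main() {
	httpsErr, httpErr, inClear := demo()
	fmt.Println("insecure=false:", httpsErr, "| insecure=true:", httpErr, "| cleartext creds:", inClear)
}
```

The third result is the reason to keep the flag scoped to test registries such as the one in this PR: with HTTP selected, the Authorization header is readable by anything on the network path.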

knative-prow Bot commented May 13, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

knative-prow Bot commented May 13, 2026

@matejvasek: The label(s) kind/<kind> cannot be applied, because the repository doesn't have them.

Details

In response to this:

…oyment

Replace the standalone docker/podman registry container (localhost:50000) with an in-cluster Deployment + ClusterIP Service + Ingress exposed at registry.localtest.me. This eliminates the need for host-side container management, ExternalName services, and Podman VM port forwarding.

The single URL registry.localtest.me is reachable from the host, Kind nodes (via localtest.me → 127.0.0.1 public DNS), and pods (via Contour ingress). Containerd mirrors for ghcr.io, quay.io, and registry.default.svc.cluster.local are preserved, pointing to the new ingress endpoint.

E2E remote tests now use --registry-insecure for registry.localtest.me.

A dedicated TestRemote_Deploy_InClusterRegistry test verifies the in-cluster dialer tunneling path via registry.default.svc.cluster.local.

hack/allow-insecure.tar updated to include *.localtest.me alongside *.cluster.local for buildah/podman insecure registry configuration.

Changes

/kind

Fixes #

Release Note


Docs



@knative-prow knative-prow Bot added the do-not-merge/work-in-progress 🤖 PR should not merge because it is a work in progress. label May 13, 2026
@knative-prow knative-prow Bot requested review from dsimansk and jrangelramos May 13, 2026 14:23
@knative-prow knative-prow Bot added approved 🤖 PR has been approved by an approver from all required OWNERS files. size/L 🤖 PR changes 100-499 lines, ignoring generated files. labels May 13, 2026

codecov Bot commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.05%. Comparing base (e435a89) to head (7931004).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3718      +/-   ##
==========================================
+ Coverage   56.95%   57.05%   +0.10%     
==========================================
  Files         181      181              
  Lines       21116    21141      +25     
==========================================
+ Hits        12026    12063      +37     
+ Misses       7866     7855      -11     
+ Partials     1224     1223       -1     
Flag Coverage Δ
e2e 35.92% <93.18%> (+0.10%) ⬆️
e2e go 31.47% <92.30%> (-0.96%) ⬇️
e2e node 27.23% <92.30%> (-0.97%) ⬇️
e2e python 31.84% <92.30%> (-0.96%) ⬇️
e2e quarkus 27.37% <92.30%> (-0.97%) ⬇️
e2e rust 26.78% <87.17%> (?)
e2e springboot 25.29% <87.17%> (-0.97%) ⬇️
e2e typescript 27.36% <92.30%> (-0.97%) ⬇️
e2e-config-ci 28.31% <87.17%> (+10.60%) ⬆️
integration 17.38% <12.82%> (+0.08%) ⬆️
unit macos-14 45.04% <61.53%> (-0.01%) ⬇️
unit macos-latest 45.04% <61.53%> (-0.01%) ⬇️
unit ubuntu-24.04-arm 45.30% <54.54%> (-0.02%) ⬇️
unit ubuntu-latest 46.00% <61.53%> (-0.01%) ⬇️
unit windows-latest 45.09% <61.53%> (-0.01%) ⬇️


@matejvasek matejvasek force-pushed the registry-in-cluster branch from 47f1429 to 3b1c9e6 Compare May 13, 2026 22:17
…oyment

Replace the standalone docker/podman registry container (localhost:50000)
with an in-cluster Deployment + ClusterIP Service + Ingress exposed at
registry.localtest.me. This eliminates host-side container management,
ExternalName services, and Podman VM port forwarding.

The registry pod uses hostPort:5000 so containerd on the Kind node can
reach it at localhost:5000 via mirrors. Pods reach it via the ClusterIP
Service. The host reaches it via Contour ingress.

Add insecure registry support to the credential verification and docker
push paths. CheckAuth, docker.Pusher, and NewCredentialsProvider now
accept an insecure flag to use plain HTTP via name.Insecure instead of
defaulting to HTTPS. The knative deployer's checkPullPermissions also
respects RegistryInsecure.

E2E tests set FUNC_REGISTRY_INSECURE=true when using
the default registry.localtest.me.

A dedicated TestRemote_Deploy_InClusterRegistry test verifies the
in-cluster dialer tunneling path via registry.default.svc.cluster.local.

hack/allow-insecure.tar updated to include *.localtest.me alongside
*.cluster.local for buildah/podman insecure registry configuration.

Signed-off-by: Matej Vašek <matejvasek@gmail.com>
Co-Authored-By: Claude <noreply@anthropic.com>
@matejvasek matejvasek force-pushed the registry-in-cluster branch from 3b1c9e6 to 15f23a5 Compare May 13, 2026 22:30
@matejvasek matejvasek changed the title [WIP] test: migrate testing registry from host container to in-cluster depl… test: migrate testing registry from host container to in-cluster deployment May 13, 2026
@matejvasek matejvasek requested review from gauron99 and lkingland May 13, 2026 22:32
@matejvasek matejvasek marked this pull request as ready for review May 13, 2026 22:32
@knative-prow knative-prow Bot removed the do-not-merge/work-in-progress 🤖 PR should not merge because it is a work in progress. label May 13, 2026
@matejvasek
Contributor Author

PTAL @gauron99 @lkingland

matejvasek and others added 2 commits May 14, 2026 03:17
Signed-off-by: Matej Vašek <matejvasek@gmail.com>
Patch the generated GitHub workflow to symlink the locally-built func
binary instead of downloading a release via functions-dev/action. The
released binary lacks the insecure registry fix, causing pack builder
tests (node, typescript, quarkus) to fail against registry.localtest.me.

Signed-off-by: Matej Vašek <matejvasek@gmail.com>
Co-Authored-By: Claude <noreply@anthropic.com>
@gauron99
Contributor

/lgtm
/approve

@knative-prow knative-prow Bot added the lgtm 🤖 PR is ready to be merged. label May 15, 2026

knative-prow Bot commented May 15, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gauron99, matejvasek

Details Needs approval from an approver in each of these files:
  • OWNERS [gauron99,matejvasek]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow Bot merged commit 3c30be1 into knative:main May 15, 2026
144 of 148 checks passed