Add support for "insecure" registries

[Silvanoc]

Description

Using the documented public interface, there is no way to use the "OCI publication" feature with registries using plain HTTP (AKA insecure). Although no productive set-up should be using plain HTTP, it is very common experimenting locally.

I found out in the code that there is a hidden way to activate such a feature: setting the environment variable __TEST__INSECURE__REGISTRY__

It would be good to:

• either have a CLI flag for this feature, like many other tools do
• or document the, IMO not so nice, environment variable __TEST__INSECURE__REGISTRY__ possibility

[ndeloof]

as the name suggests, __TEST__INSECURE__REGISTRY__ is for (internal) testing purpose only, so not being documented.
I also had in mind to introduce a CLI flag but wanted to get a "quick fix" so selected a simpler path.

Let me experiment with a CLI flag. If we add one, it will be hidden and undocumented, as we don't want to promote use of insecure registries - while those are useful for testing, we know our users take what we give them and may shoot into their own feet 😅.

[Silvanoc]

Default is "require TLS", but I haven't found any containers-related tool that does not support such a CLI option (docker, podman, regctl, oras, skopeo,...).

Don't give your users a "radial arm saw" as the tool to use, if they are not experienced enough. But show them where it is, just in case they need once they get more experienced 😉

[ndeloof]

haven't found any containers-related tool that does not support such a CLI option

docker CLI doesn't, insecure registries have to be configured on engine side (so under admin responsibility, can't be used "by chance")

[Silvanoc]

haven't found any containers-related tool that does not support such a CLI option

docker CLI doesn't, insecure registries have to be configured on engine side (so under admin responsibility, can't be used "by chance")

You are right on that, that is for me also a "CLI-option". If it can be used for compose OCI publishing too, then it would suffice to document it.