oci_push with remote_tags does not work with insecure repositories

[DrThomasRock]

When migrating from container_push to oci_push with a repository that fails to be detected as insecure, it appears the alternative for insecure_repository is to specify args = ["--insecure"] (taken from this website). This works like a charm if you're simply pushing, but if you combine this with the remote_tags attribute, the request to add tags will fail.

Example Bazel target

oci_push(
    name = "engine.push",
    args = ["--insecure"],
    image = ":engine",
    remote_tags = ":version_tag",
    repository = "k3d-registry.localhost:9999/engine",
)

will fail with the following exception

Error: fetching "k3d-registry.localhost:9999/engine@sha256:774d75357a396d3659774d71754130646e517874444a4b6d7355376d68723065": Get "https://k3d-registry.localhost:9999/v2/": http: server gave HTTP response to HTTPS client

This is due to args being passed to the push command but not the subsequent tags commands.

If I patch push.sh.tpl to pass ARGS into the tags command as well, then the bazel target above works as expected. I'm wondering if this is the proper solution, or if there's a reason ARGS shouldn't be passed to the tags command. If that is the case, is there an alternative to tagging with an insecure repository?

[thesayyn]

This is an oversight, and indeed a bug. We should pass --insecure, or all global flags down to every crane invocation.

[ahans]

This is an oversight, and indeed a bug. We should pass --insecure, or all global flags down to every crane invocation.

Not sure if I'm missing anything, but what @DrThomasRock writes in the last paragraph sounds like all there is to be done for this? Anyway, I created a a PR with what I think is a fix. Let's discuss over there if more needs to be done.