From e5925482a17e343c314a4a5b7ff1a2f1d07d78b1 Mon Sep 17 00:00:00 2001
From: Yegor Tokmakov <yegor@tokmakov.biz>
Date: Sat, 31 Jan 2026 13:35:15 +0100
Subject: [PATCH] OCISkipRegistryValidation flag

Signed-off-by: Yegor Tokmakov <yegor@tokmakov.biz>
---
 main.go | 50 +++++++++++++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 21 deletions(-)

diff --git a/main.go b/main.go
index 75d897bd8..175615e36 100644
--- a/main.go
+++ b/main.go
@@ -96,27 +96,28 @@ func main() {
 	)
 
 	var (
-		metricsAddr            string
-		eventsAddr             string
-		healthAddr             string
-		concurrent             int
-		requeueDependency      time.Duration
-		helmIndexLimit         int64
-		helmChartLimit         int64
-		helmChartFileLimit     int64
-		artifactOptions        artcfg.Options
-		clientOptions          client.Options
-		logOptions             logger.Options
-		leaderElectionOptions  leaderelection.Options
-		rateLimiterOptions     helper.RateLimiterOptions
-		featureGates           feathelper.FeatureGates
-		watchOptions           helper.WatchOptions
-		intervalJitterOptions  jitter.IntervalOptions
-		helmCacheMaxSize       int
-		helmCacheTTL           string
-		helmCachePurgeInterval string
-		tokenCacheOptions      pkgcache.TokenFlags
-		defaultServiceAccount  string
+		metricsAddr               string
+		eventsAddr                string
+		healthAddr                string
+		concurrent                int
+		requeueDependency         time.Duration
+		helmIndexLimit            int64
+		helmChartLimit            int64
+		helmChartFileLimit        int64
+		artifactOptions           artcfg.Options
+		clientOptions             client.Options
+		logOptions                logger.Options
+		leaderElectionOptions     leaderelection.Options
+		rateLimiterOptions        helper.RateLimiterOptions
+		featureGates              feathelper.FeatureGates
+		watchOptions              helper.WatchOptions
+		intervalJitterOptions     jitter.IntervalOptions
+		helmCacheMaxSize          int
+		helmCacheTTL              string
+		helmCachePurgeInterval    string
+		tokenCacheOptions         pkgcache.TokenFlags
+		defaultServiceAccount     string
+		ociSkipRegistryValidation bool
 	)
 
 	flag.StringVar(&metricsAddr, "metrics-addr", envOrDefault("METRICS_ADDR", ":8080"),
@@ -145,6 +146,9 @@ func main() {
 		"The list of hostkey algorithms to use for ssh connections, arranged from most preferred to the least.")
 	flag.StringVar(&defaultServiceAccount, auth.ControllerFlagDefaultServiceAccount,
 		"", "Default service account to use for workload identity when not specified in resources.")
+	flag.BoolVar(&ociSkipRegistryValidation, auth.ControllerFlagOCISkipRegistryValidation, false,
+		"Skip OCI registry domain validation for cloud provider authentication. "+
+			"Enables using custom registry proxies/gateways with workload identity.")
 
 	artifactOptions.BindFlags(flag.CommandLine)
 	clientOptions.BindFlags(flag.CommandLine)
@@ -164,6 +168,10 @@ func main() {
 		auth.SetDefaultServiceAccount(defaultServiceAccount)
 	}
 
+	if ociSkipRegistryValidation {
+		auth.SetOCISkipRegistryValidation(true)
+	}
+
 	if err := featureGates.WithLogger(setupLog).SupportedFeatures(features.FeatureGates()); err != nil {
 		setupLog.Error(err, "unable to load feature gates")
 		os.Exit(1)