Trust loopback builders

pkg/builders/buildpacks/builder.go

@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"regexp"
 	"runtime"
 	"strings"
 	"time"
@@ -242,6 +243,9 @@ func isPodmanV43(ctx context.Context, cli client.CommonAPIClient) (b bool, err e
 // TrustBuilder determines whether the builder image should be trusted
 // based on a set of trusted builder image registry prefixes.
 func TrustBuilder(b string) bool {
+	if isLocalhost(b) {
+		return true
+	}
 	for _, v := range trustedBuilderImagePrefixes {
 		// Ensure that all entries in this list are terminated with a trailing "/"
 		if !strings.HasSuffix(v, "/") {
@@ -254,6 +258,14 @@ func TrustBuilder(b string) bool {
 	return false
 }
 
+func isLocalhost(img string) bool {
+	// Parsing logic is broken for localhost in go-containerregistry.
+	// See: https://github.com/google/go-containerregistry/issues/2048
+	// So I went for regex.
+	localhostRE := regexp.MustCompile(`^(localhost|127\.0\.0\.1|\[::1\])(:\d+)?/.+$`)
+	return localhostRE.MatchString(img)
+}
+
 // Builder Image chooses the correct builder image or defaults.
 func BuilderImage(f fn.Function, builderName string) (string, error) {
 	return builders.Image(f, builderName, DefaultBuilderImages)

pkg/builders/buildpacks/builder_test.go

@@ -40,6 +40,22 @@ func TestBuild_BuilderImageTrusted(t *testing.T) {
 	}
 }
 
+func TestBuild_BuilderImageTrustedLocalhost(t *testing.T) {
+	for _, reg := range []string{
+		"localhost",
+		"localhost:5000",
+		"127.0.0.1",
+		"127.0.0.1:5000",
+		"[::1]",
+		"[::1]:5000"} {
+		t.Run(reg, func(t *testing.T) {
+			if !TrustBuilder(reg + "/project/builder:latest") {
+				t.Errorf("expected to be trusted: %q", reg)
+			}
+		})
+	}
+}
+
 // TestBuild_BuilderImageDefault ensures that a Function bing built which does not
 // define a Builder Image will get the internally-defined default.
 func TestBuild_BuilderImageDefault(t *testing.T) {