I have a private registry configured with TLS. The certificate for the registry is signed by a trusted root CA on my Linux system. There is no insecure option in daemon.json and there is no insecure option in the registry.conf files, but I am still able to pull the images!
When you run the podman pull command with debug-level logs:
podman pull --log-level=debug my-registry:5000/busybox:latest
In the logs I am able to see:
Looking for TLS certificates and private keys in /etc/docker/certs.d/certs.d/my-registry:5000
but /etc/docker/certs.d/my-registry:5000 doesn't exist.
How is Podman still able to pull the images from my private registry without my providing a ca.crt?
If /etc/containers/certs.d/my-registry:5000/ca.crt isn't available, Podman checks the host's trust store for verification. If the CA used to sign the registry server's certificate is in the trust store, Podman trusts and verifies the registry server's certificate.
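To check on a given host which of the two trust sources described in the answer applies, the following sketch can be used. It is an added example, not part of the original question or answer and not Podman's own code. The function names are hypothetical, and the default directory list is an assumption taken from containers-certs.d(5) and the path in the debug log above.

```shell
#!/bin/sh
# Added example (not Podman code). Function names are hypothetical.

# ca_source REGISTRY [BASE_DIR...]
# Prints "certs.d:<file>" for every *.crt found in a per-registry directory,
# or "system-trust-store" when no directory holds a CA file for REGISTRY.
ca_source() {
    registry=$1
    shift
    if [ "$#" -eq 0 ]; then
        # Assumed default lookup locations (containers-certs.d(5) + debug log).
        set -- "$HOME/.config/containers/certs.d" \
               /etc/containers/certs.d /etc/docker/certs.d
    fi
    found=0
    for base in "$@"; do
        for f in "$base/$registry"/*.crt; do
            [ -f "$f" ] || continue   # missing directory or unmatched glob
            printf 'certs.d:%s\n' "$f"
            found=1
        done
    done
    [ "$found" -eq 1 ] || printf 'system-trust-store\n'
}

# verifies_with_system_store HOST:PORT
# Returns 0 if the registry's chain validates against OpenSSL's default
# trust store. This approximates the host trust store; it needs network
# access and is therefore not called automatically.
verifies_with_system_store() {
    openssl s_client -connect "$1" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Usage: sh script.sh my-registry:5000
if [ "$#" -gt 0 ]; then
    ca_source "$1"
fi
```

If `ca_source` prints `system-trust-store` and `verifies_with_system_store` succeeds, the pull is being validated against the host's CA bundle, which is the situation described in the question.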