add global option to disable TLS validation

[ccwienk]

What would you like to be added

Add a (global) flag to disable TLS validation for OCM-CLI's commands. Inspired by curl, the flag might be named --insecure, but any name will do.

Why is this needed

For development purposes, there may be cases where no valid certificate is available in a testing environment (e.g. if using a self-signed certificate). Having the option to disable TLS validation will be handy in such cases.

One might also consider productive scenarios, where, through a misconfiguration, TLS validation fails, and OCM-CLI is needed to perform urgent tasks that would otherwise be blocked by TLS validation issues.

Admittedly, those are exceptional and corner-cases. However, most other tooling supports explicit disabling of TLS validation, including e.g. package-managers (apt, apk, pacman), HTTP-APIs for all programming languages, HTTP-tools, such as curl or wget, ... - even security-aware tools such as ssh offer disabling of checks / unsafe mode of operation.

[morri-son]

Hi @ccwienk, @fabianburth last week added the ability to use http registries: #676. It's not an explicit option, but implicitly set by using http as scheme instead of https (which is also the default when omitting the scheme). The latest version https://github.com/open-component-model/ocm/releases/tag/v0.9.0 contains this functionality. I didn't find this enhancement in the documentation, though. @fabianburth, is this part maybe still pending or was I just not able to find it? :-)

[ccwienk]

@morri-son : I cannot quite understand how that relates to my issue.

[hilmarf]

dev-note: during implementation, we should also unify the usage of http-client and its settings by creating a dedicated factory