trivy-operator: Error x509: certificate signed by unknown authority when trying to download vulnerability DB from private Registry

What steps did you take and what happened:

I installed the trivy-operator via kubectl in version 0.0.5 and made the necessary changes to pull all images from our internal registry (JFrog Artifactory). The operator is running fine and starts the scanning pods. Except for the changes to the image sources, the operator is running with the default config.

However, the logs show the following error: failed to download vulnerability DB: OCI artifact error: OCI artifact error: OCI repository error: Get \"https://packages.repo.internal.com/v2/\": x509: certificate signed by unknown authority\n"

This repository uses a self-signed certificate, so this error is expected.

In the documentation I found a parameter to set registries to unsecure: trivy.insecureRegistry.<id>

So I added this to the trivy-operator-trivy-config configmap:

data:  
  trivy.insecureRegistry.artifactory: "packages.repo.internal.com"

This seems to have no effect, the error is unchanged.

What did you expect to happen:

I would expect trivy to skip the certificate validation with this setting.

Anything else you would like to add:

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.0.5
  • Kubernetes version (use kubectl version): v1.22.6
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Ubuntu 20.04
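The error string quoted in the report is Go's own x509 failure, so the class of problem is easy to reproduce with the standard library. The Go program below is an added example, not code from the issue or from the trivy-operator project: it starts a constructed self-signed HTTPS server that answers the same `/v2/` probe the log line shows, confirms that the default client rejects it with `x509.UnknownAuthorityError`, and then shows the two ways of making the probe succeed: adding the registry's certificate to the client's root pool (verification stays on, the fix to prefer for a self-signed internal registry) versus `InsecureSkipVerify`, which is what an "insecure registry" style setting amounts to underneath. The handler and the helper names (`registryHandler`, `fetchV2`, `isUnknownAuthority`, `trustingClient`, `insecureClient`) are assumptions of this example, not trivy APIs.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// registryHandler answers the GET /v2/ probe seen in the issue's error message.
// It is a constructed stand-in for the internal registry, not the real
// Artifactory API.
func registryHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Docker-Distribution-API-Version", "registry/2.0")
		w.WriteHeader(http.StatusOK)
	})
	return mux
}

// fetchV2 issues GET <baseURL>/v2/ with the given client and returns the
// HTTP status code, or the transport error if the TLS handshake fails.
func fetchV2(client *http.Client, baseURL string) (int, error) {
	resp, err := client.Get(baseURL + "/v2/")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isUnknownAuthority reports whether err is the x509 "certificate signed by
// unknown authority" failure, looking through the url.Error and TLS error
// layers that net/http wraps around it.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// trustingClient builds a client whose root pool contains only the given
// certificate. Chain verification stays enabled; the private CA (or, as here,
// the self-signed leaf) is simply made known to the client.
func trustingClient(ca *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// insecureClient disables chain verification entirely. This is the effect of
// an insecure-registry flag: any certificate, from anyone, is accepted.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

func main() {
	// httptest issues its own self-signed certificate, mirroring the
	// self-signed internal registry described in the report.
	srv := httptest.NewTLSServer(registryHandler())
	defer srv.Close()

	_, err := fetchV2(http.DefaultClient, srv.URL)
	fmt.Printf("system roots only:  unknown authority = %v\n", isUnknownAuthority(err))

	code, err := fetchV2(trustingClient(srv.Certificate()), srv.URL)
	fmt.Printf("custom root pool:   status = %d, err = %v\n", code, err)

	code, err = fetchV2(insecureClient(), srv.URL)
	fmt.Printf("InsecureSkipVerify: status = %d, err = %v\n", code, err)
}
```

Run it with `go run .`; the first probe fails with the unknown-authority error, the other two return status 200. The difference between the last two clients is the point of the example: the root-pool client still detects a substituted certificate, the insecure one does not, so mounting the registry CA into the scan job is the stronger remedy where the operator allows it.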

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 23 (11 by maintainers)

Most upvoted comments

@nfsouzaj trivy-operator v0.1.0 has been released, check out the fixes in the notes

@chen-keinan Hi, I am also having the same issue. In my case the SSL inspection of Palo Alto messes with the certificate, which causes it to become “insecure”. I am very much looking for the insecure flag so that I can set it in the config map and use the operator seamlessly. Thanks!

@mauricewittek @erikgb I found the root cause: the trivy operator scan job downloads the vuln-db in an initContainer and the insecure env variable did not get there. I have raised a new PR which introduces a new insecure flag for this purpose, to be populated in the init container: #169 dbRepositoryInsecure

@mauricewittek join our slack channel to discuss in details

Trivy has added support for it in trivy#240; once it is released we will update the trivy version in trivy-operator