The imager's `--insecure` flag covered BaseInstaller, ImageCache, and
SystemExtensions but not the Overlay or OverlayInstaller ContainerAssets.
When pulling those from a plain-HTTP local registry (e.g. for offline
or development builds), they always tried HTTPS and failed with
"http: server gave HTTP response to HTTPS client" even with the flag set.
This patch sets `ForceInsecure: cmdFlags.Insecure` on both overlay
asset references, matching how the other Inputs are handled.
Build-tool only — no effect on the running Talos OS. Lets `gmake installer`
work end-to-end against an insecure registry like 192.133.7.111:5001.
