fixup! fixup! fixup! Migrate OCIRepository controller to runtime/secrets

cappyzawa · cappyzawa · commit e0bd19ce220b · 2025-07-22T00:25:11.000+09:00
Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/go.mod b/go.mod
@@ -38,7 +38,7 @@ require (
 	github.com/fluxcd/pkg/lockedfile v0.6.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
 	github.com/fluxcd/pkg/oci v0.51.0
-	github.com/fluxcd/pkg/runtime v0.73.0
+	github.com/fluxcd/pkg/runtime v0.75.0
 	github.com/fluxcd/pkg/sourceignore v0.13.0
 	github.com/fluxcd/pkg/ssh v0.20.0
 	github.com/fluxcd/pkg/tar v0.13.0
diff --git a/go.sum b/go.sum
@@ -398,8 +398,8 @@ github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
 github.com/fluxcd/pkg/oci v0.51.0 h1:9oYnm+T4SCVSBif9gn80ALJkMGSERabVMDJiaMIdr7Y=
 github.com/fluxcd/pkg/oci v0.51.0/go.mod h1:5J6IhHoDVYCVeBEC+4E3nPeKh7d0kjJ8IEL6NVCiTx4=
-github.com/fluxcd/pkg/runtime v0.73.0 h1:BV3qEwMT3lfHA2lterT3Es62z6EkJr2ST/jkyBmmskQ=
-github.com/fluxcd/pkg/runtime v0.73.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.75.0 h1:wIaODmU5D54nyrehTqA9oQDFoi6BbBj/24adLStXc0I=
+github.com/fluxcd/pkg/runtime v0.75.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/sourceignore v0.13.0 h1:ZvkzX2WsmyZK9cjlqOFFW1onHVzhPZIqDbCh96rPqbU=
 github.com/fluxcd/pkg/sourceignore v0.13.0/go.mod h1:Z9H1GoBx0ljOhptnzoV0PL6Nd/UzwKcSphP27lqb4xI=
 github.com/fluxcd/pkg/ssh v0.20.0 h1:Ak0laIYIc/L8lEfqls/LDWRW8wYPESGaravQsCRGLb8=
diff --git a/internal/controller/helmrepository_controller_test.go b/internal/controller/helmrepository_controller_test.go
@@ -482,7 +482,7 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				repoURL, err := repository.NormalizeURL(serverURL)
 				t.Expect(err).ToNot(HaveOccurred())
 
-				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret)
+				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret, serverURL, false)
 				t.Expect(err).ToNot(HaveOccurred())
 
 				getterOpts := []helmgetter.Option{
@@ -534,7 +534,7 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				repoURL, err := repository.NormalizeURL(serverURL)
 				t.Expect(err).ToNot(HaveOccurred())
 
-				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret)
+				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret, serverURL, false)
 				t.Expect(err).ToNot(HaveOccurred())
 
 				getterOpts := []helmgetter.Option{
@@ -588,7 +588,7 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				repoURL, err := repository.NormalizeURL(serverURL)
 				t.Expect(err).ToNot(HaveOccurred())
 
-				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret)
+				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret, serverURL, false)
 				t.Expect(err).ToNot(HaveOccurred())
 
 				getterOpts := []helmgetter.Option{
diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go
@@ -971,17 +971,6 @@ func (r *OCIRepositoryReconciler) transport(ctx context.Context, obj *sourcev1.O
 		return nil, err
 	}
 	if tlsConfig != nil {
-		// Set ServerName for proper virtual hosting support.
-		// This is crucial for OCI registries that use virtual hosting where multiple
-		// registries are hosted on the same IP address. Without ServerName, the TLS
-		// handshake would fail with a certificate mismatch error.
-		// Note: runtime/secrets does not set ServerName, so this must be done at the
-		// controller level to ensure proper TLS SNI (Server Name Indication) support.
-		u, err := url.Parse(obj.Spec.URL)
-		if err != nil {
-			return nil, fmt.Errorf("cannot parse repository URL: %w", err)
-		}
-		tlsConfig.ServerName = u.Hostname()
 		transport.TLSClientConfig = tlsConfig
 	}
 
@@ -1008,7 +997,7 @@ func (r *OCIRepositoryReconciler) getTLSConfig(ctx context.Context, obj *sourcev
 		Namespace: obj.Namespace,
 		Name:      obj.Spec.CertSecretRef.Name,
 	}
-	return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName)
+	return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, obj.Spec.URL, obj.Spec.Insecure)
 }
 
 // reconcileStorage ensures the current state of the storage matches the

Original file line number	Diff line number	Diff line change
`@@ -971,17 +971,6 @@ func (r OCIRepositoryReconciler) transport(ctx context.Context, obj sourcev1.O`
`971`	`971`	`return nil, err`
`972`	`972`	`}`
`973`	`973`	`if tlsConfig != nil {`
`974`		`- // Set ServerName for proper virtual hosting support.`
`975`		`- // This is crucial for OCI registries that use virtual hosting where multiple`
`976`		`- // registries are hosted on the same IP address. Without ServerName, the TLS`
`977`		`- // handshake would fail with a certificate mismatch error.`
`978`		`- // Note: runtime/secrets does not set ServerName, so this must be done at the`
`979`		`- // controller level to ensure proper TLS SNI (Server Name Indication) support.`
`980`		`- u, err := url.Parse(obj.Spec.URL)`
`981`		`- if err != nil {`
`982`		`- return nil, fmt.Errorf("cannot parse repository URL: %w", err)`
`983`		`- }`
`984`		`- tlsConfig.ServerName = u.Hostname()`
`985`	`974`	`transport.TLSClientConfig = tlsConfig`
`986`	`975`	`}`
`987`	`976`
`@@ -1008,7 +997,7 @@ func (r OCIRepositoryReconciler) getTLSConfig(ctx context.Context, obj sourcev`
`1008`	`997`	`Namespace: obj.Namespace,`
`1009`	`998`	`Name: obj.Spec.CertSecretRef.Name,`
`1010`	`999`	`}`
`1011`		`- return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName)`
	`1000`	`+ return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, obj.Spec.URL, obj.Spec.Insecure)`
`1012`	`1001`	`}`
`1013`	`1002`
`1014`	`1003`	`// reconcileStorage ensures the current state of the storage matches the`