Merge pull request #1870 from cappyzawa/remove-tlsconfig-servername-pinning

Remove ServerName pinning from TLS config

go.mod

@@ -38,7 +38,7 @@ require (
 	github.com/fluxcd/pkg/lockedfile v0.6.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
 	github.com/fluxcd/pkg/oci v0.52.0
-	github.com/fluxcd/pkg/runtime v0.79.0
+	github.com/fluxcd/pkg/runtime v0.80.0
 	github.com/fluxcd/pkg/sourceignore v0.13.0
 	github.com/fluxcd/pkg/ssh v0.20.0
 	github.com/fluxcd/pkg/tar v0.13.0

go.sum

@@ -398,8 +398,8 @@ github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
 github.com/fluxcd/pkg/oci v0.52.0 h1:rkHMtXYm21MtDrjNcR5KScqOe6C1JHPExoShuVdNm8M=
 github.com/fluxcd/pkg/oci v0.52.0/go.mod h1:5J6IhHoDVYCVeBEC+4E3nPeKh7d0kjJ8IEL6NVCiTx4=
-github.com/fluxcd/pkg/runtime v0.79.0 h1:9tv79EiQDx/QJH9mYDd9kZ9WybCVWBUGoiBHij+eKkc=
-github.com/fluxcd/pkg/runtime v0.79.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=
+github.com/fluxcd/pkg/runtime v0.80.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/sourceignore v0.13.0 h1:ZvkzX2WsmyZK9cjlqOFFW1onHVzhPZIqDbCh96rPqbU=
 github.com/fluxcd/pkg/sourceignore v0.13.0/go.mod h1:Z9H1GoBx0ljOhptnzoV0PL6Nd/UzwKcSphP27lqb4xI=
 github.com/fluxcd/pkg/ssh v0.20.0 h1:Ak0laIYIc/L8lEfqls/LDWRW8wYPESGaravQsCRGLb8=

internal/controller/bucket_controller.go

@@ -831,7 +831,7 @@ func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.B
 			Namespace: obj.GetNamespace(),
 			Name:      obj.Spec.CertSecretRef.Name,
 		}
-		tlsConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.Endpoint, secrets.WithSystemCertPool())
+		tlsConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, secrets.WithSystemCertPool())
 		if err != nil {
 			return nil, fmt.Errorf("failed to get TLS config: %w", err)
 		}
@@ -842,7 +842,7 @@ func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.B
 			Namespace: obj.GetNamespace(),
 			Name:      obj.Spec.STS.CertSecretRef.Name,
 		}
-		stsTLSConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.STS.Endpoint, secrets.WithSystemCertPool())
+		stsTLSConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, secrets.WithSystemCertPool())
 		if err != nil {
 			return nil, fmt.Errorf("failed to get STS TLS config: %w", err)
 		}

internal/controller/gitrepository_controller.go

@@ -689,8 +689,7 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return nil, e
 		}
-		targetURL := fmt.Sprintf("%s://%s", u.Scheme, u.Host)
-		authMethods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTargetURL(targetURL), secrets.WithTLSSystemCertPool())
+		authMethods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTLSSystemCertPool())
 		if err != nil {
 			return nil, err
 		}

internal/controller/helmrepository_controller_test.go

@@ -474,7 +474,7 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				repoURL, err := repository.NormalizeURL(serverURL)
 				t.Expect(err).ToNot(HaveOccurred())
 
-				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret, serverURL)
+				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret)
 				t.Expect(err).ToNot(HaveOccurred())
 
 				getterOpts := []helmgetter.Option{
@@ -526,7 +526,7 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				repoURL, err := repository.NormalizeURL(serverURL)
 				t.Expect(err).ToNot(HaveOccurred())
 
-				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret, serverURL)
+				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret)
 				t.Expect(err).ToNot(HaveOccurred())
 
 				getterOpts := []helmgetter.Option{
@@ -580,7 +580,7 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				repoURL, err := repository.NormalizeURL(serverURL)
 				t.Expect(err).ToNot(HaveOccurred())
 
-				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret, serverURL)
+				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret)
 				t.Expect(err).ToNot(HaveOccurred())
 
 				getterOpts := []helmgetter.Option{

internal/controller/ocirepository_controller.go

@@ -1007,7 +1007,7 @@ func (r *OCIRepositoryReconciler) getTLSConfig(ctx context.Context, obj *sourcev
 	// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
 	// This ensures source-controller continues to work with both system and user-provided CA certificates.
 	var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}
-	return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, obj.Spec.URL, tlsOpts...)
+	return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, tlsOpts...)
 }
 
 // reconcileStorage ensures the current state of the storage matches the

internal/helm/getter/client_opts.go

@@ -127,7 +127,7 @@ func configureAuthentication(ctx context.Context, c client.Client, obj *sourcev1
 		// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
 		// This ensures HelmRepository continues to work with both system and user-provided CA certificates.
 		var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}
-		tlsConfig, err := secrets.TLSConfigFromSecret(ctx, secret, obj.Spec.URL, tlsOpts...)
+		tlsConfig, err := secrets.TLSConfigFromSecret(ctx, secret, tlsOpts...)
 		if err != nil {
 			return false, nil, nil, fmt.Errorf("failed to construct Helm client's TLS config: %w", err)
 		}
@@ -148,7 +148,6 @@ func configureAuthentication(ctx context.Context, c client.Client, obj *sourcev1
 		// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
 		// This ensures HelmRepository auth methods work with both system and user-provided CA certificates.
 		var authOpts = []secrets.AuthMethodsOption{
-			secrets.WithTargetURL(obj.Spec.URL),
 			secrets.WithTLSSystemCertPool(),
 		}
 		methods, err := secrets.AuthMethodsFromSecret(ctx, secret, authOpts...)

internal/helm/getter/client_opts_test.go

@@ -298,49 +298,3 @@ func TestGetClientOpts_registryTLSLoginOption(t *testing.T) {
 		})
 	}
 }
-
-func TestConfigureAuthentication_WithTargetURL(t *testing.T) {
-	g := NewWithT(t)
-
-	tlsCA, err := os.ReadFile("../../controller/testdata/certs/ca.pem")
-	if err != nil {
-		t.Errorf("could not read CA file: %s", err)
-		return
-	}
-
-	helmRepo := &helmv1.HelmRepository{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-repo",
-			Namespace: "default",
-		},
-		Spec: helmv1.HelmRepositorySpec{
-			URL: "https://example.com/charts",
-		},
-	}
-
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "auth-secret",
-			Namespace: "default",
-		},
-		Data: map[string][]byte{
-			"username": []byte("testuser"),
-			"password": []byte("testpass"),
-			"ca.crt":   tlsCA,
-		},
-	}
-
-	client := fakeclient.NewClientBuilder().WithObjects(secret).Build()
-	helmRepo.Spec.SecretRef = &meta.LocalObjectReference{Name: secret.Name}
-
-	opts := &ClientOpts{}
-	deprecatedTLS, certSecret, authSecret, err := configureAuthentication(context.TODO(), client, helmRepo, opts, helmRepo.Spec.URL)
-	g.Expect(err).ToNot(HaveOccurred())
-	g.Expect(deprecatedTLS).To(BeTrue()) // TLS from SecretRef is deprecated
-	g.Expect(certSecret).To(BeNil())
-	g.Expect(authSecret).To(Equal(secret))
-
-	// Regression test: verify ServerName is set from target URL when WithTargetURL is used
-	g.Expect(opts.TlsConfig).ToNot(BeNil())
-	g.Expect(opts.TlsConfig.ServerName).To(Equal("example.com"))
-}