Remove TLS ServerName pinning in TLS config creation

Updates pkg/runtime dependency to v0.80.0 which removes the need for
the insecure parameter in TLSConfigFromSecretRef. This change removes
the forced ServerName pinning behavior that was causing TLS verification
issues, allowing for more flexible certificate validation.

The TLS config creation now relies on the standard Go TLS verification
process without forcing specific ServerName values, improving
compatibility with various certificate configurations.

Signed-off-by: cappyzawa <[email protected]>

Author: cappyzawa

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/fluxcd/pkg/apis/meta v1.18.0
 	github.com/fluxcd/pkg/auth v0.21.0
 	github.com/fluxcd/pkg/cache v0.10.0
-	github.com/fluxcd/pkg/runtime v0.78.0
+	github.com/fluxcd/pkg/runtime v0.80.0
 	github.com/fluxcd/pkg/version v0.9.0
 	github.com/go-logr/logr v1.4.3
 	github.com/google/go-containerregistry v0.20.6

go.sum

@@ -181,8 +181,8 @@ github.com/fluxcd/pkg/auth v0.21.0 h1:ckAQqP12wuptXEkMY18SQKWEY09m9e6yI0mEMsDV15
 github.com/fluxcd/pkg/auth v0.21.0/go.mod h1:MXmpsXT97c874HCw5hnfqFUP7TsG8/Ss1vFrk8JccfM=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
-github.com/fluxcd/pkg/runtime v0.78.0 h1:xwNZqnazmgURGuLiHDbzST6BI5K9fvZuNS4eMVY35Es=
-github.com/fluxcd/pkg/runtime v0.78.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=
+github.com/fluxcd/pkg/runtime v0.80.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/version v0.9.0 h1:pQBHMt9TbnnTUzj3EoMhRi5JUkNBqrTBSAaoLG1ovUA=
 github.com/fluxcd/pkg/version v0.9.0/go.mod h1:JU6/UwNbGeMm4gqeyUn/dxl+qwLTi2+X10xpfgWdt9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=

internal/registry/options.go

@@ -126,23 +126,11 @@ func (r *AuthOptionsGetter) GetOptions(ctx context.Context, repo *imagev1.ImageR
 			Namespace: certSecret.Namespace,
 		}
 
-		// Build target URL for TLS server name validation.
-		// The image spec contains repository name without scheme (e.g., "127.0.0.1:5000/foo/bar"),
-		// but TLSConfigFromSecretRef requires a proper URL for ServerName extraction.
-		ref, err := ParseImageReference(repo.Spec.Image, repo.Spec.Insecure)
-		if err != nil {
-			return nil, err
-		}
-		registry := ref.Context().Registry
-		registryURL := &url.URL{
-			Scheme: registry.Scheme(),
-			Host:   registry.Name(),
-		}
 		// NOTE: Use WithSystemCertPool to maintain backward compatibility with the existing
 		// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
 		// This ensures image-reflector-controller continues to work with both system and user-provided CA certificates.
 		var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}
-		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, r.Client, certSecretRef, registryURL.String(), tlsOpts...)
+		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, r.Client, certSecretRef, tlsOpts...)
 		if err != nil {
 			return nil, err
 		}