Add WithSystemCertPool for CA compatibility

cappyzawa · cappyzawa · commit ccac97c82714 · 2025-07-30T12:42:23.000+09:00
Updates pkg/runtime to v0.78.0 and configures TLSConfigFromSecretRef to use
WithSystemCertPool() option. This maintains backward compatibility with the
existing extend approach (system CAs + user CA) rather than the default
replace approach (user CA only).

This ensures image-reflector-controller continues to work with both system
and user-provided CA certificates, fixing the regression where public
registries with valid certificates would fail when users provide custom
CA certificates for other purposes.

Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/go.mod b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/fluxcd/pkg/apis/meta v1.18.0
 	github.com/fluxcd/pkg/auth v0.21.0
 	github.com/fluxcd/pkg/cache v0.10.0
-	github.com/fluxcd/pkg/runtime v0.75.0
+	github.com/fluxcd/pkg/runtime v0.78.0
 	github.com/fluxcd/pkg/version v0.9.0
 	github.com/go-logr/logr v1.4.3
 	github.com/google/go-containerregistry v0.20.6
diff --git a/go.sum b/go.sum
@@ -181,8 +181,8 @@ github.com/fluxcd/pkg/auth v0.21.0 h1:ckAQqP12wuptXEkMY18SQKWEY09m9e6yI0mEMsDV15
 github.com/fluxcd/pkg/auth v0.21.0/go.mod h1:MXmpsXT97c874HCw5hnfqFUP7TsG8/Ss1vFrk8JccfM=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
-github.com/fluxcd/pkg/runtime v0.75.0 h1:wIaODmU5D54nyrehTqA9oQDFoi6BbBj/24adLStXc0I=
-github.com/fluxcd/pkg/runtime v0.75.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.78.0 h1:xwNZqnazmgURGuLiHDbzST6BI5K9fvZuNS4eMVY35Es=
+github.com/fluxcd/pkg/runtime v0.78.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/version v0.9.0 h1:pQBHMt9TbnnTUzj3EoMhRi5JUkNBqrTBSAaoLG1ovUA=
 github.com/fluxcd/pkg/version v0.9.0/go.mod h1:JU6/UwNbGeMm4gqeyUn/dxl+qwLTi2+X10xpfgWdt9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
diff --git a/internal/registry/options.go b/internal/registry/options.go
@@ -138,7 +138,11 @@ func (r *AuthOptionsGetter) GetOptions(ctx context.Context, repo *imagev1.ImageR
 			Scheme: registry.Scheme(),
 			Host:   registry.Name(),
 		}
-		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, r.Client, certSecretRef, registryURL.String(), repo.Spec.Insecure)
+		// NOTE: Use WithSystemCertPool to maintain backward compatibility with the existing
+		// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
+		// This ensures image-reflector-controller continues to work with both system and user-provided CA certificates.
+		var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}
+		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, r.Client, certSecretRef, registryURL.String(), tlsOpts...)
 		if err != nil {
 			return nil, err
 		}

Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,11 @@ func (r AuthOptionsGetter) GetOptions(ctx context.Context, repo imagev1.ImageR`
`138`	`138`	`Scheme: registry.Scheme(),`
`139`	`139`	`Host: registry.Name(),`
`140`	`140`	`}`
`141`		`- tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, r.Client, certSecretRef, registryURL.String(), repo.Spec.Insecure)`
	`141`	`+ // NOTE: Use WithSystemCertPool to maintain backward compatibility with the existing`
	`142`	`+ // extend approach (system CAs + user CA) rather than the default replace approach (user CA only).`
	`143`	`+ // This ensures image-reflector-controller continues to work with both system and user-provided CA certificates.`
	`144`	`+ var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}`
	`145`	`+ tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, r.Client, certSecretRef, registryURL.String(), tlsOpts...)`
`142`	`146`	`if err != nil {`
`143`	`147`	`return nil, err`
`144`	`148`	`}`