Fix missing TLS ServerName in Provider notifications

cappyzawa · cappyzawa · commit f3332962405d · 2025-07-22T12:41:05.000+09:00
Updates pkg/runtime/secrets to v0.75.0 which adds targetURL and insecure
parameters to TLS functions. This resolves ServerName regression that
caused TLS handshake failures in virtual hosting environments.

The Provider API has no insecure field, so certificates are always
verified (insecure=false). This maintains secure-by-default behavior
and is consistent with the original pre-pkg/runtime/secrets implementation.

All 17+ notification providers automatically benefit from proper ServerName
setting through the centralized TLS configuration in createNotifier().

Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/go.mod b/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/fluxcd/pkg/cache v0.10.0
 	github.com/fluxcd/pkg/git v0.34.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
-	github.com/fluxcd/pkg/runtime v0.74.0
+	github.com/fluxcd/pkg/runtime v0.75.0
 	github.com/fluxcd/pkg/ssa v0.51.0
 	github.com/fluxcd/pkg/ssh v0.20.0
 	github.com/getsentry/sentry-go v0.34.1
diff --git a/go.sum b/go.sum
@@ -146,8 +146,8 @@ github.com/fluxcd/pkg/git v0.34.0 h1:qTViWkfpEDnjzySyKRKliqUeGj/DznqlkmPhaDNIsFY
 github.com/fluxcd/pkg/git v0.34.0/go.mod h1:F9Asm3MlLW4uZx3FF92+bqho+oktdMdnTn/QmXe56NE=
 github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3sz6bM=
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
-github.com/fluxcd/pkg/runtime v0.74.0 h1:4SxBWJSU6vKIrAoUHtaJ190pHyK445qlmIgG2XC5Tb0=
-github.com/fluxcd/pkg/runtime v0.74.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.75.0 h1:wIaODmU5D54nyrehTqA9oQDFoi6BbBj/24adLStXc0I=
+github.com/fluxcd/pkg/runtime v0.75.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/ssa v0.51.0 h1:sFarxKZcS0J8sjq9qvs/r+1XiJqNgRodEiPjV75F8R4=
 github.com/fluxcd/pkg/ssa v0.51.0/go.mod h1:v+h9RC0JxWIqMTK2Eo+8Nh700AXyZChZ2TiLVj4tf3M=
 github.com/fluxcd/pkg/ssh v0.20.0 h1:Ak0laIYIc/L8lEfqls/LDWRW8wYPESGaravQsCRGLb8=
diff --git a/internal/server/event_handlers.go b/internal/server/event_handlers.go
@@ -432,7 +432,8 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api
 			Name:      provider.Spec.CertSecretRef.Name,
 			Namespace: provider.GetNamespace(),
 		}
-		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef)
+		const insecure = false // Provider API has no insecure field, always verify certificates
+		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef, webhook, insecure)
 		if err != nil {
 			return nil, "", fmt.Errorf("failed to get TLS config: %w", err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -432,7 +432,8 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api`
`432`	`432`	`Name: provider.Spec.CertSecretRef.Name,`
`433`	`433`	`Namespace: provider.GetNamespace(),`
`434`	`434`	`}`
`435`		`- tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef)`
	`435`	`+ const insecure = false // Provider API has no insecure field, always verify certificates`
	`436`	`+ tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef, webhook, insecure)`
`436`	`437`	`if err != nil {`
`437`	`438`	`return nil, "", fmt.Errorf("failed to get TLS config: %w", err)`
`438`	`439`	`}`