fixup! fixup! Migrate OCIRepository controller to runtime/secrets

Add ServerName support for TLS configuration

Signed-off-by: cappyzawa <[email protected]>

Author: cappyzawa

internal/controller/ocirepository_controller.go

@@ -971,6 +971,14 @@ func (r *OCIRepositoryReconciler) transport(ctx context.Context, obj *sourcev1.O
 		return nil, err
 	}
 	if tlsConfig != nil {
+		// Set ServerName for proper virtual hosting support
+		if tlsConfig.ServerName == "" {
+			serverName, err := extractServerNameFromURL(obj.Spec.URL)
+			if err != nil {
+				return nil, fmt.Errorf("failed to extract server name for TLS: %w", err)
+			}
+			tlsConfig.ServerName = serverName
+		}
 		transport.TLSClientConfig = tlsConfig
 	}
 
@@ -981,6 +989,25 @@ func (r *OCIRepositoryReconciler) transport(ctx context.Context, obj *sourcev1.O
 	return transport, nil
 }
 
+// extractServerNameFromURL extracts the server name from an OCI repository URL
+// for use in TLS configuration. It returns the hostname (with port if present)
+// that should be used as the ServerName in TLS handshakes.
+func extractServerNameFromURL(url string) (string, error) {
+	if !strings.HasPrefix(url, sourcev1.OCIRepositoryPrefix) {
+		return "", fmt.Errorf("URL must be in format 'oci://<domain>/<org>/<repo>'")
+	}
+
+	cleanURL := strings.TrimPrefix(url, sourcev1.OCIRepositoryPrefix)
+	
+	// Parse as a reference to get the registry part
+	ref, err := name.ParseReference(cleanURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse OCI URL: %w", err)
+	}
+	
+	return ref.Context().RegistryStr(), nil
+}
+
 // getTLSConfig gets the TLS configuration for the transport based on the
 // specified secret reference in the OCIRepository object, or the insecure flag.
 func (r *OCIRepositoryReconciler) getTLSConfig(ctx context.Context, obj *sourcev1.OCIRepository) (*cryptotls.Config, error) {

internal/controller/ocirepository_controller_test.go

@@ -3705,3 +3705,63 @@ func TestOCIContentConfigChanged(t *testing.T) {
 		})
 	}
 }
+
+func TestOCIRepositoryReconciler_extractServerNameFromURL(t *testing.T) {
+	tests := []struct {
+		name    string
+		url     string
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "valid OCI URL with hostname",
+			url:  "oci://registry.example.com/myorg/myrepo",
+			want: "registry.example.com",
+		},
+		{
+			name: "valid OCI URL with hostname and port",
+			url:  "oci://registry.example.com:8443/myorg/myrepo",
+			want: "registry.example.com:8443",
+		},
+		{
+			name: "valid OCI URL with tag",
+			url:  "oci://ghcr.io/fluxcd/flux2/manifests:v2.0.0",
+			want: "ghcr.io",
+		},
+		{
+			name: "valid OCI URL with digest",
+			url:  "oci://docker.io/library/nginx@sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
+			want: "index.docker.io",
+		},
+		{
+			name:    "invalid URL without oci:// prefix",
+			url:     "https://registry.example.com/myorg/myrepo",
+			wantErr: true,
+		},
+		{
+			name:    "invalid URL format",
+			url:     "oci://",
+			wantErr: true,
+		},
+		{
+			name:    "invalid URL with malformed registry",
+			url:     "oci://",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			got, err := extractServerNameFromURL(tt.url)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(got).To(Equal(tt.want))
+		})
+	}
+}