Remove ServerName pinning from TLS config

cappyzawa · cappyzawa · commit 683719d33c54 · 2025-08-14T22:52:50.000+09:00
Remove ServerName pinning functionality that can cause TLS
verification failures in production environments with redirects,
proxies, and multi-host scenarios.

The Go standard library automatically handles SNI and hostname
verification based on the actual connection target, providing
better compatibility and security than fixed ServerName values.

Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/go.mod b/go.mod
@@ -38,7 +38,7 @@ require (
 	github.com/fluxcd/pkg/lockedfile v0.6.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
 	github.com/fluxcd/pkg/oci v0.52.0
-	github.com/fluxcd/pkg/runtime v0.79.0
+	github.com/fluxcd/pkg/runtime v0.80.0
 	github.com/fluxcd/pkg/sourceignore v0.13.0
 	github.com/fluxcd/pkg/ssh v0.20.0
 	github.com/fluxcd/pkg/tar v0.13.0
diff --git a/go.sum b/go.sum
@@ -398,8 +398,8 @@ github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
 github.com/fluxcd/pkg/oci v0.52.0 h1:rkHMtXYm21MtDrjNcR5KScqOe6C1JHPExoShuVdNm8M=
 github.com/fluxcd/pkg/oci v0.52.0/go.mod h1:5J6IhHoDVYCVeBEC+4E3nPeKh7d0kjJ8IEL6NVCiTx4=
-github.com/fluxcd/pkg/runtime v0.79.0 h1:9tv79EiQDx/QJH9mYDd9kZ9WybCVWBUGoiBHij+eKkc=
-github.com/fluxcd/pkg/runtime v0.79.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=
+github.com/fluxcd/pkg/runtime v0.80.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/sourceignore v0.13.0 h1:ZvkzX2WsmyZK9cjlqOFFW1onHVzhPZIqDbCh96rPqbU=
 github.com/fluxcd/pkg/sourceignore v0.13.0/go.mod h1:Z9H1GoBx0ljOhptnzoV0PL6Nd/UzwKcSphP27lqb4xI=
 github.com/fluxcd/pkg/ssh v0.20.0 h1:Ak0laIYIc/L8lEfqls/LDWRW8wYPESGaravQsCRGLb8=
diff --git a/internal/controller/bucket_controller.go b/internal/controller/bucket_controller.go
@@ -831,7 +831,7 @@ func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.B
 			Namespace: obj.GetNamespace(),
 			Name:      obj.Spec.CertSecretRef.Name,
 		}
-		tlsConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.Endpoint, secrets.WithSystemCertPool())
+		tlsConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, secrets.WithSystemCertPool())
 		if err != nil {
 			return nil, fmt.Errorf("failed to get TLS config: %w", err)
 		}
@@ -842,7 +842,7 @@ func (r *BucketReconciler) setupCredentials(ctx context.Context, obj *sourcev1.B
 			Namespace: obj.GetNamespace(),
 			Name:      obj.Spec.STS.CertSecretRef.Name,
 		}
-		stsTLSConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.STS.Endpoint, secrets.WithSystemCertPool())
+		stsTLSConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, secrets.WithSystemCertPool())
 		if err != nil {
 			return nil, fmt.Errorf("failed to get STS TLS config: %w", err)
 		}
diff --git a/internal/controller/gitrepository_controller.go b/internal/controller/gitrepository_controller.go
@@ -689,8 +689,7 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 			conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)
 			return nil, e
 		}
-		targetURL := fmt.Sprintf("%s://%s", u.Scheme, u.Host)
-		authMethods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTargetURL(targetURL), secrets.WithTLSSystemCertPool())
+		authMethods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTLSSystemCertPool())
 		if err != nil {
 			return nil, err
 		}
diff --git a/internal/controller/helmrepository_controller_test.go b/internal/controller/helmrepository_controller_test.go
@@ -474,7 +474,7 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				repoURL, err := repository.NormalizeURL(serverURL)
 				t.Expect(err).ToNot(HaveOccurred())
 
-				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret, serverURL)
+				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret)
 				t.Expect(err).ToNot(HaveOccurred())
 
 				getterOpts := []helmgetter.Option{
@@ -526,7 +526,7 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				repoURL, err := repository.NormalizeURL(serverURL)
 				t.Expect(err).ToNot(HaveOccurred())
 
-				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret, serverURL)
+				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret)
 				t.Expect(err).ToNot(HaveOccurred())
 
 				getterOpts := []helmgetter.Option{
@@ -580,7 +580,7 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 				repoURL, err := repository.NormalizeURL(serverURL)
 				t.Expect(err).ToNot(HaveOccurred())
 
-				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret, serverURL)
+				tlsConfig, err := secrets.TLSConfigFromSecret(context.TODO(), secret)
 				t.Expect(err).ToNot(HaveOccurred())
 
 				getterOpts := []helmgetter.Option{
diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go
@@ -1007,7 +1007,7 @@ func (r *OCIRepositoryReconciler) getTLSConfig(ctx context.Context, obj *sourcev
 	// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
 	// This ensures source-controller continues to work with both system and user-provided CA certificates.
 	var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}
-	return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, obj.Spec.URL, tlsOpts...)
+	return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, tlsOpts...)
 }
 
 // reconcileStorage ensures the current state of the storage matches the
diff --git a/internal/helm/getter/client_opts.go b/internal/helm/getter/client_opts.go
@@ -127,7 +127,7 @@ func configureAuthentication(ctx context.Context, c client.Client, obj *sourcev1
 		// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
 		// This ensures HelmRepository continues to work with both system and user-provided CA certificates.
 		var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}
-		tlsConfig, err := secrets.TLSConfigFromSecret(ctx, secret, obj.Spec.URL, tlsOpts...)
+		tlsConfig, err := secrets.TLSConfigFromSecret(ctx, secret, tlsOpts...)
 		if err != nil {
 			return false, nil, nil, fmt.Errorf("failed to construct Helm client's TLS config: %w", err)
 		}
@@ -148,7 +148,6 @@ func configureAuthentication(ctx context.Context, c client.Client, obj *sourcev1
 		// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
 		// This ensures HelmRepository auth methods work with both system and user-provided CA certificates.
 		var authOpts = []secrets.AuthMethodsOption{
-			secrets.WithTargetURL(obj.Spec.URL),
 			secrets.WithTLSSystemCertPool(),
 		}
 		methods, err := secrets.AuthMethodsFromSecret(ctx, secret, authOpts...)
diff --git a/internal/helm/getter/client_opts_test.go b/internal/helm/getter/client_opts_test.go
@@ -298,49 +298,3 @@ func TestGetClientOpts_registryTLSLoginOption(t *testing.T) {
 		})
 	}
 }
-
-func TestConfigureAuthentication_WithTargetURL(t *testing.T) {
-	g := NewWithT(t)
-
-	tlsCA, err := os.ReadFile("../../controller/testdata/certs/ca.pem")
-	if err != nil {
-		t.Errorf("could not read CA file: %s", err)
-		return
-	}
-
-	helmRepo := &helmv1.HelmRepository{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test-repo",
-			Namespace: "default",
-		},
-		Spec: helmv1.HelmRepositorySpec{
-			URL: "https://example.com/charts",
-		},
-	}
-
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "auth-secret",
-			Namespace: "default",
-		},
-		Data: map[string][]byte{
-			"username": []byte("testuser"),
-			"password": []byte("testpass"),
-			"ca.crt":   tlsCA,
-		},
-	}
-
-	client := fakeclient.NewClientBuilder().WithObjects(secret).Build()
-	helmRepo.Spec.SecretRef = &meta.LocalObjectReference{Name: secret.Name}
-
-	opts := &ClientOpts{}
-	deprecatedTLS, certSecret, authSecret, err := configureAuthentication(context.TODO(), client, helmRepo, opts, helmRepo.Spec.URL)
-	g.Expect(err).ToNot(HaveOccurred())
-	g.Expect(deprecatedTLS).To(BeTrue()) // TLS from SecretRef is deprecated
-	g.Expect(certSecret).To(BeNil())
-	g.Expect(authSecret).To(Equal(secret))
-
-	// Regression test: verify ServerName is set from target URL when WithTargetURL is used
-	g.Expect(opts.TlsConfig).ToNot(BeNil())
-	g.Expect(opts.TlsConfig.ServerName).To(Equal("example.com"))
-}

Original file line number	Diff line number	Diff line change
`@@ -831,7 +831,7 @@ func (r BucketReconciler) setupCredentials(ctx context.Context, obj sourcev1.B`
`831`	`831`	`Namespace: obj.GetNamespace(),`
`832`	`832`	`Name: obj.Spec.CertSecretRef.Name,`
`833`	`833`	`}`
`834`		`- tlsConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.Endpoint, secrets.WithSystemCertPool())`
	`834`	`+ tlsConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, secrets.WithSystemCertPool())`
`835`	`835`	`if err != nil {`
`836`	`836`	`return nil, fmt.Errorf("failed to get TLS config: %w", err)`
`837`	`837`	`}`
`@@ -842,7 +842,7 @@ func (r BucketReconciler) setupCredentials(ctx context.Context, obj sourcev1.B`
`842`	`842`	`Namespace: obj.GetNamespace(),`
`843`	`843`	`Name: obj.Spec.STS.CertSecretRef.Name,`
`844`	`844`	`}`
`845`		`- stsTLSConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, obj.Spec.STS.Endpoint, secrets.WithSystemCertPool())`
	`845`	`+ stsTLSConfig, err = secrets.TLSConfigFromSecretRef(ctx, r.Client, secretRef, secrets.WithSystemCertPool())`
`846`	`846`	`if err != nil {`
`847`	`847`	`return nil, fmt.Errorf("failed to get STS TLS config: %w", err)`
`848`	`848`	`}`
Original file line number	Diff line number	Diff line change
`@@ -689,8 +689,7 @@ func (r GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj sourcev1`
`689`	`689`	`conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, "%s", e)`
`690`	`690`	`return nil, e`
`691`	`691`	`}`
`692`		`- targetURL := fmt.Sprintf("%s://%s", u.Scheme, u.Host)`
`693`		`- authMethods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTargetURL(targetURL), secrets.WithTLSSystemCertPool())`
	`692`	`+ authMethods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTLSSystemCertPool())`
`694`	`693`	`if err != nil {`
`695`	`694`	`return nil, err`
`696`	`695`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1007,7 +1007,7 @@ func (r OCIRepositoryReconciler) getTLSConfig(ctx context.Context, obj sourcev`
`1007`	`1007`	`// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).`
`1008`	`1008`	`// This ensures source-controller continues to work with both system and user-provided CA certificates.`
`1009`	`1009`	`var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}`
`1010`		`- return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, obj.Spec.URL, tlsOpts...)`
	`1010`	`+ return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, tlsOpts...)`
`1011`	`1011`	`}`
`1012`	`1012`
`1013`	`1013`	`// reconcileStorage ensures the current state of the storage matches the`