@cappyzawa
Member

Update pkg/runtime dependency from v0.76.0 to v0.78.0 and add
WithSystemCertPool() options to maintain backward compatibility
with the existing extend approach (system CAs + user CA).

This ensures source-controller continues to work with both system
and user-provided CA certificates, maintaining the same behavior
as before the pkg/runtime/secrets API changes.

Signed-off-by: cappyzawa <[email protected]>
@cappyzawa cappyzawa force-pushed the feat/helm-oci-controllers-runtime-secrets-v078 branch from 97b95f9 to ba14962 Compare July 30, 2025 02:40
}{
{
name: "HTTPS with certSecretRef pointing to non-matching CA cert but public repo URL fails",
name: "HTTPS with certSecretRef non-matching CA succeeds via system CA pool",
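Review bot: the new name on the second `name:` line drops the "public repo URL" qualifier that the old name carried, and that qualifier is the condition under which this case can pass. A non-matching user CA only succeeds through the system CA pool when the server's certificate chains to a system-trusted CA, so a reader of the shortened name could take it to mean any non-matching CA is now accepted. Consider keeping the qualifier, for example "HTTPS with certSecretRef non-matching CA and public repo URL succeeds via system CA pool", and, if the table does not already have one, pairing it with a case where the host is not verifiable by the system pool and the non-matching CA still fails.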
Member Author

This test case update reverts the breaking behavior introduced in PR #1849, which made TLS validation stricter by only accepting user-provided CA certificates.

While this stricter validation was initially considered beneficial for security, it broke backward compatibility. With the restoration of the extend approach (system CAs + user CA) through WithSystemCertPool(), this test now correctly succeeds because:

  1. The user-provided CA certificate doesn't match the public repository's certificate
  2. The system CA pool contains the valid CA that can verify the public repository
  3. Therefore, the connection succeeds via system CA validation

The test name has been updated to "succeeds via system CA pool" to make this behavior explicit for future maintainers.
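The difference between the two trust policies discussed in the comment above, as an added example that is not part of the PR or of source-controller's code. It does not call pkg/runtime's `WithSystemCertPool()`; `newCert`, `trustPool`, `check` and the host names are hypothetical, and an in-memory pool stands in for the system CA pool so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a constructed cert for cn; a nil parent yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// trustPool: extend=false trusts only the user CA; extend=true adds it to a copy of base.
func trustPool(base *x509.CertPool, userCA *x509.Certificate, extend bool) *x509.CertPool {
	pool := x509.NewCertPool()
	if extend {
		pool = base.Clone()
	}
	pool.AddCert(userCA)
	return pool
}
// check verifies a leaf issued by the stand-in "public" CA under the chosen policy.
func check(extend bool) bool {
	pubCA, pubKey := newCert("constructed-public-ca", nil, nil)
	userCA, _ := newCert("constructed-user-ca", nil, nil) // does not match the server
	leaf, _ := newCert("repo.example.test", pubCA, pubKey)
	system := x509.NewCertPool() // stand-in for the system CA pool (assumption)
	system.AddCert(pubCA)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "repo.example.test", Roots: trustPool(system, userCA, extend)})
	return err == nil
}
func main() { fmt.Println("user CA only:", check(false), "| system + user CA:", check(true)) }
```

With the extended pool, a configured user CA adds to the trusted roots rather than replacing them, so it cannot be used to pin a repository to a single private CA.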

Member

@matheuscscp matheuscscp left a comment

LGTM! 🚀

@matheuscscp matheuscscp merged commit 93b9048 into fluxcd:main Jul 30, 2025
8 checks passed
@cappyzawa cappyzawa deleted the feat/helm-oci-controllers-runtime-secrets-v078 branch July 30, 2025 03:43