Add WithSystemCertPool for CA compatibility

go.mod

@@ -38,7 +38,7 @@ require (
 	github.com/fluxcd/pkg/lockedfile v0.6.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
 	github.com/fluxcd/pkg/oci v0.51.0
-	github.com/fluxcd/pkg/runtime v0.76.0
+	github.com/fluxcd/pkg/runtime v0.78.0
 	github.com/fluxcd/pkg/sourceignore v0.13.0
 	github.com/fluxcd/pkg/ssh v0.20.0
 	github.com/fluxcd/pkg/tar v0.13.0

go.sum

@@ -398,8 +398,8 @@ github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
 github.com/fluxcd/pkg/oci v0.51.0 h1:9oYnm+T4SCVSBif9gn80ALJkMGSERabVMDJiaMIdr7Y=
 github.com/fluxcd/pkg/oci v0.51.0/go.mod h1:5J6IhHoDVYCVeBEC+4E3nPeKh7d0kjJ8IEL6NVCiTx4=
-github.com/fluxcd/pkg/runtime v0.76.0 h1:VoN508i65E/zK0iNXk1Ubvb2VcA8uADqckF+7nuof20=
-github.com/fluxcd/pkg/runtime v0.76.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.78.0 h1:xwNZqnazmgURGuLiHDbzST6BI5K9fvZuNS4eMVY35Es=
+github.com/fluxcd/pkg/runtime v0.78.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/sourceignore v0.13.0 h1:ZvkzX2WsmyZK9cjlqOFFW1onHVzhPZIqDbCh96rPqbU=
 github.com/fluxcd/pkg/sourceignore v0.13.0/go.mod h1:Z9H1GoBx0ljOhptnzoV0PL6Nd/UzwKcSphP27lqb4xI=
 github.com/fluxcd/pkg/ssh v0.20.0 h1:Ak0laIYIc/L8lEfqls/LDWRW8wYPESGaravQsCRGLb8=

internal/controller/helmrepository_controller_test.go

@@ -426,11 +426,11 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 		assertConditions []metav1.Condition
 	}{
 		{
-			name:     "HTTPS with certSecretRef pointing to non-matching CA cert but public repo URL fails",
+			name:     "HTTPS with certSecretRef non-matching CA succeeds via system CA pool",
 			protocol: "http",
 			url:      "https://stefanprodan.github.io/podinfo",
-			want:     sreconcile.ResultEmpty,
-			wantErr:  true,
+			want:     sreconcile.ResultSuccess,
+			wantErr:  false,
 			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "ca-file",
@@ -442,19 +442,10 @@ func TestHelmRepositoryReconciler_reconcileSource(t *testing.T) {
 			},
 			beforeFunc: func(t *WithT, obj *sourcev1.HelmRepository) {
 				obj.Spec.CertSecretRef = &meta.LocalObjectReference{Name: "ca-file"}
-				conditions.MarkReconciling(obj, meta.ProgressingReason, "foo")
-				conditions.MarkUnknown(obj, meta.ReadyCondition, "foo", "bar")
 			},
 			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(sourcev1.FetchFailedCondition, meta.FailedReason, "tls: failed to verify certificate: x509: certificate signed by unknown authority"),
-				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "foo"),
-				*conditions.UnknownCondition(meta.ReadyCondition, "foo", "bar"),
-			},
-			afterFunc: func(t *WithT, obj *sourcev1.HelmRepository, artifact sourcev1.Artifact, chartRepo *repository.ChartRepository) {
-				// No repo index due to fetch fail.
-				t.Expect(chartRepo.Path).To(BeEmpty())
-				t.Expect(chartRepo.Index).To(BeNil())
-				t.Expect(artifact.Revision).To(BeEmpty())
+				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: new index revision"),
+				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new index revision"),
 			},
 		},
 		{

internal/controller/ocirepository_controller.go

@@ -1002,7 +1002,11 @@ func (r *OCIRepositoryReconciler) getTLSConfig(ctx context.Context, obj *sourcev
 		Namespace: obj.Namespace,
 		Name:      obj.Spec.CertSecretRef.Name,
 	}
-	return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, obj.Spec.URL)
+	// NOTE: Use WithSystemCertPool to maintain backward compatibility with the existing
+	// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
+	// This ensures source-controller continues to work with both system and user-provided CA certificates.
+	var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}
+	return secrets.TLSConfigFromSecretRef(ctx, r.Client, secretName, obj.Spec.URL, tlsOpts...)
 }
 
 // reconcileStorage ensures the current state of the storage matches the

internal/helm/getter/client_opts.go

@@ -122,7 +122,11 @@ func configureAuthentication(ctx context.Context, c client.Client, obj *sourcev1
 		}
 		certSecret = secret
 
-		tlsConfig, err := secrets.TLSConfigFromSecret(ctx, secret, obj.Spec.URL)
+		// NOTE: Use WithSystemCertPool to maintain backward compatibility with the existing
+		// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
+		// This ensures HelmRepository continues to work with both system and user-provided CA certificates.
+		var tlsOpts = []secrets.TLSConfigOption{secrets.WithSystemCertPool()}
+		tlsConfig, err := secrets.TLSConfigFromSecret(ctx, secret, obj.Spec.URL, tlsOpts...)
 		if err != nil {
 			return false, nil, nil, fmt.Errorf("failed to construct Helm client's TLS config: %w", err)
 		}
@@ -138,7 +142,14 @@ func configureAuthentication(ctx context.Context, c client.Client, obj *sourcev1
 		}
 		authSecret = secret
 
-		methods, err := secrets.AuthMethodsFromSecret(ctx, secret, secrets.WithTargetURL(obj.Spec.URL))
+		// NOTE: Use WithTLSSystemCertPool to maintain backward compatibility with the existing
+		// extend approach (system CAs + user CA) rather than the default replace approach (user CA only).
+		// This ensures HelmRepository auth methods work with both system and user-provided CA certificates.
+		var authOpts = []secrets.AuthMethodsOption{
+			secrets.WithTargetURL(obj.Spec.URL),
+			secrets.WithTLSSystemCertPool(),
+		}
+		methods, err := secrets.AuthMethodsFromSecret(ctx, secret, authOpts...)
 		if err != nil {
 			return false, nil, nil, fmt.Errorf("failed to detect authentication methods: %w", err)
 		}