fix: honor insecureSkipTLS in OCI storage secret (rancher#4890)

khushalchandak17 · weyfonk · khushalchandak17 · commit 5a228077c5d1 · 2026-04-01T12:36:37.000+05:30
Fleet currently reads the legacy `insecure` field from the OCI storage secret. If the secret is created with `insecureSkipTLS: true`, that value is not recognized, so Fleet agents still perform TLS verification and may fail against registries using a self-signed/private CA. This change: - prefers `insecureSkipTLS` - keeps `insecure` as a backward-compatible fallback - updates test coverage to use `insecureSkipTLS` This is intended to be a minimal fix for OCI storage secret parsing and avoids breaking existing setups that may still use the legacy `insecure` field. Co-authored-by: Corentin Néau <tan.neau@suse.com> (cherry picked from commit 3951853)
diff --git a/e2e/single-cluster/oci_registry_test.go b/e2e/single-cluster/oci_registry_test.go
@@ -54,13 +54,13 @@ func createOCIRegistrySecret(
 			Namespace: namespace,
 		},
 		Data: map[string][]byte{
-			ocistorage.OCISecretReference:     []byte(reference),
-			ocistorage.OCISecretUsername:      []byte(username),
-			ocistorage.OCISecretPassword:      []byte(password),
-			ocistorage.OCISecretAgentUsername: []byte(agentUsername),
-			ocistorage.OCISecretAgentPassword: []byte(agentPassword),
-			ocistorage.OCISecretInsecure:      []byte(strconv.FormatBool(insecure)),
-			ocistorage.OCISecretBasicHTTP:     []byte(strconv.FormatBool(false)),
+			ocistorage.OCISecretReference:       []byte(reference),
+			ocistorage.OCISecretUsername:        []byte(username),
+			ocistorage.OCISecretPassword:        []byte(password),
+			ocistorage.OCISecretAgentUsername:   []byte(agentUsername),
+			ocistorage.OCISecretAgentPassword:   []byte(agentPassword),
+			ocistorage.OCISecretInsecureSkipTLS: []byte(strconv.FormatBool(insecure)),
+			ocistorage.OCISecretBasicHTTP:       []byte(strconv.FormatBool(false)),
 		},
 		Type: corev1.SecretType(fleet.SecretTypeOCIStorage),
 	}
diff --git a/internal/cmd/cli/apply/apply.go b/internal/cmd/cli/apply/apply.go
@@ -674,13 +674,13 @@ func newOCISecret(manifestID string, bundle *fleet.Bundle, opts ocistorage.OCIOp
 			},
 		},
 		Data: map[string][]byte{
-			ocistorage.OCISecretReference:     []byte(opts.Reference),
-			ocistorage.OCISecretUsername:      []byte(opts.Username),
-			ocistorage.OCISecretPassword:      []byte(opts.Password),
-			ocistorage.OCISecretAgentUsername: []byte(opts.AgentUsername),
-			ocistorage.OCISecretAgentPassword: []byte(opts.AgentPassword),
-			ocistorage.OCISecretBasicHTTP:     []byte(strconv.FormatBool(opts.BasicHTTP)),
-			ocistorage.OCISecretInsecure:      []byte(strconv.FormatBool(opts.InsecureSkipTLS)),
+			ocistorage.OCISecretReference:       []byte(opts.Reference),
+			ocistorage.OCISecretUsername:        []byte(opts.Username),
+			ocistorage.OCISecretPassword:        []byte(opts.Password),
+			ocistorage.OCISecretAgentUsername:   []byte(opts.AgentUsername),
+			ocistorage.OCISecretAgentPassword:   []byte(opts.AgentPassword),
+			ocistorage.OCISecretBasicHTTP:       []byte(strconv.FormatBool(opts.BasicHTTP)),
+			ocistorage.OCISecretInsecureSkipTLS: []byte(strconv.FormatBool(opts.InsecureSkipTLS)),
 		},
 		Type: fleet.SecretTypeOCIStorage,
 	}
diff --git a/internal/ocistorage/secret.go b/internal/ocistorage/secret.go
@@ -13,13 +13,14 @@ import (
 )
 
 const (
-	OCISecretUsername      = "username"
-	OCISecretPassword      = "password"
-	OCISecretAgentUsername = "agentUsername"
-	OCISecretAgentPassword = "agentPassword"
-	OCISecretReference     = "reference"
-	OCISecretBasicHTTP     = "basicHTTP"
-	OCISecretInsecure      = "insecure"
+	OCISecretUsername        = "username"
+	OCISecretPassword        = "password"
+	OCISecretAgentUsername   = "agentUsername"
+	OCISecretAgentPassword   = "agentPassword"
+	OCISecretReference       = "reference"
+	OCISecretBasicHTTP       = "basicHTTP"
+	OCISecretInsecureSkipTLS = "insecureSkipTLS"
+	OCISecretInsecure        = "insecure" // legacy alias
 )
 
 // ReadOptsFromSecret reads the secret identified by the given NamespacedName and
@@ -73,7 +74,12 @@ func ReadOptsFromSecret(ctx context.Context, c client.Reader, ns client.ObjectKe
 		return OCIOpts{}, err
 	}
 
-	opts.InsecureSkipTLS, err = getBoolValueFromSecret(secret.Data, OCISecretInsecure, false)
+	opts.InsecureSkipTLS, err = getBoolValueFromSecretWithFallback(
+		secret.Data,
+		false,
+		OCISecretInsecureSkipTLS,
+		OCISecretInsecure,
+	)
 	if err != nil {
 		return OCIOpts{}, err
 	}
@@ -108,3 +114,17 @@ func getBoolValueFromSecret(data map[string][]byte, key string, required bool) (
 
 	return boolValue, nil
 }
+
+// getBoolValueFromSecretWithFallback extracts a boolean value from data, using keys in the provided order of priority, and returns the first found value, if any.
+// If no value is found, the function returns false, with an error if the value was required.
+func getBoolValueFromSecretWithFallback(data map[string][]byte, required bool, keys ...string) (bool, error) {
+	for _, key := range keys {
+		if _, ok := data[key]; ok {
+			return getBoolValueFromSecret(data, key, true)
+		}
+	}
+	if !required {
+		return false, nil
+	}
+	return false, fmt.Errorf("key %q not found in secret", keys[0])
+}
diff --git a/internal/ocistorage/secret_test.go b/internal/ocistorage/secret_test.go
@@ -76,6 +76,46 @@ var _ = Describe("OCIOpts loaded from secret", func() {
 		})
 	})
 
+	When("the given oci storage secret uses the documented insecureSkipTLS field", func() {
+		BeforeEach(func() {
+			secretName = "test"
+			secretData = map[string][]byte{
+				OCISecretReference:       []byte("reference"),
+				OCISecretInsecureSkipTLS: []byte("true"),
+			}
+			secretType = fleet.SecretTypeOCIStorage
+			secretGetErrorMessage = ""
+			secretGetNotFoundError = false
+		})
+		It("returns the expected OCIOpts from the data in the secret", func() {
+			ns := client.ObjectKey{Name: secretName, Namespace: "test"}
+			opts, err := ReadOptsFromSecret(context.TODO(), mockClient, ns)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(opts.Reference).To(Equal(string(secretData[OCISecretReference])))
+			Expect(opts.InsecureSkipTLS).To(BeTrue())
+		})
+	})
+
+	When("the oci storage secret contains both insecure keys", func() {
+		BeforeEach(func() {
+			secretName = "test"
+			secretData = map[string][]byte{
+				OCISecretReference:       []byte("reference"),
+				OCISecretInsecureSkipTLS: []byte("false"),
+				OCISecretInsecure:        []byte("true"),
+			}
+			secretType = fleet.SecretTypeOCIStorage
+			secretGetErrorMessage = ""
+			secretGetNotFoundError = false
+		})
+		It("prefers insecureSkipTLS over the legacy insecure field", func() {
+			ns := client.ObjectKey{Name: secretName, Namespace: "test"}
+			opts, err := ReadOptsFromSecret(context.TODO(), mockClient, ns)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(opts.InsecureSkipTLS).To(BeFalse())
+		})
+	})
+
 	When("the secret name is not set, but a default secret exists", func() {
 		BeforeEach(func() {
 			secretName = ""
