fix: honor insecureSkipTLS in OCI storage secret

Author: khushalchandak17

e2e/single-cluster/oci_registry_test.go

@@ -54,13 +54,13 @@ func createOCIRegistrySecret(
 			Namespace: namespace,
 		},
 		Data: map[string][]byte{
-			ocistorage.OCISecretReference:     []byte(reference),
-			ocistorage.OCISecretUsername:      []byte(username),
-			ocistorage.OCISecretPassword:      []byte(password),
-			ocistorage.OCISecretAgentUsername: []byte(agentUsername),
-			ocistorage.OCISecretAgentPassword: []byte(agentPassword),
-			ocistorage.OCISecretInsecure:      []byte(strconv.FormatBool(insecure)),
-			ocistorage.OCISecretBasicHTTP:     []byte(strconv.FormatBool(false)),
+			ocistorage.OCISecretReference:       []byte(reference),
+			ocistorage.OCISecretUsername:        []byte(username),
+			ocistorage.OCISecretPassword:        []byte(password),
+			ocistorage.OCISecretAgentUsername:   []byte(agentUsername),
+			ocistorage.OCISecretAgentPassword:   []byte(agentPassword),
+			ocistorage.OCISecretInsecureSkipTLS: []byte(strconv.FormatBool(insecure)),
+			ocistorage.OCISecretBasicHTTP:       []byte(strconv.FormatBool(false)),
 		},
 		Type: corev1.SecretType(fleet.SecretTypeOCIStorage),
 	}

internal/ocistorage/secret.go

@@ -13,13 +13,14 @@ import (
 )
 
 const (
-	OCISecretUsername      = "username"
-	OCISecretPassword      = "password"
-	OCISecretAgentUsername = "agentUsername"
-	OCISecretAgentPassword = "agentPassword"
-	OCISecretReference     = "reference"
-	OCISecretBasicHTTP     = "basicHTTP"
-	OCISecretInsecure      = "insecure"
+	OCISecretUsername        = "username"
+	OCISecretPassword        = "password"
+	OCISecretAgentUsername   = "agentUsername"
+	OCISecretAgentPassword   = "agentPassword"
+	OCISecretReference       = "reference"
+	OCISecretBasicHTTP       = "basicHTTP"
+	OCISecretInsecureSkipTLS = "insecureSkipTLS"
+	OCISecretInsecure        = "insecure" // legacy alias
 )
 
 // ReadOptsFromSecret reads the secret identified by the given NamespacedName and
@@ -73,7 +74,12 @@ func ReadOptsFromSecret(ctx context.Context, c client.Reader, ns client.ObjectKe
 		return OCIOpts{}, err
 	}
 
-	opts.InsecureSkipTLS, err = getBoolValueFromSecret(secret.Data, OCISecretInsecure, false)
+	opts.InsecureSkipTLS, err = getBoolValueFromSecretWithFallback(
+		secret.Data,
+		false,
+		OCISecretInsecureSkipTLS,
+		OCISecretInsecure,
+	)
 	if err != nil {
 		return OCIOpts{}, err
 	}
@@ -108,3 +114,15 @@ func getBoolValueFromSecret(data map[string][]byte, key string, required bool) (
 
 	return boolValue, nil
 }
+
+func getBoolValueFromSecretWithFallback(data map[string][]byte, required bool, keys ...string) (bool, error) {
+	for _, key := range keys {
+		if _, ok := data[key]; ok {
+			return getBoolValueFromSecret(data, key, true)
+		}
+	}
+	if !required {
+		return false, nil
+	}
+	return false, fmt.Errorf("key %q not found in secret", keys[0])
+}

internal/ocistorage/secret_test.go

@@ -76,6 +76,46 @@ var _ = Describe("OCIOpts loaded from secret", func() {
 		})
 	})
 
+	When("the given oci storage secret uses the documented insecureSkipTLS field", func() {
+		BeforeEach(func() {
+			secretName = "test"
+			secretData = map[string][]byte{
+				OCISecretReference:       []byte("reference"),
+				OCISecretInsecureSkipTLS: []byte("true"),
+			}
+			secretType = fleet.SecretTypeOCIStorage
+			secretGetErrorMessage = ""
+			secretGetNotFoundError = false
+		})
+		It("returns the expected OCIOpts from the data in the secret", func() {
+			ns := client.ObjectKey{Name: secretName, Namespace: "test"}
+			opts, err := ReadOptsFromSecret(context.TODO(), mockClient, ns)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(opts.Reference).To(Equal(string(secretData[OCISecretReference])))
+			Expect(opts.InsecureSkipTLS).To(BeTrue())
+		})
+	})
+
+	When("the oci storage secret contains both insecure keys", func() {
+		BeforeEach(func() {
+			secretName = "test"
+			secretData = map[string][]byte{
+				OCISecretReference:       []byte("reference"),
+				OCISecretInsecureSkipTLS: []byte("false"),
+				OCISecretInsecure:        []byte("true"),
+			}
+			secretType = fleet.SecretTypeOCIStorage
+			secretGetErrorMessage = ""
+			secretGetNotFoundError = false
+		})
+		It("prefers insecureSkipTLS over the legacy insecure field", func() {
+			ns := client.ObjectKey{Name: secretName, Namespace: "test"}
+			opts, err := ReadOptsFromSecret(context.TODO(), mockClient, ns)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(opts.InsecureSkipTLS).To(BeFalse())
+		})
+	})
+
 	When("the secret name is not set, but a default secret exists", func() {
 		BeforeEach(func() {
 			secretName = ""