fix: use insecureSkipTLS in generated OCI secret

khushalchandak17 · khushalchandak17 · commit 7c8645a77d6a · 2026-03-25T14:49:44.000+05:30
diff --git a/internal/cmd/cli/apply/apply.go b/internal/cmd/cli/apply/apply.go
@@ -758,13 +758,13 @@ func newOCISecret(manifestID string, bundle *fleet.Bundle, opts ocistorage.OCIOp
 			},
 		},
 		Data: map[string][]byte{
-			ocistorage.OCISecretReference:     []byte(opts.Reference),
-			ocistorage.OCISecretUsername:      []byte(opts.Username),
-			ocistorage.OCISecretPassword:      []byte(opts.Password),
-			ocistorage.OCISecretAgentUsername: []byte(opts.AgentUsername),
-			ocistorage.OCISecretAgentPassword: []byte(opts.AgentPassword),
-			ocistorage.OCISecretBasicHTTP:     []byte(strconv.FormatBool(opts.BasicHTTP)),
-			ocistorage.OCISecretInsecure:      []byte(strconv.FormatBool(opts.InsecureSkipTLS)),
+			ocistorage.OCISecretReference:       []byte(opts.Reference),
+			ocistorage.OCISecretUsername:        []byte(opts.Username),
+			ocistorage.OCISecretPassword:        []byte(opts.Password),
+			ocistorage.OCISecretAgentUsername:   []byte(opts.AgentUsername),
+			ocistorage.OCISecretAgentPassword:   []byte(opts.AgentPassword),
+			ocistorage.OCISecretBasicHTTP:       []byte(strconv.FormatBool(opts.BasicHTTP)),
+			ocistorage.OCISecretInsecureSkipTLS: []byte(strconv.FormatBool(opts.InsecureSkipTLS)),
 		},
 		Type: fleet.SecretTypeOCIStorage,
 	}
diff --git a/internal/cmd/cli/apply/apply_test.go b/internal/cmd/cli/apply/apply_test.go
@@ -3,7 +3,10 @@ package apply
 import (
 	"testing"
 
+	"github.com/rancher/fleet/internal/ocistorage"
 	fleet "github.com/rancher/fleet/pkg/apis/fleet.cattle.io/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 func Test_getKindNS(t *testing.T) {
@@ -87,3 +90,30 @@ data:
 		})
 	}
 }
+
+func Test_newOCISecret_usesInsecureSkipTLSKey(t *testing.T) {
+	bundle := &fleet.Bundle{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "bundle",
+			Namespace: "fleet-local",
+			UID:       types.UID("bundle-uid"),
+		},
+	}
+
+	secret := newOCISecret("manifest-id", bundle, ocistorage.OCIOpts{
+		Reference:       "registry.example.com/test",
+		Username:        "user",
+		Password:        "pass",
+		AgentUsername:   "agent-user",
+		AgentPassword:   "agent-pass",
+		InsecureSkipTLS: true,
+	})
+
+	if got := string(secret.Data[ocistorage.OCISecretInsecureSkipTLS]); got != "true" {
+		t.Fatalf("expected insecureSkipTLS=true, got %q", got)
+	}
+
+	if _, ok := secret.Data[ocistorage.OCISecretInsecure]; ok {
+		t.Fatal("did not expect legacy insecure key in generated secret")
+	}
+}
