This is a backport issue for #4897, automatically created via GitHub Actions workflow initiated by @0xavi0
Original issue body:
Is there an existing issue for this?
Current Behavior
In a fully Rancher provisioned setup with an rke2 downstream cluster, the fleet-agent in the downstream cluster fails to pull the fleet bundle from the oci registry because it doesn't trust its certificate which is signed by a custom CA.
{"level":"error","ts":"2026-03-26T14:21:21Z","msg":"Reconciler error","controller":"bundledeployment","controllerGroup":"fleet.cattle.io","controllerKind":"BundleDeployment","BundleDeployment":{"name":"infra-common-cert-manager","namespace":"cluster-fleet-default-playground-130f5a23df29"},"namespace":"cluster-fleet-default-playground-130f5a23df29","name":"infra-common-cert-manager","reconcileID":"663446f9-9198-446e-af5f-f2f9b219e8e6","error":"failed deploying bundle: failed to perform \"FetchReference\" on source: Get \"https://redacted/s-904eb49f284e823a11b8c6cf9e952211bca46f4bd1e2b43b62d075a9d471d/manifests/latest\": tls: failed to verify certificate: x509: certificate signed by unknown authority","errorCauses":[{"error":"failed deploying bundle: failed to perform \"FetchReference\" on source: Get \"https://redacted/s-904eb49f284e823a11b8c6cf9e952211bca46f4bd1e2b43b62d075a9d471d/manifests/latest\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}],"stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.21.0/pkg/internal/controller/controller.go:353\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.21.0/pkg/internal/controller/controller.go:300\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.21.0/pkg/internal/controller/controller.go:202"}
The fleet-controller can upload bundles into the oci registry without issues.
I also tried to set insecureSkipTLS: true on the ocistorage secret according to https://fleet.rancher.io/0.13/how-tos-for-users/oci-storage#_secret_field_reference but it had no effect.
Rancher is configured with the additionalTrustedCAs option https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options#additional-trusted-cas and fleet can successfully pull oci helm charts from the registry. Only the OCI Storage for bundles doesn't work.
Expected Behavior
fleet-agent in downstream clusters should inherit the CA config from the upstream cluster and apply it when pulling fleet bundles from an OCI storage.
Steps To Reproduce
- Install Rancher on an rke2 cluster with a custom CA setting additionalTrustedCAs
- Setup a downstream rke2 cluster
- Attempt to use fleet with OCI Storage on a registry with a self-signed CA
Environment
- Architecture: amd64
- Fleet Version: 0.13.9
- Cluster:
  - Provider: rke2
  - Options:
- Kubernetes Version: 1.33.7
Logs
Anything else?
No response