
fix: honor insecureSkipTLS in OCI storage secret #4890

Merged
weyfonk merged 4 commits into rancher:main from khushalchandak17:fix-insecure-oci
Mar 30, 2026

Conversation

@khushalchandak17

Refers to #4898

This PR fixes OCI storage secret parsing to honor insecureSkipTLS.

Fleet currently reads the legacy insecure field from the OCI storage secret. If the secret is created with insecureSkipTLS: true, that value is not recognized, so downstream fleet-agent still performs TLS verification and may fail against registries using a self-signed/private CA.

This change:

  • prefers insecureSkipTLS
  • keeps insecure as a backward-compatible fallback
  • updates test coverage to use insecureSkipTLS

Additional Information

This is intended to be a minimal fix for OCI storage secret parsing and avoids breaking existing setups that may still use the legacy insecure field.
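As an added illustration (not code from this PR or from Fleet's internal/ocistorage/secret.go), the precedence the description states, reimplemented in Go: read `insecureSkipTLS` first and fall back to the legacy `insecure` key, with the pre-fix legacy-only parser beside it to show why a secret carrying `insecureSkipTLS: true` was ignored. The key names are the ones in the description; the function names, the whitespace trimming and the error-on-malformed-value behaviour are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Key names come from the PR description; everything else here is an
// illustrative reimplementation, not Fleet's own parser.
const (
	keyInsecureSkipTLS = "insecureSkipTLS" // preferred key
	keyInsecure        = "insecure"        // legacy key, fallback only
)

// legacyParseInsecure mirrors the pre-fix behaviour: only the legacy key is
// read, so a secret carrying insecureSkipTLS: true still gets TLS verification.
func legacyParseInsecure(data map[string][]byte) bool {
	b, _ := strconv.ParseBool(strings.TrimSpace(string(data[keyInsecure])))
	return b
}

// parseInsecureSkipTLS applies the fixed precedence: insecureSkipTLS wins when
// present, insecure is consulted only as a backward-compatible fallback, and a
// value that is not a boolean is reported instead of silently defaulting.
// Returning an error for malformed values is an assumption of this example.
func parseInsecureSkipTLS(data map[string][]byte) (bool, error) {
	for _, key := range []string{keyInsecureSkipTLS, keyInsecure} {
		raw, ok := data[key]
		if !ok {
			continue
		}
		b, err := strconv.ParseBool(strings.TrimSpace(string(raw)))
		if err != nil {
			return false, fmt.Errorf("OCI storage secret: key %q: %w", key, err)
		}
		return b, nil
	}
	return false, nil // neither key set: keep TLS verification on
}

func main() {
	// Constructed sample: the secret shape the pre-fix parser ignored.
	// Secret data values often carry a trailing newline, hence the TrimSpace.
	secret := map[string][]byte{keyInsecureSkipTLS: []byte("true\n")}
	fmt.Println("legacy parser:", legacyParseInsecure(secret)) // false
	b, err := parseInsecureSkipTLS(secret)
	fmt.Println("fixed parser:", b, err) // true <nil>
}
```

When `insecureSkipTLS` is set, certificate verification for the registry is disabled, so the value is worth surfacing in logs or admission checks rather than only honoring it silently.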

@khushalchandak17 khushalchandak17 requested a review from a team as a code owner March 25, 2026 07:14
@khushalchandak17 khushalchandak17 marked this pull request as draft March 25, 2026 08:53
@khushalchandak17 khushalchandak17 marked this pull request as ready for review March 25, 2026 14:00
@weyfonk weyfonk added this to Fleet Mar 30, 2026
@weyfonk weyfonk moved this to 👀 In review in Fleet Mar 30, 2026
@weyfonk weyfonk added this to the v2.13.5 milestone Mar 30, 2026

@weyfonk weyfonk left a comment


LGTM

Comment thread internal/ocistorage/secret.go
@weyfonk weyfonk merged commit 3951853 into rancher:main Mar 30, 2026
22 checks passed
@github-project-automation github-project-automation Bot moved this from 👀 In review to ✅ Done in Fleet Mar 30, 2026
khushalchandak17 added a commit to khushalchandak17/fleet that referenced this pull request Apr 1, 2026
Fleet currently reads the legacy `insecure` field from the OCI storage
secret. If the secret is created with `insecureSkipTLS: true`, that
value is not recognized, so Fleet agents still perform TLS verification
and may fail against registries using a self-signed/private CA.

This change:
- prefers `insecureSkipTLS`
- keeps `insecure` as a backward-compatible fallback
- updates test coverage to use `insecureSkipTLS`

This is intended to be a minimal fix for OCI storage secret parsing and
avoids breaking existing setups that may still use the legacy `insecure`
field.

Co-authored-by: Corentin Néau <tan.neau@suse.com>
(cherry picked from commit 3951853)
@kkaempf kkaempf modified the milestones: v2.13.5, v2.15.0 Apr 1, 2026
thardeck pushed a commit that referenced this pull request Apr 7, 2026
khushalchandak17 added a commit to khushalchandak17/fleet that referenced this pull request Apr 7, 2026
thardeck pushed a commit that referenced this pull request Apr 7, 2026
…4925)

* fix: honor insecureSkipTLS in OCI storage secret (#4890)

* test: add OCI insecureSkipTLS apply regression

---------

Co-authored-by: Corentin Néau <tan.neau@suse.com>