14 changes: 7 additions & 7 deletions e2e/single-cluster/oci_registry_test.go
Expand Up @@ -54,13 +54,13 @@ func createOCIRegistrySecret(
Namespace: namespace,
},
Data: map[string][]byte{
ocistorage.OCISecretReference: []byte(reference),
ocistorage.OCISecretUsername: []byte(username),
ocistorage.OCISecretPassword: []byte(password),
ocistorage.OCISecretAgentUsername: []byte(agentUsername),
ocistorage.OCISecretAgentPassword: []byte(agentPassword),
ocistorage.OCISecretInsecure: []byte(strconv.FormatBool(insecure)),
ocistorage.OCISecretBasicHTTP: []byte(strconv.FormatBool(false)),
ocistorage.OCISecretReference: []byte(reference),
ocistorage.OCISecretUsername: []byte(username),
ocistorage.OCISecretPassword: []byte(password),
ocistorage.OCISecretAgentUsername: []byte(agentUsername),
ocistorage.OCISecretAgentPassword: []byte(agentPassword),
ocistorage.OCISecretInsecureSkipTLS: []byte(strconv.FormatBool(insecure)),
ocistorage.OCISecretBasicHTTP: []byte(strconv.FormatBool(false)),
},
Type: corev1.SecretType(fleet.SecretTypeOCIStorage),
}
14 changes: 7 additions & 7 deletions internal/cmd/cli/apply/apply.go
Expand Up @@ -758,13 +758,13 @@ func newOCISecret(manifestID string, bundle *fleet.Bundle, opts ocistorage.OCIOp
},
},
Data: map[string][]byte{
ocistorage.OCISecretReference: []byte(opts.Reference),
ocistorage.OCISecretUsername: []byte(opts.Username),
ocistorage.OCISecretPassword: []byte(opts.Password),
ocistorage.OCISecretAgentUsername: []byte(opts.AgentUsername),
ocistorage.OCISecretAgentPassword: []byte(opts.AgentPassword),
ocistorage.OCISecretBasicHTTP: []byte(strconv.FormatBool(opts.BasicHTTP)),
ocistorage.OCISecretInsecure: []byte(strconv.FormatBool(opts.InsecureSkipTLS)),
ocistorage.OCISecretReference: []byte(opts.Reference),
ocistorage.OCISecretUsername: []byte(opts.Username),
ocistorage.OCISecretPassword: []byte(opts.Password),
ocistorage.OCISecretAgentUsername: []byte(opts.AgentUsername),
ocistorage.OCISecretAgentPassword: []byte(opts.AgentPassword),
ocistorage.OCISecretBasicHTTP: []byte(strconv.FormatBool(opts.BasicHTTP)),
ocistorage.OCISecretInsecureSkipTLS: []byte(strconv.FormatBool(opts.InsecureSkipTLS)),
},
Type: fleet.SecretTypeOCIStorage,
}
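Review bot: After this hunk `newOCISecret` writes only the `insecureSkipTLS` key, so any consumer that still reads the secret under the legacy `insecure` name (an agent from a release predating the rename, if such a reader ever sees a secret produced by this CLI) finds no key and falls back to its default of verifying TLS. That is the safe direction — a mixed-version rollout fails closed rather than open — but it is a silent behaviour change for such readers and worth stating next to the map, e.g. `// Only the documented insecureSkipTLS key is written; readers that know only the legacy "insecure" key default to TLS verification.` The rest of `newOCISecret` lies outside the hunk.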
30 changes: 30 additions & 0 deletions internal/cmd/cli/apply/apply_test.go
Expand Up @@ -3,7 +3,10 @@ package apply
import (
"testing"

"github.com/rancher/fleet/internal/ocistorage"
fleet "github.com/rancher/fleet/pkg/apis/fleet.cattle.io/v1alpha1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
)

func Test_getKindNS(t *testing.T) {
Expand Down Expand Up @@ -87,3 +90,30 @@ data:
})
}
}

func Test_newOCISecret_usesInsecureSkipTLSKey(t *testing.T) {
bundle := &fleet.Bundle{
ObjectMeta: metav1.ObjectMeta{
Name: "bundle",
Namespace: "fleet-local",
UID: types.UID("bundle-uid"),
},
}

secret := newOCISecret("manifest-id", bundle, ocistorage.OCIOpts{
Reference: "registry.example.com/test",
Username: "user",
Password: "pass",
AgentUsername: "agent-user",
AgentPassword: "agent-pass",
InsecureSkipTLS: true,
})

if got := string(secret.Data[ocistorage.OCISecretInsecureSkipTLS]); got != "true" {
t.Fatalf("expected insecureSkipTLS=true, got %q", got)
}

if _, ok := secret.Data[ocistorage.OCISecretInsecure]; ok {
t.Fatal("did not expect legacy insecure key in generated secret")
}
}
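Review bot: `Test_newOCISecret_usesInsecureSkipTLSKey` pins only the `InsecureSkipTLS: true` case; since `newOCISecret` writes `strconv.FormatBool` unconditionally, a sibling case with `InsecureSkipTLS: false` asserting `got == "false"` would also pin that the key is always present rather than omitted when verification is on, which is the value a reader's missing-key default hinges on. The assertion that the legacy `insecure` key is absent is the useful guard against a partial rename and is worth keeping as is.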
36 changes: 28 additions & 8 deletions internal/ocistorage/secret.go
Expand Up @@ -13,13 +13,14 @@ import (
)

const (
OCISecretUsername = "username"
OCISecretPassword = "password"
OCISecretAgentUsername = "agentUsername"
OCISecretAgentPassword = "agentPassword"
OCISecretReference = "reference"
OCISecretBasicHTTP = "basicHTTP"
OCISecretInsecure = "insecure"
OCISecretUsername = "username"
OCISecretPassword = "password"
OCISecretAgentUsername = "agentUsername"
OCISecretAgentPassword = "agentPassword"
OCISecretReference = "reference"
OCISecretBasicHTTP = "basicHTTP"
OCISecretInsecureSkipTLS = "insecureSkipTLS"
OCISecretInsecure = "insecure" // legacy alias
)

// ReadOptsFromSecret reads the secret identified by the given NamespacedName and
Expand Down Expand Up @@ -73,7 +74,12 @@ func ReadOptsFromSecret(ctx context.Context, c client.Reader, ns client.ObjectKe
return OCIOpts{}, err
}

opts.InsecureSkipTLS, err = getBoolValueFromSecret(secret.Data, OCISecretInsecure, false)
opts.InsecureSkipTLS, err = getBoolValueFromSecretWithFallback(
secret.Data,
false,
OCISecretInsecureSkipTLS,
OCISecretInsecure,
)
if err != nil {
return OCIOpts{}, err
}
Expand Down Expand Up @@ -108,3 +114,17 @@ func getBoolValueFromSecret(data map[string][]byte, key string, required bool) (

return boolValue, nil
}

// getBoolValueFromSecretWithFallback extracts a boolean value from data, using keys in the provided order of priority, and returns the first found value, if any.
// If no value is found, the function returns false, with an error if the value was required.
func getBoolValueFromSecretWithFallback(data map[string][]byte, required bool, keys ...string) (bool, error) {
for _, key := range keys {
if _, ok := data[key]; ok {
return getBoolValueFromSecret(data, key, true)
}
}
if !required {
return false, nil
}
return false, fmt.Errorf("key %q not found in secret", keys[0])
}
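Review bot: `getBoolValueFromSecretWithFallback` indexes `keys[0]` in its required-error path, so a call with no keys and `required == true` panics instead of returning an error, and the message names only the first key although every key was tried; a guard `if len(keys) == 0 { return false, fmt.Errorf("no secret keys given") }` before the loop and `return false, fmt.Errorf("none of the keys %q found in secret", keys)` would cover both. When the preferred key is present but malformed, the helper returns the parse error rather than falling through to the legacy key, which is the right choice for a flag that disables TLS verification, and a sentence saying so in the doc comment would stop a later maintainer from "fixing" it. For the constant in the first hunk, `// Deprecated: use OCISecretInsecureSkipTLS.` on its own line would let tooling flag remaining uses of `OCISecretInsecure`, and a log line in `ReadOptsFromSecret` when the legacy key is the one honoured would let operators find secrets that still disable verification through it (the helper itself has no logger in scope).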
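--- a/internal/ocistorage/secret_test.go
+++ b/internal/ocistorage/secret_test.go
@@ -76,6 +76,46 @@ var _ = Describe("OCIOpts loaded from secret", func() {
 })
 })
 
+When("the given oci storage secret uses the documented insecureSkipTLS field", func() {
+BeforeEach(func() {
+secretName = "test"
+secretData = map[string][]byte{
+OCISecretReference: []byte("reference"),
+OCISecretInsecureSkipTLS: []byte("true"),
+}
+secretType = fleet.SecretTypeOCIStorage
+secretGetErrorMessage = ""
+secretGetNotFoundError = false
+})
+It("returns the expected OCIOpts from the data in the secret", func() {
+ns := client.ObjectKey{Name: secretName, Namespace: "test"}
+opts, err := ReadOptsFromSecret(context.TODO(), mockClient, ns)
+Expect(err).ToNot(HaveOccurred())
+Expect(opts.Reference).To(Equal(string(secretData[OCISecretReference])))
+Expect(opts.InsecureSkipTLS).To(BeTrue())
+})
+})
+
+When("the oci storage secret contains both insecure keys", func() {
+BeforeEach(func() {
+secretName = "test"
+secretData = map[string][]byte{
+OCISecretReference: []byte("reference"),
+OCISecretInsecureSkipTLS: []byte("false"),
+OCISecretInsecure: []byte("true"),
+}
+secretType = fleet.SecretTypeOCIStorage
+secretGetErrorMessage = ""
+secretGetNotFoundError = false
+})
+It("prefers insecureSkipTLS over the legacy insecure field", func() {
+ns := client.ObjectKey{Name: secretName, Namespace: "test"}
+opts, err := ReadOptsFromSecret(context.TODO(), mockClient, ns)
+Expect(err).ToNot(HaveOccurred())
+Expect(opts.InsecureSkipTLS).To(BeFalse())
+})
+})
+
 When("the secret name is not set, but a default secret exists", func() {
 BeforeEach(func() {
 secretName = ""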
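Review bot: The new cases cover the documented key and its precedence over `insecure`, but not a malformed value in the preferred key: `ReadOptsFromSecret` returns the parse error from `insecureSkipTLS` rather than falling through to the legacy key, and a `When` with `OCISecretInsecureSkipTLS: []byte("notabool")` plus a valid legacy `OCISecretInsecure` expecting `err` to have occurred would pin that. Whether a secret carrying only the legacy `insecure` key is still exercised depends on the earlier cases of this Describe, which lie outside the hunk; if those were switched to the new key, keep one on the legacy key as the fallback guard.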