Merge pull request #1158 from cappyzawa/remove-tlsconfig-servername-pinning

matheuscscp · web-flow · commit 5bd63a94e437 · 2025-08-14T19:12:31.000+01:00
Remove TLS ServerName pinning in TLS config creation
diff --git a/go.mod b/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/fluxcd/pkg/cache v0.10.0
 	github.com/fluxcd/pkg/git v0.34.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
-	github.com/fluxcd/pkg/runtime v0.75.0
+	github.com/fluxcd/pkg/runtime v0.80.0
 	github.com/fluxcd/pkg/ssa v0.51.0
 	github.com/fluxcd/pkg/ssh v0.20.0
 	github.com/getsentry/sentry-go v0.34.1
diff --git a/go.sum b/go.sum
@@ -146,8 +146,8 @@ github.com/fluxcd/pkg/git v0.34.0 h1:qTViWkfpEDnjzySyKRKliqUeGj/DznqlkmPhaDNIsFY
 github.com/fluxcd/pkg/git v0.34.0/go.mod h1:F9Asm3MlLW4uZx3FF92+bqho+oktdMdnTn/QmXe56NE=
 github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3sz6bM=
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
-github.com/fluxcd/pkg/runtime v0.75.0 h1:wIaODmU5D54nyrehTqA9oQDFoi6BbBj/24adLStXc0I=
-github.com/fluxcd/pkg/runtime v0.75.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=
+github.com/fluxcd/pkg/runtime v0.80.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/ssa v0.51.0 h1:sFarxKZcS0J8sjq9qvs/r+1XiJqNgRodEiPjV75F8R4=
 github.com/fluxcd/pkg/ssa v0.51.0/go.mod h1:v+h9RC0JxWIqMTK2Eo+8Nh700AXyZChZ2TiLVj4tf3M=
 github.com/fluxcd/pkg/ssh v0.20.0 h1:Ak0laIYIc/L8lEfqls/LDWRW8wYPESGaravQsCRGLb8=
diff --git a/internal/server/event_handlers.go b/internal/server/event_handlers.go
@@ -432,8 +432,7 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api
 			Name:      provider.Spec.CertSecretRef.Name,
 			Namespace: provider.GetNamespace(),
 		}
-		const insecure = false // Provider API has no insecure field, always verify certificates
-		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef, webhook, insecure)
+		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef)
 		if err != nil {
 			return nil, "", fmt.Errorf("failed to get TLS config: %w", err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -432,8 +432,7 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api`
`432`	`432`	`Name: provider.Spec.CertSecretRef.Name,`
`433`	`433`	`Namespace: provider.GetNamespace(),`
`434`	`434`	`}`
`435`		`- const insecure = false // Provider API has no insecure field, always verify certificates`
`436`		`- tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef, webhook, insecure)`
	`435`	`+ tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef)`
`437`	`436`	`if err != nil {`
`438`	`437`	`return nil, "", fmt.Errorf("failed to get TLS config: %w", err)`
`439`	`438`	`}`