Remove TLS ServerName pinning in TLS config creation

cappyzawa · cappyzawa · commit 5be0d2b66cd0 · 2025-08-15T02:44:18.000+09:00
Updates pkg/runtime dependency to v0.80.0 which removes the need for
the insecure parameter in TLSConfigFromSecretRef. This change removes
the forced ServerName pinning behavior that was causing TLS verification
issues, allowing for more flexible certificate validation.

The TLS config creation now relies on the standard Go TLS verification
process without forcing specific ServerName values, improving
compatibility with various certificate configurations.

Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/go.mod b/go.mod
@@ -23,7 +23,7 @@ require (
 	github.com/fluxcd/pkg/cache v0.10.0
 	github.com/fluxcd/pkg/git v0.34.0
 	github.com/fluxcd/pkg/masktoken v0.7.0
-	github.com/fluxcd/pkg/runtime v0.75.0
+	github.com/fluxcd/pkg/runtime v0.80.0
 	github.com/fluxcd/pkg/ssa v0.51.0
 	github.com/fluxcd/pkg/ssh v0.20.0
 	github.com/getsentry/sentry-go v0.34.1
diff --git a/go.sum b/go.sum
@@ -146,8 +146,8 @@ github.com/fluxcd/pkg/git v0.34.0 h1:qTViWkfpEDnjzySyKRKliqUeGj/DznqlkmPhaDNIsFY
 github.com/fluxcd/pkg/git v0.34.0/go.mod h1:F9Asm3MlLW4uZx3FF92+bqho+oktdMdnTn/QmXe56NE=
 github.com/fluxcd/pkg/masktoken v0.7.0 h1:pitmyOg2pUVdW+nn2Lk/xqm2TaA08uxvOC0ns3sz6bM=
 github.com/fluxcd/pkg/masktoken v0.7.0/go.mod h1:Lc1uoDjO1GY6+YdkK+ZqqBIBWquyV58nlSJ5S1N1IYU=
-github.com/fluxcd/pkg/runtime v0.75.0 h1:wIaODmU5D54nyrehTqA9oQDFoi6BbBj/24adLStXc0I=
-github.com/fluxcd/pkg/runtime v0.75.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=
+github.com/fluxcd/pkg/runtime v0.80.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/ssa v0.51.0 h1:sFarxKZcS0J8sjq9qvs/r+1XiJqNgRodEiPjV75F8R4=
 github.com/fluxcd/pkg/ssa v0.51.0/go.mod h1:v+h9RC0JxWIqMTK2Eo+8Nh700AXyZChZ2TiLVj4tf3M=
 github.com/fluxcd/pkg/ssh v0.20.0 h1:Ak0laIYIc/L8lEfqls/LDWRW8wYPESGaravQsCRGLb8=
diff --git a/internal/server/event_handlers.go b/internal/server/event_handlers.go
@@ -432,8 +432,7 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api
 			Name:      provider.Spec.CertSecretRef.Name,
 			Namespace: provider.GetNamespace(),
 		}
-		const insecure = false // Provider API has no insecure field, always verify certificates
-		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef, webhook, insecure)
+		tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef)
 		if err != nil {
 			return nil, "", fmt.Errorf("failed to get TLS config: %w", err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -432,8 +432,7 @@ func createNotifier(ctx context.Context, kubeClient client.Client, provider *api`
`432`	`432`	`Name: provider.Spec.CertSecretRef.Name,`
`433`	`433`	`Namespace: provider.GetNamespace(),`
`434`	`434`	`}`
`435`		`- const insecure = false // Provider API has no insecure field, always verify certificates`
`436`		`- tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef, webhook, insecure)`
	`435`	`+ tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, kubeClient, secretRef)`
`437`	`436`	`if err != nil {`
`438`	`437`	`return nil, "", fmt.Errorf("failed to get TLS config: %w", err)`
`439`	`438`	`}`