controller: wire insecure and TLS config to cosign verifier

stealthybox · stealthybox · commit c22363b583e0 · 2026-06-04T01:59:43.000-06:00
Pass obj.Spec.Insecure and transport.TLSClientConfig to the cosign
verifier so v3 bundle discovery and Rekor connections use the same
transport settings as the registry.

Signed-off-by: leigh capili &lt;leigh@null.net&gt;
diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go
@@ -680,6 +680,8 @@ func (r *OCIRepositoryReconciler) verifySignature(ctx context.Context, obj *sour
 	case "cosign":
 		defaultCosignOciOpts := []scosign.Options{
 			scosign.WithRemoteOptions(opt...),
+			scosign.WithInsecure(obj.Spec.Insecure),
+			scosign.WithTLSConfig(transport.TLSClientConfig),
 		}
 
 		// If a trusted root secret is provided, read and pass it to the verifier.

Original file line number	Diff line number	Diff line change
`@@ -680,6 +680,8 @@ func (r OCIRepositoryReconciler) verifySignature(ctx context.Context, obj sour`
`680`	`680`	`case "cosign":`
`681`	`681`	`defaultCosignOciOpts := []scosign.Options{`
`682`	`682`	`scosign.WithRemoteOptions(opt...),`
	`683`	`+ scosign.WithInsecure(obj.Spec.Insecure),`
	`684`	`+ scosign.WithTLSConfig(transport.TLSClientConfig),`
`683`	`685`	`}`
`684`	`686`
`685`	`687`	`// If a trusted root secret is provided, read and pass it to the verifier.`