fix(ocireg): preserve default transport settings for HTTPS registries

mabo235 · mabo235 · commit 895760705055 · 2026-03-31T06:51:52.000+02:00
diff --git a/api/oci/extensions/repositories/ocireg/repository.go b/api/oci/extensions/repositories/ocireg/repository.go
@@ -53,6 +53,18 @@ type RepositoryImpl struct {
 	info   *RepositoryInfo
 }
 
+func newHTTPTransport(conf *tls.Config) *http.Transport {
+	base, ok := http.DefaultTransport.(*http.Transport)
+	if !ok {
+		return &http.Transport{TLSClientConfig: conf}
+	}
+
+	transport := base.Clone()
+	transport.TLSClientConfig = conf
+
+	return transport
+}
+
 var (
 	_ cpi.RepositoryImpl                   = (*RepositoryImpl)(nil)
 	_ credentials.ConsumerIdentityProvider = &RepositoryImpl{}
@@ -172,9 +184,7 @@ func (r *RepositoryImpl) getResolver(comp string) (oras.Resolver, error) {
 				return rootCAs
 			}(),
 		}
-		client.Transport = ocmlog.NewRoundTripper(retry.NewTransport(&http.Transport{
-			TLSClientConfig: conf,
-		}), logger)
+		client.Transport = ocmlog.NewRoundTripper(retry.NewTransport(newHTTPTransport(conf)), logger)
 	}
 
 	authClient := &auth.Client{
diff --git a/api/oci/extensions/repositories/ocireg/repository_test.go b/api/oci/extensions/repositories/ocireg/repository_test.go
@@ -0,0 +1,38 @@
+package ocireg
+
+import (
+	"crypto/tls"
+	"net/http"
+	"reflect"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewHTTPTransportClonesDefaultTransport(t *testing.T) {
+	t.Parallel()
+
+	base, ok := http.DefaultTransport.(*http.Transport)
+	require.True(t, ok, "default transport must be *http.Transport")
+
+	conf := &tls.Config{MinVersion: tls.VersionTLS12}
+
+	got := newHTTPTransport(conf)
+	require.NotNil(t, got)
+
+	assert.NotSame(t, base, got)
+	assert.Same(t, conf, got.TLSClientConfig)
+	assert.Equal(t, base.ForceAttemptHTTP2, got.ForceAttemptHTTP2)
+	assert.Equal(t, base.MaxIdleConns, got.MaxIdleConns)
+	assert.Equal(t, base.MaxIdleConnsPerHost, got.MaxIdleConnsPerHost)
+	assert.Equal(t, base.MaxConnsPerHost, got.MaxConnsPerHost)
+	assert.Equal(t, base.IdleConnTimeout, got.IdleConnTimeout)
+	assert.Equal(t, base.TLSHandshakeTimeout, got.TLSHandshakeTimeout)
+	assert.Equal(t, base.ExpectContinueTimeout, got.ExpectContinueTimeout)
+
+	if base.Proxy != nil {
+		require.NotNil(t, got.Proxy)
+		assert.Equal(t, reflect.ValueOf(base.Proxy).Pointer(), reflect.ValueOf(got.Proxy).Pointer())
+	}
+}
