Merge pull request #997 from cappyzawa/feat/tls-config-from-secret-ref-options

runtime/secrets: add TLSConfigOption support to TLSConfigFromSecretRef

Author: matheuscscp

oci/tests/integration/go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/fluxcd/pkg/cache v0.10.0
 	github.com/fluxcd/pkg/git v0.34.0
 	github.com/fluxcd/pkg/git/gogit v0.37.0
-	github.com/fluxcd/pkg/runtime v0.77.0
+	github.com/fluxcd/pkg/runtime v0.78.0
 	github.com/fluxcd/test-infra/tftestenv v0.0.0-20250626232827-e0ca9c3f8d7b
 	github.com/go-git/go-git/v5 v5.16.2
 	github.com/google/go-containerregistry v0.20.6

runtime/secrets/reader.go

@@ -35,12 +35,15 @@ import (
 //
 // The targetURL parameter is used to set the ServerName for proper SNI support
 // in virtual hosting environments.
-func TLSConfigFromSecretRef(ctx context.Context, c client.Client, secretRef types.NamespacedName, targetURL string) (*tls.Config, error) {
+//
+// Optional TLSConfigOption parameters can be used to configure CA certificate handling:
+//   - WithSystemCertPool(): Include system certificates in addition to user-provided CA
+func TLSConfigFromSecretRef(ctx context.Context, c client.Client, secretRef types.NamespacedName, targetURL string, opts ...TLSConfigOption) (*tls.Config, error) {
 	secret, err := getSecret(ctx, c, secretRef)
 	if err != nil {
 		return nil, err
 	}
-	return TLSConfigFromSecret(ctx, secret, targetURL)
+	return TLSConfigFromSecret(ctx, secret, targetURL, opts...)
 }
 
 // ProxyURLFromSecretRef creates a proxy URL from a Kubernetes secret reference.

runtime/secrets/reader_test.go

@@ -42,6 +42,7 @@ func TestTLSConfigFromSecretRef(t *testing.T) {
 		secretRef          types.NamespacedName
 		secret             *corev1.Secret // Secret to add to fake client (nil = not added)
 		targetURL          string
+		opts               []secrets.TLSConfigOption
 		expectedServerName string
 		errMsg             string
 	}{
@@ -74,6 +75,17 @@ func TestTLSConfigFromSecretRef(t *testing.T) {
 			targetURL:          "https://example.com",
 			expectedServerName: "example.com",
 		},
+		{
+			name:      "TLS secret with WithSystemCertPool option",
+			secretRef: types.NamespacedName{Name: "tls-secret", Namespace: testNS},
+			secret: testSecret(
+				withName("tls-secret"),
+				withData(map[string][]byte{
+					secrets.KeyCACert: caCert,
+				}),
+			),
+			opts: []secrets.TLSConfigOption{secrets.WithSystemCertPool()},
+		},
 	}
 
 	for _, tt := range tests {
@@ -91,7 +103,7 @@ func TestTLSConfigFromSecretRef(t *testing.T) {
 			}
 			c := fakeClient(objects...)
 
-			tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, c, tt.secretRef, tt.targetURL)
+			tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, c, tt.secretRef, tt.targetURL, tt.opts...)
 
 			if tt.errMsg != "" {
 				g.Expect(err).To(MatchError(ContainSubstring(tt.errMsg)))