fixup! fixup! Migrate OCIRepository controller to runtime/secrets

cappyzawa · cappyzawa · commit b1d2d1786b52 · 2025-07-19T17:29:49.000+09:00
Add ServerName support for TLS configuration

Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/internal/controller/ocirepository_controller.go b/internal/controller/ocirepository_controller.go
@@ -971,6 +971,12 @@ func (r *OCIRepositoryReconciler) transport(ctx context.Context, obj *sourcev1.O
 		return nil, err
 	}
 	if tlsConfig != nil {
+		// Set ServerName for proper virtual hosting support
+		serverName, err := extractServerNameFromURL(obj.Spec.URL)
+		if err != nil {
+			return nil, fmt.Errorf("failed to extract server name for TLS: %w", err)
+		}
+		tlsConfig.ServerName = serverName
 		transport.TLSClientConfig = tlsConfig
 	}
 
@@ -981,6 +987,29 @@ func (r *OCIRepositoryReconciler) transport(ctx context.Context, obj *sourcev1.O
 	return transport, nil
 }
 
+// extractServerNameFromURL extracts the server name from an OCI repository URL
+// for use in TLS configuration. It returns the hostname without port
+// that should be used as the ServerName in TLS handshakes.
+func extractServerNameFromURL(ociURL string) (string, error) {
+	if !strings.HasPrefix(ociURL, sourcev1.OCIRepositoryPrefix) {
+		return "", fmt.Errorf("URL must be in format 'oci://<domain>/<org>/<repo>'")
+	}
+
+	// Convert OCI URL to a parseable format by replacing oci:// with https://
+	// This allows us to use the standard url package
+	u, err := url.Parse(strings.Replace(ociURL, sourcev1.OCIRepositoryPrefix, "https://", 1))
+	if err != nil {
+		return "", fmt.Errorf("failed to parse OCI URL: %w", err)
+	}
+	
+	hostname := u.Hostname()
+	if hostname == "" {
+		return "", fmt.Errorf("failed to extract hostname from OCI URL")
+	}
+	
+	return hostname, nil
+}
+
 // getTLSConfig gets the TLS configuration for the transport based on the
 // specified secret reference in the OCIRepository object, or the insecure flag.
 func (r *OCIRepositoryReconciler) getTLSConfig(ctx context.Context, obj *sourcev1.OCIRepository) (*cryptotls.Config, error) {
diff --git a/internal/controller/ocirepository_controller_test.go b/internal/controller/ocirepository_controller_test.go
@@ -3705,3 +3705,58 @@ func TestOCIContentConfigChanged(t *testing.T) {
 		})
 	}
 }
+
+func TestOCIRepositoryReconciler_extractServerNameFromURL(t *testing.T) {
+	tests := []struct {
+		name    string
+		url     string
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "valid OCI URL with hostname",
+			url:  "oci://registry.example.com/myorg/myrepo",
+			want: "registry.example.com",
+		},
+		{
+			name: "valid OCI URL with hostname and port",
+			url:  "oci://registry.example.com:8443/myorg/myrepo",
+			want: "registry.example.com",
+		},
+		{
+			name: "valid OCI URL with tag",
+			url:  "oci://ghcr.io/fluxcd/flux2/manifests:v2.0.0",
+			want: "ghcr.io",
+		},
+		{
+			name: "valid OCI URL with digest",
+			url:  "oci://docker.io/library/nginx@sha256:abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890",
+			want: "docker.io",
+		},
+		{
+			name:    "invalid URL without oci:// prefix",
+			url:     "https://registry.example.com/myorg/myrepo",
+			wantErr: true,
+		},
+		{
+			name:    "invalid URL format",
+			url:     "oci://",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			got, err := extractServerNameFromURL(tt.url)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+				return
+			}
+
+			g.Expect(err).NotTo(HaveOccurred())
+			g.Expect(got).To(Equal(tt.want))
+		})
+	}
+}
