Use system trust bundle in CPO IDP https client

openshift · Dec 16, 2024 · 0889812 · 0889812
1 parent ba6cf38
commit 0889812
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
@@ -689,7 +689,10 @@ func transportForCARef(ctx context.Context, kclient crclient.Reader, namespace,
 	transport := net.SetTransportDefaults(&http.Transport{
 		TLSClientConfig: &tls.Config{},
 	})
-	roots := x509.NewCertPool()
+	roots, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create system cert pool: %w", err)
+	}
 
 	if !skipKonnectivityDialer {
 		var err error

diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
@@ -380,7 +380,8 @@ users:
 			g.Expect(gotURL).To(Equal(tc.expectedProxyRequestURL))
 
 			// Validate RootCAs expectations.
-			expectedCertPool := x509.NewCertPool()
+			expectedCertPool, err := x509.SystemCertPool()
+			g.Expect(err).ToNot(HaveOccurred())
 			if tc.hcp.Spec.Configuration != nil {
 				if tc.hcp.Spec.Configuration.Proxy.TrustedCA.Name != "" {
 					expectedCertPool.AppendCertsFromPEM([]byte(fakeProxyCertCADecoded))