From 0889812b7b4ef8735284c7c16d9bf223fea23b23 Mon Sep 17 00:00:00 2001
From: Mulham Raee
Date: Mon, 16 Dec 2024 18:22:32 +0100
Subject: [PATCH] Use system trust bundle in CPO IDP https client
---
 .../controllers/hostedcontrolplane/v2/oauth/idp_convert.go | 5 ++++-
 .../hostedcontrolplane/v2/oauth/idp_convert_test.go | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
index 0ae63c9ec5..8f6090c72f 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert.go
@@ -689,7 +689,10 @@ func transportForCARef(ctx context.Context, kclient crclient.Reader, namespace,
 transport := net.SetTransportDefaults(&http.Transport{
 TLSClientConfig: &tls.Config{},
 })
- roots := x509.NewCertPool()
+ roots, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, fmt.Errorf("failed to create system cert pool: %w", err)
+ }
 
 if !skipKonnectivityDialer {
 var err error
diff --git a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
index ca7c19e3fe..4d57d8c1ca 100644
--- a/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
+++ b/control-plane-operator/controllers/hostedcontrolplane/v2/oauth/idp_convert_test.go
@@ -380,7 +380,8 @@ users:
 g.Expect(gotURL).To(Equal(tc.expectedProxyRequestURL))
 
 // Validate RootCAs expectations.
- expectedCertPool := x509.NewCertPool()
+ expectedCertPool, err := x509.SystemCertPool()
+ g.Expect(err).ToNot(HaveOccurred())
 if tc.hcp.Spec.Configuration != nil {
 if tc.hcp.Spec.Configuration.Proxy.TrustedCA.Name != "" {
 expectedCertPool.AppendCertsFromPEM([]byte(fakeProxyCertCADecoded))
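Review bot: Now that `roots, err := x509.SystemCertPool()` declares `err` in the function scope, the `var err error` at the end of the hunk inside `if !skipKonnectivityDialer` redeclares it and shadows the outer variable; that line should be dropped and the block's assignment switched to `=` (the rest of that block, like the remainder of transportForCARef, is outside the hunk, so check which form it uses). The change also widens what this transport trusts: a referenced CA that used to be the only anchor in an empty pool is now added on top of every root in the host bundle, which matches the commit title but is not recorded in the code, so a comment such as `// Seed the pool with the system trust bundle; any CA referenced by caRef is appended to it rather than replacing it.` above the call would make the trust model explicit for the next reader. Be aware that on Unix an absent or empty system store yields an empty pool with a nil error, so the new error branch only fires when the store cannot be read at all, not when it is missing. Minor style point: Go error strings conventionally omit the `failed to` prefix, e.g. `fmt.Errorf("loading system cert pool: %w", err)`.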
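Review bot: The expected pool is now built from the host trust store, so the RootCAs comparison that follows (outside the hunk) asserts against whatever CA bundle the machine running the test happens to have, which makes the test environment-dependent rather than hermetic. If the goal is only to verify that the fake proxy CA was appended on top of the system roots, consider either asserting on the appended certificate instead of the whole pool, or pinning the store for the test by pointing `SSL_CERT_FILE`/`SSL_CERT_DIR` at a fixture via `t.Setenv` where a `*testing.T` is in scope. Note that `crypto/x509` loads the system pool once per process and caches it, so any such override must be in place before the first `x509.SystemCertPool` call anywhere in the test binary.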