fix: provide refreshing CA pool (resolvers)

smira · frezbo · commit 7668c52dd412 · 2025-10-13T21:51:23.000+05:30
When a registry has _some_ TLS config included, the refreshing CA pool was overwritten with the result returned from the config provider. Ensure that is is restored back to the default value (unless explicitly set by the provider if the registry CA is set). Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit ab84731)
diff --git a/internal/pkg/containers/image/resolver.go b/internal/pkg/containers/image/resolver.go
@@ -60,6 +60,11 @@ func RegistryHosts(reg config.Registries) docker.RegistryHosts {
 				if err != nil {
 					return nil, fmt.Errorf("error preparing TLS config for %q: %w", u.Host, err)
 				}
+
+				// set up refreshing Root CAs if none were provided
+				if transport.TLSClientConfig.RootCAs == nil {
+					transport.TLSClientConfig.RootCAs = httpdefaults.RootCAs()
+				}
 			}
 
 			if u.Path == "" {

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,11 @@ func RegistryHosts(reg config.Registries) docker.RegistryHosts {`
`60`	`60`	`if err != nil {`
`61`	`61`	`return nil, fmt.Errorf("error preparing TLS config for %q: %w", u.Host, err)`
`62`	`62`	`}`
	`63`	`+`
	`64`	`+ // set up refreshing Root CAs if none were provided`
	`65`	`+ if transport.TLSClientConfig.RootCAs == nil {`
	`66`	`+ transport.TLSClientConfig.RootCAs = httpdefaults.RootCAs()`
	`67`	`+ }`
`63`	`68`	`}`
`64`	`69`
`65`	`70`	`if u.Path == "" {`