runtime/secrets: remove ServerName pinning from TLS config

Remove ServerName pinning functionality that can cause TLS
verification failures in production environments with redirects,
proxies, and multi-host scenarios.

The Go standard library automatically handles SNI and hostname
verification based on the actual connection target, providing
better compatibility and security than fixed ServerName values.

Signed-off-by: cappyzawa <cappyzawa@gmail.com>

Author: cappyzawa

runtime/secrets/converter.go

@@ -57,8 +57,7 @@ func WithSystemCertPool() TLSConfigOption {
 // Multiple authentication methods can be present in a single secret and will be extracted
 // simultaneously, enabling use cases like Basic Auth + TLS or Bearer Token + TLS.
 //
-// Options can be provided to configure TLS extraction behavior. Use WithTargetURL() to specify
-// target URL for complete TLS configuration.
+// Options can be provided to configure TLS extraction behavior.
 func AuthMethodsFromSecret(ctx context.Context, secret *corev1.Secret, opts ...AuthMethodsOption) (*AuthMethods, error) {
 	config := &authMethodsConfig{}
 	for _, opt := range opts {
@@ -88,9 +87,7 @@ func AuthMethodsFromSecret(ctx context.Context, secret *corev1.Secret, opts ...A
 	}
 
 	if err := trySetAuth(ctx, secret, &methods.TLS, func(ctx context.Context, secret *corev1.Secret) (*tls.Config, error) {
-		// targetURL is empty here but will be set by TLSConfigOption if WithTargetURL was specified
-		const targetURL = ""
-		return TLSConfigFromSecret(ctx, secret, targetURL, config.tlsConfigOpts...)
+		return TLSConfigFromSecret(ctx, secret, config.tlsConfigOpts...)
 	}); err != nil {
 		return nil, err
 	}
@@ -106,15 +103,10 @@ func AuthMethodsFromSecret(ctx context.Context, secret *corev1.Secret, opts ...A
 //
 // Standard field names always take precedence over legacy ones.
 //
-// The targetURL parameter is used to set the ServerName for proper SNI support
-// in virtual hosting environments.
-//
 // Optional TLSConfigOption parameters can be used to configure CA certificate handling:
 //   - WithSystemCertPool(): Include system certificates in addition to user-provided CA
-func TLSConfigFromSecret(ctx context.Context, secret *corev1.Secret, targetURL string, opts ...TLSConfigOption) (*tls.Config, error) {
-	config := &tlsConfig{
-		targetURL: targetURL,
-	}
+func TLSConfigFromSecret(ctx context.Context, secret *corev1.Secret, opts ...TLSConfigOption) (*tls.Config, error) {
+	config := &tlsConfig{}
 	for _, opt := range opts {
 		opt(config)
 	}
@@ -317,17 +309,6 @@ func buildTLSConfig(certData *tlsCertificateData, config *tlsConfig) (*tls.Confi
 		InsecureSkipVerify: false,
 	}
 
-	// Set ServerName for proper SNI support if targetURL is provided
-	if config.targetURL != "" {
-		u, err := url.Parse(config.targetURL)
-		if err != nil {
-			return nil, fmt.Errorf("failed to parse target URL '%s': %w", config.targetURL, err)
-		}
-		if hostname := u.Hostname(); hostname != "" {
-			tlsConfig.ServerName = hostname
-		}
-	}
-
 	if certData.hasCertPair() {
 		cert, err := tls.X509KeyPair(certData.cert, certData.key)
 		if err != nil {

runtime/secrets/converter_test.go

@@ -227,7 +227,7 @@ func TestAuthMethodsFromSecret(t *testing.T) {
 			secretData: map[string][]byte{
 				secrets.KeyCACert: validCACert,
 			},
-			opt:     []secrets.AuthMethodsOption{secrets.WithTargetURL("https://example.com"), secrets.WithTLSSystemCertPool()},
+			opt:     []secrets.AuthMethodsOption{secrets.WithTLSSystemCertPool()},
 			wantTLS: true,
 		},
 		{
@@ -236,7 +236,7 @@ func TestAuthMethodsFromSecret(t *testing.T) {
 				secrets.KeyUsername: []byte("testuser"),
 				secrets.KeyPassword: []byte("testpass"),
 			},
-			opt:       []secrets.AuthMethodsOption{secrets.WithTargetURL("https://example.com"), secrets.WithTLSSystemCertPool()},
+			opt:       []secrets.AuthMethodsOption{secrets.WithTLSSystemCertPool()},
 			wantBasic: true,
 			wantTLS:   false,
 		},
@@ -443,13 +443,11 @@ func TestTLSConfigFromSecret(t *testing.T) {
 	caCert, tlsCert, tlsKey := generateTestCertificates(t)
 
 	tests := []struct {
-		name               string
-		secret             *corev1.Secret
-		targetURL          string
-		opts               []secrets.TLSConfigOption
-		expectedServerName string
-		errMsg             string
-		expectedFields     map[string]string // legacy key -> preferred key mapping
+		name           string
+		secret         *corev1.Secret
+		opts           []secrets.TLSConfigOption
+		errMsg         string
+		expectedFields map[string]string // legacy key -> preferred key mapping
 	}{
 		{
 			name: "valid TLS secret with standard fields",
@@ -576,28 +574,6 @@ func TestTLSConfigFromSecret(t *testing.T) {
 			),
 			errMsg: "secret 'default/tls-secret' must contain either 'ca.crt' or both 'tls.crt' and 'tls.key'",
 		},
-		{
-			name: "targetURL parameter",
-			secret: testSecret(
-				withName("tls-secret"),
-				withData(map[string][]byte{
-					secrets.KeyCACert: caCert,
-				}),
-			),
-			targetURL:          "https://example.com:8443",
-			expectedServerName: "example.com",
-		},
-		{
-			name: "invalid target URL",
-			secret: testSecret(
-				withName("tls-secret"),
-				withData(map[string][]byte{
-					secrets.KeyCACert: caCert,
-				}),
-			),
-			targetURL: "://invalid-url",
-			errMsg:    "failed to parse target URL '://invalid-url'",
-		},
 		{
 			name: "WithSystemCertPool option",
 			secret: testSecret(
@@ -630,15 +606,16 @@ func TestTLSConfigFromSecret(t *testing.T) {
 				ctx = log.IntoContext(ctx, logr.Discard())
 			}
 
-			tlsConfig, err := secrets.TLSConfigFromSecret(ctx, tt.secret, tt.targetURL, tt.opts...)
+			tlsConfig, err := secrets.TLSConfigFromSecret(ctx, tt.secret, tt.opts...)
 
 			if tt.errMsg != "" {
 				g.Expect(err).To(MatchError(ContainSubstring(tt.errMsg)))
 			} else {
 				g.Expect(err).ToNot(HaveOccurred())
 				g.Expect(tlsConfig).ToNot(BeNil())
 
-				g.Expect(tlsConfig.ServerName).To(Equal(tt.expectedServerName))
+				// ServerName should be empty to allow automatic hostname verification
+				g.Expect(tlsConfig.ServerName).To(BeEmpty())
 				// InsecureSkipVerify must always be false per Flux security policy.
 				// The insecure parameter was removed to prevent bypassing certificate validation.
 				g.Expect(tlsConfig.InsecureSkipVerify).To(BeFalse())

runtime/secrets/reader.go

@@ -33,17 +33,14 @@ import (
 // The function fetches the secret from the API server and then processes it using
 // TLSConfigFromSecret. It supports the same field names and legacy field handling.
 //
-// The targetURL parameter is used to set the ServerName for proper SNI support
-// in virtual hosting environments.
-//
 // Optional TLSConfigOption parameters can be used to configure CA certificate handling:
 //   - WithSystemCertPool(): Include system certificates in addition to user-provided CA
-func TLSConfigFromSecretRef(ctx context.Context, c client.Client, secretRef types.NamespacedName, targetURL string, opts ...TLSConfigOption) (*tls.Config, error) {
+func TLSConfigFromSecretRef(ctx context.Context, c client.Client, secretRef types.NamespacedName, opts ...TLSConfigOption) (*tls.Config, error) {
 	secret, err := getSecret(ctx, c, secretRef)
 	if err != nil {
 		return nil, err
 	}
-	return TLSConfigFromSecret(ctx, secret, targetURL, opts...)
+	return TLSConfigFromSecret(ctx, secret, opts...)
 }
 
 // ProxyURLFromSecretRef creates a proxy URL from a Kubernetes secret reference.

runtime/secrets/reader_test.go

@@ -38,13 +38,11 @@ func TestTLSConfigFromSecretRef(t *testing.T) {
 	caCert, tlsCert, tlsKey := generateTestCertificates(t)
 
 	tests := []struct {
-		name               string
-		secretRef          types.NamespacedName
-		secret             *corev1.Secret // Secret to add to fake client (nil = not added)
-		targetURL          string
-		opts               []secrets.TLSConfigOption
-		expectedServerName string
-		errMsg             string
+		name      string
+		secretRef types.NamespacedName
+		secret    *corev1.Secret // Secret to add to fake client (nil = not added)
+		opts      []secrets.TLSConfigOption
+		errMsg    string
 	}{
 		{
 			name:      "integration test - basic TLS secret functionality",
@@ -63,18 +61,6 @@ func TestTLSConfigFromSecretRef(t *testing.T) {
 			secretRef: types.NamespacedName{Name: "missing-secret", Namespace: testNS},
 			errMsg:    "secret 'default/missing-secret' not found",
 		},
-		{
-			name:      "TLS secret with parameters",
-			secretRef: types.NamespacedName{Name: "tls-secret", Namespace: testNS},
-			secret: testSecret(
-				withName("tls-secret"),
-				withData(map[string][]byte{
-					secrets.KeyCACert: caCert,
-				}),
-			),
-			targetURL:          "https://example.com",
-			expectedServerName: "example.com",
-		},
 		{
 			name:      "TLS secret with WithSystemCertPool option",
 			secretRef: types.NamespacedName{Name: "tls-secret", Namespace: testNS},
@@ -103,15 +89,16 @@ func TestTLSConfigFromSecretRef(t *testing.T) {
 			}
 			c := fakeClient(objects...)
 
-			tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, c, tt.secretRef, tt.targetURL, tt.opts...)
+			tlsConfig, err := secrets.TLSConfigFromSecretRef(ctx, c, tt.secretRef, tt.opts...)
 
 			if tt.errMsg != "" {
 				g.Expect(err).To(MatchError(ContainSubstring(tt.errMsg)))
 			} else {
 				g.Expect(err).ToNot(HaveOccurred())
 				g.Expect(tlsConfig).ToNot(BeNil())
 
-				g.Expect(tlsConfig.ServerName).To(Equal(tt.expectedServerName))
+				// ServerName should be empty to allow automatic hostname verification
+				g.Expect(tlsConfig.ServerName).To(BeEmpty())
 				// InsecureSkipVerify must always be false per Flux security policy.
 				// The insecure parameter was removed to prevent bypassing certificate validation.
 				g.Expect(tlsConfig.InsecureSkipVerify).To(BeFalse())

runtime/secrets/secrets.go

@@ -121,19 +121,9 @@ type authMethodsConfig struct {
 
 // tlsConfig holds TLS-specific configuration options.
 type tlsConfig struct {
-	targetURL         string
 	useSystemCertPool bool
 }
 
-// WithTargetURL configures TLS extraction with the specified target URL for ServerName configuration.
-func WithTargetURL(targetURL string) AuthMethodsOption {
-	return func(cfg *authMethodsConfig) {
-		cfg.tlsConfigOpts = append(cfg.tlsConfigOpts, func(c *tlsConfig) {
-			c.targetURL = targetURL
-		})
-	}
-}
-
 // WithTLSSystemCertPool enables the use of system certificate pool in addition to user-provided CA certificates.
 func WithTLSSystemCertPool() AuthMethodsOption {
 	return func(cfg *authMethodsConfig) {