fix: handle correctly incomplete RegistryTLSConfig

smira · smira · commit e16c2d5bba1b · 2026-01-21T16:20:37.000+04:00
Add some missing unit-test coverage. Fixes #12571 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit b8ff967)
diff --git a/internal/app/machined/pkg/controllers/cri/registries_config_test.go b/internal/app/machined/pkg/controllers/cri/registries_config_test.go
@@ -323,7 +323,10 @@ func (suite *ConfigSuite) TestRegistryNewStyle() {
 	}
 	tr1.TLSCA = "-----BEGIN CERTIFICATE-----\nMIID...IDAQAB\n-----END CERTIFICATE-----"
 
-	ctr, err := container.New(mr1, ar1, tr1)
+	tr2 := criconfig.NewRegistryTLSConfigV1Alpha1("another-registry")
+	tr2.TLSInsecureSkipVerify = pointer.To(true)
+
+	ctr, err := container.New(mr1, ar1, tr1, tr2)
 	suite.Require().NoError(err)
 
 	cfg := config.NewMachineConfig(ctr)
@@ -370,6 +373,9 @@ func (suite *ConfigSuite) TestRegistryNewStyle() {
 					},
 					TLSCA: []byte("-----BEGIN CERTIFICATE-----\nMIID...IDAQAB\n-----END CERTIFICATE-----"),
 				},
+				"another-registry": {
+					TLSInsecureSkipVerify: true,
+				},
 			},
 			spec.RegistryTLSs,
 		)
diff --git a/pkg/machinery/config/types/cri/registry_tls.go b/pkg/machinery/config/types/cri/registry_tls.go
@@ -159,6 +159,10 @@ func (s *RegistryTLSConfigV1Alpha1) Validate(validation.RuntimeMode, ...validati
 
 // ClientIdentity implements config.RegistryTLSConfigDocument interface.
 func (s *RegistryTLSConfigV1Alpha1) ClientIdentity() *x509.PEMEncodedCertificateAndKey {
+	if s.TLSClientIdentity == nil {
+		return nil
+	}
+
 	return &x509.PEMEncodedCertificateAndKey{
 		Crt: []byte(s.TLSClientIdentity.Cert),
 		Key: []byte(s.TLSClientIdentity.Key),
@@ -167,6 +171,10 @@ func (s *RegistryTLSConfigV1Alpha1) ClientIdentity() *x509.PEMEncodedCertificate
 
 // CA implements config.RegistryTLSConfigDocument interface.
 func (s *RegistryTLSConfigV1Alpha1) CA() []byte {
+	if s.TLSCA == "" {
+		return nil
+	}
+
 	return []byte(s.TLSCA)
 }
 
