From ab847310efde540b5bfe17570b99af1bb705832b Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Fri, 26 Sep 2025 21:18:44 +0400
Subject: [PATCH] fix: provide refreshing CA pool (resolvers)

When a registry has _some_ TLS config included, the refreshing CA pool was overwritten with the result returned from the config provider. Ensure that is is restored back to the default value (unless explicitly set by the provider if the registry CA is set).

Signed-off-by: Andrey Smirnov
---
 internal/pkg/containers/image/resolver.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/pkg/containers/image/resolver.go b/internal/pkg/containers/image/resolver.go
index a75c9bb4f..a79cc5f77 100644
--- a/internal/pkg/containers/image/resolver.go
+++ b/internal/pkg/containers/image/resolver.go
@@ -60,6 +60,11 @@ func RegistryHosts(reg config.Registries) docker.RegistryHosts {
 if err != nil {
 return nil, fmt.Errorf("error preparing TLS config for %q: %w", u.Host, err)
 }
+
+ // set up refreshing Root CAs if none were provided
+ if transport.TLSClientConfig.RootCAs == nil {
+ transport.TLSClientConfig.RootCAs = httpdefaults.RootCAs()
+ }
 }
 if u.Path == "" {
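Review bot: The added check dereferences `transport.TLSClientConfig` just after the provider's result replaced it, and the hunk does not show whether that result can be nil while `err` is nil. If it can, `transport.TLSClientConfig.RootCAs == nil` panics on a nil pointer; if it cannot, that guarantee deserves a short comment. The existing comment could also say why nil is not left in place, for example `// nil RootCAs makes crypto/tls use the host root set instead of the refreshing pool; restore it unless the registry supplied its own CA`. The commit touches one file and adds no test; a case for a registry with a client certificate but no CA, asserting that `RootCAs` is non-nil afterwards, would pin the regression. The enclosing function starts and ends outside the hunk.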