diff --git a/docs/spec/v1/gitrepositories.md b/docs/spec/v1/gitrepositories.md index a5e4f74bf..543b90341 100644 --- a/docs/spec/v1/gitrepositories.md +++ b/docs/spec/v1/gitrepositories.md @@ -161,8 +161,9 @@ data: #### HTTPS Certificate Authority To provide a Certificate Authority to trust while connecting with a Git -repository over HTTPS, the referenced Secret can contain a `.data.caFile` -value. +repository over HTTPS, the referenced Secret's `.data` can contain a `ca.crt` +or `caFile` key. `ca.crt` takes precedence over `caFile`, i.e. if both keys +are present, the value of `ca.crt` will be taken into consideration. ```yaml --- @@ -173,7 +174,7 @@ metadata: namespace: default type: Opaque data: - caFile: + ca.crt: ``` #### SSH authentication diff --git a/internal/controller/gitrepository_controller.go b/internal/controller/gitrepository_controller.go index e74ed34a7..7faccc443 100644 --- a/internal/controller/gitrepository_controller.go +++ b/internal/controller/gitrepository_controller.go @@ -646,6 +646,13 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1 if err != nil { return nil, err } + + // `git.NewAuthOptions()` populates the CA cert data by checking for the `caFile` key. + // Since, `ca.crt` takes precedence, check for its presence here and override the CA + // certificate, if found. + if ca, ok := authData["ca.crt"]; ok { + authOpts.CAFile = ca + } return authOpts, nil } diff --git a/internal/controller/gitrepository_controller_test.go b/internal/controller/gitrepository_controller_test.go index a7740fe40..828f7c16a 100644 --- a/internal/controller/gitrepository_controller_test.go +++ b/internal/controller/gitrepository_controller_test.go @@ -386,6 +386,32 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) { *conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:'"), }, }, + { + name: "HTTPS with CAFile secret with both ca.crt and caFile keys makes Reconciling=True and ignores caFile", + protocol: "https", + server: options{ + publicKey: tlsPublicKey, + privateKey: tlsPrivateKey, + ca: tlsCA, + }, + secret: &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ca-file", + }, + Data: map[string][]byte{ + "ca.crt": tlsCA, + "caFile": []byte("invalid"), + }, + }, + beforeFunc: func(obj *sourcev1.GitRepository) { + obj.Spec.SecretRef = &meta.LocalObjectReference{Name: "ca-file"} + }, + want: sreconcile.ResultSuccess, + assertConditions: []metav1.Condition{ + *conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:'"), + *conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:'"), + }, + }, { name: "HTTPS with invalid CAFile secret makes CheckoutFailed=True and returns error", protocol: "https",