gitrepo: add support for specifying CA data via `ca.crt`

Check the auth secret for the `ca.crt` key for CA certificate data.
`ca.crt` takes precedence over `caFile`.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Sanskar Jaiswal 2023-08-08 17:56:00 +05:30
parent 6fe3c96311
commit 2a7f67de48
No known key found for this signature in database
GPG Key ID: 5982D0279C227FFD
2 changed files with 30 additions and 3 deletions


@ -161,8 +161,9 @@ data:
#### HTTPS Certificate Authority #### HTTPS Certificate Authority
To provide a Certificate Authority to trust while connecting with a Git To provide a Certificate Authority to trust while connecting with a Git
repository over HTTPS, the referenced Secret can contain a `.data.caFile` repository over HTTPS, the referenced Secret's `.data` can contain a `ca.crt`
value. or `caFile` key. `ca.crt` takes precedence over `caFile`, i.e. if both keys
are present, the value of `ca.crt` will be taken into consideration.
```yaml ```yaml
--- ---
@ -173,7 +174,7 @@ metadata:
namespace: default namespace: default
type: Opaque type: Opaque
data: data:
caFile: <BASE64> ca.crt: <BASE64>
``` ```
#### SSH authentication #### SSH authentication


@ -410,6 +410,32 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"), *conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
}, },
}, },
{
name: "HTTPS with CAFile secret with both ca.crt and caFile keys makes Reconciling=True and ignores caFile",
protocol: "https",
server: options{
publicKey: tlsPublicKey,
privateKey: tlsPrivateKey,
ca: tlsCA,
},
secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "ca-file",
},
Data: map[string][]byte{
"ca.crt": tlsCA,
"caFile": []byte("invalid"),
},
},
beforeFunc: func(obj *sourcev1.GitRepository) {
obj.Spec.SecretRef = &meta.LocalObjectReference{Name: "ca-file"}
},
want: sreconcile.ResultSuccess,
assertConditions: []metav1.Condition{
*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
},
},
{ {
name: "HTTPS with invalid CAFile secret makes CheckoutFailed=True and returns error", name: "HTTPS with invalid CAFile secret makes CheckoutFailed=True and returns error",
protocol: "https", protocol: "https",
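Review bot: The added table entry pins only one direction of the precedence rule: a valid `"ca.crt": tlsCA` next to `"caFile": []byte("invalid")`. Nothing here covers the inverse, so a regression that silently falls back to `caFile` when `ca.crt` fails to parse would still pass, and the CA bundle is the trust anchor for the HTTPS connection. Going by the documented rule that `ca.crt` wins when both keys are present, I would add a sibling case with `"ca.crt": []byte("invalid"), "caFile": tlsCA` that expects the same failure as the existing "invalid CAFile" case. The case name also still reads "CAFile secret" although the key under test is `ca.crt`; something like `name: "HTTPS with ca.crt and caFile keys uses ca.crt and ignores caFile"` would be clearer. The test table and the enclosing function continue outside this hunk.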