feat: corporate CA trust for pipeline git-clone from internal hosts#142
Merged
sabre1041 merged 7 commits intoJun 16, 2026
Merged
Conversation
minmzzhang
force-pushed
the
pipeline-corp-ca-trust
branch
from
ae0f678 to
2f1c9b8
Compare
mlorenzofr
approved these changes
Jun 9, 2026
mlorenzofr
left a comment
mlorenzofr
left a comment
Collaborator
There was a problem hiding this comment.
Tested and working correctly. Just a couple of minor changes
LGTM
Add support for the git-clone task to trust corporate/internal CA certificates when cloning from private Git servers (e.g. GitLab behind a corporate CA). Supply-chain chart: - Add conditional ssl-ca-directory workspace to pipeline and pipelinerun templates (gated by git.sslCABundle.enabled) - Add git.sslCABundle values (enabled, configMapName) defaulting to the ztvp-trusted-ca ConfigMap - Set CRT_FILENAME param so git-clone finds the CA bundle file ztvp-certificates chart: - Auto-detect internal Git hosts via customCA.remoteHosts: the extraction Job connects to the host on port 443, extracts the full CA chain from the TLS handshake, and merges it into the bundle - Distribute ztvp-trusted-ca to the pipeline namespace via the targetNamespaces list Generator (gen-feature-variants.py): - Auto-enable git.sslCABundle and customCA.remoteHosts when --git-repo points to a non-public host (not github.com/gitlab.com/bitbucket.org) - Add git.sslCABundle.enabled to the protected-repos feature fragment and to the commented-out overrides in the base values-hub.yaml values-hub.yaml: - Replace hand-edited file with gen-feature-variants output for consistent indentation and complete feature composition Documentation: - Add "Corporate CA trust for internal Git hosts" section to docs/supply-chain.md covering enablement, auto-extraction, and manual CA provisioning alternatives Signed-off-by: Min Zhang <minzhang@redhat.com>
Signed-off-by: Manuel Lorenzo <mlorenzofr@redhat.com>
- Skip SSL CA bundle workspace/params when authType is SSH (not needed for SSH connections to git) - Add hostname validation in _parse_git_repo_url() to fail early on malformed URLs Signed-off-by: Min Zhang <minzhang@redhat.com>
minmzzhang
force-pushed
the
pipeline-corp-ca-trust
branch
from
2565a0e to
7ad9fc4
Compare
The External Secrets Operator no longer serves v1beta1; only v1 is available on the cluster, causing supply-chain sync failures. Signed-off-by: Min Zhang <minzhang@redhat.com>
Collaborator
Author
|
Rebased to latest main and ready for review. |
The supply-chain doc lists values-hub.yaml sections to uncomment but did not mention overrides/values-vault-jwt.yaml. Without the rhtpa and supply-chain JWT roles, RHTPA and the pipeline SA cannot authenticate to Vault via SPIFFE. Signed-off-by: Min Zhang <minzhang@redhat.com>
When a custom CA is added after the pattern is already deployed, the ArgoCD repo-server init container will not re-run to pick up the updated trusted-ca-bundle. Document the rollout restart workaround and broaden the x509 troubleshooting entry to cover Gitea and other self-hosted Git servers beyond GitLab. Signed-off-by: Min Zhang <minzhang@redhat.com>
The corporate CA trust configuration was nested as step 4 under "Protected Repositories", implying it only applies to private repos. In reality these are orthogonal concerns -- a public repo on an internal Git server behind a corporate CA also needs CA trust without any git credentials. Promote "Corporate CA Trust for Internal Git Hosts" to its own top-level section, split the combined "How it works" block, and add bidirectional cross-references. Also fix the duplicate SSH mode PipelineRun YAML and add ssl-ca-directory guidance to the Web Console instructions. Signed-off-by: Min Zhang <minzhang@redhat.com>
sabre1041
reviewed
Jun 16, 2026
sabre1041
left a comment
sabre1041
left a comment
Collaborator
There was a problem hiding this comment.
LGTM. Great work @minmzzhang !
sabre1041
approved these changes
Jun 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add support for the git-clone task to trust corporate/internal CA certificates when cloning from private Git servers (e.g. GitLab behind a corporate CA).
Supply-chain chart:
ztvp-certificates chart:
Generator (gen-feature-variants.py):
values-hub.yaml:
Documentation: