
feat: corporate CA trust for pipeline git-clone from internal hosts #142

Open

minmzzhang wants to merge 4 commits into validatedpatterns:main from minmzzhang:pipeline-corp-ca-trust

Conversation

@minmzzhang

Collaborator

Add support for the git-clone task to trust corporate/internal CA certificates when cloning from private Git servers (e.g. GitLab behind a corporate CA).

Supply-chain chart:

  • Add conditional ssl-ca-directory workspace to pipeline and pipelinerun templates (gated by git.sslCABundle.enabled)
  • Add git.sslCABundle values (enabled, configMapName) defaulting to the ztvp-trusted-ca ConfigMap
  • Set CRT_FILENAME param so git-clone finds the CA bundle file

ztvp-certificates chart:

  • Auto-detect internal Git hosts via customCA.remoteHosts: the extraction Job connects to the host on port 443, extracts the full CA chain from the TLS handshake, and merges it into the bundle
  • Distribute ztvp-trusted-ca to the pipeline namespace via the targetNamespaces list

Generator (gen-feature-variants.py):

  • Auto-enable git.sslCABundle and customCA.remoteHosts when --git-repo points to a non-public host (not github.com/gitlab.com/bitbucket.org)
  • Add git.sslCABundle.enabled to the protected-repos feature fragment and to the commented-out overrides in the base values-hub.yaml

values-hub.yaml:

  • Replace hand-edited file with gen-feature-variants output for consistent indentation and complete feature composition

Documentation:

  • Add "Corporate CA trust for internal Git hosts" section to docs/supply-chain.md covering enablement, auto-extraction, and manual CA provisioning alternatives
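
The bundle merge that the extraction Job is described as performing, written here as an added example (constructed for this page, not the ztvp-certificates chart's own code). It shows the two properties a reviewer would check: re-running the Job must not duplicate entries in ztvp-trusted-ca, and, because the chain comes from a TLS handshake that a cluster without the corporate CA cannot yet verify, merging is trust-on-first-use unless the expected fingerprints are pinned. The function names, the `pinned` parameter and the PEM bodies (base64 of placeholder bytes, not real certificates) are assumptions.

```python
"""Idempotent, optionally pinned merge of an extracted CA chain into a PEM
bundle. Constructed example, not the ztvp-certificates Job's code."""
import base64
import hashlib
import re

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_certs(bundle: str):
    """Return [(sha256_hex_of_der, normalised_pem_block), ...] in file order."""
    certs = []
    for m in _PEM_CERT.finditer(bundle):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        fp = hashlib.sha256(der).hexdigest()
        body = base64.encodebytes(der).decode()   # 76-column lines, final \n
        certs.append((fp, "-----BEGIN CERTIFICATE-----\n" + body
                          + "-----END CERTIFICATE-----\n"))
    return certs


def merge_ca_bundle(existing: str, extracted: str, pinned=None):
    """Append CA certs from `extracted` that are not yet in `existing`.

    Returns (merged_pem, added_fingerprints). The same input twice adds
    nothing, so a Job that re-runs on every sync leaves the ConfigMap as is.
    `pinned` (assumed parameter) is a set of expected SHA-256 fingerprints:
    the handshake cannot be verified by a cluster that does not yet trust the
    corporate CA, so without pinning whatever the network answers with
    becomes trusted (trust-on-first-use).
    """
    current = pem_certs(existing)
    seen = {fp for fp, _ in current}
    merged = [pem for _, pem in current]
    added = []
    for fp, pem in pem_certs(extracted):
        if pinned is not None and fp not in pinned:
            raise ValueError(f"refusing unpinned certificate sha256:{fp}")
        if fp not in seen:
            seen.add(fp)
            merged.append(pem)
            added.append(fp)
    return "".join(merged), added


def merge_rejected(existing: str, extracted: str, pinned) -> bool:
    """True when the pinned merge refuses the extracted chain."""
    try:
        merge_ca_bundle(existing, extracted, pinned)
    except ValueError:
        return True
    return False


def fake_cert(label: str) -> str:
    """PEM framing around placeholder bytes: constructed input, NOT a cert.
    The merge only fingerprints the DER bytes, so the logic runs unchanged."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(label.encode()).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed bundle already in ztvp-trusted-ca, and a chain "extracted"
# from a handshake: two already-known certs plus one new issuing CA.
EXISTING_BUNDLE = fake_cert("corp-root-ca") + fake_cert("corp-issuing-ca-1")
EXTRACTED_CHAIN = (fake_cert("corp-issuing-ca-1") + fake_cert("corp-root-ca")
                   + fake_cert("corp-issuing-ca-2"))

if __name__ == "__main__":
    merged, added = merge_ca_bundle(EXISTING_BUNDLE, EXTRACTED_CHAIN)
    print(f"added {len(added)} cert(s); bundle now has {len(pem_certs(merged))}")
    again, added_again = merge_ca_bundle(merged, EXTRACTED_CHAIN)
    print("second run idempotent:", again == merged and not added_again)
    pins = {fp for fp, _ in pem_certs(EXISTING_BUNDLE)}
    print("unpinned cert refused:",
          merge_rejected(EXISTING_BUNDLE, EXTRACTED_CHAIN, pins))
```

The chain a handshake returns also contains the server's leaf certificate; only the CA certificates belong in the bundle, which this merge assumes the caller has already filtered (checking basicConstraints CA:TRUE needs an X.509 parser and is left out here). Pinning the fingerprints in values, or comparing them out of band after the first extraction, is what turns the auto-extraction from trust-on-first-use into a checked trust anchor.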

@minmzzhang minmzzhang force-pushed the pipeline-corp-ca-trust branch from ae0f678 to 2f1c9b8 Compare June 5, 2026 15:22

@mlorenzofr mlorenzofr left a comment

Collaborator


Tested and working correctly. Just a couple of minor changes.
LGTM

minmzzhang and others added 3 commits June 12, 2026 10:25
Add support for the git-clone task to trust corporate/internal CA
certificates when cloning from private Git servers (e.g. GitLab behind
a corporate CA).

Supply-chain chart:
- Add conditional ssl-ca-directory workspace to pipeline and
  pipelinerun templates (gated by git.sslCABundle.enabled)
- Add git.sslCABundle values (enabled, configMapName) defaulting to
  the ztvp-trusted-ca ConfigMap
- Set CRT_FILENAME param so git-clone finds the CA bundle file

ztvp-certificates chart:
- Auto-detect internal Git hosts via customCA.remoteHosts: the
  extraction Job connects to the host on port 443, extracts the full
  CA chain from the TLS handshake, and merges it into the bundle
- Distribute ztvp-trusted-ca to the pipeline namespace via the
  targetNamespaces list

Generator (gen-feature-variants.py):
- Auto-enable git.sslCABundle and customCA.remoteHosts when --git-repo
  points to a non-public host (not github.com/gitlab.com/bitbucket.org)
- Add git.sslCABundle.enabled to the protected-repos feature fragment
  and to the commented-out overrides in the base values-hub.yaml

values-hub.yaml:
- Replace hand-edited file with gen-feature-variants output for
  consistent indentation and complete feature composition

Documentation:
- Add "Corporate CA trust for internal Git hosts" section to
  docs/supply-chain.md covering enablement, auto-extraction, and
  manual CA provisioning alternatives

Signed-off-by: Min Zhang <minzhang@redhat.com>
Signed-off-by: Manuel Lorenzo <mlorenzofr@redhat.com>

- Skip SSL CA bundle workspace/params when authType is SSH (not needed
  for SSH connections to git)
- Add hostname validation in _parse_git_repo_url() to fail early on
  malformed URLs

Signed-off-by: Min Zhang <minzhang@redhat.com>
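
The host classification and early hostname validation this commit describes, as an added example (constructed for this page, not the project's own `_parse_git_repo_url()`; the function names, returned keys and the `git.authType` / `manualCAProvisioning` override names are assumptions). It treats a host as public only by exact or subdomain match, so `github.com.corp.example` still gets the corporate bundle; it enables the bundle only for HTTPS, since SSH does not use it; and it flags a non-443 port, because the extraction Job as described connects on 443.

```python
"""Classify a --git-repo URL and derive pipeline overrides. Constructed
example; names and keys are assumptions, not gen-feature-variants.py's API."""
import re
from urllib.parse import urlsplit

# Hosts whose TLS certificates chain to public roots: no corporate CA needed.
PUBLIC_GIT_HOSTS = frozenset({"github.com", "gitlab.com", "bitbucket.org"})

# scp-like syntax:  [user@]host:path   (no scheme)
_SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/:]+)@)?(?P<host>[^:/@]+):(?P<path>.+)$")
# One DNS label: 1-63 alphanumerics or '-', not starting or ending with '-'.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(host: str) -> bool:
    """RFC 1123 syntax check; rejects empty labels, '_' and IPv6 literals."""
    host = host.rstrip(".")
    return 0 < len(host) <= 253 and all(_LABEL.match(l) for l in host.split("."))


def is_public_host(host: str) -> bool:
    """Exact or subdomain match only, so 'github.com.corp.example' is internal."""
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in PUBLIC_GIT_HOSTS)


def parse_git_repo_url(url: str) -> dict:
    """Return {'auth_type', 'host', 'port', 'path'}; ValueError on bad input."""
    url = url.strip()
    if "://" in url:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        # .port raises ValueError itself on a non-numeric or out-of-range port
        host, port, path = parts.hostname, parts.port, parts.path
        if scheme == "https":
            auth_type = "https"
        elif scheme in ("ssh", "git+ssh", "ssh+git"):
            auth_type = "ssh"
        else:  # git:// and http:// are plaintext; refuse rather than guess
            raise ValueError(f"unsupported scheme {scheme!r} in {url!r}")
    else:
        m = _SCP_LIKE.match(url)
        if not m:
            raise ValueError(f"not a git URL: {url!r}")
        auth_type, host, port, path = "ssh", m.group("host"), None, m.group("path")
    if not host or not valid_hostname(host):
        raise ValueError(f"malformed or missing hostname in {url!r}")
    if not path.strip("/"):
        raise ValueError(f"missing repository path in {url!r}")
    return {"auth_type": auth_type, "host": host.lower(), "port": port, "path": path}


def pipeline_overrides(url: str) -> dict:
    """Values the generator would emit for this repo (key names assumed)."""
    info = parse_git_repo_url(url)
    needs_corp_ca = info["auth_type"] == "https" and not is_public_host(info["host"])
    # The extraction Job as described connects on port 443, so a repo on a
    # non-default port still needs the bundle but cannot be auto-extracted.
    auto_extract = needs_corp_ca and info["port"] in (None, 443)
    return {
        "git.authType": info["auth_type"],
        "git.sslCABundle.enabled": needs_corp_ca,
        "customCA.remoteHosts": [info["host"]] if auto_extract else [],
        "manualCAProvisioning": needs_corp_ca and not auto_extract,
    }


def rejected(url: str) -> bool:
    """True when parse_git_repo_url fails early on the URL."""
    try:
        parse_git_repo_url(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for u in ("https://gitlab.corp.example/group/repo.git",
              "https://github.com.corp.example/x/y.git",
              "git@gitlab.corp.example:group/repo.git",
              "https://gitlab.corp.example:8443/g/r.git"):
        print(u, "->", pipeline_overrides(u))
    print("rejected:", [u for u in ("https://git_lab.corp.example/x/y",
                                    "http://gitlab.corp.example/x/y",
                                    "not a url") if rejected(u)])
```

Matching public hosts by suffix alone (`host.endswith("github.com")`) would classify `evilgithub.com` as public and skip the corporate bundle; the subdomain test above avoids that. Rejecting plaintext `git://` and `http://` schemes keeps the generator from silently producing a pipeline that clones without any transport integrity.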
@minmzzhang minmzzhang force-pushed the pipeline-corp-ca-trust branch from 2565a0e to 7ad9fc4 Compare June 12, 2026 14:31
The External Secrets Operator no longer serves v1beta1; only v1 is
available on the cluster, causing supply-chain sync failures.

Signed-off-by: Min Zhang <minzhang@redhat.com>
@minmzzhang

Collaborator Author

Rebased to latest main and ready for review.
