feat: support deploying ZTVP from private git repositories#140
Merged
Add bootstrap_secrets configuration to values-secret.yaml.template with two options for private repository access:
- Option A: SSH deploy key authentication
- Option B: HTTPS with Personal Access Token (PAT)

Add docs/private-repos.md with step-by-step deployment instructions, verification steps, and troubleshooting guidance. The common Makefile already supports TOKEN_SECRET and TOKEN_NAMESPACE; this commit provides the pattern-level configuration and documentation.

Signed-off-by: Min Zhang <minzhang@redhat.com>
The ArgoCD repo-server container does not have Git host SSH fingerprints in its known_hosts file, causing "knownhosts: key is unknown" errors. Add insecureIgnoreHostKey field to the SSH bootstrap_secrets template.

Also document:
- DISABLE_VALIDATE_ORIGIN for private repo pre-flight check
- ACM temporary Degraded state during initial install (self-heals)
- SSH known_hosts troubleshooting entry

Signed-off-by: Min Zhang <minzhang@redhat.com>
When deploying from an internal Git host (e.g. gitlab.cee.redhat.com), users must add corporate CAs to proxy/cluster before install. Previously the ztvp-certificates job refused to overwrite a user-set trustedCA, leaving ACS Central unable to trust Keycloak via the ingress CA.

Changes:
- PHASE 8.5: include all extracted CAs (custom, additional, cluster) in the proxy CA bundle, not just ingress + service
- PHASE 8.6: merge existing proxy CA ConfigMap content into ztvp-proxy-ca before taking over trustedCA management
- docs/private-repos.md: document pre-install CA requirement and explain automatic merge behavior
- values-secret.yaml.template: add ACM workaround bootstrap_secrets entry

Signed-off-by: Min Zhang <minzhang@redhat.com>
The duplicate bootstrap_secrets entry targeting openshift-gitops is no longer needed. The VP operator (0.0.70+) copies credentials into vp-gitops and automatically sets global.vpArgoNamespace. The ACM chart 0.2.x reads that variable, so the private-repo policy resolves without any manual override or duplicate secret.

- Remove second bootstrap_secrets entries (SSH and HTTPS workarounds)
- Bump ACM chartVersion from 0.1.* to 0.2.*
- Update docs/private-repos.md and values-secret.yaml.template comments

Signed-off-by: Min Zhang <minzhang@redhat.com>
Move the DISABLE_VALIDATE_ORIGIN=true flag directly into the deploy command so users don't hit the git ls-remote failure before discovering the workaround in a separate section. Signed-off-by: Min Zhang <minzhang@redhat.com>
sabre1041 (Collaborator) requested changes on Jun 5, 2026 and left a comment:
Looks really good and testing SSH successfully. Added one blocking comment that we need to implement. Then we can look to merge this integration
Comment on the SSH bootstrap_secrets template in values-secret.yaml.template:

```yaml
  value: git
- name: url
  value: git@github.com:YOUR-ORG/layered-zero-trust.git
- name: insecureIgnoreHostKey
```
sabre1041 (Collaborator):
Is there any support to provide known hosts at provisioning time? I did a quick check in the VP repos and did not locate an option
Author:
Updated the doc mentioning that the insecureIgnoreHostKey is only needed for self-hosted git servers, it is not needed for public git servers like gitlab.com, github.com.
- Add DISABLE_VALIDATE_ORIGIN=true to SSH deploy step (same issue as HTTPS: Makefile git ls-remote fails against private remotes)
- Document insecureIgnoreHostKey alternatives: major providers have pre-populated fingerprints; self-hosted Git requires the flag since vp-gitops namespace does not exist until install; post-install hardening via ssh-keyscan + oc patch is described

Signed-off-by: Min Zhang <minzhang@redhat.com>
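As an added example (not code from this PR or the pattern repository), the post-install hardening the commit mentions, worked through: take the `ssh-keyscan` output for the self-hosted Git host, accept each key only when its SHA256 fingerprint matches one confirmed with the Git administrator, and emit the JSON merge patch that `oc patch` applies. It assumes the target is ArgoCD's argocd-ssh-known-hosts-cm ConfigMap (key ssh_known_hosts) in the vp-gitops namespace; the keyscan output and key blob are constructed.

```python
import base64
import hashlib
import json

CONFIGMAP = "argocd-ssh-known-hosts-cm"  # assumption: ArgoCD's known-hosts ConfigMap
NAMESPACE = "vp-gitops"                  # namespace named in the PR discussion

# Constructed sample of `ssh-keyscan -t ed25519 git.example.internal 2>&1`
# output; the key blob is made up and is not a real host key.
SAMPLE_KEY = base64.b64encode(b"constructed, not a real host key").decode()
SAMPLE_KEYSCAN = (
    "# git.example.internal:22 SSH-2.0-OpenSSH_9.6\n"
    f"git.example.internal ssh-ed25519 {SAMPLE_KEY}\n"
)

def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(text: str) -> list[tuple[str, str, str]]:
    """Return (host, key type, base64 key) for each non-comment keyscan line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith("#"):
            rows.append((fields[0], fields[1], fields[2]))
    return rows

def build_patch(keyscan_text: str, pinned: dict[str, str], existing: str = "") -> str:
    """Build the merge patch. `pinned` maps "host keytype" to the fingerprint the
    Git admin confirmed; `existing` is the ConfigMap's current ssh_known_hosts,
    kept because a merge patch replaces the whole key."""
    lines = [l for l in existing.splitlines() if l.strip()]
    for host, keytype, key in parse_keyscan(keyscan_text):
        fp = fingerprint(key)
        if pinned.get(f"{host} {keytype}") != fp:
            raise ValueError(f"unverified host key: {host} {keytype} {fp}")
        lines.append(f"{host} {keytype} {key}")
    return json.dumps({"data": {"ssh_known_hosts": "\n".join(lines) + "\n"}})

if __name__ == "__main__":
    pins = {"git.example.internal ssh-ed25519": fingerprint(SAMPLE_KEY)}
    print(f"oc patch cm {CONFIGMAP} -n {NAMESPACE} --type merge -p "
          f"'{build_patch(SAMPLE_KEYSCAN, pins)}'")
```

Pass the ConfigMap's current ssh_known_hosts as `existing` so ArgoCD's stock provider entries survive the patch; once the keys are pinned the insecureIgnoreHostKey workaround is no longer needed.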
Summary
- `bootstrap_secrets` configuration in `values-secret.yaml.template` for both SSH and HTTPS/PAT authentication to private Git repositories
- `docs/private-repos.md` with step-by-step deployment instructions, verification steps, and troubleshooting guide
- `ztvp-certificates` chart change to merge existing proxy CA ConfigMaps (e.g. corporate CAs added pre-install for internal GitLab) into `ztvp-proxy-ca`, ensuring workloads like ACS Central can trust both cluster-internal routes and external hosts without manual intervention

Key features
- `insecureIgnoreHostKey` for ArgoCD repo-server containers
- `chartVersion` from `0.1.*` to `0.2.*` so the `vp-private-hub-policy` reads `global.vpArgoNamespace` (set automatically by the VP operator) instead of hardcoding `openshift-gitops`
- `custom-ca` requirement for internal Git hosts, and the automatic merge into `ztvp-proxy-ca` post-install
- `DISABLE_VALIDATE_ORIGIN` support for skipping local `git ls-remote` pre-flight check

Troubleshooting coverage
- `knownhosts: key is unknown`
- `x509: certificate signed by unknown authority` (internal CAs)
- `authorization failed` (Reporter role + `read_repository` scope required)
- `vp-private-hub-policy` NonCompliant