
feat: corporate CA trust for pipeline git-clone from internal hosts#142

Open
minmzzhang wants to merge 1 commit into
validatedpatterns:mainfrom
minmzzhang:pipeline-corp-ca-trust

Conversation

@minmzzhang
Collaborator

Add support for the git-clone task to trust corporate/internal CA certificates when cloning from private Git servers (e.g. GitLab behind a corporate CA).

Supply-chain chart:

  • Add conditional ssl-ca-directory workspace to pipeline and pipelinerun templates (gated by git.sslCABundle.enabled)
  • Add git.sslCABundle values (enabled, configMapName) defaulting to the ztvp-trusted-ca ConfigMap
  • Set CRT_FILENAME param so git-clone finds the CA bundle file

ztvp-certificates chart:

  • Auto-detect internal Git hosts via customCA.remoteHosts: the extraction Job connects to the host on port 443, extracts the full CA chain from the TLS handshake, and merges it into the bundle
  • Distribute ztvp-trusted-ca to the pipeline namespace via the targetNamespaces list

Generator (gen-feature-variants.py):

  • Auto-enable git.sslCABundle and customCA.remoteHosts when --git-repo points to a non-public host (not github.com/gitlab.com/bitbucket.org)
  • Add git.sslCABundle.enabled to the protected-repos feature fragment and to the commented-out overrides in the base values-hub.yaml

values-hub.yaml:

  • Replace hand-edited file with gen-feature-variants output for consistent indentation and complete feature composition

Documentation:

  • Add "Corporate CA trust for internal Git hosts" section to docs/supply-chain.md covering enablement, auto-extraction, and manual CA provisioning alternatives

Add support for the git-clone task to trust corporate/internal CA
certificates when cloning from private Git servers (e.g. GitLab behind
a corporate CA).

Supply-chain chart:
- Add conditional ssl-ca-directory workspace to pipeline and
  pipelinerun templates (gated by git.sslCABundle.enabled)
- Add git.sslCABundle values (enabled, configMapName) defaulting to
  the ztvp-trusted-ca ConfigMap
- Set CRT_FILENAME param so git-clone finds the CA bundle file

ztvp-certificates chart:
- Auto-detect internal Git hosts via customCA.remoteHosts: the
  extraction Job connects to the host on port 443, extracts the full
  CA chain from the TLS handshake, and merges it into the bundle
- Distribute ztvp-trusted-ca to the pipeline namespace via the
  targetNamespaces list

Generator (gen-feature-variants.py):
- Auto-enable git.sslCABundle and customCA.remoteHosts when --git-repo
  points to a non-public host (not github.com/gitlab.com/bitbucket.org)
- Add git.sslCABundle.enabled to the protected-repos feature fragment
  and to the commented-out overrides in the base values-hub.yaml

values-hub.yaml:
- Replace hand-edited file with gen-feature-variants output for
  consistent indentation and complete feature composition

Documentation:
- Add "Corporate CA trust for internal Git hosts" section to
  docs/supply-chain.md covering enablement, auto-extraction, and
  manual CA provisioning alternatives

Signed-off-by: Min Zhang <minzhang@redhat.com>
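As an added illustration (not code from this PR or from the ztvp-certificates chart), here is a Go sketch of the merge step that the extraction Job described above and in the commit message performs once it holds the peer chain: keep only the CA certificates the server presented, skip the server's own leaf, and do not duplicate certificates already in the bundle. The hostname, CA name and chain are constructed so it runs offline; the real Job would obtain the chain over TLS (for example `tls.Dial` and `ConnectionState().PeerCertificates`), which is omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// mergeCAChain appends the CA certs from a TLS peer's presented chain to a PEM
// bundle, skipping the leaf (only Basic Constraints CA=true certs are trust
// anchors) and certs already present, so re-runs are idempotent.
func mergeCAChain(bundle []byte, chain []*x509.Certificate) ([]byte, int) {
	added := 0
	for _, c := range chain {
		p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
		if !c.IsCA || bytes.Contains(bundle, p) { // same encoder, so PEM text is canonical
			continue
		}
		bundle = append(bundle, p...)
		added++
	}
	return bundle, added
}

// sampleChain fabricates, offline, the chain a corporate Git server would present
// (leaf first, then its CA); names are constructed and one key is reused for brevity.
func sampleChain() []*x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &key.PublicKey, key)
	ca, _ = x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "gitlab.corp.example"},
		NotBefore: now, NotAfter: now.Add(time.Hour), DNSNames: []string{"gitlab.corp.example"}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, key)
	leaf, _ = x509.ParseCertificate(leafDER)
	return []*x509.Certificate{leaf, ca}
}

func main() {
	bundle, n := mergeCAChain(nil, sampleChain())
	fmt.Printf("added %d CA cert(s):\n%s", n, bundle)
}
```

A handshake only yields whatever the host presents at extraction time, and servers often omit the root, so check the resulting bundle's subjects against the expected corporate CA before distributing it to the pipeline namespace.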
@minmzzhang force-pushed the pipeline-corp-ca-trust branch from ae0f678 to 2f1c9b8 on June 5, 2026 15:22