added caFile field support

63f7f264 · Michael Martin · 42c7902b · 63f7f264 · 63f7f264 · 63f7f264
Commit 63f7f264 authored 3 years ago by Michael Martin
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -60,7 +60,7 @@ Build the appropriate git credentials secret for private git repositories
 {{- if .Values.git.existingSecret -}}
 secretRef:
  name: {{ .Values.git.existingSecret }}
-{{- else if coalesce .Values.git.credentials.username .Values.git.credentials.password .Values.git.credentials.privateKey .Values.git.credentials.publicKey .Values.git.credentials.knownHosts "" -}}
+{{- else if coalesce .Values.git.credentials.username .Values.git.credentials.password .Values.git.credentials.caFile .Values.git.credentials.privateKey .Values.git.credentials.publicKey .Values.git.credentials.knownHosts "" -}}
 {{- /* Input validation happens in git-credentials.yaml template */ -}}
 secretRef:
  name: {{ $.Release.Name }}-git-credentials

--- a/chart/templates/git-credentials.yaml
+++ b/chart/templates/git-credentials.yaml
 {{- if not .Values.git.existingSecret }}
 {{- with .Values.git -}}
-{{- if coalesce  .credentials.username .credentials.password .credentials.privateKey .credentials.publicKey .credentials.knownHosts -}}
-{{- $http := coalesce .credentials.username .credentials.password "" }}
+{{- if coalesce  .credentials.username .credentials.password .credentials.caFile .credentials.privateKey .credentials.publicKey .credentials.knownHosts -}}
+{{- $http := coalesce .credentials.username .credentials.password .credentials.caFile "" }}
 {{- $ssh := coalesce .credentials.privateKey .credentials.publicKey .credentials.knownHosts "" }}
 apiVersion: v1
 kind: Secret
@@ -11,11 +11,15 @@ metadata:
 type: Opaque
 data:
  {{- if $http }}
+  {{- if .credentials.caFile }}
+  caFile: {{ .credentials.caFile | b64enc }}
+  {{- else }} 
  {{- if not (and .credentials.username .credentials.password) }}
-  {{- fail "When using http git credentials, username and password must both be specified" }}
+  {{- fail "When using http git credentials without a caFile, username and password must both be specified" }}
  {{- end }}
  username: {{ .credentials.username | b64enc }}
  password: {{ .credentials.password | b64enc }}
+  {{- end }}
  {{- else }}
  {{- if not (and (and .credentials.privateKey .credentials.publicKey) .credentials.knownHosts) }}
  {{- fail "When using ssh git credentials, privateKey, publicKey, and knownHosts must all be specified" }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -30,7 +30,7 @@ openshift: false
 # -- Git credential settings for accessing private repositories
 # Order of precedence is:
 #   1. existingSecret
-#   2. http credentials (username/password)
+#   2. http credentials (username/password/caFile)
 #   3. ssh credentials (privateKey/publicKey/knownHosts)
 git:
  # -- Existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
@@ -41,7 +41,9 @@ git:
    # -- HTTP git credentials, both username and password must be provided
    username: ""
    password: ""
-
+    
+    # -- HTTPS certificate authority file.  It is also possible to specify a caFile for public repositories, in that case the username and password can be omitted.
+    caFile: ""
    # -- SSH git credentials, privateKey, publicKey, and knownHosts must be provided
    privateKey: ""
    publicKey: ""