diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index a71ed1e1c16fea7d583855cf062eb9ef8e7a578e..1eadf30aa44d7d0442e20c7b81b38ba137a6d946 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -60,7 +60,7 @@ Build the appropriate git credentials secret for private git repositories
 {{- if .Values.git.existingSecret -}}
 secretRef:
   name: {{ .Values.git.existingSecret }}
-{{- else if coalesce .Values.git.credentials.username .Values.git.credentials.password .Values.git.credentials.privateKey .Values.git.credentials.publicKey .Values.git.credentials.knownHosts "" -}}
+{{- else if coalesce .Values.git.credentials.username .Values.git.credentials.password .Values.git.credentials.caFile .Values.git.credentials.privateKey .Values.git.credentials.publicKey .Values.git.credentials.knownHosts "" -}}
 {{- /* Input validation happens in git-credentials.yaml template */ -}}
 secretRef:
   name: {{ $.Release.Name }}-git-credentials
diff --git a/chart/templates/git-credentials.yaml b/chart/templates/git-credentials.yaml
index 9c1bad84dd00d0d3722025a2c92d9d121d0236eb..345343a5e129d6a0551525677dab07ef3ce2dc19 100644
--- a/chart/templates/git-credentials.yaml
+++ b/chart/templates/git-credentials.yaml
@@ -1,7 +1,7 @@
 {{- if not .Values.git.existingSecret }}
 {{- with .Values.git -}}
-{{- if coalesce  .credentials.username .credentials.password .credentials.privateKey .credentials.publicKey .credentials.knownHosts -}}
-{{- $http := coalesce .credentials.username .credentials.password "" }}
+{{- if coalesce  .credentials.username .credentials.password .credentials.caFile .credentials.privateKey .credentials.publicKey .credentials.knownHosts -}}
+{{- $http := coalesce .credentials.username .credentials.password .credentials.caFile "" }}
 {{- $ssh := coalesce .credentials.privateKey .credentials.publicKey .credentials.knownHosts "" }}
 apiVersion: v1
 kind: Secret
@@ -11,11 +11,15 @@ metadata:
 type: Opaque
 data:
   {{- if $http }}
+  {{- if .credentials.caFile }}
+  caFile: {{ .credentials.caFile | b64enc }}
+  {{- else }} 
   {{- if not (and .credentials.username .credentials.password) }}
-  {{- fail "When using http git credentials, username and password must both be specified" }}
+  {{- fail "When using http git credentials without a caFile, username and password must both be specified" }}
   {{- end }}
   username: {{ .credentials.username | b64enc }}
   password: {{ .credentials.password | b64enc }}
+  {{- end }}
   {{- else }}
   {{- if not (and (and .credentials.privateKey .credentials.publicKey) .credentials.knownHosts) }}
   {{- fail "When using ssh git credentials, privateKey, publicKey, and knownHosts must all be specified" }}
diff --git a/chart/values.yaml b/chart/values.yaml
index a4f63bdad20e4a21371e7b9e7ad33d156b0f7212..2df449938683c84f906457bfa3c8d6a6762c0d7b 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -30,7 +30,7 @@ openshift: false
 # -- Git credential settings for accessing private repositories
 # Order of precedence is:
 #   1. existingSecret
-#   2. http credentials (username/password)
+#   2. http credentials (username/password/caFile)
 #   3. ssh credentials (privateKey/publicKey/knownHosts)
 git:
   # -- Existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
@@ -41,7 +41,9 @@ git:
     # -- HTTP git credentials, both username and password must be provided
     username: ""
     password: ""
-
+    
+    # -- HTTPS certificate authority file.  It is also possible to specify a caFile for public repositories, in that case the username and password can be omitted.
+    caFile: ""
     # -- SSH git credentials, privateKey, publicKey, and knownHosts must be provided
     privateKey: ""
     publicKey: ""