Merge branch '660-extend-git-secret-creation-to-include-ca' into 'master'

Resolve "Extend git secret creation to include CA" Closes #660 See merge request platform-one/big-bang/bigbang!801

Merge branch '660-extend-git-secret-creation-to-include-ca' into 'master'
efde88d5 · Ryan Garcia · 25bd94fb · a22b090d · efde88d5 · efde88d5
Commit efde88d5 authored 3 years ago by Ryan Garcia
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -60,7 +60,7 @@ Build the appropriate git credentials secret for private git repositories
 {{- if .Values.git.existingSecret -}}
 secretRef:
  name: {{ .Values.git.existingSecret }}
-{{- else if coalesce .Values.git.credentials.username .Values.git.credentials.password .Values.git.credentials.privateKey .Values.git.credentials.publicKey .Values.git.credentials.knownHosts "" -}}
+{{- else if coalesce .Values.git.credentials.username .Values.git.credentials.password .Values.git.credentials.caFile .Values.git.credentials.privateKey .Values.git.credentials.publicKey .Values.git.credentials.knownHosts "" -}}
 {{- /* Input validation happens in git-credentials.yaml template */ -}}
 secretRef:
  name: {{ $.Release.Name }}-git-credentials

--- a/chart/templates/git-credentials.yaml
+++ b/chart/templates/git-credentials.yaml
 {{- if not .Values.git.existingSecret }}
 {{- with .Values.git -}}
-{{- if coalesce  .credentials.username .credentials.password .credentials.privateKey .credentials.publicKey .credentials.knownHosts -}}
-{{- $http := coalesce .credentials.username .credentials.password "" }}
+{{- if coalesce  .credentials.username .credentials.password .credentials.caFile .credentials.privateKey .credentials.publicKey .credentials.knownHosts -}}
+{{- $http := coalesce .credentials.username .credentials.password .credentials.caFile "" }}
 {{- $ssh := coalesce .credentials.privateKey .credentials.publicKey .credentials.knownHosts "" }}
 apiVersion: v1
 kind: Secret
@@ -11,11 +11,19 @@ metadata:
 type: Opaque
 data:
  {{- if $http }}
-  {{- if not (and .credentials.username .credentials.password) }}
-  {{- fail "When using http git credentials, username and password must both be specified" }}
+  {{- if .credentials.caFile }}
+  caFile: {{ .credentials.caFile | b64enc }}
  {{- end }}
+  {{- if and .credentials.username  (not .credentials.password ) }}
+  {{- fail "When using http git username, password must be specified" }}
+  {{- end }}
+  {{- if and .credentials.password  (not .credentials.username ) }}
+  {{- fail "When using http git password, username must be specified" }}
+  {{- end }}
+  {{- if and .credentials.username .credentials.password }} 
  username: {{ .credentials.username | b64enc }}
  password: {{ .credentials.password | b64enc }}
+  {{- end }}
  {{- else }}
  {{- if not (and (and .credentials.privateKey .credentials.publicKey) .credentials.knownHosts) }}
  {{- fail "When using ssh git credentials, privateKey, publicKey, and knownHosts must all be specified" }}

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -30,7 +30,7 @@ openshift: false
 # -- Git credential settings for accessing private repositories
 # Order of precedence is:
 #   1. existingSecret
-#   2. http credentials (username/password)
+#   2. http credentials (username/password/caFile)
 #   3. ssh credentials (privateKey/publicKey/knownHosts)
 git:
  # -- Existing secret to use for git credentials, must be in the appropriate format: https://toolkit.fluxcd.io/components/source/gitrepositories/#https-authentication
@@ -41,7 +41,8 @@ git:
    # -- HTTP git credentials, both username and password must be provided
    username: ""
    password: ""
-
+    # -- HTTPS certificate authority file.  Required for any repo with a self signed certificate
+    caFile: ""
    # -- SSH git credentials, privateKey, publicKey, and knownHosts must be provided
    privateKey: ""
    publicKey: ""