gitrepo: add support for specifying CA data via ca.crt

aryan9600 · aryan9600 · commit bba3179c6caf · 2023-08-10T13:49:27.000+05:30
Check the auth secret for the `ca.crt` key for CA certificate data.
`ca.crt` takes precdence over `caFile`.

Signed-off-by: Sanskar Jaiswal &lt;jaiswalsanskar078@gmail.com&gt;
diff --git a/docs/spec/v1/gitrepositories.md b/docs/spec/v1/gitrepositories.md
@@ -161,8 +161,9 @@ data:
 #### HTTPS Certificate Authority
 
 To provide a Certificate Authority to trust while connecting with a Git
-repository over HTTPS, the referenced Secret can contain a `.data.caFile`
-value.
+repository over HTTPS, the referenced Secret's `.data` can contain a `ca.crt`
+or `caFile` key. `ca.crt` takes precedence over `caFile`, i.e. if both keys 
+are present, the value of `ca.crt` will be taken into consideration.
 
 ```yaml
 ---
@@ -173,7 +174,7 @@ metadata:
   namespace: default
 type: Opaque
 data:
-  caFile: <BASE64>
+  ca.crt: <BASE64>
 ```
 
 #### SSH authentication
diff --git a/internal/controller/gitrepository_controller.go b/internal/controller/gitrepository_controller.go
@@ -646,6 +646,13 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1
 	if err != nil {
 		return nil, err
 	}
+
+	// `git.NewAuthOptions()` populates the CA cert data by checking for the `caFile` key.
+	// Since, `ca.crt` takes precedence, check for its presence here and override the CA
+	// certificate, if found.
+	if ca, ok := authData["ca.crt"]; ok {
+		authOpts.CAFile = ca
+	}
 	return authOpts, nil
 }
 
diff --git a/internal/controller/gitrepository_controller_test.go b/internal/controller/gitrepository_controller_test.go
@@ -386,6 +386,32 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
 			},
 		},
+		{
+			name:     "HTTPS with CAFile secret with both ca.crt and caFile keys makes Reconciling=True and ignores caFile",
+			protocol: "https",
+			server: options{
+				publicKey:  tlsPublicKey,
+				privateKey: tlsPrivateKey,
+				ca:         tlsCA,
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "ca-file",
+				},
+				Data: map[string][]byte{
+					"ca.crt": tlsCA,
+					"caFile": []byte("invalid"),
+				},
+			},
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.SecretRef = &meta.LocalObjectReference{Name: "ca-file"}
+			},
+			want: sreconcile.ResultSuccess,
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
+				*conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:<commit>'"),
+			},
+		},
 		{
 			name:     "HTTPS with invalid CAFile secret makes CheckoutFailed=True and returns error",
 			protocol: "https",

Original file line number	Diff line number	Diff line change
`@@ -646,6 +646,13 @@ func (r GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj sourcev1`
`646`	`646`	`if err != nil {`
`647`	`647`	`return nil, err`
`648`	`648`	`}`
	`649`	`+`
	`650`	+ // `git.NewAuthOptions()` populates the CA cert data by checking for the `caFile` key.
	`651`	+ // Since, `ca.crt` takes precedence, check for its presence here and override the CA
	`652`	`+ // certificate, if found.`
	`653`	`+ if ca, ok := authData["ca.crt"]; ok {`
	`654`	`+ authOpts.CAFile = ca`
	`655`	`+ }`
`649`	`656`	`return authOpts, nil`
`650`	`657`	`}`
`651`	`658`