Add support for mTLS to GitHub App transport #1160
Merged
+209
−27
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
abhijith-darshan
force-pushed
the
feat/gh_app_tls
branch
from
6699497 to
545f697
Compare
abhijith-darshan
force-pushed
the
feat/gh_app_tls
branch
3 times, most recently
from
41a8320 to
cb7dd16
Compare
matheuscscp
reviewed
Aug 16, 2025
|
This is looking good, thanks! Please add docs and amend the commit message to match the PR title 🙏 |
abhijith-darshan
force-pushed
the
feat/gh_app_tls
branch
from
cb7dd16 to
6ed456c
Compare
matheuscscp
reviewed
Aug 18, 2025
This commit ensures that if GitHub app secret data contains ca.crt then a TLS config with user provided custom ca is used in the underlying HTTP transports. The ca.crt in GitHub App secretRef is ignored if certSecretRef is also provided. Signed-off-by: abhijith-darshan <[email protected]> (chore): keep Makefile in sync with other controllers Signed-off-by: abhijith-darshan <[email protected]> (chore): use proper func naming format Signed-off-by: abhijith-darshan <[email protected]> (chore): revert Makefile changes Signed-off-by: abhijith-darshan <[email protected]> (chore): add get secret helper This commit creates a getSecret helper func which can be used to resolve secret. createNotifier re-uses this helper func to extract and pass secrets down to other methods Signed-off-by: abhijith-darshan <[email protected]> (chore): adds tls test cases Signed-off-by: abhijith-darshan <[email protected]> (chore): remove debug logs Signed-off-by: abhijith-darshan <[email protected]> (chore): adds documentation Signed-off-by: abhijith-darshan <[email protected]> (chore): update docs with mTLS info Signed-off-by: abhijith-darshan <[email protected]>
abhijith-darshan
force-pushed
the
feat/gh_app_tls
branch
from
6ed456c to
4eae0d3
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
notification-controllercurrently generates a TLS config for the underlyingHTTPtransport ifProviderspec contains acertSecretRef.Related to the following issues, notification-controller will also use the TLS config for mTLS GitHub App scenarios as well -
git/github: Add support for mTLS to GitHub App transport pkg#999
Add support for mTLS to GitHub App transport source-controller#1860
Add support for mTLS to GitHub App transport image-automation-controller#947
.spec.certSecretRefis the default choice for extracting theca.crt.If the
ca.crtis present in both.spec.certSecretRefand.spec.secretRefthen.spec.certSecretReftakes the higher precedence.The
ca.crtin.spec.secretRefis only consider if the provider is of one of thegittypes andcertSecretRefis not specified in the spec.example:
TODOS:
ca.crtfor TLS config should be generated from.spec.certSecretRefand if not specified then it should attempt to generate TLS config from.spec.secretRef(only if the provider is one of thegittypes)ca.crtpreference