Accept Custom Certificate for GitHub App authentication to private Git repositories in source-controller #1858

@abhijith-darshan

Description

Related to fluxcd/pkg#998

Context:

The above issue explains that some enterprise GitHub instances need a custom root CA to be provided for the my.enterprise.git.com/api/v3 endpoint when retrieving an installation token.

While this is supported for the generic provider (git) with username and PAT, it is missing for `provider: github`.

Solution:

Option 1:

```go
// Configure authentication strategy to access the source
opts, err := git.NewAuthOptions(u, authData)
....
case sourcev1.GitProviderGitHub:
....
	getCreds = func() (*authutils.GitCredentials, error) {
		var appOptions []github.OptFunc

		if len(authData) > 0 {
			appOptions = append(appOptions, github.WithAppData(authData))
		}

		......
		// new option to pass ca.crt / caFile if found in GitRepository secretRef
		if len(opts.CAFile) > 0 {
			appOptions = append(appOptions, github.WithCustomCA(opts.CAFile))
		}
		username, password, err := github.GetCredentials(ctx, appOptions...)
		if err != nil {
			return nil, err
		}
		return &authutils.GitCredentials{
			Username: username,
			Password: password,
		}, nil
	}
....
}
```

Option 2:

Modify source-controller deployment and mount the custom ca from a ConfigMap

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: flux-system

resources:
  - https://github.com/fluxcd/flux2/manifests/install?ref=v2.6.1
  - root-ca-cm.yaml

patches:
  # mount custom ca from a configMap
  - target:
      kind: Deployment
      name: source-controller
    patch: |
      - op: add
        path: /spec/template/spec/volumes/-
        value:
          name: root-ca
          configMap:
            name: root-ca-cm
      - op: add
        path: /spec/template/spec/containers/0/volumeMounts/-
        value:
          name: root-ca
          mountPath: /etc/ssl/certs/ca-certificates.crt
          subPath: ca-certificates.crt
          readOnly: true
```

  • Option 1 has the flexibility of passing such a custom certificate to other providers in the future
  • Option 2 involves modifying deployment manifests, which could result in a bit of DevOps work
