From f0585d5880b7ed1fc0e234b1d60032bfd3e67e38 Mon Sep 17 00:00:00 2001 From: Sanskar Jaiswal Date: Tue, 8 Aug 2023 17:56:00 +0530 Subject: [PATCH] gitrepo: add support for specifying CA data via `ca.crt` Check the auth secret for the `ca.crt` key for CA certificate data. `ca.crt` takes precedence over `caFile`. Signed-off-by: Sanskar Jaiswal --- docs/spec/v1/gitrepositories.md | 7 ++--- go.mod | 4 ++- go.sum | 4 +-- .../controller/gitrepository_controller.go | 1 + .../gitrepository_controller_test.go | 26 +++++++++++++++++++ 5 files changed, 36 insertions(+), 6 deletions(-) diff --git a/docs/spec/v1/gitrepositories.md b/docs/spec/v1/gitrepositories.md index a5e4f74bf..543b90341 100644 --- a/docs/spec/v1/gitrepositories.md +++ b/docs/spec/v1/gitrepositories.md @@ -161,8 +161,9 @@ data: #### HTTPS Certificate Authority To provide a Certificate Authority to trust while connecting with a Git -repository over HTTPS, the referenced Secret can contain a `.data.caFile` -value. +repository over HTTPS, the referenced Secret's `.data` can contain a `ca.crt` +or `caFile` key. `ca.crt` takes precedence over `caFile`, i.e. if both keys +are present, the value of `ca.crt` will be taken into consideration. ```yaml --- @@ -173,7 +174,7 @@ metadata: namespace: default type: Opaque data: - caFile: + ca.crt: ``` #### SSH authentication diff --git a/go.mod b/go.mod index deb9676e0..9c8003459 100644 --- a/go.mod +++ b/go.mod @@ -14,6 +14,8 @@ replace github.com/opencontainers/go-digest => github.com/opencontainers/go-dige // Check again when oras.land/oras-go is updated, which is a dependency of Helm. replace github.com/docker/docker => github.com/docker/docker v23.0.6+incompatible +replace github.com/fluxcd/pkg/git => github.com/fluxcd/pkg/git v0.12.5-0.20230817140615-66fe41a41294 + require ( cloud.google.com/go/storage v1.31.0 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1
@@ -27,7 +29,7 @@ require ( github.com/docker/go-units v0.5.0 github.com/fluxcd/pkg/apis/event v0.5.2 github.com/fluxcd/pkg/apis/meta v1.1.2 - github.com/fluxcd/pkg/git v0.12.4 + github.com/fluxcd/pkg/git v0.12.5-0.20230817140615-66fe41a41294 github.com/fluxcd/pkg/git/gogit v0.12.1 github.com/fluxcd/pkg/gittestserver v0.8.5 github.com/fluxcd/pkg/helmtestserver v0.13.2 diff --git a/go.sum b/go.sum index a67f7533b..8c1a8625a 100644 --- a/go.sum +++ b/go.sum @@ -393,8 +393,8 @@ github.com/fluxcd/pkg/apis/event v0.5.2 h1:WtnCOeWglf7wR3dpyiWxb1JtYkw1G5OXcERb1 github.com/fluxcd/pkg/apis/event v0.5.2/go.mod h1:5l6SSxVTkqrXrYjgEqAajOOHkl4x0TPocAuSdu+3AEs= github.com/fluxcd/pkg/apis/meta v1.1.2 h1:Unjo7hxadtB2dvGpeFqZZUdsjpRA08YYSBb7dF2WIAM= github.com/fluxcd/pkg/apis/meta v1.1.2/go.mod h1:BHQyRHCskGMEDf6kDGbgQ+cyiNpUHbLsCOsaMYM2maI= -github.com/fluxcd/pkg/git v0.12.4 h1:COuVYUL+gqMOYAm6oD32Vwcmy/8WVsT/nMk8ps0lpJI= -github.com/fluxcd/pkg/git v0.12.4/go.mod h1:rKB1puk7sbC4AYF1oZDBrkvu3cr0aibkd4I5yNbxSQg= +github.com/fluxcd/pkg/git v0.12.5-0.20230817140615-66fe41a41294 h1:S3BGp89TNABBE17pb5n8WkijOCQkX6n2G30Nb/fXCj8= +github.com/fluxcd/pkg/git v0.12.5-0.20230817140615-66fe41a41294/go.mod h1:rKB1puk7sbC4AYF1oZDBrkvu3cr0aibkd4I5yNbxSQg= github.com/fluxcd/pkg/git/gogit v0.12.1 h1:06jzHOTntYN5xCSQvyFXtLXdqoP8crLh7VYgtXS9+wo= github.com/fluxcd/pkg/git/gogit v0.12.1/go.mod h1:Z4Ysp8VifKTvWpjJMKncJsgb2iBqHuIeK80VGjlU41Y= github.com/fluxcd/pkg/gittestserver v0.8.5 h1:EGqDF4240xPRgW1FFrQAs0Du7fZb8OGXC5qKDIqyXD8= diff --git a/internal/controller/gitrepository_controller.go b/internal/controller/gitrepository_controller.go index e74ed34a7..5fbbf16cf 100644 --- a/internal/controller/gitrepository_controller.go +++ b/internal/controller/gitrepository_controller.go @@ -646,6 +646,7 @@ func (r *GitRepositoryReconciler) getAuthOpts(ctx context.Context, obj *sourcev1 if err != nil { return nil, err } + return authOpts, nil } 
diff --git a/internal/controller/gitrepository_controller_test.go b/internal/controller/gitrepository_controller_test.go
index a7740fe40..828f7c16a 100644
--- a/internal/controller/gitrepository_controller_test.go
+++ b/internal/controller/gitrepository_controller_test.go
@@ -386,6 +386,32 @@ func TestGitRepositoryReconciler_reconcileSource_authStrategy(t *testing.T) {
 *conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:'"),
 },
 },
+ {
+ name: "HTTPS with CAFile secret with both ca.crt and caFile keys makes Reconciling=True and ignores caFile",
+ protocol: "https",
+ server: options{
+ publicKey: tlsPublicKey,
+ privateKey: tlsPrivateKey,
+ ca: tlsCA,
+ },
+ secret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "ca-file",
+ },
+ Data: map[string][]byte{
+ "ca.crt": tlsCA,
+ "caFile": []byte("invalid"),
+ },
+ },
+ beforeFunc: func(obj *sourcev1.GitRepository) {
+ obj.Spec.SecretRef = &meta.LocalObjectReference{Name: "ca-file"}
+ },
+ want: sreconcile.ResultSuccess,
+ assertConditions: []metav1.Condition{
+ *conditions.TrueCondition(meta.ReconcilingCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:'"),
+ *conditions.UnknownCondition(meta.ReadyCondition, meta.ProgressingReason, "building artifact: new upstream revision 'master@sha1:'"),
+ },
+ },
 {
 name: "HTTPS with invalid CAFile secret makes CheckoutFailed=True and returns error",
 protocol: "https",
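Review bot: The new case pins `ca.crt` precedence only in the direction where `caFile` is unparseable and `ca.crt` is valid, so an implementation that merely fell back to `caFile` whenever `ca.crt` failed to load would pass it just as well. A mirrored case with `"ca.crt": []byte("invalid")` and `"caFile": tlsCA`, expecting the same CheckoutFailed outcome as the existing "HTTPS with invalid CAFile secret" case, would confirm that `ca.crt` is authoritative rather than merely preferred; this matters because a silent fallback would make the trusted CA depend on which key happens to parse. The precedence logic itself appears to live in the `github.com/fluxcd/pkg/git` bump in go.mod rather than in this repository, since the controller hunk only adds whitespace, so this table entry is the only in-tree check of the behaviour and is worth making two-sided.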