bundlereader: merge PROXY_CA_BUNDLE into CABundle for HTTPS git clones #4919

Merged: p-se merged 1 commit into rancher:main from p-se:issue-4869-2 on Apr 7, 2026
@p-se p-se commented Mar 31, 2026

gitDownload now appends PROXY_CA_BUNDLE to auth.CABundle before passing the combined PEM to go-git's CloneOptions.CABundle, so that git::https:// repos cloned through an HTTPS proxy with a custom CA certificate are trusted. A defensive copy of auth.CABundle is made to avoid mutating the caller's slice.

Refers to #4869

Additional Information

Checklist

  • I have updated the documentation via a pull request in the fleet-product-docs repository.
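
The merge described in the comment above, sketched as an added example (not Fleet's code and not part of this thread). The helper names, the newline separator between bundles, and the PEM contents are assumptions constructed for illustration; it shows why the defensive copy matters when the caller's slice has spare capacity.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"fmt"
)

// mergeCABundles (hypothetical helper) returns base+extra in a fresh slice,
// so the caller's backing array is never written to.
func mergeCABundles(base, extra []byte) []byte {
	out := make([]byte, 0, len(base)+len(extra)+1)
	out = append(out, base...)
	// Assumption of this example: keep PEM blocks on separate lines.
	if len(out) > 0 && out[len(out)-1] != '\n' {
		out = append(out, '\n')
	}
	return append(out, extra...)
}

// naiveAppend is the pattern the defensive copy avoids.
func naiveAppend(base, extra []byte) []byte { return append(base, extra...) }

// countCerts counts CERTIFICATE PEM blocks in a bundle.
func countCerts(bundle []byte) (n int) {
	for {
		var b *pem.Block
		if b, bundle = pem.Decode(bundle); b == nil {
			return n
		}
		if b.Type == "CERTIFICATE" {
			n++
		}
	}
}

// samplePEM wraps constructed bytes in a PEM block (not a real certificate).
func samplePEM(label string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte(label)})
}

// callerDataSurvives hands merge a CA slice with spare capacity and reports
// whether the bytes stored right after it are still intact afterwards.
func callerDataSurvives(merge func(base, extra []byte) []byte) bool {
	repoCA, marker := samplePEM("constructed repo CA"), []byte("ADJACENT-DATA")
	backing := append(append(make([]byte, 0, 4096), repoCA...), marker...)
	merge(backing[:len(repoCA)], samplePEM("constructed proxy CA"))
	return bytes.HasSuffix(backing, marker)
}

func main() {
	merged := mergeCABundles(samplePEM("constructed repo CA"), samplePEM("constructed proxy CA"))
	fmt.Println("certs in merged bundle:", countCerts(merged))
	fmt.Println("defensive copy keeps caller data:", callerDataSurvives(mergeCABundles))
	fmt.Println("naive append keeps caller data:", callerDataSurvives(naiveAppend))
}
```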

@p-se p-se requested a review from a team as a code owner March 31, 2026 08:35
Copilot AI review requested due to automatic review settings March 31, 2026 08:35

Copilot AI left a comment

Pull request overview

Updates bundlereader’s go-git clone path to trust custom HTTPS proxy CAs by merging PROXY_CA_BUNDLE into the effective CA bundle passed to go-git, aligning helm.chart git downloads with existing proxy CA support elsewhere in the codebase.

Changes:

  • Append PROXY_CA_BUNDLE to auth.CABundle (via a defensive copy) before setting go-git CloneOptions.CABundle.
  • Expand/clarify gitDownload TLS/proxy behavior documentation.
  • Add unit tests covering PROXY_CA_BUNDLE-only and merged CA bundle scenarios.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| internal/bundlereader/gitclone.go | Merges PROXY_CA_BUNDLE into the CA bundle passed to go-git clone options. |
| internal/bundlereader/gitclone_test.go | Adds tests verifying PROXY_CA_BUNDLE merge behavior during TLS verification. |

Comment thread internal/bundlereader/gitclone.go Outdated
Comment thread internal/bundlereader/gitclone_test.go
@weyfonk weyfonk added this to Fleet Mar 31, 2026
@weyfonk weyfonk moved this to 👀 In review in Fleet Mar 31, 2026
@weyfonk weyfonk added this to the v2.15.0 milestone Mar 31, 2026
gitDownload now appends PROXY_CA_BUNDLE to auth.CABundle before passing
the combined PEM to go-git's CloneOptions.CABundle, so that git::https://
repos cloned through an HTTPS proxy with a custom CA certificate are
trusted. A defensive copy of auth.CABundle is made to avoid mutating the
caller's slice.
@p-se p-se merged commit aa2ccc8 into rancher:main Apr 7, 2026
22 checks passed
@github-project-automation github-project-automation Bot moved this from 👀 In review to ✅ Done in Fleet Apr 7, 2026