OpenShift GitOps operator 1.20.2 introduces a new `systemCATrust` configuration option that allows injecting custom TLS certificates directly into the CA bundle used by Argo CD's repository server and config management plugins. This addresses limitations of the existing certificate pinning approach, particularly for internal CAs, wildcard certificates, and indirect TLS connections made during manifest generation (e.g., Helm dependency fetching, Kustomize external files). The feature supports reading PEM-encoded certificates from Kubernetes Secrets or ConfigMaps, and optionally dropping the default Mozilla CA bundle entirely for strict source control. The post explains when to use bundle injection versus certificate pinning and how to combine both approaches for fine-grained TLS trust management.
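As an added illustration, not code from the OpenShift GitOps operator or Argo CD, the Go program below models what bundle injection changes for the repository server's outbound TLS checks: `BuildTrust` assembles the CA bundle from the PEM that would come from a Secret or ConfigMap, either appended to the host's default roots or, when the default bundle is dropped, trusted on its own, and `Trusts` is the verification an HTTPS client such as a Helm dependency fetch performs. `MintCert` and the hostnames are constructed fixtures assumed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MintCert is a constructed fixture: a self-signed CA when parent is nil, otherwise a server leaf signed by parent.
func MintCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{cn}, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign the CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildTrust assembles the bundle: the injected PEM (the Secret/ConfigMap value) appended to the
// default roots, or to an empty pool when the default bundle is dropped (only injected roots are trusted).
func BuildTrust(injectedPEM []byte, dropDefault bool) *x509.CertPool {
	pool, err := x509.SystemCertPool() // stands in for the default Mozilla bundle
	if dropDefault || err != nil {
		pool = x509.NewCertPool() // strict source control: nothing but the injected PEM
	}
	pool.AppendCertsFromPEM(injectedPEM)
	return pool
}
// Trusts reports whether leaf chains to a root in the bundle for host, the check an HTTPS client makes.
func Trusts(pool *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	ca, caKey := MintCert("internal-root-ca", true, nil, nil)
	leaf, _ := MintCert("charts.internal.example", false, ca, caKey)
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	fmt.Println("injected:", Trusts(BuildTrust(caPEM, true), leaf, "charts.internal.example"), "not injected:", Trusts(BuildTrust(nil, true), leaf, "charts.internal.example"))
}
```

The first call succeeds only because the internal root was injected; the second fails because a strict bundle without that root has nothing to chain the leaf to, which is the failure mode internal CAs hit before this option existed.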