add flag --ca-crt-file to flux create secret git

Add flag `--ca-crt-file` to `flux create secret git` to specify the path
to CA certificate. It takes precedence over `--ca-file` and uses the
key `ca.crt` in the generated Secret.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>

cmd/flux/create_secret_git.go

@@ -88,6 +88,7 @@ type secretGitFlags struct {
 	rsaBits        flags.RSAKeyBits
 	ecdsaCurve     flags.ECDSACurve
 	caFile         string
+	caCrtFile      string
 	privateKeyFile string
 	bearerToken    string
 }
@@ -102,6 +103,7 @@ func init() {
 	createSecretGitCmd.Flags().Var(&secretGitArgs.rsaBits, "ssh-rsa-bits", secretGitArgs.rsaBits.Description())
 	createSecretGitCmd.Flags().Var(&secretGitArgs.ecdsaCurve, "ssh-ecdsa-curve", secretGitArgs.ecdsaCurve.Description())
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caFile, "ca-file", "", "path to TLS CA file used for validating self-signed certificates")
+	createSecretGitCmd.Flags().StringVar(&secretGitArgs.caCrtFile, "ca-crt-file", "", "path to TLS CA certificate file used for validating self-signed certificates; takes precedence over --ca-file")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.privateKeyFile, "private-key-file", "", "path to a passwordless private key file used for authenticating to the Git SSH server")
 	createSecretGitCmd.Flags().StringVar(&secretGitArgs.bearerToken, "bearer-token", "", "bearer authentication token")
 
@@ -160,12 +162,18 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		if secretGitArgs.username != "" && secretGitArgs.password != "" && secretGitArgs.bearerToken != "" {
 			return fmt.Errorf("user credentials and bearer token cannot be used together")
 		}
-		if secretGitArgs.caFile != "" {
+
-			caBundle, err := os.ReadFile(secretGitArgs.caFile)
+		// --ca-crt-file takes precedence over --ca-file.
+		if secretGitArgs.caCrtFile != "" {
+			opts.CACrt, err = os.ReadFile(secretGitArgs.caCrtFile)
+			if err != nil {
+				return fmt.Errorf("unable to read TLS CA file: %w", err)
+			}
+		} else if secretGitArgs.caFile != "" {
+			opts.CAFile, err = os.ReadFile(secretGitArgs.caFile)
 			if err != nil {
 				return fmt.Errorf("unable to read TLS CA file: %w", err)
 			}
-			opts.CAFile = caBundle
 		}
 	default:
 		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)

cmd/flux/create_secret_git_test.go

@@ -1,10 +1,21 @@
 package main
 
 import (
+	"fmt"
+	"os"
 	"testing"
 )
 
 func TestCreateGitSecret(t *testing.T) {
+	file, err := os.CreateTemp(t.TempDir(), "ca-crt")
+	if err != nil {
+		t.Fatal("could not create CA certificate file")
+	}
+	_, err = file.Write([]byte("ca-data"))
+	if err != nil {
+		t.Fatal("could not write to CA certificate file")
+	}
+
 	tests := []struct {
 		name   string
 		args   string
@@ -35,6 +46,11 @@ func TestCreateGitSecret(t *testing.T) {
 			args:   "create secret git bearer-token-auth --url=https://github.com/stefanprodan/podinfo --bearer-token=ghp_baR2qnFF0O41WlucePL3udt2N9vVZS4R0hAS --namespace=my-namespace --export",
 			assert: assertGoldenFile("testdata/create_secret/git/git-bearer-token.yaml"),
 		},
+		{
+			name:   "git authentication with CA certificate",
+			args:   fmt.Sprintf("create secret git ca-crt --url=https://github.com/stefanprodan/podinfo --password=my-password --username=my-username --ca-crt-file=%s --namespace=my-namespace --export", file.Name()),
+			assert: assertGoldenFile("testdata/create_secret/git/secret-ca-crt.yaml"),
+		},
 		{
 			name:   "git authentication with basic auth and bearer token",
 			args:   "create secret git podinfo-auth --url=https://github.com/stefanprodan/podinfo --username=aaa --password=zzzz --bearer-token=aaaa --namespace=my-namespace --export",

cmd/flux/testdata/create_secret/git/secret-ca-crt.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-crt
+  namespace: my-namespace
+stringData:
+  ca.crt: ca-data
+  password: my-password
+  username: my-username
+