RedHatInsights · JuanmaBM · May 11, 2026 · May 11, 2026 · May 12, 2026 · May 13, 2026
diff --git a/apis/cloud.redhat.com/v1alpha1/clowdapp_types.go b/apis/cloud.redhat.com/v1alpha1/clowdapp_types.go
@@ -529,6 +529,22 @@ type ClowdAppSpec struct {
 	// will be added to the configuration when present.
 	OptionalDependencies []string `json:"optionalDependencies,omitempty"`
 
+	// Name of the CA certificate to use for TLS connections to dependencies.
+	// References a name from ClowdEnvironment.spec.providers.web.tls.certificateAuthorities.
+	// If omitted, uses default behavior (openshift-service-ca.crt).
+	// If set to "system-trust-store", uses container's system trust store (no CA mounted by Clowder).
+	// Cannot be used together with tlsCertificateAuthoritySecretRef.
+	// +optional
+	TLSCertificateAuthorityName *string `json:"tlsCertificateAuthorityName,omitempty"`
+
+	// Reference to a Secret containing custom CA certificates for TLS connections to dependencies.
+	// The Secret must exist in the same namespace as the ClowdApp.
+	// This allows apps to manage their own certificate trust list instead of using the
+	// environment's certificate authority bundle.
+	// Cannot be used together with tlsCertificateAuthorityName.
+	// +optional
+	TLSCertificateAuthoritySecretRef *v1.LocalObjectReference `json:"tlsCertificateAuthoritySecretRef,omitempty"`
+
 	// Iqe plugin and other specifics
 	Testing TestingSpec `json:"testing,omitempty"`
 

diff --git a/apis/cloud.redhat.com/v1alpha1/clowdapp_webhook.go b/apis/cloud.redhat.com/v1alpha1/clowdapp_webhook.go
@@ -57,6 +57,7 @@ func (i *ClowdApp) ValidateCreate(_ context.Context, obj runtime.Object) (admiss
 		validateSidecars,
 		validateInit,
 		validateDeploymentStrategy,
+		validateCertificateAuthority,
 	)
 }
 
@@ -73,6 +74,7 @@ func (i *ClowdApp) ValidateUpdate(_ context.Context, _ runtime.Object, newObj ru
 		validateSidecars,
 		validateInit,
 		validateDeploymentStrategy,
+		validateCertificateAuthority,
 	)
 }
 
@@ -191,3 +193,14 @@ func validateDeploymentStrategy(i *ClowdApp) field.ErrorList {
 	}
 	return allErrs
 }
+
+func validateCertificateAuthority(i *ClowdApp) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if i.Spec.TLSCertificateAuthorityName != nil && i.Spec.TLSCertificateAuthoritySecretRef != nil {
+		allErrs = append(allErrs, field.Forbidden(
+			field.NewPath("spec"),
+			"cannot specify both tlsCertificateAuthorityName and tlsCertificateAuthoritySecretRef, they are mutually exclusive"),
+		)
+	}
+	return allErrs
+}
diff --git a/apis/cloud.redhat.com/v1alpha1/clowdenvironment_types.go b/apis/cloud.redhat.com/v1alpha1/clowdenvironment_types.go
@@ -141,6 +141,12 @@ type TLS struct {
 
 	// Sets the private H2C port exposed for ClowdApp deployments' TLS connections. If unset, H2C TLS is disabled in the environment.
 	H2CPrivatePort int32 `json:"h2cPrivatePort,omitempty"`
+
+	// List of available CA certificates that ClowdApps can reference for TLS connections.
+	// ClowdApps can select from this list using the tlsCertificateAuthorityName field.
+	// The reserved name "system-trust-store" cannot be used in this list.
+	// +optional
+	CertificateAuthorities []NamespacedName `json:"certificateAuthorities,omitempty"`
 }
 
 // MetricsMode details the mode of operation of the Clowder Metrics Provider

diff --git a/apis/cloud.redhat.com/v1alpha1/zz_generated.deepcopy.go b/apis/cloud.redhat.com/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/cloud.redhat.com_clowdapprefs.yaml b/config/crd/bases/cloud.redhat.com_clowdapprefs.yaml
@@ -220,6 +220,26 @@ spec:
                       deployments in the remote cluster (default: use same values
                       as the ClowdEnvironment in local cluster)'
                     properties:
+                      certificateAuthorities:
+                        description: |-
+                          List of available CA certificates that ClowdApps can reference for TLS connections.
+                          ClowdApps can select from this list using the tlsCertificateAuthorityName field.
+                          The reserved name "system-trust-store" cannot be used in this list.
+                        items:
+                          description: NamespacedName type to represent a real Namespaced
+                            Name
+                          properties:
+                            name:
+                              description: Name defines the Name of a resource.
+                              type: string
+                            namespace:
+                              description: Namespace defines the Namespace of a resource.
+                              type: string
+                          required:
+                          - name
+                          - namespace
+                          type: object
+                        type: array
                       enabled:
                         description: Determines whether TLS is enabled for ClowdApp
                           deployments by default

diff --git a/config/crd/bases/cloud.redhat.com_clowdapps.yaml b/config/crd/bases/cloud.redhat.com_clowdapps.yaml
@@ -7152,6 +7152,33 @@ spec:
                 required:
                 - iqePlugin
                 type: object
+              tlsCertificateAuthorityName:
+                description: |-
+                  Name of the CA certificate to use for TLS connections to dependencies.
+                  References a name from ClowdEnvironment.spec.providers.web.tls.certificateAuthorities.
+                  If omitted, uses default behavior (openshift-service-ca.crt).
+                  If set to "system-trust-store", uses container's system trust store (no CA mounted by Clowder).
+                  Cannot be used together with tlsCertificateAuthoritySecretRef.
+                type: string
+              tlsCertificateAuthoritySecretRef:
+                description: |-
+                  Reference to a Secret containing custom CA certificates for TLS connections to dependencies.
+                  The Secret must exist in the same namespace as the ClowdApp.
+                  This allows apps to manage their own certificate trust list instead of using the
+                  environment's certificate authority bundle.
+                  Cannot be used together with tlsCertificateAuthorityName.
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
             required:
             - envName
             type: object

diff --git a/config/crd/bases/cloud.redhat.com_clowdenvironments.yaml b/config/crd/bases/cloud.redhat.com_clowdenvironments.yaml
@@ -1049,6 +1049,27 @@ spec:
                       tls:
                         description: TLS sidecar enablement
                         properties:
+                          certificateAuthorities:
+                            description: |-
+                              List of available CA certificates that ClowdApps can reference for TLS connections.
+                              ClowdApps can select from this list using the tlsCertificateAuthorityName field.
+                              The reserved name "system-trust-store" cannot be used in this list.
+                            items:
+                              description: NamespacedName type to represent a real
+                                Namespaced Name
+                              properties:
+                                name:
+                                  description: Name defines the Name of a resource.
+                                  type: string
+                                namespace:
+                                  description: Namespace defines the Namespace of
+                                    a resource.
+                                  type: string
+                              required:
+                              - name
+                              - namespace
+                              type: object
+                            type: array
                           enabled:
                             description: Determines whether TLS is enabled for ClowdApp
                               deployments by default

diff --git a/controllers/cloud.redhat.com/clowdenvironment_controller.go b/controllers/cloud.redhat.com/clowdenvironment_controller.go
@@ -42,6 +42,7 @@ import (
 	"github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/hashcache"
 
 	// These blank imports make the providers go wheeeeee
+	_ "github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/providers/certificateauthority"
 	_ "github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/providers/confighash"
 	_ "github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/providers/cronjob"
 	_ "github.com/RedHatInsights/clowder/controllers/cloud.redhat.com/providers/database"