From 97b3e13396dd91dc67fe816822b2a857670b9215 Mon Sep 17 00:00:00 2001
From: xinhl
Date: Fri, 12 Jun 2026 17:30:13 +1000
Subject: [PATCH 1/2] feat(chart): add stores[].plainHttp for HTTP registries

Adds an opt-in plainHttp toggle on each store in the ratify-gatekeeper-provider Helm chart so the rendered Executor CR can talk to registries that do not serve TLS (e.g. local kind clusters and development registries). Defaults to false so existing deployments are unchanged.

Signed-off-by: xinhl
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 deployments/ratify-gatekeeper-provider/templates/executor.yaml | 3 +++
 deployments/ratify-gatekeeper-provider/values.yaml | 1 +
 2 files changed, 4 insertions(+)

diff --git a/deployments/ratify-gatekeeper-provider/templates/executor.yaml b/deployments/ratify-gatekeeper-provider/templates/executor.yaml
index 91b22b567..dd1121cb7 100644
--- a/deployments/ratify-gatekeeper-provider/templates/executor.yaml
+++ b/deployments/ratify-gatekeeper-provider/templates/executor.yaml
@@ -30,6 +30,9 @@ spec:
 username: "{{ .credential.username }}"
 password: "{{ .credential.password }}"
 {{- end }}
+ {{- if .plainHttp }}
+ plainHttp: true
+ {{- end }}
 {{- if eq (include "ratify.cosignConfigured" $root) "true" }}
 allowCosignTag: true
 {{- end }}
diff --git a/deployments/ratify-gatekeeper-provider/values.yaml b/deployments/ratify-gatekeeper-provider/values.yaml
index f9f704383..ccbbaf1dc 100644
--- a/deployments/ratify-gatekeeper-provider/values.yaml
+++ b/deployments/ratify-gatekeeper-provider/values.yaml
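Review bot: `{{- if .plainHttp }}` is a Go-template truthiness test, so a store whose `plainHttp` reaches the template as the string `"false"` (for example from a values file that quotes it) is treated as enabled and renders `plainHttp: true` into the Executor CR, silently turning off TLS for that store. Comparing a normalised value avoids that: `{{- if eq (toString .plainHttp) "true" }}`. The second patch's executor.yaml hunk keeps the same condition, so the change applies there as well. The enclosing block (apparently a `range` over the stores, given the `.credential` dot scope) begins above this hunk.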
@@ -43,6 +43,7 @@ cosign:
 stores:
 - scopes: []
+ plainHttp: false # set to true for registries that do not use TLS (e.g. local development)
 caBase64: "" # base64 encoded CA certificate, used for TLS verification, e.g. "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCg=="
 caPem: "" # PEM encoded CA certificate, used for TLS verification, e.g. "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----" # if both caBase64 and caPem are provided, caPem will be used

From 965f0feeb4f9b6ca001a98199c1acb8b0786c8b4 Mon Sep 17 00:00:00 2001
From: xinhl
Date: Wed, 17 Jun 2026 18:17:30 +1000
Subject: [PATCH 2/2] fix(chart): render registry store CA settings

Signed-off-by: xinhl
---
 .../ratify-gatekeeper-provider/templates/executor.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/deployments/ratify-gatekeeper-provider/templates/executor.yaml b/deployments/ratify-gatekeeper-provider/templates/executor.yaml
index dd1121cb7..d5eaea6bf 100644
--- a/deployments/ratify-gatekeeper-provider/templates/executor.yaml
+++ b/deployments/ratify-gatekeeper-provider/templates/executor.yaml
@@ -31,7 +31,17 @@ spec:
 password: "{{ .credential.password }}"
 {{- end }}
 {{- if .plainHttp }}
+ {{- if or .caBase64 .caPem }}
+ {{- fail (printf "store with scopes %v: plainHttp cannot be combined with caBase64/caPem (no TLS over plain HTTP)" .scopes) }}
+ {{- end }}
 plainHttp: true
+ {{- else }}
+ {{- if .caPem }}
+ caPem: {{ .caPem | quote }}
+ {{- end }}
+ {{- if .caBase64 }}
+ caBase64: {{ .caBase64 | quote }}
+ {{- end }}
 {{- end }}
 {{- if eq (include "ratify.cosignConfigured" $root) "true" }}
 allowCosignTag: true
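Review bot: The new guard rejects `caBase64`/`caPem` together with `plainHttp`, but the credential block closed by the `{{- end }}` at the top of the hunk is still rendered for a plain-HTTP store, so the `credential.password` emitted just above is sent to such a registry without TLS. At minimum the `plainHttp` comment added to values.yaml in the first patch should state this, e.g. `plainHttp: false # set to true for registries that do not use TLS (e.g. local development); a credential configured for such a store is sent unencrypted`, and if that combination is never intended a second `fail` mirroring the CA check (`{{- if and .plainHttp .credential }}`, with the exact field depending on the credential block, which starts outside the hunk) would enforce it. Separately, the `else` branch renders both `caPem` and `caBase64` when both are set, leaving the precedence to the Executor controller, while the values comment promises that caPem wins; either emit only `caPem` in that case or reword the values comment to say both are passed through.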