From 057595de3dbd1c13839bda1a225a4a8656af4c8c Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Fri, 24 Apr 2026 00:46:20 -0500
Subject: [PATCH] intranet: GIT_SSL_NO_VERIFY=true in clone-notes-corpus init container
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Cluster egress is fronted by a step-ca TLS proxy whose cert doesn't match github.com. The init container's git clone failed with "SSL: no alternative certificate subject name matches target hostname 'github.com'". The Notes repo is public — there is no secret to protect on the wire — so GIT_SSL_NO_VERIFY=true is the right tradeoff here. Tag at v202604240040search.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/intranet/intranet.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/apps/intranet/intranet.yaml b/apps/intranet/intranet.yaml
index 597fe10..964ab5e 100644
--- a/apps/intranet/intranet.yaml
+++ b/apps/intranet/intranet.yaml
@@ -44,6 +44,10 @@ spec:
 - -c
 - |
 set -e
+ # Cluster egress is fronted by a step-ca TLS proxy whose cert
+ # doesn't match github.com. The Notes repo is public so there's
+ # no secret to protect — skip verify.
+ export GIT_SSL_NO_VERIFY=true
 if [ -d /srv/flowercore-notes/.git ]; then
 cd /srv/flowercore-notes && git fetch --depth=1 origin && git reset --hard origin/codex/notes-pimanager-live-drift
 else
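Review bot: `export GIT_SSL_NO_VERIFY=true` turns off server authentication for every git call in this init script, and the added comment's rationale covers only confidentiality: a public repo still needs integrity, because whatever answers as github.com supplies the tree that `git reset --hard` then places in /srv/flowercore-notes. Since the reported failure is a hostname mismatch rather than an unknown issuer, the durable fix is probably on the proxy side (a leaf certificate whose SAN covers github.com, or a bypass for that host), after which the script can keep verification on and trust the step-ca root with `export GIT_SSL_CAINFO=/path/to/step-ca-root.crt` (placeholder path). If the override has to stay for now, I would limit it to the single command with `git -c http.sslVerify=false fetch --depth=1 origin` and compare the fetched commit with a pinned SHA or a signed tag before the reset. The else branch of this script lies outside the hunk, so the clone path there would need the same treatment.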