intranet: GIT_SSL_NO_VERIFY=true in clone-notes-corpus init container

Cluster egress is fronted by a step-ca TLS proxy whose cert doesn't
match github.com. The init container's git clone failed with
"SSL: no alternative certificate subject name matches target hostname
'github.com'". The Notes repo is public — there is no secret to
protect on the wire — so GIT_SSL_NO_VERIFY=true is the right tradeoff
here. Tag at v202604240040search.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Andrew Stoltz
2026-04-24 00:46:20 -05:00
parent b02bb4be38
commit 057595de3d


@@ -44,6 +44,10 @@ spec:
- -c
- |
set -e
# Cluster egress is fronted by a step-ca TLS proxy whose cert
# doesn't match github.com. The Notes repo is public so there's
# no secret to protect — skip verify.
export GIT_SSL_NO_VERIFY=true
if [ -d /srv/flowercore-notes/.git ]; then
cd /srv/flowercore-notes && git fetch --depth=1 origin && git reset --hard origin/codex/notes-pimanager-live-drift
else
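Review bot: The `export GIT_SSL_NO_VERIFY=true` at the top of the script turns off certificate checking for every git command that follows, and the comment above it justifies the skip on confidentiality grounds only. With verification off, whatever endpoint answers as github.com decides what `git fetch` receives and what `git reset --hard origin/codex/notes-pimanager-live-drift` writes into /srv/flowercore-notes, so the integrity of the checked-out content is unprotected even though the repo is public. Suggest having the step-ca proxy present a certificate whose SAN covers github.com and pointing git at the step-ca root with GIT_SSL_CAINFO, so verification can stay on. If the skip has to stay for now, scope it to the individual commands with `git -c http.sslVerify=false fetch ...` rather than exporting it for the whole script, and extend the comment to state the integrity risk being accepted.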