updated docs

adwk67 · adwk67 · commit 5296c52cc2ee · 2026-03-02T14:45:00.000+01:00
diff --git a/docs/modules/airflow/examples/example-airflow-gitsync-https.yaml b/docs/modules/airflow/examples/example-airflow-gitsync-https.yaml
@@ -23,7 +23,11 @@ spec:
           # --rev: git-sync-tag # N.B. tag must be covered by "depth" (the number of commits to clone)
           # --rev: 39ee3598bd9946a1d958a448c9f7d3774d7a8043 # N.B. commit must be covered by "depth"
           # --git-config: http.sslCAInfo:/tmp/ca-cert/ca.crt # N.B. this will trigger a warning if caCertSecretName is also supplied
-        caCertSecretName: git-ca-cert # <11>
+        tls:
+          verification:
+            server:
+              caCert:
+                secretClass: git-ca-cert # <11>
   webservers:
     ...
 ---
diff --git a/docs/modules/airflow/pages/usage-guide/mounting-dags.adoc b/docs/modules/airflow/pages/usage-guide/mounting-dags.adoc
@@ -69,8 +69,11 @@ include::example$example-airflow-gitsync-https.yaml[]
     If a tag or commit hash is specified, then git-sync recognizes this and does not perform further cloning.
     Git-sync settings can be provided inline, although some of these (`--dest`, `--root`) are specified internally in the operator and are ignored if provided by the user.
     Git-config settings can also be specified, although a warning is logged if `safe.directory` is specified as this is defined internally, and should not be defined by the user.
-<11> An optional secret used for holding CA certificates that will be used to verify the git server's TLS certificate by passing it to the git config option `http.sslCAInfo` passed with the gitsync command.
-    The secret must have a key named `ca.crt` whose value is the PEM-encoded certificate bundle.
+<11> An optional reference to the SecretClass used for holding CA certificates that will be used to verify the git server's TLS certificate by passing it to the git config option `http.sslCAInfo` passed with the gitsync command.
+    The associated secret must have a key named `ca.crt` whose value is the PEM-encoded certificate bundle.
+    If this field is set to `webPki: {}` or is omitted altogether, then no changes will be made to the gitsync command and it will default to presenting no certificate to the backend.
+    Omitting this field is non-breaking behaviour and as such it does *not* set `http.sslverify` to `false` as disabling security checks should be a last resort and not something activated by default.
+    This can still be achieved by passing `--git-config: http.sslverify=false` explicitly.
 
 .git-sync usage example: ssh
 [source,yaml]
