Is there any plan to add mTLS support in the future?

No plans to implement mTLS anytime soon. I suggest using OCIRepository instead of Git. We do support mTLS for container registries.

On git push to the Flux Git repository, you would run flux push artifact in CI to publish the repo content to the container registry where the cluster has access.

On the cluster you would deploy Flux Operator and configure a FluxInstance that syncs the desired state from the container registry. Example here: https://fluxcd.control-plane.io/operator/flux-sync/#sync-from-a-container-registry

thanks for the reply, unfortunately I'm looking to use GitRepository.

Found this old PR that actually does what I want: #1302

Was that PR ever considered/discussed to be added?

After consulting with the go-git maintainers we've devised a plan for what's required to implement mTLS for Git operations in Flux.

• github.com/go-git/go-git
  • Add ClientCert []byte and ClientKey []byte to all the go-git Options following the CABundle implementation from https://github.com/go-git/go-git/pull/228/files
• github.com/fluxcd/pkg/git
  • Add ClientCert []byte and ClientKey []byte to the AuthOptions in pkg/git and map to the go-git options in pkg/git/gogit
• github.com/fluxcd/source-controller
  • Load the client certs from GitRepository.spec.secretRef and pass it to the fluxcd/pkg/git client
• github.com/fluxcd/image-automation-controller
  • Load the client certs by following the ImageUpdateAutomation.spec.sourceRef -> GitRepository.spec.secretRef and pass it to the fluxcd/pkg/git client

mTLS support is being added to go-git in go-git/go-git#1510