diff --git a/CHANGELOG.md b/CHANGELOG.md
index b9fa1b14..13a8946a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
   - GitSync considered for v1alpha1 and v1alpha2
 - Support objectOverrides using `.spec.objectOverrides`.
   See [objectOverrides concepts page](https://docs.stackable.tech/home/nightly/concepts/overrides/#object-overrides) for details ([#726]).
+- Support for passing CAs to GitSync ([#750]).
 
 ### Changed
 
@@ -28,6 +29,7 @@
 [#734]: https://github.com/stackabletech/airflow-operator/pull/734
 [#741]: https://github.com/stackabletech/airflow-operator/pull/741
 [#742]: https://github.com/stackabletech/airflow-operator/pull/742
+[#750]: https://github.com/stackabletech/airflow-operator/pull/750
 
 ## [25.11.0] - 2025-11-07
 
diff --git a/Cargo.lock b/Cargo.lock
index 59c59d41..be38fc91 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -97,9 +97,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.101"
+version = "1.0.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f0e0fee31ef5ed1ba1316088939cea399010ed7731dba877ed44aeb407a75ea"
+checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 
 [[package]]
 name = "arc-swap"
@@ -141,7 +141,7 @@ checksum = "c7c24de15d275a1ecfd47a380fb4d5ec9bfe0933f309ed5e705b775596a3574d"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -152,7 +152,7 @@ checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -290,9 +290,9 @@ dependencies = [
 
 [[package]]
 name = "bumpalo"
-version = "3.20.1"
+version = "3.20.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c6f81257d10a0f602a294ae4182251151ff97dbb504ef9afcdda4a64b24d9b4"
+checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
 
 [[package]]
 name = "bytes"
@@ -331,9 +331,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.59"
+version = "4.5.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5caf74d17c3aec5495110c34cc3f78644bfa89af6c8993ed4de2790e49b6499"
+checksum = "2797f34da339ce31042b27d23607e051786132987f595b02ba4f6a6dffb7030a"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -341,9 +341,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.59"
+version = "4.5.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "370daa45065b80218950227371916a1633217ae42b2715b2287b606dcd618e24"
+checksum = "24a241312cea5059b13574bb9b3861cabf758b879c15190b37b6d6fd63ab6876"
 dependencies = [
  "anstream",
  "anstyle",
@@ -360,7 +360,7 @@ dependencies = [
  "heck",
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -519,7 +519,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "strsim",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -530,7 +530,7 @@ checksum = "ac3984ec7bd6cfa798e62b4a642426a5be0e68f9401cfc2a01e3fa9ea2fcdb8d"
 dependencies = [
  "darling_core",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -541,7 +541,7 @@ checksum = "780eb241654bf097afb00fc5f054a09b687dad862e485fdcf8399bb056565370"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -565,7 +565,7 @@ checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -595,7 +595,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "rustc_version",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -618,7 +618,7 @@ checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -670,7 +670,7 @@ dependencies = [
  "enum-ordinalize",
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -734,7 +734,7 @@ checksum = "8ca9601fb2d62598ee17836250842873a413586e5d7ed88b356e38ddbb0ec631"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -906,7 +906,7 @@ checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -1422,7 +1422,7 @@ checksum = "f7946b4325269738f270bb55b3c19ab5c5040525f83fd625259422a9d25d9be5"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -1511,7 +1511,7 @@ dependencies = [
 [[package]]
 name = "k8s-version"
 version = "0.1.3"
-source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#2ba637e9d72e8b82adc6b5f370211ba9563c136d"
+source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#8892204f9988527bb598df7a36703e4da2ff3066"
 dependencies = [
  "darling",
  "regex",
@@ -1592,7 +1592,7 @@ dependencies = [
  "quote",
  "serde",
  "serde_json",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2013,7 +2013,7 @@ dependencies = [
  "pest_meta",
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2043,7 +2043,7 @@ checksum = "6e918e4ff8c4549eb882f14b3a4bc8c8bc93de829416eacf579f1207a8fbf861"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2187,7 +2187,7 @@ dependencies = [
  "itertools",
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2289,7 +2289,7 @@ checksum = "b7186006dcb21920990093f30e3dea63b7d6e977bf1256be20c3563a5db070da"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2431,7 +2431,7 @@ dependencies = [
  "regex",
  "relative-path",
  "rustc_version",
- "syn 2.0.116",
+ "syn 2.0.117",
  "unicode-ident",
 ]
 
@@ -2535,7 +2535,7 @@ dependencies = [
  "proc-macro2",
  "quote",
  "serde_derive_internals",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2569,9 +2569,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework"
-version = "3.6.0"
+version = "3.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d17b898a6d6948c3a8ee4372c17cb384f90d2e6e912ef00895b14fd7ab54ec38"
+checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
 dependencies = [
  "bitflags",
  "core-foundation",
@@ -2582,9 +2582,9 @@ dependencies = [
 
 [[package]]
 name = "security-framework-sys"
-version = "2.16.0"
+version = "2.17.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "321c8673b092a9a42605034a9879d73cb79101ed5fd117bc9a597b89b4e9e61a"
+checksum = "6ce2691df843ecc5d231c0b14ece2acc3efb62c0a398c7e1d875f3983ce020e3"
 dependencies = [
  "core-foundation-sys",
  "libc",
@@ -2633,7 +2633,7 @@ checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2644,7 +2644,7 @@ checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2810,7 +2810,7 @@ dependencies = [
  "heck",
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -2873,7 +2873,7 @@ dependencies = [
 [[package]]
 name = "stackable-certs"
 version = "0.4.0"
-source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#2ba637e9d72e8b82adc6b5f370211ba9563c136d"
+source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#8892204f9988527bb598df7a36703e4da2ff3066"
 dependencies = [
  "const-oid",
  "ecdsa",
@@ -2897,7 +2897,7 @@ dependencies = [
 [[package]]
 name = "stackable-operator"
 version = "0.106.1"
-source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#2ba637e9d72e8b82adc6b5f370211ba9563c136d"
+source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#8892204f9988527bb598df7a36703e4da2ff3066"
 dependencies = [
  "clap",
  "const_format",
@@ -2936,18 +2936,18 @@ dependencies = [
 [[package]]
 name = "stackable-operator-derive"
 version = "0.3.1"
-source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#2ba637e9d72e8b82adc6b5f370211ba9563c136d"
+source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#8892204f9988527bb598df7a36703e4da2ff3066"
 dependencies = [
  "darling",
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
 name = "stackable-shared"
 version = "0.1.0"
-source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#2ba637e9d72e8b82adc6b5f370211ba9563c136d"
+source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#8892204f9988527bb598df7a36703e4da2ff3066"
 dependencies = [
  "jiff",
  "k8s-openapi",
@@ -2964,7 +2964,7 @@ dependencies = [
 [[package]]
 name = "stackable-telemetry"
 version = "0.6.1"
-source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#2ba637e9d72e8b82adc6b5f370211ba9563c136d"
+source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#8892204f9988527bb598df7a36703e4da2ff3066"
 dependencies = [
  "axum",
  "clap",
@@ -2988,7 +2988,7 @@ dependencies = [
 [[package]]
 name = "stackable-versioned"
 version = "0.8.3"
-source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#2ba637e9d72e8b82adc6b5f370211ba9563c136d"
+source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#8892204f9988527bb598df7a36703e4da2ff3066"
 dependencies = [
  "schemars",
  "serde",
@@ -3001,7 +3001,7 @@ dependencies = [
 [[package]]
 name = "stackable-versioned-macros"
 version = "0.8.3"
-source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#2ba637e9d72e8b82adc6b5f370211ba9563c136d"
+source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#8892204f9988527bb598df7a36703e4da2ff3066"
 dependencies = [
  "convert_case",
  "convert_case_extras",
@@ -3013,13 +3013,13 @@ dependencies = [
  "kube",
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
 name = "stackable-webhook"
 version = "0.9.0"
-source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#2ba637e9d72e8b82adc6b5f370211ba9563c136d"
+source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#8892204f9988527bb598df7a36703e4da2ff3066"
 dependencies = [
  "arc-swap",
  "async-trait",
@@ -3071,7 +3071,7 @@ dependencies = [
  "heck",
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3093,9 +3093,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.116"
+version = "2.0.117"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3119,7 +3119,7 @@ checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3148,7 +3148,7 @@ checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3159,7 +3159,7 @@ checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3230,7 +3230,7 @@ checksum = "2d2e76690929402faae40aebdda620a2c0e25dd6d3b9afe48867dfd95991f4bd"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3258,7 +3258,7 @@ checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3328,9 +3328,9 @@ dependencies = [
 
 [[package]]
 name = "tonic"
-version = "0.14.4"
+version = "0.14.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f32a6f80051a4111560201420c7885d0082ba9efe2ab61875c587bb6b18b9a0"
+checksum = "fec7c61a0695dc1887c1b53952990f3ad2e3a31453e1f49f10e75424943a93ec"
 dependencies = [
  "async-trait",
  "base64",
@@ -3355,9 +3355,9 @@ dependencies = [
 
 [[package]]
 name = "tonic-prost"
-version = "0.14.4"
+version = "0.14.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f86539c0089bfd09b1f8c0ab0239d80392af74c21bc9e0f15e1b4aca4c1647f"
+checksum = "a55376a0bbaa4975a3f10d009ad763d8f4108f067c7c2e74f3001fb49778d309"
 dependencies = [
  "bytes",
  "prost",
@@ -3448,7 +3448,7 @@ checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3680,7 +3680,7 @@ dependencies = [
  "bumpalo",
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
  "wasm-bindgen-shared",
 ]
 
@@ -3734,7 +3734,7 @@ checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3745,7 +3745,7 @@ checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -3988,7 +3988,7 @@ checksum = "b659052874eb698efe5b9e8cf382204678a0086ebf46982b79d6ca3182927e5d"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
  "synstructure",
 ]
 
@@ -4009,7 +4009,7 @@ checksum = "4122cd3169e94605190e77839c9a40d40ed048d305bfdc146e7df40ab0f3e517"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -4029,7 +4029,7 @@ checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
  "synstructure",
 ]
 
@@ -4050,7 +4050,7 @@ checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
@@ -4083,7 +4083,7 @@ checksum = "eadce39539ca5cb3985590102671f2567e659fca9666581ad3411d59207951f3"
 dependencies = [
  "proc-macro2",
  "quote",
- "syn 2.0.116",
+ "syn 2.0.117",
 ]
 
 [[package]]
diff --git a/Cargo.nix b/Cargo.nix
index e285c842..8bb80ee6 100644
--- a/Cargo.nix
+++ b/Cargo.nix
@@ -327,14 +327,13 @@ rec {
       };
       "anyhow" = rec {
         crateName = "anyhow";
-        version = "1.0.101";
+        version = "1.0.102";
         edition = "2021";
-        sha256 = "1skmg90fnjnlgs3vl7bksw7036d3rqwqj20n2fxd2ppg67p0y3jz";
+        sha256 = "0b447dra1v12z474c6z4jmicdmc5yxz5bakympdnij44ckw2s83z";
         authors = [
           "David Tolnay <dtolnay@gmail.com>"
         ];
         features = {
-          "backtrace" = [ "dep:backtrace" ];
           "default" = [ "std" ];
         };
         resolvedDefaultFeatures = [ "default" "std" ];
@@ -435,7 +434,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" "visit-mut" ];
           }
         ];
@@ -462,7 +461,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             usesDefaultFeatures = false;
             features = [ "clone-impls" "full" "parsing" "printing" "proc-macro" "visit-mut" ];
           }
@@ -926,9 +925,9 @@ rec {
       };
       "bumpalo" = rec {
         crateName = "bumpalo";
-        version = "3.20.1";
+        version = "3.20.2";
         edition = "2021";
-        sha256 = "1d6r4i5sd96xzjdfy15mvfbzyl8i4n143blll81gd80hgljq2vsw";
+        sha256 = "1jrgxlff76k9glam0akhwpil2fr1w32gbjdf5hpipc7ld2c7h82x";
         authors = [
           "Nick Fitzgerald <fitzgen@gmail.com>"
         ];
@@ -1056,10 +1055,10 @@ rec {
       };
       "clap" = rec {
         crateName = "clap";
-        version = "4.5.59";
+        version = "4.5.60";
         edition = "2021";
         crateBin = [];
-        sha256 = "16b4kgj909yyshz9kj7nkalbyi46yz1lrhqha54wbbn32x6zgjn5";
+        sha256 = "02h3nzznssjgp815nnbzk0r62y2iw03kdli75c233kirld6z75r7";
         dependencies = [
           {
             name = "clap_builder";
@@ -1098,9 +1097,9 @@ rec {
       };
       "clap_builder" = rec {
         crateName = "clap_builder";
-        version = "4.5.59";
+        version = "4.5.60";
         edition = "2021";
-        sha256 = "094fc76nsq3v52r1a9rbwix22cqnda8p2wr2a24j302v0r2sl39p";
+        sha256 = "0xk8mdizvmmn6w5ij5cwhy5pbgyac4w9pfvl6nqmjl7a5hql38i4";
         dependencies = [
           {
             name = "anstream";
@@ -1156,7 +1155,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" ];
           }
         ];
@@ -1582,7 +1581,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" "extra-traits" ];
           }
         ];
@@ -1613,7 +1612,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
 
@@ -1639,7 +1638,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" "visit-mut" ];
           }
         ];
@@ -1716,7 +1715,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "extra-traits" ];
           }
         ];
@@ -1818,7 +1817,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
         buildDependencies = [
@@ -1915,7 +1914,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
         features = {
@@ -2081,13 +2080,13 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
         devDependencies = [
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" ];
           }
         ];
@@ -2288,7 +2287,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
         features = {
@@ -2789,7 +2788,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" ];
           }
         ];
@@ -4553,7 +4552,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
         features = {
@@ -4807,9 +4806,9 @@ rec {
         edition = "2024";
         workspace_member = null;
         src = pkgs.fetchgit {
-          url = "https://github.com/stackabletech/operator-rs.git";
-          rev = "2ba637e9d72e8b82adc6b5f370211ba9563c136d";
-          sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+          url = "https://github.com/stackabletech//operator-rs.git";
+          rev = "8892204f9988527bb598df7a36703e4da2ff3066";
+          sha256 = "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2";
         };
         libName = "k8s_version";
         authors = [
@@ -5275,7 +5274,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "extra-traits" ];
           }
         ];
@@ -6769,7 +6768,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
         features = {
@@ -6838,7 +6837,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             usesDefaultFeatures = false;
             features = [ "parsing" "printing" "clone-impls" "proc-macro" "full" "visit-mut" ];
           }
@@ -7215,7 +7214,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "extra-traits" ];
           }
         ];
@@ -7497,7 +7496,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
 
@@ -8155,7 +8154,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" "parsing" "extra-traits" "visit" "visit-mut" ];
           }
           {
@@ -8497,13 +8496,13 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
         devDependencies = [
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "extra-traits" ];
           }
         ];
@@ -8603,9 +8602,9 @@ rec {
       };
       "security-framework" = rec {
         crateName = "security-framework";
-        version = "3.6.0";
-        edition = "2021";
-        sha256 = "0f7cajmxfkxijl4g0blidqp0vyc4ndyc2wj3xslc6j39dn58jyyi";
+        version = "3.7.0";
+        edition = "2024";
+        sha256 = "07fd0j29j8yczb3hd430vwz784lx9knb5xwbvqna1nbkbivvrx5p";
         libName = "security_framework";
         authors = [
           "Steven Fackler <sfackler@gmail.com>"
@@ -8635,21 +8634,19 @@ rec {
           }
         ];
         features = {
-          "OSX_10_12" = [ "security-framework-sys/OSX_10_12" ];
-          "OSX_10_13" = [ "OSX_10_12" "security-framework-sys/OSX_10_13" "alpn" "session-tickets" ];
-          "OSX_10_14" = [ "OSX_10_13" "security-framework-sys/OSX_10_14" ];
-          "OSX_10_15" = [ "OSX_10_14" "security-framework-sys/OSX_10_15" ];
-          "default" = [ "OSX_10_12" ];
+          "OSX_10_15" = [ "security-framework-sys/OSX_10_15" ];
+          "default" = [ "OSX_10_14" "alpn" "session-tickets" ];
           "log" = [ "dep:log" ];
+          "macos-12" = [ "security-framework-sys/macos-12" ];
           "sync-keychain" = [ "OSX_10_13" ];
         };
-        resolvedDefaultFeatures = [ "OSX_10_12" "default" ];
+        resolvedDefaultFeatures = [ "OSX_10_14" "alpn" "default" "session-tickets" ];
       };
       "security-framework-sys" = rec {
         crateName = "security-framework-sys";
-        version = "2.16.0";
+        version = "2.17.0";
         edition = "2021";
-        sha256 = "06p6x6s8jysrkay1glazxl0r3drwsxwrhjh30lka9acjn1rqc71j";
+        sha256 = "1qr0w0y9iwvmv3hwg653q1igngnc5b74xcf0679cbv23z0fnkqkc";
         libName = "security_framework_sys";
         authors = [
           "Steven Fackler <sfackler@gmail.com>"
@@ -8666,15 +8663,8 @@ rec {
           }
         ];
         features = {
-          "OSX_10_10" = [ "OSX_10_9" ];
-          "OSX_10_11" = [ "OSX_10_10" ];
-          "OSX_10_12" = [ "OSX_10_11" ];
-          "OSX_10_13" = [ "OSX_10_12" ];
-          "OSX_10_14" = [ "OSX_10_13" ];
-          "OSX_10_15" = [ "OSX_10_14" ];
-          "default" = [ "OSX_10_12" ];
+          "default" = [ "OSX_10_13" ];
         };
-        resolvedDefaultFeatures = [ "OSX_10_10" "OSX_10_11" "OSX_10_12" "OSX_10_9" ];
       };
       "semver" = rec {
         crateName = "semver";
@@ -8796,7 +8786,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             usesDefaultFeatures = false;
             features = [ "clone-impls" "derive" "parsing" "printing" "proc-macro" ];
           }
@@ -8828,7 +8818,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             usesDefaultFeatures = false;
             features = [ "clone-impls" "derive" "parsing" "printing" ];
           }
@@ -9315,7 +9305,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" ];
           }
         ];
@@ -9534,9 +9524,9 @@ rec {
         edition = "2024";
         workspace_member = null;
         src = pkgs.fetchgit {
-          url = "https://github.com/stackabletech/operator-rs.git";
-          rev = "2ba637e9d72e8b82adc6b5f370211ba9563c136d";
-          sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+          url = "https://github.com/stackabletech//operator-rs.git";
+          rev = "8892204f9988527bb598df7a36703e4da2ff3066";
+          sha256 = "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2";
         };
         libName = "stackable_certs";
         authors = [
@@ -9637,9 +9627,9 @@ rec {
         edition = "2024";
         workspace_member = null;
         src = pkgs.fetchgit {
-          url = "https://github.com/stackabletech/operator-rs.git";
-          rev = "2ba637e9d72e8b82adc6b5f370211ba9563c136d";
-          sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+          url = "https://github.com/stackabletech//operator-rs.git";
+          rev = "8892204f9988527bb598df7a36703e4da2ff3066";
+          sha256 = "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2";
         };
         libName = "stackable_operator";
         authors = [
@@ -9810,9 +9800,9 @@ rec {
         edition = "2024";
         workspace_member = null;
         src = pkgs.fetchgit {
-          url = "https://github.com/stackabletech/operator-rs.git";
-          rev = "2ba637e9d72e8b82adc6b5f370211ba9563c136d";
-          sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+          url = "https://github.com/stackabletech//operator-rs.git";
+          rev = "8892204f9988527bb598df7a36703e4da2ff3066";
+          sha256 = "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2";
         };
         procMacro = true;
         libName = "stackable_operator_derive";
@@ -9834,7 +9824,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
 
@@ -9845,9 +9835,9 @@ rec {
         edition = "2024";
         workspace_member = null;
         src = pkgs.fetchgit {
-          url = "https://github.com/stackabletech/operator-rs.git";
-          rev = "2ba637e9d72e8b82adc6b5f370211ba9563c136d";
-          sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+          url = "https://github.com/stackabletech//operator-rs.git";
+          rev = "8892204f9988527bb598df7a36703e4da2ff3066";
+          sha256 = "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2";
         };
         libName = "stackable_shared";
         authors = [
@@ -9926,9 +9916,9 @@ rec {
         edition = "2024";
         workspace_member = null;
         src = pkgs.fetchgit {
-          url = "https://github.com/stackabletech/operator-rs.git";
-          rev = "2ba637e9d72e8b82adc6b5f370211ba9563c136d";
-          sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+          url = "https://github.com/stackabletech//operator-rs.git";
+          rev = "8892204f9988527bb598df7a36703e4da2ff3066";
+          sha256 = "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2";
         };
         libName = "stackable_telemetry";
         authors = [
@@ -10036,9 +10026,9 @@ rec {
         edition = "2024";
         workspace_member = null;
         src = pkgs.fetchgit {
-          url = "https://github.com/stackabletech/operator-rs.git";
-          rev = "2ba637e9d72e8b82adc6b5f370211ba9563c136d";
-          sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+          url = "https://github.com/stackabletech//operator-rs.git";
+          rev = "8892204f9988527bb598df7a36703e4da2ff3066";
+          sha256 = "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2";
         };
         libName = "stackable_versioned";
         authors = [
@@ -10080,9 +10070,9 @@ rec {
         edition = "2024";
         workspace_member = null;
         src = pkgs.fetchgit {
-          url = "https://github.com/stackabletech/operator-rs.git";
-          rev = "2ba637e9d72e8b82adc6b5f370211ba9563c136d";
-          sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+          url = "https://github.com/stackabletech//operator-rs.git";
+          rev = "8892204f9988527bb598df7a36703e4da2ff3066";
+          sha256 = "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2";
         };
         procMacro = true;
         libName = "stackable_versioned_macros";
@@ -10137,7 +10127,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
 
@@ -10148,9 +10138,9 @@ rec {
         edition = "2024";
         workspace_member = null;
         src = pkgs.fetchgit {
-          url = "https://github.com/stackabletech/operator-rs.git";
-          rev = "2ba637e9d72e8b82adc6b5f370211ba9563c136d";
-          sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17";
+          url = "https://github.com/stackabletech//operator-rs.git";
+          rev = "8892204f9988527bb598df7a36703e4da2ff3066";
+          sha256 = "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2";
         };
         libName = "stackable_webhook";
         authors = [
@@ -10328,7 +10318,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "parsing" ];
           }
         ];
@@ -10382,11 +10372,11 @@ rec {
         };
         resolvedDefaultFeatures = [ "clone-impls" "default" "derive" "full" "parsing" "printing" "proc-macro" "quote" ];
       };
-      "syn 2.0.116" = rec {
+      "syn 2.0.117" = rec {
         crateName = "syn";
-        version = "2.0.116";
+        version = "2.0.117";
         edition = "2021";
-        sha256 = "1jv9pk48qmhn6yrdfl3lngy5i74wg7gcx13gfhvm4s8q0p3j9x1x";
+        sha256 = "16cv7c0wbn8amxc54n4w15kxlx5ypdmla8s0gxr2l7bv7s0bhrg6";
         authors = [
           "David Tolnay <dtolnay@gmail.com>"
         ];
@@ -10458,7 +10448,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             usesDefaultFeatures = false;
             features = [ "derive" "parsing" "printing" "clone-impls" "visit" "extra-traits" ];
           }
@@ -10525,7 +10515,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
 
@@ -10551,7 +10541,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
           }
         ];
 
@@ -10768,7 +10758,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "parsing" ];
           }
         ];
@@ -10914,7 +10904,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" ];
           }
         ];
@@ -11141,9 +11131,9 @@ rec {
       };
       "tonic" = rec {
         crateName = "tonic";
-        version = "0.14.4";
+        version = "0.14.5";
         edition = "2021";
-        sha256 = "185r31mvp1y5flcbcapyksx8402xi33j0510c0ai392i03wacckz";
+        sha256 = "1v4k7aa28m7722gz9qak2jiy7lis1ycm4fdmq63iip4m0qdcdizy";
         authors = [
           "Lucio Franco <luciofranco14@gmail.com>"
         ];
@@ -11241,7 +11231,7 @@ rec {
           {
             name = "tokio";
             packageId = "tokio";
-            features = [ "rt-multi-thread" "macros" ];
+            features = [ "rt-multi-thread" "macros" "test-util" ];
           }
           {
             name = "tower";
@@ -11270,9 +11260,9 @@ rec {
       };
       "tonic-prost" = rec {
         crateName = "tonic-prost";
-        version = "0.14.4";
+        version = "0.14.5";
         edition = "2021";
-        sha256 = "0zv4q6jard712l7rxg119kvjlfc0kliv02lc3ydx1gw902f571lz";
+        sha256 = "02fkg2bv87q0yds2wz3w0s7i1x6qcgbrl00dy6ipajdapfh7clx5";
         libName = "tonic_prost";
         authors = [
           "Lucio Franco <luciofranco14@gmail.com>"
@@ -11672,7 +11662,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             usesDefaultFeatures = false;
             features = [ "full" "parsing" "printing" "visit-mut" "clone-impls" "extra-traits" "proc-macro" ];
           }
@@ -12386,7 +12376,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "visit" "visit-mut" "full" ];
           }
           {
@@ -12988,7 +12978,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             usesDefaultFeatures = false;
             features = [ "parsing" "proc-macro" "printing" "full" "clone-impls" ];
           }
@@ -13015,7 +13005,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             usesDefaultFeatures = false;
             features = [ "parsing" "proc-macro" "printing" "full" "clone-impls" ];
           }
@@ -14263,7 +14253,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "fold" ];
           }
           {
@@ -14331,14 +14321,14 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" ];
           }
         ];
         devDependencies = [
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "visit" ];
           }
         ];
@@ -14387,7 +14377,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "fold" ];
           }
           {
@@ -14441,7 +14431,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "full" "extra-traits" "visit" ];
           }
         ];
@@ -14543,7 +14533,7 @@ rec {
           }
           {
             name = "syn";
-            packageId = "syn 2.0.116";
+            packageId = "syn 2.0.117";
             features = [ "extra-traits" ];
           }
         ];
diff --git a/Cargo.toml b/Cargo.toml
index 50df5e0b..5dd92013 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -33,5 +33,6 @@ tokio = { version = "1.40", features = ["full"] }
 tracing = "0.1"
 
 [patch."https://github.com/stackabletech/operator-rs.git"]
-# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+# TODO revert this before merging!
+stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/gitsync-ca-support" }
 # stackable-operator = { path = "../operator-rs/crates/stackable-operator" }
diff --git a/crate-hashes.json b/crate-hashes.json
index 6dd679f9..f04b0e81 100644
--- a/crate-hashes.json
+++ b/crate-hashes.json
@@ -4,14 +4,14 @@
   "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-derive@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n",
   "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-runtime@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n",
   "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n",
-  "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#k8s-version@0.1.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
-  "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#stackable-certs@0.4.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
-  "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#stackable-operator-derive@0.3.1": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
-  "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#stackable-operator@0.106.1": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
-  "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#stackable-shared@0.1.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
-  "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#stackable-telemetry@0.6.1": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
-  "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#stackable-versioned-macros@0.8.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
-  "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#stackable-versioned@0.8.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
-  "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.106.1#stackable-webhook@0.9.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17",
+  "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#k8s-version@0.1.3": "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2",
+  "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#stackable-certs@0.4.0": "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2",
+  "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#stackable-operator-derive@0.3.1": "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2",
+  "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#stackable-operator@0.106.1": "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2",
+  "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#stackable-shared@0.1.0": "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2",
+  "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#stackable-telemetry@0.6.1": "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2",
+  "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#stackable-versioned-macros@0.8.3": "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2",
+  "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#stackable-versioned@0.8.3": "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2",
+  "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fgitsync-ca-support#stackable-webhook@0.9.0": "17qybxq6f8w5b94apnj0gvcqdhlq4bs9n1yv54adgvic9aipk3l2",
   "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987"
 }
\ No newline at end of file
diff --git a/docs/modules/airflow/examples/example-airflow-gitsync-https.yaml b/docs/modules/airflow/examples/example-airflow-gitsync-https.yaml
index 7589c9eb..2dccb2dd 100644
--- a/docs/modules/airflow/examples/example-airflow-gitsync-https.yaml
+++ b/docs/modules/airflow/examples/example-airflow-gitsync-https.yaml
@@ -22,7 +22,8 @@ spec:
           --rev: HEAD # <10>
           # --rev: git-sync-tag # N.B. tag must be covered by "depth" (the number of commits to clone)
           # --rev: 39ee3598bd9946a1d958a448c9f7d3774d7a8043 # N.B. commit must be covered by "depth"
-          --git-config: http.sslCAInfo:/tmp/ca-cert/ca.crt # <11>
+          # --git-config: http.sslCAInfo:/tmp/ca-cert/ca.crt # N.B. this will trigger a warning if caCertSecretName is also supplied
+        caCertSecretName: git-ca-cert # <11>
   webservers:
     ...
 ---
diff --git a/docs/modules/airflow/pages/usage-guide/mounting-dags.adoc b/docs/modules/airflow/pages/usage-guide/mounting-dags.adoc
index cd03fc3b..03b9d2a1 100644
--- a/docs/modules/airflow/pages/usage-guide/mounting-dags.adoc
+++ b/docs/modules/airflow/pages/usage-guide/mounting-dags.adoc
@@ -65,10 +65,12 @@ include::example$example-airflow-gitsync-https.yaml[]
     This should include two fields: `user` and `password` (which can be either a password -- which is not recommended -- or a GitHub token, as described https://github.com/kubernetes/git-sync/tree/v3.6.4#flags-which-configure-authentication[here])
 <9> A map of optional configuration settings that are listed in https://github.com/kubernetes/git-sync/tree/v4.2.1?tab=readme-ov-file#manual[this] configuration section (and the ones that follow on that link)
 <10> An example showing how to specify a target revision (the default is HEAD).
-     The revision can also be a tag or a commit, though this assumes that the target hash is contained within the number of commits specified by `depth`.
-     If a tag or commit hash is specified, then git-sync recognizes this and does not perform further cloning.
-<11> Git-sync settings can be provided inline, although some of these (`--dest`, `--root`) are specified internally in the operator and are ignored if provided by the user.
-     Git-config settings can also be specified, although a warning is logged if `safe.directory` is specified as this is defined internally, and should not be defined by the user.
+    The revision can also be a tag or a commit, though this assumes that the target hash is contained within the number of commits specified by `depth`.
+    If a tag or commit hash is specified, then git-sync recognizes this and does not perform further cloning.
+    Git-sync settings can be provided inline, although some of these (`--dest`, `--root`) are specified internally in the operator and are ignored if provided by the user.
+    Git-config settings can also be specified, although a warning is logged if `safe.directory` is specified as this is defined internally, and should not be defined by the user.
+<11> An optional secret used for holding CA certificates that will be used to verify the git server's TLS certificate by passing it to the git config option `http.sslCAInfo` passed with the gitsync command.
+    The secret must have a key named `ca.crt` whose value is the PEM-encoded certificate bundle.
 
 .git-sync usage example: ssh
 [source,yaml]
diff --git a/extra/crds.yaml b/extra/crds.yaml
index 288919db..ed3cfcab 100644
--- a/extra/crds.yaml
+++ b/extra/crds.yaml
@@ -1155,6 +1155,12 @@ spec:
 
                             Since git-sync v4.x.x this field is mapped to the flag `--ref`.
                           type: string
+                        caCertSecretName:
+                          description: |-
+                            An optional secret used for holding CA certificates that will be used to verify the git server's TLS certificate by passing it to the git config option `http.sslCAInfo` passed with the gitsync command. The secret must have a key named `ca.crt` whose value is the PEM-encoded certificate bundle.
+                            If `http.sslCAInfo` is also set via `gitSyncConf` (the `--git-config` option) then a warning will be logged.
+                          nullable: true
+                          type: string
                         credentials:
                           description: An optional secret used for git access.
                           nullable: true
diff --git a/rust/operator-binary/src/airflow_controller.rs b/rust/operator-binary/src/airflow_controller.rs
index 4930c575..d2f065c6 100644
--- a/rust/operator-binary/src/airflow_controller.rs
+++ b/rust/operator-binary/src/airflow_controller.rs
@@ -1457,6 +1457,8 @@ fn add_git_sync_resources(
         .context(AddVolumeSnafu)?;
     pb.add_volumes(git_sync_resources.git_ssh_volumes.to_owned())
         .context(AddVolumeSnafu)?;
+    pb.add_volumes(git_sync_resources.git_ca_cert_volumes.to_owned())
+        .context(AddVolumeSnafu)?;
     cb.add_volume_mounts(git_sync_resources.git_content_volume_mounts.to_owned())
         .context(AddVolumeMountSnafu)?;
 
diff --git a/tests/templates/kuttl/ca-cert/00-patch-ns.yaml.j2 b/tests/templates/kuttl/ca-cert/00-patch-ns.yaml.j2
new file mode 100644
index 00000000..67185acf
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/00-patch-ns.yaml.j2
@@ -0,0 +1,9 @@
+{% if test_scenario['values']['openshift'] == 'true' %}
+# see https://github.com/stackabletech/issues/issues/566
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: kubectl patch namespace $NAMESPACE -p '{"metadata":{"labels":{"pod-security.kubernetes.io/enforce":"privileged"}}}'
+    timeout: 120
+{% endif %}
diff --git a/tests/templates/kuttl/ca-cert/03-assert.yaml b/tests/templates/kuttl/ca-cert/03-assert.yaml
new file mode 100644
index 00000000..319e927a
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/03-assert.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-airflow-postgresql
+timeout: 480
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: airflow-postgresql
+status:
+  readyReplicas: 1
+  replicas: 1
diff --git a/tests/templates/kuttl/ca-cert/03-install-postgresql.yaml b/tests/templates/kuttl/ca-cert/03-install-postgresql.yaml
new file mode 100644
index 00000000..dc25ba20
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/03-install-postgresql.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: >-
+      helm install airflow-postgresql
+      --namespace $NAMESPACE
+      --version 16.4.2
+      -f helm-bitnami-postgresql-values.yaml
+      oci://registry-1.docker.io/bitnamicharts/postgresql
+    timeout: 600
diff --git a/tests/templates/kuttl/ca-cert/05-assert.yaml.j2 b/tests/templates/kuttl/ca-cert/05-assert.yaml.j2
new file mode 100644
index 00000000..50b1d4c3
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/05-assert.yaml.j2
@@ -0,0 +1,10 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+{% if lookup('env', 'VECTOR_AGGREGATOR') %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vector-aggregator-discovery
+{% endif %}
diff --git a/tests/templates/kuttl/ca-cert/05-install-vector-aggregator-discovery-configmap.yaml.j2 b/tests/templates/kuttl/ca-cert/05-install-vector-aggregator-discovery-configmap.yaml.j2
new file mode 100644
index 00000000..2d6a0df5
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/05-install-vector-aggregator-discovery-configmap.yaml.j2
@@ -0,0 +1,9 @@
+{% if lookup('env', 'VECTOR_AGGREGATOR') %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vector-aggregator-discovery
+data:
+  ADDRESS: {{ lookup('env', 'VECTOR_AGGREGATOR') }}
+{% endif %}
diff --git a/tests/templates/kuttl/ca-cert/15-assert.yaml b/tests/templates/kuttl/ca-cert/15-assert.yaml
new file mode 100644
index 00000000..3c2158b4
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/15-assert.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: create-ca-cert
+status:
+  succeeded: 1
diff --git a/tests/templates/kuttl/ca-cert/15-create-ca-cert.yaml b/tests/templates/kuttl/ca-cert/15-create-ca-cert.yaml
new file mode 100644
index 00000000..330a907a
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/15-create-ca-cert.yaml
@@ -0,0 +1,60 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      kubectl apply -n "$NAMESPACE" -f - <<EOF
+      ---
+      apiVersion: batch/v1
+      kind: Job
+      metadata:
+        name: create-ca-cert
+      spec:
+        template:
+          spec:
+            containers:
+              - name: create-ca-cert
+                image: oci.stackable.tech/sdp/testing-tools:0.3.0-stackable0.0.0-dev
+                env:
+                  - name: NAMESPACE
+                    value: $NAMESPACE
+                command:
+                  - bash
+                args:
+                  - -c
+                  - |
+                    set -euo pipefail
+
+                    # Create the correct cert
+                    openssl req -x509 -newkey rsa:4096 \
+                      -nodes -keyout ca.key -out ca.crt -subj "/CN=test-git-ca"
+
+                    openssl req -newkey rsa:4096 -nodes -keyout \
+                      server.key -out server.csr -subj "/CN=git-proxy"
+
+                    openssl x509 -req -in server.csr -CA ca.crt \
+                      -CAkey ca.key -set_serial 1 -out server.crt \
+                      -extfile <(printf "subjectAltName=DNS:git-proxy,DNS:git-proxy.$NAMESPACE.svc.cluster.local")
+
+                    openssl x509 -in server.crt -noout -ext subjectAltName
+
+                    kubectl create secret tls git-proxy-tls \
+                      --cert=server.crt --key=server.key
+                    kubectl create secret generic git-ca-cert \
+                      --from-file=ca.crt=ca.crt
+
+                    # Create an incorrect cert which should cause the gitsync container to exit
+                    openssl req -x509 -newkey rsa:4096 \
+                      -nodes -keyout ca-wrong.key -out ca-wrong.crt \
+                      -subj "/CN=wrong-git-ca"
+
+                    kubectl create secret generic git-wrong-ca-cert \
+                      --from-file=ca.crt=ca-wrong.crt
+            securityContext:
+              runAsUser: 1000
+              runAsGroup: 1000
+              fsGroup: 1000
+            restartPolicy: Never
+            terminationGracePeriodSeconds: 0
+            serviceAccount: integration-tests-sa
+      EOF
diff --git a/tests/templates/kuttl/ca-cert/15-rbac.yaml.j2 b/tests/templates/kuttl/ca-cert/15-rbac.yaml.j2
new file mode 100644
index 00000000..403819a6
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/15-rbac.yaml.j2
@@ -0,0 +1,36 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - secrets
+    verbs:
+      - create
+{% if test_scenario['values']['openshift'] == "true" %}
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    resourceNames: ["privileged"]
+    verbs: ["use"]
+{% endif %}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: integration-tests-sa
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: use-integration-tests-scc
+subjects:
+  - kind: ServiceAccount
+    name: integration-tests-sa
+roleRef:
+  kind: Role
+  name: use-integration-tests-scc
+  apiGroup: rbac.authorization.k8s.io
diff --git a/tests/templates/kuttl/ca-cert/15-secrets.yaml b/tests/templates/kuttl/ca-cert/15-secrets.yaml
new file mode 100644
index 00000000..a52851a3
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/15-secrets.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-sync-ssh
+type: Opaque
+data:
+  # This is a combination of a read-only deploy key and known hosts (github.com) for the repo (stackable-airflow/dags).
+  # Contact github users @razvan or @adwk67 for details.
+  key: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNDTUpoLzdaUDFUWDBHem5sZG0zV3p3TW9Ed0xTVzh4dm9SUmpIZGVYTVViQUFBQUtDc3QzQ1NyTGR3CmtnQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDQ01KaC83WlAxVFgwR3pubGRtM1d6d01vRHdMU1c4eHZvUlJqSGRlWE1VYkEKQUFBRUQwSUtCOG1wMWlScXFVSlVjTDh5Y0tKWkRwZkRnYWRXUHVhcUxYQkkvTVY0d21IL3RrL1ZOZlFiT2VWMmJkYlBBeQpnUEF0SmJ6RytoRkdNZDE1Y3hSc0FBQUFGbVJsY0d4dmVTMXJaWGt0Wm05eUxXZHBkSE41Ym1NQkFnTUVCUVlICi0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLQo=
+  knownHosts: Z2l0aHViLmNvbSBzc2gtcnNhIEFBQUFCM056YUMxeWMyRUFBQUFEQVFBQkFBQUJnUUNqN25kTnhRb3dnY1FuanNoY0xycVBFaWlwaG50K1ZUVHZEUDZtSEJMOWoxYU5Va1k0VWUxZ3Z3bkdMVmxPaEdlWXJuWmFNZ1JLNitQS0NVWGFEYkM3cXRiVzhnSWtoTDdhR0NzT3IvQzU2U0pNeS9CQ1pmeGQxbld6QU94U0RQZ1ZzbWVyT0JZZk5xbHRWOS9oV0NxQnl3SU5JUis1ZElnNkpUSjcycGNFcEVqY1lnWGtFMllFRlhWMUpIbnNLZ2JMV05saFNjcWIyVW15UmtReXl0Ukx0TCszOFRHeGt4Q2ZsbU8rNVo4Q1NTTlk3R2lkak1JWjdRNHpNakEybjFuR3JsVERrendEQ3N3K3dxRlBHUUExNzljbmZHV09XUlZydWoxNno2WHl2eHZqSndiejB3UVo3NVhLNXRLU2I3Rk55ZUlFczRUVDRqaytTNGRoUGVBVUM1eStiRFlpcllnTTRHQzd1RW56dG5aeWFWV1E3QjM4MUFLNFFkcnd0NTFacUV4S2JRcFRVTm4rRWpxb1R3dnFOajRrcXg1UVVDSTBUaFMvWWtPeEpDWG1QVVdaYmhqcENnNTZpKzJhQjZDbUsySkdobjU3SzVtajBNTmRCWEE0L1dud0g2WG9QV0p6SzVOeXUyekIzbkFacCtTNWhwUXMrcDF2TjEvd3Nqaz0KZ2l0aHViLmNvbSBlY2RzYS1zaGEyLW5pc3RwMjU2IEFBQUFFMlZqWkhOaExYTm9ZVEl0Ym1semRIQXlOVFlBQUFBSWJtbHpkSEF5TlRZQUFBQkJCRW1LU0VOalFFZXpPbXhrWk15N29wS2d3RkI5bmt0NVlScllNak51RzVOODd1UmdnNkNMcmJvNXdBZFQveTZ2MG1LVjBVMncwV1oyWUIvKytUcG9ja2c9CmdpdGh1Yi5jb20gc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9NcXFua1Z6cm0wU2RHNlVPb3FLTHNhYmdINUM5b2tXaTBkaDJsOUdLSmwK
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-airflow-credentials
+type: Opaque
+stringData:
+  adminUser.username: airflow
+  adminUser.firstname: Airflow
+  adminUser.lastname: Admin
+  adminUser.email: airflow@airflow.com
+  adminUser.password: airflow
+  connections.sqlalchemyDatabaseUri: postgresql+psycopg2://airflow:airflow@airflow-postgresql/airflow
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: git-credentials
+type: Opaque
+data:
+  # This is a fine-grained access token for the owner of the repo (stackable-airflow/dags) which has read only access
+  # to *only* this repo. Contact github users @razvan or @adwk67 for details.
+  # This token doesn't expire.
+  user: c3RhY2thYmxlLWFpcmZsb3c=
+  password: Z2l0aHViX3BhdF8xMUJLUURCRVkwSk1EWlNVQk1RYTdoX0c2OGlhbWtpRkpFV1RMTTF0ajFwbHFTVFNyZ3p3dHZneXI5b2tubGRXaGpVRDZITFRFV0JJcm9yT0dXCg==
diff --git a/tests/templates/kuttl/ca-cert/20-nginx-proxy.yaml b/tests/templates/kuttl/ca-cert/20-nginx-proxy.yaml
new file mode 100644
index 00000000..edabeb26
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/20-nginx-proxy.yaml
@@ -0,0 +1,79 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: git-proxy-config
+data:
+  nginx.conf: |
+    events {}
+    http {
+      server {
+        listen 443 ssl;
+        server_name _;
+
+        ssl_certificate /etc/nginx/tls/tls.crt;
+        ssl_certificate_key /etc/nginx/tls/tls.key;
+
+        client_max_body_size 0;
+        proxy_buffering off;
+        proxy_request_buffering off;
+
+        location / {
+          proxy_pass https://github.com;
+          proxy_set_header Host github.com;
+          proxy_ssl_server_name on;
+          proxy_ssl_name github.com;
+          proxy_ssl_verify on;
+          proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+          proxy_ssl_verify_depth 5;
+          proxy_http_version 1.1;
+          proxy_set_header Connection "";
+          proxy_pass_request_headers on;
+        }
+      }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: git-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: git-proxy
+  template:
+    metadata:
+      labels:
+        app: git-proxy
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:alpine
+          ports:
+            - containerPort: 443
+          volumeMounts:
+            - name: config
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+            - name: tls
+              mountPath: /etc/nginx/tls
+              readOnly: true
+      volumes:
+        - name: config
+          configMap:
+            name: git-proxy-config
+        - name: tls
+          secret:
+            secretName: git-proxy-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: git-proxy
+spec:
+  selector:
+    app: git-proxy
+  ports:
+    - port: 443
+      targetPort: 443
diff --git a/tests/templates/kuttl/ca-cert/25-assert.yaml b/tests/templates/kuttl/ca-cert/25-assert.yaml
new file mode 100644
index 00000000..bed7d7fb
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/25-assert.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 120
+commands:
+  - script: |
+      # this is to avoid excessive looping while the git-sync pod starts
+      sleep 10
+
+      POD="airflow-wrong-cert-dagprocessor-default-0"
+      CONTAINER="git-sync-0"
+
+      kubectl logs -n "$NAMESPACE" "$POD" -c "$CONTAINER" 2>/dev/null \
+        | grep -q "SSL certificate problem: unable to get local issuer certificate" && exit 0
+
+      exit 1
diff --git a/tests/templates/kuttl/ca-cert/25-install-airflow-wrong-cert.yaml b/tests/templates/kuttl/ca-cert/25-install-airflow-wrong-cert.yaml
new file mode 100644
index 00000000..189523aa
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/25-install-airflow-wrong-cert.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 120
+commands:
+  - script: |
+      envsubst < 25_airflow-wrong-cert.yaml | kubectl apply -n $NAMESPACE -f -
diff --git a/tests/templates/kuttl/ca-cert/25_airflow-wrong-cert.yaml.j2 b/tests/templates/kuttl/ca-cert/25_airflow-wrong-cert.yaml.j2
new file mode 100644
index 00000000..12f49d56
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/25_airflow-wrong-cert.yaml.j2
@@ -0,0 +1,53 @@
+---
+apiVersion: airflow.stackable.tech/v1alpha2
+kind: AirflowCluster
+metadata:
+  name: airflow-wrong-cert
+spec:
+  image:
+{% if test_scenario['values']['airflow-latest'].find(",") > 0 %}
+    custom: "{{ test_scenario['values']['airflow-latest'].split(',')[1] }}"
+    productVersion: "{{ test_scenario['values']['airflow-latest'].split(',')[0] }}"
+{% else %}
+    productVersion: "{{ test_scenario['values']['airflow-latest'] }}"
+{% endif %}
+    pullPolicy: IfNotPresent
+  clusterConfig:
+{% if lookup('env', 'VECTOR_AGGREGATOR') %}
+    vectorAggregatorConfigMapName: vector-aggregator-discovery
+{% endif %}
+    credentialsSecret: test-airflow-credentials
+    dagsGitSync:
+      - repo: https://git-proxy.$NAMESPACE.svc.cluster.local/stackable-airflow/dags
+        credentials:
+          basicAuthSecretName: git-credentials
+        gitFolder: "mount-dags-gitsync/dags_airflow3"
+        wait: 5s
+        caCertSecretName: git-wrong-ca-cert
+  webservers:
+    roleConfig:
+      listenerClass: external-unstable
+    config:
+      logging:
+        enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+    roleGroups:
+      default:
+        replicas: 1
+  kubernetesExecutors:
+    config:
+      logging:
+        enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+  schedulers:
+    config:
+      logging:
+        enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+    roleGroups:
+      default:
+        replicas: 1
+  dagProcessors:
+    config:
+      logging:
+        enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+    roleGroups:
+      default:
+        replicas: 1
diff --git a/tests/templates/kuttl/ca-cert/30-assert.yaml.j2 b/tests/templates/kuttl/ca-cert/30-assert.yaml.j2
new file mode 100644
index 00000000..37f7c5b8
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/30-assert.yaml.j2
@@ -0,0 +1,30 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-airflow-cluster
+timeout: 1200
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: airflow-webserver-default
+status:
+  readyReplicas: 1
+  replicas: 1
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: airflow-scheduler-default
+status:
+  readyReplicas: 1
+  replicas: 1
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: airflow-dagprocessor-default
+status:
+  readyReplicas: 1
+  replicas: 1
diff --git a/tests/templates/kuttl/ca-cert/30-install-airflow-cluster.yaml b/tests/templates/kuttl/ca-cert/30-install-airflow-cluster.yaml
new file mode 100644
index 00000000..a14a37fd
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/30-install-airflow-cluster.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+metadata:
+  name: install-airflow
+timeout: 480
+commands:
+  - script: |
+      kubectl delete airflowcluster airflow-wrong-cert -n $NAMESPACE --wait=false
+      envsubst < 30_airflow-cluster.yaml | kubectl apply -n $NAMESPACE -f -
diff --git a/tests/templates/kuttl/ca-cert/30_airflow-cluster.yaml.j2 b/tests/templates/kuttl/ca-cert/30_airflow-cluster.yaml.j2
new file mode 100644
index 00000000..1ea7d644
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/30_airflow-cluster.yaml.j2
@@ -0,0 +1,53 @@
+---
+apiVersion: airflow.stackable.tech/v1alpha2
+kind: AirflowCluster
+metadata:
+  name: airflow
+spec:
+  image:
+{% if test_scenario['values']['airflow-latest'].find(",") > 0 %}
+    custom: "{{ test_scenario['values']['airflow-latest'].split(',')[1] }}"
+    productVersion: "{{ test_scenario['values']['airflow-latest'].split(',')[0] }}"
+{% else %}
+    productVersion: "{{ test_scenario['values']['airflow-latest'] }}"
+{% endif %}
+    pullPolicy: IfNotPresent
+  clusterConfig:
+{% if lookup('env', 'VECTOR_AGGREGATOR') %}
+    vectorAggregatorConfigMapName: vector-aggregator-discovery
+{% endif %}
+    credentialsSecret: test-airflow-credentials
+    dagsGitSync:
+      - repo: https://git-proxy.$NAMESPACE.svc.cluster.local/stackable-airflow/dags
+        credentials:
+          basicAuthSecretName: git-credentials
+        gitFolder: "mount-dags-gitsync/dags_airflow3"
+        wait: 5s
+        caCertSecretName: git-ca-cert
+  webservers:
+    roleConfig:
+      listenerClass: external-unstable
+    config:
+      logging:
+        enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+    roleGroups:
+      default:
+        replicas: 1
+  kubernetesExecutors:
+    config:
+      logging:
+        enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+  schedulers:
+    config:
+      logging:
+        enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+    roleGroups:
+      default:
+        replicas: 1
+  dagProcessors:
+    config:
+      logging:
+        enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+    roleGroups:
+      default:
+        replicas: 1
diff --git a/tests/templates/kuttl/ca-cert/31-assert.yaml b/tests/templates/kuttl/ca-cert/31-assert.yaml
new file mode 100644
index 00000000..0a11bc12
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/31-assert.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 120
+commands:
+  - script: |
+      kubectl logs -n "$NAMESPACE" airflow-dagprocessor-default-0 -c git-sync-0 2>/dev/null \
+        | grep -q "updated successfully" && echo "git-sync: repo updated successfully via CA-cert-authenticated proxy"
diff --git a/tests/templates/kuttl/ca-cert/40-assert.yaml b/tests/templates/kuttl/ca-cert/40-assert.yaml
new file mode 100644
index 00000000..6edaa3c3
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/40-assert.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-airflow-python
+timeout: 240
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: test-airflow-python
+status:
+  readyReplicas: 1
+  replicas: 1
diff --git a/tests/templates/kuttl/ca-cert/40-install-airflow-python.yaml b/tests/templates/kuttl/ca-cert/40-install-airflow-python.yaml
new file mode 100644
index 00000000..c3f865a0
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/40-install-airflow-python.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: test-airflow-python
+  labels:
+    app: test-airflow-python
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-airflow-python
+  template:
+    metadata:
+      labels:
+        app: test-airflow-python
+    spec:
+      containers:
+        - name: test-airflow-python
+          image: oci.stackable.tech/sdp/testing-tools:0.2.0-stackable0.0.0-dev
+          imagePullPolicy: IfNotPresent
+          stdin: true
+          tty: true
diff --git a/tests/templates/kuttl/ca-cert/50-assert.yaml.j2 b/tests/templates/kuttl/ca-cert/50-assert.yaml.j2
new file mode 100644
index 00000000..b85052aa
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/50-assert.yaml.j2
@@ -0,0 +1,12 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: test-airflow-webserver-health-check
+timeout: 480
+commands:
+{% if test_scenario['values']['airflow-latest'].find(",") > 0 %}
+  - script: kubectl exec -n $NAMESPACE test-airflow-python-0 -- python /tmp/health.py --airflow-version "{{ test_scenario['values']['airflow-latest'].split(',')[0] }}"
+{% else %}
+  - script: kubectl exec -n $NAMESPACE test-airflow-python-0 -- python /tmp/health.py --airflow-version "{{ test_scenario['values']['airflow-latest'] }}"
+{% endif %}
diff --git a/tests/templates/kuttl/ca-cert/50-health-check.yaml b/tests/templates/kuttl/ca-cert/50-health-check.yaml
new file mode 100644
index 00000000..5d3b329f
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/50-health-check.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 480
+commands:
+  - script: kubectl cp -n $NAMESPACE ../../../../templates/kuttl/commons/health.py  test-airflow-python-0:/tmp
+    timeout: 240
diff --git a/tests/templates/kuttl/ca-cert/helm-bitnami-postgresql-values.yaml.j2 b/tests/templates/kuttl/ca-cert/helm-bitnami-postgresql-values.yaml.j2
new file mode 100644
index 00000000..80c50924
--- /dev/null
+++ b/tests/templates/kuttl/ca-cert/helm-bitnami-postgresql-values.yaml.j2
@@ -0,0 +1,37 @@
+---
+global:
+  security:
+    allowInsecureImages: true
+
+image:
+  repository: bitnamilegacy/postgresql
+
+volumePermissions:
+  enabled: false
+  image:
+    repository: bitnamilegacy/os-shell
+  securityContext:
+    runAsUser: auto
+
+metrics:
+  image:
+    repository: bitnamilegacy/postgres-exporter
+
+primary:
+  podSecurityContext:
+{% if test_scenario['values']['openshift'] == 'true' %}
+    enabled: false
+{% else %}
+    enabled: true
+{% endif %}
+  containerSecurityContext:
+    enabled: false
+
+shmVolume:
+  chmod:
+    enabled: false
+
+auth:
+  username: airflow
+  password: airflow
+  database: airflow
diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml
index 512e237a..6c7b486c 100644
--- a/tests/test-definition.yaml
+++ b/tests/test-definition.yaml
@@ -108,6 +108,10 @@ tests:
     dimensions:
       - airflow-latest
       - openshift
+  - name: ca-cert
+    dimensions:
+      - airflow-latest
+      - openshift
 suites:
   - name: nightly
     # Run nightly with the latest airflow