diff --git a/braintrust/Chart.yaml b/braintrust/Chart.yaml
index 9a3e90f..1031c25 100644
--- a/braintrust/Chart.yaml
+++ b/braintrust/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: braintrust
-version: 2.0.4
+version: 2.1.0
 description: A Helm chart to run the Braintrust services for the self-hosted data plane
 type: application
 home: https://github.com/braintrustdata/helm
diff --git a/braintrust/README.md b/braintrust/README.md
index 252389a..08f4b76 100644
--- a/braintrust/README.md
+++ b/braintrust/README.md
@@ -14,6 +14,7 @@ The `braintrust-secrets` secret must contain the following keys:
 | `PG_URL` | PostgreSQL connection URL | `postgres://:@:/` (append `?sslmode=require` if using TLS) |
 | `BRAINSTORE_LICENSE_KEY` | Brainstore license key | Valid Brainstore license key from the Braintrust Data Plane settings page |
 | `FUNCTION_SECRET_KEY` | Random string for encrypting function secrets | Random string |
+| `CA_PEM` | Custom TLS CA bundle | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `customTLSCABundle: true`. |
 | `AZURE_STORAGE_CONNECTION_STRING` | Azure storage connection string | Valid Azure storage connection string (only required if `cloud` is `azure`) |
 | `GCS_ACCESS_KEY_ID` | Google HMAC Access ID string | Valid S3 API Key Id (only required if `cloud` is `google`) |
 | `GCS_SECRET_ACCESS_KEY` | Google HMAC Secret string | Valid S3 Secret string (only required if `cloud` is `google`) |
diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml
index fd0e92c..ad9218d 100644
--- a/braintrust/templates/api-deployment.yaml
+++ b/braintrust/templates/api-deployment.yaml
@@ -106,19 +106,46 @@ spec:
 {{- if .Values.api.extraEnvVars }}
 {{- toYaml .Values.api.extraEnvVars | nindent 12 }}
 {{- end }}
- {{- if .Values.azureKeyVaultCSI.enabled }}
+ {{- if .Values.realtime.enabled }}
+ - name: REALTIME_URL
+ value: "http://{{ .Values.realtime.service.name | default .Values.realtime.name }}:{{ .Values.realtime.service.port }}"
+ {{- end }}
+ {{- if .Values.customTLSCABundle }}
+ - name: NODE_EXTRA_CA_CERTS
+ value: "/etc/braintrust/tls/ca-bundle.pem"
+ {{- end }}
+ {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }}
 volumeMounts:
+ {{- if .Values.azureKeyVaultCSI.enabled }}
 - name: secrets-store-inline
 mountPath: "/mnt/secrets-store"
 readOnly: true
+ {{- end }}
+ {{- if .Values.customTLSCABundle }}
+ - name: tls-ca
+ mountPath: "/etc/braintrust/tls"
+ readOnly: true
+ {{- end }}
 {{- end }}
- {{- if .Values.azureKeyVaultCSI.enabled }}
+ {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }}
 volumes:
+ {{- if .Values.customTLSCABundle }}
+ - name: tls-ca
+ projected:
+ sources:
+ - secret:
+ name: "braintrust-secrets"
+ items:
+ - key: "CA_PEM"
+ path: "ca-bundle.pem"
+ {{- end }}
+ {{- if .Values.azureKeyVaultCSI.enabled }}
 - name: secrets-store-inline
 csi:
 driver: secrets-store.csi.k8s.io
 readOnly: true
 volumeAttributes:
 secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
+ {{- end }}
 {{- end }}
diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml
index 91fcc31..898765f 100644
--- a/braintrust/templates/brainstore-reader-deployment.yaml
+++ b/braintrust/templates/brainstore-reader-deployment.yaml
@@ -97,6 +97,11 @@ spec:
 secretKeyRef:
 name: braintrust-secrets
 key: PG_URL
+ - name: BRAINSTORE_REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: braintrust-secrets
+ key: REDIS_URL
 {{- if eq .Values.brainstore.locksBackend "redis" }}
 - name: BRAINSTORE_LOCKS_URI
 valueFrom:
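Review bot: `NODE_EXTRA_CA_CERTS` at the new env entry is read by Node once at process start, so a rotated `CA_PEM` projected into `/etc/braintrust/tls` is not picked up by running api pods until they restart; a comment next to the env var would save operators a debugging session, e.g. `# NODE_EXTRA_CA_CERTS is loaded at startup; roll the api deployment after changing CA_PEM`. The new projected volume quotes the secret name (`name: "braintrust-secrets"`) while the existing `secretKeyRef` blocks in this chart leave it plain; one style for both keeps grep and future diffs clean. The realtime deployment, which this commit also points at `REDIS_URL`, gets no `tls-ca` mount here, so if that Redis endpoint is fronted by the private CA the bundle is meant to cover, realtime will not trust it — worth confirming that is intended. The container spec this hunk edits starts and ends outside the hunk.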
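Review bot: The new `BRAINSTORE_REDIS_URL` entry makes the `REDIS_URL` key of `braintrust-secrets` mandatory for every reader pod, because a `secretKeyRef` without `optional: true` fails container creation when the key is absent, whereas before this commit Redis was only referenced under `locksBackend: "redis"`. The same unconditional reference is added to the writer (`@@ -97,6 +97,11`) and to the realtime deployment. The README hunk in this commit documents `CA_PEM` but not `REDIS_URL`; if that key is not already listed in the required-keys table, add a row for it, or mark the reference `optional: true` where the service can run without Redis. The env list this hunk edits starts outside the hunk.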
@@ -112,6 +117,10 @@ spec:
 {{- if .Values.brainstore.reader.extraEnvVars }}
 {{- toYaml .Values.brainstore.reader.extraEnvVars | nindent 12 }}
 {{- end }}
+ {{- if .Values.customTLSCABundle }}
+ - name: SSL_CERT_FILE
+ value: "/etc/braintrust/tls/ca-bundle.pem"
+ {{- end }}
 volumeMounts:
 - name: cache-volume
 mountPath: {{ .Values.brainstore.reader.cacheDir }}
@@ -120,6 +129,11 @@ spec:
 mountPath: "/mnt/secrets-store"
 readOnly: true
 {{- end }}
+ {{- if .Values.customTLSCABundle }}
+ - name: tls-ca
+ mountPath: "/etc/braintrust/tls"
+ readOnly: true
+ {{- end }}
 volumes:
 - name: cache-volume
 emptyDir: {}
@@ -131,3 +145,13 @@ spec:
 volumeAttributes:
 secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
 {{- end }}
+ {{- if .Values.customTLSCABundle }}
+ - name: tls-ca
+ projected:
+ sources:
+ - secret:
+ name: "braintrust-secrets"
+ items:
+ - key: "CA_PEM"
+ path: "ca-bundle.pem"
+ {{- end }}
diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml
index a2f6a29..155da1c 100644
--- a/braintrust/templates/brainstore-writer-deployment.yaml
+++ b/braintrust/templates/brainstore-writer-deployment.yaml
@@ -97,6 +97,11 @@ spec:
 secretKeyRef:
 name: braintrust-secrets
 key: PG_URL
+ - name: BRAINSTORE_REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: braintrust-secrets
+ key: REDIS_URL
 {{- if eq .Values.brainstore.locksBackend "redis" }}
 - name: BRAINSTORE_LOCKS_URI
 valueFrom:
@@ -112,6 +117,10 @@ spec:
 {{- if .Values.brainstore.writer.extraEnvVars }}
 {{- toYaml .Values.brainstore.writer.extraEnvVars | nindent 12 }}
 {{- end }}
+ {{- if .Values.customTLSCABundle }}
+ - name: SSL_CERT_FILE
+ value: "/etc/braintrust/tls/ca-bundle.pem"
+ {{- end }}
 volumeMounts:
 - name: cache-volume
 mountPath: {{ .Values.brainstore.writer.cacheDir }}
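Review bot: `SSL_CERT_FILE` at the new env entry does not extend the trust store the way `NODE_EXTRA_CA_CERTS` does for the api container: for OpenSSL-style clients, and libraries that copy its environment lookup, the file it names is used instead of the default CA file, so the brainstore reader would then trust only what `CA_PEM` contains. If an operator supplies just their private CA, connections from brainstore to public endpoints such as object storage would fail verification; the README row does say "Full PEM bundle", but the values.yaml comment added in this commit ("added in addition to the default system CA certificates") describes the opposite behaviour for these containers. The same env var is added to the writer at `@@ -112,6 +117,10`. Suggest aligning the values.yaml comment, e.g. `# For the brainstore containers the bundle is used via SSL_CERT_FILE in place of the default trust store, so CA_PEM must also include any public roots those services need`.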
@@ -120,6 +129,11 @@ spec:
 mountPath: "/mnt/secrets-store"
 readOnly: true
 {{- end }}
+ {{- if .Values.customTLSCABundle }}
+ - name: tls-ca
+ mountPath: "/etc/braintrust/tls"
+ readOnly: true
+ {{- end }}
 volumes:
 - name: cache-volume
 emptyDir: {}
@@ -131,3 +145,13 @@ spec:
 volumeAttributes:
 secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
 {{- end }}
+ {{- if .Values.customTLSCABundle }}
+ - name: tls-ca
+ projected:
+ sources:
+ - secret:
+ name: "braintrust-secrets"
+ items:
+ - key: "CA_PEM"
+ path: "ca-bundle.pem"
+ {{- end }}
diff --git a/braintrust/templates/realtime-deployment.yaml b/braintrust/templates/realtime-deployment.yaml
index 0586ecf..c6d27d2 100644
--- a/braintrust/templates/realtime-deployment.yaml
+++ b/braintrust/templates/realtime-deployment.yaml
@@ -57,8 +57,13 @@ spec:
 - containerPort: {{ .Values.realtime.service.port }}
 resources:
 {{- toYaml .Values.realtime.resources | nindent 12 }}
- {{- if .Values.realtime.extraEnvVars }}
 env:
+ - name: REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: braintrust-secrets
+ key: REDIS_URL
+ {{- if .Values.realtime.extraEnvVars }}
 {{- toYaml .Values.realtime.extraEnvVars | nindent 12 }}
- {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/braintrust/values.yaml b/braintrust/values.yaml
index ef96377..e1f1a1d 100644
--- a/braintrust/values.yaml
+++ b/braintrust/values.yaml
@@ -23,6 +23,13 @@ global:
 # Cloud provider configuration
 cloud: "google" # or "azure" or "aws"
+# Custom TLS CA Bundle configuration
+# When enabled, appends custom CA certificates to the system trust store for secure connections
+# This is useful for private CAs, self-signed certificates, or custom certificate chains
+# The custom CA bundle is added in addition to the default system CA certificates
+# Requires CA_PEM secret to be set (see README for details)
+customTLSCABundle: false
+
 # Optional: Google Cloud specific configuration
 google:
 # GKE mode: "autopilot" or "standard"