From f213478b3fd9024b25e4b68173845f08dc936a7e Mon Sep 17 00:00:00 2001
From: Braintrust Bot <215900051+braintrust-bot[bot]@users.noreply.github.com>
Date: Tue, 14 Oct 2025 16:26:36 +0000
Subject: [PATCH 1/8] Update Chart version to 2.1.0

---
 braintrust/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/braintrust/Chart.yaml b/braintrust/Chart.yaml
index 9a3e90f..1031c25 100644
--- a/braintrust/Chart.yaml
+++ b/braintrust/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: braintrust
-version: 2.0.4
+version: 2.1.0
 description: A Helm chart to run the Braintrust services for the self-hosted data plane
 type: application
 home: https://github.com/braintrustdata/helm

From 0e9bfadfc6a853c36749b0b28b0797a5aad5d901 Mon Sep 17 00:00:00 2001
From: Hedi Daoud
Date: Wed, 22 Oct 2025 14:50:36 +0200
Subject: [PATCH 2/8] Pull Request Proposal for Braintrust Helm Chart: Redis TLS CA support for API (GCP Memorystore)

---
 braintrust/README.md | 1 +
 braintrust/templates/api-deployment.yaml | 27 ++++++++++++++++++++++--
 braintrust/values.yaml | 2 ++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/braintrust/README.md b/braintrust/README.md
index 252389a..7253b49 100644
--- a/braintrust/README.md
+++ b/braintrust/README.md
@@ -14,6 +14,7 @@ The `braintrust-secrets` secret must contain the following keys: | `PG_URL` | PostgreSQL connection URL | `postgres://:@:/` (append `?sslmode=require` if using TLS) | | `BRAINSTORE_LICENSE_KEY` | Brainstore license key | Valid Brainstore license key from the Braintrust Data Plane settings page | | `FUNCTION_SECRET_KEY` | Random string for encrypting function secrets | Random string | +| `REDIS_CA_PEM` | Redis TLS CA bundle used when API Redis TLS is enabled | Full PEM bundle as a multiline string (BEGIN/END blocks). only required if `api.redisTls.enabled: true`. | | `AZURE_STORAGE_CONNECTION_STRING` | Azure storage connection string | Valid Azure storage connection string (only required if `cloud` is `azure`) | | `GCS_ACCESS_KEY_ID` | Google HMAC Access ID string | Valid S3 API Key Id (only required if `cloud` is `google`) | | `GCS_SECRET_ACCESS_KEY` | Google HMAC Secret string | Valid S3 Secret string (only required if `cloud` is `google`) | diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml index fd0e92c..6875123 100644 --- a/braintrust/templates/api-deployment.yaml +++ b/braintrust/templates/api-deployment.yaml 
@@ -106,19 +106,42 @@ spec:
 {{- if .Values.api.extraEnvVars }}
 {{- toYaml .Values.api.extraEnvVars | nindent 12 }}
 {{- end }}
- {{- if .Values.azureKeyVaultCSI.enabled }}
+ {{- if .Values.api.redisTls.enabled }}
+ - name: NODE_EXTRA_CA_CERTS
+ value: "/etc/redis/redis-bundle.pem"
+ {{- end }}
+ {{- if or .Values.azureKeyVaultCSI.enabled .Values.api.redisTls.enabled }}
 volumeMounts:
+ {{- if .Values.azureKeyVaultCSI.enabled }}
 - name: secrets-store-inline
 mountPath: "/mnt/secrets-store"
 readOnly: true
+ {{- end }}
+ {{- if .Values.api.redisTls.enabled }}
+ - name: redis-tls-ca
+ mountPath: "/etc/redis"
+ readOnly: true
+ {{- end }}
 {{- end }}
- {{- if .Values.azureKeyVaultCSI.enabled }}
+ {{- if or .Values.azureKeyVaultCSI.enabled .Values.api.redisTls.enabled }}
 volumes:
+ {{- if .Values.api.redisTls.enabled }}
+ - name: redis-tls-ca
+ projected:
+ sources:
+ - secret:
+ name: "braintrust-secrets"
+ items:
+ - key: "REDIS_CA_PEM"
+ path: "redis-bundle.pem"
+ {{- end }}
+ {{- if .Values.azureKeyVaultCSI.enabled }}
 - name: secrets-store-inline
 csi:
 driver: secrets-store.csi.k8s.io
 readOnly: true
 volumeAttributes:
 secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
+ {{- end }}
 {{- end }}
diff --git a/braintrust/values.yaml b/braintrust/values.yaml
index ef96377..1f33421 100644
--- a/braintrust/values.yaml
+++ b/braintrust/values.yaml
@@ -116,6 +116,8 @@ api:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+ redisTls:
+ enabled: false

 # Brainstore configuration (split into reader and writer)
 brainstore:

From 7d90b538d75968ad120154112ba361994b951e82 Mon Sep 17 00:00:00 2001
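Review bot: NODE_EXTRA_CA_CERTS, added at the top of this hunk, is read by Node once at process start, so a rotated REDIS_CA_PEM is re-projected into /etc/redis/redis-bundle.pem but never picked up, and because braintrust-secrets is created outside the chart nothing rolls the API pods either. Worth a comment next to the env entry, e.g. `# NODE_EXTRA_CA_CERTS is read once at startup; restart the API pods after rotating REDIS_CA_PEM`. The projected secret item carries no `optional` flag, so with redisTls enabled and the key absent the volume mount fails and the pod does not start rather than starting without the CA — that is the right fail-closed default and is worth stating in the same comment.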
From: Jeff McCollum Date: Fri, 24 Oct 2025 12:09:01 -0500 Subject: [PATCH 3/8] update redis tls to be a global setting, enabled only for google, and enabled for brainstore only when locking is set to redis. --- braintrust/README.md | 2 +- braintrust/templates/api-deployment.yaml | 10 +++++----- .../brainstore-reader-deployment.yaml | 19 +++++++++++++++++++ .../brainstore-writer-deployment.yaml | 19 +++++++++++++++++++ braintrust/values.yaml | 9 +++++++-- 5 files changed, 51 insertions(+), 8 deletions(-) diff --git a/braintrust/README.md b/braintrust/README.md index 7253b49..bbd5628 100644 --- a/braintrust/README.md +++ b/braintrust/README.md @@ -14,7 +14,7 @@ The `braintrust-secrets` secret must contain the following keys: | `PG_URL` | PostgreSQL connection URL | `postgres://:@:/` (append `?sslmode=require` if using TLS) | | `BRAINSTORE_LICENSE_KEY` | Brainstore license key | Valid Brainstore license key from the Braintrust Data Plane settings page | | `FUNCTION_SECRET_KEY` | Random string for encrypting function secrets | Random string | -| `REDIS_CA_PEM` | Redis TLS CA bundle used when API Redis TLS is enabled | Full PEM bundle as a multiline string (BEGIN/END blocks). only required if `api.redisTls.enabled: true`. | +| `REDIS_CA_PEM` | Redis TLS CA bundle used when Redis TLS is enabled | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `cloud: google` and `redisTls.enabled: true`. | | `AZURE_STORAGE_CONNECTION_STRING` | Azure storage connection string | Valid Azure storage connection string (only required if `cloud` is `azure`) | | `GCS_ACCESS_KEY_ID` | Google HMAC Access ID string | Valid S3 API Key Id (only required if `cloud` is `google`) | | `GCS_SECRET_ACCESS_KEY` | Google HMAC Secret string | Valid S3 Secret string (only required if `cloud` is `google`) | diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml index 6875123..6c62ea6 100644 --- a/braintrust/templates/api-deployment.yaml 
+++ b/braintrust/templates/api-deployment.yaml @@ -106,26 +106,26 @@ spec: {{- if .Values.api.extraEnvVars }} {{- toYaml .Values.api.extraEnvVars | nindent 12 }} {{- end }} - {{- if .Values.api.redisTls.enabled }} + {{- if and .Values.redisTls.enabled (eq .Values.cloud "google") }} - name: NODE_EXTRA_CA_CERTS value: "/etc/redis/redis-bundle.pem" {{- end }} - {{- if or .Values.azureKeyVaultCSI.enabled .Values.api.redisTls.enabled }} + {{- if or .Values.azureKeyVaultCSI.enabled (and .Values.redisTls.enabled (eq .Values.cloud "google")) }} volumeMounts: {{- if .Values.azureKeyVaultCSI.enabled }} - name: secrets-store-inline mountPath: "/mnt/secrets-store" readOnly: true {{- end }} - {{- if .Values.api.redisTls.enabled }} + {{- if and .Values.redisTls.enabled (eq .Values.cloud "google") }} - name: redis-tls-ca mountPath: "/etc/redis" readOnly: true {{- end }} {{- end }} - {{- if or .Values.azureKeyVaultCSI.enabled .Values.api.redisTls.enabled }} + {{- if or .Values.azureKeyVaultCSI.enabled (and .Values.redisTls.enabled (eq .Values.cloud "google")) }} volumes: - {{- if .Values.api.redisTls.enabled }} + {{- if and .Values.redisTls.enabled (eq .Values.cloud "google") }} - name: redis-tls-ca projected: sources: diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml index 91fcc31..51584f4 100644 --- a/braintrust/templates/brainstore-reader-deployment.yaml +++ b/braintrust/templates/brainstore-reader-deployment.yaml @@ -112,6 +112,10 @@ spec: {{- if .Values.brainstore.reader.extraEnvVars }} {{- toYaml .Values.brainstore.reader.extraEnvVars | nindent 12 }} {{- end }} + {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + - name: SSL_CERT_FILE + value: "/etc/redis/redis-bundle.pem" + {{- end }} volumeMounts: - name: cache-volume mountPath: {{ .Values.brainstore.reader.cacheDir }} 
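Review bot: SSL_CERT_FILE in the added env entry does not behave like the API's NODE_EXTRA_CA_CERTS: on OpenSSL-based and rustls-native-certs-based clients it designates the CA file to use, replacing the default bundle rather than extending it, so with this flag set brainstore would trust only what is in REDIS_CA_PEM for every TLS connection it makes, not just Redis. If brainstore reaches any other TLS endpoint, the operator has to put those roots in the same bundle or verification fails, which the README row should say; a comment above the entry such as `# SSL_CERT_FILE replaces the default CA set; REDIS_CA_PEM must hold every CA brainstore needs` would make it visible in the template too. Which TLS stack brainstore uses is not visible here, so confirm against the binary before relying on this. The same entry is added for the writer in the following hunk and is carried through the later renames in this series.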
@@ -120,6 +124,11 @@ spec: mountPath: "/mnt/secrets-store" readOnly: true {{- end }} + {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + - name: redis-tls-ca + mountPath: "/etc/redis" + readOnly: true + {{- end }} volumes: - name: cache-volume emptyDir: {} @@ -131,3 +140,13 @@ spec: volumeAttributes: secretProviderClass: {{ .Values.azureKeyVaultCSI.name }} {{- end }} + {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + - name: redis-tls-ca + projected: + sources: + - secret: + name: "braintrust-secrets" + items: + - key: "REDIS_CA_PEM" + path: "redis-bundle.pem" + {{- end }} diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml index a2f6a29..2380da5 100644 --- a/braintrust/templates/brainstore-writer-deployment.yaml +++ b/braintrust/templates/brainstore-writer-deployment.yaml @@ -112,6 +112,10 @@ spec: {{- if .Values.brainstore.writer.extraEnvVars }} {{- toYaml .Values.brainstore.writer.extraEnvVars | nindent 12 }} {{- end }} + {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + - name: SSL_CERT_FILE + value: "/etc/redis/redis-bundle.pem" + {{- end }} volumeMounts: - name: cache-volume mountPath: {{ .Values.brainstore.writer.cacheDir }} @@ -120,6 +124,11 @@ spec: mountPath: "/mnt/secrets-store" readOnly: true {{- end }} + {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + - name: redis-tls-ca + mountPath: "/etc/redis" + readOnly: true + {{- end }} volumes: - name: cache-volume emptyDir: {} 
@@ -131,3 +140,13 @@ spec: volumeAttributes: secretProviderClass: {{ .Values.azureKeyVaultCSI.name }} {{- end }} + {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + - name: redis-tls-ca + projected: + sources: + - secret: + name: "braintrust-secrets" + items: + - key: "REDIS_CA_PEM" + path: "redis-bundle.pem" + {{- end }} diff --git a/braintrust/values.yaml b/braintrust/values.yaml index 1f33421..747e88f 100644 --- a/braintrust/values.yaml +++ b/braintrust/values.yaml @@ -23,6 +23,13 @@ global: # Cloud provider configuration cloud: "google" # or "azure" or "aws" +# Redis TLS configuration (only applies when cloud is "google") +# When enabled, services will use TLS certificates to connect to Redis +# - API: Always gets TLS when enabled +# - Brainstore: Only gets TLS when enabled AND locksBackend is "redis" +redisTls: + enabled: false + # Optional: Google Cloud specific configuration google: # GKE mode: "autopilot" or "standard" @@ -116,8 +123,6 @@ api: nodeSelector: {} tolerations: [] affinity: {} - redisTls: - enabled: false # Brainstore configuration (split into reader and writer) brainstore: From 121168a75cd788155f4ddc796f5c69982e0e462f Mon Sep 17 00:00:00 2001 From: Jeff McCollum Date: Fri, 24 Oct 2025 12:21:21 -0500 Subject: [PATCH 4/8] add realtime url to api and add redis secret --- braintrust/templates/api-deployment.yaml | 4 ++++ braintrust/templates/realtime-deployment.yaml | 9 +++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml index 6c62ea6..842bdab 100644 --- a/braintrust/templates/api-deployment.yaml +++ b/braintrust/templates/api-deployment.yaml 
@@ -106,6 +106,10 @@ spec:
 {{- if .Values.api.extraEnvVars }}
 {{- toYaml .Values.api.extraEnvVars | nindent 12 }}
 {{- end }}
+ {{- if .Values.realtime.enabled }}
+ - name: REALTIME_URL
+ value: "http://{{ .Values.realtime.service.name | default .Values.realtime.name }}:{{ .Values.realtime.service.port }}"
+ {{- end }}
 {{- if and .Values.redisTls.enabled (eq .Values.cloud "google") }}
 - name: NODE_EXTRA_CA_CERTS
 value: "/etc/redis/redis-bundle.pem"
diff --git a/braintrust/templates/realtime-deployment.yaml b/braintrust/templates/realtime-deployment.yaml
index 0586ecf..c6d27d2 100644
--- a/braintrust/templates/realtime-deployment.yaml
+++ b/braintrust/templates/realtime-deployment.yaml
@@ -57,8 +57,13 @@ spec:
 - containerPort: {{ .Values.realtime.service.port }}
 resources:
 {{- toYaml .Values.realtime.resources | nindent 12 }}
- {{- if .Values.realtime.extraEnvVars }}
 env:
+ - name: REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: braintrust-secrets
+ key: REDIS_URL
+ {{- if .Values.realtime.extraEnvVars }}
 {{- toYaml .Values.realtime.extraEnvVars | nindent 12 }}
- {{- end }}
+ {{- end }}
 {{- end }}

From 486ba386d707a606813d1bdb1ce252e6d1f12857 Mon Sep 17 00:00:00 2001
From: Jeff McCollum
Date: Fri, 24 Oct 2025 14:05:26 -0500
Subject: [PATCH 5/8] simplify value and support any cloud

---
 braintrust/README.md | 2 +-
 braintrust/templates/api-deployment.yaml | 10 +++++-----
 .../templates/brainstore-reader-deployment.yaml | 6 +++---
 .../templates/brainstore-writer-deployment.yaml | 6 +++---
 braintrust/values.yaml | 12 ++++++------
 5 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/braintrust/README.md b/braintrust/README.md
index bbd5628..ac658e0 100644
--- a/braintrust/README.md
+++ b/braintrust/README.md
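Review bot: The REDIS_URL secretKeyRef added under `env:` in the realtime hunk is unconditional and has no `optional:` field, so every realtime pod now hard-requires a REDIS_URL key in braintrust-secrets and sits in CreateContainerConfigError when it is missing; the README rows shown in this series do not list that key, so the secret table should gain a row for it (it may exist above the shown hunk — confirm). Moving `env:` out of the `extraEnvVars` conditional is correct, since the list is no longer empty without extras. The closing `{{- end }}` on the last context line belongs to a block whose start is outside the hunk.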
@@ -14,7 +14,7 @@ The `braintrust-secrets` secret must contain the following keys: | `PG_URL` | PostgreSQL connection URL | `postgres://:@:/` (append `?sslmode=require` if using TLS) | | `BRAINSTORE_LICENSE_KEY` | Brainstore license key | Valid Brainstore license key from the Braintrust Data Plane settings page | | `FUNCTION_SECRET_KEY` | Random string for encrypting function secrets | Random string | -| `REDIS_CA_PEM` | Redis TLS CA bundle used when Redis TLS is enabled | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `cloud: google` and `redisTls.enabled: true`. | +| `REDIS_CA_PEM` | Custom Redis TLS CA bundle | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `customRedisTLSCABundle: true`. | | `AZURE_STORAGE_CONNECTION_STRING` | Azure storage connection string | Valid Azure storage connection string (only required if `cloud` is `azure`) | | `GCS_ACCESS_KEY_ID` | Google HMAC Access ID string | Valid S3 API Key Id (only required if `cloud` is `google`) | | `GCS_SECRET_ACCESS_KEY` | Google HMAC Secret string | Valid S3 Secret string (only required if `cloud` is `google`) | diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml index 842bdab..bfe40a1 100644 --- a/braintrust/templates/api-deployment.yaml +++ b/braintrust/templates/api-deployment.yaml 
@@ -110,26 +110,26 @@ spec: - name: REALTIME_URL value: "http://{{ .Values.realtime.service.name | default .Values.realtime.name }}:{{ .Values.realtime.service.port }}" {{- end }} - {{- if and .Values.redisTls.enabled (eq .Values.cloud "google") }} + {{- if .Values.customRedisTLSCABundle }} - name: NODE_EXTRA_CA_CERTS value: "/etc/redis/redis-bundle.pem" {{- end }} - {{- if or .Values.azureKeyVaultCSI.enabled (and .Values.redisTls.enabled (eq .Values.cloud "google")) }} + {{- if or .Values.azureKeyVaultCSI.enabled .Values.customRedisTLSCABundle }} volumeMounts: {{- if .Values.azureKeyVaultCSI.enabled }} - name: secrets-store-inline mountPath: "/mnt/secrets-store" readOnly: true {{- end }} - {{- if and .Values.redisTls.enabled (eq .Values.cloud "google") }} + {{- if .Values.customRedisTLSCABundle }} - name: redis-tls-ca mountPath: "/etc/redis" readOnly: true {{- end }} {{- end }} - {{- if or .Values.azureKeyVaultCSI.enabled (and .Values.redisTls.enabled (eq .Values.cloud "google")) }} + {{- if or .Values.azureKeyVaultCSI.enabled .Values.customRedisTLSCABundle }} volumes: - {{- if and .Values.redisTls.enabled (eq .Values.cloud "google") }} + {{- if .Values.customRedisTLSCABundle }} - name: redis-tls-ca projected: sources: diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml index 51584f4..eaa0e28 100644 --- a/braintrust/templates/brainstore-reader-deployment.yaml +++ b/braintrust/templates/brainstore-reader-deployment.yaml @@ -112,7 +112,7 @@ spec: {{- if .Values.brainstore.reader.extraEnvVars }} {{- toYaml .Values.brainstore.reader.extraEnvVars | nindent 12 }} {{- end }} - {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} - name: SSL_CERT_FILE value: "/etc/redis/redis-bundle.pem" {{- end }} 
@@ -124,7 +124,7 @@ spec: mountPath: "/mnt/secrets-store" readOnly: true {{- end }} - {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} - name: redis-tls-ca mountPath: "/etc/redis" readOnly: true @@ -140,7 +140,7 @@ spec: volumeAttributes: secretProviderClass: {{ .Values.azureKeyVaultCSI.name }} {{- end }} - {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} - name: redis-tls-ca projected: sources: diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml index 2380da5..b0438f1 100644 --- a/braintrust/templates/brainstore-writer-deployment.yaml +++ b/braintrust/templates/brainstore-writer-deployment.yaml @@ -112,7 +112,7 @@ spec: {{- if .Values.brainstore.writer.extraEnvVars }} {{- toYaml .Values.brainstore.writer.extraEnvVars | nindent 12 }} {{- end }} - {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} - name: SSL_CERT_FILE value: "/etc/redis/redis-bundle.pem" {{- end }} @@ -124,7 +124,7 @@ spec: mountPath: "/mnt/secrets-store" readOnly: true {{- end }} - {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} - name: redis-tls-ca mountPath: "/etc/redis" readOnly: true 
@@ -140,7 +140,7 @@ spec: volumeAttributes: secretProviderClass: {{ .Values.azureKeyVaultCSI.name }} {{- end }} - {{- if and .Values.redisTls.enabled (eq .Values.brainstore.locksBackend "redis") (eq .Values.cloud "google") }} + {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} - name: redis-tls-ca projected: sources: diff --git a/braintrust/values.yaml b/braintrust/values.yaml index 747e88f..d125931 100644 --- a/braintrust/values.yaml +++ b/braintrust/values.yaml @@ -23,12 +23,12 @@ global: # Cloud provider configuration cloud: "google" # or "azure" or "aws" -# Redis TLS configuration (only applies when cloud is "google") -# When enabled, services will use TLS certificates to connect to Redis -# - API: Always gets TLS when enabled -# - Brainstore: Only gets TLS when enabled AND locksBackend is "redis" -redisTls: - enabled: false +# Custom Redis TLS CA Bundle configuration +# When enabled, services will use a custom TLS CA certificate bundle to connect to Redis +# - API: Always gets TLS CA bundle when enabled +# - Brainstore: Only gets TLS CA bundle when enabled AND locksBackend is "redis" +# Requires REDIS_CA_PEM secret to be set (see README for details) +customRedisTLSCABundle: false # Optional: Google Cloud specific configuration google: From 2a09049456696a7a47cb37a11e859f3a8da98f2a Mon Sep 17 00:00:00 2001 From: Ken Jiang <39507362+knjiang@users.noreply.github.com> Date: Mon, 27 Oct 2025 18:10:08 -0400 Subject: [PATCH 6/8] add BRAINSTORE_REDIS_URL (#40) --- braintrust/templates/brainstore-reader-deployment.yaml | 5 +++++ braintrust/templates/brainstore-writer-deployment.yaml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml index 4d427b2..de62a86 100644 --- a/braintrust/templates/brainstore-reader-deployment.yaml +++ b/braintrust/templates/brainstore-reader-deployment.yaml 
@@ -89,6 +89,11 @@ spec:
 secretKeyRef:
 name: braintrust-secrets
 key: PG_URL
+ - name: BRAINSTORE_REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: braintrust-secrets
+ key: REDIS_URL
 {{- if eq .Values.brainstore.locksBackend "redis" }}
 - name: BRAINSTORE_LOCKS_URI
 valueFrom:
diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml
index f3fd6aa..ad94ab4 100644
--- a/braintrust/templates/brainstore-writer-deployment.yaml
+++ b/braintrust/templates/brainstore-writer-deployment.yaml
@@ -89,6 +89,11 @@ spec:
 secretKeyRef:
 name: braintrust-secrets
 key: PG_URL
+ - name: BRAINSTORE_REDIS_URL
+ valueFrom:
+ secretKeyRef:
+ name: braintrust-secrets
+ key: REDIS_URL
 {{- if eq .Values.brainstore.locksBackend "redis" }}
 - name: BRAINSTORE_LOCKS_URI
 valueFrom:

From d4f0eb0b26cbe83938b40273ef338924278e817b Mon Sep 17 00:00:00 2001
From: Jeff McCollum
Date: Mon, 27 Oct 2025 17:40:51 -0500
Subject: [PATCH 7/8] rename customRedisTLSCABundle to customTLSCABundle

---
 braintrust/README.md | 2 +-
 braintrust/templates/api-deployment.yaml | 10 +++++-----
 .../templates/brainstore-reader-deployment.yaml | 6 +++---
 .../templates/brainstore-writer-deployment.yaml | 6 +++---
 braintrust/values.yaml | 12 +++++++-----
 5 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/braintrust/README.md b/braintrust/README.md
index ac658e0..30fa71e 100644
--- a/braintrust/README.md
+++ b/braintrust/README.md
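Review bot: BRAINSTORE_REDIS_URL is added unconditionally while the BRAINSTORE_LOCKS_URI entry directly below it stays gated on `locksBackend == "redis"`, so brainstore pods now require REDIS_URL in braintrust-secrets even for installs that do not use Redis and fail with CreateContainerConfigError when the key is absent. If the URL is only needed in some configurations, gate it the same way; otherwise document the key as required in the README table, which in the rows visible here does not list it. If the value is a `rediss://` URL, certificate verification depends on the SSL_CERT_FILE handling introduced earlier in this series. The writer hunk that follows has the same shape.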
@@ -14,7 +14,7 @@ The `braintrust-secrets` secret must contain the following keys: | `PG_URL` | PostgreSQL connection URL | `postgres://:@:/` (append `?sslmode=require` if using TLS) | | `BRAINSTORE_LICENSE_KEY` | Brainstore license key | Valid Brainstore license key from the Braintrust Data Plane settings page | | `FUNCTION_SECRET_KEY` | Random string for encrypting function secrets | Random string | -| `REDIS_CA_PEM` | Custom Redis TLS CA bundle | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `customRedisTLSCABundle: true`. | +| `REDIS_CA_PEM` | Custom Redis TLS CA bundle | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `customTLSCABundle: true`. | | `AZURE_STORAGE_CONNECTION_STRING` | Azure storage connection string | Valid Azure storage connection string (only required if `cloud` is `azure`) | | `GCS_ACCESS_KEY_ID` | Google HMAC Access ID string | Valid S3 API Key Id (only required if `cloud` is `google`) | | `GCS_SECRET_ACCESS_KEY` | Google HMAC Secret string | Valid S3 Secret string (only required if `cloud` is `google`) | diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml index bfe40a1..0a2d71a 100644 --- a/braintrust/templates/api-deployment.yaml +++ b/braintrust/templates/api-deployment.yaml 
@@ -110,26 +110,26 @@ spec: - name: REALTIME_URL value: "http://{{ .Values.realtime.service.name | default .Values.realtime.name }}:{{ .Values.realtime.service.port }}" {{- end }} - {{- if .Values.customRedisTLSCABundle }} + {{- if .Values.customTLSCABundle }} - name: NODE_EXTRA_CA_CERTS value: "/etc/redis/redis-bundle.pem" {{- end }} - {{- if or .Values.azureKeyVaultCSI.enabled .Values.customRedisTLSCABundle }} + {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }} volumeMounts: {{- if .Values.azureKeyVaultCSI.enabled }} - name: secrets-store-inline mountPath: "/mnt/secrets-store" readOnly: true {{- end }} - {{- if .Values.customRedisTLSCABundle }} + {{- if .Values.customTLSCABundle }} - name: redis-tls-ca mountPath: "/etc/redis" readOnly: true {{- end }} {{- end }} - {{- if or .Values.azureKeyVaultCSI.enabled .Values.customRedisTLSCABundle }} + {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }} volumes: - {{- if .Values.customRedisTLSCABundle }} + {{- if .Values.customTLSCABundle }} - name: redis-tls-ca projected: sources: diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml index 89156dc..dbb6eea 100644 --- a/braintrust/templates/brainstore-reader-deployment.yaml +++ b/braintrust/templates/brainstore-reader-deployment.yaml @@ -117,7 +117,7 @@ spec: {{- if .Values.brainstore.reader.extraEnvVars }} {{- toYaml .Values.brainstore.reader.extraEnvVars | nindent 12 }} {{- end }} - {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} + {{- if .Values.customTLSCABundle }} - name: SSL_CERT_FILE value: "/etc/redis/redis-bundle.pem" {{- end }} @@ -129,7 +129,7 @@ spec: mountPath: "/mnt/secrets-store" readOnly: true {{- end }} - {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} + {{- if .Values.customTLSCABundle }} - name: redis-tls-ca mountPath: "/etc/redis" readOnly: true 
@@ -145,7 +145,7 @@ spec: volumeAttributes: secretProviderClass: {{ .Values.azureKeyVaultCSI.name }} {{- end }} - {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} + {{- if .Values.customTLSCABundle }} - name: redis-tls-ca projected: sources: diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml index 3e4d099..21ce3e0 100644 --- a/braintrust/templates/brainstore-writer-deployment.yaml +++ b/braintrust/templates/brainstore-writer-deployment.yaml @@ -117,7 +117,7 @@ spec: {{- if .Values.brainstore.writer.extraEnvVars }} {{- toYaml .Values.brainstore.writer.extraEnvVars | nindent 12 }} {{- end }} - {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} + {{- if .Values.customTLSCABundle }} - name: SSL_CERT_FILE value: "/etc/redis/redis-bundle.pem" {{- end }} @@ -129,7 +129,7 @@ spec: mountPath: "/mnt/secrets-store" readOnly: true {{- end }} - {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} + {{- if .Values.customTLSCABundle }} - name: redis-tls-ca mountPath: "/etc/redis" readOnly: true @@ -145,7 +145,7 @@ spec: volumeAttributes: secretProviderClass: {{ .Values.azureKeyVaultCSI.name }} {{- end }} - {{- if and .Values.customRedisTLSCABundle (eq .Values.brainstore.locksBackend "redis") }} + {{- if .Values.customTLSCABundle }} - name: redis-tls-ca projected: sources: diff --git a/braintrust/values.yaml b/braintrust/values.yaml index d125931..606b9e9 100644 --- a/braintrust/values.yaml +++ b/braintrust/values.yaml 
@@ -23,12 +23,14 @@ global: # Cloud provider configuration cloud: "google" # or "azure" or "aws" -# Custom Redis TLS CA Bundle configuration -# When enabled, services will use a custom TLS CA certificate bundle to connect to Redis -# - API: Always gets TLS CA bundle when enabled -# - Brainstore: Only gets TLS CA bundle when enabled AND locksBackend is "redis" +# Custom TLS CA Bundle configuration +# When enabled, appends custom CA certificates to the system trust store for secure connections +# This is useful for private CAs, self-signed certificates, or custom certificate chains +# The custom CA bundle is added in addition to the default system CA certificates +# - API: Always gets TLS CA bundle when enabled (used for Redis and other connections) +# - Brainstore: Always gets TLS CA bundle when enabled (used for Redis and other connections) # Requires REDIS_CA_PEM secret to be set (see README for details) -customRedisTLSCABundle: false +customTLSCABundle: false # Optional: Google Cloud specific configuration google: From 8cb351d5906f9b91a9b0e70a148163f9d532bdc8 Mon Sep 17 00:00:00 2001 From: Jeff McCollum Date: Thu, 30 Oct 2025 09:50:51 -0500 Subject: [PATCH 8/8] rename --- braintrust/README.md | 2 +- braintrust/templates/api-deployment.yaml | 12 ++++++------ .../templates/brainstore-reader-deployment.yaml | 12 ++++++------ .../templates/brainstore-writer-deployment.yaml | 12 ++++++------ braintrust/values.yaml | 4 +--- 5 files changed, 20 insertions(+), 22 deletions(-) diff --git a/braintrust/README.md b/braintrust/README.md index 30fa71e..08f4b76 100644 --- a/braintrust/README.md +++ b/braintrust/README.md 
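Review bot: The new comment line `# The custom CA bundle is added in addition to the default system CA certificates` holds for the API, which receives NODE_EXTRA_CA_CERTS, but not for brainstore, which receives SSL_CERT_FILE in the reader and writer hunks of this same commit: on OpenSSL-based and rustls-native-certs-based clients that variable selects the CA file and the default bundle is not consulted. Since this commit also drops the `locksBackend` gating, brainstore gets that env whenever the flag is on, so the mismatch now affects every brainstore install that enables it. Suggest stating the behaviour per service, e.g. `# - API: appended to the default CA set (NODE_EXTRA_CA_CERTS)` and `# - Brainstore: used as the CA file (SSL_CERT_FILE); include any public roots brainstore also needs`, and confirming brainstore's TLS stack before keeping the "in addition" wording.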
@@ -14,7 +14,7 @@ The `braintrust-secrets` secret must contain the following keys: | `PG_URL` | PostgreSQL connection URL | `postgres://:@:/` (append `?sslmode=require` if using TLS) | | `BRAINSTORE_LICENSE_KEY` | Brainstore license key | Valid Brainstore license key from the Braintrust Data Plane settings page | | `FUNCTION_SECRET_KEY` | Random string for encrypting function secrets | Random string | -| `REDIS_CA_PEM` | Custom Redis TLS CA bundle | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `customTLSCABundle: true`. | +| `CA_PEM` | Custom TLS CA bundle | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `customTLSCABundle: true`. | | `AZURE_STORAGE_CONNECTION_STRING` | Azure storage connection string | Valid Azure storage connection string (only required if `cloud` is `azure`) | | `GCS_ACCESS_KEY_ID` | Google HMAC Access ID string | Valid S3 API Key Id (only required if `cloud` is `google`) | | `GCS_SECRET_ACCESS_KEY` | Google HMAC Secret string | Valid S3 Secret string (only required if `cloud` is `google`) | diff --git a/braintrust/templates/api-deployment.yaml b/braintrust/templates/api-deployment.yaml index 0a2d71a..ad9218d 100644 --- a/braintrust/templates/api-deployment.yaml +++ b/braintrust/templates/api-deployment.yaml @@ -112,7 +112,7 @@ spec: {{- end }} {{- if .Values.customTLSCABundle }} - name: NODE_EXTRA_CA_CERTS - value: "/etc/redis/redis-bundle.pem" + value: "/etc/braintrust/tls/ca-bundle.pem" {{- end }} {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }} volumeMounts: 
@@ -122,22 +122,22 @@ spec: readOnly: true {{- end }} {{- if .Values.customTLSCABundle }} - - name: redis-tls-ca - mountPath: "/etc/redis" + - name: tls-ca + mountPath: "/etc/braintrust/tls" readOnly: true {{- end }} {{- end }} {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }} volumes: {{- if .Values.customTLSCABundle }} - - name: redis-tls-ca + - name: tls-ca projected: sources: - secret: name: "braintrust-secrets" items: - - key: "REDIS_CA_PEM" - path: "redis-bundle.pem" + - key: "CA_PEM" + path: "ca-bundle.pem" {{- end }} {{- if .Values.azureKeyVaultCSI.enabled }} - name: secrets-store-inline diff --git a/braintrust/templates/brainstore-reader-deployment.yaml b/braintrust/templates/brainstore-reader-deployment.yaml index dbb6eea..898765f 100644 --- a/braintrust/templates/brainstore-reader-deployment.yaml +++ b/braintrust/templates/brainstore-reader-deployment.yaml @@ -119,7 +119,7 @@ spec: {{- end }} {{- if .Values.customTLSCABundle }} - name: SSL_CERT_FILE - value: "/etc/redis/redis-bundle.pem" + value: "/etc/braintrust/tls/ca-bundle.pem" {{- end }} volumeMounts: - name: cache-volume @@ -130,8 +130,8 @@ spec: readOnly: true {{- end }} {{- if .Values.customTLSCABundle }} - - name: redis-tls-ca - mountPath: "/etc/redis" + - name: tls-ca + mountPath: "/etc/braintrust/tls" readOnly: true {{- end }} volumes: @@ -146,12 +146,12 @@ spec: secretProviderClass: {{ .Values.azureKeyVaultCSI.name }} {{- end }} {{- if .Values.customTLSCABundle }} - - name: redis-tls-ca + - name: tls-ca projected: sources: - secret: name: "braintrust-secrets" items: - - key: "REDIS_CA_PEM" - path: "redis-bundle.pem" + - key: "CA_PEM" + path: "ca-bundle.pem" {{- end }} diff --git a/braintrust/templates/brainstore-writer-deployment.yaml b/braintrust/templates/brainstore-writer-deployment.yaml index 21ce3e0..155da1c 100644 --- a/braintrust/templates/brainstore-writer-deployment.yaml +++ b/braintrust/templates/brainstore-writer-deployment.yaml 
@@ -119,7 +119,7 @@ spec: {{- end }} {{- if .Values.customTLSCABundle }} - name: SSL_CERT_FILE - value: "/etc/redis/redis-bundle.pem" + value: "/etc/braintrust/tls/ca-bundle.pem" {{- end }} volumeMounts: - name: cache-volume @@ -130,8 +130,8 @@ spec: readOnly: true {{- end }} {{- if .Values.customTLSCABundle }} - - name: redis-tls-ca - mountPath: "/etc/redis" + - name: tls-ca + mountPath: "/etc/braintrust/tls" readOnly: true {{- end }} volumes: @@ -146,12 +146,12 @@ spec: secretProviderClass: {{ .Values.azureKeyVaultCSI.name }} {{- end }} {{- if .Values.customTLSCABundle }} - - name: redis-tls-ca + - name: tls-ca projected: sources: - secret: name: "braintrust-secrets" items: - - key: "REDIS_CA_PEM" - path: "redis-bundle.pem" + - key: "CA_PEM" + path: "ca-bundle.pem" {{- end }} diff --git a/braintrust/values.yaml b/braintrust/values.yaml index 606b9e9..e1f1a1d 100644 --- a/braintrust/values.yaml +++ b/braintrust/values.yaml @@ -27,9 +27,7 @@ cloud: "google" # or "azure" or "aws" # When enabled, appends custom CA certificates to the system trust store for secure connections # This is useful for private CAs, self-signed certificates, or custom certificate chains # The custom CA bundle is added in addition to the default system CA certificates -# - API: Always gets TLS CA bundle when enabled (used for Redis and other connections) -# - Brainstore: Always gets TLS CA bundle when enabled (used for Redis and other connections) -# Requires REDIS_CA_PEM secret to be set (see README for details) +# Requires CA_PEM secret to be set (see README for details) customTLSCABundle: false # Optional: Google Cloud specific configuration