feat(helm): add optional custom TLS CA support via braintrust-secrets

braintrust/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: braintrust
-version: 2.0.4
+version: 2.1.0
 description: A Helm chart to run the Braintrust services for the self-hosted data plane
 type: application
 home: https://github.com/braintrustdata/helm

braintrust/README.md

@@ -14,6 +14,7 @@ The `braintrust-secrets` secret must contain the following keys:
 | `PG_URL` | PostgreSQL connection URL | `postgres://<username>:<password>@<host>:<port>/<database>` (append `?sslmode=require` if using TLS) |
 | `BRAINSTORE_LICENSE_KEY` | Brainstore license key | Valid Brainstore license key from the Braintrust Data Plane settings page |
 | `FUNCTION_SECRET_KEY` | Random string for encrypting function secrets | Random string |
+| `CA_PEM` | Custom TLS CA bundle | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `customTLSCABundle: true`. |
 | `AZURE_STORAGE_CONNECTION_STRING` | Azure storage connection string | Valid Azure storage connection string (only required if `cloud` is `azure`) |
 | `GCS_ACCESS_KEY_ID` | Google HMAC Access ID string | Valid S3 API Key Id (only required if `cloud` is `google`) |
 | `GCS_SECRET_ACCESS_KEY` | Google HMAC Secret string | Valid S3 Secret string (only required if `cloud` is `google`) |

braintrust/templates/api-deployment.yaml

@@ -106,19 +106,46 @@ spec:
             {{- if .Values.api.extraEnvVars }}
             {{- toYaml .Values.api.extraEnvVars | nindent 12 }}
             {{- end }}
-          {{- if .Values.azureKeyVaultCSI.enabled }}
+            {{- if .Values.realtime.enabled }}
+            - name: REALTIME_URL
+              value: "http://{{ .Values.realtime.service.name | default .Values.realtime.name }}:{{ .Values.realtime.service.port }}"
+            {{- end }}
+            {{- if .Values.customTLSCABundle }}
+            - name: NODE_EXTRA_CA_CERTS
+              value: "/etc/braintrust/tls/ca-bundle.pem"
+            {{- end }}
+          {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }}
           volumeMounts:
+            {{- if .Values.azureKeyVaultCSI.enabled }}
             - name: secrets-store-inline
               mountPath: "/mnt/secrets-store"
               readOnly: true
+            {{- end }}
+            {{- if .Values.customTLSCABundle }}
+            - name: tls-ca
+              mountPath: "/etc/braintrust/tls"
+              readOnly: true
+            {{- end }}
           {{- end }}
-      {{- if .Values.azureKeyVaultCSI.enabled }}
+      {{- if or .Values.azureKeyVaultCSI.enabled .Values.customTLSCABundle }}
       volumes:
+        {{- if .Values.customTLSCABundle }}
+        - name: tls-ca
+          projected:
+            sources:
+              - secret:
+                  name: "braintrust-secrets"
+                  items:
+                    - key: "CA_PEM"
+                      path: "ca-bundle.pem"
+        {{- end }}
+        {{- if .Values.azureKeyVaultCSI.enabled }}
         - name: secrets-store-inline
           csi:
             driver: secrets-store.csi.k8s.io
             readOnly: true
             volumeAttributes:
               secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
+        {{- end }}
       {{- end }}
 

braintrust/templates/brainstore-reader-deployment.yaml

@@ -97,6 +97,11 @@ spec:
                 secretKeyRef:
                   name: braintrust-secrets
                   key: PG_URL
+            - name: BRAINSTORE_REDIS_URL
+              valueFrom:
+                secretKeyRef:
+                  name: braintrust-secrets
+                  key: REDIS_URL
             {{- if eq .Values.brainstore.locksBackend "redis" }}
             - name: BRAINSTORE_LOCKS_URI
               valueFrom:
@@ -112,6 +117,10 @@ spec:
             {{- if .Values.brainstore.reader.extraEnvVars }}
             {{- toYaml .Values.brainstore.reader.extraEnvVars | nindent 12 }}
             {{- end }}
+            {{- if .Values.customTLSCABundle }}
+            - name: SSL_CERT_FILE
+              value: "/etc/braintrust/tls/ca-bundle.pem"
+            {{- end }}
           volumeMounts:
             - name: cache-volume
               mountPath: {{ .Values.brainstore.reader.cacheDir }}
@@ -120,6 +129,11 @@ spec:
               mountPath: "/mnt/secrets-store"
               readOnly: true
             {{- end }}
+            {{- if .Values.customTLSCABundle }}
+            - name: tls-ca
+              mountPath: "/etc/braintrust/tls"
+              readOnly: true
+            {{- end }}
       volumes:
         - name: cache-volume
           emptyDir: {}
@@ -131,3 +145,13 @@ spec:
             volumeAttributes:
               secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
         {{- end }}
+        {{- if .Values.customTLSCABundle }}
+        - name: tls-ca
+          projected:
+            sources:
+              - secret:
+                  name: "braintrust-secrets"
+                  items:
+                    - key: "CA_PEM"
+                      path: "ca-bundle.pem"
+        {{- end }}

braintrust/templates/brainstore-writer-deployment.yaml

@@ -97,6 +97,11 @@ spec:
                 secretKeyRef:
                   name: braintrust-secrets
                   key: PG_URL
+            - name: BRAINSTORE_REDIS_URL
+              valueFrom:
+                secretKeyRef:
+                  name: braintrust-secrets
+                  key: REDIS_URL
             {{- if eq .Values.brainstore.locksBackend "redis" }}
             - name: BRAINSTORE_LOCKS_URI
               valueFrom:
@@ -112,6 +117,10 @@ spec:
             {{- if .Values.brainstore.writer.extraEnvVars }}
             {{- toYaml .Values.brainstore.writer.extraEnvVars | nindent 12 }}
             {{- end }}
+            {{- if .Values.customTLSCABundle }}
+            - name: SSL_CERT_FILE
+              value: "/etc/braintrust/tls/ca-bundle.pem"
+            {{- end }}
           volumeMounts:
             - name: cache-volume
               mountPath: {{ .Values.brainstore.writer.cacheDir }}
@@ -120,6 +129,11 @@ spec:
               mountPath: "/mnt/secrets-store"
               readOnly: true
             {{- end }}
+            {{- if .Values.customTLSCABundle }}
+            - name: tls-ca
+              mountPath: "/etc/braintrust/tls"
+              readOnly: true
+            {{- end }}
       volumes:
         - name: cache-volume
           emptyDir: {}
@@ -131,3 +145,13 @@ spec:
             volumeAttributes:
               secretProviderClass: {{ .Values.azureKeyVaultCSI.name }}
         {{- end }}
+        {{- if .Values.customTLSCABundle }}
+        - name: tls-ca
+          projected:
+            sources:
+              - secret:
+                  name: "braintrust-secrets"
+                  items:
+                    - key: "CA_PEM"
+                      path: "ca-bundle.pem"
+        {{- end }}

braintrust/templates/realtime-deployment.yaml

@@ -57,8 +57,13 @@ spec:
             - containerPort: {{ .Values.realtime.service.port }}
           resources:
             {{- toYaml .Values.realtime.resources | nindent 12 }}
-          {{- if .Values.realtime.extraEnvVars }}
           env:
+            - name: REDIS_URL
+              valueFrom:
+                secretKeyRef:
+                  name: braintrust-secrets
+                  key: REDIS_URL
+            {{- if .Values.realtime.extraEnvVars }}
             {{- toYaml .Values.realtime.extraEnvVars | nindent 12 }}
-          {{- end }}
+            {{- end }}
 {{- end }}

braintrust/values.yaml

@@ -23,6 +23,13 @@ global:
 # Cloud provider configuration
 cloud: "google"  # or "azure" or "aws"
 
+# Custom TLS CA Bundle configuration
+# When enabled, appends custom CA certificates to the system trust store for secure connections
+# This is useful for private CAs, self-signed certificates, or custom certificate chains
+# The custom CA bundle is added in addition to the default system CA certificates
+# Requires CA_PEM secret to be set (see README for details)
+customTLSCABundle: false
+
 # Optional: Google Cloud specific configuration
 google:
   # GKE mode: "autopilot" or "standard"