Skip to content

feat(helm): add optional custom TLS CA support via braintrust-secrets #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jeffmccollum merged 9 commits into from
Oct 30, 2025
Merged

feat(helm): add optional custom TLS CA support via braintrust-secrets #39

jeffmccollum merged 9 commits into from
Oct 30, 2025

Conversation

@hdaoud23
Copy link

@hdaoud23 hdaoud23 commented Oct 22, 2025
edited by mdeeks
Loading

This PR adds optional support for passing in a custom TLS Certificate Authority Bundle. The main use case for this is to provide a mechanism for the API and Brainstore services to trust Google Memorystore TLS certificates that are not signed by a trusted public CA. This feature can be used in a generic way to add a custom trust chain for any TLS connections established by the braintrust services.

  • Projects a CA bundle from the CA_PEM key in the existing Kubernetes Secret braintrust-secrets into the API and Brainstore pods.
  • Sets NODE_EXTRA_CA_CERTS on the API pod and SSL_CERT_FILE on the brainstore pods to that bundle when enabled.
  • Requires only one value to flip to true: customTLSCABundle

mdeeks
mdeeks reviewed Oct 27, 2025
View reviewed changes
mdeeks
mdeeks reviewed Oct 27, 2025
View reviewed changes
@jeffmccollum jeffmccollum requested a review from mdeeks October 27, 2025 22:41
mdeeks
mdeeks reviewed Oct 28, 2025
View reviewed changes
mdeeks
mdeeks reviewed Oct 28, 2025
View reviewed changes
@jeffmccollum jeffmccollum requested a review from mdeeks October 30, 2025 14:51
mdeeks
mdeeks approved these changes Oct 30, 2025
View reviewed changes
Copy link
Contributor

@mdeeks mdeeks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@mdeeks mdeeks changed the title feat(helm): add optional Redis TLS CA support for API via braintrust-secrets for API (GCP Memorystore) feat(helm): add optional TLS CA support via braintrust-secrets Oct 30, 2025
@mdeeks mdeeks changed the title feat(helm): add optional TLS CA support via braintrust-secrets feat(helm): add optional custom TLS CA support via braintrust-secrets Oct 30, 2025
@jeffmccollum jeffmccollum merged this pull request into braintrustdata:jeff/security-enhancements Oct 30, 2025
jeffmccollum added a commit that referenced this pull request Nov 4, 2025
@hdaoud23 @braintrust-bot
@jeffmccollum @knjiang
feat(helm): add optional custom TLS CA support via braintrust-secrets (
dd21825 
…#39)

* Update Chart version to 2.1.0

* Pull Request Proposal for Braintrust Helm Chart: Redis TLS CA support for API (GCP Memorystore)

* update redis tls to be a global setting, enabled only for google, and enabled for brainstore only when locking is set to redis.

* add realtime url to api and add redis secret

* simplify value and support any cloud

* add BRAINSTORE_REDIS_URL (#40)

* rename customRedisTLSCABundle to customTLSCABundle

* rename

---------

Co-authored-by: Braintrust Bot <215900051+braintrust-bot[bot]@users.noreply.github.com>
Co-authored-by: Jeff McCollum <jeff@braintrustdata.com>
Co-authored-by: Ken Jiang <39507362+knjiang@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mdeeks mdeeks mdeeks approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hdaoud23 @mdeeks @jeffmccollum @knjiang