feat: Add support for custom Root CA configuration in Helm chart (#129)

* feat: Add support for custom Root CA configuration in Helm chart * fix: Remove default value for customRootCA in Helm chart
2026-04-06 00:32:03 +02:00 · 2025-12-09 19:36:52 +03:00
parent d27b885fc1
commit 1f5c9d3d01
3 changed files with 43 additions and 0 deletions
--- a/deploy/helm/README.md
+++ b/deploy/helm/README.md
@@ -32,6 +32,29 @@ Then open `http://localhost:4005` in your browser.
 | `image.pullPolicy` | Image pull policy  | `Always`                    |
 | `replicaCount`     | Number of replicas | `1`                         |

+### Custom Root CA
+
+| Parameter      | Description                              | Default Value |
+| -------------- | ---------------------------------------- | ------------- |
+| `customRootCA` | Name of Secret containing CA certificate | `""`          |
+
+To trust a custom CA certificate (e.g., for internal services with self-signed certificates):
+
+1. Create a Secret with your CA certificate:
+
+```bash
+kubectl create secret generic my-root-ca \
+  --from-file=ca.crt=./path/to/ca-certificate.crt
+```
+
+2. Reference it in values:
+
+```yaml
+customRootCA: my-root-ca
+```
+
+The certificate will be mounted to `/etc/ssl/certs/custom-root-ca.crt` and the `SSL_CERT_FILE` environment variable will be set automatically.
+
 ### Service

 | Parameter                  | Description             | Default Value |
--- a/deploy/helm/templates/statefulset.yaml
+++ b/deploy/helm/templates/statefulset.yaml
@@ -39,6 +39,11 @@ spec:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.customRootCA }}
+          env:
+            - name: SSL_CERT_FILE
+              value: /etc/ssl/certs/custom-root-ca.crt
+          {{- end }}
          ports:
            - name: http
              containerPort: {{ .Values.service.targetPort }}
@@ -46,6 +51,12 @@ spec:
          volumeMounts:
            - name: postgresus-storage
              mountPath: {{ .Values.persistence.mountPath }}
+            {{- if .Values.customRootCA }}
+            - name: custom-root-ca
+              mountPath: /etc/ssl/certs/custom-root-ca.crt
+              subPath: ca.crt
+              readOnly: true
+            {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          {{- if .Values.livenessProbe.enabled }}
@@ -66,6 +77,12 @@ spec:
            timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
          {{- end }}
+      {{- if .Values.customRootCA }}
+      volumes:
+        - name: custom-root-ca
+          secret:
+            secretName: {{ .Values.customRootCA }}
+      {{- end }}
  {{- if .Values.persistence.enabled }}
  volumeClaimTemplates:
    - metadata:
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -9,6 +9,9 @@ image:
 # StatefulSet configuration
 replicaCount: 1

+# RootCA setup, need name of secret in same namespace
+customRootCA: ""
+
 # Service configuration
 service:
  type: ClusterIP