2 changes: 1 addition & 1 deletion deployment/helm/charts/onyx/Chart.yaml
Expand Up @@ -5,7 +5,7 @@ home: https://www.onyx.app/
sources:
- "https://github.com/onyx-dot-app/onyx"
type: application
version: 0.4.39
version: 0.4.40
appVersion: latest
annotations:
category: Productivity
3 changes: 3 additions & 0 deletions deployment/helm/charts/onyx/templates/api-deployment.yaml
Expand Up @@ -67,6 +67,9 @@ spec:
- "/bin/sh"
- "-c"
- |
{{- if .Values.api.runUpdateCaCertificates }}
update-ca-certificates &&
{{- end }}
Comment on lines +70 to +72
Contributor

P1 Custom CA update limited to API server only

update-ca-certificates is only wired into the API deployment, but the Celery workers (celery-worker-docfetching, celery-worker-docprocessing, celery-worker-primary, etc.) also run Python and make outbound HTTPS requests to user-configured data sources during indexing. If a user mounts a custom CA and enables runUpdateCaCertificates: true, the system CA bundle at /etc/ssl/certs/ca-certificates.crt is updated only in the API container. The Celery worker containers share the same image but never run update-ca-certificates, so their CA bundle is unchanged.

Combined with the documented requirement to set REQUESTS_CA_BUNDLE/SSL_CERT_FILE (which point to the system bundle), this creates a situation where:

  • API server: custom CA works ✅
  • Celery workers: env vars point to system bundle, but system bundle was never updated → HTTPS calls to custom-CA-protected endpoints still fail ❌

The feature needs to be extended to the Celery worker templates (and potentially mcp-server-deployment.yaml) to be functionally complete for the primary use case (indexing from internal HTTPS sources).
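
A preflight check for the gap described in the comment above, added here as an example (it is not code from the Onyx project or from the PR). It resolves the CA file a Python HTTPS client will actually trust from `REQUESTS_CA_BUNDLE`/`SSL_CERT_FILE` (falling back to certifi or OpenSSL's default path, the behaviour the chart comment refers to), fingerprints every certificate in that bundle, and reports whether the mounted custom CA is among them. The two "containers" at the bottom are simulated with temp files and the PEM payloads are constructed placeholders rather than real X.509 certificates; run `ca_in_effective_bundle(os.environ, "/usr/local/share/ca-certificates/my-ca.crt")` inside each real container to get the same answer for the API server and each Celery worker.

```python
"""Is the custom CA actually in the bundle this Python process will use?

Added example; not part of the Onyx chart or the PR under review.
"""
import base64
import hashlib
import os
import ssl
import tempfile
import textwrap

SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # the path the chart comment points at


def effective_bundle_path(env: dict) -> str:
    """Resolve the CA file a client will verify against.

    requests honours REQUESTS_CA_BUNDLE (then CURL_CA_BUNDLE); httpx and the
    stdlib ssl module honour SSL_CERT_FILE.  With neither set, requests/httpx
    use certifi's bundle and the ssl module uses OpenSSL's compiled-in path.
    """
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE"):
        if env.get(var):
            return env[var]
    try:
        import certifi  # normally present wherever requests/httpx is installed
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile or SYSTEM_BUNDLE


def pem_fingerprints(pem_text: str) -> set:
    """SHA-256 over the DER bytes of every CERTIFICATE block in a PEM file."""
    fingerprints, body, inside = set(), [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside, body = True, []
        elif line == "-----END CERTIFICATE-----" and inside:
            der = base64.b64decode("".join(body))
            fingerprints.add(hashlib.sha256(der).hexdigest())
            inside = False
        elif inside:
            body.append(line)
    return fingerprints


def ca_in_effective_bundle(env: dict, custom_ca_path: str) -> bool:
    """True iff every certificate in custom_ca_path is in the resolved bundle."""
    bundle = effective_bundle_path(env)
    if not os.path.exists(bundle):
        return False  # env var points at a file that was never written
    with open(bundle) as f:
        trusted = pem_fingerprints(f.read())
    with open(custom_ca_path) as f:
        wanted = pem_fingerprints(f.read())
    return bool(wanted) and wanted <= trusted


def _fake_pem(der: bytes) -> str:
    """Constructed test data: wraps arbitrary bytes as a PEM CERTIFICATE block.
    Good enough for fingerprint comparison; a real check would also do
    ssl.create_default_context(cafile=path) to confirm OpenSSL parses it."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


DISTRO_CAS = _fake_pem(b"constructed distro root 1") + _fake_pem(b"constructed distro root 2")
CUSTOM_CA = _fake_pem(b"constructed internal corp root")


def simulate_containers() -> dict:
    """Two containers from the same image with the same env vars; only the API
    container ran update-ca-certificates, so only its system bundle carries the
    custom CA.  Returns {container_name: custom CA present?}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        custom = os.path.join(tmp, "my-ca.crt")  # stands in for the mounted .crt
        with open(custom, "w") as f:
            f.write(CUSTOM_CA)
        for name, ran_update in (("api", True), ("celery-worker-primary", False)):
            bundle = os.path.join(tmp, f"{name}-ca-certificates.crt")
            with open(bundle, "w") as f:
                f.write(DISTRO_CAS + (CUSTOM_CA if ran_update else ""))
            env = {"REQUESTS_CA_BUNDLE": bundle, "SSL_CERT_FILE": bundle}
            results[name] = ca_in_effective_bundle(env, custom)
    return results


if __name__ == "__main__":
    for container, present in simulate_containers().items():
        print(f"{container}: custom CA {'present' if present else 'MISSING'} in effective bundle")
```

The simulation returns `{"api": True, "celery-worker-primary": False}`, which is exactly the split the comment describes: same env vars, same image, different bundle contents. Because the check compares fingerprints rather than file paths, it also catches the case where the env var points at a bundle that exists but was never regenerated.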


alembic upgrade head &&
echo "Starting Onyx Api Server" &&
uvicorn onyx.main:app --host {{ .Values.global.host }} --port {{ .Values.api.containerPorts.server }}
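Review bot: Placing `update-ca-certificates &&` inside the API container's `/bin/sh -c` startup script (lines 70-72) means the uvicorn process itself must run as root, which values.yaml acknowledges with `runAsUser: 0`; that keeps the whole API server privileged for the lifetime of the pod just to rewrite `/etc/ssl/certs/ca-certificates.crt` once at boot. Consider doing the merge in an initContainer that runs as root and writes the regenerated bundle into an emptyDir mounted at `/etc/ssl/certs` (or at whatever path `SSL_CERT_FILE` is pointed at), so the main container can keep a non-root securityContext. The `{{- if }}`/`{{- end }}` trimming renders the chained command correctly in both states, and the `&&` chain usefully aborts startup when `update-ca-certificates` fails instead of starting the server without the CA.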
12 changes: 12 additions & 0 deletions deployment/helm/charts/onyx/values.yaml
Expand Up @@ -504,6 +504,18 @@ api:
tolerations: []
affinity: {}

# Run update-ca-certificates before starting the server.
# Useful when mounting custom CA certificates via volumes/volumeMounts.
# NOTE: Requires the container to run as root (runAsUser: 0).
# CA certificate files must be mounted under /usr/local/share/ca-certificates/
# with a .crt extension (e.g. /usr/local/share/ca-certificates/my-ca.crt).
# NOTE: Python HTTP clients (requests, httpx) use certifi's bundle by default
# and will not pick up the system CA store automatically. Set the following
# environment variables via configMap values (loaded through envFrom) to make them use the updated system bundle:
# REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt
# SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
runUpdateCaCertificates: false
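Review bot: The comment block documents three preconditions (root, `.crt` files under `/usr/local/share/ca-certificates/`, and the two env vars) but `runUpdateCaCertificates: true` enforces none of them, so a misconfigured deployment either fails at pod start or, worse, starts cleanly with clients still on certifi's bundle and only fails on the first outbound HTTPS call during indexing. Suggest a template `fail` (or at least a NOTES.txt warning) when the option is enabled without the container running as root, and exposing `REQUESTS_CA_BUNDLE`/`SSL_CERT_FILE` as chart-managed env entries on the API container rather than asking users to add them to a configMap by hand. It is also worth saying explicitly that pointing those variables at the system bundle swaps certifi's public roots for the distro's for every outbound connection, not only the custom-CA ones; that is the intended outcome here, but it is a trust-store change users should know they are making.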


######################################################################
#