fix/workaround: add value alternativeClientCa

Signed-off-by: Vanessa Gaube <dev@vanessagaube.de>

Author: margau

valkey/templates/deploy_valkey.yaml

@@ -115,14 +115,22 @@ spec:
           startupProbe:
             exec:
               {{- if .Values.tls.enabled }}
+              {{- if .Values.tls.alternativeClientCa }}
+              command: [ "sh", "-c", "valkey-cli --cacert {{ .Values.tls.alternativeClientCa }} --tls ping" ]
+              {{- else }}
               command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+              {{- end }}
               {{- else }}
               command: [ "sh", "-c", "valkey-cli ping" ]
               {{- end }}
           livenessProbe:
             exec:
               {{- if .Values.tls.enabled }}
+              {{- if .Values.tls.alternativeClientCa }}
+              command: [ "sh", "-c", "valkey-cli --cacert {{ .Values.tls.alternativeClientCa }} --tls ping" ]
+              {{- else }}
               command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+              {{- end }}
               {{- else }}
               command: [ "sh", "-c", "valkey-cli ping" ]
               {{- end }}

valkey/templates/statefulset.yaml

@@ -128,14 +128,22 @@ spec:
           startupProbe:
             exec:
               {{- if .Values.tls.enabled }}
+              {{- if .Values.tls.alternativeClientCa }}
+              command: [ "sh", "-c", "valkey-cli --cacert {{ .Values.tls.alternativeClientCa }} --tls ping" ]
+              {{- else }}
               command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+              {{- end }}
               {{- else }}
               command: [ "sh", "-c", "valkey-cli ping" ]
               {{- end }}
           livenessProbe:
             exec:
               {{- if .Values.tls.enabled }}
+              {{- if .Values.tls.alternativeClientCa }}
+              command: [ "sh", "-c", "valkey-cli --cacert {{ .Values.tls.alternativeClientCa }} --tls ping" ]
+              {{- else }}
               command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+              {{- end }}
               {{- else }}
               command: [ "sh", "-c", "valkey-cli ping" ]
               {{- end }}

valkey/templates/tests/auth.yaml

@@ -35,7 +35,11 @@ spec:
 
           {{- if .Values.tls.enabled }}
           # TLS flags
+          {{- if .Values.tls.alternativeClientCa }}
+          TLS_FLAGS="--tls --cacert {{ .Values.tls.alternativeClientCa }}"
+          {{- else }}
           TLS_FLAGS="--tls --cacert /tls/{{ .Values.tls.caPublicKey }}"
+          {{- end }}
           {{- else }}
           TLS_FLAGS=""
           {{- end }}

valkey/values.schema.json

@@ -499,6 +499,9 @@
                 "caPublicKey": {
                     "type": "string"
                 },
+                "alternativeClientCa": {
+                    "type": "string"
+                },
                 "dhParamKey": {
                     "type": "string"
                 },

valkey/values.yaml

@@ -253,6 +253,9 @@ tls:
   serverKey: server.key
   # Secret key name containing Certificate Authority public certificate
   caPublicKey: ca.crt
+  # in case the caPublicKey does not work for the client (e.g. valkey-cli), you can set an alternative CA cert as an absolute path here. 
+  # Useful e.g. for trust-manager in combination with cert-manager-generated ACME certs.
+  alternativeClientCa: ""
   # Secret key name containing DH parameters (optional)
   dhParamKey: ""
   # Require that clients authenticate with a certificate