diff --git a/valkey/templates/_helpers.tpl b/valkey/templates/_helpers.tpl
index 593cf77c..b3240a70 100644
--- a/valkey/templates/_helpers.tpl
+++ b/valkey/templates/_helpers.tpl
@@ -188,3 +188,13 @@ Validate replica authentication configuration
 {{- end }}
 {{- end -}}
+{{/*
+Which caFile to use
+*/}}
+{{- define "valkey.caFile" -}}
+{{- if .Values.tls.alternativeClientCa }}
+{{- .Values.tls.alternativeClientCa }}
+{{- else }}
+{{- printf "/tls/%s" .Values.tls.caPublicKey }}
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/valkey/templates/deploy_valkey.yaml b/valkey/templates/deploy_valkey.yaml
index 7bc9a5a8..29a29f51 100644
--- a/valkey/templates/deploy_valkey.yaml
+++ b/valkey/templates/deploy_valkey.yaml
@@ -119,14 +119,14 @@ spec:
 startupProbe:
 exec:
 {{- if .Values.tls.enabled }}
- command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+ command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ]
 {{- else }}
 command: [ "sh", "-c", "valkey-cli ping" ]
 {{- end }}
 livenessProbe:
 exec:
 {{- if .Values.tls.enabled }}
- command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+ command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ]
 {{- else }}
 command: [ "sh", "-c", "valkey-cli ping" ]
 {{- end }}
diff --git a/valkey/templates/statefulset.yaml b/valkey/templates/statefulset.yaml
index 4a8d4caa..5232a802 100644
--- a/valkey/templates/statefulset.yaml
+++ b/valkey/templates/statefulset.yaml
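Review bot: The doc comment `Which caFile to use` on `valkey.caFile` does not state the helper's contract, which matters because the result is pasted into shell commands by the other templates in this commit. I would replace it with something like `Path of the CA file passed to valkey-cli --cacert: tls.alternativeClientCa when set, otherwise /tls/<tls.caPublicKey>. Returned as-is, without validation or quoting.` The file also now ends without a trailing newline (`\ No newline at end of file`), which is worth fixing in the same commit.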
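Review bot: The output of `valkey.caFile` is spliced unquoted into the `sh -c` string of both probes, so an `alternativeClientCa` value containing whitespace or shell metacharacters changes the command that runs in the container instead of only the file path. As far as the visible command goes the probe needs no shell features, so exec form would avoid the shell entirely: `command: ["valkey-cli", "--cacert", {{ include "valkey.caFile" . | quote }}, "--tls", "ping"]`. The same unquoted substitution appears in the statefulset.yaml probes and in the two `TLS_FLAGS=` assignments in tests/auth.yaml; the latter are inside a shell script and need the path quoted at the point of use instead.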
@@ -136,14 +136,14 @@ spec:
 startupProbe:
 exec:
 {{- if .Values.tls.enabled }}
- command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+ command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ]
 {{- else }}
 command: [ "sh", "-c", "valkey-cli ping" ]
 {{- end }}
 livenessProbe:
 exec:
 {{- if .Values.tls.enabled }}
- command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+ command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ]
 {{- else }}
 command: [ "sh", "-c", "valkey-cli ping" ]
 {{- end }}
diff --git a/valkey/templates/tests/auth.yaml b/valkey/templates/tests/auth.yaml
index b289bb98..a3a1e74d 100644
--- a/valkey/templates/tests/auth.yaml
+++ b/valkey/templates/tests/auth.yaml
@@ -35,7 +35,7 @@ spec:
 {{- if .Values.tls.enabled }}
 # TLS flags
- TLS_FLAGS="--tls --cacert /tls/{{ .Values.tls.caPublicKey }}"
+ TLS_FLAGS="--tls --cacert {{ include "valkey.caFile" . }}"
 {{- else }}
 TLS_FLAGS=""
 {{- end }}
@@ -107,7 +107,7 @@ spec:
 {{- if .Values.tls.enabled }}
 # TLS flags
- TLS_FLAGS="--tls --cacert /tls/{{ .Values.tls.caPublicKey }}"
+ TLS_FLAGS="--tls --cacert {{ include "valkey.caFile" . }}"
 {{- else }}
 TLS_FLAGS=""
 {{- end }}
diff --git a/valkey/values.schema.json b/valkey/values.schema.json
index 5db0f4ac..1717e000 100644
--- a/valkey/values.schema.json
+++ b/valkey/values.schema.json
@@ -519,6 +519,9 @@
 "caPublicKey": {
 "type": "string"
 },
+ "alternativeClientCa": {
+ "type": "string"
+ },
 "dhParamKey": {
 "type": "string"
 },
diff --git a/valkey/values.yaml b/valkey/values.yaml
index 20e00b62..6d88e332 100644
--- a/valkey/values.yaml
+++ b/valkey/values.yaml
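Review bot: The new `alternativeClientCa` property accepts any string, although values.yaml documents it as an absolute path and the templates in this commit paste it into shell commands. Constraining it in the schema would reject a malformed value at install time instead of at probe time, for example by adding `"pattern": "^(/[A-Za-z0-9._/-]+)?$"` next to `"type": "string"`; the optional group keeps the empty default valid. The enclosing `tls` object starts and ends outside this hunk, so any `additionalProperties` or `required` settings there are not visible here.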
@@ -275,6 +275,9 @@ tls:
 serverKey: server.key
 # Secret key name containing Certificate Authority public certificate
 caPublicKey: ca.crt
+ # in case the caPublicKey does not work for the client (e.g. valkey-cli), you can set an alternative CA cert as an absolute path here.
+ # Useful e.g. for trust-manager in combination with cert-manager-generated ACME certs.
+ alternativeClientCa: ""
 # Secret key name containing DH parameters (optional)
 dhParamKey: ""
 # Require that clients authenticate with a certificate
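Review bot: The comment on `alternativeClientCa` does not say what the setting actually affects or who has to provide the file. In this commit the value is consumed only by `valkey-cli --cacert` in the probes and the chart test pods, and nothing visible mounts a file at that path, so presumably the operator must make it available inside the container. It would also help to note that the probes then trust every CA in the referenced bundle, which is broader than the single CA in `caPublicKey` when a shared trust bundle is used. A suggested addition: `# Only affects valkey-cli in probes and chart tests; the file must already exist at this path inside the container.`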