Helm Security Enhancements #43
Conversation
…#39) * Update Chart version to 2.1.0 * Pull Request Proposal for Braintrust Helm Chart: Redis TLS CA support for API (GCP Memorystore) * update redis tls to be a global setting, enabled only for google, and enabled for brainstore only when locking is set to redis. * add realtime url to api and add redis secret * simplify value and support any cloud * add BRAINSTORE_REDIS_URL (#40) * rename customRedisTLSCABundle to customTLSCABundle * rename --------- Co-authored-by: Braintrust Bot <215900051+braintrust-bot[bot]@users.noreply.github.com> Co-authored-by: Jeff McCollum <jeff@braintrustdata.com> Co-authored-by: Ken Jiang <39507362+knjiang@users.noreply.github.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| {{- if .Values.customTLSCABundle }} | ||
| - name: SSL_CERT_FILE | ||
| value: "/etc/braintrust/tls/ca-bundle.pem" |
There was a problem hiding this comment.
When customTLSCABundle is enabled the reader container sets SSL_CERT_FILE to /etc/braintrust/tls/ca-bundle.pem. In Go/OpenSSL this variable replaces the entire trust store rather than augmenting it, so the reader will stop trusting system CAs and will fail on connections to services using public certificates (e.g., S3/GCS) once the feature is turned on. The values comments describe the feature as appending custom CAs, so this implementation likely breaks that use case. Consider concatenating the custom bundle with the system CA file or using SSL_CERT_DIR so defaults remain available.
Useful? React with 👍 / 👎.
| {{- if .Values.customTLSCABundle }} | ||
| - name: SSL_CERT_FILE | ||
| value: "/etc/braintrust/tls/ca-bundle.pem" |
There was a problem hiding this comment.
The writer deployment applies the same SSL_CERT_FILE override. Setting this variable points Go to use only /etc/braintrust/tls/ca-bundle.pem, dropping every system CA and causing outbound TLS to public endpoints to fail whenever customTLSCABundle is enabled. This contradicts the feature description that custom certificates are appended to the default trust. A safer approach would be to merge the custom bundle with the system bundle or load it via SSL_CERT_DIR instead of replacing the file.
Useful? React with 👍 / 👎.
jeffmccollum
force-pushed
the
jeff/security-enhancements
branch
from
eff44fd to
0d993b5
Compare
This PR adds additional optional security enhancements.
Custom TLS CA Bundle
Pod-level and container-level security contexts.
The Braintrust Realtime service can optionally be deployed. This should only be deployed by customers that are not able to use our hosted Realtime service.