2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -10,6 +10,8 @@ Chart.lock
**/secrets.yml
values-local.yaml
values-local.yml
values-*.yaml
values-*.yml

# Helm output and temporary files
*.tmp
1 change: 1 addition & 0 deletions braintrust/README.md
Expand Up @@ -14,6 +14,7 @@ The `braintrust-secrets` secret must contain the following keys:
| `PG_URL` | PostgreSQL connection URL | `postgres://<username>:<password>@<host>:<port>/<database>` (append `?sslmode=require` if using TLS) |
| `BRAINSTORE_LICENSE_KEY` | Brainstore license key | Valid Brainstore license key from the Braintrust Data Plane settings page |
| `FUNCTION_SECRET_KEY` | Random string for encrypting function secrets | Random string |
| `CA_PEM` | Custom TLS CA bundle | Full PEM bundle as a multiline string (BEGIN/END blocks). Only required if `customTLSCABundle: true`. |
| `AZURE_STORAGE_CONNECTION_STRING` | Azure storage connection string | Valid Azure storage connection string (only required if `cloud` is `azure`) |
| `GCS_ACCESS_KEY_ID` | Google HMAC Access ID string | Valid S3 API Key Id (only required if `cloud` is `google`) |
| `GCS_SECRET_ACCESS_KEY` | Google HMAC Secret string | Valid S3 Secret string (only required if `cloud` is `google`) |
39 changes: 37 additions & 2 deletions braintrust/templates/api-deployment.yaml
Expand Up @@ -43,6 +43,10 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ .Values.api.serviceAccount.name }}
{{- with .Values.api.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.api.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
Expand All @@ -59,6 +63,10 @@ spec:
- name: api
image: "{{ .Values.api.image.repository }}:{{ .Values.api.image.tag }}"
imagePullPolicy: {{ .Values.api.image.pullPolicy }}
{{- with .Values.api.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- containerPort: {{ .Values.api.service.port }}
resources:
Expand Down Expand Up @@ -121,19 +129,46 @@ spec:
{{- if .Values.api.extraEnvVars }}
{{- toYaml .Values.api.extraEnvVars | nindent 12 }}
{{- end }}
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
{{- if .Values.realtime.enabled }}
- name: REALTIME_URL
value: "http://{{ .Values.realtime.service.name | default .Values.realtime.name }}:{{ .Values.realtime.service.port }}"
{{- end }}
{{- if .Values.customTLSCABundle }}
- name: NODE_EXTRA_CA_CERTS
value: "/etc/braintrust/tls/ca-bundle.pem"
{{- end }}
{{- if or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }}
volumeMounts:
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
{{- end }}
{{- if .Values.customTLSCABundle }}
- name: tls-ca
mountPath: "/etc/braintrust/tls"
readOnly: true
{{- end }}
{{- end }}
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
{{- if or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }}
volumes:
{{- if .Values.customTLSCABundle }}
- name: tls-ca
projected:
sources:
- secret:
name: "braintrust-secrets"
items:
- key: "CA_PEM"
path: "ca-bundle.pem"
{{- end }}
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver }}
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: {{ .Values.azure.keyVaultName }}
{{- end }}
{{- end }}
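Review bot: The guard `or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle` is written out twice, once above `volumeMounts:` and once above `volumes:`, so the next mount added under one copy can silently miss the other and yield a mount with no backing volume (a pod that never leaves ContainerCreating). I'd evaluate it once at the top of the hunk, `{{- $extraVolumes := or (and (eq .Values.cloud "azure") .Values.azure.enableAzureKeyVaultDriver) .Values.customTLSCABundle }}`, and use `{{- if $extraVolumes }}` for both blocks. The projected `tls-ca` volume selecting only the `CA_PEM` item is the right shape, since the rest of `braintrust-secrets` (`PG_URL`, `FUNCTION_SECRET_KEY`) never reaches the filesystem; note that without `optional: true` a missing `CA_PEM` key blocks pod creation, which is acceptable fail-closed behaviour provided the values documentation says so. The container spec this hunk sits in starts outside the hunk.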

27 changes: 27 additions & 0 deletions braintrust/templates/brainstore-reader-deployment.yaml
Expand Up @@ -43,6 +43,10 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ .Values.brainstore.serviceAccount.name }}
{{- with .Values.brainstore.reader.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.brainstore.reader.nodeSelector (and (eq .Values.cloud "google") (eq .Values.google.mode "autopilot")) }}
nodeSelector:
{{- with .Values.brainstore.reader.nodeSelector }}
Expand All @@ -66,6 +70,10 @@ spec:
- name: brainstore-reader
image: "{{ .Values.brainstore.image.repository }}:{{ .Values.brainstore.image.tag }}"
imagePullPolicy: {{ .Values.brainstore.image.pullPolicy }}
{{- with .Values.brainstore.reader.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
command: ["brainstore"]
args: ["web"]
ports:
Expand Down Expand Up @@ -127,6 +135,10 @@ spec:
{{- if .Values.brainstore.reader.extraEnvVars }}
{{- toYaml .Values.brainstore.reader.extraEnvVars | nindent 12 }}
{{- end }}
{{- if .Values.customTLSCABundle }}
- name: SSL_CERT_FILE
value: "/etc/braintrust/tls/ca-bundle.pem"
P1 Badge Avoid replacing default CAs when enabling custom TLS bundle (reader)

When customTLSCABundle is enabled the reader container sets SSL_CERT_FILE to /etc/braintrust/tls/ca-bundle.pem. In Go/OpenSSL this variable replaces the entire trust store rather than augmenting it, so the reader will stop trusting system CAs and will fail on connections to services using public certificates (e.g., S3/GCS) once the feature is turned on. The values comments describe the feature as appending custom CAs, so this implementation likely breaks that use case. Consider concatenating the custom bundle with the system CA file or using SSL_CERT_DIR so defaults remain available.

Useful? React with 👍 / 👎.

{{- end }}
volumeMounts:
- name: cache-volume
mountPath: {{ .Values.brainstore.reader.cacheDir }}
Expand All @@ -135,6 +147,11 @@ spec:
mountPath: "/mnt/secrets-store"
readOnly: true
{{- end }}
{{- if .Values.customTLSCABundle }}
- name: tls-ca
mountPath: "/etc/braintrust/tls"
readOnly: true
{{- end }}
volumes:
- name: cache-volume
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureContainerStorageDriver }}
Expand All @@ -158,3 +175,13 @@ spec:
volumeAttributes:
secretProviderClass: {{ .Values.azure.keyVaultName }}
{{- end }}
{{- if .Values.customTLSCABundle }}
- name: tls-ca
projected:
sources:
- secret:
name: "braintrust-secrets"
items:
- key: "CA_PEM"
path: "ca-bundle.pem"
{{- end }}
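Review bot: The `tls-ca` projected volume and its `/etc/braintrust/tls` mount are pasted verbatim into the reader, writer and api deployments, each with the secret name `braintrust-secrets` and key `CA_PEM` hard-coded, so a later change (making the secret name configurable, adding `defaultMode`) has to be made three times and will drift. Move the two snippets into `_helpers.tpl` as named templates and include them, e.g. `{{- include "braintrust.tlsCaVolume" . | nindent 8 }}` under `volumes:` and `{{- include "braintrust.tlsCaVolumeMount" . | nindent 12 }}` under `volumeMounts:`. The mount being `readOnly: true` is correct and should survive the refactor. The enclosing container spec and pod spec begin outside this hunk.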
27 changes: 27 additions & 0 deletions braintrust/templates/brainstore-writer-deployment.yaml
Expand Up @@ -43,6 +43,10 @@ spec:
{{- end }}
spec:
serviceAccountName: {{ .Values.brainstore.serviceAccount.name }}
{{- with .Values.brainstore.writer.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.brainstore.writer.nodeSelector (and (eq .Values.cloud "google") (eq .Values.google.mode "autopilot")) }}
nodeSelector:
{{- with .Values.brainstore.writer.nodeSelector }}
Expand All @@ -66,6 +70,10 @@ spec:
- name: brainstore-writer
image: "{{ .Values.brainstore.image.repository }}:{{ .Values.brainstore.image.tag }}"
imagePullPolicy: {{ .Values.brainstore.image.pullPolicy }}
{{- with .Values.brainstore.writer.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
command: ["brainstore"]
args: ["web"]
ports:
Expand Down Expand Up @@ -127,6 +135,10 @@ spec:
{{- if .Values.brainstore.writer.extraEnvVars }}
{{- toYaml .Values.brainstore.writer.extraEnvVars | nindent 12 }}
{{- end }}
{{- if .Values.customTLSCABundle }}
- name: SSL_CERT_FILE
value: "/etc/braintrust/tls/ca-bundle.pem"
P1 Badge Avoid replacing default CAs when enabling custom TLS bundle (writer)

The writer deployment applies the same SSL_CERT_FILE override. Setting this variable points Go to use only /etc/braintrust/tls/ca-bundle.pem, dropping every system CA and causing outbound TLS to public endpoints to fail whenever customTLSCABundle is enabled. This contradicts the feature description that custom certificates are appended to the default trust. A safer approach would be to merge the custom bundle with the system bundle or load it via SSL_CERT_DIR instead of replacing the file.

Useful? React with 👍 / 👎.

{{- end }}
volumeMounts:
- name: cache-volume
mountPath: {{ .Values.brainstore.writer.cacheDir }}
Expand All @@ -135,6 +147,11 @@ spec:
mountPath: "/mnt/secrets-store"
readOnly: true
{{- end }}
{{- if .Values.customTLSCABundle }}
- name: tls-ca
mountPath: "/etc/braintrust/tls"
readOnly: true
{{- end }}
volumes:
- name: cache-volume
{{- if and (eq .Values.cloud "azure") .Values.azure.enableAzureContainerStorageDriver }}
Expand All @@ -158,3 +175,13 @@ spec:
volumeAttributes:
secretProviderClass: {{ .Values.azure.keyVaultName }}
{{- end }}
{{- if .Values.customTLSCABundle }}
- name: tls-ca
projected:
sources:
- secret:
name: "braintrust-secrets"
items:
- key: "CA_PEM"
path: "ca-bundle.pem"
{{- end }}
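Review bot: The `tls-ca` projected volume names the `CA_PEM` item without `optional: true`, so once `customTLSCABundle` is enabled a `braintrust-secrets` secret lacking that key stops the writer pod from being created (kubelet reports a non-existent secret key and the pod stays in ContainerCreating). That is the right fail-closed default for a trust anchor, but nothing in this diff documents it — the README row says only "Only required if customTLSCABundle: true". I'd add to the `customTLSCABundle` entry in values.yaml (not visible in this diff) a comment such as `# When true, braintrust-secrets must contain CA_PEM; the api and brainstore pods will not start without it.` The pod spec this hunk belongs to starts outside the hunk.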
69 changes: 69 additions & 0 deletions braintrust/templates/realtime-deployment.yaml
@@ -0,0 +1,69 @@
{{- if .Values.realtime.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.realtime.name }}
namespace: {{ include "braintrust.namespace" . }}
{{- with (merge .Values.global.labels .Values.realtime.labels) }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.realtime.annotations.deployment }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.realtime.replicas }}
selector:
matchLabels:
app: {{ .Values.realtime.name }}
template:
metadata:
labels:
app: {{ .Values.realtime.name }}
{{- with (merge .Values.global.labels .Values.realtime.labels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
annotations:
{{- with .Values.realtime.annotations.pod }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.realtime.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.realtime.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.realtime.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.realtime.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: realtime
image: "{{ .Values.realtime.image.repository }}:{{ .Values.realtime.image.tag }}"
imagePullPolicy: {{ .Values.realtime.image.pullPolicy }}
{{- with .Values.realtime.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- containerPort: {{ .Values.realtime.service.port }}
resources:
{{- toYaml .Values.realtime.resources | nindent 12 }}
env:
- name: REDIS_URL
valueFrom:
secretKeyRef:
name: braintrust-secrets
key: REDIS_URL
{{- if .Values.realtime.extraEnvVars }}
{{- toYaml .Values.realtime.extraEnvVars | nindent 12 }}
{{- end }}
{{- end }}
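Review bot: The new realtime pod sets neither `serviceAccountName` nor `automountServiceAccountToken`, so unlike the api and brainstore deployments it runs under the namespace `default` service account with that account's token mounted into the container — a credential the container's visible configuration (a Redis URL and a port) gives no reason to hold. Add `automountServiceAccountToken: false` directly under the pod `spec:`, or introduce `realtime.serviceAccount.name` and render `serviceAccountName: {{ .Values.realtime.serviceAccount.name }}` the way the other templates do. The container also defines no liveness or readiness probe, so a wedged realtime process keeps receiving connections from the new Service; probes against `{{ .Values.realtime.service.port }}` would close that gap. The `REDIS_URL` key is read from `braintrust-secrets`, and I cannot see from the README hunk whether that key is listed in the secret table, so worth confirming.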
24 changes: 24 additions & 0 deletions braintrust/templates/realtime-service.yaml
@@ -0,0 +1,24 @@
{{- if .Values.realtime.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.realtime.service.name | default .Values.realtime.name }}
namespace: {{ include "braintrust.namespace" . }}
{{- with (merge .Values.global.labels .Values.realtime.labels) }}
labels:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.realtime.annotations.service }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
app: {{ .Values.realtime.name }}
ports:
- name: {{ .Values.realtime.service.portName }}
protocol: TCP
port: {{ .Values.realtime.service.port }}
targetPort: {{ .Values.realtime.service.port }}
type: {{ .Values.realtime.service.type }}
{{- end }}
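Review bot: `name: {{ .Values.realtime.service.portName }}` and `type: {{ .Values.realtime.service.type }}` are rendered unquoted, so an unset value becomes YAML `null`; for `type` that silently falls back to ClusterIP, while a null port name fails API validation with an unhelpful message. Quote the scalar, `name: "{{ .Values.realtime.service.portName }}"`, or fail at render time with `{{ required "realtime.service.portName is required" .Values.realtime.service.portName }}`. Since the api reaches this service over plain `http://` (see the `REALTIME_URL` value in api-deployment.yaml), a `service.type` default other than ClusterIP would expose an unencrypted endpoint outside the cluster; I cannot see the default in this diff, so the values.yaml comment should state that ClusterIP is the intended setting.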