support custom CA certificate in the chart

Author: yonik-lr

CHANGELOG.md

@@ -226,7 +226,7 @@
 
 
 <a name="v3.24.0"></a>
-## [v3.24.0](https://github.com/lightrun-platform/lightrun-helm-chart/compare/v3.23.7...v3.24.0) - 2025-08-11
+## [v3.24.0](https://github.com/lightrun-platform/lightrun-helm-chart/compare/v3.23.8...v3.24.0) - 2025-08-11
 
 
 
@@ -266,6 +266,40 @@
 
 
 
+<a name="v3.23.8"></a>
+## [v3.23.8](https://github.com/lightrun-platform/lightrun-helm-chart/compare/v3.23.7...v3.23.8) - 2025-09-17
+
+
+
+### Versions
+
+| Image         | Tag                          |
+|---------------|------------------------------|
+| artifacts     | 1.64.6-release.d47d361a70    |
+| backend       | 1.64.6-release.d47d361a70    |
+| crons         | 1.64.6-release.d47d361a70    |
+| data_streamer | 4.56.0-alpine-3.22.0-r0.lr-0 |
+| frontend      | 1.64.6-release.d47d361a70    |
+| keycloak      | 1.64.6-release.d47d361a70    |
+| mysql         | 8.0.38                       |
+| rabbitmq      | 4.0.9-alpine-3.22.0-r0.lr-0  |
+| redis         | 7.2.10-alpine-3.22.0-r0.lr-1 |
+| router        | 1.28.0-alpine-3.22.0-r0.lr-1 |
+ 
+ 
+
+
+### Fixed (1 change)
+
+- [`router`-and-`chart-helper`-tags-to-resolve-CVE (#136) (#137)](https://github.com/lightrun-platform/lightrun-helm-chart/commit/53d29f5)
+ 
+ 
+ 
+ 
+
+ 
+
+
 <a name="v3.23.7"></a>
 ## [v3.23.7](https://github.com/lightrun-platform/lightrun-helm-chart/compare/v3.23.6...v3.23.7) - 2025-09-11
 

chart/templates/helpers/_helpers.tpl

@@ -460,7 +460,6 @@ Usage:
 {{- end -}}
 {{- end -}}
 
-
 {{- define "secrets.certificate.name" -}}
 {{- if .Values.certificate.existing_cert -}}
 {{ .Values.certificate.existing_cert }}
@@ -509,6 +508,10 @@ Usage:
 {{- end -}}
 {{- end -}}
 
+{{- define "secrets.custom_ca_certificate.name" -}}
+{{ include "lightrun.fullname" . }}-custom-ca-certificate
+{{- end -}}
+
 
 {{/*
 #####################
@@ -898,5 +901,3 @@ Usage: {{ include "lightrun.datadogAnnotations" (dict "serviceName" "lightrun-be
           }
 {{- end }}
 {{- end }}
-
-

chart/templates/keycloak-statefulset.yaml

@@ -112,6 +112,7 @@ spec:
                     .Values.general.internal_tls.enabled
                     .Values.deployments.keycloak.extraVolumeMounts
                     .Values.deployments.keycloak.asyncProfiler.enabled
+                    .Values.secrets.customCaCertificate
           }}
           volumeMounts:
           {{- include "lightrun-keycloak.volumeMounts.asyncProfiler" . | nindent 12 }}
@@ -127,6 +128,11 @@ spec:
               mountPath: /opt
               subPath: opt
           {{- end }}
+          {{- if .Values.secrets.customCaCertificate }}
+            - name: custom-ca-certificate
+              mountPath: /opt/keycloak/conf/truststores
+              readOnly: true
+          {{- end }}
           {{- if .Values.general.internal_tls.enabled }}
             - name: internal-cert
               mountPath: /etc/x509/https/
@@ -356,6 +362,7 @@ spec:
                 .Values.general.internal_tls.enabled
                 .Values.deployments.keycloak.extraVolumes
                 .Values.deployments.keycloak.asyncProfiler.enabled
+                .Values.secrets.customCaCertificate
       }}
       volumes:
       {{- include "lightrun-keycloak.volumes.asyncProfiler" . | nindent 8 }}
@@ -368,6 +375,11 @@ spec:
           emptyDir:
             sizeLimit: {{ .Values.general.readOnlyRootFilesystem_tmpfs_sizeLimit  }}
         {{ end }}
+        {{- if .Values.secrets.customCaCertificate }}
+        - name: custom-ca-certificate
+          secret:
+            secretName: {{ include "secrets.custom_ca_certificate.name" . }}
+        {{ end }}
         {{- if .Values.general.internal_tls.enabled }}
         - name: internal-cert
           secret:

chart/templates/secrets.yaml

@@ -89,5 +89,15 @@ stringData:
   KEYCLOAK_USER: admin
   KEYCLOAK_PASSWORD: {{ .Values.secrets.keycloak.password | quote }}
   DB_USER: {{ .Values.secrets.db.user | quote }}
-  DB_PASSWORD: {{ .Values.secrets.db.password | quote}}
+  DB_PASSWORD: {{ .Values.secrets.db.password | quote }}
+---
+{{ if .Values.secrets.customCaCertificate }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ include "secrets.custom_ca_certificate.name" . }}
+type: Opaque
+data:
+  custom-ca.pem: {{ .Values.secrets.customCaCertificate }}
+{{ end }}
 {{ end }}

chart/values.yaml

@@ -478,6 +478,7 @@ secrets:
     # redis authentication.
     # requires to enable auth in deployments.redis.auth.enabled by set to true
     password: ""
+  customCaCertificate: ""
   license:
     content: ""
     signature: ""
@@ -617,17 +618,17 @@ deployments:
       wait_for_keycloak:
         image:
           repository: lightruncom/chart-helper
-          tag: "0.3.0-alpine-3.22.0-r0.lr-0"
+          tag: "0.3.0-alpine-3.22.0-r0.lr-1"
           pullPolicy: ""
       p12_creator:
         image:
           repository: lightruncom/chart-helper
-          tag: "0.3.0-alpine-3.22.0-r0.lr-0"
+          tag: "0.3.0-alpine-3.22.0-r0.lr-1"
           pullPolicy: ""
       wait_for_rabbitmq:
         image:
           repository: lightruncom/chart-helper
-          tag: "0.3.0-alpine-3.22.0-r0.lr-0"
+          tag: "0.3.0-alpine-3.22.0-r0.lr-1"
           pullPolicy: ""
     podDisruptionBudget: {} # [minAvailable|maxUnavailable] either integer or percentage
     topologySpreadConstraints: []
@@ -771,12 +772,12 @@ deployments:
       cluster_cert:
         image:
           repository: lightruncom/chart-helper
-          tag: "0.3.0-alpine-3.22.0-r0.lr-0"
+          tag: "0.3.0-alpine-3.22.0-r0.lr-1"
           pullPolicy: ""
       wait_for_rabbitmq:
         image:
           repository: lightruncom/chart-helper
-          tag: "0.3.0-alpine-3.22.0-r0.lr-0"
+          tag: "0.3.0-alpine-3.22.0-r0.lr-1"
           pullPolicy: ""          
     topologySpreadConstraints: []
     affinity: {}
@@ -938,7 +939,7 @@ deployments:
           memory: 128Mi
         image:
           repository: lightruncom/chart-helper
-          tag: "0.3.0-alpine-3.22.0-r0.lr-0"
+          tag: "0.3.0-alpine-3.22.0-r0.lr-1"
           pullPolicy: ""
     # EmptyDir is used for rabbitmq data when mq.storage is set to 0
     emptyDir:
@@ -1061,7 +1062,7 @@ deployments:
       maxReplicas: 5
     image:
       repository: lightruncom/router
-      tag: "1.28.0-alpine-3.22.0-r0.lr-0"
+      tag: "1.28.0-alpine-3.22.0-r0.lr-1"
       pullPolicy: IfNotPresent
     podSecurityContext: {}
     containerSecurityContext: {}

docs/installation/versions_mapping.md

@@ -8,6 +8,7 @@
 | 3.25.0        | 1.66.0-release.4f92d4c5d0 |
 | 3.24.1        | 1.65.1-release.3b872fa607 |
 | 3.24.0        | 1.65.0-release.dbbc13e864 |
+| 3.23.8        | 1.64.6-release.d47d361a70 |
 | 3.23.7        | 1.64.5-release.60958a9009 |
 | 3.23.6        | 1.64.4-release.4d96a911d1 |
 | 3.23.5        | 1.64.4-release.4d96a911d1 |