lightrun-platform · yonik-lr · Sep 25, 2025 · Sep 16, 2025 · Sep 18, 2025 · Sep 21, 2025
diff --git a/.pipelines/helm-chart-validation.yml b/.pipelines/helm-chart-validation.yml
@@ -70,6 +70,8 @@ steps:
         password: test123
       redis:
         password: test123
+      customCa:
+        customCaCertificate: $(CUSTOM_CA_CERTIFICATE)
       defaults:
         dockerhub_config:
           configContent: $(DOCKERHUB_CONFIG)
@@ -172,6 +174,27 @@ steps:
     fi
   displayName: 'Validate Templates'
 
+- script: |
+    set -euo pipefail
+
+    echo "Verifying Keycloak custom CA volume mount in Helm template"
+
+    # Redirect output to file
+    helm template $(RELEASE_NAME) $(CHART_PATH) -f values.yaml --namespace $(NAMESPACE) > template_output.yaml 2>&1
+
+    KEYCLOAK_CONTAINER="${RELEASE_NAME}-keycloak"
+
+    # Extract volume mounts for container $(RELEASE_NAME)-keycloak from the rendered template file
+    VOLUME_MOUNTS=$(yq e ".spec.template.spec.containers[] | select(.name==\"$KEYCLOAK_CONTAINER\") | .volumeMounts[].name" template_output.yaml)
+
+    if echo "$VOLUME_MOUNTS" | grep -q "^custom-ca-certificate$"; then
+      echo "Found 'custom-ca-certificate' volume mount in Helm template as expected"
+    else
+      echo "Missing 'custom-ca-certificate' volume mount in Helm template"
+      exit 1
+    fi
+  displayName: 'Check Keycloak custom CA volume in Helm template'
+
 - script: |
     set -euo pipefail
     kubectl create namespace $(NAMESPACE)

diff --git a/chart/templates/helpers/_helpers.tpl b/chart/templates/helpers/_helpers.tpl
@@ -460,7 +460,6 @@ Usage:
 {{- end -}}
 {{- end -}}
 
-
 {{- define "secrets.certificate.name" -}}
 {{- if .Values.certificate.existing_cert -}}
 {{ .Values.certificate.existing_cert }}
@@ -510,6 +509,30 @@ Usage:
 {{- end -}}
 
 
+{{- define "secrets.custom_ca_certificate.enabled" -}}
+{{- if and .Values.secrets.customCa.customCaCertificate .Values.secrets.customCa.existingCaSecret }}
+  {{- fail "You must set only one of secrets.customCa.customCaCertificate or secrets.customCa.existingCaSecret" }}
+{{- else if and (not (include "secrets.deploy_secrets" .)) .Values.secrets.customCa.customCaCertificate }}
+  {{- fail "deploy_secrets must be true if customCaCertificate is defined" }}
+{{- else if and (include "secrets.deploy_secrets" .) .Values.secrets.customCa.customCaCertificate (not .Values.secrets.customCa.existingCaSecret) }}
+true
+{{- else if and .Values.secrets.customCa.existingCaSecret (not .Values.secrets.customCa.customCaCertificate) }}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+
+
+{{- define "secrets.custom_ca_certificate.name" -}}
+{{- if .Values.secrets.customCa.existingCaSecret -}}
+{{ .Values.secrets.customCa.existingCaSecret }}
+{{- else -}}
+{{ include "lightrun.fullname" . }}-custom-ca-certificate
+{{- end -}}
+{{- end -}}
+
+
 {{/*
 #####################
 ### JVM Heap size ###
@@ -898,5 +921,3 @@ Usage: {{ include "lightrun.datadogAnnotations" (dict "serviceName" "lightrun-be
           }
 {{- end }}
 {{- end }}
-
-
diff --git a/chart/templates/keycloak-statefulset.yaml b/chart/templates/keycloak-statefulset.yaml
@@ -112,6 +112,7 @@ spec:
                     .Values.general.internal_tls.enabled
                     .Values.deployments.keycloak.extraVolumeMounts
                     .Values.deployments.keycloak.asyncProfiler.enabled
+                    (include "secrets.custom_ca_certificate.enabled" . | trim | eq "true")
           }}
           volumeMounts:
           {{- include "lightrun-keycloak.volumeMounts.asyncProfiler" . | nindent 12 }}
@@ -127,6 +128,11 @@ spec:
               mountPath: /opt
               subPath: opt
           {{- end }}
+          {{- if (include "secrets.custom_ca_certificate.enabled" . | trim | eq "true") }}
+            - name: custom-ca-certificate
+              mountPath: /opt/keycloak/conf/truststores
+              readOnly: true
+          {{- end }}
           {{- if .Values.general.internal_tls.enabled }}
             - name: internal-cert
               mountPath: /etc/x509/https/
@@ -356,6 +362,7 @@ spec:
                 .Values.general.internal_tls.enabled
                 .Values.deployments.keycloak.extraVolumes
                 .Values.deployments.keycloak.asyncProfiler.enabled
+                (include "secrets.custom_ca_certificate.enabled" . | trim | eq "true")
       }}
       volumes:
       {{- include "lightrun-keycloak.volumes.asyncProfiler" . | nindent 8 }}
@@ -368,6 +375,11 @@ spec:
           emptyDir:
             sizeLimit: {{ .Values.general.readOnlyRootFilesystem_tmpfs_sizeLimit  }}
         {{ end }}
+        {{- if (include "secrets.custom_ca_certificate.enabled" . | trim | eq "true") }}
+        - name: custom-ca-certificate
+          secret:
+            secretName: {{ include "secrets.custom_ca_certificate.name" . }}
+        {{ end }}
         {{- if .Values.general.internal_tls.enabled }}
         - name: internal-cert
           secret:

diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml
@@ -89,5 +89,15 @@ stringData:
   KEYCLOAK_USER: admin
   KEYCLOAK_PASSWORD: {{ .Values.secrets.keycloak.password | quote }}
   DB_USER: {{ .Values.secrets.db.user | quote }}
-  DB_PASSWORD: {{ .Values.secrets.db.password | quote}}
+  DB_PASSWORD: {{ .Values.secrets.db.password | quote }}
+---
+{{- if and .Values.secrets.customCa.customCaCertificate (not .Values.secrets.customCa.existingCaSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "secrets.custom_ca_certificate.name" . }}
+type: Opaque
+data:
+  custom-ca.pem: {{ .Values.secrets.customCa.customCaCertificate }}
+{{ end }}
 {{ end }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -478,6 +478,12 @@ secrets:
     # redis authentication.
     # requires to enable auth in deployments.redis.auth.enabled by set to true
     password: ""
+  customCa:
+    # Optional | If empty, will not be used
+    # Only *one* of `customCaCertificate` and `existingCaSecret` can be set at a time:
+    # Setting both will cause Helm to fail during rendering.
+    customCaCertificate: "" # Base64-encoded CA certificate content.
+    existingCaSecret: "" # Name of an existing Kubernetes secret containing the CA certificate.
   license:
     content: ""
     signature: ""

diff --git a/docs/advanced/custom_ca_certificate.md b/docs/advanced/custom_ca_certificate.md
@@ -0,0 +1,42 @@
+# Custom CA Certificate
+
+
+The `customCa` block allows you to provide a custom Certificate Authority (CA) certificate to the application. This is optional — if no values are provided, no custom CA will be used.
+
+> [!NOTE]
+> The certificate is loaded by Keycloak and required when using LDAP integration with a custom CA certificate.
+
+
+```yaml
+secrets:
+  customCa:
+    customCaCertificate: "" # Base64-encoded CA certificate content.
+    existingCaSecret: "" # Name of an existing Kubernetes secret containing the CA certificate.
+```
+
+### Option 1: Provide the CA certificate directly
+
+Use `customCaCertificate` to provide the base64-encoded content of your CA certificate.
+A new Kubernetes Secret will be automatically created by the Helm chart.
+
+`existingCaSecret` must not be set.
+
+```yaml
+secrets:
+  customCa:
+    customCaCertificate: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t..."
+```
+
+### Option 2: Use an existing Kubernetes Secret
+
+Use `existingCaSecret` to reference an existing secret that contains your CA certificate. The secret key must be base64 encoded.
+
+`customCaCertificate` must not be set.
+
+
+```yaml
+secrets:
+  customCa:
+    existingCaSecret: "<my-custom-ca-secret>"
+```
+