From 47b46e5d0f3df275e31be91deca600535554f8ae Mon Sep 17 00:00:00 2001 From: Vanessa Gaube Date: Mon, 5 Jan 2026 20:25:26 +0100 Subject: [PATCH] fix/workaround: add value alternativeClientCa Signed-off-by: Vanessa Gaube --- valkey/templates/_helpers.tpl | 10 ++++++++++ valkey/templates/deploy_valkey.yaml | 4 ++-- valkey/templates/statefulset.yaml | 4 ++-- valkey/templates/tests/auth.yaml | 4 ++-- valkey/values.schema.json | 3 +++ valkey/values.yaml | 3 +++ 6 files changed, 22 insertions(+), 6 deletions(-) diff --git a/valkey/templates/_helpers.tpl b/valkey/templates/_helpers.tpl index 593cf77..b3240a7 100644 --- a/valkey/templates/_helpers.tpl +++ b/valkey/templates/_helpers.tpl @@ -188,3 +188,13 @@ Validate replica authentication configuration {{- end }} {{- end -}} +{{/* +Which caFile to use +*/}} +{{- define "valkey.caFile" -}} +{{- if .Values.tls.alternativeClientCa }} +{{- .Values.tls.alternativeClientCa }} +{{- else }} +{{- printf "/tls/%s" .Values.tls.caPublicKey }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/valkey/templates/deploy_valkey.yaml b/valkey/templates/deploy_valkey.yaml index da7cd71..a37cf22 100644 --- a/valkey/templates/deploy_valkey.yaml +++ b/valkey/templates/deploy_valkey.yaml @@ -115,14 +115,14 @@ spec: startupProbe: exec: {{- if .Values.tls.enabled }} - command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ] + command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ] {{- else }} command: [ "sh", "-c", "valkey-cli ping" ] {{- end }} livenessProbe: exec: {{- if .Values.tls.enabled }} - command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ] + command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ] {{- else }} command: [ "sh", "-c", "valkey-cli ping" ] {{- end }} diff --git a/valkey/templates/statefulset.yaml b/valkey/templates/statefulset.yaml index f1eef65..f537119 100644 
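Review bot: `valkey.caFile` returns `.Values.tls.alternativeClientCa` verbatim, and every caller in this patch pastes the result into shell text: the `sh -c` probe strings in deploy_valkey.yaml and statefulset.yaml and the `TLS_FLAGS=` assignment in tests/auth.yaml. A value containing whitespace, a quote or a shell metacharacter therefore changes the command that is run or breaks the rendered YAML, and the values.schema.json hunk accepts any string. Since values.yaml documents the setting as an absolute path, I would enforce that at render time, either on the schema property with `"pattern": "^(/[A-Za-z0-9._-]+)*$"` or inside the helper's first branch with `{{- if not (regexMatch "^/[A-Za-z0-9._/-]+$" .Values.tls.alternativeClientCa) }}{{ fail "tls.alternativeClientCa must be an absolute path" }}{{ end }}`. The file also now ends without a trailing newline.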
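Review bot: Both probes still go through `sh -c`, so the CA path is parsed by a shell although nothing in the visible command needs one. Passing the arguments as an exec array keeps the path a single argv entry whatever it contains: `command: ["valkey-cli", "--cacert", {{ include "valkey.caFile" . | quote }}, "--tls", "ping"]`. The same applies to the two probes in statefulset.yaml. The container spec starts and ends outside the hunk, so confirm that no other part of the probes relies on shell expansion before switching.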
--- a/valkey/templates/statefulset.yaml +++ b/valkey/templates/statefulset.yaml @@ -132,14 +132,14 @@ spec: startupProbe: exec: {{- if .Values.tls.enabled }} - command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ] + command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ] {{- else }} command: [ "sh", "-c", "valkey-cli ping" ] {{- end }} livenessProbe: exec: {{- if .Values.tls.enabled }} - command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ] + command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ] {{- else }} command: [ "sh", "-c", "valkey-cli ping" ] {{- end }} diff --git a/valkey/templates/tests/auth.yaml b/valkey/templates/tests/auth.yaml index d10477a..3adb3d4 100644 --- a/valkey/templates/tests/auth.yaml +++ b/valkey/templates/tests/auth.yaml @@ -35,7 +35,7 @@ spec: {{- if .Values.tls.enabled }} # TLS flags - TLS_FLAGS="--tls --cacert /tls/{{ .Values.tls.caPublicKey }}" + TLS_FLAGS="--tls --cacert {{ include "valkey.caFile" . }}" {{- else }} TLS_FLAGS="" {{- end }} @@ -107,7 +107,7 @@ spec: {{- if .Values.tls.enabled }} # TLS flags - TLS_FLAGS="--tls --cacert /tls/{{ .Values.tls.caPublicKey }}" + TLS_FLAGS="--tls --cacert {{ include "valkey.caFile" . }}" {{- else }} TLS_FLAGS="" {{- end }} diff --git a/valkey/values.schema.json b/valkey/values.schema.json index f1384e2..78ce49f 100644 --- a/valkey/values.schema.json +++ b/valkey/values.schema.json @@ -519,6 +519,9 @@ "caPublicKey": { "type": "string" }, + "alternativeClientCa": { + "type": "string" + }, "dhParamKey": { "type": "string" }, diff --git a/valkey/values.yaml b/valkey/values.yaml index 3bd36bb..185706e 100644 --- a/valkey/values.yaml +++ b/valkey/values.yaml 
@@ -269,6 +269,9 @@ tls:
 serverKey: server.key
 # Secret key name containing Certificate Authority public certificate
 caPublicKey: ca.crt
+ # in case the caPublicKey does not work for the client (e.g. valkey-cli), you can set an alternative CA cert as an absolute path here.
+ # Useful e.g. for trust-manager in combination with cert-manager-generated ACME certs.
+ alternativeClientCa: ""
 # Secret key name containing DH parameters (optional)
 dhParamKey: ""
 # Require that clients authenticate with a certificate
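Review bot: The new comment does not say what consumes `alternativeClientCa` or where the file has to come from. In this patch the value is read only by `valkey-cli` in the startup and liveness probes and in the helm test script, and no volume or mount is added, so the file presumably has to be supplied by the user; if it is missing while `tls.enabled` is set, the probes fail and the pod does not become ready. Sitting directly above the client-certificate option (the `tls:` block continues outside the hunk), the name is also easy to misread as the CA used to verify client certificates. I would extend the comment with `# Only used by valkey-cli in the probes and the helm test; the server's CA configuration is not affected.` and `# The file must already exist at this path inside the container (for example via an extra volume mount).`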