fix/workaround: allow external/alternative CAs for the client commands when using TLS.

valkey/templates/_helpers.tpl

@@ -188,3 +188,13 @@ Validate replica authentication configuration
 {{- end }}
 {{- end -}}
 
+{{/*
+Which caFile to use
+*/}}
+{{- define "valkey.caFile" -}}
+{{- if .Values.tls.alternativeClientCa }}
+{{- .Values.tls.alternativeClientCa }}
+{{- else }}
+{{- printf "/tls/%s" .Values.tls.caPublicKey }}
+{{- end }}
+{{- end -}}

valkey/templates/deploy_valkey.yaml

@@ -115,14 +115,14 @@ spec:
           startupProbe:
             exec:
               {{- if .Values.tls.enabled }}
-              command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+              command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ]
               {{- else }}
               command: [ "sh", "-c", "valkey-cli ping" ]
               {{- end }}
           livenessProbe:
             exec:
               {{- if .Values.tls.enabled }}
-              command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+              command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ]
               {{- else }}
               command: [ "sh", "-c", "valkey-cli ping" ]
               {{- end }}

valkey/templates/statefulset.yaml

@@ -132,14 +132,14 @@ spec:
           startupProbe:
             exec:
               {{- if .Values.tls.enabled }}
-              command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+              command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ]
               {{- else }}
               command: [ "sh", "-c", "valkey-cli ping" ]
               {{- end }}
           livenessProbe:
             exec:
               {{- if .Values.tls.enabled }}
-              command: [ "sh", "-c", "valkey-cli --cacert /tls/{{ .Values.tls.caPublicKey }} --tls ping" ]
+              command: [ "sh", "-c", "valkey-cli --cacert {{ include "valkey.caFile" . }} --tls ping" ]
               {{- else }}
               command: [ "sh", "-c", "valkey-cli ping" ]
               {{- end }}

valkey/templates/tests/auth.yaml

@@ -35,7 +35,7 @@ spec:
 
           {{- if .Values.tls.enabled }}
           # TLS flags
-          TLS_FLAGS="--tls --cacert /tls/{{ .Values.tls.caPublicKey }}"
+          TLS_FLAGS="--tls --cacert {{ include "valkey.caFile" . }}"
           {{- else }}
           TLS_FLAGS=""
           {{- end }}
@@ -107,7 +107,7 @@ spec:
 
           {{- if .Values.tls.enabled }}
           # TLS flags
-          TLS_FLAGS="--tls --cacert /tls/{{ .Values.tls.caPublicKey }}"
+          TLS_FLAGS="--tls --cacert {{ include "valkey.caFile" . }}"
           {{- else }}
           TLS_FLAGS=""
           {{- end }}

valkey/values.schema.json

@@ -519,6 +519,9 @@
                 "caPublicKey": {
                     "type": "string"
                 },
+                "alternativeClientCa": {
+                    "type": "string"
+                },
                 "dhParamKey": {
                     "type": "string"
                 },

valkey/values.yaml

@@ -269,6 +269,9 @@ tls:
   serverKey: server.key
   # Secret key name containing Certificate Authority public certificate
   caPublicKey: ca.crt
+  # in case the caPublicKey does not work for the client (e.g. valkey-cli), you can set an alternative CA cert as an absolute path here. 
+  # Useful e.g. for trust-manager in combination with cert-manager-generated ACME certs.
+  alternativeClientCa: ""
   # Secret key name containing DH parameters (optional)
   dhParamKey: ""
   # Require that clients authenticate with a certificate