feat: expose orgCABundle.configMapName for TLS trust injection#38
Merged
Conversation
Adds an optional `orgCABundle.configMapName` value. When set, the chart mounts the named ConfigMap into the nebi pod at `/etc/ssl/certs/org-ca.crt` (via subPath) and sets `SSL_CERT_FILE` to point at it. Required on clusters with a TLS-intercepting egress proxy whose CA isn't in the container's default trust store — otherwise pixi/rattler outbound HTTPS to conda-forge / pypi / github fails with "unknown CA". Rust's rustls-native-certs (used by pixi/rattler under the hood) honours `SSL_CERT_FILE` but does NOT iterate `/etc/ssl/certs/`, so both the bind mount AND the env var are required — the env var is set automatically when the value is non-empty. The named ConfigMap must already exist in the release namespace with key `ca-bundle.crt` containing PEM-encoded CA certs. Creation is out of scope for the chart: use gitops / sealed-secrets / external-secrets / whatever the operator already runs. Mirrors the shape already shipped in nebari-rayserve-pack#16. When `orgCABundle.configMapName` is empty (default), `helm template` output is byte-identical to before this change. Verified by rendering both trees with `--set nebariapp.hostname=nebi.example.com` and diffing — 418 lines vs 418 lines, no diff. Closes nebari-dev#36.
pmeier
approved these changes
Jul 2, 2026
pmeier
pushed a commit
that referenced
this pull request
Jul 2, 2026
Triggers the release workflow to publish nebari-nebi-pack-0.1.1. Changes since 0.1.0 (one merged PR): - #38 — expose `orgCABundle.configMapName` for TLS trust injection. Adds an optional value that, when set, mounts a pre-provisioned ConfigMap of PEM CA certs into the nebi pod at `/etc/ssl/certs/org-ca.crt` and sets `SSL_CERT_FILE`. Backwards- compatible: `helm template` output is byte-identical when the value is left at its empty default. Required on clusters with a TLS- intercepting egress proxy (pixi/rattler fail with "unknown CA" otherwise). Mirrors the pattern in nebari-rayserve-pack#16. Versioning note: this is a single backwards-compatible feature add. Strict semver would call for a minor bump (0.2.0); using a patch bump here matches the project's pre-1.0 convention where the 0.1.0-alpha.N line rolled feature additions through patch-level increments. Bump to 0.2.0 instead if the maintainer prefers strict semver — the release workflow keys off whatever is in Chart.yaml. `appVersion` stays at "0.13" — the nebi image hasn't changed, only the chart's rendering does.
This was referenced Jul 7, 2026
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #36.
Summary
Adds an optional
orgCABundle.configMapNamevalue. When set, the chart mounts the named ConfigMap into the nebi pod at/etc/ssl/certs/org-ca.crt(via subPath) and setsSSL_CERT_FILEto point at it.Required on clusters with a TLS-intercepting egress proxy whose CA isn't in the container's default trust store — otherwise pixi/rattler outbound HTTPS to conda-forge / pypi / github fails with
unknown CA.Mirrors the shape already shipped in nebari-rayserve-pack#16. Same pattern I've been driving through
kubectl patch+ ArgoignoreDifferenceson real deployments for weeks — this puts the config surface where it belongs (a helm value) so those out-of-band patches can retire.Why both the bind mount AND
SSL_CERT_FILERust's
rustls-native-certs(used by pixi/rattler under the hood) honorsSSL_CERT_FILEbut does NOT iterate/etc/ssl/certs/. So a bare subPath mount at/etc/ssl/certs/org-ca.crtis invisible to pixi without the env var. This is a subtle difference from Go and Python tooling, both of which pick up the directory entry. The chart sets both automatically when the value is non-empty.Changes
values.yaml— new top-levelorgCABundle.configMapNamevalue defaulted to"", with a docstring covering the intercepting-proxy use case, the SSL_CERT_FILE reasoning, the ConfigMap key requirement (ca-bundle.crt), and the byte-identity guarantee when unset.templates/deployment.yaml— three changes:SSL_CERT_FILEenv var appended to the existing env block.volumeMountsto compose the existingenvironmentsmount and the neworg-ca-bundlemount independently (guarded on either being enabled).volumesto compose the existingenvironmentsPVC and the neworg-ca-bundleConfigMap independently.The refactor of
volumeMountsandvolumesfrom{{- if .Values.persistence.enabled }}to{{- if or .Values.persistence.enabled .Values.orgCABundle.configMapName }}preserves the existing behavior exactly (both defaults evaluate to the same output) while allowing either or both to render independently.Verification
Rendered both trees with
helm template test . --set nebariapp.hostname=nebi.example.com:orgCABundle.configMapName=\"\") — 418 lines, byte-identical vsmain:orgCABundle.configMapName=my-ca-bundle— exactly the expected additions in the right places (env var, volumeMount, volume), no unrelated diffs:helm lint— clean (the pre-existingmissing required value: nebariapp.hostnamewarning is unrelated).Not included in this PR
kubectl create). The chart only consumes a reference.values.yamlis fairly comprehensive already, and the README is currently thin on configuration reference (values.yaml is de facto the docs).Rollout risk
Zero for existing users: the value defaults to
""and the render is byte-identical, so no diff would land on any current deployment.