fix: native custom CA support for Redis and MinIO

[aron-muon]

Summary

Fixes native loading of custom CA certificates for Redis and MinIO/S3 TLS connections, and enables Redis authentication from individual env vars when the password comes from an external secret.

• MinIO CA certs: Render MINIO_CA_CERTS in configmap and pass it to the MinIO client via a custom urllib3.PoolManager, so S3 endpoints with self-signed CAs verify correctly
• Redis SSL context: Replace individual ssl_* kwargs with a proper ssl.SSLContext built from the configured CA/cert/key files, fixing CERTIFICATE_VERIFY_FAILED with self-signed Redis CAs
• Redis individual connection fields: Render REDIS_HOST/REDIS_PORT/REDIS_DB in the configmap and skip REDIS_URL in the secret when redis.host is set without redis.password, so the app can build the connection URL from individual env vars + an externally-provided password

Closes #53

Changes

Helm chart

• configmap.yaml — Added MINIO_CA_CERTS (when minio.caCerts is set) and REDIS_HOST/REDIS_PORT/REDIS_DB (when redis.host is set)
• secret.yaml — REDIS_URL is now omitted when redis.host is set without redis.password, allowing the app to build the URL from individual env vars + externally-provided password
• _helpers.tpl — Updated needsHelmSecret to account for when REDIS_URL is not needed
• values.yaml — Changed redis.url default from "redis://redis:6379/0" to "" so the redisUrl helper falls through to redis.host / default branches correctly

App code

• src/config/minio.py — Added ca_certs field (MINIO_CA_CERTS env var) and _get_http_client() that creates a urllib3.PoolManager with custom CA; passed http_client to all Minio() constructors
• src/config/redis.py — Added _build_ssl_context() that creates an ssl.SSLContext with cafile= when custom CA is configured; get_ssl_kwargs() now returns {"ssl_context": ctx} instead of individual ssl_* params

Tests

• tests/unit/test_minio_config.py — 3 new tests: CA cert field loading from env, _get_http_client() with/without CA
• tests/unit/test_redis_config.py — 14 new tests: get_url() URL building from individual fields, get_ssl_kwargs() SSL context construction (verify modes, hostname checking, CA cert loading)

Test plan

• All 1330 unit tests pass (just test-unit)
• Linter passes (just lint)
• Helm template renders MINIO_CA_CERTS when minio.caCerts is set
• Helm template renders REDIS_HOST/REDIS_PORT/REDIS_DB when redis.host is set
• Helm template omits REDIS_URL when redis.host is set without redis.password
• Helm template includes REDIS_URL when redis.host + redis.password are both set
• Helm template backward-compatible (default renders REDIS_URL: redis://redis:6379/0)
• Deploy with Redis TLS using custom CA cert
• Deploy with MinIO/S3 using custom CA cert
• Deploy with Redis password from external secret via env block

🤖 Generated with Claude Code

[github-actions]

🎉 This PR is included in version 3.3.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀