
Add support for standard TLS secret key names for helm charts#62222

Merged: kshi36 merged 11 commits into master from kevin/helm-tls-secret-standard on Dec 22, 2025

Conversation


@kshi36 kshi36 commented Dec 12, 2025

Fixes #59389
Part of #60411

This PR adds support for standard TLS secret key names (e.g. from tools like cert-manager, or type: kubernetes.io/tls secrets) for helm charts. This allows users to specify a TLS secret key name by setting a new field existingCASecretKeyName, such as tls.crt or ca.crt. Backwards compatibility is preserved by setting the default to ca.pem.

This includes teleport-plugin-event-handler, teleport-cluster, teleport-operator, teleport-kube-agent charts.

changelog: Added support for standard TLS secret key names for helm charts: teleport-plugin-event-handler, teleport-cluster, teleport-operator, teleport-kube-agent

github-actions bot commented Dec 12, 2025

Amplify deployment status

Branch Commit Job ID Status Preview Updated (UTC)
kevin/helm-tls-secret-standard 5f989d6 8 ✅SUCCEED kevin-helm-tls-secret-standard 2025-12-16 20:19:30

Comment thread examples/chart/event-handler/templates/deployment.yaml Outdated

kshi36 commented Dec 15, 2025

As a side note: currently the teleport-relay chart implements this feature to provide standard TLS secret key names, mounting the CA file to /etc/teleport-tls-ca.pem.

deployment.yaml

            {{- if .Values.tls.existingCASecretName }}
            - name: SSL_CERT_FILE
              value: /etc/teleport-tls-ca.pem
            {{- end }}

Should this be standardized and renamed to /etc/teleport-tls-ca/{{ .Values.tls.existingCASecretKeyName }} as in this PR? This maintains the directory-based CA file as in the previous hard-coded version.

This will then change the volume mount from

            {{- if .Values.tls.existingCASecretName }}
            - mountPath: /etc/teleport-tls-ca.pem
              name: teleport-tls-ca
              subPath: {{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName | quote }}
            {{- end }}

to

          {{- if .Values.tls.existingCASecretName }}
            - mountPath: /etc/teleport-tls-ca
              name: "teleport-tls-ca"
          {{- end }}

Alternatively, we can standardize the CA file path in this PR to /etc/teleport-tls-ca.pem, which unifies the value for the env var SSL_CERT_FILE regardless of chosen key name, but specifies a subpath in the volume mount.

Which approach is preferred?


@bernardjkim bernardjkim left a comment


I think it's a good call to standardize our approach here. I don't have a strong opinion on what we choose, but if I understand correctly, using the first approach has the small benefit of providing the helpful error message when the required value is missing.
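The two template variants discussed above (the subPath mount guarded by `required ... | quote`, and the directory mount with SSL_CERT_FILE pointing at the chosen key), rendered with Go's text/template as an added example that is not part of this PR or the Teleport charts; `required` and `quote` are minimal stand-ins for the sprig helpers Helm provides, and the secret name is a constructed value.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"text/template"
)
// Stand-ins for the sprig helpers the chart snippets use (assumption: close enough to Helm's for this demo).
var funcs = template.FuncMap{
	"required": func(msg string, v interface{}) (string, error) {
		if s, _ := v.(string); s != "" {
			return s, nil
		}
		return "", errors.New(msg) // surfaces as the helm rendering error
	},
	"quote": strconv.Quote,
}

// Approach 1 from the thread: mount only the named key as a single file.
const subPathMount = `{{- if .Values.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca.pem
  name: teleport-tls-ca
  subPath: {{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName | quote }}
{{- end }}`

// Approach 2: mount the whole secret as a directory and point SSL_CERT_FILE at the chosen key.
const dirMountEnv = `{{- if .Values.tls.existingCASecretName }}
- name: SSL_CERT_FILE
  value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}`

// render executes a snippet against constructed chart values; with a secret name set
// but an empty key name, Execute fails with the `required` message instead of YAML.
func render(tpl, secretName, keyName string) (string, error) {
	t, err := template.New("snippet").Funcs(funcs).Parse(tpl)
	if err != nil {
		return "", err
	}
	tls := map[string]interface{}{"existingCASecretName": secretName, "existingCASecretKeyName": keyName}
	var out bytes.Buffer
	err = t.Execute(&out, map[string]interface{}{"Values": map[string]interface{}{"tls": tls}})
	return out.String(), err
}

func main() {
	out, err := render(dirMountEnv, "teleport-ca", "") // constructed values: key name left empty
	fmt.Printf("out=%q err=%v\n", out, err)
}
```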

Comment thread examples/chart/teleport-kube-agent/values.schema.json Outdated
Comment on lines 162 to 165
{{- if .Values.tls.existingCASecretName }}
- name: SSL_CERT_FILE
value: /etc/teleport-tls-ca.pem
value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
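Review bot: the `required` guard on the new `value` line validates only the key name, not what the accompanying mount exposes. Because the volumeMount in this chart now mounts the whole secret at /etc/teleport-tls-ca without a subPath (as the reply below states), pointing tls.existingCASecretName at a kubernetes.io/tls secret also places its tls.key private key in the container filesystem, whereas the earlier subPath form mounted the single named key. Consider keeping the subPath mount of just the selected key, or stating in the values documentation that the referenced secret should contain only the CA certificate.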

In the teleport-relay chart, migrated the required check (and standardized CA file name) from volumeMounts. This removes subPath from the volume mount. LMK if the other way is preferred (for all charts).

@kshi36 kshi36 requested a review from hugoShaka December 18, 2025 17:47
@marcoandredinis marcoandredinis removed their request for review December 19, 2025 17:55
@kshi36 kshi36 added this pull request to the merge queue Dec 22, 2025
Merged via the queue into master with commit dda5634 Dec 22, 2025
43 checks passed
@kshi36 kshi36 deleted the kevin/helm-tls-secret-standard branch December 22, 2025 18:29
@backport-bot-workflows

@kshi36 See the table below for backport results.

Branch Result
branch/v18 Failed

kshi36 added a commit that referenced this pull request Dec 22, 2025
* Add support for standard TLS secret key names for Event Handler helm chart

* Add support for Teleport Cluster helm chart

* Add support for Teleport Operator and Kube Agent; update comments for Teleport Cluster

* Re-render/update docs

* Minor fix for Teleport Cluster chart docs

* Remove redundant default in templates

* Add newline

* Add required and error msgs; standardize teleport-relay chart

* Re-render docs
github-merge-queue bot pushed a commit that referenced this pull request Jan 2, 2026
#62451)
21KennethTran pushed a commit that referenced this pull request Jan 6, 2026

Development

Successfully merging this pull request may close these issues.

Support type: kubernetes.io/tls secrets for CAs specified in the Helm chart