diff --git a/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
index 4d4e66ec96e73..ef51324c1ad5e 100644
--- a/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
@@ -524,9 +524,18 @@ Service.
You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
+```code
$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+```
+
+### `tls.existingCASecretKeyName`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.pem"` |
- The key containing the root CA in the secret must be `ca.pem`.
+`tls.existingCASecretKeyName` determines which key in the CA secret
+will be used as a trusted CA bundle file.
## `tolerations`
diff --git a/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx b/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx
index 411a08044774c..e846c48b32b78 100644
--- a/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx
@@ -705,9 +705,14 @@ You must create a secret containing the CA certs in the same namespace as Telepo
$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
```
-
- The key containing the root CA in the secret must be `ca.pem`.
-
+### `tls.existingCASecretKeyName`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.pem"` |
+
+`tls.existingCASecretKeyName` determines which key in the CA secret
+will be used as a trusted CA bundle file.
## `updater`
diff --git a/docs/pages/includes/helm-reference/zz_generated.teleport-operator.mdx b/docs/pages/includes/helm-reference/zz_generated.teleport-operator.mdx
index e3bbbb811eccf..9a77cba007ba3 100644
--- a/docs/pages/includes/helm-reference/zz_generated.teleport-operator.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.teleport-operator.mdx
@@ -344,6 +344,15 @@ command such as:
$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
```
+### `tls.existingCASecretKeyName`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.pem"` |
+
+`tls.existingCASecretKeyName` determines which key in the CA secret
+will be used as a trusted CA bundle file.
+
## `podSecurityContext`
| Type | Default |
diff --git a/docs/pages/reference/helm-reference/teleport-cluster.mdx b/docs/pages/reference/helm-reference/teleport-cluster.mdx
index 198acb623468e..735a21ac13fa4 100644
--- a/docs/pages/reference/helm-reference/teleport-cluster.mdx
+++ b/docs/pages/reference/helm-reference/teleport-cluster.mdx
@@ -1548,13 +1548,9 @@ in the pod logs.
You should create the secret in the same namespace as Teleport using a command like this:
```code
-kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
```
-
- The filename used for the root CA in the secret must be `ca.pem`.
-
-
`values.yaml` example:
```yaml
@@ -1562,6 +1558,21 @@ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
existingCASecretName: my-root-ca
```
+## `tls.existingCASecretKeyName`
+
+| Type | Default value |
+|----------|---------------|
+| `string` | `"ca.pem"` |
+
+`tls.existingCASecretKeyName` determines which key in the CA secret will be used as a trusted CA bundle file.
+
+`values.yaml` example:
+
+ ```yaml
+ tls:
+ existingCASecretKeyName: "ca.pem"
+ ```
+
## `image`
| Type | Default value |
diff --git a/examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml b/examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml
index a767c9076f74a..39f5b33d2917e 100644
--- a/examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml
+++ b/examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml
@@ -1,2 +1,3 @@
tls:
existingCASecretName: "helm-lint-existing-tls-secret-ca"
+ existingCASecretKeyName: "helm-lint-existing-tls-secret-key-name"
diff --git a/examples/chart/event-handler/templates/deployment.yaml b/examples/chart/event-handler/templates/deployment.yaml
index 360e1f796eb88..1e316e4078c15 100644
--- a/examples/chart/event-handler/templates/deployment.yaml
+++ b/examples/chart/event-handler/templates/deployment.yaml
@@ -58,7 +58,7 @@ spec:
value: "true"
{{- if .Values.tls.existingCASecretName }}
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 12 }}
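Review bot: The `required` guard on the new `value:` line only rejects an empty `tls.existingCASecretKeyName`; whether that key actually exists in the Secret named by `tls.existingCASecretName` is never checked, so a typo renders cleanly and the container starts with `SSL_CERT_FILE` pointing at a file that is not in the mount, surfacing only later as a certificate-verification failure rather than an install-time error. Helm cannot inspect the Secret at render time, so the practical mitigation is to say so next to this line, e.g. `{{- /* SSL_CERT_FILE must name a data key of the CA secret; a wrong key is not detected at install time */ -}}`, and to repeat that in the values.yaml comment. The identical `required` expression and the `/etc/teleport-tls-ca/` prefix are duplicated in eight other templates in this diff (teleport-operator deployment, teleport-cluster auth/proxy deployments and predeploy jobs, kube-agent statefulset and updater deployment, teleport-relay deployment); a single named helper template returning the full path would keep the message and the mount directory in one place. The enclosing container `env:` list starts outside the hunk.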
diff --git a/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap
index 0ab7a26d233df..c67db8d209469 100644
--- a/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap
+++ b/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap
@@ -86,7 +86,7 @@ should mount tls.existingCASecretName and set environment when set in values:
- name: TELEPORT_PLUGIN_FAIL_FAST
value: "true"
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
image: public.ecr.aws/gravitational/teleport-plugin-event-handler:19.0.0-dev
imagePullPolicy: IfNotPresent
name: teleport-plugin-event-handler
diff --git a/examples/chart/event-handler/tests/configmap_test.yaml b/examples/chart/event-handler/tests/configmap_test.yaml
index 7ba683e9f9d9c..cf352679c04b2 100644
--- a/examples/chart/event-handler/tests/configmap_test.yaml
+++ b/examples/chart/event-handler/tests/configmap_test.yaml
@@ -48,4 +48,4 @@ tests:
- isSubset:
path: metadata.labels
content:
- test-key: test-label-config
\ No newline at end of file
+ test-key: test-label-config
diff --git a/examples/chart/event-handler/tests/deployment_test.yaml b/examples/chart/event-handler/tests/deployment_test.yaml
index 7655ec9e83754..d8eb188ed334a 100644
--- a/examples/chart/event-handler/tests/deployment_test.yaml
+++ b/examples/chart/event-handler/tests/deployment_test.yaml
@@ -38,7 +38,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- matchSnapshot:
path: spec.template.spec
- it: should not contain deployment or pod annotations when not defined
diff --git a/examples/chart/event-handler/values.schema.json b/examples/chart/event-handler/values.schema.json
index 73787f6603a77..5aa97de174da0 100644
--- a/examples/chart/event-handler/values.schema.json
+++ b/examples/chart/event-handler/values.schema.json
@@ -289,13 +289,19 @@
"$id": "#/properties/tls",
"type": "object",
"required": [
- "existingCASecretName"
+ "existingCASecretName",
+ "existingCASecretKeyName"
],
"properties": {
"existingCASecretName": {
"$id": "#/properties/tls/properties/existingCASecretName",
"type": "string",
"default": ""
+ },
+ "existingCASecretKeyName": {
+ "$id": "#/properties/tls/properties/existingCASecretKeyName",
+ "type": "string",
+ "default": "ca.pem"
}
}
},
diff --git a/examples/chart/event-handler/values.yaml b/examples/chart/event-handler/values.yaml
index bd1b92a09b257..ef5adac45243e 100644
--- a/examples/chart/event-handler/values.yaml
+++ b/examples/chart/event-handler/values.yaml
@@ -267,10 +267,13 @@ tls:
#
# You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
#
+ # ```code
# $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
- #
- # The key containing the root CA in the secret must be `ca.pem`.
+ # ```
existingCASecretName: ""
+ # tls.existingCASecretKeyName(string) -- determines which key in the CA secret
+ # will be used as a trusted CA bundle file.
+ existingCASecretKeyName: "ca.pem"
# tolerations(list) -- sets the tolerations for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
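Review bot: The new comment on `existingCASecretKeyName` does not say that the value is only consulted when `existingCASecretName` is set (the template wraps the `SSL_CERT_FILE` entry in `if .Values.tls.existingCASecretName`), nor that it must match a data key of that Secret, which is what makes the `--from-file=ca.pem=...` example above line up with the `"ca.pem"` default. Suggested wording: `# tls.existingCASecretKeyName(string) -- data key of the secret named by tls.existingCASecretName whose content is used as the trusted CA bundle (SSL_CERT_FILE). Ignored when tls.existingCASecretName is empty; it must match a key of that secret (the example above creates "ca.pem").` The same comment is added to the teleport-operator and teleport-kube-agent values.yaml files and a one-line variant to teleport-cluster/values.yaml, so the wording should be aligned across all four.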
diff --git a/examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml b/examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml
index 086c628b0e8f0..9a99cb5f0097c 100644
--- a/examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml
+++ b/examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml
@@ -2,3 +2,4 @@ clusterName: test-cluster-name
tls:
existingSecretName: helm-lint-existing-tls-secret
existingCASecretName: helm-lint-existing-tls-secret-ca
+ existingCASecretKeyName: helm-lint-existing-tls-secret-key-name
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml
index 354a5e26475b8..aa33234e9d584 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml
@@ -1,5 +1,6 @@
tls:
existingCASecretName: helm-lint-existing-tls-secret-ca
+ existingCASecretKeyName: helm-lint-existing-tls-secret-key-name
teleportAddress: "teleport.example.com:3080"
token: "my-operator-bot"
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/deployment.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/deployment.yaml
index 8f47e0f545e6b..d22e8beddf5c2 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/deployment.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/deployment.yaml
@@ -70,7 +70,7 @@ spec:
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
{{- if .Values.teleportClusterName }}
- name: KUBERNETES_TOKEN_PATH
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml
index 50b4f90dad6fc..5e4e004814d6e 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml
@@ -98,7 +98,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- it: mounts tokens through projected volumes
values:
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/values.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/values.yaml
index a8c6034d99406..cf2081e32fafb 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/values.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/values.yaml
@@ -199,6 +199,9 @@ tls:
# $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
# ```
existingCASecretName: ""
+ # tls.existingCASecretKeyName(string) -- determines which key in the CA secret
+ # will be used as a trusted CA bundle file.
+ existingCASecretKeyName: "ca.pem"
# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
diff --git a/examples/chart/teleport-cluster/templates/auth/deployment.yaml b/examples/chart/teleport-cluster/templates/auth/deployment.yaml
index e5108b39cd6f6..43b12bf69bbce 100644
--- a/examples/chart/teleport-cluster/templates/auth/deployment.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/deployment.yaml
@@ -169,7 +169,7 @@ spec:
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
{{- end }}
args:
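Review bot: The condition on the line above reads `$auth.tls.existingCASecretName` while the new value reads `.Values.tls.existingCASecretKeyName`, so the secret name and the key name are taken from two different value objects. If `$auth` is the auth-specific merged values, as its use in the condition suggests, a key name overridden in the auth-specific section would be ignored here while the secret-name override is honoured; reading both from the same object, `{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" $auth.tls.existingCASecretKeyName }}`, keeps them consistent. The same mismatch is present in auth/predeploy_job.yaml (`$auth`), proxy/deployment.yaml and proxy/predeploy_job.yaml (`$proxy`), and the kube-agent updater/deployment.yaml (`$updater`). The enclosing container spec starts and ends outside the hunk.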
diff --git a/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml b/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml
index 36161ebc12fb1..248513a4bb973 100644
--- a/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml
@@ -46,7 +46,7 @@ spec:
{{- end }}
{{- if $auth.tls.existingCASecretName }}
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
{{- end }}
command:
diff --git a/examples/chart/teleport-cluster/templates/proxy/deployment.yaml b/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
index f2daf4e30b73a..052e566ac9a1f 100644
--- a/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
@@ -188,7 +188,7 @@ spec:
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
{{- end }}
args:
diff --git a/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml b/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml
index 237f66ba767c8..e059f84ea9741 100644
--- a/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml
@@ -46,7 +46,7 @@ spec:
{{- end }}
{{- if $proxy.tls.existingCASecretName }}
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
{{- end }}
command:
diff --git a/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml b/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
index b13778d0b19c9..012a7248b2862 100644
--- a/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
@@ -709,7 +709,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- it: should mount tls.existingCASecretName and set extra environment when set in values
template: auth/deployment.yaml
@@ -733,7 +733,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- contains:
path: spec.template.spec.containers[0].env
content:
diff --git a/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml b/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
index c36e7f1d513fc..39e1299e2d58f 100644
--- a/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
@@ -845,7 +845,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- it: should mount tls.existingCASecretName and set extra environment when set in values
template: proxy/deployment.yaml
@@ -869,7 +869,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- contains:
path: spec.template.spec.containers[0].env
content:
diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
index cadc25b5999dc..5bac6bc580ea3 100644
--- a/examples/chart/teleport-cluster/values.schema.json
+++ b/examples/chart/teleport-cluster/values.schema.json
@@ -712,7 +712,8 @@
"type": "object",
"required": [
"existingSecretName",
- "existingCASecretName"
+ "existingCASecretName",
+ "existingCASecretKeyName"
],
"properties": {
"existingSecretName": {
@@ -724,6 +725,11 @@
"$id": "#/properties/tls/properties/existingCASecretName",
"type": "string",
"default": ""
+ },
+ "existingCASecretKeyName": {
+ "$id": "#/properties/tls/properties/existingCASecretKeyName",
+ "type": "string",
+ "default": "ca.pem"
}
}
},
diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
index 4d66fd5853825..650a9ea237d80 100644
--- a/examples/chart/teleport-cluster/values.yaml
+++ b/examples/chart/teleport-cluster/values.yaml
@@ -585,8 +585,9 @@ tls:
# Useful for building trust when using intermediate certificate authorities.
# This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
# Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
- # The filename inside the secret is important - it _must_ be ca.pem
existingCASecretName: ""
+ # (optional) Name of an existing key in the CA secret which will be used as a trusted CA bundle file.
+ existingCASecretKeyName: "ca.pem"
##################################################
# Values that you shouldn't need to change.
diff --git a/examples/chart/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml b/examples/chart/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml
index a8e2a468fd7a3..d3fe2c117f10a 100644
--- a/examples/chart/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml
+++ b/examples/chart/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml
@@ -4,3 +4,4 @@ roles: kube
kubeClusterName: test-kube-cluster
tls:
existingCASecretName: "helm-lint-existing-tls-secret-ca"
+ existingCASecretKeyName: "helm-lint-existing-tls-secret-key-name"
diff --git a/examples/chart/teleport-kube-agent/templates/statefulset.yaml b/examples/chart/teleport-kube-agent/templates/statefulset.yaml
index f85de3e9e097b..0c393644fbab1 100644
--- a/examples/chart/teleport-kube-agent/templates/statefulset.yaml
+++ b/examples/chart/teleport-kube-agent/templates/statefulset.yaml
@@ -190,7 +190,7 @@ spec:
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 10 }}
diff --git a/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml b/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml
index 4ca69aadf21be..fa850c8b88426 100644
--- a/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml
+++ b/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml
@@ -56,7 +56,7 @@ spec:
{{- end }}
{{- if $updater.tls.existingCASecretName }}
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
{{- end }}
args:
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
index 7097044e9193f..83c0fa7c39083 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
@@ -1547,7 +1547,7 @@ should mount tls.existingCASecretName and set environment when set in values:
- name: TELEPORT_KUBE_CLUSTER_DOMAIN
value: cluster.local
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
image: public.ecr.aws/gravitational/teleport-distroless:19.0.0-dev
imagePullPolicy: IfNotPresent
livenessProbe:
@@ -1644,7 +1644,7 @@ should mount tls.existingCASecretName and set extra environment when set in valu
- name: TELEPORT_KUBE_CLUSTER_DOMAIN
value: cluster.local
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- name: HTTPS_PROXY
value: http://username:password@my.proxy.host:3128
image: public.ecr.aws/gravitational/teleport-distroless:19.0.0-dev
diff --git a/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml b/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml
index 8e3c49551d096..0261665642596 100644
--- a/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml
@@ -649,7 +649,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- matchSnapshot:
path: spec.template.spec
@@ -675,7 +675,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- contains:
path: spec.template.spec.containers[0].env
content:
diff --git a/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml b/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml
index e8147c7f9b423..47ad551fb7100 100644
--- a/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml
@@ -242,7 +242,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca/ca.pem
+ value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
- it: sets the updater container extraEnv
values:
- ../.lint/updater.yaml
diff --git a/examples/chart/teleport-kube-agent/values.schema.json b/examples/chart/teleport-kube-agent/values.schema.json
index 0a99223dd10df..193a5b829eca8 100644
--- a/examples/chart/teleport-kube-agent/values.schema.json
+++ b/examples/chart/teleport-kube-agent/values.schema.json
@@ -272,13 +272,19 @@
"$id": "#/properties/tls",
"type": "object",
"required": [
- "existingCASecretName"
+ "existingCASecretName",
+ "existingCASecretKeyName"
],
"properties": {
"existingCASecretName": {
"$id": "#/properties/tls/properties/existingCASecretName",
"type": "string",
"default": ""
+ },
+ "existingCASecretKeyName": {
+ "$id": "#/properties/tls/properties/existingCASecretKeyName",
+ "type": "string",
+ "default": "ca.pem"
}
}
},
diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml
index 24e44d2995d66..a35e2dfec547a 100644
--- a/examples/chart/teleport-kube-agent/values.yaml
+++ b/examples/chart/teleport-kube-agent/values.yaml
@@ -588,11 +588,10 @@ tls:
# ```code
# $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
# ```
- #
- #
- # The key containing the root CA in the secret must be `ca.pem`.
- #
existingCASecretName: ""
+ # tls.existingCASecretKeyName(string) -- determines which key in the CA secret
+ # will be used as a trusted CA bundle file.
+ existingCASecretKeyName: "ca.pem"
# updater -- controls whether the Kube Agent Updater should be deployed alongside
# the `teleport-kube-agent`. The updater fetches the target version, validates the
diff --git a/examples/chart/teleport-relay/templates/deployment.yaml b/examples/chart/teleport-relay/templates/deployment.yaml
index e335c1603f55d..17d8459d74a88 100644
--- a/examples/chart/teleport-relay/templates/deployment.yaml
+++ b/examples/chart/teleport-relay/templates/deployment.yaml
@@ -161,7 +161,7 @@ spec:
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca.pem
+ value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}"
{{- end }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 12 }}
@@ -220,9 +220,9 @@ spec:
name: join-sa-token
{{- end }}
{{- if .Values.tls.existingCASecretName }}
- - mountPath: /etc/teleport-tls-ca.pem
+ - mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
- subPath: {{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName | quote }}
+ readOnly: true
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
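Review bot: Replacing the `subPath` file mount with a directory mount at `/etc/teleport-tls-ca` exposes every data key of the CA Secret inside the container, not just the one key the previous mount projected. That is harmless when the Secret holds only CA certificates, but nothing in the chart enforces that, and a Secret that also carries private key material would now be readable under that path. If the volume definition for `teleport-tls-ca` (outside this hunk) does not already restrict the projection, an `items:` list naming only `.Values.tls.existingCASecretKeyName` keeps the narrower exposure while retaining the directory mount, and `readOnly: true` is a good addition either way. Note also that the relay `mountPath` changed from `/etc/teleport-tls-ca.pem` to `/etc/teleport-tls-ca`, so the new `SSL_CERT_FILE` value in the first hunk is the only place that must agree with it; a comment on the mount, `# must match the directory used for SSL_CERT_FILE above`, would make that coupling visible.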
diff --git a/examples/chart/teleport-relay/tests/deployment_test.yaml b/examples/chart/teleport-relay/tests/deployment_test.yaml
index 430b9a92c1730..bb36ab3a05576 100644
--- a/examples/chart/teleport-relay/tests/deployment_test.yaml
+++ b/examples/chart/teleport-relay/tests/deployment_test.yaml
@@ -308,14 +308,14 @@ tests:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
- mountPath: /etc/teleport-tls-ca.pem
+ mountPath: /etc/teleport-tls-ca
name: teleport-tls-ca
- subPath: randomCASecretKeyName
+ readOnly: true
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_FILE
- value: /etc/teleport-tls-ca.pem
+ value: /etc/teleport-tls-ca/randomCASecretKeyName
- it: sets GOMEMLIMIT by default (SI unit)
template: deployment.yaml