Add support for standard TLS secret key names for helm charts

docs/pages/includes/helm-reference/zz_generated.event-handler.mdx

@@ -524,9 +524,18 @@ Service.
 
 You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
 
+```code
 $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+```
+
+### `tls.existingCASecretKeyName`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.pem"` |
 
-  The key containing the root CA in the secret must be `ca.pem`.
+`tls.existingCASecretKeyName` determines which key in the CA secret
+will be used as a trusted CA bundle file.
 
 ## `tolerations`
 

docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx

@@ -705,9 +705,14 @@ You must create a secret containing the CA certs in the same namespace as Telepo
 $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
 ```
 
-<Admonition type="warning" title="Root CA filename">
-  The key containing the root CA in the secret must be `ca.pem`.
-</Admonition>
+### `tls.existingCASecretKeyName`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.pem"` |
+
+`tls.existingCASecretKeyName` determines which key in the CA secret
+will be used as a trusted CA bundle file.
 
 ## `updater`
 

docs/pages/includes/helm-reference/zz_generated.teleport-operator.mdx

@@ -344,6 +344,15 @@ command such as:
 $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
 ```
 
+### `tls.existingCASecretKeyName`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.pem"` |
+
+`tls.existingCASecretKeyName` determines which key in the CA secret
+will be used as a trusted CA bundle file.
+
 ## `podSecurityContext`
 
 | Type | Default |

docs/pages/reference/helm-reference/teleport-cluster.mdx

@@ -1548,20 +1548,31 @@ in the pod logs.
 You should create the secret in the same namespace as Teleport using a command like this:
 
 ```code
-kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
 ```
 
-<Admonition type="warning" title="Root CA filename">
-  The filename used for the root CA in the secret must be `ca.pem`.
-</Admonition>
-
 `values.yaml` example:
 
   ```yaml
   tls:
     existingCASecretName: my-root-ca
   ```
 
+## `tls.existingCASecretKeyName`
+
+| Type     | Default value |
+|----------|---------------|
+| `string` | `"ca.pem"`    |
+
+`tls.existingCASecretKeyName` determines which key in the CA secret will be used as a trusted CA bundle file.
+
+`values.yaml` example:
+
+  ```yaml
+  tls:
+    existingCASecretKeyName: "ca.pem"
+  ```
+
 ## `image`
 
 | Type     | Default value                           |

examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml

@@ -1,2 +1,3 @@
 tls:
   existingCASecretName: "helm-lint-existing-tls-secret-ca"
+  existingCASecretKeyName: "helm-lint-existing-tls-secret-key-name"

examples/chart/event-handler/templates/deployment.yaml

@@ -58,7 +58,7 @@ spec:
               value: "true"
             {{- if .Values.tls.existingCASecretName }}
             - name: SSL_CERT_FILE
-              value: /etc/teleport-tls-ca/ca.pem
+              value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
             {{- end }}
             {{- with .Values.extraEnv }}
             {{- toYaml . | nindent 12 }}

examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap

@@ -86,7 +86,7 @@ should mount tls.existingCASecretName and set environment when set in values:
       - name: TELEPORT_PLUGIN_FAIL_FAST
         value: "true"
       - name: SSL_CERT_FILE
-        value: /etc/teleport-tls-ca/ca.pem
+        value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       image: public.ecr.aws/gravitational/teleport-plugin-event-handler:19.0.0-dev
       imagePullPolicy: IfNotPresent
       name: teleport-plugin-event-handler

examples/chart/event-handler/tests/configmap_test.yaml

@@ -48,4 +48,4 @@ tests:
       - isSubset:
           path: metadata.labels
           content:
-            test-key: test-label-config
+            test-key: test-label-config

examples/chart/event-handler/tests/deployment_test.yaml

@@ -38,7 +38,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - matchSnapshot:
           path: spec.template.spec
   - it: should not contain deployment or pod annotations when not defined

examples/chart/event-handler/values.schema.json

@@ -289,13 +289,19 @@
             "$id": "#/properties/tls",
             "type": "object",
             "required": [
-                "existingCASecretName"
+                "existingCASecretName",
+                "existingCASecretKeyName"
             ],
             "properties": {
                 "existingCASecretName": {
                     "$id": "#/properties/tls/properties/existingCASecretName",
                     "type": "string",
                     "default": ""
+                },
+                "existingCASecretKeyName": {
+                    "$id": "#/properties/tls/properties/existingCASecretKeyName",
+                    "type": "string",
+                    "default": "ca.pem"
                 }
             }
         },

examples/chart/event-handler/values.yaml

@@ -267,10 +267,13 @@ tls:
   #
   # You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
   #
+  # ```code
   # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
-  #
-  #   The key containing the root CA in the secret must be `ca.pem`.
+  # ```
   existingCASecretName: ""
+  # tls.existingCASecretKeyName(string) -- determines which key in the CA secret
+  # will be used as a trusted CA bundle file.
+  existingCASecretKeyName: "ca.pem"
 
 # tolerations(list) -- sets the tolerations for any pods created by the chart.
 # See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)

examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml

@@ -2,3 +2,4 @@ clusterName: test-cluster-name
 tls:
   existingSecretName: helm-lint-existing-tls-secret
   existingCASecretName: helm-lint-existing-tls-secret-ca
+  existingCASecretKeyName: helm-lint-existing-tls-secret-key-name

examples/chart/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml

@@ -1,5 +1,6 @@
 tls:
   existingCASecretName: helm-lint-existing-tls-secret-ca
+  existingCASecretKeyName: helm-lint-existing-tls-secret-key-name
 
 teleportAddress: "teleport.example.com:3080"
 token: "my-operator-bot"

examples/chart/teleport-cluster/charts/teleport-operator/templates/deployment.yaml

@@ -70,7 +70,7 @@ spec:
     {{- end }}
     {{- if .Values.tls.existingCASecretName }}
             - name: SSL_CERT_FILE
-              value: /etc/teleport-tls-ca/ca.pem
+              value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
     {{- end }}
     {{- if .Values.teleportClusterName }}
             - name: KUBERNETES_TOKEN_PATH

examples/chart/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml

@@ -98,7 +98,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
 
   - it: mounts tokens through projected volumes
     values:

examples/chart/teleport-cluster/charts/teleport-operator/values.yaml

@@ -199,6 +199,9 @@ tls:
   # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
   # ```
   existingCASecretName: ""
+  # tls.existingCASecretKeyName(string) -- determines which key in the CA secret
+  # will be used as a trusted CA bundle file.
+  existingCASecretKeyName: "ca.pem"
 
 # podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
 # See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)

examples/chart/teleport-cluster/templates/auth/deployment.yaml

@@ -169,7 +169,7 @@ spec:
         {{- end }}
         {{- if $auth.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
         {{- end }}
         {{- end }}
         args:

examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml

@@ -46,7 +46,7 @@ spec:
   {{- end }}
   {{- if $auth.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
   {{- end }}
 {{- end }}
         command:

examples/chart/teleport-cluster/templates/proxy/deployment.yaml

@@ -188,7 +188,7 @@ spec:
         {{- end }}
         {{- if $proxy.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
         {{- end }}
         {{- end }}
         args:

examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml

@@ -46,7 +46,7 @@ spec:
   {{- end }}
   {{- if $proxy.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
   {{- end }}
 {{- end }}
         command:

examples/chart/teleport-cluster/tests/auth_deployment_test.yaml

@@ -709,7 +709,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
 
   - it: should mount tls.existingCASecretName and set extra environment when set in values
     template: auth/deployment.yaml
@@ -733,7 +733,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - contains:
           path: spec.template.spec.containers[0].env
           content:

examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml

@@ -845,7 +845,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
 
   - it: should mount tls.existingCASecretName and set extra environment when set in values
     template: proxy/deployment.yaml
@@ -869,7 +869,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - contains:
           path: spec.template.spec.containers[0].env
           content:

examples/chart/teleport-cluster/values.schema.json

@@ -712,7 +712,8 @@
             "type": "object",
             "required": [
                 "existingSecretName",
-                "existingCASecretName"
+                "existingCASecretName",
+                "existingCASecretKeyName"
             ],
             "properties": {
                 "existingSecretName": {
@@ -724,6 +725,11 @@
                     "$id": "#/properties/tls/properties/existingCASecretName",
                     "type": "string",
                     "default": ""
+                },
+                "existingCASecretKeyName": {
+                    "$id": "#/properties/tls/properties/existingCASecretKeyName",
+                    "type": "string",
+                    "default": "ca.pem"
                 }
             }
         },

examples/chart/teleport-cluster/values.yaml

@@ -585,8 +585,9 @@ tls:
   # Useful for building trust when using intermediate certificate authorities.
   # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
   # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
-  # The filename inside the secret is important - it _must_ be ca.pem
   existingCASecretName: ""
+  # (optional) Name of an existing key in the CA secret which will be used as a trusted CA bundle file.
+  existingCASecretKeyName: "ca.pem"
 
 ##################################################
 # Values that you shouldn't need to change.

examples/chart/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml

@@ -4,3 +4,4 @@ roles: kube
 kubeClusterName: test-kube-cluster
 tls:
   existingCASecretName: "helm-lint-existing-tls-secret-ca"
+  existingCASecretKeyName: "helm-lint-existing-tls-secret-key-name"

examples/chart/teleport-kube-agent/templates/statefulset.yaml

@@ -190,7 +190,7 @@ spec:
           {{- end }}
           {{- if .Values.tls.existingCASecretName }}
           - name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
           {{- end }}
           {{- if .Values.extraEnv }}
             {{- toYaml .Values.extraEnv | nindent 10 }}

examples/chart/teleport-kube-agent/templates/updater/deployment.yaml

@@ -56,7 +56,7 @@ spec:
   {{- end }}
   {{- if $updater.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
   {{- end }}
 {{- end }}
         args:

examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap

@@ -1547,7 +1547,7 @@ should mount tls.existingCASecretName and set environment when set in values:
       - name: TELEPORT_KUBE_CLUSTER_DOMAIN
         value: cluster.local
       - name: SSL_CERT_FILE
-        value: /etc/teleport-tls-ca/ca.pem
+        value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       image: public.ecr.aws/gravitational/teleport-distroless:19.0.0-dev
       imagePullPolicy: IfNotPresent
       livenessProbe:
@@ -1644,7 +1644,7 @@ should mount tls.existingCASecretName and set extra environment when set in valu
       - name: TELEPORT_KUBE_CLUSTER_DOMAIN
         value: cluster.local
       - name: SSL_CERT_FILE
-        value: /etc/teleport-tls-ca/ca.pem
+        value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - name: HTTPS_PROXY
         value: http://username:password@my.proxy.host:3128
       image: public.ecr.aws/gravitational/teleport-distroless:19.0.0-dev

examples/chart/teleport-kube-agent/tests/statefulset_test.yaml

@@ -649,7 +649,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - matchSnapshot:
           path: spec.template.spec
 
@@ -675,7 +675,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - contains:
           path: spec.template.spec.containers[0].env
           content:

examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml

@@ -242,7 +242,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
   - it: sets the updater container extraEnv
     values:
       - ../.lint/updater.yaml

examples/chart/teleport-kube-agent/values.schema.json

@@ -272,13 +272,19 @@
             "$id": "#/properties/tls",
             "type": "object",
             "required": [
-                "existingCASecretName"
+                "existingCASecretName",
+                "existingCASecretKeyName"
             ],
             "properties": {
                 "existingCASecretName": {
                     "$id": "#/properties/tls/properties/existingCASecretName",
                     "type": "string",
                     "default": ""
+                },
+                "existingCASecretKeyName": {
+                    "$id": "#/properties/tls/properties/existingCASecretKeyName",
+                    "type": "string",
+                    "default": "ca.pem"
                 }
             }
         },