gravitational · kshi36 · Jan 2, 2026 · Dec 22, 2025 · Jan 2, 2026
diff --git a/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
@@ -524,9 +524,18 @@ Service.
 
 You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
 
+```code
 $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+```
+
+### `tls.existingCASecretKeyName`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.pem"` |
 
-  The key containing the root CA in the secret must be `ca.pem`.
+`tls.existingCASecretKeyName` determines which key in the CA secret
+will be used as a trusted CA bundle file.
 
 ## `tolerations`
 

diff --git a/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx b/docs/pages/includes/helm-reference/zz_generated.teleport-kube-agent.mdx
@@ -705,9 +705,14 @@ You must create a secret containing the CA certs in the same namespace as Telepo
 $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
 ```
 
-<Admonition type="warning" title="Root CA filename">
-  The key containing the root CA in the secret must be `ca.pem`.
-</Admonition>
+### `tls.existingCASecretKeyName`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.pem"` |
+
+`tls.existingCASecretKeyName` determines which key in the CA secret
+will be used as a trusted CA bundle file.
 
 ## `updater`
 

diff --git a/docs/pages/includes/helm-reference/zz_generated.teleport-operator.mdx b/docs/pages/includes/helm-reference/zz_generated.teleport-operator.mdx
@@ -344,6 +344,15 @@ command such as:
 $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
 ```
 
+### `tls.existingCASecretKeyName`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.pem"` |
+
+`tls.existingCASecretKeyName` determines which key in the CA secret
+will be used as a trusted CA bundle file.
+
 ## `podSecurityContext`
 
 | Type | Default |

diff --git a/docs/pages/reference/helm-reference/teleport-cluster.mdx b/docs/pages/reference/helm-reference/teleport-cluster.mdx
@@ -1548,20 +1548,31 @@ in the pod logs.
 You should create the secret in the same namespace as Teleport using a command like this:
 
 ```code
-kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
 ```
 
-<Admonition type="warning" title="Root CA filename">
-  The filename used for the root CA in the secret must be `ca.pem`.
-</Admonition>
-
 `values.yaml` example:
 
   ```yaml
   tls:
     existingCASecretName: my-root-ca
   ```
 
+## `tls.existingCASecretKeyName`
+
+| Type     | Default value |
+|----------|---------------|
+| `string` | `"ca.pem"`    |
+
+`tls.existingCASecretKeyName` determines which key in the CA secret will be used as a trusted CA bundle file.
+
+`values.yaml` example:
+
+  ```yaml
+  tls:
+    existingCASecretKeyName: "ca.pem"
+  ```
+
 ## `image`
 
 | Type     | Default value                           |

diff --git a/examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml b/examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml
@@ -1,2 +1,3 @@
 tls:
   existingCASecretName: "helm-lint-existing-tls-secret-ca"
+  existingCASecretKeyName: "helm-lint-existing-tls-secret-key-name"
diff --git a/examples/chart/event-handler/templates/deployment.yaml b/examples/chart/event-handler/templates/deployment.yaml
@@ -58,7 +58,7 @@ spec:
               value: "true"
             {{- if .Values.tls.existingCASecretName }}
             - name: SSL_CERT_FILE
-              value: /etc/teleport-tls-ca/ca.pem
+              value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
             {{- end }}
             {{- with .Values.extraEnv }}
             {{- toYaml . | nindent 12 }}

diff --git a/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap
@@ -86,7 +86,7 @@ should mount tls.existingCASecretName and set environment when set in values:
       - name: TELEPORT_PLUGIN_FAIL_FAST
         value: "true"
       - name: SSL_CERT_FILE
-        value: /etc/teleport-tls-ca/ca.pem
+        value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       image: public.ecr.aws/gravitational/teleport-plugin-event-handler:18.6.1
       imagePullPolicy: IfNotPresent
       name: teleport-plugin-event-handler

diff --git a/examples/chart/event-handler/tests/configmap_test.yaml b/examples/chart/event-handler/tests/configmap_test.yaml
@@ -48,4 +48,4 @@ tests:
       - isSubset:
           path: metadata.labels
           content:
-            test-key: test-label-config
+            test-key: test-label-config
diff --git a/examples/chart/event-handler/tests/deployment_test.yaml b/examples/chart/event-handler/tests/deployment_test.yaml
@@ -38,7 +38,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - matchSnapshot:
           path: spec.template.spec
   - it: should not contain deployment or pod annotations when not defined

diff --git a/examples/chart/event-handler/values.schema.json b/examples/chart/event-handler/values.schema.json
@@ -289,13 +289,19 @@
             "$id": "#/properties/tls",
             "type": "object",
             "required": [
-                "existingCASecretName"
+                "existingCASecretName",
+                "existingCASecretKeyName"
             ],
             "properties": {
                 "existingCASecretName": {
                     "$id": "#/properties/tls/properties/existingCASecretName",
                     "type": "string",
                     "default": ""
+                },
+                "existingCASecretKeyName": {
+                    "$id": "#/properties/tls/properties/existingCASecretKeyName",
+                    "type": "string",
+                    "default": "ca.pem"
                 }
             }
         },

diff --git a/examples/chart/event-handler/values.yaml b/examples/chart/event-handler/values.yaml
@@ -267,10 +267,13 @@ tls:
   #
   # You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
   #
+  # ```code
   # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
-  #
-  #   The key containing the root CA in the secret must be `ca.pem`.
+  # ```
   existingCASecretName: ""
+  # tls.existingCASecretKeyName(string) -- determines which key in the CA secret
+  # will be used as a trusted CA bundle file.
+  existingCASecretKeyName: "ca.pem"
 
 # tolerations(list) -- sets the tolerations for any pods created by the chart.
 # See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)

diff --git a/examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml b/examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml
@@ -2,3 +2,4 @@ clusterName: test-cluster-name
 tls:
   existingSecretName: helm-lint-existing-tls-secret
   existingCASecretName: helm-lint-existing-tls-secret-ca
+  existingCASecretKeyName: helm-lint-existing-tls-secret-key-name
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/.lint/existing-tls-ca.yaml
@@ -1,5 +1,6 @@
 tls:
   existingCASecretName: helm-lint-existing-tls-secret-ca
+  existingCASecretKeyName: helm-lint-existing-tls-secret-key-name
 
 teleportAddress: "teleport.example.com:3080"
 token: "my-operator-bot"

diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/deployment.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/deployment.yaml
@@ -70,7 +70,7 @@ spec:
     {{- end }}
     {{- if .Values.tls.existingCASecretName }}
             - name: SSL_CERT_FILE
-              value: /etc/teleport-tls-ca/ca.pem
+              value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
     {{- end }}
     {{- if .Values.teleportClusterName }}
             - name: KUBERNETES_TOKEN_PATH

diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/tests/deployment_test.yaml
@@ -98,7 +98,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
 
   - it: mounts tokens through projected volumes
     values:

diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/values.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/values.yaml
@@ -199,6 +199,9 @@ tls:
   # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
   # ```
   existingCASecretName: ""
+  # tls.existingCASecretKeyName(string) -- determines which key in the CA secret
+  # will be used as a trusted CA bundle file.
+  existingCASecretKeyName: "ca.pem"
 
 # podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
 # See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)

diff --git a/examples/chart/teleport-cluster/templates/auth/deployment.yaml b/examples/chart/teleport-cluster/templates/auth/deployment.yaml
@@ -169,7 +169,7 @@ spec:
         {{- end }}
         {{- if $auth.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
         {{- end }}
         {{- end }}
         args:

diff --git a/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml b/examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml
@@ -46,7 +46,7 @@ spec:
   {{- end }}
   {{- if $auth.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
   {{- end }}
 {{- end }}
         command:

diff --git a/examples/chart/teleport-cluster/templates/proxy/deployment.yaml b/examples/chart/teleport-cluster/templates/proxy/deployment.yaml
@@ -188,7 +188,7 @@ spec:
         {{- end }}
         {{- if $proxy.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
         {{- end }}
         {{- end }}
         args:

diff --git a/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml b/examples/chart/teleport-cluster/templates/proxy/predeploy_job.yaml
@@ -46,7 +46,7 @@ spec:
   {{- end }}
   {{- if $proxy.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
   {{- end }}
 {{- end }}
         command:

diff --git a/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml b/examples/chart/teleport-cluster/tests/auth_deployment_test.yaml
@@ -709,7 +709,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
 
   - it: should mount tls.existingCASecretName and set extra environment when set in values
     template: auth/deployment.yaml
@@ -733,7 +733,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - contains:
           path: spec.template.spec.containers[0].env
           content:

diff --git a/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml b/examples/chart/teleport-cluster/tests/proxy_deployment_test.yaml
@@ -845,7 +845,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
 
   - it: should mount tls.existingCASecretName and set extra environment when set in values
     template: proxy/deployment.yaml
@@ -869,7 +869,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - contains:
           path: spec.template.spec.containers[0].env
           content:

diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
@@ -712,7 +712,8 @@
             "type": "object",
             "required": [
                 "existingSecretName",
-                "existingCASecretName"
+                "existingCASecretName",
+                "existingCASecretKeyName"
             ],
             "properties": {
                 "existingSecretName": {
@@ -724,6 +725,11 @@
                     "$id": "#/properties/tls/properties/existingCASecretName",
                     "type": "string",
                     "default": ""
+                },
+                "existingCASecretKeyName": {
+                    "$id": "#/properties/tls/properties/existingCASecretKeyName",
+                    "type": "string",
+                    "default": "ca.pem"
                 }
             }
         },

diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
@@ -585,8 +585,9 @@ tls:
   # Useful for building trust when using intermediate certificate authorities.
   # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
   # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
-  # The filename inside the secret is important - it _must_ be ca.pem
   existingCASecretName: ""
+  # (optional) Name of an existing key in the CA secret which will be used as a trusted CA bundle file.
+  existingCASecretKeyName: "ca.pem"
 
 ##################################################
 # Values that you shouldn't need to change.

diff --git a/examples/chart/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml b/examples/chart/teleport-kube-agent/.lint/existing-tls-secret-with-ca.yaml
@@ -4,3 +4,4 @@ roles: kube
 kubeClusterName: test-kube-cluster
 tls:
   existingCASecretName: "helm-lint-existing-tls-secret-ca"
+  existingCASecretKeyName: "helm-lint-existing-tls-secret-key-name"
diff --git a/examples/chart/teleport-kube-agent/templates/statefulset.yaml b/examples/chart/teleport-kube-agent/templates/statefulset.yaml
@@ -189,7 +189,7 @@ spec:
           {{- end }}
           {{- if .Values.tls.existingCASecretName }}
           - name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
           {{- end }}
           {{- if .Values.extraEnv }}
             {{- toYaml .Values.extraEnv | nindent 10 }}

diff --git a/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml b/examples/chart/teleport-kube-agent/templates/updater/deployment.yaml
@@ -56,7 +56,7 @@ spec:
   {{- end }}
   {{- if $updater.tls.existingCASecretName }}
         - name: SSL_CERT_FILE
-          value: /etc/teleport-tls-ca/ca.pem
+          value: "/etc/teleport-tls-ca/{{ required "tls.existingCASecretKeyName must be set if tls.existingCASecretName is set in chart values" .Values.tls.existingCASecretKeyName }}" 
   {{- end }}
 {{- end }}
         args:

diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
@@ -1530,7 +1530,7 @@ should mount tls.existingCASecretName and set environment when set in values:
       - name: TELEPORT_KUBE_CLUSTER_DOMAIN
         value: cluster.local
       - name: SSL_CERT_FILE
-        value: /etc/teleport-tls-ca/ca.pem
+        value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       image: public.ecr.aws/gravitational/teleport-distroless:18.6.1
       imagePullPolicy: IfNotPresent
       livenessProbe:
@@ -1626,7 +1626,7 @@ should mount tls.existingCASecretName and set extra environment when set in valu
       - name: TELEPORT_KUBE_CLUSTER_DOMAIN
         value: cluster.local
       - name: SSL_CERT_FILE
-        value: /etc/teleport-tls-ca/ca.pem
+        value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - name: HTTPS_PROXY
         value: http://username:password@my.proxy.host:3128
       image: public.ecr.aws/gravitational/teleport-distroless:18.6.1

diff --git a/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml b/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml
@@ -649,7 +649,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - matchSnapshot:
           path: spec.template.spec
 
@@ -675,7 +675,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
       - contains:
           path: spec.template.spec.containers[0].env
           content:

diff --git a/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml b/examples/chart/teleport-kube-agent/tests/updater_deployment_test.yaml
@@ -242,7 +242,7 @@ tests:
           path: spec.template.spec.containers[0].env
           content:
             name: SSL_CERT_FILE
-            value: /etc/teleport-tls-ca/ca.pem
+            value: /etc/teleport-tls-ca/helm-lint-existing-tls-secret-key-name
   - it: sets the updater container extraEnv
     values:
       - ../.lint/updater.yaml

diff --git a/examples/chart/teleport-kube-agent/values.schema.json b/examples/chart/teleport-kube-agent/values.schema.json
@@ -272,13 +272,19 @@
             "$id": "#/properties/tls",
             "type": "object",
             "required": [
-                "existingCASecretName"
+                "existingCASecretName",
+                "existingCASecretKeyName"
             ],
             "properties": {
                 "existingCASecretName": {
                     "$id": "#/properties/tls/properties/existingCASecretName",
                     "type": "string",
                     "default": ""
+                },
+                "existingCASecretKeyName": {
+                    "$id": "#/properties/tls/properties/existingCASecretKeyName",
+                    "type": "string",
+                    "default": "ca.pem"
                 }
             }
         },