diff --git a/examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml b/examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml
new file mode 100644
index 0000000000000..086c628b0e8f0
--- /dev/null
+++ b/examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml
@@ -0,0 +1,4 @@
+clusterName: test-cluster-name
+tls:
+ existingSecretName: helm-lint-existing-tls-secret
+ existingCASecretName: helm-lint-existing-tls-secret-ca
diff --git a/examples/chart/teleport-cluster/.lint/existing-tls-secret.yaml b/examples/chart/teleport-cluster/.lint/existing-tls-secret.yaml
new file mode 100644
index 0000000000000..37f07ea90507e
--- /dev/null
+++ b/examples/chart/teleport-cluster/.lint/existing-tls-secret.yaml
@@ -0,0 +1,3 @@
+clusterName: test-cluster-name
+tls:
+ existingSecretName: helm-lint-existing-tls-secret
diff --git a/examples/chart/teleport-cluster/.lint/extra-env.yaml b/examples/chart/teleport-cluster/.lint/extra-env.yaml
new file mode 100644
index 0000000000000..ea0d122b938c6
--- /dev/null
+++ b/examples/chart/teleport-cluster/.lint/extra-env.yaml
@@ -0,0 +1,4 @@
+clusterName: helm-lint.example.com
+extraEnv:
+ - name: SOME_ENVIRONMENT_VARIABLE
+ value: "some-value"
diff --git a/examples/chart/teleport-cluster/templates/config.yaml b/examples/chart/teleport-cluster/templates/config.yaml
index 1ea5cd11727e8..696d1f06a2367 100644
--- a/examples/chart/teleport-cluster/templates/config.yaml
+++ b/examples/chart/teleport-cluster/templates/config.yaml
@@ -109,7 +109,7 @@ data:
{{- end }}
{{- end }}
enabled: true
- {{- if .Values.highAvailability.certManager.enabled }}
+ {{- if or .Values.highAvailability.certManager.enabled .Values.tls.existingSecretName }}
https_keypairs:
- key_file: /etc/teleport-tls/tls.key
cert_file: /etc/teleport-tls/tls.crt
diff --git a/examples/chart/teleport-cluster/templates/deployment.yaml b/examples/chart/teleport-cluster/templates/deployment.yaml
index 828ddb656da0e..8ab4edf61cd6f 100644
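Review bot: The `https_keypairs` entry that this branch now also emits for `tls.existingSecretName` hard-codes `/etc/teleport-tls/tls.key` and `/etc/teleport-tls/tls.crt`, so the user's Secret must carry exactly the `tls.key`/`tls.crt` data keys of a `kubernetes.io/tls` Secret; a Secret built with other key names (for example `--from-file=cert.pem`) renders cleanly and only fails when the pod starts and cannot open the files. Nothing in the template checks this, so at least state the constraint where the paths are fixed: `{{- /* tls.existingSecretName must be a kubernetes.io/tls Secret: its tls.crt and tls.key data keys are projected to these paths */ }}`. The enclosing `data:` block starts and ends outside the hunk.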
--- a/examples/chart/teleport-cluster/templates/deployment.yaml
+++ b/examples/chart/teleport-cluster/templates/deployment.yaml
@@ -1,9 +1,15 @@
{{- if and (.Values.acme) (gt (int .Values.highAvailability.replicaCount) 1) }}
-{{- fail "Cannot enable built-in ACME support with more than one replica, use highAvailability.certManager.enabled instead" }}
+{{- fail "Cannot enable built-in ACME support with more than one replica, use highAvailability.certManager.enabled or tls.existingSecretName instead" }}
{{- end }}
{{- if and (eq .Values.chartMode "standalone") (gt (int .Values.highAvailability.replicaCount) 1) }}
{{- fail "Cannot enable multiple replicas in standalone mode, use a different chartMode which supports high availability - see README and docs" }}
{{- end }}
+{{- if and .Values.highAvailability.certManager.enabled .Values.tls.existingSecretName }}
+{{- fail "Cannot set both highAvailability.certManager.enabled and tls.existingSecretName, choose one or the other" }}
+{{- end }}
+{{- if and .Values.acme .Values.tls.existingSecretName }}
+{{- fail "Cannot set both acme.enabled and tls.existingSecretName, choose one or the other" }}
+{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -96,6 +102,10 @@ spec:
- mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
+ {{- else if .Values.tls.existingSecretName }}
+ - mountPath: /etc/teleport-tls
+ name: "teleport-tls"
+ readOnly: true
{{- end }}
- mountPath: /etc/teleport
name: "config"
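Review bot: The new guards do not reject `tls.existingCASecretName` being set without `tls.existingSecretName`, and later in this same file the `/etc/teleport-tls-ca` mount is nested inside the `else if .Values.tls.existingSecretName` branch while the `SSL_CERT_FILE` env var is emitted on `existingCASecretName` alone, so that combination renders a pod whose `SSL_CERT_FILE` points at a path nothing mounts. Add a third guard next to the other two: `{{- if and .Values.tls.existingCASecretName (not .Values.tls.existingSecretName) }}` / `{{- fail "tls.existingCASecretName requires tls.existingSecretName to be set" }}` / `{{- end }}`. Separately, the last new message names `acme.enabled`, but the value tested is `.Values.acme`, which values.yaml defines as a top-level boolean (`acme: false`); the message should read `Cannot set both acme and tls.existingSecretName, choose one or the other` so users look for the right key.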
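Review bot: The added `else if` branch repeats the three mount lines of the preceding certManager branch verbatim, so the two can only drift apart; since both produce identical output, folding them into one condition, `{{- if or .Values.highAvailability.certManager.enabled .Values.tls.existingSecretName }}`, matches what config.yaml now does and keeps the templates in step. The opening `if` of this block is above the hunk, so the exact condition being extended cannot be confirmed here. Note also that this container, unlike the later one, does not get the CA Secret mounted; if that is deliberate, a one-line comment saying so would stop the next reader from "fixing" it.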
@@ -110,10 +120,16 @@ spec:
- name: "teleport"
image: "{{ if .Values.enterprise }}{{ .Values.enterpriseImage }}{{ else }}{{ .Values.image }}{{ end }}:{{ if .Values.teleportVersionOverride }}{{ .Values.teleportVersionOverride }}{{ else }}{{ .Chart.Version }}{{ end }}"
imagePullPolicy: {{ .Values.imagePullPolicy }}
- {{- if .Values.extraEnv }}
+ {{- if or .Values.extraEnv .Values.tls.existingCASecretName }}
env:
+ {{- if (gt (len .Values.extraEnv) 0) }}
{{- toYaml .Values.extraEnv | nindent 8 }}
{{- end }}
+ {{- if .Values.tls.existingCASecretName }}
+ - name: SSL_CERT_FILE
+ value: /etc/teleport-tls-ca/ca.pem
+ {{- end }}
+ {{- end }}
args:
- "--diag-addr=0.0.0.0:3000"
{{- if .Values.insecureSkipProxyTLSVerify }}
@@ -167,6 +183,15 @@ spec:
- mountPath: /etc/teleport-tls
name: "teleport-tls"
readOnly: true
+{{- else if .Values.tls.existingSecretName }}
+ - mountPath: /etc/teleport-tls
+ name: "teleport-tls"
+ readOnly: true
+ {{- if .Values.tls.existingCASecretName }}
+ - mountPath: /etc/teleport-tls-ca
+ name: "teleport-tls-ca"
+ readOnly: true
+ {{- end }}
{{- end }}
- mountPath: /etc/teleport
name: "config"
@@ -191,6 +216,15 @@ spec:
- name: teleport-tls
secret:
secretName: teleport-tls
+{{- else if .Values.tls.existingSecretName }}
+ - name: teleport-tls
+ secret:
+ secretName: {{ .Values.tls.existingSecretName }}
+ {{- if .Values.tls.existingCASecretName }}
+ - name: teleport-tls-ca
+ secret:
+ secretName: {{ .Values.tls.existingCASecretName }}
+ {{- end }}
{{- end }}
- name: "config"
configMap:
diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
index eb932c3800117..5176a882edb10 100644
--- a/examples/chart/teleport-cluster/values.schema.json
+++ b/examples/chart/teleport-cluster/values.schema.json
@@ -9,6 +9,7 @@
"labels",
"chartMode",
"highAvailability",
+ "tls",
"image",
"enterpriseImage",
"log",
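Review bot: `SSL_CERT_FILE` is set whenever `tls.existingCASecretName` is non-empty, but the `/etc/teleport-tls-ca` volume mount added further down is nested under `else if .Values.tls.existingSecretName`, so with only the CA value set the variable names a file that is never mounted; gate the env var the same way, `{{- if and .Values.tls.existingSecretName .Values.tls.existingCASecretName }}`, or fail early at the top of the template. The new inner test `{{- if (gt (len .Values.extraEnv) 0) }}` is also more fragile than the `{{- if .Values.extraEnv }}` it replaces: the plain truthiness test is already false for an empty list, and as far as I recall `len` on a missing or null value errors in Go templates, so a values file with `extraEnv: null` plus a CA Secret would break rendering where it previously worked. Whatever the gating, the env var deserves a comment, since if teleport honours `SSL_CERT_FILE` the way Go's crypto/x509 does it changes the CA file trusted by every outbound TLS connection the process makes, not only the web listener: `# SSL_CERT_FILE is process-wide: the mounted bundle must contain every root teleport needs to trust, not just the web cert's issuer.`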
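Review bot: The two `secretName: {{ .Values.tls.existingSecretName }}` / `{{ .Values.tls.existingCASecretName }}` substitutions are rendered unquoted, and a Kubernetes Secret name is any DNS subdomain, so names such as `no`, `on` or `1e10` are legal Secret names that a YAML 1.1 parser types as a boolean or number; that only surfaces as a type error from the API server at install time, after `helm lint` has passed. Quote both: `secretName: {{ .Values.tls.existingSecretName | quote }}` and `secretName: {{ .Values.tls.existingCASecretName | quote }}`. The same applies to any other place the chart interpolates these two values into a manifest.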
@@ -306,6 +307,26 @@
}
}
},
+ "tls": {
+ "$id": "#/properties/tls",
+ "type": "object",
+ "required": [
+ "existingSecretName",
+ "existingCASecretName"
+ ],
+ "properties": {
+ "existingSecretName": {
+ "$id": "#/properties/tls/properties/existingSecretName",
+ "type": "string",
+ "default": ""
+ },
+ "existingCASecretName": {
+ "$id": "#/properties/tls/properties/existingCASecretName",
+ "type": "string",
+ "default": ""
+ }
+ }
+ },
"image": {
"$id": "#/properties/image",
"type": "string",
diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
index 85b71aa8c9e89..2686cd0be2932 100644
--- a/examples/chart/teleport-cluster/values.yaml
+++ b/examples/chart/teleport-cluster/values.yaml
@@ -39,8 +39,10 @@ separateMongoListener: false
# ACME is a protocol for getting Web X.509 certificates
# Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
+# For HA configurations, see either the "highAvailability.certManager" or "tls" values.
# Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
# Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
+# This section is mutually exclusive with the "tls" value below.
acme: false
# acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement)
acmeEmail: ""
@@ -149,6 +151,7 @@ highAvailability:
enabled: false
minAvailable: 1
# Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
+ # These settings are mutually exclusive with the "tls" value below.
certManager:
# If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
addCommonName: false
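Review bot: The schema accepts any string for both Secret names, although the values are interpolated straight into `secretName:` fields of the rendered Deployment; adding a `pattern` that admits only the empty string or a DNS-1123 subdomain, `"pattern": "^$|^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$"`, rejects malformed or YAML-ambiguous names at `helm lint` time instead of at apply time. `existingCASecretName` is also listed under `required` while the values.yaml comment for it says `(optional)`; the `""` default reconciles the two in practice, but the comment should say that the key must exist and may be left empty, or the entry should be dropped from `required`. The schema cannot express that the CA name is meaningless without the keypair name, so that check has to live in the template.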
@@ -164,6 +167,19 @@ highAvailability:
# This defaults to 'cert-manager.io' which is the default Issuer group.
issuerGroup: cert-manager.io
+# Settings for mounting your own TLS keypair to secure Teleport's web UI.
+# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above.
+tls:
+ # Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml.
+ # Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file`
+ # See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
+ existingSecretName: ""
+ # (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
+ # Useful for building trust when using intermediate certificate authorities.
+ # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
+ # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
+ # The filename inside the secret is important - it _must_ be ca.pem
+ existingCASecretName: ""
##################################################
# Values that you shouldn't need to change.
diff --git a/examples/chart/teleport-kube-agent/templates/deployment.yaml b/examples/chart/teleport-kube-agent/templates/deployment.yaml
index 581fdf8ed0ad9..d268ed4ec2b30 100644
--- a/examples/chart/teleport-kube-agent/templates/deployment.yaml
+++ b/examples/chart/teleport-kube-agent/templates/deployment.yaml
@@ -119,7 +119,7 @@ spec:
{{- end }}
{{- if .Values.extraEnv }}
env:
- {{- toYaml .Values.extraEnv | nindent 10 }}
+ {{- toYaml .Values.extraEnv | nindent 8 }}
{{- end }}
args:
- "--diag-addr=0.0.0.0:3000"
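Review bot: The `kubectl create secret generic` example in the `existingCASecretName` comment omits the mandatory Secret name and its closing backtick, so it fails verbatim; it should read `# Create the secret in the same namespace as Teleport with: kubectl create secret generic my-ca-secret --from-file=ca.pem=/path/to/root-ca.pem`. Two facts the templates establish are missing from this block and are what an operator needs: the CA Secret is only mounted when `existingSecretName` is also set, so `existingCASecretName` on its own has no effect, and `SSL_CERT_FILE` applies to the whole teleport process, so the bundle must include every root teleport needs for outbound TLS as well as the web cert's issuer. Finally, "mutually exclusive with the `acme` value" is right, but it is worth adding that the keypair Secret must be a `kubernetes.io/tls` Secret with `tls.crt`/`tls.key` keys, since the `https_keypairs` paths in config.yaml are fixed to those names.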
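Review bot: This indentation fix has no lint coverage: the commit adds a `.lint/extra-env.yaml` fixture for teleport-cluster only, so a regression back to `nindent 10` in the kube-agent chart would still pass `helm lint`. Add the same fixture under `examples/chart/teleport-kube-agent/.lint/` (one `extraEnv` entry with a `name`/`value` pair) so the rendered container spec is actually exercised. Whether 8 is the correct depth depends on the `containers:` indentation above the hunk, which is not visible here.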