[v9] helm: Add support for mounting existing TLS secrets with optional root CA (#11295)

examples/chart/teleport-cluster/.lint/existing-tls-secret-with-ca.yaml

@@ -0,0 +1,4 @@
+clusterName: test-cluster-name
+tls:
+  existingSecretName: helm-lint-existing-tls-secret
+  existingCASecretName: helm-lint-existing-tls-secret-ca

examples/chart/teleport-cluster/.lint/existing-tls-secret.yaml

@@ -0,0 +1,3 @@
+clusterName: test-cluster-name
+tls:
+  existingSecretName: helm-lint-existing-tls-secret

examples/chart/teleport-cluster/.lint/extra-env.yaml

@@ -0,0 +1,4 @@
+clusterName: helm-lint.example.com
+extraEnv:
+  - name: SOME_ENVIRONMENT_VARIABLE
+    value: "some-value"

examples/chart/teleport-cluster/templates/config.yaml

@@ -109,7 +109,7 @@ data:
     {{- end }}
   {{- end }}
       enabled: true
-  {{- if .Values.highAvailability.certManager.enabled }}
+  {{- if or .Values.highAvailability.certManager.enabled .Values.tls.existingSecretName }}
       https_keypairs:
       - key_file: /etc/teleport-tls/tls.key
         cert_file: /etc/teleport-tls/tls.crt

examples/chart/teleport-cluster/templates/deployment.yaml

@@ -1,9 +1,15 @@
 {{- if and (.Values.acme) (gt (int .Values.highAvailability.replicaCount) 1) }}
-{{- fail "Cannot enable built-in ACME support with more than one replica, use highAvailability.certManager.enabled instead" }}
+{{- fail "Cannot enable built-in ACME support with more than one replica, use highAvailability.certManager.enabled or tls.existingSecretName instead" }}
 {{- end }}
 {{- if and (eq .Values.chartMode "standalone") (gt (int .Values.highAvailability.replicaCount) 1) }}
 {{- fail "Cannot enable multiple replicas in standalone mode, use a different chartMode which supports high availability - see README and docs" }}
 {{- end }}
+{{- if and .Values.highAvailability.certManager.enabled .Values.tls.existingSecretName }}
+{{- fail "Cannot set both highAvailability.certManager.enabled and tls.existingSecretName, choose one or the other" }}
+{{- end }}
+{{- if and .Values.acme .Values.tls.existingSecretName }}
+{{- fail "Cannot set both acme.enabled and tls.existingSecretName, choose one or the other" }}
+{{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -96,6 +102,10 @@ spec:
         - mountPath: /etc/teleport-tls
           name: "teleport-tls"
           readOnly: true
+  {{- else if .Values.tls.existingSecretName }}
+        - mountPath: /etc/teleport-tls
+          name: "teleport-tls"
+          readOnly: true
   {{- end }}
         - mountPath: /etc/teleport
           name: "config"
@@ -110,10 +120,16 @@ spec:
       - name: "teleport"
         image: "{{ if .Values.enterprise }}{{ .Values.enterpriseImage }}{{ else }}{{ .Values.image }}{{ end }}:{{ if .Values.teleportVersionOverride }}{{ .Values.teleportVersionOverride }}{{ else }}{{ .Chart.Version }}{{ end }}"
         imagePullPolicy: {{ .Values.imagePullPolicy }}
-        {{- if .Values.extraEnv }}
+        {{- if or .Values.extraEnv .Values.tls.existingCASecretName }}
         env:
+        {{- if (gt (len .Values.extraEnv) 0) }}
           {{- toYaml .Values.extraEnv | nindent 8 }}
         {{- end }}
+        {{- if .Values.tls.existingCASecretName }}
+        - name: SSL_CERT_FILE
+          value: /etc/teleport-tls-ca/ca.pem
+        {{- end }}
+        {{- end }}
         args:
         - "--diag-addr=0.0.0.0:3000"
         {{- if .Values.insecureSkipProxyTLSVerify }}
@@ -167,6 +183,15 @@ spec:
         - mountPath: /etc/teleport-tls
           name: "teleport-tls"
           readOnly: true
+{{- else if .Values.tls.existingSecretName }}
+        - mountPath: /etc/teleport-tls
+          name: "teleport-tls"
+          readOnly: true
+        {{- if .Values.tls.existingCASecretName }}
+        - mountPath: /etc/teleport-tls-ca
+          name: "teleport-tls-ca"
+          readOnly: true
+        {{- end }}
 {{- end }}
         - mountPath: /etc/teleport
           name: "config"
@@ -191,6 +216,15 @@ spec:
       - name: teleport-tls
         secret:
           secretName: teleport-tls
+{{- else if .Values.tls.existingSecretName }}
+      - name: teleport-tls
+        secret:
+          secretName: {{ .Values.tls.existingSecretName }}
+      {{- if .Values.tls.existingCASecretName }}
+      - name: teleport-tls-ca
+        secret:
+          secretName: {{ .Values.tls.existingCASecretName }}
+      {{- end }}
 {{- end }}
       - name: "config"
         configMap:

examples/chart/teleport-cluster/values.schema.json

@@ -9,6 +9,7 @@
         "labels",
         "chartMode",
         "highAvailability",
+        "tls",
         "image",
         "enterpriseImage",
         "log",
@@ -306,6 +307,26 @@
                 }
             }
         },
+        "tls": {
+            "$id": "#/properties/tls",
+            "type": "object",
+            "required": [
+                "existingSecretName",
+                "existingCASecretName"
+            ],
+            "properties": {
+                "existingSecretName": {
+                    "$id": "#/properties/tls/properties/existingSecretName",
+                    "type": "string",
+                    "default": ""
+                },
+                "existingCASecretName": {
+                    "$id": "#/properties/tls/properties/existingCASecretName",
+                    "type": "string",
+                    "default": ""
+                }
+            }
+        },
         "image": {
             "$id": "#/properties/image",
             "type": "string",

examples/chart/teleport-cluster/values.yaml

@@ -39,8 +39,10 @@ separateMongoListener: false
 
 # ACME is a protocol for getting Web X.509 certificates
 # Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
+# For HA configurations, see either the "highAvailability.certManager" or "tls" values.
 # Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
 # Setting acme to 'false' (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
+# This section is mutually exclusive with the "tls" value below.
 acme: false
 # acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement)
 acmeEmail: ""
@@ -149,6 +151,7 @@ highAvailability:
     enabled: false
     minAvailable: 1
   # Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
+  # These settings are mutually exclusive with the "tls" value below.
   certManager:
     # If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
     addCommonName: false
@@ -164,6 +167,19 @@ highAvailability:
     # This defaults to 'cert-manager.io' which is the default Issuer group.
     issuerGroup: cert-manager.io
 
+# Settings for mounting your own TLS keypair to secure Teleport's web UI.
+# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above.
+tls:
+  # Name of an existing secret to use which contains a TLS keypair. Will automatically set the https_keypairs section in teleport.yaml.
+  # Create the secret in the same namespace as Teleport using `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file`
+  # See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
+  existingSecretName: ""
+  # (optional) Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
+  # Useful for building trust when using intermediate certificate authorities.
+  # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
+  # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem
+  # The filename inside the secret is important - it _must_ be ca.pem
+  existingCASecretName: ""
 
 ##################################################
 # Values that you shouldn't need to change.

examples/chart/teleport-kube-agent/templates/deployment.yaml

@@ -119,7 +119,7 @@ spec:
         {{- end }}
         {{- if .Values.extraEnv }}
         env:
-          {{- toYaml .Values.extraEnv | nindent 10 }}
+          {{- toYaml .Values.extraEnv | nindent 8 }}
         {{- end }}
         args:
         - "--diag-addr=0.0.0.0:3000"