Replies: 1 comment
This is doable but it depends a bit on your deployment method. If you're deploying via Helm, you can inject the CA certificate and private key through Kubernetes Secrets before the Teleport auth server starts up. The auth server checks for existing state data on first boot. The general approach:
kubectl create secret generic teleport-auth-state \
  --from-file=ca.key=/path/to/ca.key \
  --from-file=ca.cert=/path/to/ca.cert
That said, I'm not 100% sure the Secret format is exactly right — the internal state format has changed across versions. You might want to let Teleport generate the CA once, then extract the state Secret and store that in your gitops repo. On recovery, you'd apply the saved state Secret before deploying Teleport. Worth checking the Teleport Helm chart docs for
-
Good day.
I'm trying to find out if I can bootstrap a TP cluster with my own CA/CA key.
The use case I'm trying to solve is:
We have a gitops-managed k8s cluster (e.g. it's installed by Terraform/Ansible/Helm), Teleport is living in it, and all secrets normally come from the deployment code. When we recover the cluster we overwrite all objects in the cluster (including those provided by gitops). The assumption is that everything done by gitops is reproducible, so overwriting it is not a big deal.
But we install Teleport at that moment, and it generates its own CA key. Then, if we recover, we overwrite it with a different CA key. I see some big mess coming from this.
We already do this (pre-provision CA) for Kubernetes itself and this approach works well. Can we do the same with Teleport? I read the docs but everything related to CA bootstrapping is kinda vague.
If not, what is the best idiomatic way to combine gitops-stage of recovery (idempotent convergence) with backup recovery of the later changes (e.g. TP database)?