docs: Add Helm docs for tls.existingSecretName #11306
Conversation
webvictim
changed the title
| | - | - | - | | ||
| | `string` | `""` | ✅ | | ||
|
|
||
| `tls.existingSecretNameCA` sets the `SSL_CERT_FILE` environment variable to load a trusted CA or bundle in PEM format into Teleport pods. |
There was a problem hiding this comment.
Is it just the Auth Service that reads this environment variable?
Also, will readers be expected to understand the use of SSL_CERT_FILE more than (or before they) understand tls.existingSecretNameCA? If not, I think we can make this paragraph clearer by removing the mention of the env var.
There was a problem hiding this comment.
Is it just the Auth Service that reads this environment variable?
It's the proxy service that's potentially reading it here to establish a full trust chain when serving Teleport's TLS listener.
I mostly put this here for competent readers who might Ctrl+F SSL_CERT_FILE against the reference to see whether we have some way to override this. It's fairly well documented online that SSL_CERT_FILE and SSL_CERT_DIR are some ways to solve this - I figured it wouldn't hurt if people are deep enough into PKI.
Docs counterpart to #11295
webvictim
force-pushed
the
gus/docs/helm/add-existing-tls-secret
branch
from
d665ec0
to
63ba4e2
Compare
|
Waiting for #11295 to merge |
Docs counterpart to #11295
Forward-ports needed:
master