Trusting a custom root CA when using the teleport-kube-agent chart

[webvictim]

In #11295 we added support for tls.existingSecretName to the teleport-cluster chart, which allows you to more easily set up a Teleport cluster in Kubernetes using an existing TLS certificate/key pair - one signed by a private root CA, for example. This functionality also allows you to provide the public part of the root CA to Teleport so it can build a full root -> intermediate -> cert trust chain itself.

This PR has been backported (#11922) and should be released along with Teleport 9.0.5 when the chart is next published.

If you do this, however, you will also need to configure any agents using the teleport-kube-agent chart to trust the same root CA. Otherwise, you may get an error like this:

2022-04-20T20:06:51Z ERRO [PROC:1] App failed to establish connection to cluster: Post "https://teleport.example.com:443/v1/webapi/host/credentials": x509: certificate signed by unknown authority, invalid character '<' looking for beginning of value. service/connect.go:82

How to add the root CA

Here's how you can configure the teleport-kube-agent chart to also validate against a root CA and join a cluster:

1. Add the root CA as a Kubernetes secret in the namespace you want to use for running your teleport-kube-agent:

# create the namespace
kubectl create namespace teleport-kube-agent

# add the CA as a secret
# note that the file MUST be named ca.pem
kubectl -n teleport-kube-agent create secret generic root-ca-secret --from-file=ca.pem=/path/to/ca.pem

2. Add the extraVolumes, extraVolumeMounts and extraEnv values to your existing chart values (see https://goteleport.com/docs/kubernetes-access/getting-started/agent for details):

extraVolumes:
- name: "root-ca-volume"
  secret:
    secretName: "root-ca-secret"
extraVolumeMounts:
- name: "root-ca-volume"
  mountPath: "/etc/teleport-ca"
extraEnv:
- name: SSL_CERT_FILE
  value: /etc/teleport-ca/ca.pem

After this, install the chart as normal with something like helm install -n teleport-kube-agent teleport-kube-agent teleport/teleport-kube-agent -f values.yaml and your CA should then be trusted.

Note on multiple CAs

You can add multiple CAs to the ca.pem to build a chain if needed. The easiest way to do this is to use the cat command to join multiple certificates into one:

# build a file containing both intermediate and root CAs
cat root.pem intermediate.pem > ca.pem

After this you can create the secret as described above.