Helm chart to allow mysql TLS w/o client certs (#10794)

This will allow MySQL TLS to be enabled for fleet in the helm chart with a self-signed CA but without requiring client certs to be utilized. It should be backwards compatible with previous values.yaml files that had these TLS values specified, but might require someone to uncomment them if they did not explicitly define them in their own values. Note: this resolves #8207
2026-05-24 09:28:54 +00:00 · 2023-03-30 12:45:22 -05:00 · 2023-03-30 12:45:22 -05:00 · 8561b74177
commit 8561b74177
parent f42ea50cff
4 changed files with 18 additions and 4 deletions
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@ -4,7 +4,7 @@ name: fleet
 keywords:
  - fleet
  - osquery
-version: v5.0.0
+version: v5.0.1
 home: https://github.com/fleetdm/fleet
 sources:
  - https://github.com/fleetdm/fleet.git
--- a/charts/fleet/templates/deployment.yaml
+++ b/charts/fleet/templates/deployment.yaml
@ -116,12 +116,18 @@ spec:
          - name: FLEET_MYSQL_CONN_MAX_LIFETIME
            value: "{{ .Values.mysql.connMaxLifetime }}"
          {{- if .Values.mysql.tls.enabled }}
+          {{- if .Values.mysql.tls.caCertKey }}
          - name: FLEET_MYSQL_TLS_CA
            value: "/secrets/mysql/{{ .Values.mysql.tls.caCertKey }}"
+          {{- end }}
+          {{- if .Values.mysql.tls.certKey }}
          - name: FLEET_MYSQL_TLS_CERT
            value: "/secrets/mysql/{{ .Values.mysql.tls.certKey }}"
+          {{- end }}
+          {{- if .Values.mysql.tls.keyKey }}
          - name: FLEET_MYSQL_TLS_KEY
            value: "/secrets/mysql/{{ .Values.mysql.tls.keyKey }}"
+          {{- end }}
          - name: FLEET_MYSQL_TLS_CONFIG
            value: "{{ .Values.mysql.tls.config }}"
          - name: FLEET_MYSQL_TLS_SERVER_NAME
--- a/charts/fleet/templates/job-migration.yaml
+++ b/charts/fleet/templates/job-migration.yaml
@ -90,12 +90,18 @@ spec:
          - name: FLEET_MYSQL_CONN_MAX_LIFETIME
            value: "{{ .Values.mysql.connMaxLifetime }}"
          {{- if .Values.mysql.tls.enabled }}
+          {{- if .Values.mysql.tls.caCertKey }}
          - name: FLEET_MYSQL_TLS_CA
            value: "/secrets/mysql/{{ .Values.mysql.tls.caCertKey }}"
+          {{- end }}
+          {{- if .Values.mysql.tls.certKey }}
          - name: FLEET_MYSQL_TLS_CERT
            value: "/secrets/mysql/{{ .Values.mysql.tls.certKey }}"
+          {{- end }}
+          {{- if .Values.mysql.tls.keyKey }}
          - name: FLEET_MYSQL_TLS_KEY
            value: "/secrets/mysql/{{ .Values.mysql.tls.keyKey }}"
+          {{- end }}
          - name: FLEET_MYSQL_TLS_CONFIG
            value: "{{ .Values.mysql.tls.config }}"
          - name: FLEET_MYSQL_TLS_SERVER_NAME
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@ -160,9 +160,11 @@ mysql:
  connMaxLifetime: 0
  tls:
    enabled: false
-    caCertKey: ca.cert
-    certKey: client.cert
-    keyKey: client.key
+    ## Commented options below are optional.  Uncomment to use.
+    # caCertKey: ca.cert
+    ## Client certificates require both the certKey and keyKey
+    # certKey: client.cert
+    # keyKey: client.key
    config: ""
    serverName: ""