
Add secondary hostname capabilities #129

Merged: amy-hashi merged 6 commits into hashicorp:main from munnep:secondary_hostname on Jun 24, 2025

Conversation

@munnep (Contributor) commented May 26, 2025

Based on the requirement with internal reference TF-24247

I made sure of the following changes

The Helm chart was not able to use the secondary hostname feature because it was missing the option to add the secondary certificates as needed.

To accomplish that I added the following option to the values:

tlsSecondary:
  certificateSecret: terraform-enterprise-certificates-secondary
  certMountPath: /etc/ssl/private/terraform-enterprise-secondary/cert.pem
  keyMountPath: /etc/ssl/private/terraform-enterprise-secondary/key.pem
  # certData:
  # keyData:

If tlsSecondary.certData and tlsSecondary.keyData are not specified, then it will not create the secret or any reference in the pod itself.

Also added serviceSecondary to make sure you can specify an alternative service configured for the second hostname. If .Values.env.variables.TFE_HOSTNAME_SECONDARY is not specified, it will not be created.

serviceSecondary:
  annotations: null
  type: LoadBalancer

I tested in the following way.

No secondary hostname references
This should still work with the adjustments done in the PR. The environment gets created without issues.

Secondary hostname references
It should add the secondary hostname resources. The environment gets created without issues.

I added the following values:

env:
  variables:
    TFE_HOSTNAME_SECONDARY: "<data>"
    TFE_OIDC_HOSTNAME_CHOICE: secondary
    TFE_VCS_HOSTNAME_CHOICE: secondary
    TFE_SAML_HOSTNAME_CHOICE: secondary
    TFE_RUN_TASK_HOSTNAME_CHOICE: secondary

serviceSecondary:
  annotations: null
  type: LoadBalancer

tlsSecondary:
  certData: <data>
  keyData: <data>

I used the helm upgrade command.

As a result:

  • The service gets created
  • The secrets with certificates get created
  • The deployment gets created with references to the secondary certificates and volumes

You now have two load balancers and you can connect to the secondary hostname with VCS.

@munnep munnep requested a review from a team as a code owner May 26, 2025 14:46
@nikolasrieble nikolasrieble requested a review from Copilot May 27, 2025 08:04

@munnep (Contributor, Author) commented Jun 16, 2025

A customer who was testing mentioned that the following value didn't work properly:

tlsSecondary.certificateSecret

The customer wanted to use only the above secret instead of using
tlsSecondary.certData
tlsSecondary.keyData

I added the logic for this to the Helm chart.

Tests

  • Checked without the secondary hostname values in case a customer doesn't need it.
    All worked.

  • Checked with secondary hostname and values for
    tlsSecondary.certData
    tlsSecondary.keyData
    This worked

  • Checked with secondary hostname and values for
    tlsSecondary.certificateSecret
    This worked

  • Checked with secondary hostname and values for
    tlsSecondary.certificateSecret
    This worked

I think I tested the scenarios that should be working. Please verify carefully as the changes for this PR are getting bigger and bigger.
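As an added example, not code from this PR or from the chart itself: a small pre-flight check that applies the rendering rules the two comments above describe (no secondary service without TFE_HOSTNAME_SECONDARY; a Secret only when both certData and keyData are given; a pre-existing certificateSecret referenced instead) to a values structure before running helm upgrade. The value keys and defaults are taken from the description; that a certificateSecret-only configuration is referenced but not created, and the consistency check on the *_HOSTNAME_CHOICE variables, are assumptions.

```python
# Added pre-flight validator for the secondary-hostname values described in this PR.
# Not the chart's own code: keys mirror the PR description, rendering rules are an
# assumption drawn from the two comments above.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Defaults taken from the tlsSecondary block shown in the PR description.
DEFAULT_SECRET_NAME = "terraform-enterprise-certificates-secondary"
DEFAULT_CERT_MOUNT = "/etc/ssl/private/terraform-enterprise-secondary/cert.pem"
DEFAULT_KEY_MOUNT = "/etc/ssl/private/terraform-enterprise-secondary/key.pem"

# The *_HOSTNAME_CHOICE variables the PR sets to "secondary" in its test values.
HOSTNAME_CHOICE_VARS = (
    "TFE_OIDC_HOSTNAME_CHOICE",
    "TFE_VCS_HOSTNAME_CHOICE",
    "TFE_SAML_HOSTNAME_CHOICE",
    "TFE_RUN_TASK_HOSTNAME_CHOICE",
)


@dataclass
class SecondaryPlan:
    """What the chart would render for the secondary hostname, plus any problems found."""
    service: bool = False                # serviceSecondary rendered?
    create_secret: bool = False          # Secret rendered from certData/keyData?
    secret_name: Optional[str] = None    # Secret the pod references (created or pre-existing)
    mounts: Dict[str, str] = field(default_factory=dict)
    errors: List[str] = field(default_factory=list)


def _lookup(values: dict, *path: str):
    """Walk nested dicts; a missing or null key yields None (Helm's `if` treats both as false)."""
    node = values
    for key in path:
        if not isinstance(node, dict) or node.get(key) is None:
            return None
        node = node[key]
    return node


def _looks_like_pem(blob, marker: str) -> bool:
    """Sanity check: the inline value should be a PEM block, not a file path or stray base64."""
    return isinstance(blob, str) and blob.lstrip().startswith("-----BEGIN") and marker in blob


def plan_secondary(values: dict) -> SecondaryPlan:
    plan = SecondaryPlan()
    env = _lookup(values, "env", "variables") or {}
    hostname = env.get("TFE_HOSTNAME_SECONDARY")
    tls = _lookup(values, "tlsSecondary") or {}
    cert_data, key_data = tls.get("certData"), tls.get("keyData")
    secret_name = tls.get("certificateSecret")

    # Integrations pointed at the secondary hostname while none is configured (assumed check).
    dangling = [v for v in HOSTNAME_CHOICE_VARS if env.get(v) == "secondary"]
    if dangling and not hostname:
        plan.errors.append(
            f"{', '.join(dangling)} set to 'secondary' but TFE_HOSTNAME_SECONDARY is unset")

    if not hostname:
        return plan  # Rule from the PR: no TFE_HOSTNAME_SECONDARY, no secondary service.
    plan.service = True

    if cert_data or key_data:
        # Inline material: both halves are required before a Secret is rendered.
        if not (cert_data and key_data):
            plan.errors.append("tlsSecondary.certData and tlsSecondary.keyData must both be set")
            return plan
        if not _looks_like_pem(cert_data, "CERTIFICATE"):
            plan.errors.append("tlsSecondary.certData is not a PEM certificate")
        if not _looks_like_pem(key_data, "PRIVATE KEY"):
            plan.errors.append("tlsSecondary.keyData is not a PEM private key")
        plan.create_secret = True
        plan.secret_name = secret_name or DEFAULT_SECRET_NAME
    elif secret_name:
        # Pre-existing Secret (the case the customer reported): referenced, not created.
        plan.secret_name = secret_name
    else:
        plan.errors.append("TFE_HOSTNAME_SECONDARY is set but neither tlsSecondary.certificateSecret "
                           "nor tlsSecondary.certData/keyData is provided")
        return plan

    plan.mounts = {"cert": tls.get("certMountPath") or DEFAULT_CERT_MOUNT,
                   "key": tls.get("keyMountPath") or DEFAULT_KEY_MOUNT}
    return plan


# Constructed sample values; the PEM blobs are placeholders, not real key material.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
VALUES_INLINE = {
    "env": {"variables": {"TFE_HOSTNAME_SECONDARY": "tfe-secondary.example.internal",
                          "TFE_VCS_HOSTNAME_CHOICE": "secondary"}},
    "serviceSecondary": {"annotations": None, "type": "LoadBalancer"},
    "tlsSecondary": {"certData": FAKE_CERT, "keyData": FAKE_KEY},
}
VALUES_EXISTING_SECRET = {
    "env": {"variables": {"TFE_HOSTNAME_SECONDARY": "tfe-secondary.example.internal"}},
    "tlsSecondary": {"certificateSecret": "my-secondary-tls"},
}
VALUES_NO_SECONDARY = {"env": {"variables": {}}}
VALUES_DANGLING = {"env": {"variables": {"TFE_VCS_HOSTNAME_CHOICE": "secondary"}}}

if __name__ == "__main__":
    for name, v in [("inline", VALUES_INLINE), ("existing-secret", VALUES_EXISTING_SECRET),
                    ("no-secondary", VALUES_NO_SECONDARY), ("dangling", VALUES_DANGLING)]:
        print(name, plan_secondary(v))
```

Feed it the same values file you pass to helm upgrade (after loading the YAML into a dict) and refuse to upgrade when errors is non-empty; the plan fields tell you which secondary resources the chart is expected to render so the result can be compared against kubectl after the upgrade.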

@amy-hashi amy-hashi requested a review from Copilot June 24, 2025 14:54

Copilot AI left a comment

Pull Request Overview

This PR adds secondary hostname capabilities for Terraform Enterprise by extending the Helm chart to include secondary TLS and service configurations.

  • Introduces a new tlsSecondary block in values.yaml to support secondary certificate management.
  • Adds a new serviceSecondary configuration along with corresponding template changes in service.yaml, secret.yaml, deployment.yaml, and config-map.yaml.
  • Updates env-config.yaml and Chart.yaml to reflect secondary hostname settings and version bumps.

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated no comments.

Summary per file:

  values.yaml               Adds new tlsSecondary and serviceSecondary configurations.
  templates/service.yaml    Introduces conditional creation of a secondary service.
  templates/secret.yaml     Adds secret creation for secondary certificates based on provided data.
  templates/deployment.yaml Mounts secondary certificate volumes if secondary TLS is enabled.
  templates/config-map.yaml Adds secondary TLS file paths as environment variables.
  env-config.yaml           Provides commented-out secondary hostname environment variables.
  Chart.yaml                Bumps chart and app version to reflect the new secondary feature.

Comments suppressed due to low confidence (2)

values.yaml:70

  • Clarify in the comments that the certificateSecret field is optional because a default value is used when not specified, to help users understand its role.
  # certificateSecret: terraform-enterprise-certificates-secondary

values.yaml:224

  • [nitpick] Review the indentation of comments under serviceSecondary to ensure consistency and improve readability of the YAML file.
    # Add annotations here for specific cloud provider configurations.

@amy-hashi amy-hashi merged commit 9863788 into hashicorp:main Jun 24, 2025
1 check passed