hashicorp · amy-hashi · Jun 24, 2025 · May 26, 2025 · May 26, 2025 · May 27, 2025
@@ -1,2 +1,3 @@
 docs/example/terraform-enterprise-prereqs/charts
 .DS_Store
+overrides.yaml
@@ -6,5 +6,5 @@ name: terraform-enterprise
 kubeVersion: ">=1.21.0-0"
 description: Official HashiCorp Terraform-Enterprise Chart
 type: application
-version: 1.6.3
+version: 1.6.4
 appVersion: "v202506-1"
@@ -40,3 +40,8 @@
 # TFE_VAULT_ROLE_ID: ""
 # TFE_IACT_SUBNETS: ""
 # TFE_IACT_TIME_LIMIT: ""
+# TFE_HOSTNAME_SECONDARY: ""
+# TFE_OIDC_HOSTNAME_CHOICE: ""
+# TFE_VCS_HOSTNAME_CHOICE: ""
+# TFE_SAML_HOSTNAME_CHOICE: ""
+# TFE_RUN_TASK_HOSTNAME_CHOICE: ""
@@ -20,6 +20,10 @@ data:
   TFE_VAULT_DISABLE_MLOCK: "true"
   TFE_HTTP_PORT: "{{ .Values.tfe.privateHttpPort }}"
   TFE_HTTPS_PORT: "{{ .Values.tfe.privateHttpsPort }}"
+  {{- if or (and .Values.tlsSecondary.certData .Values.tlsSecondary.keyData) .Values.tlsSecondary.certificateSecret }}
+  TFE_TLS_CERT_FILE_SECONDARY: "{{ .Values.tlsSecondary.certMountPath }}"
+  TFE_TLS_KEY_FILE_SECONDARY:  "{{ .Values.tlsSecondary.keyMountPath }}"
+  {{- end }}
   TFE_TLS_CERT_FILE: "{{ .Values.tls.certMountPath }}"
   TFE_TLS_KEY_FILE:  "{{ .Values.tls.keyMountPath }}"
   {{- if .Values.tls.caCertData }}

@@ -54,6 +54,11 @@ spec:
         - name: certificates
           secret:
             secretName: {{ .Values.tls.certificateSecret }}
+        {{- if or (and .Values.tlsSecondary.certData .Values.tlsSecondary.keyData) .Values.tlsSecondary.certificateSecret }}
+        - name: certificates-secondary
+          secret:
+            secretName: {{ .Values.tlsSecondary.certificateSecret | default "terraform-enterprise-certificates-secondary" }}  
+        {{- end }}
         {{- if .Values.tls.caCertData }}
         - name: ca-certificates
           secret:
@@ -128,6 +133,14 @@ spec:
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
         volumeMounts:
+          {{- if or (and .Values.tlsSecondary.certData .Values.tlsSecondary.keyData) .Values.tlsSecondary.certificateSecret }}
+          - name: certificates-secondary
+            mountPath: {{ .Values.tlsSecondary.certMountPath }}
+            subPath: tls.crt
+          - name: certificates-secondary
+            mountPath: {{ .Values.tlsSecondary.keyMountPath }}
+            subPath: tls.key        
+          {{- end }}  
           - name: certificates
             mountPath: {{ .Values.tls.certMountPath }}
             subPath: tls.crt

@@ -15,6 +15,20 @@ data:
   tls.key: {{ .Values.tls.keyData }}
 {{- end }}
 
+{{- if and .Values.tlsSecondary.certData .Values.tlsSecondary.keyData }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.tlsSecondary.certificateSecret | default "terraform-enterprise-certificates-secondary" }}
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .Values.tlsSecondary.certData }}
+  tls.key: {{ .Values.tlsSecondary.keyData }}
+{{- end }}
+
+
 {{- if .Values.tls.caCertData }}
 ---
 apiVersion: v1

@@ -31,3 +31,34 @@ spec:
       appProtocol: {{ .Values.service.appProtocol }}
   selector:
     app: terraform-enterprise
+---
+{{- if .Values.env.variables.TFE_HOSTNAME_SECONDARY }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: terraform-enterprise-secondary
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.serviceSecondary.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.serviceSecondary.labels }}
+  labels:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.serviceSecondary.type }}
+  {{- if and (eq .Values.serviceSecondary.type "LoadBalancer") .Values.serviceSecondary.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.serviceSecondary.loadBalancerIP }}
+  {{- end }}
+  ports:
+    - name: https-port
+      port: {{ .Values.serviceSecondary.port }}
+      {{- if eq .Values.serviceSecondary.type "NodePort" }}
+      nodePort: {{ .Values.serviceSecondary.nodePort }}
+      {{- end }}
+      targetPort: {{ .Values.tfe.privateHttpsPort }}
+      appProtocol: {{ .Values.serviceSecondary.appProtocol }}
+  selector:
+    app: terraform-enterprise    
+{{- end}}
@@ -65,6 +65,14 @@ tls:
   # keyData:
   # caCertData:
 
+
+tlsSecondary:
+  # certificateSecret: terraform-enterprise-certificates-secondary
+  certMountPath: /etc/ssl/private/terraform-enterprise-secondary/cert.pem
+  keyMountPath: /etc/ssl/private/terraform-enterprise-secondary/key.pem
+  # certData:
+  # keyData:
+
 tfe:
   metrics:
     enable: false
@@ -211,6 +219,35 @@ service:
   loadBalancerIP: null # If service.type is LoadBalancer, you can optionally set a specific external IP.
                        # Useful for static IP requirements or pre-existing IP reservations.
 
+serviceSecondary:
+  annotations: {}
+    # Add annotations here for specific cloud provider configurations.
+    # Examples:
+    # - For Google Cloud, use the NEG (Network Endpoint Group) annotation:
+    #   cloud.google.com/neg: '{"ingress": true}'
+    # - For Azure, configure the health probe request path for HTTPS health checks:
+    #   service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/_health_check"
+  labels: {}
+    # Add labels to the service created for Terraform Enterprise. Helpful if your metrics collection
+    # depends on ServiceMonitors instead of pod annotations.
+
+  type: ClusterIP    # The type of service to create. Options: LoadBalancer, ClusterIP, NodePort.
+                     # - LoadBalancer: Exposes the service externally using a cloud provider's load balancer.
+                     # - ClusterIP: Default type; exposes the service only within the cluster.
+                     # - NodePort: Exposes the service on a static port on each cluster node.
+
+  port: 443          # The port exposed by the service (external port).
+
+  nodePort: 32443    # If service.type is NodePort, this sets the external port on cluster nodes.
+                     # Ignored for LoadBalancer and ClusterIP types.
+
+  appProtocol: tcp   # Application protocol for the service.
+                     # - Default is "tcp" for broad compatibility across cloud providers.
+                     # - Set to "https" if Gateway API or Layer 7 features are required.
+
+  loadBalancerIP: null # If service.type is LoadBalancer, you can optionally set a specific external IP.
+                       # Useful for static IP requirements or pre-existing IP reservations.
+
 
 # Custom pod template to define your own specifications for the creation of the agent worker pods.
 # This should be YAML representing a valid corev1.PodTemplateSpec. This format is documented