From 1c3f54c91ed52908c302dc1e98fc66a6b5ba30e3 Mon Sep 17 00:00:00 2001
From: Andrew Karpow
Date: Tue, 9 Dec 2025 11:58:47 -0500
Subject: [PATCH] [certificates] install to ch directory
---
charts/kvm-node-agent/templates/daemonset.yaml | 16 +++++++++++-----
config/manager/manager.yaml | 12 ++++++++----
internal/certificates/manage_libvirt.go | 12 ++++++------
3 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/charts/kvm-node-agent/templates/daemonset.yaml b/charts/kvm-node-agent/templates/daemonset.yaml
index ab76551..105ac4b 100644
--- a/charts/kvm-node-agent/templates/daemonset.yaml
+++ b/charts/kvm-node-agent/templates/daemonset.yaml
@@ -27,8 +27,6 @@ spec: operator: Exists containers: - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }} - command: - - /manager env: - name: HOSTNAME valueFrom:
@@ -86,13 +84,17 @@ spec: name: pki-libvirt - mountPath: /pki/qemu name: pki-qemu + - mountPath: /pki/ch + name: pki-ch initContainers: - command: - sh - -c - - cd /host/etc/pki && for i in CA libvirt qemu; do if [ -L ${i} ]; then rm ${i}; - fi; done && mkdir -p CA libvirt qemu && chown 42438:42438 CA libvirt qemu && chmod - 0755 CA libvirt qemu + - cd /host && for i in etc/pki/CA etc/pki/libvirt etc/pki/qemu var/lib/libvirt/ch/pki; + do if [ -L ${i} ]; then rm ${i}; fi; done && mkdir -p etc/pki/CA etc/pki/libvirt + etc/pki/qemu var/lib/libvirt/ch/pki && chown 42438:42438 etc/pki/CA etc/pki/libvirt + etc/pki/qemu var/lib/libvirt/ch/pki && chmod 0755 etc/pki/CA etc/pki/libvirt etc/pki/qemu + var/lib/libvirt/ch/pki env: - name: KUBERNETES_CLUSTER_DOMAIN value: {{ quote .Values.kubernetesClusterDomain }}
@@ -138,6 +140,10 @@ spec: path: /etc/pki/qemu type: DirectoryOrCreate name: pki-qemu + - hostPath: + path: /var/lib/libvirt/ch/pki + type: DirectoryOrCreate + name: pki-ch - hostPath: path: / name: host
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 7d77cd1..636414d 100644
--- a/config/manager/manager.yaml
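Review bot: Removing `command: [/manager]` from the manager container is unrelated to the certificate change named in the subject and makes the pod depend on the image's ENTRYPOINT; the same removal appears in config/manager/manager.yaml at hunk @@ -61. If the image declares no entrypoint, the `args` list would itself become the command, so either keep `command:` or state the entrypoint dependency in the commit message and split it from the ch-directory change. The `containers:` block continues outside the hunk, so any further references to the binary are not visible here.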
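Review bot: The init script now creates `var/lib/libvirt/ch/pki` with mode 0755 and, per the Go hunk in this patch, `ch/server-key.pem` is written directly into that directory rather than under a `private/` subdirectory as the libvirt key is, so the directory mode no longer shields the key file. Whether the key stays owner-only depends on the file mode set in UpdateTLSCertificate, which is outside this patch; confirm it is created 0600 (or 0640) before relying on this layout. The `-L` check only covers the leaf path, so an intermediate symlink such as `var/lib/libvirt` would still be followed by `mkdir -p`; if that is acceptable on a trusted host, a one-line comment in the chart saying so would save the next reader the question. The identical script is duplicated in config/manager/manager.yaml at hunk @@ -61, so both copies need the same treatment.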
+++ b/config/manager/manager.yaml
@@ -61,14 +61,12 @@ spec: securityContext: runAsUser: 0 image: busybox:1.28 - command: ['sh', '-c', 'cd /host/etc/pki && for i in CA libvirt qemu; do if [ -L ${i} ]; then rm ${i}; fi; done && mkdir -p CA libvirt qemu && chown 42438:42438 CA libvirt qemu && chmod 0755 CA libvirt qemu'] + command: ['sh', '-c', 'cd /host && for i in etc/pki/CA etc/pki/libvirt etc/pki/qemu var/lib/libvirt/ch/pki; do if [ -L ${i} ]; then rm ${i}; fi; done && mkdir -p etc/pki/CA etc/pki/libvirt etc/pki/qemu var/lib/libvirt/ch/pki && chown 42438:42438 etc/pki/CA etc/pki/libvirt etc/pki/qemu var/lib/libvirt/ch/pki && chmod 0755 etc/pki/CA etc/pki/libvirt etc/pki/qemu var/lib/libvirt/ch/pki'] volumeMounts: - mountPath: /host name: host containers: - - command: - - /manager - args: + - args: - --health-probe-bind-address=:8081 env: - name: HOSTNAME
@@ -129,6 +127,8 @@ spec: name: pki-libvirt - mountPath: /pki/qemu name: pki-qemu + - mountPath: /pki/ch + name: pki-ch serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 volumes:
@@ -156,6 +156,10 @@ spec: hostPath: path: /etc/pki/qemu type: DirectoryOrCreate + - name: pki-ch + hostPath: + path: /var/lib/libvirt/ch/pki + type: DirectoryOrCreate - name: host hostPath: path: /
diff --git a/internal/certificates/manage_libvirt.go b/internal/certificates/manage_libvirt.go
index 7ba99fc..a2b6d76 100644
--- a/internal/certificates/manage_libvirt.go
+++ b/internal/certificates/manage_libvirt.go
@@ -37,7 +37,7 @@ import ( ) func GetSecretAndCertName(host string) (secretName, certName string) { - return "tls-" + certName, "libvirt-" + host + return "tls-libvirt-" + host, "libvirt-" + host } var (
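Review bot: `GetSecretAndCertName` is exported but carries no doc comment, and after this fix the named results `secretName, certName` are never assigned in the body (the old line read `certName` before it had a value, which is what the change corrects), so they now serve only as documentation. Add `// GetSecretAndCertName returns the Secret name ("tls-libvirt-<host>") and the Certificate name ("libvirt-<host>") derived from host.` above the signature so the naming scheme is visible to callers. A small test pinning both strings, e.g. `s, c := GetSecretAndCertName("node1"); if s != "tls-libvirt-node1" || c != "libvirt-node1" { t.Fatal(s, c) }`, would keep the unassigned-result mistake from coming back.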
@@ -125,16 +125,16 @@ func EnsureCertificate(ctx context.Context, c client.Client, host string) error } var secretToFileMap = map[string][]string{ - "ca.crt": {"CA/cacert.pem", "qemu/ca-cert.pem"}, - "tls.crt": {"libvirt/servercert.pem", "qemu/server-cert.pem"}, - "tls.key": {"libvirt/private/serverkey.pem", "qemu/server-key.pem"}, + "ca.crt": {"CA/cacert.pem", "qemu/ca-cert.pem", "ch/ca-cert.pem"}, + "tls.crt": {"libvirt/servercert.pem", "qemu/server-cert.pem", "ch/server-cert.pem"}, + "tls.key": {"libvirt/private/serverkey.pem", "qemu/server-key.pem", "ch/server-key.pem"}, } var symLinkMap = map[string][]string{ "servercert.pem": {"libvirt/clientcert.pem"}, "serverkey.pem": {"libvirt/private/clientkey.pem"}, - "server-cert.pem": {"qemu/client-cert.pem"}, - "server-key.pem": {"qemu/client-key.pem"}, + "server-cert.pem": {"qemu/client-cert.pem", "ch/client-cert.pem"}, + "server-key.pem": {"qemu/client-key.pem", "ch/client-key.pem"}, } func UpdateTLSCertificate(ctx context.Context, data map[string][]byte) error {
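Review bot: `symLinkMap` is keyed by bare file name, and after this hunk two written files share the key `server-cert.pem` (`qemu/server-cert.pem` and `ch/server-cert.pem`) and two share `server-key.pem`; if UpdateTLSCertificate resolves links by the basename of each file it writes, each entry is processed twice and the final target of `ch/client-cert.pem` and `qemu/client-cert.pem` depends on whichever source is handled last, or the second attempt fails if the link already exists. UpdateTLSCertificate begins on the last line of this hunk and its body is outside it, so this is inferred; confirm how the lookup works. Keying the map by the full relative path (`"qemu/server-cert.pem": {"qemu/client-cert.pem"}`, `"ch/server-cert.pem": {"ch/client-cert.pem"}`) would make every link target unambiguous, though the lookup code would need the same change. A doc comment on both maps stating that keys are secret fields (or written file names) and values are paths relative to the pki mount root would also help the next reader.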