[certificates] install to ch directory

notandy · notandy · commit a7c5ada96742 · 2025-12-10T14:51:17.000-05:00
diff --git a/charts/kvm-node-agent/templates/daemonset.yaml b/charts/kvm-node-agent/templates/daemonset.yaml
@@ -86,6 +86,8 @@ spec:
           name: pki-libvirt
         - mountPath: /pki/qemu
           name: pki-qemu
+        - mountPath: /pki/ch
+          name: pki-ch
       initContainers:
       - command:
         - sh
@@ -138,6 +140,10 @@ spec:
           path: /etc/pki/qemu
           type: DirectoryOrCreate
         name: pki-qemu
+      - hostPath:
+          path: /var/lib/libvirt/pki/ch
+          type: DirectoryOrCreate
+        name: pki-ch
       - hostPath:
           path: /
         name: host
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -129,6 +129,8 @@ spec:
           name: pki-libvirt
         - mountPath: /pki/qemu
           name: pki-qemu
+        - mountPath: /pki/ch
+          name: pki-ch
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
       volumes:
@@ -156,6 +158,10 @@ spec:
         hostPath:
           path: /etc/pki/qemu
           type: DirectoryOrCreate
+      - name: pki-ch
+        hostPath:
+          path: /var/lib/libvirt/pki/ch
+          type: DirectoryOrCreate
       - name: host
         hostPath:
           path: /
diff --git a/internal/certificates/manage_libvirt.go b/internal/certificates/manage_libvirt.go
@@ -125,16 +125,16 @@ func EnsureCertificate(ctx context.Context, c client.Client, host string) error
 }
 
 var secretToFileMap = map[string][]string{
-	"ca.crt":  {"CA/cacert.pem", "qemu/ca-cert.pem"},
-	"tls.crt": {"libvirt/servercert.pem", "qemu/server-cert.pem"},
-	"tls.key": {"libvirt/private/serverkey.pem", "qemu/server-key.pem"},
+	"ca.crt":  {"CA/cacert.pem", "qemu/ca-cert.pem", "ch/ca-cert.pem"},
+	"tls.crt": {"libvirt/servercert.pem", "qemu/server-cert.pem", "ch/server-cert.pem"},
+	"tls.key": {"libvirt/private/serverkey.pem", "qemu/server-key.pem", "ch/server-key.pem"},
 }
 
 var symLinkMap = map[string][]string{
 	"servercert.pem":  {"libvirt/clientcert.pem"},
 	"serverkey.pem":   {"libvirt/private/clientkey.pem"},
-	"server-cert.pem": {"qemu/client-cert.pem"},
-	"server-key.pem":  {"qemu/client-key.pem"},
+	"server-cert.pem": {"qemu/client-cert.pem", "ch/client-cert.pem"},
+	"server-key.pem":  {"qemu/client-key.pem", "ch/client-key.pem"},
 }
 
 func UpdateTLSCertificate(ctx context.Context, data map[string][]byte) error {

Original file line number	Diff line number	Diff line change
`@@ -125,16 +125,16 @@ func EnsureCertificate(ctx context.Context, c client.Client, host string) error`
`125`	`125`	`}`
`126`	`126`
`127`	`127`	`var secretToFileMap = map[string][]string{`
`128`		`- "ca.crt": {"CA/cacert.pem", "qemu/ca-cert.pem"},`
`129`		`- "tls.crt": {"libvirt/servercert.pem", "qemu/server-cert.pem"},`
`130`		`- "tls.key": {"libvirt/private/serverkey.pem", "qemu/server-key.pem"},`
	`128`	`+ "ca.crt": {"CA/cacert.pem", "qemu/ca-cert.pem", "ch/ca-cert.pem"},`
	`129`	`+ "tls.crt": {"libvirt/servercert.pem", "qemu/server-cert.pem", "ch/server-cert.pem"},`
	`130`	`+ "tls.key": {"libvirt/private/serverkey.pem", "qemu/server-key.pem", "ch/server-key.pem"},`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`var symLinkMap = map[string][]string{`
`134`	`134`	`"servercert.pem": {"libvirt/clientcert.pem"},`
`135`	`135`	`"serverkey.pem": {"libvirt/private/clientkey.pem"},`
`136`		`- "server-cert.pem": {"qemu/client-cert.pem"},`
`137`		`- "server-key.pem": {"qemu/client-key.pem"},`
	`136`	`+ "server-cert.pem": {"qemu/client-cert.pem", "ch/client-cert.pem"},`
	`137`	`+ "server-key.pem": {"qemu/client-key.pem", "ch/client-key.pem"},`
`138`	`138`	`}`
`139`	`139`
`140`	`140`	`func UpdateTLSCertificate(ctx context.Context, data map[string][]byte) error {`