chore(libvirt): enable tls cert issuance
diff --git a/charts/libvirt/templates/bin/_cert-init.sh.tpl b/charts/libvirt/templates/bin/_cert-init.sh.tpl
new file mode 100644
index 0000000..1e4bec3
--- /dev/null
+++ b/charts/libvirt/templates/bin/_cert-init.sh.tpl
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+{{/*
+Copyright (c) 2023 VEXXHOST, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+cat <<EOF | kubectl apply -f -
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${POD_NAME}-${TYPE}
+  namespace: ${POD_NAMESPACE}
+  ownerReferences:
+    - apiVersion: v1
+      kind: Pod
+      name: ${POD_NAME}
+      uid: ${POD_UID}
+spec:
+  secretName: ${POD_NAME}-${TYPE}
+  usages:
+  - server auth
+  dnsNames:
+  - ${HOSTNAME}
+  ipAddresses:
+  - ${POD_IP}
+  issuerRef:
+    kind: Issuer
+    name: libvirt-${TYPE}
+EOF
+
+kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
+  certificate/${POD_NAME}-${TYPE}
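Review bot: The script has no error handling, so a failed `kubectl apply` on the heredoc (RBAC denied, cert-manager CRD absent, malformed manifest) is ignored and only surfaces as a 300s wait timeout; add `set -euo pipefail` after the shebang so the pipeline fails fast with the real error. The `dnsNames` entry uses `${HOSTNAME}`, which inside a pod is the pod name unless hostNetwork or an explicit hostname is set, so it is worth confirming it matches the name libvirt peers actually connect to before the cert is trusted for `server auth`. The init container also needs RBAC to create cert-manager Certificates in the pod namespace; this diff does not add a Role/RoleBinding for it, which may exist elsewhere in the chart. A short header comment stating what the script issues (one server certificate per `${TYPE}`, owned by the pod so it is garbage-collected with it) would help the next reader.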
diff --git a/charts/libvirt/templates/configmap-bin.yaml b/charts/libvirt/templates/configmap-bin.yaml
index 621e981..40bc463 100644
--- a/charts/libvirt/templates/configmap-bin.yaml
+++ b/charts/libvirt/templates/configmap-bin.yaml
@@ -26,6 +26,10 @@
 {{- end }}
   libvirt.sh: |
 {{ tuple "bin/_libvirt.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if or (eq .Values.conf.libvirt.listen_tls "1") (eq .Values.conf.qemu.vnc_tls "1") }}
+  cert-init.sh: |
+{{ tuple "bin/_cert-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
 {{- if .Values.conf.ceph.enabled }}
   ceph-keyring.sh: |
 {{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
diff --git a/charts/libvirt/templates/daemonset-libvirt.yaml b/charts/libvirt/templates/daemonset-libvirt.yaml
index 2c0ccda..71e3e3a 100644
--- a/charts/libvirt/templates/daemonset-libvirt.yaml
+++ b/charts/libvirt/templates/daemonset-libvirt.yaml
@@ -76,6 +76,60 @@
       initContainers:
 {{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 {{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
+{{- if eq .Values.conf.libvirt.listen_tls "1" }}
+        - name: cert-init-api
+{{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "cert_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/cert-init.sh
+          env:
+            - name: TYPE
+              value: api
+            - name: POD_UID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.uid
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE:
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: libvirt-bin
+              mountPath: /tmp/cert-init.sh
+              subPath: cert-init.sh
+              readOnly: true
+{{- end }}
+{{- if eq .Values.conf.qemu.vnc_tls "1" }}
+        - name: cert-init-vnc
+{{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "cert_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/cert-init.sh
+          env:
+            - name: TYPE
+              value: vnc
+            - name: POD_UID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.uid
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE:
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: libvirt-bin
+              mountPath: /tmp/cert-init.sh
+              subPath: cert-init.sh
+              readOnly: true
+{{- end }}
 {{- if .Values.conf.ceph.enabled }}
         {{- if empty .Values.conf.ceph.cinder.keyring }}
         - name: ceph-admin-keyring-placement
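Review bot: The env entry `- name: POD_NAMESPACE:` carries a trailing colon in both new init containers (cert-init-api and cert-init-vnc), so the rendered manifest either fails to parse or defines a variable that is not `POD_NAMESPACE`, and `_cert-init.sh.tpl` then runs `kubectl -n` with an empty namespace; it should read `- name: POD_NAMESPACE`. The script also references `${POD_IP}` for `ipAddresses`, but neither env block provides it, so the Certificate is submitted with an empty list item; expose it via the downward API as shown below. Both containers pull `pod.security_context.libvirt.container.cert_init` through the security-context snippet, and the values.yaml hunk in this diff does not add that key, so confirm it exists elsewhere or the template render will fail. The same two fixes apply to the cert-init-vnc block.
```yaml
          env:
            # … unchanged: TYPE, POD_UID, POD_NAME …
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
```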
@@ -227,10 +281,6 @@
             {{- end }}
 {{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
       volumes:
-        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.client "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
-        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
         - name: pod-tmp
           emptyDir: {}
         - name: libvirt-bin
diff --git a/charts/libvirt/values.yaml b/charts/libvirt/values.yaml
index b6cab8d..4c3f79b 100644
--- a/charts/libvirt/values.yaml
+++ b/charts/libvirt/values.yaml
@@ -26,6 +26,7 @@
 
 images:
   tags:
+    kubectl: docker.io/bitnami/kubectl:latest
     libvirt: docker.io/openstackhelm/libvirt:latest-ubuntu_bionic
     ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_bionic-20200217'
     dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
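Review bot: `kubectl: docker.io/bitnami/kubectl:latest` introduces an unpinned image for a container that runs with RBAC to create Certificate objects in the pod namespace, so an upstream retag silently changes what executes with that privilege; pin it to a versioned tag or digest, as `dep_check` and `ceph_config_helper` in the same block already are. A comment such as `# kubectl used by cert-init init containers; keep pinned` above the line would record why the tag matters.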
@@ -214,6 +215,9 @@
   job_image_repo_sync: true
   network_policy: false
 
+tls:
+  enabled: false
+
 secrets:
   tls:
     server: libvirt-tls-server
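Review bot: The new `tls.enabled: false` key is not referenced by any template in this diff; the cert-init containers and the ConfigMap entry are gated on `conf.libvirt.listen_tls` and `conf.qemu.vnc_tls` instead, so either the key is consumed somewhere outside the diff or it is dead and will mislead operators into thinking it controls issuance. If it is intended as the switch, the templates should gate on it (or it should be dropped); either way a comment above it stating what it controls, e.g. `# Gates cert-manager issuance for the libvirt API/VNC listeners (see daemonset-libvirt.yaml)`, would remove the ambiguity.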