[ATMOSPHERE-595] stable/zed update libvirt-tls-sidecar image tag to latest (#2169)

Fixes #2168
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 7c4809e..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,18 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-# Atmosphere-Rebuild-Time: 2024-06-28T12:14:26Z
-
-ARG RELEASE
-
-FROM golang:1.22 AS go-builder
-COPY go.mod go.sum /src/
-WORKDIR /src
-RUN go mod download
-
-FROM go-builder AS libvirt-tls-sidecar-builder
-COPY cmd/ /src/cmd/
-COPY internal/ /src/internal/
-RUN go build -o main ./cmd/libvirt-tls-sidecar/main.go
-
-FROM registry.atmosphere.dev/library/ubuntu:${RELEASE} AS libvirt-tls-sidecar
-COPY --from=libvirt-tls-sidecar-builder /src/main /usr/bin/libvirt-tls-sidecar
-ENTRYPOINT ["/usr/bin/libvirt-tls-sidecar"]
diff --git a/cmd/libvirt-tls-sidecar/main.go b/cmd/libvirt-tls-sidecar/main.go
deleted file mode 100644
index c94f5c8..0000000
--- a/cmd/libvirt-tls-sidecar/main.go
+++ /dev/null
@@ -1,97 +0,0 @@
-// Copyright (c) 2024 VEXXHOST, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License. You may obtain
-// a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-// License for the specific language governing permissions and limitations
-// under the License.
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"os"
-
-	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
-	log "github.com/sirupsen/logrus"
-	"k8s.io/client-go/rest"
-
-	"github.com/vexxhost/atmosphere/internal/tls"
-)
-
-const (
-	EnvVarApiIssuerKind = "API_ISSUER_KIND"
-	EnvVarApiIssuerName = "API_ISSUER_NAME"
-	EnvVarVncIssuerKind = "VNC_ISSUER_KIND"
-	EnvVarVncIssuerName = "VNC_ISSUER_NAME"
-)
-
-func main() {
-	config, err := rest.InClusterConfig()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	required := []string{
-		EnvVarApiIssuerKind,
-		EnvVarApiIssuerName,
-		EnvVarVncIssuerKind,
-		EnvVarVncIssuerName,
-	}
-
-	for _, env := range required {
-		if os.Getenv(env) == "" {
-			log.Fatal(fmt.Sprintf("missing required environment variable: %s", env))
-		}
-	}
-
-	ctx := context.Background()
-	go createCertificateSpec(ctx, config, tls.LibvirtCertificateTypeAPI)
-	go createCertificateSpec(ctx, config, tls.LibvirtCertificateTypeVNC)
-
-	<-ctx.Done()
-}
-
-func createCertificateSpec(ctx context.Context, config *rest.Config, certificateType tls.LibvirtCertificateType) {
-	var issuerRef cmmeta.ObjectReference
-	switch certificateType {
-	case tls.LibvirtCertificateTypeAPI:
-		issuerRef = cmmeta.ObjectReference{
-			Kind: os.Getenv(EnvVarApiIssuerKind),
-			Name: os.Getenv(EnvVarApiIssuerName),
-		}
-	case tls.LibvirtCertificateTypeVNC:
-		issuerRef = cmmeta.ObjectReference{
-			Kind: os.Getenv(EnvVarVncIssuerKind),
-			Name: os.Getenv(EnvVarVncIssuerName),
-		}
-	}
-
-	spec := &tls.LibvirtCertificateSpec{
-		Type:      certificateType,
-		IssuerRef: issuerRef,
-	}
-
-	manager, err := tls.NewLibvirtManager(config, spec)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	err = manager.Create(ctx)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	log.WithFields(log.Fields{
-		"certificateType": certificateType,
-	}).Info("certificate created")
-
-	go manager.Watch(ctx)
-}
diff --git a/go.mod b/go.mod
index 13def11..41a9305 100644
--- a/go.mod
+++ b/go.mod
@@ -3,8 +3,7 @@
 go 1.22.0
 
 require (
-	github.com/cert-manager/cert-manager v1.14.2
-	github.com/containers/image/v5 v5.29.2
+	github.com/containers/image/v5 v5.30.1
 	github.com/erikgeiser/promptkit v0.9.0
 	github.com/goccy/go-yaml v1.11.3
 	github.com/nsf/jsondiff v0.0.0-20230430225905-43f6cf3098c1
@@ -44,6 +43,7 @@
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cert-manager/cert-manager v1.14.5 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/charmbracelet/bubbles v0.16.1 // indirect
@@ -59,7 +59,7 @@
 	github.com/cyphar/filepath-securejoin v0.3.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.5.0 // indirect
-	github.com/docker/cli v25.0.1+incompatible // indirect
+	github.com/docker/cli v25.0.3+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v27.0.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.1 // indirect
@@ -93,7 +93,7 @@
 	github.com/google/pprof v0.0.0-20240711041743-f6c9dda6c6da // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
@@ -192,7 +192,6 @@
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/controller-runtime v0.17.0 // indirect
-	sigs.k8s.io/gateway-api v1.0.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/kustomize/api v0.17.2 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
diff --git a/go.sum b/go.sum
index 2d94a47..02cf386 100644
--- a/go.sum
+++ b/go.sum
@@ -53,8 +53,8 @@
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cert-manager/cert-manager v1.14.2 h1:C/uci6yxiCRO04PWomBbSX+T4JT58FIIpDj5SZ6Ks6I=
-github.com/cert-manager/cert-manager v1.14.2/go.mod h1:pik7K6jXfgh++lfVJ/i1HzEnDluSUtTVLXSHikj8Lho=
+github.com/cert-manager/cert-manager v1.14.5 h1:uuM1O2g2S80nxiH3eW2cZYMGiL2zmDFVdAzg8sibWuc=
+github.com/cert-manager/cert-manager v1.14.5/go.mod h1:fmr/cU5jiLxWj69CroDggSOa49RljUK+dU583TaQUXM=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
@@ -81,8 +81,8 @@
 github.com/containerd/errdefs v0.1.0/go.mod h1:YgWiiHtLmSeBrvpw+UfPijzbLaB77mEG1WwJTDETIV0=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containers/image/v5 v5.29.2 h1:b8U0XYWhaQbKucK73IbmSm8WQyKAhKDbAHQc45XlsOw=
-github.com/containers/image/v5 v5.29.2/go.mod h1:kQ7qcDsps424ZAz24thD+x7+dJw1vgur3A9tTDsj97E=
+github.com/containers/image/v5 v5.30.1 h1:AKrQMgOKI1oKx5FW5eoU2xoNyzACajHGx1O3qxobvFM=
+github.com/containers/image/v5 v5.30.1/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.1.9 h1:2Csfba4jse85Raxk5HIyEk8OwZNjRvfkhEGijOjIdEM=
@@ -102,8 +102,8 @@
 github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
 github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v25.0.1+incompatible h1:mFpqnrS6Hsm3v1k7Wa/BO23oz0k121MTbTO1lpcGSkU=
-github.com/docker/cli v25.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v25.0.3+incompatible h1:KLeNs7zws74oFuVhgZQ5ONGZiXUUdgsdy6/EsX/6284=
+github.com/docker/cli v25.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE=
@@ -227,8 +227,8 @@
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
@@ -403,8 +403,8 @@
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
-github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -595,8 +595,8 @@
 gorm.io/gorm v1.25.10 h1:dQpO+33KalOA+aFYGlK+EfxcI5MbO7EP2yYygwh9h+s=
 gorm.io/gorm v1.25.10/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
-gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
-gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
+gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
+gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 helm.sh/helm/v3 v3.16.2 h1:Y9v7ry+ubQmi+cb5zw1Llx8OKHU9Hk9NQ/+P+LGBe2o=
 helm.sh/helm/v3 v3.16.2/go.mod h1:SyTXgKBjNqi2NPsHCW5dDAsHqvGIu0kdNYNH9gQaw70=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -627,8 +627,6 @@
 oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
 sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s=
 sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
-sigs.k8s.io/gateway-api v1.0.0 h1:iPTStSv41+d9p0xFydll6d7f7MOBGuqXM6p2/zVYMAs=
-sigs.k8s.io/gateway-api v1.0.0/go.mod h1:4cUgr0Lnp5FZ0Cdq8FdRwCvpiWws7LVhLHGIudLlf4c=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g=
diff --git a/internal/net/hostname.go b/internal/net/hostname.go
deleted file mode 100644
index a2a7c96..0000000
--- a/internal/net/hostname.go
+++ /dev/null
@@ -1,21 +0,0 @@
-package net
-
-import (
-	"os"
-	"os/exec"
-	"strings"
-)
-
-func Hostname() (string, error) {
-	return os.Hostname()
-}
-
-func FQDN() (string, error) {
-	cmd := exec.Command("/bin/hostname", "--fqdn")
-	out, err := cmd.Output()
-	if err != nil {
-		return "", err
-	}
-
-	return strings.TrimSpace(string(out)), nil
-}
diff --git a/internal/tls/libvirt.go b/internal/tls/libvirt.go
deleted file mode 100644
index 227dd6f..0000000
--- a/internal/tls/libvirt.go
+++ /dev/null
@@ -1,317 +0,0 @@
-package tls
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-	"time"
-
-	cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
-	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
-	cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1"
-	log "github.com/sirupsen/logrus"
-	"github.com/vexxhost/atmosphere/internal/net"
-	v1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/fields"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/apimachinery/pkg/watch"
-	kubernetes "k8s.io/client-go/kubernetes/typed/core/v1"
-	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/cache"
-)
-
-type LibvirtCertificateType string
-
-const (
-	LibvirtCertificateTypeAPI LibvirtCertificateType = "api"
-	LibvirtCertificateTypeVNC LibvirtCertificateType = "vnc"
-)
-
-const (
-	EnvVarPodUID       = "POD_UID"
-	EnvVarPodName      = "POD_NAME"
-	EnvVarPodNamespace = "POD_NAMESPACE"
-	EnvVarPodIP        = "POD_IP"
-)
-
-type LibvirtCertificateSpec struct {
-	Type      LibvirtCertificateType
-	IssuerRef cmmeta.ObjectReference
-}
-
-type LibvirtManager struct {
-	logger            *log.Entry
-	spec              *LibvirtCertificateSpec
-	certificate       *cmv1.Certificate
-	certificateName   string
-	certificateClient cmclient.CertificateInterface
-	secretClient      kubernetes.SecretInterface
-}
-
-func NewLibvirtManager(config *rest.Config, spec *LibvirtCertificateSpec) (*LibvirtManager, error) {
-	required := []string{
-		EnvVarPodName,
-		EnvVarPodNamespace,
-		EnvVarPodUID,
-		EnvVarPodIP,
-	}
-
-	for _, env := range required {
-		if os.Getenv(env) == "" {
-			return nil, fmt.Errorf("missing required environment variable: %s", env)
-		}
-	}
-
-	mgr := &LibvirtManager{}
-
-	hostname, err := net.Hostname()
-	if err != nil {
-		return nil, err
-	}
-
-	fqdn, err := net.FQDN()
-	if err != nil {
-		return nil, err
-	}
-
-	clientset, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		return nil, err
-	}
-
-	cmClient, err := cmclient.NewForConfig(config)
-	if err != nil {
-		return nil, err
-	}
-
-	podUID := types.UID(os.Getenv(EnvVarPodUID))
-	podNamespace := os.Getenv(EnvVarPodNamespace)
-	podName := os.Getenv(EnvVarPodName)
-	podIP := os.Getenv(EnvVarPodIP)
-
-	mgr.spec = spec
-	mgr.secretClient = clientset.Secrets(podNamespace)
-	mgr.certificateClient = cmClient.Certificates(podNamespace)
-	mgr.certificateName = fmt.Sprintf("%s-%s", podName, spec.Type)
-
-	mgr.logger = log.WithFields(log.Fields{
-		"certificateName": mgr.certificateName,
-		"podName":         podName,
-		"podNamespace":    podNamespace,
-		"podUID":          podUID,
-		"podIP":           podIP,
-		"hostname":        hostname,
-		"fqdn":            fqdn,
-		"issuerKind":      spec.IssuerRef.Kind,
-		"issuerName":      spec.IssuerRef.Name,
-	})
-
-	mgr.certificate = &cmv1.Certificate{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      mgr.certificateName,
-			Namespace: podNamespace,
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					APIVersion: "v1",
-					Kind:       "Pod",
-					Name:       podName,
-					UID:        podUID,
-				},
-			},
-		},
-		Spec: cmv1.CertificateSpec{
-			SecretName: mgr.certificateName,
-			CommonName: podIP,
-			Usages: []cmv1.KeyUsage{
-				cmv1.UsageClientAuth,
-				cmv1.UsageServerAuth,
-			},
-			DNSNames:    []string{hostname, fqdn},
-			IPAddresses: []string{podIP},
-			IssuerRef:   spec.IssuerRef,
-		},
-	}
-
-	return mgr, nil
-}
-
-func (m *LibvirtManager) Create(ctx context.Context) error {
-	// Create certificate
-	_, err := m.certificateClient.Create(ctx, m.certificate, metav1.CreateOptions{})
-	if err != nil && !errors.IsAlreadyExists(err) {
-		return err
-	}
-
-	m.logger.Info("certificate created")
-
-	// Wait for certificate to become ready
-	err = wait.PollUntilContextTimeout(ctx, 5*time.Second, 300*time.Second, true, func(ctx context.Context) (bool, error) {
-		certificate, err := m.certificateClient.Get(ctx, m.certificateName, metav1.GetOptions{})
-		if err != nil {
-			return false, err
-		}
-
-		for _, condition := range certificate.Status.Conditions {
-			if condition.Type == cmv1.CertificateConditionReady {
-				if condition.Status == cmmeta.ConditionTrue {
-					return true, nil
-				}
-
-				m.logger.WithFields(log.Fields{
-					"reason":  condition.Reason,
-					"message": condition.Message,
-				}).Info("certificate not ready")
-			}
-		}
-
-		return false, nil
-	})
-	if err != nil {
-		return err
-	}
-
-	m.logger.Info("certificate ready")
-
-	// Create patch with ownerReference so the secret is garbage collected
-	patch := []map[string]interface{}{
-		{
-			"op":    "add",
-			"path":  "/metadata/ownerReferences",
-			"value": m.certificate.OwnerReferences,
-		},
-	}
-	patchBytes, err := json.Marshal(patch)
-	if err != nil {
-		return err
-	}
-
-	m.logger.Info("patching secret")
-
-	// Patch secret with ownerReference
-	_, err = m.secretClient.Patch(ctx, m.certificateName, types.JSONPatchType, patchBytes, metav1.PatchOptions{})
-	return err
-}
-
-func (m *LibvirtManager) Watch(ctx context.Context) {
-	for {
-		m.watch(ctx)
-		m.logger.Info("watch closed or disconnected, retrying in 5 seconds")
-
-		time.Sleep(5 * time.Second)
-	}
-}
-
-func (m *LibvirtManager) watch(ctx context.Context) {
-	fieldSelector := fields.OneTermEqualSelector("metadata.name", m.certificateName).String()
-
-	listWatcher := &cache.ListWatch{
-		ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
-			options.FieldSelector = fieldSelector
-			return m.secretClient.List(ctx, options)
-		},
-		WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
-			options.FieldSelector = fieldSelector
-			return m.secretClient.Watch(ctx, options)
-		},
-	}
-
-	_, controller := cache.NewInformer(
-		listWatcher,
-		&v1.Secret{},
-		time.Minute,
-		cache.ResourceEventHandlerFuncs{
-			AddFunc: func(obj interface{}) {
-				secret := obj.(*v1.Secret)
-				m.write(secret)
-			},
-			UpdateFunc: func(oldObj, newObj interface{}) {
-				secret := newObj.(*v1.Secret)
-				m.write(secret)
-			},
-			DeleteFunc: func(obj interface{}) {
-				m.logger.Fatal("secret deleted")
-			},
-		},
-	)
-
-	stop := make(chan struct{})
-	defer close(stop)
-	controller.Run(stop)
-}
-
-func (m *LibvirtManager) write(secret *v1.Secret) {
-	switch m.spec.Type {
-	case LibvirtCertificateTypeAPI:
-		m.createDirectory("/etc/pki/libvirt/private")
-		m.writeFile("/etc/pki/CA/cacert.pem", secret.Data["ca.crt"])
-		m.writeFile("/etc/pki/libvirt/servercert.pem", secret.Data["tls.crt"])
-		m.writeFile("/etc/pki/libvirt/private/serverkey.pem", secret.Data["tls.key"])
-		m.writeFile("/etc/pki/libvirt/clientcert.pem", secret.Data["tls.crt"])
-		m.writeFile("/etc/pki/libvirt/private/clientkey.pem", secret.Data["tls.key"])
-		m.createDirectory("/etc/pki/qemu")
-		m.writeFile("/etc/pki/qemu/ca-cert.pem", secret.Data["ca.crt"])
-		m.writeFile("/etc/pki/qemu/server-cert.pem", secret.Data["tls.crt"])
-		m.writeFile("/etc/pki/qemu/server-key.pem", secret.Data["tls.key"])
-		m.writeFile("/etc/pki/qemu/client-cert.pem", secret.Data["tls.crt"])
-		m.writeFile("/etc/pki/qemu/client-key.pem", secret.Data["tls.key"])
-	case LibvirtCertificateTypeVNC:
-		m.createDirectory("/etc/pki/libvirt-vnc")
-		m.writeFile("/etc/pki/libvirt-vnc/ca-cert.pem", secret.Data["ca.crt"])
-		m.writeFile("/etc/pki/libvirt-vnc/server-cert.pem", secret.Data["tls.crt"])
-		m.writeFile("/etc/pki/libvirt-vnc/server-key.pem", secret.Data["tls.key"])
-	}
-}
-
-func (m *LibvirtManager) createDirectory(path string) {
-	if _, err := os.Stat(path); !os.IsNotExist(err) {
-		return
-	}
-
-	m.logger.WithFields(log.Fields{
-		"path": path,
-	}).Info("creating directory")
-
-	err := os.MkdirAll(path, 0755)
-	if err != nil {
-		m.logger.Fatal(err)
-	}
-}
-
-func (m *LibvirtManager) writeFile(path string, data []byte) {
-	log := m.logger.WithFields(log.Fields{
-		"path": path,
-	})
-
-	existingData, err := os.ReadFile(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			log.Info("file does not exist, creating file")
-
-			err = os.WriteFile(path, data, 0644)
-			if err != nil {
-				log.Fatal(err)
-			}
-
-			return
-		}
-
-		m.logger.Fatal(err)
-	}
-
-	if bytes.Equal(existingData, data) {
-		return
-	}
-
-	log.Info("file contents changed, updating file")
-
-	err = os.WriteFile(path, data, 0644)
-	if err != nil {
-		log.Fatal(err)
-	}
-}
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index b7de635..81e3ae2 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -120,7 +120,7 @@
   kube_vip: ghcr.io/kube-vip/kube-vip:v0.6.4
   kubectl: docker.io/bitnami/kubectl:1.27.3
   libvirt: "registry.atmosphere.dev/library/libvirtd:{{ atmosphere_release }}"
-  libvirt_tls_sidecar: "registry.atmosphere.dev/library/libvirt-tls-sidecar:{{ atmosphere_release }}"
+  libvirt_tls_sidecar: registry.atmosphere.dev/library/libvirt-tls-sidecar:latest
   libvirt_exporter: registry.atmosphere.dev/library/libvirtd-exporter:latest
   local_path_provisioner_helper: docker.io/library/busybox:1.36.0
   local_path_provisioner: docker.io/rancher/local-path-provisioner:v0.0.24
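Review bot: The new `libvirt_tls_sidecar` value points at the mutable `:latest` tag, so a stable/zed deployment no longer pulls a release-matched image, and a later push to that tag changes what nodes run without any change in this repository. The sidecar source deleted in this same commit writes the libvirt, QEMU and VNC TLS private keys under `/etc/pki`, so the provenance of this image deserves a stronger pin than a floating tag. Prefer an immutable version tag plus digest, for example `libvirt_tls_sidecar: registry.atmosphere.dev/library/libvirt-tls-sidecar:<VERSION>@sha256:<DIGEST>` (placeholders, to be filled from the published image). Since the Dockerfile and Zuul build jobs are removed here, a short comment naming where the image is now built would help auditors trace it. The unchanged `libvirt_exporter` line directly below uses the same `:latest` pattern and could be pinned in the same way.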
diff --git a/zuul.d/container-images/libvirt-tls-sidecar.yaml b/zuul.d/container-images/libvirt-tls-sidecar.yaml
deleted file mode 100644
index 93d997f..0000000
--- a/zuul.d/container-images/libvirt-tls-sidecar.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-# Copyright (c) 2024 VEXXHOST, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-- project:
-    check:
-      jobs:
-        - atmosphere-build-container-image-libvirt-tls-sidecar
-    gate:
-      jobs:
-        - atmosphere-upload-container-image-libvirt-tls-sidecar
-    promote:
-      jobs:
-        - atmosphere-promote-container-image-libvirt-tls-sidecar
-
-- job:
-    name: atmosphere-build-container-image-libvirt-tls-sidecar
-    parent: atmosphere-build-container-image
-    dependencies:
-      - name: atmosphere-buildset-registry
-        soft: false
-      - name: atmosphere-build-container-image-ubuntu
-        soft: true
-    vars: &container_image_vars
-      promote_container_image_job: atmosphere-upload-container-image-libvirt-tls-sidecar
-      container_images:
-        - context: .
-          target: libvirt-tls-sidecar
-          registry: registry.atmosphere.dev
-          repository: registry.atmosphere.dev/library/libvirt-tls-sidecar
-          arch:
-            - linux/amd64
-            - linux/arm64
-          build_args:
-            - "RELEASE={{ zuul.branch | replace('stable/', '') }}"
-          tags:
-            - "{{ zuul.branch | replace('stable/', '') }}"
-    files: &container_image_files
-      - images/ubuntu/.*
-      - cmd/.*
-      - internal/.*
-      - Dockerfile
-      - go.mod
-      - go.sum
-
-- job:
-    name: atmosphere-upload-container-image-libvirt-tls-sidecar
-    parent: atmosphere-upload-container-image
-    dependencies:
-      - name: atmosphere-buildset-registry
-        soft: false
-      - name: atmosphere-upload-container-image-ubuntu
-        soft: true
-    vars: *container_image_vars
-    files: *container_image_files
-
-- job:
-    name: atmosphere-promote-container-image-libvirt-tls-sidecar
-    parent: atmosphere-promote-container-image
-    vars: *container_image_vars
-    files: *container_image_files
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index c7571cf..3558db5 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -44,8 +44,6 @@
                 soft: true
               - name: atmosphere-build-container-image-kubernetes-entrypoint
                 soft: true
-              - name: atmosphere-build-container-image-libvirt-tls-sidecar
-                soft: true
               - name: atmosphere-build-container-image-libvirtd
                 soft: true
               - name: atmosphere-build-container-image-magnum
@@ -114,8 +112,6 @@
                 soft: true
               - name: atmosphere-upload-container-image-kubernetes-entrypoint
                 soft: true
-              - name: atmosphere-upload-container-image-libvirt-tls-sidecar
-                soft: true
               - name: atmosphere-upload-container-image-libvirtd
                 soft: true
               - name: atmosphere-upload-container-image-magnum