chore(libvirt): add secret clean-up
diff --git a/charts/libvirt/templates/bin/_cert-init.sh.tpl b/charts/libvirt/templates/bin/_cert-init.sh.tpl
index 96be379..bb4f33c 100644
--- a/charts/libvirt/templates/bin/_cert-init.sh.tpl
+++ b/charts/libvirt/templates/bin/_cert-init.sh.tpl
@@ -43,6 +43,12 @@
 kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
   certificate/${POD_NAME}-${TYPE}
 
+# NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
+#               is deleted, so we should add an owner reference to the secret
+#               to ensure that it is cleaned up when the pod is deleted.
+kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
+  --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'
+
 kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
 kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
 kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
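Review bot: The JSON Patch `add` on `/metadata/ownerReferences` replaces the whole array instead of appending to it, so any owner reference already on the secret would be dropped (for example one pointing at the Certificate, if cert-manager is configured to set it). A strategic merge patch keeps existing entries because `ownerReferences` merges on `uid`: `kubectl -n "${POD_NAMESPACE}" patch secret "${POD_NAME}-${TYPE}" --type=strategic -p '{"metadata":{"ownerReferences":[{"apiVersion":"v1","kind":"Pod","name":"'"${POD_NAME}"'","uid":"'"${POD_UID}"'"}]}}'`. The hunk also expands `${POD_NAME}` and `${POD_UID}` outside any quotes and nothing visible checks that `POD_UID` is set, so a guard such as `: "${POD_UID:?POD_UID must be set}"` before the patch would fail early with a clear message. Whether the script runs under `set -e` is not visible here; if it does not, a failed patch silently leaves the secret without an owner and the key material outlives the pod.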
diff --git a/charts/libvirt/templates/role-cert-manager.yaml b/charts/libvirt/templates/role-cert-manager.yaml
index 7ddc346..094bdc6 100644
--- a/charts/libvirt/templates/role-cert-manager.yaml
+++ b/charts/libvirt/templates/role-cert-manager.yaml
@@ -48,6 +48,7 @@
       - ""
     verbs:
       - get
+      - patch
     resources:
       - secrets
 {{- end -}}
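Review bot: The added `patch` verb on `secrets` looks namespace-wide, since no `resourceNames` is visible in this hunk (the rule begins above it). If so, the account bound to this Role can now modify any secret in the namespace, not only the pod's own `${POD_NAME}-${TYPE}` certificate secret, which is a wider write grant than the owner-reference patch needs. Because the secret names are per-pod, a static `resourceNames` list may not be practical; in that case a comment on the rule such as `# patch: cert-init sets ownerReferences on the pod's own certificate secret` would record why the verb is there, and it is worth considering whether the owner reference could instead be set by a component that already has write access to these secrets.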