chore(libvirt): add secret clean-up
diff --git a/charts/libvirt/templates/bin/_cert-init.sh.tpl b/charts/libvirt/templates/bin/_cert-init.sh.tpl
index 96be379..bb4f33c 100644
--- a/charts/libvirt/templates/bin/_cert-init.sh.tpl
+++ b/charts/libvirt/templates/bin/_cert-init.sh.tpl
@@ -43,6 +43,12 @@
kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
certificate/${POD_NAME}-${TYPE}
+# NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
+# is deleted, so we should add an owner reference to the secret
+# to ensure that it is cleaned up when the pod is deleted.
+kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
+ --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'
+
kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
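Review bot: The patch body on the `--type=json -p=` line splices `${POD_NAME}` and `${POD_UID}` into the JSON with no check that they are set, and `POD_UID` is not otherwise referenced in the hunk; if the downward-API variable is absent, the patch sends `"uid": ""`, which the API server rejects as an invalid owner reference, and the failure mode then depends on whether the script (whose body starts and ends outside this hunk) runs under `set -e`. Adding `: "${POD_UID:?POD_UID must be provided via the downward API}"` before the patch, and quoting the expansions inside the single-quoted JSON as `"'"${POD_NAME}"'"` / `"'"${POD_UID}"'"`, makes the failure explicit and keeps the literal intact under word splitting. A JSON-patch `add` on `/metadata/ownerReferences` also replaces any existing owner references on the secret rather than appending, so if cert-manager has been configured to set its own Certificate owner reference on the secret, this patch silently drops it; a strategic-merge patch on `metadata.ownerReferences` (merged by `uid`) would preserve it, which is worth confirming against the deployed cert-manager settings. Note also that the patch runs after `wait --for=condition=Ready`, so the secret holding the TLS private key exists unowned for the window between issuance and the patch; that is inherent to the approach and worth a sentence in the NOTE comment.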
diff --git a/charts/libvirt/templates/role-cert-manager.yaml b/charts/libvirt/templates/role-cert-manager.yaml
index 7ddc346..094bdc6 100644
--- a/charts/libvirt/templates/role-cert-manager.yaml
+++ b/charts/libvirt/templates/role-cert-manager.yaml
@@ -48,6 +48,7 @@
- ""
verbs:
- get
+ - patch
resources:
- secrets
{{- end -}}
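Review bot: The added `patch` verb applies to the `secrets` resource for the whole namespace unless this rule carries a `resourceNames` restriction, which is not visible in the hunk; as shown, the identity used by the cert-init script can modify every secret in the namespace, not only its own `${POD_NAME}-${TYPE}` secret. Because pod names are dynamic, `resourceNames` is hard to use here, so if the rule is unrestricted it is worth stating that in a comment above the rule, e.g. `# patch is needed so cert-init can set an ownerReference on its own TLS secret; resourceNames cannot be used because the secret name is derived from the pod name`, so the widened grant is reviewed deliberately rather than inherited.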