From b1218e2a76ade2e3a7db2a4487c2ac151e360e66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Thu, 27 Jul 2023 18:29:52 +0200
Subject: [PATCH] feat: Consume policy-server-root-ca Secret in auditScanner Cronjob
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is done with a volumeMount. The `policy-server-root-ca` is created by the kubewarden-controller deployment, but only when there is a policy-server. This means that the first installation of kubearden-controller chart will deploy an audit-scanner cronjob that will continously fail, until there's a policy-server instantiated. This doesn't need to be this way, we can change the kubewarden-controller reconcile loop so it creates the ca secret without needing a policy-server first.

Signed-off-by: VĂ­ctor Cuadrado Juan
---
 .../templates/audit-scanner.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/charts/kubewarden-controller/templates/audit-scanner.yaml b/charts/kubewarden-controller/templates/audit-scanner.yaml
index 127a510f..7ae0dcaf 100644
--- a/charts/kubewarden-controller/templates/audit-scanner.yaml
+++ b/charts/kubewarden-controller/templates/audit-scanner.yaml
@@ -27,6 +27,11 @@ spec:
 {{- toYaml .Values.imagePullSecrets | nindent 12 }}
 {{- end }}
 restartPolicy: {{ .Values.auditScanner.containerRestartPolicy }}
+ volumes:
+ - name: policyservers-ca-cert
+ secret:
+ defaultMode: 420
+ secretName: policy-server-root-ca
 containers:
 - name: audit-scanner
 image: '{{ template "system_default_registry" . }}{{ .Values.auditScanner.image.repository }}:{{ .Values.auditScanner.image.tag }}'
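Review bot: The `secret:` volume added after `restartPolicy` projects every key of `policy-server-root-ca` into the scanner pod, while the consumer added in the next hunk only reads the `policy-server-root-ca-pem` key; if the controller ever stores the CA private key in the same Secret (not visible here), it would be exposed to the audit-scanner container as well. Restricting the projection to the one key keeps the mount least-privilege: under `secret:` add `items:` with `- key: policy-server-root-ca-pem` and `path: policy-server-root-ca-pem`. `defaultMode: 420` is decimal 0644, which is fine for a public CA certificate but reads better with a comment such as `# 0644: CA cert is public, world-readable is acceptable`. The enclosing pod `spec` starts outside the hunk.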
@@ -34,6 +39,13 @@ spec:
 command:
 {{- include "audit-scanner.command" . | nindent 14 -}}
 {{- with .Values.containerSecurityContext }}
+ env:
+ - name: KUBEWARDEN_CACERT_PEM_POLICYSERVERS
+ value: "/pki/policy-server-root-ca-pem"
+ volumeMounts:
+ - mountPath: "/pki"
+ name: policyservers-ca-cert
+ readOnly: true
 securityContext:
 {{- toYaml . | nindent 14 }}
 {{- end }}
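Review bot: The new `env:` and `volumeMounts:` entries sit between `{{- with .Values.containerSecurityContext }}` and its `{{- end }}`, so they are rendered only when `containerSecurityContext` is set; with an empty value the Secret volume declared in the previous hunk is never mounted and `KUBEWARDEN_CACERT_PEM_POLICYSERVERS` is never exported, presumably leaving the scanner without the CA it needs to verify policy servers. Move the seven added lines out of the `with` block, for example directly above `command:`; do not place them right after `{{- include "audit-scanner.command" . | nindent 14 -}}`, because its trailing `-}}` trims the following newline and would glue `env:` onto the last rendered command line. The key name is also spelled twice, in `value: "/pki/policy-server-root-ca-pem"` here and implicitly by the Secret, so a comment such as `# file name must match the key of the policy-server-root-ca Secret` would make the coupling explicit. The container definition starts outside the hunk.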