VPS: add ca.crt from issuing CA for tls secret type

controllers/vaultpkisecret_controller.go

@@ -4,10 +4,12 @@
 package controllers
 
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"maps"
 	"strings"
 	"time"
 
@@ -244,16 +246,7 @@ func (r *VaultPKISecretReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	}
 	// If using data transformation (templates), avoid generating tls.key and tls.crt.
 	if o.Spec.Destination.Type == corev1.SecretTypeTLS && len(transOption.KeyedTemplates) == 0 {
-		data[corev1.TLSCertKey] = data["certificate"]
-		// the ca_chain includes the issuing ca
-		if len(data["ca_chain"]) > 0 {
-			data[corev1.TLSCertKey] = append(data[corev1.TLSCertKey], []byte("\n")...)
-			data[corev1.TLSCertKey] = append(data[corev1.TLSCertKey], []byte(data["ca_chain"])...)
-		} else if len(data["issuing_ca"]) > 0 {
-			data[corev1.TLSCertKey] = append(data[corev1.TLSCertKey], []byte("\n")...)
-			data[corev1.TLSCertKey] = append(data[corev1.TLSCertKey], data["issuing_ca"]...)
-		}
-		data[corev1.TLSPrivateKeyKey] = data["private_key"]
+		data = convertToK8sTLSSecretData(data)
 	}
 
 	if b, err := json.Marshal(data); err == nil {
@@ -494,3 +487,31 @@ func computePKIRenewalWindow(ctx context.Context, o *secretsv1beta1.VaultPKISecr
 
 	return horizon, inWindow
 }
+
+func convertToK8sTLSSecretData(data map[string][]byte) map[string][]byte {
+	ret := maps.Clone(data)
+	if v, ok := ret["certificate"]; ok {
+		ret[corev1.TLSCertKey] = v
+	}
+
+	if v, ok := ret["private_key"]; ok {
+		ret[corev1.TLSPrivateKeyKey] = v
+	}
+
+	// the ca_chain includes the issuing ca
+	var caData []byte
+	if v, ok := data["ca_chain"]; ok && len(v) > 0 {
+		caData = v
+	} else if v, ok := data["issuing_ca"]; ok && len(v) > 0 {
+		ret[corev1.ServiceAccountRootCAKey] = v
+		caData = v
+	}
+
+	if len(caData) > 0 {
+		if _, ok := ret[corev1.TLSCertKey]; ok {
+			ret[corev1.TLSCertKey] = bytes.Join([][]byte{ret[corev1.TLSCertKey], caData}, []byte("\n"))
+		}
+	}
+
+	return ret
+}

controllers/vaultpkisecret_controller_test.go

@@ -177,3 +177,67 @@ func Test_computePKIRenewalWindow(t *testing.T) {
 		})
 	}
 }
+
+func Test_convertToK8sTLSSecretData(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name string
+		data map[string][]byte
+		want map[string][]byte
+	}{
+		{
+			name: "empty",
+			data: map[string][]byte{},
+			want: map[string][]byte{},
+		},
+		{
+			name: "without-ca",
+			data: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+			},
+			want: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+				"tls.key":     []byte("v_private_key"),
+				"tls.crt":     []byte("v_certificate"),
+			},
+		},
+		{
+			name: "with-ca-chain",
+			data: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+				"ca_chain":    []byte("v_ca_chain"),
+			},
+			want: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+				"ca_chain":    []byte("v_ca_chain"),
+				"tls.key":     []byte("v_private_key"),
+				"tls.crt":     []byte("v_certificate\nv_ca_chain"),
+			},
+		},
+		{
+			name: "with-issuing-ca",
+			data: map[string][]byte{
+				"private_key": []byte("v_private_key"), "certificate": []byte("v_certificate"),
+				"issuing_ca": []byte("v_issuing_ca"),
+			},
+			want: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+				"issuing_ca":  []byte("v_issuing_ca"),
+				"tls.key":     []byte("v_private_key"),
+				"tls.crt":     []byte("v_certificate\nv_issuing_ca"),
+				"ca.crt":      []byte("v_issuing_ca"),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, convertToK8sTLSSecretData(tt.data), "convertToK8sTLSSecretData(%v)", tt.data)
+		})
+	}
+}

test/integration/vaultpkisecret/terraform/deployment.tf

@@ -41,8 +41,9 @@ resource "kubernetes_deployment" "vso" {
           }
         }
         container {
-          image = "nginx:latest"
-          name  = "example"
+          image             = "nginx:latest"
+          name              = "example"
+          image_pull_policy = "IfNotPresent"
 
           volume_mount {
             name       = "secrets"