feat: mount audit-scanner cert secret; provide client-key and client-cert flags to audit-scanner command

Signed-off-by: Fabrizio Sestito <[email protected]>

Author: fabriziosestito

charts/kubewarden-controller/templates/_helpers.tpl

@@ -143,6 +143,10 @@ Create the name of the service account to use for kubewarden-controller
 {{- end }}
 - --extra-ca
 - "/pki/ca.crt"
+- --client-cert
+- "/client-cert/tls.crt"
+- --client-key
+- "/client-cert/tls.key"
 {{- if .Values.auditScanner.outputScan }}
 - --output-scan
 {{- end }}

charts/kubewarden-controller/templates/audit-scanner.yaml

@@ -35,6 +35,15 @@ spec:
               items:
               - key: ca.crt
                 path: "ca.crt"
+          - name: kubewarden-audit-scanner-client-cert
+            secret:
+              defaultMode: 420
+              secretName: kubewarden-audit-scanner-client-cert
+              items:
+              - key: tls.crt
+                path: "tls.crt"
+              - key: tls.key
+                path: "tls.key"
           {{- if .Values.global.affinity }}
           affinity: {{ .Values.global.affinity | toYaml | nindent 14 }}
           {{- end }}
@@ -56,6 +65,10 @@ spec:
             - mountPath: "/pki"
               name: kubewarden-ca
               readOnly: true
+            volumeMounts:
+            - mountPath: "/client-cert"
+              name: kubewarden-audit-scanner-client-cert
+              readOnly: true
             securityContext:
               {{- toYaml . | nindent 14 }}
             {{- end }}