From 699743ed7035126665f3ef8bfe964fdffb15a0e6 Mon Sep 17 00:00:00 2001
From: Andrew Azores <aazores@redhat.com>
Date: Mon, 20 Jan 2025 13:16:05 -0500
Subject: [PATCH] mount only TLS certs, not key

---
 .../resource_definitions/resource_definitions.go       | 10 ++++++++++
 internal/test/resources.go                             | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/internal/controllers/common/resource_definitions/resource_definitions.go b/internal/controllers/common/resource_definitions/resource_definitions.go
index 7c132b6b..d87ef0f1 100644
--- a/internal/controllers/common/resource_definitions/resource_definitions.go
+++ b/internal/controllers/common/resource_definitions/resource_definitions.go
@@ -549,6 +549,16 @@ func NewPodForCR(cr *model.CryostatInstance, specs *ServiceSpecs, imageTags *Ima
 				Secret: &corev1.SecretVolumeSource{
 					SecretName:  tls.DatabaseSecret,
 					DefaultMode: &readOnlyMode,
+					Items: []corev1.KeyToPath{
+						{
+							Key:  "tls.crt",
+							Path: "tls.crt",
+						},
+						{
+							Key:  "ca.crt",
+							Path: "ca.crt",
+						},
+					},
 				},
 			},
 		}
diff --git a/internal/test/resources.go b/internal/test/resources.go
index 23573ba8..a5e64b2e 100644
--- a/internal/test/resources.go
+++ b/internal/test/resources.go
@@ -2998,6 +2998,16 @@ func (r *TestResources) newVolumes(certProjections []corev1.VolumeProjection) []
 					Secret: &corev1.SecretVolumeSource{
 						SecretName:  r.Name + "-database-tls",
 						DefaultMode: &readOnlymode,
+						Items: []corev1.KeyToPath{
+							{
+								Key:  "tls.crt",
+								Path: "tls.crt",
+							},
+							{
+								Key:  "ca.crt",
+								Path: "ca.crt",
+							},
+						},
 					},
 				},
 			},