From c0832ff59b53dcf7dff4f6287aaf78ef9a41e10e Mon Sep 17 00:00:00 2001
From: "d.viti"
Date: Wed, 8 Oct 2025 13:19:57 +0200
Subject: [PATCH] Add private key config to certificate template and values
---
 helm/api7ee-demo-k8s/templates/certificate.yaml | 7 ++++++-
 helm/api7ee-demo-k8s/values.yaml | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/helm/api7ee-demo-k8s/templates/certificate.yaml b/helm/api7ee-demo-k8s/templates/certificate.yaml
index 5bec334..2114c5a 100644
--- a/helm/api7ee-demo-k8s/templates/certificate.yaml
+++ b/helm/api7ee-demo-k8s/templates/certificate.yaml
@@ -15,6 +15,11 @@ spec:
 {{- range .Values.api7.hosts }}
 - {{ . | quote }}
 {{- end }}
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: {{ .Values.api7.tls.privateKey.rotationPolicy | default "Always" }}
 usages:
 - digital signature
 - key encipherment
@@ -22,4 +27,4 @@ spec:
 - client auth
 duration: 2160h # 90 days
 renewBefore: 720h # 30 days before expiry
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/helm/api7ee-demo-k8s/values.yaml b/helm/api7ee-demo-k8s/values.yaml
index 49de9e3..2db9664 100644
--- a/helm/api7ee-demo-k8s/values.yaml
+++ b/helm/api7ee-demo-k8s/values.yaml
@@ -242,6 +242,9 @@ api7:
 enabled: true
 issuer: cloudflare-acme-prod # ClusterIssuer name
 issuerKind: ClusterIssuer # or Issuer
+ # Private key configuration
+ privateKey:
+ rotationPolicy: Always # Always or Never (cert-manager >= v1.18.0 default is Always)
 # Option 2: Use existing secret
 secretName: "" # Name of existing TLS secret
 # Option 3: Provide certificates directly (not recommended for production)
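Review bot: The key parameters in the added `privateKey` block of certificate.yaml are fixed in the template (`algorithm: RSA`, `size: 2048`, `encoding: PKCS1`) while only `rotationPolicy` comes from values, so an operator who needs a larger RSA key or an ECDSA key has to patch the chart. I would read them from values with the current settings as defaults, e.g. `algorithm: {{ .Values.api7.tls.privateKey.algorithm | default "RSA" }}` and `size: {{ .Values.api7.tls.privateKey.size | default 2048 }}`. The `rotationPolicy` line dereferences `.Values.api7.tls.privateKey` before `default` is applied, so rendering fails on a nil map if that key is absent or sits at another level; the indentation of the values.yaml hunk is not recoverable on this page, so please confirm the new key really lands under `api7.tls`. Piping the value through `quote`, as the `hosts` entries just above do, would also keep an override from being retyped by the YAML parser.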
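Review bot: The comment added on `rotationPolicy` in values.yaml lists the allowed values but not what choosing `Never` costs. With `Never` cert-manager keeps the existing private key across renewals, so the 90-day `duration` set in the certificate template no longer bounds how long a leaked key remains usable. I would extend the comment to say so, e.g. `# Always: new key on every renewal; Never: key is reused, so a leaked key survives renewals`. The mapping that encloses these lines starts outside the hunk.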