From fbee2c07dc128c22064ceaaed7863003b4cb2ff6 Mon Sep 17 00:00:00 2001
From: Parfenov Ivan
Date: Tue, 22 Jul 2025 09:04:15 +0300
Subject: [PATCH] [openvpn] Transferring routes from rotated certs (#382)

Signed-off-by: Paramoshka
---
 kubernetes.go | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/kubernetes.go b/kubernetes.go
index 8aab004..8b4e4ca 100644
--- a/kubernetes.go
+++ b/kubernetes.go
@@ -32,7 +32,7 @@ const (
 privKeyFileName = "tls.key"
 )
 
-//Z
+// Z
 const indexTxtDateFormat = "060102150405Z"
 
 var namespace = "default"
@@ -470,6 +470,11 @@ func (openVPNPKI *OpenVPNPKI) easyrsaRotate(commonName, newPassword string) (err
 return
 }
 
+ err = openVPNPKI.transferRoutes(secret, commonName)
+ if err != nil {
+ return
+ }
+
 err = openVPNPKI.indexTxtUpdate()
 if err != nil {
 return
@@ -774,3 +779,16 @@ func (openVPNPKI *OpenVPNPKI) secretCheckExists(name string) (bool, string) {
 }
 return true, secret.ResourceVersion
 }
+
+// transferRoutes transfers configured routes from revoked certs to a new one
+func (openVPNPKI *OpenVPNPKI) transferRoutes(revokedSecret *v1.Secret, newNameCert string) error {
+ ccd, ok := revokedSecret.Data["ccd"]
+ if !ok || len(ccd) == 0 {
+ log.Infof("No CCD data found in secret %s", revokedSecret.Name)
+ return nil
+ }
+
+ openVPNPKI.secretUpdateCcd(newNameCert, ccd)
+
+ return nil
+}
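Review bot: The new early `return` in easyrsaRotate sits ahead of `openVPNPKI.indexTxtUpdate()`, so a failed route transfer would end the rotation before index.txt is refreshed. The steps that precede this point are outside the hunk, so whether the old certificate has already been revoked by then is an assumption to confirm. As the patch stands the branch cannot be taken, because transferRoutes only ever returns nil. If transferRoutes is later made to report failures, consider calling `indexTxtUpdate()` regardless and returning the transfer error afterwards, with a comment such as `// CCD copy must not prevent the index update that records the revocation`.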
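Review bot: transferRoutes returns nil on every path, so a failed CCD write inside `openVPNPKI.secretUpdateCcd(newNameCert, ccd)` looks like success to easyrsaRotate. The rotated certificate could then be left without the per-client routes that the old secret carried under `ccd`. secretUpdateCcd is defined outside this diff; if it returns an error, propagate it with `return openVPNPKI.secretUpdateCcd(newNameCert, ccd)`, and if it only logs, it is worth giving it an error result. `revokedSecret` is dereferenced without a nil check, so `if revokedSecret == nil { return nil }` at the top would guard against a caller passing a failed lookup. The doc comment could also state that a missing or empty `ccd` key is treated as nothing to transfer.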