From 6bf59059c8a90772d692c73baff5b700a5b939e2 Mon Sep 17 00:00:00 2001
From: Rafal Korepta
Date: Wed, 16 Oct 2024 16:56:50 +0200
Subject: [PATCH] Use certification path const in all places
---
 charts/redpanda/configmap.tpl.go | 20 ++++++------
 charts/redpanda/console.tpl.go | 2 +-
 charts/redpanda/helpers.go | 4 +--
 charts/redpanda/secrets.go | 2 +-
 charts/redpanda/templates/_configmap.go.tpl | 16 +++++-----
 charts/redpanda/templates/_console.go.tpl | 2 +-
 charts/redpanda/templates/_helpers.go.tpl | 4 +--
 charts/redpanda/templates/_secrets.go.tpl | 2 +-
 charts/redpanda/templates/_values.go.tpl | 16 +++++-----
 charts/redpanda/values.go | 35 +++++++++++----------
 10 files changed, 53 insertions(+), 50 deletions(-)
diff --git a/charts/redpanda/configmap.tpl.go b/charts/redpanda/configmap.tpl.go
index a78e012ada..ad266c324c 100644
--- a/charts/redpanda/configmap.tpl.go
+++ b/charts/redpanda/configmap.tpl.go
@@ -350,8 +350,8 @@ func rpkKafkaClientTLSConfiguration(dot *helmette.Dot) map[string]any {
 }
 if tls.RequireClientAuth {
- result["cert_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.crt", Fullname(dot))
- result["key_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.key", Fullname(dot))
+ result["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(dot))
+ result["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(dot))
 }
 return result
@@ -374,8 +374,8 @@ func rpkAdminAPIClientTLSConfiguration(dot *helmette.Dot) map[string]any {
 }
 if tls.RequireClientAuth {
- result["cert_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.crt", Fullname(dot))
- result["key_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.key", Fullname(dot))
+ result["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(dot))
+ result["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(dot))
 }
 return result
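Review bot: The mTLS client directory is spelled out as `fmt.Sprintf("%s/%s-client/…", certificateMountPoint, Fullname(dot))` twice in this hunk and again in rpkAdminAPIClientTLSConfiguration, kafkaClient, CommonMounts (the `mtls-client` mount) and adminTLSCurlFlags, so the volume mount path and the paths written into the rendered config only agree by repetition. A single helper pins that contract in one place, e.g. `func clientCertDir(dot *helmette.Dot) string { return fmt.Sprintf("%s/%s-client", certificateMountPoint, Fullname(dot)) }`, with call sites reduced to `result["cert_file"] = fmt.Sprintf("%s/tls.crt", clientCertDir(dot))`. A one-line doc comment on the helper stating that it must match the `mtls-client` mount in CommonMounts would make the coupling visible to whoever next edits either side. The enclosing functions in both hunks start outside the hunk.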
@@ -409,8 +409,8 @@ func kafkaClient(dot *helmette.Dot) map[string]any {
 }
 if kafkaTLS.RequireClientAuth {
- brokerTLS["cert_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.crt", Fullname(dot))
- brokerTLS["key_file"] = fmt.Sprintf("/etc/tls/certs/%s-client/tls.key", Fullname(dot))
+ brokerTLS["cert_file"] = fmt.Sprintf("%s/%s-client/tls.crt", certificateMountPoint, Fullname(dot))
+ brokerTLS["key_file"] = fmt.Sprintf("%s/%s-client/tls.key", certificateMountPoint, Fullname(dot))
 }
 }
@@ -496,8 +496,8 @@ func rpcListenersTLS(dot *helmette.Dot) map[string]any {
 return map[string]any{
 "enabled": true,
- "cert_file": fmt.Sprintf("/etc/tls/certs/%s/tls.crt", certName),
- "key_file": fmt.Sprintf("/etc/tls/certs/%s/tls.key", certName),
+ "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, certName),
+ "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, certName),
 "require_client_auth": r.TLS.RequireClientAuth,
 "truststore_file": r.TLS.TrustStoreFilePath(&values.TLS),
 }
@@ -521,8 +521,8 @@ func createInternalListenerTLSCfg(tls *TLS, internal InternalTLS) map[string]any
 return map[string]any{
 "name": "internal",
 "enabled": true,
- "cert_file": fmt.Sprintf("/etc/tls/certs/%s/tls.crt", internal.Cert),
- "key_file": fmt.Sprintf("/etc/tls/certs/%s/tls.key", internal.Cert),
+ "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, internal.Cert),
+ "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, internal.Cert),
 "require_client_auth": internal.RequireClientAuth,
 "truststore_file": internal.TrustStoreFilePath(tls),
 }
diff --git a/charts/redpanda/console.tpl.go b/charts/redpanda/console.tpl.go
index 61e88e3a25..2f57c863be 100644
--- a/charts/redpanda/console.tpl.go
+++ b/charts/redpanda/console.tpl.go
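Review bot: The cert_file/key_file pair built from `certName` in rpcListenersTLS is the same two-line expression as in createInternalListenerTLSCfg in the next hunk and in the four ListenersTLS methods in values.go (AdminListeners, HTTPListeners, KafkaListeners, SchemaRegistryListeners), so the tls.crt/tls.key file names inside a certificate directory are now repeated six times on top of the directory constant this commit introduces. Two small helpers would leave nowhere for them to diverge: `func certFilePath(cert string) string { return fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, cert) }` and a matching `keyFilePath`, each documented as the path at which the cert's secret is mounted by CommonMounts. Either way, the comment on the listener maps could note that these paths are read by the Redpanda process at startup, so a mismatch with the mount surfaces only as a runtime TLS failure. The enclosing functions begin outside the hunks.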
@@ -147,7 +147,7 @@ func consoleTLSVolumesMounts(dot *helmette.Dot) []corev1.VolumeMount {
 mounts = append(mounts, corev1.VolumeMount{
 Name: fmt.Sprintf("redpanda-%s-cert", tlsCfg.Cert),
- MountPath: fmt.Sprintf("/etc/tls/certs/%s", tlsCfg.Cert),
+ MountPath: fmt.Sprintf("%s/%s", certificateMountPoint, tlsCfg.Cert),
 })
 }
diff --git a/charts/redpanda/helpers.go b/charts/redpanda/helpers.go
index a38e935f83..6a56c96491 100644
--- a/charts/redpanda/helpers.go
+++ b/charts/redpanda/helpers.go
@@ -220,7 +220,7 @@ func CommonMounts(dot *helmette.Dot) []corev1.VolumeMount {
 mounts = append(mounts, corev1.VolumeMount{
 Name: fmt.Sprintf("redpanda-%s-cert", name),
- MountPath: fmt.Sprintf("/etc/tls/certs/%s", name),
+ MountPath: fmt.Sprintf("%s/%s", certificateMountPoint, name),
 })
 }
@@ -228,7 +228,7 @@ func CommonMounts(dot *helmette.Dot) []corev1.VolumeMount {
 if adminTLS.RequireClientAuth {
 mounts = append(mounts, corev1.VolumeMount{
 Name: "mtls-client",
- MountPath: fmt.Sprintf("/etc/tls/certs/%s-client", Fullname(dot)),
+ MountPath: fmt.Sprintf("%s/%s-client", certificateMountPoint, Fullname(dot)),
 })
 }
 }
diff --git a/charts/redpanda/secrets.go b/charts/redpanda/secrets.go
index e6f0a7af5f..a9a41ca145 100644
--- a/charts/redpanda/secrets.go
+++ b/charts/redpanda/secrets.go
@@ -685,7 +685,7 @@ func adminTLSCurlFlags(dot *helmette.Dot) string {
 }
 if values.Listeners.Admin.TLS.RequireClientAuth {
- path := fmt.Sprintf("/etc/tls/certs/%s-client", Fullname(dot))
+ path := fmt.Sprintf("%s/%s-client", certificateMountPoint, Fullname(dot))
 return fmt.Sprintf("--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key", path, path, path)
 }
diff --git a/charts/redpanda/templates/_configmap.go.tpl b/charts/redpanda/templates/_configmap.go.tpl
index 5f234bfecd..5425d6e8ea 100644
--- a/charts/redpanda/templates/_configmap.go.tpl
+++ b/charts/redpanda/templates/_configmap.go.tpl
@@ -282,8 +282,8 @@
 {{- end -}}
 {{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}}
 {{- if $tls.requireClientAuth -}}
-{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
-{{- $_ := (set $result "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
 {{- end -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" $result) | toJson -}}
@@ -304,8 +304,8 @@
 {{- end -}}
 {{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}}
 {{- if $tls.requireClientAuth -}}
-{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
-{{- $_ := (set $result "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
 {{- end -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" $result) | toJson -}}
@@ -330,8 +330,8 @@
 {{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}}
 {{- $brokerTLS = (dict "enabled" true "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $kafkaTLS $values.tls) ))) "r") ) -}}
 {{- if $kafkaTLS.requireClientAuth -}}
-{{- $_ := (set $brokerTLS "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
-{{- $_ := (set $brokerTLS "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_ := (set $brokerTLS "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_ := (set $brokerTLS "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
 {{- end -}}
 {{- end -}}
 {{- $cfg := (dict "brokers" $brokerList ) -}}
@@ -422,7 +422,7 @@
 {{- end -}}
 {{- $certName := $r.tls.cert -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (dict "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls) ))) "r") )) | toJson -}}
+{{- (dict "r" (dict "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls) ))) "r") )) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}
@@ -449,7 +449,7 @@
 {{- break -}}
 {{- end -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $internal.cert) "key_file" (printf "/etc/tls/certs/%s/tls.key" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls) ))) "r") )) | toJson -}}
+{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $internal.cert) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls) ))) "r") )) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/redpanda/templates/_console.go.tpl b/charts/redpanda/templates/_console.go.tpl
index 8a257ee63b..bee783a823 100644
--- a/charts/redpanda/templates/_console.go.tpl
+++ b/charts/redpanda/templates/_console.go.tpl
@@ -71,7 +71,7 @@
 {{- continue -}}
 {{- end -}}
 {{- $_ := (set $visitedCert $tlsCfg.cert true) -}}
-{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert) "mountPath" (printf "/etc/tls/certs/%s" $tlsCfg.cert) )))) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert) "mountPath" (printf "%s/%s" "/etc/tls/certs" $tlsCfg.cert) )))) -}}
 {{- end -}}
 {{- if $_is_returning -}}
 {{- break -}}
diff --git a/charts/redpanda/templates/_helpers.go.tpl b/charts/redpanda/templates/_helpers.go.tpl
index 58805d14c5..0314d29a41 100644
--- a/charts/redpanda/templates/_helpers.go.tpl
+++ b/charts/redpanda/templates/_helpers.go.tpl
@@ -235,14 +235,14 @@
 {{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}}
 {{- continue -}}
 {{- end -}}
-{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "/etc/tls/certs/%s" $name) )))) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "%s/%s" "/etc/tls/certs" $name) )))) -}}
 {{- end -}}
 {{- if $_is_returning -}}
 {{- break -}}
 {{- end -}}
 {{- $adminTLS := $values.listeners.admin.tls -}}
 {{- if $adminTLS.requireClientAuth -}}
-{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "/etc/tls/certs/%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}}
 {{- end -}}
 {{- end -}}
 {{- $_is_returning = true -}}
diff --git a/charts/redpanda/templates/_secrets.go.tpl b/charts/redpanda/templates/_secrets.go.tpl
index 5b91c2ce61..7baaa0d4a7 100644
--- a/charts/redpanda/templates/_secrets.go.tpl
+++ b/charts/redpanda/templates/_secrets.go.tpl
@@ -332,7 +332,7 @@ echo "passed"`) -}}
 {{- break -}}
 {{- end -}}
 {{- if $values.listeners.admin.tls.requireClientAuth -}}
-{{- $path := (printf "/etc/tls/certs/%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- $path := (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
 {{- $_is_returning = true -}}
 {{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}}
 {{- break -}}
diff --git a/charts/redpanda/templates/_values.go.tpl b/charts/redpanda/templates/_values.go.tpl
index b17648f6d7..386b647f67 100644
--- a/charts/redpanda/templates/_values.go.tpl
+++ b/charts/redpanda/templates/_values.go.tpl
@@ -602,7 +602,7 @@
 {{- end -}}
 {{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" $t.cert)) | toJson -}}
+{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- $_is_returning = true -}}
@@ -618,11 +618,11 @@
 {{- $_is_returning := false -}}
 {{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" $t.cert)) | toJson -}}
+{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (printf "/etc/tls/certs/%s/tls.crt" $t.cert)) | toJson -}}
+{{- (dict "r" (printf "%s/%s/tls.crt" "/etc/tls/certs" $t.cert)) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}
@@ -663,7 +663,7 @@
 {{- end -}}
 {{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls) ))) "r").caEnabled -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r"))) | toJson -}}
+{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r"))) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- $_is_returning = true -}}
@@ -754,7 +754,7 @@
 {{- continue -}}
 {{- end -}}
 {{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}}
-{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
+{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
 {{- end -}}
 {{- if $_is_returning -}}
 {{- break -}}
@@ -852,7 +852,7 @@
 {{- continue -}}
 {{- end -}}
 {{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}}
-{{- $pp = (concat (default (list ) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
+{{- $pp = (concat (default (list ) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
 {{- end -}}
 {{- if $_is_returning -}}
 {{- break -}}
@@ -950,7 +950,7 @@
 {{- continue -}}
 {{- end -}}
 {{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}}
-{{- $kafka = (concat (default (list ) $kafka) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
+{{- $kafka = (concat (default (list ) $kafka) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
 {{- end -}}
 {{- if $_is_returning -}}
 {{- break -}}
@@ -1078,7 +1078,7 @@
 {{- continue -}}
 {{- end -}}
 {{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}}
-{{- $listeners = (concat (default (list ) $listeners) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
+{{- $listeners = (concat (default (list ) $listeners) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
 {{- end -}}
 {{- if $_is_returning -}}
 {{- break -}}
diff --git a/charts/redpanda/values.go b/charts/redpanda/values.go
index d64aecd0b3..b8cdbbbb4b 100644
--- a/charts/redpanda/values.go
+++ b/charts/redpanda/values.go
@@ -32,7 +32,10 @@ const (
 // job's container.
 PostUpgradeContainerName = "post-upgrade"
- certificationMountPoint = "/etc/tls/certs"
+ // certificateMountPoint is a common mount point for any TLS certificate
+ // defined as external truststore or as certificate that would be
+ // created by cert-manager.
+ certificateMountPoint = "/etc/tls/certs"
 )
 // values.go contains a collection of go structs that (loosely) map to
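Review bot: The new doc comment on `certificateMountPoint` says what is mounted there but not what depends on the value: CommonMounts and consoleTLSVolumesMounts mount every TLS secret under it, and every cert_file, key_file and truststore_file path in the rendered Redpanda config is derived from it, so the directory and the config can only be changed together. The transpiled templates under templates/ appear to inline the literal `"/etc/tls/certs"` instead of referencing the constant (see the `printf "%s/%s/…" "/etc/tls/certs"` lines in the earlier hunks), so a change here does not reach the chart until the templates are regenerated. A sentence on the constant would save the next editor from discovering this at deploy time, e.g. `// The generated templates in templates/ inline this value; regenerate them after changing it.` The const block starts outside the hunk.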
@@ -1049,7 +1052,7 @@ func (t *InternalTLS) TrustStoreFilePath(tls *TLS) string {
 }
 if tls.Certs.MustGet(t.Cert).CAEnabled {
- return fmt.Sprintf("/etc/tls/certs/%s/ca.crt", t.Cert)
+ return fmt.Sprintf("%s/%s/ca.crt", certificateMountPoint, t.Cert)
 }
 return defaultTruststorePath
@@ -1059,14 +1062,14 @@ func (t *InternalTLS) TrustStoreFilePath(tls *TLS) string {
 // verify a connection with this server.
 func (t *InternalTLS) ServerCAPath(tls *TLS) string {
 if tls.Certs.MustGet(t.Cert).CAEnabled {
- return fmt.Sprintf("/etc/tls/certs/%s/ca.crt", t.Cert)
+ return fmt.Sprintf("%s/%s/ca.crt", certificateMountPoint, t.Cert)
 }
 // Strange but technically correct, if CAEnabled is false, we can't safely
 // assume that a ca.crt file will exist. So we fallback to using the
 // server's certificate itself.
 // Other options would be: failing or falling back to the container's
 // default truststore.
- return fmt.Sprintf("/etc/tls/certs/%s/tls.crt", t.Cert)
+ return fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, t.Cert)
 }
 // ExternalTLS is the TLS configuration associated with a given "external"
@@ -1097,7 +1100,7 @@ func (t *ExternalTLS) TrustStoreFilePath(i *InternalTLS, tls *TLS) string {
 }
 if t.GetCert(i, tls).CAEnabled {
- return fmt.Sprintf("/etc/tls/certs/%s/ca.crt", t.GetCertName(i))
+ return fmt.Sprintf("%s/%s/ca.crt", certificateMountPoint, t.GetCertName(i))
 }
 return defaultTruststorePath
@@ -1140,7 +1143,7 @@ func (l *AdminListeners) ConsoleTLS(tls *TLS) ConsoleTLS {
 return t
 }
- adminAPIPrefix := fmt.Sprintf("%s/%s", certificationMountPoint, l.TLS.Cert)
+ adminAPIPrefix := fmt.Sprintf("%s/%s", certificateMountPoint, l.TLS.Cert)
 // Strange but technically correct, if CAEnabled is false, we can't safely
 // assume that a ca.crt file will exist. So we fallback to using the
@@ -1200,8 +1203,8 @@ func (l *AdminListeners) ListenersTLS(tls *TLS) []map[string]any {
 admin = append(admin, map[string]any{
 "name": k,
 "enabled": true,
- "cert_file": fmt.Sprintf("/etc/tls/certs/%s/tls.crt", certName),
- "key_file": fmt.Sprintf("/etc/tls/certs/%s/tls.key", certName),
+ "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, certName),
+ "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, certName),
 "require_client_auth": ptr.Deref(lis.TLS.RequireClientAuth, false),
 "truststore_file": lis.TLS.TrustStoreFilePath(&l.TLS, tls),
 })
@@ -1316,8 +1319,8 @@ func (l *HTTPListeners) ListenersTLS(tls *TLS) []map[string]any {
 pp = append(pp, map[string]any{
 "name": k,
 "enabled": true,
- "cert_file": fmt.Sprintf("/etc/tls/certs/%s/tls.crt", certName),
- "key_file": fmt.Sprintf("/etc/tls/certs/%s/tls.key", certName),
+ "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, certName),
+ "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, certName),
 "require_client_auth": ptr.Deref(lis.TLS.RequireClientAuth, false),
 "truststore_file": lis.TLS.TrustStoreFilePath(&l.TLS, tls),
 })
@@ -1445,8 +1448,8 @@ func (l *KafkaListeners) ListenersTLS(tls *TLS) []map[string]any {
 kafka = append(kafka, map[string]any{
 "name": k,
 "enabled": true,
- "cert_file": fmt.Sprintf("/etc/tls/certs/%s/tls.crt", certName),
- "key_file": fmt.Sprintf("/etc/tls/certs/%s/tls.key", certName),
+ "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, certName),
+ "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, certName),
 "require_client_auth": ptr.Deref(lis.TLS.RequireClientAuth, false),
 "truststore_file": lis.TLS.TrustStoreFilePath(&l.TLS, tls),
 })
@@ -1481,7 +1484,7 @@ func (k *KafkaListeners) ConsoleTLS(tls *TLS) ConsoleTLS {
 return t
 }
- kafkaPathPrefix := fmt.Sprintf("%s/%s", certificationMountPoint, k.TLS.Cert)
+ kafkaPathPrefix := fmt.Sprintf("%s/%s", certificateMountPoint, k.TLS.Cert)
 // Strange but technically correct, if CAEnabled is false, we can't safely
 // assume that a ca.crt file will exist. So we fallback to using the
@@ -1600,8 +1603,8 @@ func (l *SchemaRegistryListeners) ListenersTLS(tls *TLS) []map[string]any {
 listeners = append(listeners, map[string]any{
 "name": k,
 "enabled": true,
- "cert_file": fmt.Sprintf("/etc/tls/certs/%s/tls.crt", certName),
- "key_file": fmt.Sprintf("/etc/tls/certs/%s/tls.key", certName),
+ "cert_file": fmt.Sprintf("%s/%s/tls.crt", certificateMountPoint, certName),
+ "key_file": fmt.Sprintf("%s/%s/tls.key", certificateMountPoint, certName),
 "require_client_auth": ptr.Deref(lis.TLS.RequireClientAuth, false),
 "truststore_file": lis.TLS.TrustStoreFilePath(&l.TLS, tls),
 })
@@ -1636,7 +1639,7 @@ func (sr *SchemaRegistryListeners) ConsoleTLS(tls *TLS) ConsoleTLS {
 return t
 }
- schemaRegistryPrefix := fmt.Sprintf("%s/%s", certificationMountPoint, sr.TLS.Cert)
+ schemaRegistryPrefix := fmt.Sprintf("%s/%s", certificateMountPoint, sr.TLS.Cert)
 // Strange but technically correct, if CAEnabled is false, we can't safely
 // assume that a ca.crt file will exist. So we fallback to using the