From 0a71607546697db5658164cfff527f8d0c91bba8 Mon Sep 17 00:00:00 2001
From: Markus Bauer
Date: Thu, 26 Jun 2025 12:34:03 +0200
Subject: [PATCH 1/2] Add removeRootsFromChain option

---
 api/v1beta1/vaultpkisecret_types.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/api/v1beta1/vaultpkisecret_types.go b/api/v1beta1/vaultpkisecret_types.go
index e0ae08808..b487f15e7 100644
--- a/api/v1beta1/vaultpkisecret_types.go
+++ b/api/v1beta1/vaultpkisecret_types.go
@@ -118,6 +118,8 @@ type VaultPKISecretSpec struct {
 	// ExcludeCNFromSans from DNS or Email Subject Alternate Names.
 	// Default: false
 	ExcludeCNFromSans bool `json:"excludeCNFromSans,omitempty"`
+	// +kubebuilder:default=true
+	RemoveRootsFromChain bool `json:"removeRootsFromChain,omitempty"`
 }
 
 // VaultPKISecretStatus defines the observed state of VaultPKISecret
@@ -163,7 +165,7 @@ func (v *VaultPKISecret) GetIssuerAPIData() map[string]interface{} {
 		"ttl": v.Spec.TTL,
 		"not_after": v.Spec.NotAfter,
 		"exclude_cn_from_sans": v.Spec.ExcludeCNFromSans,
-		"remove_roots_from_chain": true,
+		"remove_roots_from_chain": v.Spec.RemoveRootsFromChain,
 	}
 
 	if v.Spec.Format != "" {

From f0c86c8a0a91e8c9f5a4ae8e1841ed74ca044ff4 Mon Sep 17 00:00:00 2001
From: Markus Bauer
Date: Thu, 26 Jun 2025 12:35:25 +0200
Subject: [PATCH 2/2] Add test for removeRootsFromChain

---
 api/v1beta1/vaultpkisecret_types_test.go | 30 ++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/api/v1beta1/vaultpkisecret_types_test.go b/api/v1beta1/vaultpkisecret_types_test.go
index ac35aed56..3597e76c6 100644
--- a/api/v1beta1/vaultpkisecret_types_test.go
+++ b/api/v1beta1/vaultpkisecret_types_test.go
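Review bot: In the first hunk, declaring `RemoveRootsFromChain bool` with `omitempty` and `+kubebuilder:default=true` makes `false` unsettable through typed clients: a zero-value bool is dropped from the serialized object, the API server then applies the default, and the field comes back as `true` — so any client that round-trips the object through this Go type (the operator's own writes included) would silently revert an explicit `false`. The second hunk inherits the problem, because `v.Spec.RemoveRootsFromChain` can then only ever observe the defaulted value for objects written that way. The conventional fix is a `*bool` with the same default plus a nil check when building the API data, as below; the generated deepcopy and CRD manifest would need regenerating, which this diff does not show. The new exported field also lacks the doc comment its siblings carry; add `// RemoveRootsFromChain controls whether self-signed root CA certificates are removed from the certificate chain returned by Vault.` followed by `// Default: true`. GetIssuerAPIData begins outside the second hunk.

```go
	// RemoveRootsFromChain controls whether self-signed root CA certificates are
	// removed from the certificate chain returned by Vault.
	// Default: true
	// +kubebuilder:default=true
	RemoveRootsFromChain *bool `json:"removeRootsFromChain,omitempty"`
	// … unchanged: rest of VaultPKISecretSpec …

func (v *VaultPKISecret) GetIssuerAPIData() map[string]interface{} {
	// nil means the field was never set: keep the previous behaviour of stripping roots,
	// while an explicit false survives serialization because a non-nil pointer is never omitted.
	removeRoots := true
	if v.Spec.RemoveRootsFromChain != nil {
		removeRoots = *v.Spec.RemoveRootsFromChain
	}
	// … unchanged: other map entries …
		"remove_roots_from_chain": removeRoots,
```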
@@ -96,6 +96,36 @@ func TestVaultPKISecret_GetIssuerAPIData(t *testing.T) {
 				"remove_roots_from_chain": true,
 			},
 		},
+		{
+			name: "remove-roots-false",
+			spec: VaultPKISecretSpec{
+				CommonName: "qux",
+				AltNames: []string{"foo", "baz"},
+				IPSans: []string{"buz", "qux"},
+				URISans: []string{"*.foo.net", "*.baz.net"},
+				OtherSans: []string{"other1", "other2"},
+				UserIDs: []string{"12345", "67890"},
+				TTL: "30s",
+				NotAfter: "2026-05-01T00:00:00Z",
+				Format: "pem",
+				PrivateKeyFormat: "rsa",
+				RemoveRootsFromChain: false,
+			},
+			want: map[string]interface{}{
+				"common_name": "qux",
+				"alt_names": "foo,baz",
+				"ip_sans": "buz,qux",
+				"uri_sans": "*.foo.net,*.baz.net",
+				"other_sans": "other1,other2",
+				"user_ids": "12345,67890",
+				"ttl": "30s",
+				"not_after": "2026-05-01T00:00:00Z",
+				"exclude_cn_from_sans": false,
+				"format": "pem",
+				"private_key_format": "rsa",
+				"remove_roots_from_chain": false,
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
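Review bot: The case immediately above the new one still expects `"remove_roots_from_chain": true` (the context line at the top of the hunk), yet this commit only inserts lines, so its spec — outside the hunk — presumably does not set `RemoveRootsFromChain`; with the new plain bool field the zero value is `false`, and that existing case would fail unless its spec is updated. The added `remove-roots-false` case sets the field to its zero value explicitly, so it cannot distinguish "explicitly false" from "unset", which is precisely the distinction a defaulted bool needs to prove; if the field becomes a pointer, set it to a pointer to `false` here and add a `remove-roots-unset` case asserting `true`. TestVaultPKISecret_GetIssuerAPIData begins outside the hunk.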