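---
# Cluster-wide issuers for cert-manager. All ClusterIssuers carry the Argo CD
# SkipDryRunOnMissingResource option because the cert-manager CRDs may not exist
# yet when the application is first synced.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: letsencrypt-production
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration.
    # Quoted via the Helm `quote` function so an empty or unusual value is always
    # rendered as a string scalar rather than null/re-typed by the YAML parser.
    email: {{ .Values.clusterConfig.acme_email | quote }}
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL (staging: untrusted certificates, relaxed rate limits)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration (see note on the production issuer)
    email: {{ .Values.clusterConfig.acme_email | quote }}
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx
---
# Issuer backed by the cluster CA. The referenced Secret lives in the cert-manager
# namespace and is populated by the cert-create Job below (when initca is set).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: ca-issuer
spec:
  ca:
    secretName: cluster-ca
---
# Self-signed issuer, typically used to bootstrap CA certificates.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: selfsigning-issuer
spec:
  selfSigned: {}
---
# Binds the front-proxy-client user (the aggregation-layer client identity) to
# the ClusterRole of the same name defined below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: front-proxy-client
subjects:
  - kind: User
    name: front-proxy-client
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: front-proxy-client
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: front-proxy-client
rules:
  # Access to the cert-manager webhook resources.
  # NOTE(review): a wildcard verb is kept from the original; confirm whether
  # the webhook actually needs more than create on these resources.
  - apiGroups:
      - "webhook.cert-manager.io"
    resources:
      - mutations
      - validations
    verbs:
      - "*"
  # Read-only access to the metrics API.
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch
---
{{ if .Values.clusterConfig.initca }}
# Pod to update certificates from master nodes
# only runs on control plane nodes (etcd)
# Mounts cert files rotated by nixos service.mgr and uses it to update cert-manager secret
# Always create certs on initial creation,
# Otherwise, cert creation would not happen until cronJob runs
# (the CronJob is not defined in this file).
#
# Security note: this Job copies the control-plane CA private key from the host
# into the cert-manager/cluster-ca Secret. Read access to that Secret is
# equivalent to holding the cluster CA key, so keep the Role below as narrow
# as possible and restrict who can read Secrets in the cert-manager namespace.
apiVersion: batch/v1
kind: Job
metadata:
  name: cert-create
  namespace: cert-manager
spec:
  backoffLimit: 1
  template:
    metadata:
      labels:
        # Selected by the default-deny-egress NetworkPolicy at the end of this file.
        block-egress: "true"
      annotations:
        linkerd.io/inject: disabled
    spec:
      restartPolicy: Never
      serviceAccountName: cert-secret-updater
      securityContext:
        # runAsNonRoot makes the kubelet reject the pod if the image ever
        # defaulted to uid 0; the explicit ids below already avoid that.
        runAsNonRoot: true
        runAsUser: 12000
        runAsGroup: 13000
        fsGroup: 10000
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  # NOTE(review): kubeadm-style clusters label control-plane nodes with
                  # the key "node-role.kubernetes.io/control-plane" and an empty value;
                  # confirm this key/value pair matches how nodes are labelled here.
                  - key: node-role.kubernetes.io
                    operator: In
                    values:
                      - control-plane
      tolerations:
        # NOTE(review): custom taint key; the upstream equivalent is
        # node.kubernetes.io/unschedulable — confirm which one the nodes carry.
        - key: unschedulable
          value: "true"
          effect: NoSchedule
      containers:
        - image: bitnami/kubectl:1.24
          name: kubectl
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            # kubectl needs no Linux capabilities.
            capabilities:
              drop:
                - ALL
          command:
            - "/bin/sh"
            - -c
            - /tmp/renew-certs/renew-certs.sh
          volumeMounts:
            # The CA material is only read, never written, so mount it read-only.
            - name: ca-pem
              mountPath: /tmp/ca.pem
              readOnly: true
            - name: ca-key-pem
              mountPath: /tmp/ca-key.pem
              readOnly: true
            - name: certs-script
              mountPath: /tmp/renew-certs
              readOnly: true
      volumes:
        # hostPath mounts of the CA files rotated on the control-plane node.
        # Templated paths are quoted so the rendered scalar is always a string.
        - name: ca-pem
          hostPath:
            path: "{{ .Values.clusterConfig.initca }}/ca.pem"
            type: File
        - name: ca-key-pem
          hostPath:
            path: "{{ .Values.clusterConfig.initca }}/ca-key.pem"
            type: File
        - name: certs-script
          configMap:
            name: renew-certs-script
            # Octal literal (0755) as used in upstream Kubernetes examples.
            defaultMode: 0755
---
# Script executed by the cert-create Job. It re-creates the cluster-ca TLS
# Secret from the host CA files mounted into the pod.
apiVersion: v1
kind: ConfigMap
metadata:
  name: renew-certs-script
  namespace: cert-manager
data:
  renew-certs.sh: |
    #! /bin/bash
    # Abort on the first failing command (including inside the pipeline) so a
    # failed render never results in an empty/partial manifest being applied
    # and the Job reports failure instead of a false success.
    set -euo pipefail
    # Render the Secret client-side and apply it directly from the pipe so the
    # CA private key is never written to the container filesystem.
    kubectl create secret tls -n cert-manager cluster-ca \
      --cert=/tmp/ca.pem --key=/tmp/ca-key.pem \
      --dry-run=client -o yaml | kubectl apply -f -
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-secret-updater
  namespace: cert-manager
---
# Least-privilege Role for the cert-create Job.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-secret-updater-role
  namespace: cert-manager
rules:
  # kubectl apply reads the existing object (get) and then patches/updates it,
  # so a wildcard verb is not needed on the named Secret.
  - apiGroups:
      - ""
    resourceNames:
      - cluster-ca
    resources:
      - secrets
    verbs:
      - get
      - patch
      - update
  # Kubernetes RBAC cannot restrict create by resourceName (the object name is
  # not known at authorization time), so the first run needs an unrestricted
  # create on secrets in this namespace. Drop this rule if cluster-ca is
  # always pre-created by other means.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-secret-updater-rbinding
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-secret-updater-role
subjects:
  - kind: ServiceAccount
    name: cert-secret-updater
    namespace: cert-manager
---
# Denies all egress from pods labelled block-egress=true (the cert-create Job):
# with policyTypes Egress and no egress rules listed, nothing is allowed out.
# NOTE(review): this also covers traffic to the API server unless the CNI
# exempts host-local/apiserver traffic — verify that kubectl apply from the
# Job still succeeds under this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: cert-manager
spec:
  podSelector:
    matchLabels:
      block-egress: "true"
  policyTypes:
    - Egress
---
{{ end }}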