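{{- if and (.Values.gitlab_runner.enabled) (.Values.gitlab_runner.createCertSecret) }}
# One-shot Job that copies the cluster CA certificate and private key from the
# host filesystem of a control-plane (etcd) node into the `itp-cluster-ca` TLS
# Secret in the `gitlab` namespace. The cert files on the host are rotated by
# the NixOS service manager; this Job runs once at install time so the Secret
# exists immediately instead of waiting for the periodic CronJob.
#
# Security notes:
#   - The pod mounts the cluster CA *private key* from the host via hostPath.
#     Whoever can read the resulting Secret, or exec into this pod, holds the
#     CA key; review who has `secrets` access in the `gitlab` namespace.
#   - hostPath volumes are typically rejected by the `baseline`/`restricted`
#     Pod Security Standards, so this namespace must allow them (or be exempt).
#   - The host files must be readable by UID 12000; `fsGroup` is not applied to
#     hostPath volumes, so this depends on file permissions on the node.
#   - The image is referenced by tag only. For a job that handles the CA key,
#     pin to a digest (`bitnami/kubectl:1.24@sha256:...`) so the image cannot
#     be swapped underneath the deployment.
apiVersion: batch/v1
kind: Job
metadata:
  name: cert-create
  namespace: gitlab
spec:
  template:
    metadata:
      labels:
        # Selected by the `default-deny-egress` NetworkPolicy below.
        block-egress: "true"
      annotations:
        linkerd.io/inject: disabled
    spec:
      restartPolicy: Never
      serviceAccountName: cert-secret-updater
      securityContext:
        runAsNonRoot: true
        runAsUser: 12000
        runAsGroup: 13000
        fsGroup: 10000
        seccompProfile:
          type: RuntimeDefault
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  # NOTE(review): non-standard label; the upstream convention
                  # is the key `node-role.kubernetes.io/control-plane` with an
                  # empty value. Kept as-is — confirm against this cluster's
                  # actual node labels.
                  - key: node-role.kubernetes.io
                    operator: In
                    values:
                      - control-plane
      tolerations:
        - key: unschedulable
          value: "true"
          effect: NoSchedule
      containers:
        - name: kubectl
          image: bitnami/kubectl:1.24
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            # kubectl needs no Linux capabilities; drop them all.
            capabilities:
              drop:
                - ALL
          command:
            - /bin/sh
            - -c
            - /tmp/renew-certs/renew-certs.sh
          volumeMounts:
            # The CA material is only ever read here — mount it read-only so a
            # compromised container cannot tamper with the host's CA files.
            - name: ca-pem
              mountPath: /tmp/ca.pem
              readOnly: true
            - name: ca-key-pem
              mountPath: /tmp/ca-key.pem
              readOnly: true
            - name: certs-script
              mountPath: /tmp/renew-certs
              readOnly: true
      volumes:
        - name: ca-pem
          hostPath:
            path: "{{ .Values.cluster_config.initca }}/ca.pem"
            type: File
        - name: ca-key-pem
          hostPath:
            path: "{{ .Values.cluster_config.initca }}/ca-key.pem"
            type: File
        - name: certs-script
          configMap:
            name: renew-certs-script
            defaultMode: 0755
---
# Script executed by the Job above. It renders the TLS Secret client-side and
# applies it in a single pipeline, so the CA private key is never written to
# an intermediate file (the original wrote /tmp/new-secret.yaml, leaving the
# key in the container's writable layer). `set -euo pipefail` makes a failed
# render abort the job instead of applying an empty or partial manifest.
apiVersion: v1
kind: ConfigMap
metadata:
  name: renew-certs-script
  namespace: gitlab
data:
  renew-certs.sh: |
    #!/bin/bash
    set -euo pipefail
    kubectl create secret tls -n gitlab itp-cluster-ca \
      --cert=/tmp/ca.pem --key=/tmp/ca-key.pem \
      --dry-run=client -o yaml | kubectl apply -f -
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-secret-updater
  namespace: gitlab
---
# Least-privilege RBAC for the Job's service account.
#
# `kubectl apply` does a GET, then a POST (create) if the object is missing or
# a PATCH if it exists. Kubernetes cannot restrict `create` by `resourceNames`
# (a create request carries no object name at authorization time), so a rule
# that combines `resourceNames` with create — as the original single rule
# did — denies the very first creation of the Secret. The create grant is
# therefore namespace-wide on secrets, while everything that *can* be scoped
# to the one Secret is. Explicit verbs replace the original `'*'` so the
# service account cannot delete, list or watch secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-secret-updater-role
  namespace: gitlab
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - itp-cluster-ca
    verbs:
      - get
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-secret-updater-rbinding
  namespace: gitlab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-secret-updater-role
subjects:
  - kind: ServiceAccount
    name: cert-secret-updater
    namespace: gitlab
---
# Deny all egress from pods labelled `block-egress: "true"` (the Job pod).
#
# NOTE(review): with `policyTypes: [Egress]` and no `egress` rules, an
# enforcing CNI blocks *all* egress from the Job — including kubectl's
# traffic to the API server, which the script needs. If this policy is really
# enforced in this cluster, add an explicit egress rule to the API server
# endpoint; if it relies on a CNI-specific exception for host/API-server
# traffic, document that dependency here.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: gitlab
spec:
  podSelector:
    matchLabels:
      block-egress: "true"
  policyTypes:
    - Egress
---
{{- end }}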