#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-issuer
  namespace: tools
  labels:
    app: cert-issuer
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-issuer
  namespace: tools
  labels:
    app: cert-issuer
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create, get, patch, update, watch, delete]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cert-issuer
  namespace: tools
  labels:
    app: cert-issuer
subjects:
  - kind: ServiceAccount
    name: cert-issuer
    namespace: tools
roleRef:
  kind: Role
  name: cert-issuer
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
  name: cert-issuer
  namespace: tools
  labels:
    app: cert-issuer
spec:
  template:
    spec:
      serviceAccountName: cert-issuer
      initContainers:
      - name: generate-certs
        image: cfssl/cfssl:1.5.0
        imagePullPolicy: IfNotPresent
        command: ["/bin/bash"]
        args:
        - -c
        - |
          cd /var/certs
          cfssl print-defaults config > /tmp/cfssl-default.json
          echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > /tmp/csr.json

          echo "generating CA key..."
          cfssl genkey \
            -config /tmp/cfssl-default.json \
            -initca /tmp/csr.json \
            | cfssljson -bare ca

          echo "generating Dex server certificate..."
          cfssl gencert \
            -ca ca.pem -ca-key ca-key.pem \
            -config /tmp/cfssl-default.json \
            -profile www \
            -cn "dex.tools.svc.cluster.local" \
            -hostname "dex.tools.svc.cluster.local" \
            /tmp/csr.json \
            | cfssljson -bare dex

          # Cheat and add 127.0.0.1 as an IP SAN so we can use the ldaps port through port forwarding.
          # Also allow the server to be accessed by multiple Service names to different Services
          # can provide/hide different ports.
          echo "generating LDAP server certificate..."
          cfssl gencert \
            -ca ca.pem -ca-key ca-key.pem \
            -config /tmp/cfssl-default.json \
            -profile www \
            -cn "ldap.tools.svc.cluster.local" \
            -hostname "ldap.tools.svc.cluster.local,ldaps.tools.svc.cluster.local,ldapstarttls.tools.svc.cluster.local,127.0.0.1" \
            /tmp/csr.json \
            | cfssljson -bare ldap

          chmod -R 777 /var/certs

          echo
          echo "generated certificates:"
          ls -l /var/certs
          echo
          echo "CA cert..."
          cat ca.pem | openssl x509 -text
          echo
          echo "Dex cert..."
          cat dex.pem | openssl x509 -text
          echo
          echo "LDAP cert..."
          cat ldap.pem | openssl x509 -text
        volumeMounts:
        - name: certs
          mountPath: /var/certs
      containers:
      - name: save-certs
        image: bitnami/kubectl
        command: ["/bin/bash"]
        args:
        - -c
        - |
          kubectl create secret generic -n tools certs --from-file=/var/certs \
            --dry-run=client --output yaml | kubectl apply -f -
        volumeMounts:
        - name: certs
          mountPath: /var/certs
      volumes:
      - name: certs
        emptyDir: {}
      restartPolicy: Never