#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#! ytt template for the Pinniped Concierge install.
#! NOTE(review): this is a prototype cut of the template. The Concierge Deployment, both
#! Services and both APIService registrations are intentionally omitted (see the empty
#! documents near the end), so some comments below refer to resources that are not present
#! in this file, and some loaded helpers (defaultLabel, deploymentPodLabel) are currently unused.

#@ load("@ytt:data", "data")
#@ load("@ytt:json", "json")
#@ load("helpers.lib.yaml", "defaultLabel", "labels", "deploymentPodLabel", "namespace", "defaultResourceName", "defaultResourceNameWithSuffix", "getAndValidateLogLevel", "pinnipedDevAPIGroupWithPrefix")
#@ load("@ytt:template", "template")

#@ if not data.values.into_namespace:
---
#! The Concierge namespace. Skipped when installing into an existing namespace
#! (data.values.into_namespace); every namespaced resource below resolves its namespace
#! through the namespace() helper from helpers.lib.yaml.
apiVersion: v1
kind: Namespace
metadata:
  name: #@ data.values.namespace
  labels:
    _: #@ template.replace(labels())
    #! When deploying onto a cluster which has Pod Security Admission (PSA) enabled by default
    #! for namespaces, effectively disable it for this namespace. The kube-cert-agent pods which
    #! the Concierge creates in this namespace need to be able to perform privileged actions.
    #! The regular Concierge pod containers do not need special privileges and are expected to
    #! declare that in their own securityContext settings (the Concierge Deployment that would
    #! carry those settings is not part of this prototype file).
    #! NOTE(review): this label exempts every pod admitted into the namespace, not only the
    #! kube-cert-agent, so keep the namespace dedicated to Pinniped. The warn and audit PSA
    #! labels are not set here; consider setting pod-security.kubernetes.io/warn and
    #! pod-security.kubernetes.io/audit to a stricter level so that any other workload landing
    #! in this namespace is at least reported rather than silently admitted.
    pod-security.kubernetes.io/enforce: privileged
#@ end
---
#! Service account for the Concierge pods themselves.
#! NOTE(review): the Deployment that would run under this service account is not included in
#! this prototype file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: #@ defaultResourceName()
  namespace: #@ namespace()
  labels: #@ labels()
---
#! Service account for the kube-cert-agent pods. Its name is handed to the Concierge through
#! names.agentServiceAccount in the ConfigMap below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: #@ defaultResourceNameWithSuffix("kube-cert-agent")
  namespace: #@ namespace()
  labels: #@ labels()
---
#! Service account for the impersonation proxy. Its token is held in an explicitly created
#! kubernetes.io/service-account-token Secret of the same name (the last document in this
#! file), so this service account must exist before that Secret is applied.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
  namespace: #@ namespace()
  labels: #@ labels()
  annotations:
    #! kapp change-group that the token Secret's change-rule orders itself after, so the
    #! service account is always created before the Secret.
    kapp.k14s.io/change-group: "impersonation-proxy.concierge.pinniped.dev/serviceaccount"
#! Pin the service account to exactly one token Secret so that the token controller does not
#! create any other secrets for it.
#! NOTE(review): a service-account-token Secret is a static, non-expiring credential (unlike a
#! projected token). Restrict read access to it with RBAC and rotate it by deleting and
#! re-applying the Secret.
secrets:
- name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
---
#! Concierge configuration, rendered as the pinniped.yaml key. The (@ ... @) markers inside the
#! block scalar are ytt text templating; the kube-cert-agent image, optional image pull secret
#! and optional log settings are only emitted when the corresponding data value is set.
#! The ConfigMap contains resource names and settings only, no secret material.
apiVersion: v1
kind: ConfigMap
metadata:
  name: #@ defaultResourceNameWithSuffix("config")
  namespace: #@ namespace()
  labels: #@ labels()
data:
  #! If names.apiService is changed in this ConfigMap, the name of the ClusterIP Service
  #! resource (omitted from this prototype file) must be changed to match.
  #! discovery.url renders as the literal text "null" when discovery_url is unset; the
  #! Concierge presumably reads that back as a YAML null - confirm against the consumer.
  #! The serving-certificate durations are stringified here because the template is text, not
  #! YAML nodes. labels is inlined as JSON, which is valid YAML flow syntax.
  #@yaml/text-templated-strings
  pinniped.yaml: |
    discovery:
      url: (@= data.values.discovery_url or "null" @)
    api:
      servingCertificate:
        durationSeconds: (@= str(data.values.api_serving_certificate_duration_seconds) @)
        renewBeforeSeconds: (@= str(data.values.api_serving_certificate_renew_before_seconds) @)
    apiGroupSuffix: (@= data.values.api_group_suffix @)
    # aggregatedAPIServerPort may be set here, although other YAML references to the default port (10250) may also need to be updated
    # impersonationProxyServerPort may be set here, although other YAML references to the default port (8444) may also need to be updated
    names:
      servingCertificateSecret: (@= defaultResourceNameWithSuffix("api-tls-serving-certificate") @)
      credentialIssuer: (@= defaultResourceNameWithSuffix("config") @)
      apiService: (@= defaultResourceNameWithSuffix("api") @)
      impersonationLoadBalancerService: (@= defaultResourceNameWithSuffix("impersonation-proxy-load-balancer") @)
      impersonationClusterIPService: (@= defaultResourceNameWithSuffix("impersonation-proxy-cluster-ip") @)
      impersonationTLSCertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-tls-serving-certificate") @)
      impersonationCACertificateSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-ca-certificate") @)
      impersonationSignerSecret: (@= defaultResourceNameWithSuffix("impersonation-proxy-signer-ca-certificate") @)
      agentServiceAccount: (@= defaultResourceNameWithSuffix("kube-cert-agent") @)
    labels: (@= json.encode(labels()).rstrip() @)
    kubeCertAgent:
      namePrefix: (@= defaultResourceNameWithSuffix("kube-cert-agent-") @)
      (@ if data.values.kube_cert_agent_image: @)
      image: (@= data.values.kube_cert_agent_image @)
      (@ else: @)
      (@ if data.values.image_digest: @)
      image: (@= data.values.image_repo + "@" + data.values.image_digest @)
      (@ else: @)
      image: (@= data.values.image_repo + ":" + data.values.image_tag @)
      (@ end @)
      (@ end @)
      (@ if data.values.image_pull_dockerconfigjson: @)
      imagePullSecrets:
        - image-pull-secret
      (@ end @)
    (@ if data.values.log_level or data.values.deprecated_log_format: @)
    log:
      (@ if data.values.log_level: @)
      level: (@= getAndValidateLogLevel() @)
      (@ end @)
      (@ if data.values.deprecated_log_format: @)
      format: (@= data.values.deprecated_log_format @)
      (@ end @)
    (@ end @)
---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
#! Registry credentials for pulling the images from a private registry. Rendered only when
#! image_pull_dockerconfigjson is set; the ConfigMap above references this Secret under
#! kubeCertAgent.imagePullSecrets under an equivalent condition (an empty string is falsy there).
#! NOTE(review): the value lands in `data`, so it must already be base64-encoded, and it
#! contains registry credentials - supply it from a values file that is kept out of source
#! control.
apiVersion: v1
kind: Secret
metadata:
  name: image-pull-secret
  namespace: #@ namespace()
  labels: #@ labels()
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
#@ end
---
#! The Concierge Deployment is intentionally omitted from this initial prototype, which
#! installs only the simple supporting resources. Because no Deployment is rendered, nothing in
#! this file currently creates the kube-cert-agent pods that the privileged PSA label on the
#! namespace exists to allow.
---
#! The Concierge Service is intentionally omitted from this initial prototype.
---
#! The second Concierge Service is intentionally omitted from this initial prototype.
---
#! The APIService registration is intentionally omitted from this initial prototype.
---
#! The second APIService registration is intentionally omitted from this initial prototype.
---
#! Cluster-scoped CredentialIssuer (it carries no namespace) holding the impersonation proxy
#! configuration for the Concierge. Its name matches names.credentialIssuer in the ConfigMap
#! above. Only the spec is rendered here; every field comes straight from
#! data.values.impersonation_proxy_spec.
apiVersion: #@ pinnipedDevAPIGroupWithPrefix("config.concierge") + "/v1alpha1"
kind: CredentialIssuer
metadata:
  name: #@ defaultResourceNameWithSuffix("config")
  labels: #@ labels()
spec:
  impersonationProxy:
    #! Operating mode of the impersonation proxy, taken verbatim from the values file.
    mode: #@ data.values.impersonation_proxy_spec.mode
    #! Optional externally reachable address of the proxy; emitted only when set.
    #@ if data.values.impersonation_proxy_spec.external_endpoint:
    externalEndpoint: #@ data.values.impersonation_proxy_spec.external_endpoint
    #@ end
    #! Service used to expose the proxy.
    #! NOTE(review): type, loadBalancerIP and annotations are passed through from the values file
    #! without any checks in this template (any validation would live in the values schema). A
    #! LoadBalancer type together with cloud-specific annotations (for example an internal vs.
    #! internet-facing scheme) decides whether the proxy is reachable from outside the cluster,
    #! so treat these values as part of the exposure surface when reviewing an install.
    service:
      type: #@ data.values.impersonation_proxy_spec.service.type
      #@ if data.values.impersonation_proxy_spec.service.load_balancer_ip:
      loadBalancerIP: #@ data.values.impersonation_proxy_spec.service.load_balancer_ip
      #@ end
      annotations: #@ data.values.impersonation_proxy_spec.service.annotations
---
#! Token Secret for the impersonation-proxy service account. The service account above lists
#! this Secret by name so that the token controller populates it instead of creating its own.
#! NOTE(review): a kubernetes.io/service-account-token Secret is a static, non-expiring
#! credential, unlike a projected token. Restrict read access to it with RBAC and rotate it by
#! deleting and re-applying the Secret so the token controller issues a fresh token.
apiVersion: v1
kind: Secret
metadata:
  name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
  namespace: #@ namespace()
  labels: #@ labels()
  annotations:
    #! Wait until the service account exists before creating this Secret so that the token
    #! controller does not delete it. This document is also kept at the end of the file so that a
    #! plain kubectl apply creates the service account first.
    kapp.k14s.io/change-rule: "upsert after upserting impersonation-proxy.concierge.pinniped.dev/serviceaccount"
    #! Names the service account whose token the token controller writes into this Secret.
    kubernetes.io/service-account.name: #@ defaultResourceNameWithSuffix("impersonation-proxy")
type: kubernetes.io/service-account-token