apiVersion: v1
kind: ServiceAccount
metadata:
  name: certs-creator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-creator
rules:
  - apiGroups: [ "" ]
    resources: [ "secrets" ]
    verbs: [ "create", "patch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: certs-creator
subjects:
  - kind: ServiceAccount
    name:  certs-creator
roleRef:
  kind: Role
  name: secret-creator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
  name: create-certs
spec:
  template:
    spec:
      restartPolicy: OnFailure
      serviceAccountName: certs-creator
      containers:
      - command:
          - /usr/local/bin/bash
          - -ecx
          - |
            apk add openssl curl
            
            export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
            export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt

            function createKey() {
              USER=$1
              openssl genrsa -out ${USER}.key 2048
              echo "created ${USER}.key"
            }

            function createSigningRequest() {
              USER=$1
              openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
              echo "created ${USER}.csr"
            }

            function generateServerConfig() {
              cat<<EOF
              [req]
              distinguished_name = req_distinguished_name
              x509_extensions = v3_req
              prompt = no
              [req_distinguished_name]
              CN = db-postgresql
              [v3_req]
              keyUsage = keyEncipherment, dataEncipherment
              extendedKeyUsage = serverAuth
              subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
            EOF
            }

            function signCertificate() {
              INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
              openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
            }

            function secretJson {
              USER=$1
              cat<<EOF
              {
                "apiVersion": "v1",
                "kind": "Secret",
                "data": {
                  "ca.crt": "$(base64 -w 0 ./ca.crt)",
                  "tls.crt": "$(base64 -w 0 ./${USER}.crt)",
                  "tls.key": "$(base64 -w 0 ./${USER}.key)"
                },
                "metadata": {
                  "name": "${USER}-cert"
                },
                "type": "kubernetes.io/tls"
              }
            EOF
            }

            function createCertSecret {
              USER=$1
              echo "CACERT value: ${CACERT}"
              echo "TOKEN value: ${TOKEN}"
              echo "APISERVER value: ${APISERVER}"
              echo "NAMESPACE value: ${NAMESPACE}"
              curl \
              --cacert ${CACERT} \
              --header "Authorization: Bearer ${TOKEN}" \
              --header "Content-Type: application/json" \
              -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
              --data "$(echo -n $(secretJson ${USER}) | tr -d '\n')"
            }

            # Create a CA key and cert for signing other certs
            createKey ca
            openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"

            createKey postgres
            createSigningRequest postgres
            signCertificate postgres.csr postgres.crt ca.crt ca.key
            createCertSecret postgres

            createKey zitadel
            createSigningRequest zitadel
            signCertificate zitadel.csr zitadel.crt ca.crt ca.key
            createCertSecret zitadel
        image: bash:5.2.15
        imagePullPolicy: IfNotPresent
        name: create-certs