apiVersion: v1
kind: ServiceAccount
metadata:
  name: certs-creator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-creator
rules:
  - apiGroups: [ "" ]
    resources: [ "secrets" ]
    verbs: [ "create", "patch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: certs-creator
subjects:
  - kind: ServiceAccount
    name:  certs-creator
roleRef:
  kind: Role
  name: secret-creator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
  name: create-certs
spec:
  template:
    spec:
      restartPolicy: OnFailure
      serviceAccountName: certs-creator
      initContainers:
      - command:
          - /bin/ash
          - -c
          - |
            function createKey() {
              USER=$1
              openssl genrsa -out ${USER}.key 2048
              echo "created ${USER}.key"
            }

            function createSigningRequest() {
              USER=$1
              openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
              echo "created ${USER}.csr"
            }

            function generateServerConfig() {
              cat<<EOF
              [req]
              distinguished_name = req_distinguished_name
              x509_extensions = v3_req
              prompt = no
              [req_distinguished_name]
              CN = db-postgresql
              [v3_req]
              keyUsage = keyEncipherment, dataEncipherment
              extendedKeyUsage = serverAuth
              subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
            EOF
            }

            function signCertificate() {
              INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
              openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
            }

            function secretJson {
              USER=$1
              cat<<EOF
              {
                "apiVersion": "v1",
                "kind": "Secret",
                "data": {
                  "ca.crt": "$(base64 -w 0 ./ca.crt)",
                  "tls.crt": "$(base64 -w 0 ./${USER}.crt)",
                  "tls.key": "$(base64 -w 0 ./${USER}.key)"
                },
                "metadata": {
                  "name": "${USER}-cert"
                },
                "type": "kubernetes.io/tls"
              }
            EOF
            }

            function createCertSecret {
              USER=$1
              secretJson ${USER} >> ${USER}-cert.json
            }

            cd /secret

            # Create a CA key and cert for signing other certs
            createKey ca
            openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"

            createKey postgres
            createSigningRequest postgres
            signCertificate postgres.csr postgres.crt ca.crt ca.key
            createCertSecret postgres

            createKey zitadel
            createSigningRequest zitadel
            signCertificate zitadel.csr zitadel.crt ca.crt ca.key
            createCertSecret zitadel
        image: alpine/openssl
        imagePullPolicy: IfNotPresent
        name: create-certs
        volumeMounts:
          - mountPath: /secret
            name: secret
      containers:
      - image: alpine/curl
        name: apply-certs
        imagePullPolicy: IfNotPresent
        command:
          - /bin/ash
          - -c
          - |
            export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
            export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt

            function uploadSecret {
              USER=$1
              curl \
                --cacert ${CACERT} \
                --header "Authorization: Bearer ${TOKEN}" \
                --header "Content-Type: application/json" \
                -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
                --data "$(tr -d '\n' < /secret/${USER}-cert.json)" \
                > /dev/null || echo "error uploading ${USER} secret: $?"
            }
        
            uploadSecret postgres
            uploadSecret zitadel
        volumeMounts:
          - mountPath: /secret
            name: secret
      volumes:
        - name: secret
          emptyDir:
            medium: Memory