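# cert-manager PKI for CDI, as wired up in this file:
#
#   cdi-selfsigned (selfSigned Issuer)
#     |- cdi-apiserver-signer           (CA cert) -> Issuer -> cdi-apiserver-server-cert
#     |- cdi-uploadproxy-signer         (CA cert) -> Issuer -> cdi-uploadproxy-server-cert
#     |- cdi-uploadserver-client-signer (CA cert) -> Issuer -> cdi-uploadserver-client-cert
#     `- cdi-uploadserver-signer        (CA cert), no Issuer for it in this file
#
# Every object lives in var.namespace and every issuer is a namespaced
# `Issuer`, so only Certificate objects in that namespace can request
# signing. Each signer's private key is stored in the Secret named by
# `secretName`; RBAC on Secrets and on cert-manager Certificate objects in
# this namespace is therefore what protects these CAs.
#
# All templated scalars are quoted so that a namespace that looks like a
# number or a YAML 1.1 boolean (for example "123" or "on") is still parsed
# as a string. `labels` is deliberately left unquoted: jsonencode() emits a
# JSON object, which YAML reads as a flow mapping.
#
# No `privateKey` block is set on any Certificate below, so key algorithm,
# size and rotation policy are whatever the installed cert-manager defaults to.

# Bootstrap issuer: signs each CA certificate with that certificate's own key.
resource "kubectl_manifest" "issuer" {
  yaml_body = <<-EOF
  apiVersion: "cert-manager.io/v1"
  kind: "Issuer"
  metadata:
    name: "cdi-selfsigned"
    namespace: "${var.namespace}"
    labels: ${jsonencode(local.common-labels)}
  spec:
    selfSigned: {}
  EOF
}

# --- CA certificates (isCA: true), one per trust domain ----------------------
# Lifetime comes from var.duration. The leaf certificates further down set no
# `duration`, so cert-manager's default lifetime applies to them.
# NOTE(review): confirm var.duration is comfortably longer than the leaf
# lifetime so that a leaf cannot outlive the CA that signed it.

resource "kubectl_manifest" "cdi-apiserver-signer-cert" {
  yaml_body = <<-EOF
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: cdi-apiserver-signer
    namespace: "${var.namespace}"
    labels: ${jsonencode(local.common-labels)}
  spec:
    isCA: true
    duration: "${var.duration}"
    commonName: "cdi-apiserver-signer"
    secretName: cdi-apiserver-signer
    issuerRef:
      name: cdi-selfsigned
  EOF
}

resource "kubectl_manifest" "cdi-uploadproxy-signer-cert" {
  yaml_body = <<-EOF
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: cdi-uploadproxy-signer
    namespace: "${var.namespace}"
    labels: ${jsonencode(local.common-labels)}
  spec:
    isCA: true
    duration: "${var.duration}"
    commonName: "cdi-uploadproxy-signer"
    secretName: cdi-uploadproxy-signer
    issuerRef:
      name: cdi-selfsigned
  EOF
}

resource "kubectl_manifest" "cdi-uploadserver-client-signer-cert" {
  yaml_body = <<-EOF
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: cdi-uploadserver-client-signer
    namespace: "${var.namespace}"
    labels: ${jsonencode(local.common-labels)}
  spec:
    isCA: true
    duration: "${var.duration}"
    commonName: "cdi-uploadserver-client-signer"
    secretName: cdi-uploadserver-client-signer
    issuerRef:
      name: cdi-selfsigned
  EOF
}

# NOTE(review): no Issuer in this file is backed by the
# cdi-uploadserver-signer Secret; presumably it is consumed elsewhere.
# Confirm who reads this CA key and that the access is intended.
resource "kubectl_manifest" "cdi-uploadserver-signer-cert" {
  yaml_body = <<-EOF
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: cdi-uploadserver-signer
    namespace: "${var.namespace}"
    labels: ${jsonencode(local.common-labels)}
  spec:
    isCA: true
    duration: "${var.duration}"
    commonName: "cdi-uploadserver-signer"
    secretName: cdi-uploadserver-signer
    issuerRef:
      name: cdi-selfsigned
  EOF
}

# --- CA issuers, each backed by the Secret of the matching CA certificate ----

resource "kubectl_manifest" "cdi-uploadproxy-signer" {
  yaml_body = <<-EOF
  apiVersion: "cert-manager.io/v1"
  kind: "Issuer"
  metadata:
    name: "cdi-uploadproxy-signer"
    namespace: "${var.namespace}"
    labels: ${jsonencode(local.common-labels)}
  spec:
    ca:
      secretName: "cdi-uploadproxy-signer"
  EOF
}

resource "kubectl_manifest" "cdi-uploadserver-client-signer" {
  yaml_body = <<-EOF
  apiVersion: "cert-manager.io/v1"
  kind: "Issuer"
  metadata:
    name: "cdi-uploadserver-client-signer"
    namespace: "${var.namespace}"
    labels: ${jsonencode(local.common-labels)}
  spec:
    ca:
      secretName: "cdi-uploadserver-client-signer"
  EOF
}

resource "kubectl_manifest" "cdi-apiserver-signer" {
  yaml_body = <<-EOF
  apiVersion: "cert-manager.io/v1"
  kind: "Issuer"
  metadata:
    name: "cdi-apiserver-signer"
    namespace: "${var.namespace}"
    labels: ${jsonencode(local.common-labels)}
  spec:
    ca:
      secretName: "cdi-apiserver-signer"
  EOF
}

# --- Leaf certificates -------------------------------------------------------
# The two server certificates carry the in-cluster DNS names of their Service
# and set no `usages`, so cert-manager's default key usages apply.
# NOTE(review): consider listing `server auth` explicitly, the way the client
# certificate below lists `client auth`, so each leaf is limited to its role.

resource "kubectl_manifest" "cdi-apiserver-server-cert" {
  yaml_body = <<-EOF
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: "cdi-apiserver-server-cert"
    labels: ${jsonencode(local.common-labels)}
    namespace: "${var.namespace}"
  spec:
    dnsNames:
      - cdi-api
      - cdi-api.${var.namespace}
      - cdi-api.${var.namespace}.svc
      - cdi-api.${var.namespace}.svc.cluster.local
    issuerRef:
      kind: Issuer
      name: cdi-apiserver-signer
    secretName: cdi-apiserver-server-cert
    subject:
      organizationalUnits:
        - cdi-api
  EOF
}

resource "kubectl_manifest" "cdi-uploadproxy-server-cert" {
  yaml_body = <<-EOF
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: "cdi-uploadproxy-server-cert"
    labels: ${jsonencode(local.common-labels)}
    namespace: "${var.namespace}"
  spec:
    dnsNames:
      - cdi-uploadproxy
      - cdi-uploadproxy.${var.namespace}
      - cdi-uploadproxy.${var.namespace}.svc
      - cdi-uploadproxy.${var.namespace}.svc.cluster.local
    issuerRef:
      kind: Issuer
      name: cdi-uploadproxy-signer
    secretName: cdi-uploadproxy-server-cert
    subject:
      organizationalUnits:
        - cdi-uploadproxy
  EOF
}

# Client certificate: restricted to `digital signature` and `client auth`,
# identified by commonName and organizational unit rather than DNS names.
resource "kubectl_manifest" "cdi-uploadserver-client-cert" {
  yaml_body = <<-EOF
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: "cdi-uploadserver-client-cert"
    labels: ${jsonencode(local.common-labels)}
    namespace: "${var.namespace}"
  spec:
    usages:
      - digital signature
      - client auth
    commonName: "cdi-uploadserver-client-cert"
    issuerRef:
      kind: Issuer
      name: cdi-uploadserver-client-signer
    secretName: cdi-uploadserver-client-cert
    subject:
      organizationalUnits:
        - cdi-uploadserver-client
  EOF
}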