local kube = import "../../../kube/kube.libsonnet";

{
  // Per-cluster PKI bootstrap: a self-signed CA managed by cert-manager and
  // exposed cluster-wide through the "pki-ca" ClusterIssuer.
  //
  // Security notes for operators:
  //  - The CA private key lives in an ordinary Kubernetes Secret
  //    (spec.secretName of selfSignedCert) in the cert-manager namespace.
  //    Anything that can read that Secret can sign as this CA, so protect it
  //    with RBAC and encryption at rest like any other signing key.
  //  - A ClusterIssuer is cluster-scoped: every namespace may request
  //    certificates from this CA. If that is not intended, restrict it with
  //    cert-manager's approval policies.
  //  - The root is private and self-signed; clients must explicitly trust the
  //    ca.crt from that Secret, nothing in the public trust store will.
  Environment(clusterShort, realm): {
    local root = self,

    realm:: realm,
    clusterShort:: clusterShort,
    clusterFQDN:: std.format("%s.%s", [clusterShort, realm]),
    namespace:: "cert-manager",

    // Bootstrap issuer: signs the CA certificate with its own freshly
    // generated key. A self-signed Issuer is the supported way to bootstrap a
    // CA issuer, see https://github.com/jetstack/cert-manager/issues/2130.
    selfSignedIssuer: kube.Issuer("pki-selfsigned") {
      metadata+: { namespace: root.namespace },
      spec: { selfSigned: {} },
    },

    // The CA keypair. isCA makes cert-manager emit a CA certificate; key and
    // cert are written to Secret spec.secretName in root.namespace.
    // renewBefore and privateKey settings are left at cert-manager's defaults.
    selfSignedCert: kube.Certificate("pki-selfsigned") {
      metadata+: { namespace: root.namespace },
      spec: {
        secretName: "pki-selfsigned-cert",
        duration: "43800h0m0s",  // 5 years (43800h = 1825 days)
        isCA: true,
        // issuerRef.kind is omitted, so cert-manager resolves a namespaced
        // Issuer, which is what selfSignedIssuer is.
        issuerRef: { name: root.selfSignedIssuer.metadata.name },
        commonName: "pki-ca",
      },
    },

    // Cluster-wide issuer backed by the CA above. The Secret name is taken
    // from selfSignedCert rather than repeated, so an override of secretName
    // in a derived environment keeps both resources in agreement.
    issuer: kube.ClusterIssuer("pki-ca") {
      spec: {
        ca: { secretName: root.selfSignedCert.spec.secretName },
      },
    },
  },
}