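# cert-exporter: nightly CronJob that reads a fixed set of TLS Secrets and
# pushes them to a git repository over SSH.
#
# Security-relevant changes in this revision:
#   - Role and RoleBinding are pinned to `namespace: default`. Roles are
#     namespace-scoped and the Secrets listed in config.yml all declare
#     `namespace: default`, so a Role created in any other namespace (e.g. by
#     applying this file with `-n cert-manager`) would grant nothing useful and
#     the job would fail with Forbidden.
#   - `serviceAccount` (deprecated pod field) replaced by `serviceAccountName`.
#   - Pod/container securityContext hardened (non-root, no privilege
#     escalation, all capabilities dropped, RuntimeDefault seccomp).
#   - `concurrencyPolicy: Forbid` so two runs cannot push to the repo at once.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-exporter
  namespace: cert-manager
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cert-exporter
  namespace: cert-manager
data:
  # Exporter configuration: which Secrets to read and where each file lands
  # in the git repository. Every entry is in the `default` namespace, which is
  # why the Role below must live there.
  config.yml: |
    git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
    certs:
      - name: pyrocufflink-cert
        namespace: default
        key: certificates/_.pyrocufflink.net.key
        cert: certificates/_.pyrocufflink.net.crt
        bundle: certificates/_.pyrocufflink.net.pem
      - name: dustinhatchname-cert
        namespace: default
        key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
        cert: acme.sh/dustin.hatch.name/fullchain.cer
      - name: hatchchat-cert
        namespace: default
        key: certificates/hatch.chat.key
        cert: certificates/hatch.chat.crt
        bundle: certificates/hatch.chat.pem
      - name: tabitha-cert
        namespace: default
        key: certificates/tabitha.biz.key
        cert: certificates/tabitha.biz.crt
        bundle: certificates/tabitha.biz.pem
  # Host-key pinning for the git remote: ssh fetches the known_hosts list over
  # HTTPS instead of trusting on first use. The trust anchor is therefore the
  # TLS certificate of files.pyrocufflink.blue; `-f` makes curl fail (and ssh
  # refuse the connection) rather than silently accept an empty list.
  known-hosts-command.ssh_config: |
    KnownHostsCommand /usr/bin/curl -fsL https://files.pyrocufflink.blue/ssh_known_hosts
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-exporter
  # Must match the namespace of the Secrets in config.yml (all `default`).
  namespace: default
rules:
  # Least privilege: `get` on exactly the four named Secrets. Do not add
  # `list`/`watch` here -- resourceNames does not constrain those verbs, so
  # doing so would expose every Secret in the namespace.
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
    resourceNames:
      - pyrocufflink-cert
      - dustinhatchname-cert
      - hatchchat-cert
      - tabitha-cert
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-exporter
  # A RoleBinding can only reference a Role in its own namespace.
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-exporter
subjects:
  # Cross-namespace subject: the ServiceAccount lives in cert-manager.
  - kind: ServiceAccount
    name: cert-exporter
    namespace: cert-manager
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: cert-exporter
  namespace: cert-manager
spec:
  timeZone: America/Chicago
  schedule: '27 20 * * *'
  # Overlapping runs would race on the git push; skip a run instead.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          # TODO(security): pin this image by tag or, preferably, digest
          # (`@sha256:...`). An untagged reference floats to whatever
          # `latest` is on the registry at pull time.
          containers:
            - image: git.pyrocufflink.net/containerimages/cert-exporter
              name: cert-exporter
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
              volumeMounts:
                - mountPath: /etc/cert-exporter/config.yml
                  name: config
                  subPath: config.yml
                  readOnly: true
                # Private SSH key. Secret volume files are owned by root with
                # group = fsGroup, so with mode 0440 the non-root process can
                # read it while ssh's "too open" check (which only applies to
                # files owned by the calling uid) is not triggered.
                - mountPath: /home/cert-exporter/.ssh/id_ed25519
                  name: sshkeys
                  subPath: cert-exporter.pem
                  readOnly: true
                - mountPath: /etc/ssh/ssh_config.d/known-hosts-command.conf
                  name: config
                  subPath: known-hosts-command.ssh_config
                  readOnly: true
          securityContext:
            # NOTE(review): runAsNonRoot assumes the image declares a non-root
            # USER (fsGroup 1000 and /home/cert-exporter suggest uid 1000);
            # confirm against the image, or set runAsUser explicitly.
            runAsNonRoot: true
            fsGroup: 1000
            seccompProfile:
              type: RuntimeDefault
          # `serviceAccount` is deprecated; `serviceAccountName` is the
          # supported field.
          serviceAccountName: cert-exporter
          volumes:
            - name: config
              configMap:
                name: cert-exporter
            - name: sshkeys
              secret:
                secretName: cert-exporter-sshkey
                # Octal 0440 (decimal 288): readable by owner and fsGroup only.
                defaultMode: 0440
          restartPolicy: Never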