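# cert-exporter: a scheduled job that runs under a dedicated ServiceAccount
# which may read four named certificate Secrets. The pod also mounts an SSH
# private key and a pinned known_hosts file from the cert-exporter-sshkey
# Secret.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-exporter
  namespace: cert-manager

---
# Least-privilege Role: `get` only, and only on the Secrets listed in
# resourceNames. Keep the verb set to `get`; adding list or watch would
# widen what a compromised job token can enumerate.
# NOTE(review): unlike the ServiceAccount and CronJob, this Role and the
# RoleBinding below carry no metadata.namespace, so they only cover Secrets
# in whichever namespace they are applied to. Confirm the deploy tooling
# places them in the namespace that holds these four Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-exporter
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
    resourceNames:
      - pyrocufflink-cert
      - dustinhatchname-cert
      - dustinandtabitha-cert
      - hlc-cert

---
# Grants the Role above to the cert-exporter ServiceAccount in cert-manager.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-exporter
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-exporter
subjects:
  - kind: ServiceAccount
    name: cert-exporter
    namespace: cert-manager

---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: cert-exporter
  namespace: cert-manager
spec:
  timeZone: America/Chicago
  # 09:27 and 20:27 every day, evaluated in the timeZone above.
  schedule: '27 9,20 * * *'
  jobTemplate: &jobtemplate
    spec:
      template:
        spec:
          containers:
            # NOTE(review): the image reference has no tag or digest, so it
            # resolves to the mutable `latest` tag. This pod holds an SSH
            # private key and a token that can read TLS private keys; pin
            # the image to a reviewed build, e.g.
            #   ...containerimages/cert-exporter@sha256:<digest>  (placeholder)
            # NOTE(review): no container-level securityContext is set.
            # Consider allowPrivilegeEscalation: false, capabilities.drop
            # [ALL], runAsNonRoot: true and a RuntimeDefault seccompProfile
            # once confirmed the image runs as a numeric non-root user.
            - image: git.pyrocufflink.net/containerimages/cert-exporter
              name: cert-exporter
              volumeMounts:
                - mountPath: /etc/cert-exporter/config.yml
                  name: config
                  subPath: config.yml
                  readOnly: true
                # SSH private key, mounted read-only as a single file.
                - mountPath: /home/cert-exporter/.ssh/id_ed25519
                  name: sshkeys
                  subPath: cert-exporter.pem
                  readOnly: true
                # known_hosts ships in the same Secret as the key, so host
                # keys are pinned rather than accepted on first use.
                - mountPath: /etc/ssh/ssh_known_hosts
                  name: sshkeys
                  subPath: ssh_known_hosts
                  readOnly: true
          securityContext:
            # Secret files are group-owned by this GID; together with
            # defaultMode below this is what makes the key readable by the
            # container user (presumably a member of GID 1000 - confirm
            # against the image).
            fsGroup: 1000
          # `serviceAccount` is a deprecated alias; serviceAccountName is
          # the supported field and selects the same account.
          serviceAccountName: cert-exporter
          volumes:
            - name: config
              configMap:
                name: cert-exporter
            - name: sshkeys
              secret:
                secretName: cert-exporter-sshkey
                # Intended as octal 0440 (owner and group read, no access
                # for others). NOTE(review): a strict YAML 1.2 parser reads
                # a leading-zero integer as decimal; 288 is the unambiguous
                # decimal spelling if the toolchain ever changes.
                defaultMode: 00440
          restartPolicy: Never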