apiVersion: airshipit.org/v1alpha1
kind: Templater
metadata:
  name: secret-template
  annotations:
    config.kubernetes.io/function: |
      container:
        image: localhost/templater
values:
  sshKeyGen:
    encBit: 4096
  ephemeralCluster:
    ca:
      subj: "/CN=Kubernetes API"
      validity: 3650
    kubeconfigCert:
      subj: "/CN=admin/O=system:masters"
      validity: 365
  targetCluster:
    ca:
      subj: "/CN=Kubernetes API"
      validity: 3650
    kubeconfigCert:
      subj: "/CN=admin/O=system:masters"
      validity: 365
template: |
  apiVersion: airshipit.org/v1alpha1
  kind: VariableCatalogue
  metadata:
    labels:
      airshipit.org/deploy-k8s: "false"
    name: generated-secrets
    annotations:
      config.kubernetes.io/path: secrets.yaml
  {{- $ephemeralClusterCa := genCAEx .ephemeralCluster.ca.subj .ephemeralCluster.ca.validity }}
  {{- $ephemeralKubeconfigCert := genSignedCertEx .ephemeralCluster.kubeconfigCert.subj nil nil .ephemeralCluster.kubeconfigCert.validity $ephemeralClusterCa }}
  ephemeralClusterCa:
    crt: {{ $ephemeralClusterCa.Cert|b64enc|quote }}
    key: {{ $ephemeralClusterCa.Key|b64enc|quote }}
  ephemeralKubeconfig:
    certificate-authority-data: {{ $ephemeralClusterCa.Cert|b64enc|quote }}
    client-certificate-data: {{ $ephemeralKubeconfigCert.Cert|b64enc|quote }}
    client-key-data: {{ $ephemeralKubeconfigCert.Key|b64enc|quote }}
  {{- $targetClusterCa := genCAEx .targetCluster.ca.subj .targetCluster.ca.validity }}
  {{- $targetKubeconfigCert := genSignedCertEx .targetCluster.kubeconfigCert.subj nil nil .targetCluster.kubeconfigCert.validity $targetClusterCa }}
  targetClusterCa:
    tls.crt: {{ $targetClusterCa.Cert|b64enc|quote }}
    tls.key: {{ $targetClusterCa.Key|b64enc|quote }}
  targetKubeconfig:
    certificate-authority-data: {{ $targetClusterCa.Cert|b64enc|quote }}
    client-certificate-data: {{ $targetKubeconfigCert.Cert|b64enc|quote }}
    client-key-data: {{ $targetKubeconfigCert.Key|b64enc|quote }}
  isoImage:
    passwords:
      root: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org"|quote }}
      deployer: {{ derivePassword 1 "long" (randAscii 10) "user" "airshipit.org"|quote }}
  {{- $sshKey := genSSHKeyPair .sshKeyGen.encBit }}
  sshKeys:
    privateKey: {{ $sshKey.Private|quote }}
    publicKey: {{ $sshKey.Public|quote }}
  dex:
    oidc:
      clientSecret: {{ regexGen "^[a-zA-Z0-9]{34}$" 34|quote }}