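# Apply:  kubectl apply -f manifests/core/ca-installer/ca-installer.yaml
# Delete: kubectl delete -f manifests/core/ca-installer/ca-installer.yaml
# Description: Nginx-based CA certificate installer serving ca.crt and an iOS
#   mobileconfig at ca.home.arpa.
#
# Pre-requisites (run once, or after CA cert rotation):
#   kubectl create configmap ca-installer-web -n ca-installer \
#     --from-file=index.html=manifests/core/ca-installer/web/index.html
#
#   kubectl create configmap ca-installer-files -n ca-installer \
#     --from-file=ca.crt=/tmp/homelab-ca.crt \
#     --from-file=ca.mobileconfig=/tmp/homelab-ca.mobileconfig
#
# Rotation note: every file below is mounted with subPath, and subPath mounts
# do not receive ConfigMap updates. After replacing a ConfigMap, restart the
# pod so the new certificate is actually served:
#   kubectl rollout restart deployment/ca-installer -n ca-installer
#
# Trust note: this site hands out a trust anchor. The Ingress exposes it on the
# plain-HTTP entrypoint too, and an HTTP download is unauthenticated, so the
# certificate fingerprint should be compared against a value obtained
# out-of-band before the CA is installed on a device.
# Only the public CA certificate belongs in ca-installer-files; never the key.
---
apiVersion: v1
kind: Namespace
metadata:
  name: ca-installer
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: ca-installer
data:
  # Exact-match locations pin the MIME types that make browsers and iOS offer
  # the certificate / profile install flow instead of a generic download.
  default.conf: |
    server {
      listen 80;
      server_name ca.home.arpa;
      root /usr/share/nginx/html;

      location = /ca.crt {
        default_type application/x-x509-ca-cert;
        try_files /ca.crt =404;
      }

      location = /ca.mobileconfig {
        default_type application/x-apple-aspen-config;
        try_files /ca.mobileconfig =404;
      }

      location / {
        try_files $uri $uri/ /index.html;
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ca-installer
  namespace: ca-installer
  labels:
    app: ca-installer
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ca-installer
  template:
    metadata:
      labels:
        app: ca-installer
    spec:
      # A static file server never talks to the Kubernetes API, so do not
      # mount a service-account token into the pod.
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          # NOTE(review): floating tag. Pin to a specific version tag or an
          # image digest so the binary serving the trust anchor only changes
          # through a reviewed commit.
          image: nginx:alpine
          securityContext:
            allowPrivilegeEscalation: false
          ports:
            - containerPort: 80
          volumeMounts:
            - name: web-files
              mountPath: /usr/share/nginx/html/index.html
              subPath: index.html
              readOnly: true
            - name: ca-cert
              mountPath: /usr/share/nginx/html/ca.crt
              subPath: ca.crt
              readOnly: true
            - name: ca-mobileconfig
              mountPath: /usr/share/nginx/html/ca.mobileconfig
              subPath: ca.mobileconfig
              readOnly: true
            - name: nginx-config
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: default.conf
              readOnly: true
      volumes:
        - name: web-files
          configMap:
            name: ca-installer-web
        # ca-cert and ca-mobileconfig are two volumes backed by the same
        # ConfigMap; each mount selects one key through subPath.
        - name: ca-cert
          configMap:
            name: ca-installer-files
        - name: ca-mobileconfig
          configMap:
            name: ca-installer-files
        - name: nginx-config
          configMap:
            name: nginx-config
---
apiVersion: v1
kind: Service
metadata:
  name: ca-installer
  namespace: ca-installer
spec:
  selector:
    app: ca-installer
  ports:
    - port: 80
      targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ca-installer
  namespace: ca-installer
  annotations:
    # Both entrypoints are enabled. "web" is plain HTTP, which lets a device
    # that does not yet trust the CA reach the installer, at the cost of an
    # unauthenticated download (see the trust note at the top of the file).
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
spec:
  ingressClassName: traefik
  rules:
    - host: ca.home.arpa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ca-installer
                port:
                  number: 80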