Setup TLS certificates for the Control-API

commodore catalog compile ${CLUSTER_ID}"

# Adjust the lifetime as necessary
lifetime=3650
# Adjust API server servicename if the namespace differs
servicename=control-api-apiserver.appuio-control-api.svc
openssl req -x509 -newkey rsa:4096 -nodes -keyout apiserver.key -out apiserver.crt -days ${lifetime} -subj "/CN=$servicename" -addext "subjectAltName = DNS:$servicename"

# Adjust admission webhook servicename if the namespace differs
servicename=webhook-service.appuio-control-api.svc
openssl req -x509 -newkey rsa:4096 -nodes -keyout webhook.key -out webhook.crt -days ${lifetime} -subj "/CN=$servicename" -addext "subjectAltName = DNS:$servicename"

instance=control-api
parent="clusters/kv/${TENANT_ID}/${CLUSTER_ID}"

# Use the 'patch' subcommand to add to existing secret
vault kv patch "${parent}/${instance}" apiserver-key=@apiserver.key
vault kv patch "${parent}/${instance}" webhook-key=@webhook.key

apicert=$(cat apiserver.crt)
yq eval -i ".parameters.control_api.apiserver.tls.serverCert = \"${apicert}\"" \
  inventory/classes/${TENANT_ID}/${CLUSTER_ID}.yml
webhookcert=$(cat webhook.crt)
yq eval -i ".parameters.control_api.controller.webhookTls.certificate = \"${webhookcert}\"" \
  inventory/classes/${TENANT_ID}/${CLUSTER_ID}.yml
yq eval -i '.parameters.control_api.controller.webhookTls.caCertificate = "${control_api:controller:webhookTls:certificate}"' \
  inventory/classes/${TENANT_ID}/${CLUSTER_ID}.yml

cd inventory/classes/${TENANT_ID}
git add ${CLUSTER_ID}.yml
git commit -m "Configure Control API APIService and admission webhook certificates"
git push origin master
popd

rm apiserver.{key,crt} webhook.{key,crt}