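{{- /*
CronJob that watches the `domain-certificate` Secret for changes.

Each run hashes the Secret's `.data`, compares the digest with the `sha` key of
a ConfigMap named after this app, and, when the digest differs, restarts the
deployments labelled `dplane=envoy` and `dplane=inbound-worker` and records the
new digest. A stored value of `UNINITIALIZED` records the digest without
restarting anything (presumably the ConfigMap's initial value; it is created
outside this template).

Rendered only when `.Values.common.domainCertWatch.enabled` is set.
*/ -}}
{{- if .Values.common.domainCertWatch.enabled -}}
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ template "domainCertWatch.appName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    dplane: "domain-cert-watch-job"
spec:
  # Forbid: a run is skipped while the previous one is still active, so two
  # runs never compare and update the stored digest at the same time.
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      ttlSecondsAfterFinished: {{ .Values.common.domainCertWatch.job_ttl }}
      template:
        metadata:
          labels:
            dplane: "domain-cert-watch-job"
        spec:
          # Identity behind every kubectl call in the script. Its RBAC lives
          # outside this template.
          # NOTE(review): confirm it is scoped to reading the
          # domain-certificate Secret, reading/updating this ConfigMap and
          # restarting the two labelled deployments, and nothing broader.
          serviceAccountName: {{ include "domainCertWatch.serviceAccountName" . }}
          containers:
            - image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
              imagePullPolicy: {{ .Values.global.image.pullPolicy }}
              command: ["/bin/sh", "-c"]
              args:
                - |
                  # POSIX sh only: the script runs under /bin/sh, so it avoids
                  # the bash-style double-bracket test and quotes every
                  # expansion.
                  cm_name="{{ template "domainCertWatch.appName" . }}"

                  # The Secret's data is held only in a shell variable; the
                  # digest is the only derived value that is logged or stored.
                  if ! dcert=$(kubectl get secrets domain-certificate -o jsonpath='{.data}'); then
                    echo "Could not get the secret domain-certificate"
                    exit 1
                  fi

                  # SHA-1 serves purely as a change detector here, not as an
                  # integrity or authenticity check. Switching algorithms would
                  # make the first run after the upgrade look like a change.
                  dc_sha=$(printf '%s' "$dcert" | sha1sum | awk '{print $1}')
                  echo "Generated domain-certificate secret sha - $dc_sha"

                  if ! dcert_cm=$(kubectl get configmap "$cm_name" -o json); then
                    echo "Failed to retrieve stored domain-certificate sha"
                    exit 1
                  fi
                  stored_sha=$(printf '%s' "$dcert_cm" | jq -r .data.sha)
                  echo "Retrieved domain-certificate stored sha - $stored_sha"

                  if [ "$stored_sha" != "UNINITIALIZED" ] && [ "$stored_sha" = "$dc_sha" ]; then
                    echo "The secret domain-certificate has not changed, no action needed"
                    exit 0
                  fi

                  # Restart before recording the new digest. If a restart
                  # fails, the stored digest stays stale and a later run
                  # retries, instead of the workloads silently keeping the old
                  # certificate.
                  if [ "$stored_sha" != "UNINITIALIZED" ]; then
                    echo "The domain-certificate secret has changed, rolling envoy and inbound-worker deployments"
                    for selector in dplane=envoy dplane=inbound-worker; do
                      if ! kubectl rollout restart deployment -l "$selector"; then
                        echo "Failed to restart deployments matching $selector, stored sha left unchanged so a later run retries"
                        exit 1
                      fi
                    done
                  fi

                  echo "Stored sha found in configmap $cm_name does not match, updating entry"
                  if kubectl create configmap "$cm_name" --from-literal=sha="$dc_sha" -o yaml --dry-run=client | kubectl apply -f -; then
                    echo "Updated configmap $cm_name with new sha - $dc_sha"
                    exit 0
                  else
                    echo "Failed to update configmap $cm_name"
                    exit 1
                  fi
              name: domain-cert-watch
              {{- with .Values.common.domainCertWatch.securityContext }}
              securityContext:
                {{- toYaml . | nindent 16 }}
              {{- end }}
          restartPolicy: Never
          {{- with .Values.global.image.imagePullSecrets }}
          imagePullSecrets:
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- if .Values.common.domainCertWatch.podSecurityContextEnabled -}}
          {{- with .Values.common.domainCertWatch.podSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- end }}
  schedule: {{ .Values.common.domainCertWatch.schedule | squote }}
  successfulJobsHistoryLimit: 1
  suspend: false
{{- end }}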