{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "selfcerts.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    # This is what defines this resource as a hook. Without this line, the
    # job is considered part of the release.
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "4"
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
  labels:
    helm.sh/chart: {{ template "cockroachdb.chart" . }}
    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
spec:
  template:
    metadata:
      name: {{ template "selfcerts.fullname" . }}
      labels:
        helm.sh/chart: {{ template "cockroachdb.chart" . }}
        app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name | quote }}
        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    spec:
      restartPolicy: Never
      containers:
        - name: cert-generate-job
          image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
          imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
          args:
            - generate
            {{- if .Values.tls.certs.selfSigner.caProvided }}
            - --ca-secret={{ .Values.tls.certs.selfSigner.caSecret }}
            {{- else }}
            - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }}
            - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }}
            {{- end }}
            - --client-duration={{ .Values.tls.certs.selfSigner.clientCertDuration }}
            - --client-expiry={{ .Values.tls.certs.selfSigner.clientCertExpiryWindow }}
            - --node-duration={{ .Values.tls.certs.selfSigner.nodeCertDuration }}
            - --node-expiry={{ .Values.tls.certs.selfSigner.nodeCertExpiryWindow }}
          env:
          - name: STATEFULSET_NAME
            value: {{ template "cockroachdb.fullname" . }}
          - name: NAMESPACE
            value: {{ .Release.Namespace | quote }}
          - name: CLUSTER_DOMAIN
            value: {{ .Values.clusterDomain}}
      serviceAccountName: {{ template "selfcerts.fullname" . }}
{{- end}}