{{- if not .Values.pxc.disableTLS }}
{{- if not .Values.pxc.certManager }}
{{- $nameDB := printf "%s" (include "pxc-database.fullname" .) }}
{{ $ca := genCA (printf "%s-ca" $nameDB ) 365 }}
{{- if not (hasKey .Values.secrets.tls "cluster") }}
---
{{- $name := printf "%s-proxysql" $nameDB }}
{{- $altNames := list ( printf "%s-pxc" $nameDB ) ( printf "*.%s-pxc" $nameDB ) ( printf "*.%s-proxysql" $nameDB ) -}}
{{ $cert := genSignedCert $name nil $altNames 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $nameDB }}-ssl
  labels:
{{ include "pxc-database.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
  ca.crt: {{ $ca.Cert | b64enc }}
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
{{- end }}
{{- if not (hasKey .Values.secrets.tls "internal") }}
---
{{- $name := printf "%s-pxc" $nameDB }}
{{- $altNames := list ( printf "%s" $name ) ( printf "*.%s" $name ) ( printf "%s-haproxy-replicas.%s.svc.cluster.local" $nameDB .Release.Namespace ) ( printf "%s-haproxy-replicas.%s" $nameDB .Release.Namespace ) ( printf "%s-haproxy-replicas" $nameDB ) ( printf "%s-haproxy.%s.svc.cluster.local" $nameDB .Release.Namespace ) ( printf "%s-haproxy.%s" $nameDB .Release.Namespace ) ( printf "%s-haproxy" $nameDB ) -}}
{{ $cert := genSignedCert $name nil $altNames 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $nameDB }}-ssl-internal
  labels:
{{ include "pxc-database.labels" . | indent 4 }}
type: kubernetes.io/tls
data:
  ca.crt: {{ $ca.Cert | b64enc }}
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
{{- end }}
{{- end }}
{{- end }}