{{- if and .Values.tls.enabled (and .Values.tls.certs.selfSigner.enabled (not .Values.tls.certs.selfSigner.caProvided)) }}
  {{- if .Values.tls.certs.selfSigner.rotateCerts }}
    {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
apiVersion: batch/v1
    {{- else }}
apiVersion: batch/v1beta1
    {{- end }}
kind: CronJob
metadata:
  name: {{ template "rotatecerts.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    helm.sh/chart: {{ template "cockroachdb.chart" . }}
    app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
spec:
  schedule: {{ template "selfcerts.caRotateSchedule" . }}
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          restartPolicy: Never
          containers:
          - name: cert-rotate-job
            image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
            imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
            args:
            - rotate
            - --ca
            - --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }}
            - --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }}
            - --ca-cron={{ template "selfcerts.caRotateSchedule" . }}
            - --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }}
            - --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }}
            env:
            - name: STATEFULSET_NAME
              value: {{ template "cockroachdb.fullname" . }}
            - name: NAMESPACE
              value: {{ .Release.Namespace }}
            - name: CLUSTER_DOMAIN
              value: {{ .Values.clusterDomain}}
          serviceAccountName: {{ template "rotatecerts.fullname" . }}
  {{- end }}
{{- end }}