#!/bin/bash -x
CHART_VERSION="v1.10.1"
NAMESPACE="cert-manager"
EMAIL="amarpreet@minhas.io"
VAULT_AUTH_NAMESPACE="k8s-teapot"

kubectl create ns ${NAMESPACE}
kubectl apply -n ${NAMESPACE} -f external-secrets.yaml

HOST_IP=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
TOKEN="$(kubectl get secret serviceaccounttoken -n cert-manager -o go-template='{{ .data.token }}' | base64 -d)"

vault write auth/${VAULT_AUTH_NAMESPACE}/role/cert-manager \
    bound_service_account_names=cert-manager \
    bound_service_account_namespaces=cert-manager \
    policies=cert-manager \
    ttl=24h

vault write auth/${VAULT_AUTH_NAMESPACE}/login role=cert-manager jwt=${TOKEN} iss=https://${HOST_IP}:6443

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install \
	cert-manager \
	jetstack/cert-manager \
	-n cert-manager \
	--version ${CHART_VERSION} \
	--set installCRDs=true \
	--create-namespace \
	--cleanup-on-fail

cat <<EOH | kubectl apply -f -
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: serviceaccounttoken
  namespace: cert-manager
  annotations:
    kubernetes.io/service-account.name: "cert-manager"
...
EOH

helm upgrade -install \
        cert-manager-csi-driver \
        jetstack/cert-manager-csi-driver \
        -n ${NAMESPACE} \
        --wait \
        --cleanup-on-fail

git clone https://github.com/kelvie/cert-manager-webhook-namecheap

pushd cert-manager-webhook-namecheap
helm upgrade --install \
        -n ${NAMESPACE} \
        namecheap-webhook \
        deploy/cert-manager-webhook-namecheap/ \
        --wait \
        --cleanup-on-fail

helm upgrade --install \
        -n ${NAMESPACE} \
        --set email=${EMAIL} \
        letsencrypt-namecheap-issuer \
        deploy/letsencrypt-namecheap-issuer/ \
        --wait \
        --cleanup-on-fail
popd

rm -rf cert-manager-webhook-namecheap

kubectl apply -f issuers.yaml