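# PKI mount for etcd-ca.
#
# NOTE(review): the root key on this mount signs leaf certificates
# directly (there is no intermediate). Vault's recommended layout is a
# root that only signs an intermediate, with the intermediate mount doing
# day-to-day issuance, so the root key stays out of the issuing path and
# can be rotated/revoked independently. Consider splitting before this
# CA is trusted by more than the etcd members.
resource "vault_mount" "k8s_etcd_ca" {
  path        = "k8s/etcd-ca"
  type        = "pki"
  description = "PKI for k8s etcd certificates"

  # 10 years (counted as 365-day years). This also caps the TTL of the
  # root certificate generated below.
  max_lease_ttl_seconds = 86400 * 365 * 10
}

# Generate the root CA for etcd.
# type = "internal" keeps the private key inside Vault; it is never
# returned through the API.
resource "vault_pki_secret_backend_root_cert" "etcd_ca_root" {
  backend     = vault_mount.k8s_etcd_ca.path
  type        = "internal"
  common_name = "etcd-ca"
  # Must not exceed the mount's max_lease_ttl_seconds (same value).
  ttl         = 86400 * 365 * 10
  key_type    = "rsa"
  key_bits    = 4096
}

# PKI role for kube-etcd (etcd serving/client certificate).
#
# Name-matching notes that apply to all four roles in this file:
#
#   * allow_bare_domains: Vault only accepts a requested CN/SAN that is
#     *exactly* an allowed_domains entry (e.g. "kube-etcd") when
#     allow_bare_domains is true; allow_subdomains and allow_glob_domains
#     do not cover the bare name. The roles previously left it at its
#     default (false), so a request for the role's own CN would be
#     rejected as "common name not allowed by this role". It is set
#     explicitly here.
#
#   * "*.main.unkin.net" with allow_glob_domains = true is broad: Vault's
#     glob matching treats "*" as any run of characters, dots included
#     (confirm against the Vault version in use), so any principal allowed
#     to use this role can obtain a certificate for any host under
#     main.unkin.net, i.e. impersonate any other etcd member. Replace the
#     glob with the concrete etcd member names once they are known.
resource "vault_pki_secret_backend_role" "kube_etcd" {
  backend = vault_mount.k8s_etcd_ca.path
  name    = "kube-etcd"

  allowed_domains    = ["kube-etcd", "*.main.unkin.net", "localhost"]
  allow_bare_domains = true
  allow_ip_sans      = true
  enforce_hostnames  = true
  allow_subdomains   = true
  allow_glob_domains = true
  allow_localhost    = true

  # 90-day leaf lifetime; renew well before expiry.
  max_ttl = 86400 * 90
  ttl     = 86400 * 90

  key_usage   = ["DigitalSignature", "KeyEncipherment"]
  server_flag = true
  client_flag = true
}

# PKI role for kube-etcd-peer (etcd peer-to-peer TLS).
# Same shape as kube_etcd; see the notes above that resource.
resource "vault_pki_secret_backend_role" "kube_etcd_peer" {
  backend = vault_mount.k8s_etcd_ca.path
  name    = "kube-etcd-peer"

  allowed_domains    = ["kube-etcd-peer", "*.main.unkin.net", "localhost"]
  allow_bare_domains = true
  allow_ip_sans      = true
  enforce_hostnames  = true
  allow_subdomains   = true
  allow_glob_domains = true
  allow_localhost    = true

  max_ttl = 86400 * 90
  ttl     = 86400 * 90

  key_usage   = ["DigitalSignature", "KeyEncipherment"]
  server_flag = true
  client_flag = true
}

# PKI role for kube-etcd-healthcheck-client (client-auth only).
#
# server_flag = false means a certificate from this role cannot be used to
# stand up an etcd listener. NOTE(review): a pure client certificate does
# not need allow_ip_sans / allow_localhost / the node glob; they are kept
# to preserve current behaviour, but tightening allowed_domains to just
# the CN would be the least-privilege shape.
resource "vault_pki_secret_backend_role" "kube_etcd_healthcheck_client" {
  backend = vault_mount.k8s_etcd_ca.path
  name    = "kube-etcd-healthcheck-client"

  allowed_domains    = ["kube-etcd-healthcheck-client", "*.main.unkin.net", "localhost"]
  allow_bare_domains = true
  allow_ip_sans      = true
  enforce_hostnames  = true
  allow_subdomains   = true
  allow_glob_domains = true
  allow_localhost    = true

  max_ttl = 86400 * 90
  ttl     = 86400 * 90

  key_usage   = ["DigitalSignature", "KeyEncipherment"]
  server_flag = false
  client_flag = true
}

# PKI role for kube-apiserver-etcd-client (kube-apiserver -> etcd, client
# auth only). Same least-privilege remark as the healthcheck role.
#
# The Terraform resource name uses hyphens while its siblings use
# underscores. It is left as-is on purpose: renaming it changes the state
# address and would destroy/recreate the role unless paired with a
# `moved` block.
resource "vault_pki_secret_backend_role" "kube-apiserver-etcd-client" {
  backend = vault_mount.k8s_etcd_ca.path
  name    = "kube-apiserver-etcd-client"

  allowed_domains    = ["kube-apiserver-etcd-client", "*.main.unkin.net", "localhost"]
  allow_bare_domains = true
  allow_ip_sans      = true
  enforce_hostnames  = true
  allow_subdomains   = true
  allow_glob_domains = true
  allow_localhost    = true

  max_ttl = 86400 * 90
  ttl     = 86400 * 90

  key_usage   = ["DigitalSignature", "KeyEncipherment"]
  server_flag = false
  client_flag = true
}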