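{{- /*
Pre-install hook, active only for installMode=host with certs.mode=auto.

It renders a ConfigMap of manifests whose certificate fields hold placeholder
tokens (ca_crt, crt, key, front_proxy_ca_crt, front_proxy_crt, front_proxy_key
wrapped in double braces; the `print` calls below keep Helm from evaluating
them), then runs a Job whose init container generates the CA / API-server /
front-proxy key material with openssl and cfssl, substitutes the tokens with
base64 values, and whose main container applies the result with kubectl.

Hook order (helm.sh/hook-weight): ServiceAccount + RBAC (1) -> ConfigMap (2) -> Job (3).
*/ -}}
{{- if and (eq .Values.installMode "host") (eq .Values.certs.mode "auto") }}
{{- $name := include "karmada.name" . -}}
{{- $namespace := include "karmada.namespace" . -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ $name }}-config
  namespace: {{ $namespace }}
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "2"
# Every entry is a complete manifest. Only placeholder tokens are stored here,
# never key material, so this ConfigMap persisting after the hook is harmless.
data:
  cert.yaml: |-
    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ $name }}-cert
      namespace: {{ $namespace }}
    type: Opaque
    data:
      server-ca.crt: |-
        {{ print "{{ ca_crt }}" }}
      karmada.crt: |-
        {{ print "{{ crt }}" }}
      karmada.key: |-
        {{ print "{{ key }}" }}
      front-proxy-ca.crt: |-
        {{ print "{{ front_proxy_ca_crt }}" }}
      front-proxy-client.crt: |-
        {{ print "{{ front_proxy_crt }}" }}
      front-proxy-client.key: |-
        {{ print "{{ front_proxy_key }}" }}
  # The webhook serves with the same certificate as the API server client
  # identity (crt/key), so its SANs come from .Values.certs.auto.hosts too.
  webhook-cert.yaml: |-
    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ $name }}-webhook-cert
      namespace: {{ $namespace }}
    type: kubernetes.io/tls
    data:
      tls.crt: |-
        {{ print "{{ crt }}" }}
      tls.key: |-
        {{ print "{{ key }}" }}
  # Admin kubeconfig for the Karmada API server; TLS verification is pinned to
  # the generated CA (insecure-skip-tls-verify stays false).
  kubeconfig.yaml: |-
    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ $name }}-kubeconfig
      namespace: {{ $namespace }}
    stringData:
      kubeconfig: |-
        apiVersion: v1
        kind: Config
        clusters:
        - cluster:
            certificate-authority-data: {{ print "{{ ca_crt }}" }}
            insecure-skip-tls-verify: false
            server: https://{{ $name }}-apiserver.{{ $namespace }}.svc.{{ .Values.clusterDomain }}:5443
          name: {{ $name }}-apiserver
        users:
        - user:
            client-certificate-data: {{ print "{{ crt }}" }}
            client-key-data: {{ print "{{ key }}" }}
          name: {{ $name }}-apiserver
        contexts:
        - context:
            cluster: {{ $name }}-apiserver
            user: {{ $name }}-apiserver
          name: {{ $name }}-apiserver
        current-context: {{ $name }}-apiserver
  # Keys are emitted via nindent so the included manifests land at the right
  # depth inside this block scalar (key at 6, body at 8).
  static-resources-configmaps.yaml: |-
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: {{ $name }}-static-resources
      namespace: {{ $namespace }}
    data:
      {{- print "webhook-configuration.yaml: " | nindent 6 }} |-
        {{- include "karmada.webhook.configuration" . | nindent 8 }}
      {{- print "system-namespace.yaml: " | nindent 6 }} |-
        {{- include "karmada.systemNamespace" . | nindent 8 }}
      {{- print "karmada-aggregated-apiserver-apiservice.yaml: " | nindent 6 }} |-
        {{- include "karmada.apiservice" . | nindent 8 }}
      {{- print "cluster-proxy-admin-rbac.yaml: " | nindent 6 }} |-
        {{- include "karmada.proxyRbac" . | nindent 8 }}
  # One data entry per file under _crds/; the range variable is deliberately
  # not called $name so it cannot be confused with the release name above.
  crds-configmaps.yaml: |-
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: {{ $name }}-crds
      namespace: {{ $namespace }}
    data:
      {{ range $path, $bytes := .Files.Glob (printf "_crds/**")}}
      {{ $fileName := base $path }}
      {{- (printf "%s: " $fileName) | nindent 6 }} |-
        {{- $.Files.Get $path | nindent 8 }}
      {{ end }}
  crds-bases-configmaps.yaml: |-
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: {{ $name }}-crds-bases
      namespace: {{ $namespace }}
    data:
      {{ range $path, $bytes := .Files.Glob (printf "_crds/bases/**")}}
      {{ $fileName := base $path }}
      {{- (printf "%s: " $fileName) | nindent 6 }} |-
        {{- $.Files.Get $path | nindent 8 }}
      {{ end }}
  crds-patches-configmaps.yaml: |-
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: {{ $name }}-crds-patches
      namespace: {{ $namespace }}
    data:
      {{- print "webhook_in_clusterresourcebindings.yaml: " | nindent 6 }} |-
        {{- include "karmada.crd.patch.webhook.clusterresourcebinding" . | nindent 8 }}
      {{- print "webhook_in_resourcebindings.yaml: " | nindent 6 }} |-
        {{- include "karmada.crd.patch.webhook.resourcebinding" . | nindent 8 }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: "{{ $name }}-pre-install"
  namespace: {{ $namespace }}
  annotations:
    # This is what defines this resource as a hook. Without this line, the
    # job is considered part of the release.
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "3"
    # A failed Job (and its pod log) is kept for debugging; see the xtrace
    # handling in the init script for why that log must not carry keys.
    "helm.sh/hook-delete-policy": hook-succeeded
spec:
  parallelism: 1
  completions: 1
  template:
    metadata:
      name: {{ $name }}
      labels:
        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
        app.kubernetes.io/instance: {{ $name | quote }}
        helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    spec:
      serviceAccountName: {{ $name }}-pre-job
      restartPolicy: Never
      initContainers:
      # Generates all key material and rewrites the placeholder tokens in the
      # copied manifests. Private keys only ever exist in this container's
      # filesystem and in the rendered Secrets on the "configs" emptyDir.
      - name: init
        image: {{ .Values.preInstallJob.initContainerImage }}
        imagePullPolicy: IfNotPresent
        workingDir: /opt/mount
        command:
        - /bin/sh
        - -c
        - |
          bash <<'EOF'
          # pipefail: a cfssl failure inside "cfssl ... | cfssljson" must fail
          # the job instead of being masked by cfssljson's exit status.
          set -e -o pipefail
          # xtrace is fine for the generation steps: none of these command
          # lines carry key material.
          set -x
          mkdir -p /opt/configs
          mkdir -p /opt/certs
          # -L dereferences the ConfigMap volume's symlinked files so sed -i
          # rewrites plain files in the writable emptyDir.
          cp -r -L /opt/mount/* /opt/configs/
          # CA lifetime is fixed at 365 days here while leaf expiry comes from
          # .Values.certs.auto.expiry; leaf certificates are not useful past
          # the CA's own expiry. TODO confirm whether the CA term should follow
          # the same value.
          openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/server-ca.key" -out "/opt/certs/server-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
          openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/front-proxy-ca.key" -out "/opt/certs/front-proxy-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
          # Leaf certs carry both client auth and server auth so one pair
          # serves the API server endpoint, the webhook and the admin client.
          echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/server-ca-config.json"
          echo '{"CN":"system:admin","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/server-ca.crt -ca-key=/opt/certs/server-ca.key -config=/opt/certs/server-ca-config.json - | cfssljson -bare /opt/certs/karmada
          echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/front-proxy-ca-config.json"
          # NOTE(review): the front-proxy client identity is also placed in
          # O=system:masters; presumably only the CN is consulted by the
          # aggregation layer, so a narrower group would likely suffice — confirm
          # before changing.
          echo '{"CN":"front-proxy-client","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/front-proxy-ca.crt -ca-key=/opt/certs/front-proxy-ca.key -config=/opt/certs/front-proxy-ca-config.json - | cfssljson -bare /opt/certs/front-proxy-client
          # From here on the private keys appear on command lines (variable
          # assignments and sed arguments). With xtrace still on, bash would
          # print them to the container log, which outlives the pod in any log
          # pipeline and is readable by anyone with pods/log in the namespace.
          set +x
          karmada_ca=$(base64 /opt/certs/server-ca.crt | tr -d '\r\n')
          karmada_crt=$(base64 /opt/certs/karmada.pem | tr -d '\r\n')
          karmada_key=$(base64 /opt/certs/karmada-key.pem | tr -d '\r\n')
          front_proxy_ca=$(base64 /opt/certs/front-proxy-ca.crt | tr -d '\r\n')
          front_proxy_client_crt=$(base64 /opt/certs/front-proxy-client.pem | tr -d '\r\n')
          front_proxy_client_key=$(base64 /opt/certs/front-proxy-client-key.pem | tr -d '\r\n')
          # The sed delimiter is '|' rather than '/': standard base64 output
          # uses A-Z a-z 0-9 + / =, so a '/' in the replacement would end the
          # s-command early and make sed reject it ("unknown option to s").
          sed -i'' -e "s|{{ print "{{ ca_crt }}" }}|${karmada_ca}|g" /opt/configs/cert.yaml
          sed -i'' -e "s|{{ print "{{ crt }}" }}|${karmada_crt}|g" /opt/configs/cert.yaml
          sed -i'' -e "s|{{ print "{{ key }}" }}|${karmada_key}|g" /opt/configs/cert.yaml
          sed -i'' -e "s|{{ print "{{ front_proxy_ca_crt }}" }}|${front_proxy_ca}|g" /opt/configs/cert.yaml
          sed -i'' -e "s|{{ print "{{ front_proxy_crt }}" }}|${front_proxy_client_crt}|g" /opt/configs/cert.yaml
          sed -i'' -e "s|{{ print "{{ front_proxy_key }}" }}|${front_proxy_client_key}|g" /opt/configs/cert.yaml
          sed -i'' -e "s|{{ print "{{ ca_crt }}" }}|${karmada_ca}|g" /opt/configs/kubeconfig.yaml
          sed -i'' -e "s|{{ print "{{ crt }}" }}|${karmada_crt}|g" /opt/configs/kubeconfig.yaml
          sed -i'' -e "s|{{ print "{{ key }}" }}|${karmada_key}|g" /opt/configs/kubeconfig.yaml
          sed -i'' -e "s|{{ print "{{ crt }}" }}|${karmada_crt}|g" /opt/configs/webhook-cert.yaml
          sed -i'' -e "s|{{ print "{{ key }}" }}|${karmada_key}|g" /opt/configs/webhook-cert.yaml
          # Only the CA bundle (public) goes into the webhook/CRD manifests.
          sed -i'' -e "s|{{ print "{{ ca_crt }}" }}|${karmada_ca}|g" /opt/configs/static-resources-configmaps.yaml
          sed -i'' -e "s|{{ print "{{ ca_crt }}" }}|${karmada_ca}|g" /opt/configs/crds-patches-configmaps.yaml
          EOF
        volumeMounts:
        - name: mount
          mountPath: /opt/mount
        - name: configs
          mountPath: /opt/configs
      containers:
      # Applies the finished manifests; kubectl only prints resource names,
      # so xtrace is safe here.
      - name: pre-install
        image: {{ .Values.preInstallJob.preInstallContainerImage }}
        imagePullPolicy: IfNotPresent
        workingDir: /opt/mount
        command:
        - /bin/sh
        - -c
        - |
          bash <<'EOF'
          set -ex
          kubectl apply --server-side -f /opt/configs/
          EOF
        volumeMounts:
        - name: mount
          mountPath: /opt/mount
        - name: configs
          mountPath: /opt/configs
      volumes:
      - name: mount
        configMap:
          name: {{ $name }}-config
      # Holds the rendered Secrets (base64 private keys) for the pod's lifetime.
      # A memory-backed emptyDir (medium: Memory) would keep that material off
      # the node's disk; left as-is here to avoid changing resource accounting.
      - name: configs
        emptyDir: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $name }}-pre-job
  namespace: {{ $namespace }}
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "1"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $name }}-pre-job
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "1"
# NOTE(review): this is effectively cluster-admin. The Job applies CRDs, an
# APIService, webhook configurations, a namespace, Secrets, ConfigMaps and the
# cluster-proxy RBAC, and creating RBAC objects requires the caller to already
# hold what it grants, which is presumably why '*' is used. None of these hook
# resources carry a hook-delete-policy, so the ServiceAccount keeps this
# binding after install and anyone who can obtain its token in the release
# namespace inherits it. hook-succeeded would likely have Helm remove the
# ServiceAccount before the weight-3 Job runs, so cleanup has to happen after
# the Job instead; narrowing the rule set is worth doing once the exact
# resources are confirmed.
rules:
- apiGroups: ['*']
  resources: ['*']
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- nonResourceURLs: ['*']
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $name }}-pre-job
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "1"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ $name }}-pre-job
subjects:
- kind: ServiceAccount
  name: {{ $name }}-pre-job
  namespace: {{ $namespace }}
---
{{- end }}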