package http

import (
	"context"
	"crypto/x509"
	"fmt"
	"strings"
	"sync"

	"knative.dev/func/pkg/k8s"
)

const openShiftRegistryHost = "image-registry.openshift-image-registry.svc"

// WithOpenShiftServiceCA enables trust to OpenShift's service CA for internal image registry
func WithOpenShiftServiceCA() Option {
	var err error
	var ca *x509.Certificate
	var o sync.Once

	selectCA := func(ctx context.Context, serverName string) (*x509.Certificate, error) {
		if strings.HasPrefix(serverName, openShiftRegistryHost) {
			o.Do(func() {
				ca, err = k8s.GetOpenShiftServiceCA(ctx)
				if err != nil {
					err = fmt.Errorf("cannot get CA: %w", err)
				}
			})
			if err != nil {
				return nil, err
			}
			return ca, nil
		}
		return nil, nil
	}

	return WithSelectCA(selectCA)
}