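{{ if and .Values.headscale.keys.create (not .Values.headscale.keys.existingSecret ) }}
{{- /*
Bootstraps the headscale private keys (wireguard, noise, derp) into a Secret.

Rendered only when key generation is enabled and no existing Secret is
supplied. A pre-install/pre-upgrade hook Job generates the keys with the
headscale binary (init container), then stores each one into the Secret with
kubectl (main container). Keys already present in the Secret are left
untouched, so re-running the hook on upgrade does not rotate them.

NOTE(review): the Secret below carries no hook annotation, so on a fresh
install Helm creates it only after the pre-install hook has run; the Job's
`kubectl get secret` would then fail. Confirm behaviour on a clean install.
*/ -}}
{{- $name := (print ( include "headscale.fullname" . ) "-keys") }}
{{- $secretName := (print ( include "headscale.fullname" . ) "-keys") }}
---
# Holds the generated keys. `keep` tells Helm not to delete it on uninstall.
apiVersion: v1
kind: Secret
metadata:
  annotations:
    helm.sh/resource-policy: keep
  name: {{ $name }}
type: Opaque
---
# Identity used by the hook Job; recreated on every hook run.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $name }}
  labels:
    app.kubernetes.io/component: keys-job
    {{- include "headscale.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": "pre-install,pre-upgrade"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
---
# Least privilege: the Job may only read and modify the one keys Secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $name }}
  labels:
    app.kubernetes.io/component: keys-job
    {{- include "headscale.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": "pre-install,pre-upgrade"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - {{ $secretName }}
    verbs:
      - get
      - update
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $name }}
  labels:
    app.kubernetes.io/component: keys-job
    {{- include "headscale.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": "pre-install,pre-upgrade"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $name }}
subjects:
  - kind: ServiceAccount
    name: {{ $name }}
    namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ $name }}
  labels:
    {{- include "headscale.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": "pre-install,pre-upgrade"
    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
spec:
  parallelism: 1
  completions: 1
  backoffLimit: 1
  template:
    spec:
      restartPolicy: "Never"
      # `serviceAccount` is the deprecated alias of this field.
      serviceAccountName: {{ $name }}
      initContainers:
        # Generates the three private keys into the shared scratch volume.
        - name: generate-key
          {{- with .Values.image }}
          image: "{{ .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}-debug"
          {{- end }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - sh
            - -c
            - |
              set -e
              echo "generate private-keys"
              headscale generate private-key --output json > /etc/headscale/secrets/wireguard.json
              headscale generate private-key --output json > /etc/headscale/secrets/noise.json
              headscale generate private-key --output json > /etc/headscale/secrets/derp.json
              ls /etc/headscale/secrets/
          volumeMounts:
            - name: config
              mountPath: "/etc/headscale"
              readOnly: true
            - name: secrets
              mountPath: "/etc/headscale/secrets"
      containers:
        # Uploads any key not yet present in the Secret.
        - name: upload-key
          # TODO(review): pin to a tag or digest; an untagged image floats.
          image: bitnami/kubectl
          command:
            - sh
            - -c
            - |
              # Abort on the first failing command so a failed patch cannot be
              # reported as success.
              set -e

              # Store one key in the Secret: $1 is the data key, $2 the
              # base64-encoded value.
              patch_key() {
                kubectl patch secret {{ $secretName }} -p "{\"data\":{\"$1\":\"$2\"}}" \
                  || { echo "Failed to update secret."; exit 1; }
              }

              # Read what is already stored so existing keys are never overwritten.
              if ! key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data}" 2> /dev/null); then
                echo "Failed to get existing secret"
                exit 1
              fi

              # wireguard.key: only the part after the first ':' is stored.
              if ! echo "$key" | jq -e 'has("wireguard.key")' 2> /dev/null ; then
                echo "store wireguard.key"
                patch_key wireguard.key "$(jq -r '.["private_key"] | split(":")[1] | @base64' /etc/headscale/secrets/wireguard.json)"
              fi

              # noise.key: stored as printed by headscale; an existing value
              # without the "privkey" prefix is rewritten with it.
              if ! echo "$key" | jq -e 'has("noise.key")' 2> /dev/null ; then
                echo "store noise.key"
                patch_key noise.key "$(jq -r '.["private_key"] | @base64' /etc/headscale/secrets/noise.json)"
              elif ! echo "$key" | jq -e '.["noise.key"] |@base64d | contains("privkey")' 2> /dev/null ; then
                echo "patch noise.key"
                newKey="privkey:$(echo "$key" | jq -r '.["noise.key"]|@base64d')"
                patch_key noise.key "$(echo "$newKey" | base64 -w0)"
              fi

              # derp.key: stored as printed by headscale.
              if ! echo "$key" | jq -e 'has("derp.key")' 2> /dev/null ; then
                echo "store derp.key"
                patch_key derp.key "$(jq -r '.["private_key"] | @base64' /etc/headscale/secrets/derp.json)"
              fi

              echo "Signing key successfully created."
          volumeMounts:
            - name: secrets
              mountPath: /etc/headscale/secrets
              readOnly: true
      volumes:
        - name: config
          secret:
            secretName: {{ include "headscale.fullname" . }}
            items:
              - key: "config.yaml"
                path: "config.yaml"
        # Scratch space for the freshly generated keys. Memory-backed so the
        # private keys are never written to the node's disk.
        - name: secrets
          emptyDir:
            medium: Memory
{{ end }}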