#!/bin/sh

set -e

[[- $c := merge .kafka .]]
[[ template "common/vault.mkpki.sh" $c ]]

# Role for the brokers
vault write [[ $c.vault.pki.path ]]/roles/[[ .instance ]]-broker \
  allowed_domains="[[ .instance ]]-broker[[ .consul.suffix ]],[[ .instance ]]-broker[[ .consul.suffix ]].service.[[ .consul.domain ]]" \
  allow_bare_domains=true \
  allow_subdomains=true \
  allow_localhost=true \
  allow_ip_sans=true \
  server_flag=true \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=720h \
  ou="[[ $c.vault.pki.ou ]]"

# Role for the prometheus exporter
vault write [[ $c.vault.pki.path ]]/roles/[[ .instance ]]-exporter \
  allowed_domains="[[ .instance ]]-exporter" \
  allow_bare_domains=true \
  allow_subdomains=false \
  allow_localhost=false \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=72h \
  ou="[[ $c.vault.pki.ou ]]"

# Role for Jikkou (topic and ACL management tool)
vault write [[ $c.vault.pki.path ]]/roles/[[ .instance ]]-jikkou \
  allowed_domains="[[ .instance ]]-jikkou" \
  allow_bare_domains=true \
  allow_subdomains=false \
  allow_localhost=false \
  allow_ip_sans=false \
  server_flag=false \
  client_flag=true \
  allow_wildcard_certificates=false \
  max_ttl=1h \
  ou="[[ $c.vault.pki.ou ]]"