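---
# Monthly job that logs in to the router's web UI and uploads the TLS key pair
# that cert-manager maintains in the `router-gmem-ca` Secret (see the
# Certificate document below). Credentials and the healthcheck UUID are read
# from the environment (`envFrom`).
apiVersion: batch/v1
kind: CronJob
metadata:
  name: router-cert
  namespace: default
spec:
  jobTemplate:
    spec:
      # NOTE(review): backoffLimit is left at the Job default, so a failing run
      # is retried and each retry logs in to the router again. Confirm that is
      # acceptable for the router's login throttling.
      template:
        spec:
          # The script only runs curl against the router and the healthcheck
          # endpoint; it never talks to the Kubernetes API, so no service
          # account token is mounted next to the router credentials.
          automountServiceAccountToken: false
          volumes:
            - secret:
                secretName: router-gmem-ca
              name: cert
          containers:
            - command:
                - /bin/bash
                - -c
                - |
                  # Stop at the first failing step so the success ping at the
                  # end is only sent after login and upload went through.
                  set -euo pipefail

                  # Refuse to run with missing or empty configuration.
                  : "${BASE_URL:?}" "${HEALTHCHECKS_UUID:?}"
                  : "${LOGIN_USERNAME:?}" "${LOGIN_PASSWORD:?}"

                  # NOTE(security): -k disables TLS certificate verification on
                  # the requests that carry the admin credentials, the session
                  # cookie and the private key, so the job cannot tell the
                  # router from a host impersonating it. Presumably it is here
                  # for the first run, before the router serves the issued
                  # certificate; confirm, then drop -k or pin the router with
                  # --cacert / --pinnedpubkey.

                  # Always end the router session and delete the cookie jar,
                  # including when a step fails.
                  cleanup() {
                    curl "https://${BASE_URL}/Logout.asp" \
                      -H "Referer: https://${BASE_URL}/index.asp" \
                      -b /tmp/cookie.txt -k || true
                    rm -f /tmp/cookie.txt
                  }

                  # Best-effort: a monitoring outage must not block rotation.
                  curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}/start" || true

                  # printf avoids echo's option parsing on unusual usernames.
                  LOGIN=$(printf '%s:%s' "${LOGIN_USERNAME}" "${LOGIN_PASSWORD}" | base64 -w0)

                  trap cleanup EXIT

                  # --fail turns HTTP 4xx/5xx into a non-zero exit. Whether the
                  # router reports a rejected login or upload through the status
                  # code cannot be told from this file; verify on the device.
                  curl --fail "https://${BASE_URL}/login.cgi" \
                    -H "Content-Type: application/x-www-form-urlencoded" \
                    -H "Referer: https://${BASE_URL}/Main_Login.asp" \
                    --data-urlencode "login_authorization=${LOGIN}" \
                    -c /tmp/cookie.txt -k

                  curl --fail "https://${BASE_URL}/upload_cert_key.cgi" \
                    -H "Referer: https://${BASE_URL}/Advanced_ASUSDDNS_Content.asp" \
                    -F "file_key=@/data/tls.key" \
                    -F "file_cert=@/data/tls.crt" \
                    -F "le_enable=2" \
                    -b /tmp/cookie.txt -k

                  curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}"
              envFrom:
                - configMapRef:
                    name: router-cert
                - secretRef:
                    name: router-cert
              # NOTE(review): no tag or digest is given, so the registry's
              # default tag is pulled. Pin a tag or digest so the image that
              # handles the router credentials and private key is a reviewed
              # one.
              image: git.gmem.ca/arch/kutils
              name: upload-certificate
              volumeMounts:
                - mountPath: /data
                  name: cert
                  # The job only reads tls.key / tls.crt.
                  readOnly: true
          restartPolicy: Never
  schedule: "0 0 1 * *"
---
# Certificate for the router's hostname; cert-manager writes the key pair to
# the `router-gmem-ca` Secret that the CronJob above mounts at /data.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: router-gmem-ca
  namespace: default
spec:
  # Secret names are always required.
  secretName: router-gmem-ca
  duration: 2160h  # 90d
  renewBefore: 360h  # 15d
  dnsNames:
    - router.gmem.ca
  issuerRef:
    name: le-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: ClusterIssuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io
---
# Non-secret settings for the upload job (consumed through `configMapRef`).
apiVersion: v1
kind: ConfigMap
metadata:
  name: router-cert
  namespace: default
data:
  BASE_URL: router.gmem.ca
---
# Syncs the Vault kv-v2 entry `default/router-cert` into the `router-cert`
# Secret that the upload job reads through `secretRef`.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: router-cert
  namespace: default
spec:
  destination:
    create: true
    name: router-cert
  mount: kv
  path: default/router-cert
  refreshAfter: 30s
  type: kv-v2
  vaultAuthRef: vault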