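---
# Shared storage for the certbot output (/etc/letsencrypt holds the ACME
# account key and the issued private key) and for the ACME http-01 webroot.
# Both claims are ReadWriteMany on rook-cephfs so the two nginx pods and the
# certbot Job below can mount them at the same time.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tls1-letsencrypt-certs
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 50Mi
  storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tls1-webroot
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Mi
  storageClassName: rook-cephfs
---
# Plain-HTTP nginx: serves the shared webroot so the ACME server can fetch the
# /.well-known/acme-challenge/ token written there by the certbot Job.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tls1-http
spec:
  selector:
    matchLabels:
      app: tls1-nginx
      # Label values must be strings. A bare yes/no is decoded as a boolean by
      # the Kubernetes YAML loader and the manifest is rejected, so quote it.
      ssl: "no"
  replicas: 1
  template:
    metadata:
      labels:
        app: tls1-nginx
        ssl: "no"
    spec:
      containers:
        - name: nginx-80
          image: nginx:1.20.0-alpine
          ports:
            - containerPort: 80
          volumeMounts:
            - name: nginx-config-80
              mountPath: "/etc/nginx/conf.d/"
            # nginx only reads these volumes; certbot is the sole writer.
            # Read-only mounts keep a compromised web server from altering the
            # key material or the challenge directory.
            # NOTE(review): the port-80 server should not need /etc/letsencrypt
            # at all; drop this mount unless nginx-80-config references it.
            - name: etcletsencrypt
              mountPath: "/etc/letsencrypt"
              readOnly: true
            - name: webroot
              mountPath: "/usr/share/nginx/html"
              readOnly: true
      volumes:
        - name: nginx-config-80
          configMap:
            name: nginx-80-config
        - name: etcletsencrypt
          persistentVolumeClaim:
            claimName: tls1-letsencrypt-certs
        - name: webroot
          persistentVolumeClaim:
            claimName: tls1-webroot
---
# HTTPS nginx: reads the certificate and key issued into the shared
# /etc/letsencrypt volume (the nginx-443-config ConfigMap is not shown here).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tls1-https
spec:
  selector:
    matchLabels:
      app: tls1-nginx
      # Quoted for the same reason as the "no" label above.
      ssl: "yes"
  replicas: 1
  template:
    metadata:
      labels:
        app: tls1-nginx
        ssl: "yes"
    spec:
      containers:
        - name: nginx-443
          image: nginx:1.20.0-alpine
          ports:
            - containerPort: 443
          volumeMounts:
            - name: nginx-config-443
              mountPath: "/etc/nginx/conf.d/"
            # Read-only: nginx needs to load the key but never to write it.
            - name: etcletsencrypt
              mountPath: "/etc/letsencrypt"
              readOnly: true
            - name: webroot
              mountPath: "/usr/share/nginx/html"
              readOnly: true
      volumes:
        - name: nginx-config-443
          configMap:
            name: nginx-443-config
        - name: etcletsencrypt
          persistentVolumeClaim:
            claimName: tls1-letsencrypt-certs
        - name: webroot
          persistentVolumeClaim:
            claimName: tls1-webroot
---
# Single Service exposing both ports; its in-cluster DNS name is the subject of
# the certificate requested by the Job below.
# NOTE(review): the selector matches the pods of both Deployments, so the
# endpoints for port 80 include the pod whose containerPort is only 443 and
# vice versa. Unless each nginx ConfigMap listens on both ports, a share of the
# connections to either port (including the ACME http-01 validation on port
# 80) will be refused. Confirm the configs, or run nginx-80 and nginx-443 as two
# containers in one pod so every endpoint serves both ports.
apiVersion: v1
kind: Service
metadata:
  name: tls1
  labels:
    app: tls1
spec:
  type: ClusterIP
  ports:
    - port: 80
      name: http
    - port: 443
      name: https
  selector:
    app: tls1-nginx
---
# One-shot certificate request. certbot writes the challenge token into the
# shared webroot (served by tls1-http) and the resulting certificate and key
# into the shared /etc/letsencrypt volume (read by tls1-https).
apiVersion: batch/v1
kind: Job
metadata:
  name: tls1-getcert
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: certbot
          # TODO(review): an untagged image resolves to a mutable :latest; pin
          # a tag or digest so re-runs of the Job cannot silently pull a
          # different build of the tool that handles the private key.
          image: ungleich/ungleich-certbot
          command:
            - certbot
            - certonly
            - --agree-tos
            - --cert-name
            - 'tls1.default.svc.c2.k8s.ooo'
            - --email
            - sre@ungleich.ch
            - --expand
            - --non-interactive
            - --webroot
            - --webroot-path
            - /usr/share/nginx/html
            - --domain
            - 'tls1.default.svc.c2.k8s.ooo'
            # --staging requests from the Let's Encrypt staging CA: useful to
            # avoid production rate limits while testing, but the issued
            # certificate is not trusted by clients. Remove it for a real cert.
            - --staging
          volumeMounts:
            - name: etcletsencrypt
              mountPath: "/etc/letsencrypt"
            - name: webroot
              mountPath: "/usr/share/nginx/html"
      volumes:
        - name: etcletsencrypt
          persistentVolumeClaim:
            claimName: tls1-letsencrypt-certs
        - name: webroot
          persistentVolumeClaim:
            claimName: tls1-webroot
  backoffLimit: 3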