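#!/bin/bash

# https://cloud.yandex.ru/docs/managed-kubernetes/solutions/kubernetes-lockbox-secrets#configure-k8s

# Retrieve key from Yandex Vault and save it as /tmp/$KEY_FILE_NAME before
# running this script. The script then creates the secrets the SecretStore
# manifests below refer to: secret-store-auth (the authorized key) and, for
# preprod/testing, ya-internal-root-ca (the internal root CA certificate).

# Stop at the first failed command or unset variable; without this a failed
# download or a missing key file still ends in a secret being created from
# an empty or stale file.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Uncomment what needed.

# Prod and preprod.
#export KEY_FILE_NAME="yc-walle-preprod-external-secrets-operator-sa-key.json"
# Testing.
export KEY_FILE_NAME="yc-walle-testing-external-secrets-operator-sa-testing-key.json"

# The authorized key is a long-lived service-account credential: check it is
# really there before touching the cluster. /tmp is shared with other local
# users, so keep the file's mode restrictive and delete it once the secret exists.
key_file="/tmp/${KEY_FILE_NAME}"
[[ -f "$key_file" ]] || die "key file not found: $key_file"

# Private scratch directory for the downloaded CA certificate. A fixed
# /tmp/YandexInternalRootCA.crt path could be pre-created or swapped by another
# local user between the download and the secret creation; mktemp -d avoids
# that, and the trap removes the directory on every exit path.
tmpdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

# For using api.cloud-preprod.yandex.net in preprod and testing secret store.
# Comment out if not needed. The secret's key is the file's basename
# (YandexInternalRootCA.crt), which the preprod/testing manifest references.
ca_file="${tmpdir}/YandexInternalRootCA.crt"
wget --https-only https://crls.yandex.net/YandexInternalRootCA.crt -O "$ca_file" \
  || die "failed to download YandexInternalRootCA.crt"
kubectl create secret generic ya-internal-root-ca \
        --from-file="$ca_file"

kubectl create secret generic secret-store-auth \
    --from-file=authorized-key="$key_file"

# Prod.
#kubectl apply -f - <<< '
#apiVersion: external-secrets.io/v1beta1
#kind: SecretStore
#metadata:
#  name: secret-store
#spec:
#  provider:
#    yandexlockbox:
#      auth:
#        authorizedKeySecretRef:
#          name: secret-store-auth
#          key: authorized-key'

# Preprod, testing.
#kubectl apply -f - <<< '
#apiVersion: external-secrets.io/v1beta1
#kind: SecretStore
#metadata:
#  name: secret-store
#spec:
#  provider:
#    yandexlockbox:
#      apiEndpoint: api.cloud-preprod.yandex.net:443
#      caProvider:
#        certSecretRef:
#          name: ya-internal-root-ca
#          key: YandexInternalRootCA.crt
#      auth:
#        authorizedKeySecretRef:
#          name: secret-store-auth
#          key: authorized-key'
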