{{- if and (eq (include "multicluster.role" .) "host") .Values.ksExtensionRepository.enabled }}

{{- $ca := genCA "self-signed-ca" 3650 }}
{{- $cn := printf "%s-extensions-museum" .Release.Name }}
{{- $altName1 := printf "extensions-museum.%s" .Release.Namespace }}
{{- $altName2 := printf "extensions-museum.%s.svc" .Release.Namespace }}
{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}

apiVersion: apps/v1
kind: Deployment
metadata:
  name: extensions-museum
  labels:
    app: extensions-museum
spec:
  replicas: 1
  selector:
    matchLabels:
      app: extensions-museum
  template:
    metadata:
      labels:
        app: extensions-museum
      annotations:
        # force restart ks-apiserver after the upgrade is complete if kubesphere-config changes
        checksum/cert: {{ sha256sum $cert.Cert }}
    spec:
      {{- if .Values.global.imagePullSecrets }}
      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 8 }}
      {{- end }}
      containers:
        - name: extensions-museum
          image: {{ template "extensionRepo.image" . }}
          command:
            - "/chartmuseum"
            - "--storage-local-rootdir"
            - "/charts"
            - "--storage"
            - "local"
            - "--tls-cert"
            - "/etc/certs/tls.crt"
            - "--tls-key"
            - "/etc/certs/tls.key"
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: certs
              mountPath: /etc/certs/
      volumes:
        - name: certs
          secret:
            secretName: extensions-museum-certs

---
apiVersion: v1
kind: Secret
metadata:
  name: extensions-museum-certs
type: kubernetes.io/tls
data:
  ca.crt: {{ b64enc $ca.Cert }}
  tls.crt: {{ b64enc $cert.Cert }}
  tls.key: {{ b64enc $cert.Key }}

---
apiVersion: v1
kind: Service
metadata:
  name: extensions-museum
spec:
  selector:
    app: extensions-museum
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8080

---
apiVersion: kubesphere.io/v1alpha1
kind: Repository
metadata:
  name: extensions-museum
spec:
  url: https://extensions-museum.{{ .Release.Namespace }}.svc
  caBundle: {{ b64enc $ca.Cert }}

---
apiVersion: {{ if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version }}batch/v1{{ else }}batch/v1beta1{{end}}
kind: CronJob
metadata:
  name: restart-extensions-museum
  namespace: {{ .Release.Namespace }}
spec:
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: restart-extensions-museum
              image: {{ template "kubectl.image" . }}
              command:
                - /bin/sh
                - -c
                - "kubectl rollout restart deployment/extensions-museum -n {{ .Release.Namespace }}"
          restartPolicy: OnFailure
          serviceAccountName: {{ template "ks-core.serviceAccountName" . }}
{{end}}