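# Internal TLS for MongoDB (cert-manager).
# Chain: self-signed Issuer -> CA cert -> CA Issuer -> replica-set member cert.
# The Secret 'mongodb-tenant-tls' (created by cert-manager) holds tls.crt, tls.key, ca.crt.
#
# Operational notes:
# - mongod uses keyFile for cluster auth and TLS only for the transport (not x.509).
# - Renewal of the member cert (renewBefore: 30d, duration: 1y) does NOT
#   automatically restart the mongo pods. When cert-manager re-issues the Secret,
#   do it manually: kubectl rollout restart statefulset/mongodb-tenant.
# - The CA cert is long-lived (10y) but is also re-issued by cert-manager when it
#   reaches renewBefore; presumably anything that copied ca.crt out of the
#   'mongodb-tenant-ca' / 'mongodb-tenant-tls' Secrets then needs the new CA
#   before member certs signed by it are rolled out — confirm before relying on it.
# - SANs cover: the headless service name and, for each of the 3 pods, the bare
#   pod name, pod.service, pod.service.ns.svc and the full cluster.local FQDN, so
#   every form a client can use inside the cluster passes the hostname check.
#   For connections from deploy.sh via 127.0.0.1, --tlsAllowInvalidHostnames is used
#   (the CA is still validated, only the hostname check is skipped).
# - ${NAMESPACE} is a template placeholder: substitute it (e.g. envsubst) before
#   applying, otherwise the literal text ends up in the namespace fields and SANs.
# - No explicit 'usages' is set on either Certificate, so cert-manager's defaults
#   apply; verify they satisfy mongod for both the listening side and the
#   member-to-member client side of the replica set (TODO confirm).
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: mongodb-tenant-selfsigned
  namespace: '${NAMESPACE}'
spec:
  # Bootstrap issuer: only used to sign the internal CA below.
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mongodb-tenant-ca
  namespace: '${NAMESPACE}'
spec:
  isCA: true
  commonName: mongodb-tenant-ca
  duration: 87600h  # 10 years (internal CA)
  renewBefore: 720h  # 30 days
  # Secret consumed by the CA Issuer below (tls.crt/tls.key of the CA).
  secretName: mongodb-tenant-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: mongodb-tenant-selfsigned
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: mongodb-tenant-ca
  namespace: '${NAMESPACE}'
spec:
  ca:
    # Signs the replica-set member certificate with the internal CA.
    secretName: mongodb-tenant-ca
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mongodb-tenant-tls
  namespace: '${NAMESPACE}'
spec:
  # Mounted by the mongo pods: tls.crt, tls.key and ca.crt.
  secretName: mongodb-tenant-tls
  duration: 8760h  # 1 year
  renewBefore: 720h  # 30 days
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: mongodb-tenant-ca
    kind: Issuer
  dnsNames:
    # Headless service: short, namespaced, and fully qualified.
    - mongodb-tenant-headless
    - 'mongodb-tenant-headless.${NAMESPACE}.svc'
    - 'mongodb-tenant-headless.${NAMESPACE}.svc.cluster.local'
    # Replica-set members, bare pod names.
    - mongodb-tenant-0
    - mongodb-tenant-1
    - mongodb-tenant-2
    # Members as pod.service.
    - mongodb-tenant-0.mongodb-tenant-headless
    - mongodb-tenant-1.mongodb-tenant-headless
    - mongodb-tenant-2.mongodb-tenant-headless
    # Members as pod.service.ns.svc — added so the pods accept the same
    # namespaced form the headless service entry above already accepts.
    - 'mongodb-tenant-0.mongodb-tenant-headless.${NAMESPACE}.svc'
    - 'mongodb-tenant-1.mongodb-tenant-headless.${NAMESPACE}.svc'
    - 'mongodb-tenant-2.mongodb-tenant-headless.${NAMESPACE}.svc'
    # Members as full cluster.local FQDN.
    - 'mongodb-tenant-0.mongodb-tenant-headless.${NAMESPACE}.svc.cluster.local'
    - 'mongodb-tenant-1.mongodb-tenant-headless.${NAMESPACE}.svc.cluster.local'
    - 'mongodb-tenant-2.mongodb-tenant-headless.${NAMESPACE}.svc.cluster.local'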