# PKI Certificate Web Interface
# Placeholder nginx serving step-ca certificate info
# ArgoCD managed - BlueJay Lab
---
apiVersion: v1
kind: Namespace
metadata:
  name: pki
  labels:
    app.kubernetes.io/part-of: bluejay-infra
---
# PKI Web HTML placeholder
apiVersion: v1
kind: ConfigMap
metadata:
  name: pki-web-html
  namespace: pki
data:
  index.html: |
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>BlueJay Lab - PKI Portal</title>
        <style>
            * { margin: 0; padding: 0; box-sizing: border-box; }
            body {
                font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
                background: linear-gradient(135deg, #0a1628 0%, #1a2744 50%, #0d1f3c 100%);
                color: #e0e8f0;
                min-height: 100vh;
                display: flex;
                align-items: center;
                justify-content: center;
            }
            .container {
                text-align: center;
                padding: 3rem;
                max-width: 600px;
            }
            h1 {
                font-size: 2rem;
                color: #4a9eff;
                margin-bottom: 0.5rem;
            }
            h2 {
                font-size: 1rem;
                color: #7ab3ff;
                font-weight: 300;
                margin-bottom: 2rem;
            }
            .card {
                background: rgba(74, 158, 255, 0.1);
                border: 1px solid rgba(74, 158, 255, 0.3);
                border-radius: 8px;
                padding: 1.5rem;
                margin-bottom: 1rem;
                text-align: left;
            }
            .card h3 { color: #4a9eff; margin-bottom: 0.5rem; }
            .card p { color: #a0b8d0; line-height: 1.6; font-size: 0.9rem; }
            code {
                background: rgba(0,0,0,0.3);
                padding: 0.1rem 0.4rem;
                border-radius: 3px;
                font-size: 0.85rem;
            }
        </style>
    </head>
    <body>
        <div class="container">
            <h1>BlueJay PKI Portal</h1>
            <h2>IAmWorkin ACME Certificate Authority</h2>
            <div class="card">
                <h3>Internal CA</h3>
                <p>ClusterIssuer: <code>step-ca-acme</code></p>
                <p>Domain: <code>*.iamworkin.lan</code></p>
                <p>Validity: 30 days, auto-renewed by cert-manager</p>
            </div>
            <div class="card">
                <h3>Cloudflare Origin Certs</h3>
                <p><code>*.flowercore.io</code> and <code>*.iamwork.in</code></p>
                <p>15-year RSA certificates for public domains</p>
            </div>
            <div class="card">
                <h3>Download Root CA</h3>
                <p>Install the IAmWorkin Root CA certificate to trust internal services.</p>
                <p><em>Root CA download will be available here.</em></p>
            </div>
        </div>
    </body>
    </html>
---
# nginx configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: pki-web-nginx-conf
  namespace: pki
data:
  default.conf: |
    server {
        listen 80;
        server_name _;
        root /usr/share/nginx/html;
        index index.html;

        location / {
            try_files $uri $uri/ =404;
        }

        location /healthz {
            access_log off;
            return 200 "ok";
            add_header Content-Type text/plain;
        }
    }
---
# PKI Web Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pki-web
  namespace: pki
  labels:
    app: pki-web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pki-web
  template:
    metadata:
      labels:
        app: pki-web
      annotations:
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      containers:
        - name: nginx
          image: nginx:alpine
          ports:
            - containerPort: 80
              name: http
          volumeMounts:
            - name: nginx-conf
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: default.conf
            - name: html
              mountPath: /usr/share/nginx/html
          resources:
            requests:
              memory: 16Mi
              cpu: 5m
            limits:
              memory: 64Mi
              cpu: 50m
          livenessProbe:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
              httpHeaders:
                - name: X-Forwarded-Proto
                  value: https
            initialDelaySeconds: 3
            periodSeconds: 5
      volumes:
        - name: nginx-conf
          configMap:
            name: pki-web-nginx-conf
        - name: html
          configMap:
            name: pki-web-html
---
apiVersion: v1
kind: Service
metadata:
  name: pki-web
  namespace: pki
spec:
  selector:
    app: pki-web
  ports:
    - port: 80
      targetPort: 80
      name: http
---
# TLS Certificate via cert-manager
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pki-tls
  namespace: pki
spec:
  secretName: pki-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - pki.iamworkin.lan
---
# Internal-only route: if a public twin is ever operator-approved, gate it with Host(`<public-host>`) && (Method(`GET`) || Method(`HEAD`)).
# Traefik IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: pki-web
  namespace: pki
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`pki.iamworkin.lan`)
      kind: Rule
      services:
        - name: pki-web
          port: 80
  tls:
    secretName: pki-tls