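#!/bin/bash
#
# Fetch a fresh TLS bundle (CA, certificate, private key) for this LayerOps
# instance from the instance API and install it on disk.
#
# Rendered by Ansible. Template variables used:
#   layerops_api_access_file   JSON with instance_api_url, instance_token,
#                              instance_uuid and, depending on the instance
#                              type, instance_pool_uuid / orchestrator_uuid
#   layerops_signature_file    file holding the instance signature
#   layerops_tls_ca_file, layerops_tls_cert_file, layerops_tls_key_file
#                              destination paths for the three PEM blobs
#   layerops_instance_type     client | load_balancer | orchestrator
#   layerops_curl_user_agent   User-Agent sent to the API
#   hashistack_group           group that is granted read access to the key
#
# Exit status: non-zero as soon as a lookup, the API call or a JSON field
# extraction fails. No destination file is touched before all three
# certificate fields have been extracted and validated.
set -euo pipefail

LAYEROPS_API_ACCESS_FILE="{{ layerops_api_access_file }}"
LAYEROPS_SIGNATURE_FILE="{{ layerops_signature_file }}"
CA_FILE="{{ layerops_tls_ca_file }}"
CERT_FILE="{{ layerops_tls_cert_file }}"
KEY_FILE="{{ layerops_tls_key_file }}"

# jq -e exits non-zero when the field is missing or null, so a malformed
# access file aborts here instead of producing a literal "null" in the URL.
INSTANCE_API_URL=$(jq -er '.instance_api_url' "$LAYEROPS_API_ACCESS_FILE")
INSTANCE_TOKEN=$(jq -er '.instance_token' "$LAYEROPS_API_ACCESS_FILE")
INSTANCE_UUID=$(jq -er '.instance_uuid' "$LAYEROPS_API_ACCESS_FILE")

# --fail-with-body: a non-2xx response is an error (aborts via set -e) but
# the body is still printed, so the API's error message reaches the log.
# Requires a curl release that knows this option.
CURL_FAIL_OPT="--fail-with-body"

printf 'Get new instance certificate for %s\n' "$INSTANCE_UUID"

# $(<file) reads the signature without a cat subshell; only trailing
# newlines are stripped.
INSTANCE_SIGNATURE=$(<"$LAYEROPS_SIGNATURE_FILE")

# Each instance type has its own endpoint and scoping UUID. The type-specific
# branch only builds the URL path; the request itself is shared below.
{% if layerops_instance_type == "client" %}
INSTANCE_POOL_UUID=$(jq -er '.instance_pool_uuid' "$LAYEROPS_API_ACCESS_FILE")
CERT_PATH="secrets/getNewInstanceCertificate/${INSTANCE_POOL_UUID}/${INSTANCE_UUID}/${INSTANCE_SIGNATURE}"
{% endif %}

{% if layerops_instance_type == "load_balancer" %}
ORCHESTRATOR_UUID=$(jq -er '.orchestrator_uuid' "$LAYEROPS_API_ACCESS_FILE")
CERT_PATH="secrets/getNewLoadBalancerInstanceCertificate/${ORCHESTRATOR_UUID}/${INSTANCE_UUID}/${INSTANCE_SIGNATURE}"
{% endif %}

{% if layerops_instance_type == "orchestrator" %}
ORCHESTRATOR_UUID=$(jq -er '.orchestrator_uuid' "$LAYEROPS_API_ACCESS_FILE")
CERT_PATH="secrets/getNewOrchestratorInstanceCertificate/${ORCHESTRATOR_UUID}/${INSTANCE_UUID}/${INSTANCE_SIGNATURE}"
{% endif %}

# Fail loudly if the rendered template selected no endpoint (unknown
# layerops_instance_type) instead of calling the API with an empty path.
: "${CERT_PATH:?no certificate endpoint selected for this instance type}"

# NOTE(review): the instance signature is part of the URL path because that
# is the API's contract; URL components are visible in the process list and
# may be recorded in proxy/server access logs, whereas the instance token
# travels in a header. -sS hides the progress meter but keeps curl errors.
CERT_JSON=$(curl "$CURL_FAIL_OPT" -sS -A "{{ layerops_curl_user_agent }}" \
  -H "instance-token: $INSTANCE_TOKEN" \
  "${INSTANCE_API_URL}/${CERT_PATH}")

# Extract and validate all three fields before writing anything, so a
# truncated or partial response cannot leave a half-replaced certificate
# set on disk. The JSON is fed over stdin, not argv.
NEW_CA=$(jq -er '.ca' <<<"$CERT_JSON")
NEW_CERT=$(jq -er '.cert' <<<"$CERT_JSON")
NEW_KEY=$(jq -er '.key' <<<"$CERT_JSON")

printf '%s\n' "$NEW_CA" > "$CA_FILE"
printf '%s\n' "$NEW_CERT" > "$CERT_FILE"

# Create the key file with its final mode and owner before the private key
# is written; chmod/chown after the write would leave a window in which the
# key sits on disk with umask-default permissions. Truncating with '>'
# afterwards keeps the mode set by install. printf is a builtin, so the key
# material never appears on a command line.
install -m 0640 -o root -g "{{ hashistack_group }}" /dev/null "$KEY_FILE"
printf '%s\n' "$NEW_KEY" > "$KEY_FILE"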
