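{{- /* ================================================================== */ -}}
{{- /* Cert-Manager Certificate Configuration for ntfy                      */ -}}
{{- /* ================================================================== */ -}}
{{- /*
Creates one cert-manager Certificate resource per entry in ingress.tls.

Prerequisites:
  - cert-manager installed in the cluster.
  - An Issuer or ClusterIssuer (referenced in values.yaml) exists.
  - ingress.enabled = true
  - certManager.enabled = true
  - At least one entry in ingress.tls with secretName and hosts.

Rendering fails early (via `fail`) when the issuer name/kind is missing or a
TLS entry lacks secretName or hosts, so a half-configured release never
produces a Certificate that cannot be issued.

Notes for operators:
  - The Secret written by cert-manager contains the TLS private key. It is
    created in the same namespace as the Certificate; restrict read access to
    Secrets in that namespace accordingly.
  - A namespaced Issuer must live in the same namespace as the Certificate;
    a ClusterIssuer can be referenced from any namespace.
*/}}
{{- if and .Values.ingress.enabled .Values.certManager.enabled .Values.ingress.tls }}
{{- $namespace := include "ntfy.namespace" . -}} {{/* Or use .Release.Namespace */}}
{{- $issuerName := .Values.certManager.issuer.name -}}
{{- $issuerKind := .Values.certManager.issuer.kind -}}

{{- if not $issuerName }}
  {{- fail "ERROR: certManager.enabled is true but certManager.issuer.name is not set!" }}
{{- end }}
{{- if not $issuerKind }}
  {{- fail "ERROR: certManager.enabled is true but certManager.issuer.kind is not set!" }}
{{- end }}

{{- /* Loop through each TLS entry defined in ingress.tls. Inside the range "." is the TLS entry, so chart-level values are reached through "$". */}}
{{- range .Values.ingress.tls }}
{{- $secretName := .secretName }}
{{- $hosts := .hosts }}
{{- if not $secretName }}
  {{- fail "ERROR: certManager.enabled is true but ingress.tls contains an entry without a 'secretName'." }}
{{- end }}
{{- if not $hosts }}
  {{- fail (printf "ERROR: certManager.enabled is true but ingress.tls entry for secret '%s' contains no 'hosts'." $secretName) }}
{{- end }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  # Name the Certificate resource (often same as secretName).
  # Values are quoted so that user-supplied strings such as "123" or "true"
  # stay YAML strings and cannot alter the structure of the manifest.
  name: {{ $secretName | quote }}
  namespace: {{ $namespace | quote }}
  labels:
    {{- include "ntfy.labels" $ | nindent 4 }}
    {{- with $.Values.certManager.certificate.extraLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with $.Values.certManager.certificate.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  # secretName: Where cert-manager stores the Secret (certificate + private key).
  # It is taken from the ingress.tls entry, so it matches what the Ingress
  # references (or a Gateway's credentialName, if one is used instead).
  secretName: {{ $secretName | quote }}
  # issuerRef: Points to the Issuer/ClusterIssuer defined in values.yaml
  issuerRef:
    name: {{ $issuerName | quote }}
    kind: {{ $issuerKind | quote }}
    # group: cert-manager.io # Usually implicit
  # dnsNames: Domains the certificate will be valid for (subject alternative names).
  dnsNames:
    {{- range $hosts }}
    - {{ . | quote }}
    {{- end }}
  # Optional: Set Common Name (CN) to the first host.
  # cert-manager documents that commonName should be 64 characters or fewer to
  # avoid generating an invalid CSR, so a longer first host is left out of the
  # CN; it is still covered by dnsNames, which is what TLS clients validate.
  {{- $firstHost := first $hosts }}
  {{- if $firstHost }}
  {{- if le (len $firstHost) 64 }}
  commonName: {{ $firstHost | quote }}
  {{- end }}
  {{- end }}
  # Optional: Add other spec fields like duration, renewBefore etc.
  # duration: 2160h # 90d
  # renewBefore: 360h # 15d
  # Optional: private key handling. The default rotation policy depends on the
  # installed cert-manager version; set it explicitly if key rotation on
  # renewal is required.
  # privateKey:
  #   rotationPolicy: Always
{{- end }} {{/* end range .Values.ingress.tls */}}
{{- end }} {{/* end if certManager.enabled */}}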