apiVersion: gateway.tv2.dk/v1alpha1
kind: GatewayClassBlueprint
metadata:
  name: contour-istio-cert
spec:

  # The following are templates used to 'implement' a 'parent' Gateway
  gatewayTemplate:
    status:
      template: |
        addresses:
        {{ range (index .Resources.loadBalancer 0).status.loadBalancer.ingress }}
        - type: IPAddress
          value: {{ .ip }}
        {{ end }}
    resourceTemplates:
      childGateway: |
        apiVersion: gateway.networking.k8s.io/v1beta1
        kind: Gateway
        metadata:
          name: {{ .Gateway.metadata.name }}-child
          namespace: {{ .Gateway.metadata.namespace }}
          annotations:
            networking.istio.io/service-type: ClusterIP
        spec:
          gatewayClassName: istio
          listeners:
          {{- range .Gateway.spec.listeners }}
          - name: {{ .name }}
            port: 80
            protocol: HTTP
            {{ if get . "hostname" }}
            hostname: {{ .hostname | quote }}
            {{ end -}}
            {{ if get . "allowedRoutes" }}
            allowedRoutes:
              {{ toYaml .allowedRoutes | nindent 6 }}
            {{ end -}}
          {{- end }}
      loadBalancer: |
        apiVersion: networking.k8s.io/v1
        kind: Ingress
        metadata:
          name: {{ .Gateway.metadata.name }}
          namespace: {{ .Gateway.metadata.namespace }}
        spec:
          ingressClassName: contour
          tls:
          - hosts:
            {{- range .Gateway.spec.listeners }}
            - {{ .hostname | quote }}
            {{- end }}
            secretName: {{ .Gateway.metadata.name }}-tls
          rules:
          {{- range .Gateway.spec.listeners }}
          - host: {{ .hostname | quote }}
            http:
              paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: {{ $.Gateway.metadata.name }}-child-istio
                    port:
                      number: 80
          {{- end }}
      tlsCertificate: |
        apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          name: {{ .Gateway.metadata.name }}-cert
          namespace: {{ .Gateway.metadata.namespace }}
        spec:
          secretName: {{ .Gateway.metadata.name }}-tls
          duration: 2160h # 90d
          renewBefore: 360h # 15d
          subject:
            organizations:
              - acme-example-corp
          isCA: false
          privateKey:
            algorithm: RSA
            encoding: PKCS1
            size: 2048
          usages:
            - server auth
            - client auth
          dnsNames:
            {{- range .Hostnames.Intersection }}
            - {{ . | quote }}
            {{- end }}
          issuerRef:
            name: ca-issuer
            kind: ClusterIssuer
            group: cert-manager.io

  # The following are templates used to 'implement' a 'parent' HTTPRoute
  httpRouteTemplate:
    resourceTemplates:
      shadowHttproute: |
        apiVersion: gateway.networking.k8s.io/v1beta1
        kind: HTTPRoute
        metadata:
          name: {{ .HTTPRoute.metadata.name }}-child
          namespace: {{ .HTTPRoute.metadata.namespace }}
        spec:
          parentRefs:
          {{ range .HTTPRoute.spec.parentRefs }}
          - kind: {{ .kind }}
            name: {{ .name }}-child
            {{ if get . "namespace" }}
            namespace: {{ .namespace }}
            {{ end }}
          {{ end }}
          rules:
          {{ toYaml .HTTPRoute.spec.rules | nindent 4 }}