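#!/usr/bin/env bash
#
# Generate a self-signed TLS certificate for one hostname and store it as a
# Kubernetes TLS secret (created if absent, updated if present).
#
# Usage: <script> [namespace] [secret_name] [host] [days]
#   namespace    target namespace            (default: tls-lab)
#   secret_name  name of the TLS secret      (default: secure-web-tls)
#   host         DNS name for CN and SAN     (default: secure.k8s-lab.local)
#   days         certificate validity, days  (default: 365)
#
# Requires openssl (1.1.1+ for `req -addext` and `x509 -ext`) and kubectl.
#
# The certificate is self-signed and the private key is written unencrypted
# (-nodes) because a Kubernetes TLS secret needs a plain PEM key. That suits
# a lab; clients will not trust the certificate unless it is pinned or
# imported explicitly.
set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

namespace="${1:-tls-lab}"
secret_name="${2:-secure-web-tls}"
host="${3:-secure.k8s-lab.local}"
days="${4:-365}"

# The host value is spliced into the -subj and -addext strings below, where
# '/', ',', '=' and ':' are syntax. Restricting it to DNS-name characters
# (optionally a leading "*." wildcard label) keeps a malformed or crafted
# argument from adding extra subject fields or SAN entries to the certificate.
host_re='^(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
[[ "$host" =~ $host_re ]] || die "host must be a DNS name, got: $host"

# Validity must be a plain decimal number of days.
[[ "$days" =~ ^[0-9]+$ ]] || die "days must be a non-negative integer, got: $days"

# Key material only ever lives in a private scratch directory: mktemp -d
# creates it owner-only, and the umask keeps the files inside owner-only too.
umask 077
tmpdir="$(mktemp -d)"
# Remove the scratch directory (and the private key in it) on every exit path.
trap 'rm -rf -- "${tmpdir:?}"' EXIT

key_file="$tmpdir/tls.key"
cert_file="$tmpdir/tls.crt"

# Self-signed certificate with a new RSA-2048 key; the SAN is set explicitly
# because clients match the hostname against subjectAltName, not the CN.
openssl req \
  -x509 \
  -nodes \
  -newkey rsa:2048 \
  -sha256 \
  -days "$days" \
  -keyout "$key_file" \
  -out "$cert_file" \
  -subj "/CN=${host}" \
  -addext "subjectAltName=DNS:${host}"

# Render the secret client-side and pipe it to `apply` so the script is
# idempotent: the first run creates the secret, later runs replace its data.
# Note that client-side `kubectl apply` records the applied manifest in the
# kubectl.kubernetes.io/last-applied-configuration annotation, so the
# base64-encoded key also appears there. It is readable by the same
# principals that can read the Secret, so restrict `get` on secrets via RBAC.
kubectl -n "$namespace" create secret tls "$secret_name" \
  --cert="$cert_file" \
  --key="$key_file" \
  --dry-run=client -o yaml \
  | kubectl -n "$namespace" apply -f -

# Print the identity fields of the issued certificate so the operator can
# confirm subject, validity window and SAN before relying on it.
openssl x509 -in "$cert_file" -noout -subject -issuer -dates -ext subjectAltName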
