#!/usr/bin/env bash
# =============================================================================
# generate-certs.sh — Generate a custom CA and TLS certificates for ELK stack
# =============================================================================
set -euo pipefail

CERT_DIR="${1:-./certs}"
DAYS_VALID=825
CA_SUBJECT="/C=US/ST=State/L=City/O=ELK-Lab/OU=Infrastructure/CN=ELK-Lab-CA"
DOMAIN="elk.local"

mkdir -p "${CERT_DIR}"

echo ">>> Generating Custom CA..."
openssl genrsa -out "${CERT_DIR}/ca.key" 4096
openssl req -x509 -new -nodes \
  -key "${CERT_DIR}/ca.key" \
  -sha256 -days ${DAYS_VALID} \
  -out "${CERT_DIR}/ca.crt" \
  -subj "${CA_SUBJECT}"

# --- Function to generate a certificate signed by the CA ---
generate_cert() {
  local NAME="$1"
  local CN="$2"
  local SANS="$3"

  echo ">>> Generating certificate for ${NAME} (CN=${CN})..."

  openssl genrsa -out "${CERT_DIR}/${NAME}.key" 2048

  cat > "${CERT_DIR}/${NAME}.cnf" <<SSLCNF
[req]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[req_dn]
C  = US
ST = State
L  = City
O  = ELK-Lab
OU = ${NAME}
CN = ${CN}

[v3_req]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth, clientAuth
subjectAltName       = ${SANS}
SSLCNF

  openssl req -new -nodes \
    -key "${CERT_DIR}/${NAME}.key" \
    -out "${CERT_DIR}/${NAME}.csr" \
    -config "${CERT_DIR}/${NAME}.cnf"

  openssl x509 -req \
    -in "${CERT_DIR}/${NAME}.csr" \
    -CA "${CERT_DIR}/ca.crt" \
    -CAkey "${CERT_DIR}/ca.key" \
    -CAcreateserial \
    -out "${CERT_DIR}/${NAME}.crt" \
    -days ${DAYS_VALID} \
    -sha256 \
    -extensions v3_req \
    -extfile "${CERT_DIR}/${NAME}.cnf"

  rm -f "${CERT_DIR}/${NAME}.csr" "${CERT_DIR}/${NAME}.cnf"
}

# --- Elasticsearch ---
generate_cert "elasticsearch" "elasticsearch" \
  "DNS:elasticsearch,DNS:elasticsearch.elk.svc.cluster.local,DNS:elasticsearch.elk.svc,DNS:localhost,IP:127.0.0.1"

# --- Kibana ---
generate_cert "kibana" "kibana" \
  "DNS:kibana,DNS:kibana.elk.svc.cluster.local,DNS:kibana.elk.svc,DNS:localhost,IP:127.0.0.1"

# --- Logstash ---
generate_cert "logstash" "logstash" \
  "DNS:logstash,DNS:logstash.elk.svc.cluster.local,DNS:logstash.elk.svc,DNS:localhost,IP:127.0.0.1"

# --- NGINX ---
generate_cert "nginx" "kibana.${DOMAIN}" \
  "DNS:kibana.${DOMAIN},DNS:nginx,DNS:nginx.elk.svc.cluster.local,DNS:localhost,IP:127.0.0.1"

# --- Authentik ---
generate_cert "authentik" "authentik.${DOMAIN}" \
  "DNS:authentik.${DOMAIN},DNS:authentik,DNS:authentik-server,DNS:authentik-server.elk.svc.cluster.local,DNS:localhost,IP:127.0.0.1"

# --- Create Elasticsearch PKCS12 keystore ---
echo ">>> Creating Elasticsearch PKCS12 keystore..."
openssl pkcs12 -export \
  -in "${CERT_DIR}/elasticsearch.crt" \
  -inkey "${CERT_DIR}/elasticsearch.key" \
  -CAfile "${CERT_DIR}/ca.crt" \
  -chain \
  -out "${CERT_DIR}/elasticsearch.p12" \
  -passout pass:changeit

# --- Create Elasticsearch HTTP PKCS12 keystore ---
cp "${CERT_DIR}/elasticsearch.p12" "${CERT_DIR}/elastic-http.p12"

# --- Cleanup serial file ---
rm -f "${CERT_DIR}/ca.srl"

echo ""
echo "=== Certificates generated in ${CERT_DIR}/ ==="
ls -la "${CERT_DIR}/"
echo ""
echo "CA certificate:       ${CERT_DIR}/ca.crt"
echo "CA private key:       ${CERT_DIR}/ca.key"
echo "Elasticsearch cert:   ${CERT_DIR}/elasticsearch.crt"
echo "Kibana cert:          ${CERT_DIR}/kibana.crt"
echo "Logstash cert:        ${CERT_DIR}/logstash.crt"
echo "NGINX cert:           ${CERT_DIR}/nginx.crt"
echo "Authentik cert:       ${CERT_DIR}/authentik.crt"