---
# Example: External Redis with TLS
#
# This example demonstrates connecting to an external Redis instance with TLS encryption.
# It shows the TLS configuration options available for Redis connections using the
# cluster's tlsKeychain to reference CA certificates for server verification.
#
# For production use, always use proper certificate verification.

---
# Secret containing Redis TLS certificates
# Create this secret with your Redis CA certificate:
#
#   kubectl create secret generic redis-tls-certs \
#     --from-file=ca.crt=/path/to/redis-ca.pem
#
# apiVersion: v1
# kind: Secret
# metadata:
#   name: redis-tls-certs
#   namespace: netbox-enterprise
# type: Opaque
# data:
#   # Base64-encoded CA certificate
#   ca.crt: |
#     LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi4uLiBiYXNlNjQtZW5jb2RlZCBjYSBjZXJ0aWZpY2F0ZSAuLi4KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=

# ---
# # Secret containing Redis authentication password
# apiVersion: v1
# kind: Secret
# metadata:
#   name: redis-auth-secret
#   namespace: netbox-enterprise
# type: Opaque
# stringData:
#   password: "your-redis-password-here"

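---
# NetBoxEnterprise using external Redis with TLS
apiVersion: netboxlabs.com/v1alpha1
kind: NetBoxEnterprise
metadata:
  name: netbox-external-redis-tls
  namespace: netbox-enterprise
spec:
  imagePullPolicy: IfNotPresent

  # Register the Redis CA certificate in the resource's TLS keychain.
  # Each entry is referenced by `name` from tlsConfig sections below; the
  # `secret`/`key` pair points at the Secret and data key holding the CA.
  tlsKeychain:
    caCertificateSecrets:
      - name: redis-ca
        secret: redis-tls-certs
        key: ca.crt

  netbox:
    replicas: 1
    image:
      pullPolicy: IfNotPresent
    worker:
      replicas: 1
    # Configure Redis connection details
    config:
      redis:
        host: "redis.example.com"
        port: 6379
        # Redis username for ACL authentication (if required)
        username: "default"
        # Reference to the Redis password Secret. Only the Secret name and
        # key are recorded here, so the credential itself stays out of this
        # file. This password is used for both the tasks queue and cache
        # connections.
        password:
          name: redis-auth-secret
          key: password

  diode:
    enabled: false

  # Operator-managed PostgreSQL (default)
  postgresql:
    external: false

  # External Redis with TLS configuration
  redis:
    external: true
    # Enable authentication for Redis connections
    requireAuth: true

    # TLS configuration using keychain-based certificate references.
    # The presence of this section enables TLS for Redis connections.
    tlsConfig:
      # Skip TLS certificate verification (NOT recommended for production!).
      # When true, the server certificate is not checked against the CA
      # referenced below, so the connection no longer protects against a
      # spoofed Redis endpoint. Set to true only for testing with
      # self-signed certificates.
      insecureSkipVerify: false
      # CA certificates to trust, referenced from the tlsKeychain by name.
      # Each name must match an entry in tlsKeychain.caCertificateSecrets.
      keychainCaCertificates:
        - redis-ca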

---
# Alternative: AWS ElastiCache Redis with TLS
#
# To connect to an AWS ElastiCache Redis instance with in-transit encryption enabled,
# download the Amazon root CA certificate bundle and create a secret from it:
#
#   wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
#   kubectl create secret generic elasticache-ca-cert \
#     --from-file=ca.crt=global-bundle.pem
#
# apiVersion: netboxlabs.com/v1alpha1
# kind: NetBoxEnterprise
# metadata:
#   name: netbox-elasticache
# spec:
#   tlsKeychain:
#     caCertificateSecrets:
#       - name: elasticache-ca
#         secret: elasticache-ca-cert
#         key: ca.crt
#   redis:
#     external: true
#     requireAuth: true
#     tlsConfig:
#       insecureSkipVerify: false
#       keychainCaCertificates: ['elasticache-ca']
#   netbox:
#     config:
#       redis:
#         # ElastiCache primary endpoint
#         host: "my-redis.xxxxxx.ng.0001.use1.cache.amazonaws.com"
#         port: 6379
#         password:
#           name: elasticache-auth-token
#           key: token
