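import { Construct } from "constructs";
import { Certificate, CertificateOptions } from "./base";

/**
 * Private TLS certificate issued by the internal cluster CA.
 *
 * This subclass automatically injects:
 *
 *   issuerRef:
 *     name: "cluster-issuer"
 *     kind: "ClusterIssuer"
 *
 * Use this for:
 *   - Internal service-to-service TLS (HTTP, gRPC, Webhooks)
 *   - mTLS server certificates
 *   - mTLS client certificates
 *   - Internal wildcard certificates
 *   - Databases, queues, operators, controllers, etc.
 *
 * Users of this class should NOT specify issuerRef manually.
 *
 * Enforced and defaulted fields:
 *   - `issuerRef` is always the internal ClusterIssuer; it is written after
 *     the caller's options so it cannot be overridden.
 *   - `privateKey` is always ECDSA with size 384; a caller-supplied
 *     `privateKey` is ignored.
 *   - `usages` defaults to a server-certificate set. A certificate presented
 *     by an mTLS *client* needs "client auth", which the default does not
 *     contain, so pass `usages` explicitly for client certificates.
 */
export class PrivateCertificate extends Certificate {
  /**
   * @param scope - Parent construct.
   * @param id - Construct id, unique within `scope`.
   * @param opts - Certificate options without `issuerRef`.
   */
  constructor(
    scope: Construct,
    id: string,
    // NOTE(review): the omitted key is taken from the class documentation
    // ("should NOT specify issuerRef"); confirm against ./base.
    opts: Omit<CertificateOptions, "issuerRef">,
  ) {
    super(scope, id, {
      ...opts,
      // Placed after the spread on purpose: the issuer is policy, not input.
      issuerRef: {
        name: "cluster-issuer", // internal CA
        kind: "ClusterIssuer",
      },
      // Key type is fixed for every certificate issued through this class.
      privateKey: {
        algorithm: "ECDSA",
        size: 384,
      },
      // Honour caller-supplied usages (previously discarded silently, which
      // made the documented mTLS client use case impossible); otherwise keep
      // the original server-side default.
      // NOTE(review): "key encipherment" describes RSA key transport and has
      // no function with an ECDSA key; kept so the default is unchanged.
      usages: opts.usages ?? [
        "digital signature",
        "key encipherment",
        "server auth",
      ],
    });
  }
}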