resource "kubectl_manifest" "oauth2-secret" {
  ignore_fields = ["metadata.annotations"]
  yaml_body  = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${var.component}-${var.instance}-id"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    spec:
      forceRegenerate: false
      fields:
      - fieldName: "client-id"
        length: "32"
  EOF
}
data "kubernetes_secret_v1" "oauth2-client-id" {
  depends_on = [kubectl_manifest.gitea_ldap]
  metadata {
    name = kubectl_manifest.oauth2-secret.name
    namespace = var.namespace
  }
}

data "authentik_scope_mapping" "oauth2" {
  managed_list = [
    "goauthentik.io/providers/oauth2/scope-email",
    "goauthentik.io/providers/oauth2/scope-openid",
    "goauthentik.io/providers/oauth2/scope-profile"
  ]
}
data "authentik_flow" "default-authorization-flow" {
  slug = "default-provider-authorization-implicit-consent"
}
data "authentik_flow" "default-authentication-flow" {
  slug = "default-authentication-flow"
}

resource "authentik_provider_oauth2" "oauth2" {
  name                = "${var.component}-${var.instance}"
  client_id           = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}"
  authentication_flow = data.authentik_flow.default-authentication-flow.id
  authorization_flow  = data.authentik_flow.default-authorization-flow.id
  client_type         = "confidential"
  sub_mode            = "user_username"
  property_mappings   = data.authentik_scope_mapping.oauth2.ids
  redirect_uris       = [
    "https://${local.dns-name}/apps/user_oidc/code"
  ]
}

resource "kubernetes_secret_v1" "oauth2-client-secret" {
  metadata {
    name = "${var.component}-${var.instance}-secret"
    namespace = var.namespace
  }
  data = {
    client-secret = authentik_provider_oauth2.oauth2.client_secret
  }
}