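# MongoDB for one "${var.instance}-${var.component}" pair: a generated password
# secret, a single-member MongoDBCommunity replica set, and the ServiceAccount /
# Role / RoleBinding the MongoDB Community Operator's agent expects.
locals {
  mongo-labels = merge(local.common-labels, { "app.kubernetes.io/component" = "mongo" })
}

# Random password, generated in-cluster by the mittwald secret-generator so the
# plaintext never originates from Terraform. forceRegenerate=false keeps an
# existing value on re-apply; the Secret is NOT rotated by this module.
# NOTE(review): 16 characters of the generator's default charset is adequate for
# an in-cluster SCRAM user, but nothing here stops a longer value; consider 32
# for new deployments (existing secrets are left untouched either way).
resource "kubectl_manifest" "prj_mongo_secret" {
  # The operator annotates the Secret it manages; do not fight it on re-apply.
  ignore_fields = ["metadata.annotations"]

  yaml_body = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${var.instance}-${var.component}-mongo"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo-labels)}
    spec:
      forceRegenerate: false
      fields:
        - fieldName: "password"
          length: "16"
  EOF
}

# Read the generated Secret back. depends_on only orders this after the
# StringSecret CR is applied, not after the operator has actually created the
# Secret, so the very first apply can race and fail with "secret not found";
# re-running apply resolves it.
# SECURITY: this copies the password into Terraform state (the provider marks
# `data` as sensitive, so it is redacted in plan output, but it is stored in
# state in clear) — state must be treated as a secret.
data "kubernetes_secret_v1" "prj_mongo_secret" {
  depends_on = [kubectl_manifest.prj_mongo_secret]

  metadata {
    name      = "${var.instance}-${var.component}-mongo"
    namespace = var.namespace
  }
}

# Plaintext password for consumers elsewhere in this module (not referenced in
# this file). Anything interpolating it into another manifest puts it into that
# resource's state and plan diff as well.
locals {
  mongo-password = data.kubernetes_secret_v1.prj_mongo_secret.data["password"]
}

resource "kubectl_manifest" "prj_mongo" {
  yaml_body = <<-EOF
    apiVersion: mongodbcommunity.mongodb.com/v1
    kind: MongoDBCommunity
    metadata:
      name: "${var.instance}-${var.component}-mongo"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo-labels)}
    spec:
      # Single member: no replication, the PVC is the only copy of the data.
      members: 1
      type: ReplicaSet
      version: "7.0.2"
      statefulSet:
        spec:
          template:
            metadata:
              annotations:
                # k8up runs this inside the mongod container. The credentials
                # are passed on mongodump's command line and are therefore
                # visible in the pod's (and node's) process list for the
                # duration of the dump; the variables are quoted so a password
                # containing shell metacharacters is handed over intact.
                "k8up.io/backupcommand": >-
                  sh -c 'mongodump --username="$MONGODB_USER"
                  --password="$MONGODB_PASSWORD"
                  "mongodb://localhost/$MONGODB_NAME" --archive'
                "k8up.io/file-extension": ".archive"
            spec:
              containers:
                - name: mongod
                  # NOTE(review): pull policy is taken from the *webmail* image
                  # settings for the mongod container — looks like a copy-paste;
                  # confirm this is intended.
                  imagePullPolicy: "${var.images.webmail.pull_policy}"
                  resources:
                    limits:
                      cpu: "1"
                      memory: "1100M"
                    requests:
                      cpu: "0.3"
                      memory: "400M"
                  # Only used by the backup command above; auth DB is the same
                  # as the data DB, matching the user definition in spec.users.
                  env:
                    - name: MONGODB_NAME
                      value: ${var.component}
                    - name: MONGODB_USER
                      value: ${var.component}
                    - name: MONGODB_PASSWORD
                      valueFrom:
                        secretKeyRef:
                          name: "${var.instance}-${var.component}-mongo"
                          key: password
      security:
        authentication:
          modes: ["SCRAM"]
      # WiredTiger cache is in GiB: a 1 GiB cache plus mongod's own heap does
      # not fit under the 1100M (decimal MB, ~1049 MiB) container limit and
      # would get the pod OOM-killed under load; keep the cache at about half
      # the limit.
      additionalMongodConfig:
        storage.wiredTiger.engineConfig.cacheSizeGB: 0.5
      users:
        - name: ${var.component}
          db: ${var.component}
          passwordSecretRef:
            name: "${var.instance}-${var.component}-mongo"
          roles:
            - db: ${var.component}
              name: readWrite
          scramCredentialsSecretName: "${var.instance}-${var.component}-mongo-scram"
  EOF
}

# ServiceAccount the operator's StatefulSet uses by default. Its name is fixed
# (not derived from instance/component), so two MongoDBCommunity instances in
# the same namespace would both try to manage this object.
resource "kubectl_manifest" "prj_mongo_sa" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: "mongodb-database"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo-labels)}
  EOF
}

# Namespace-scoped permissions for the database pod's agent: read Secrets and
# get/patch/delete Pods. Role, not ClusterRole, so the blast radius stays in
# this namespace; no list/watch and no write access to Secrets is granted.
resource "kubectl_manifest" "prj_mongo_role" {
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: "mongodb-database"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo-labels)}
    rules:
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["get"]
      - apiGroups: [""]
        resources: ["pods"]
        verbs: ["patch", "delete", "get"]
  EOF
}

resource "kubectl_manifest" "prj_mongo_rb" {
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: "mongodb-database"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo-labels)}
    subjects:
      - kind: ServiceAccount
        name: mongodb-database
        # The authorizer defaults a ServiceAccount subject to the binding's
        # namespace; stated explicitly so the binding cannot be misread as
        # granting to a same-named account elsewhere.
        namespace: "${var.namespace}"
    roleRef:
      kind: Role
      name: mongodb-database
      apiGroup: rbac.authorization.k8s.io
  EOF
}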