# Option sets and Kubernetes objects for the Authentik family of Vynil
# "Install" resources (authentik, authentik-ldap, authentik-forward).
# local.common_labels is referenced here but defined elsewhere in the module.
locals {
  # Records which Vynil component / namespace produced the objects below.
  annotations = {
    "vynil.solidite.fr/meta" = var.component
    "vynil.solidite.fr/name" = var.namespace
  }

  # Defaults published on the namespace so installs inside it can inherit
  # them. NOTE(review): the backups.* entries appear to be the names of keys
  # inside a Secret rather than secret material — confirm, since namespace
  # annotations are readable by anyone allowed to read the Namespace object.
  annotations_default = {
    "default.vynil.solidite.fr/sso_vynil"                = var.sso_vynil
    "default.vynil.solidite.fr/domain_name"              = var.domain_name
    "default.vynil.solidite.fr/timezone"                 = var.timezone
    "default.vynil.solidite.fr/language"                 = var.language
    "default.vynil.solidite.fr/domain"                   = var.domain
    "default.vynil.solidite.fr/issuer"                   = var.issuer
    "default.vynil.solidite.fr/ingress_class"            = var.ingress_class
    "default.vynil.solidite.fr/app_group"                = var.app_group
    "default.vynil.solidite.fr/backups.enable"           = var.backups.enable
    "default.vynil.solidite.fr/backups.use_barman"       = var.backups.use_barman
    "default.vynil.solidite.fr/backups.endpoint"         = var.backups.endpoint
    "default.vynil.solidite.fr/backups.secret_name"      = var.backups.secret_name
    "default.vynil.solidite.fr/backups.key_id_key"       = var.backups.key_id_key
    "default.vynil.solidite.fr/backups.secret_key"       = var.backups.secret_key
    "default.vynil.solidite.fr/backups.restic_key"       = var.backups.restic_key
    "default.vynil.solidite.fr/storage.volume.accessMode" = var.storage.volume.accessMode
    "default.vynil.solidite.fr/storage.volume.class"     = var.storage.volume.class
  }

  # Settings every component starts from unless it overrides them.
  global = {
    "sso_vynil"     = var.sso_vynil
    "domain_name"   = var.domain_name
    "timezone"      = var.timezone
    "language"      = var.language
    "domain"        = var.domain
    "issuer"        = var.issuer
    "ingress_class" = var.ingress_class
    "app_group"     = var.app_group
  }

  # Module-wide backup defaults, layered under each component's own backups block.
  global-backups = {
    "enable"      = var.backups.enable
    "use_barman"  = var.backups.use_barman
    "endpoint"    = var.backups.endpoint
    "secret_name" = var.backups.secret_name
    "key_id_key"  = var.backups.key_id_key
    "secret_key"  = var.backups.secret_key
    "restic_key"  = var.backups.restic_key
  }

  # Module-wide volume defaults, layered under each component's storage.volume.
  global-volume = {
    "accessMode" = var.storage.volume.accessMode
    "class"      = var.storage.volume.class
  }

  # Raw per-component inputs, keyed by component name; each one is turned
  # into a finished option set by the same recipe below.
  auth_components = {
    "authentik"         = var.authentik
    "authentik-ldap"    = var.authentik-ldap
    "authentik-forward" = var.authentik-forward
  }

  # Per component: global defaults, then the component's own top-level
  # settings (enable/storage/backups are excluded because they are handled
  # separately), then backups and storage.volume merged over their defaults.
  auth_options = {
    for name, cfg in local.auth_components : name => merge(
      local.global,
      { for k, v in cfg : k => v if !contains(["enable", "storage", "backups"], k) },
      {
        backups = merge(local.global-backups, lookup(cfg, "backups", {}))
        storage = merge(
          { for k, v in lookup(cfg, "storage", {}) : k => v if !contains(["volume"], k) },
          { volume = merge(local.global-volume, lookup(lookup(cfg, "storage", {}), "volume", {})) }
        )
      }
    )
  }

  # Finished option sets, one per component (names kept for other callers).
  authentik         = local.auth_options["authentik"]
  authentik-ldap    = local.auth_options["authentik-ldap"]
  authentik-forward = local.auth_options["authentik-forward"]

  # The namespace and the core authentik install exist as soon as any
  # member of the family is enabled.
  auth_enabled = var.authentik.enable || var.authentik-ldap.enable || var.authentik-forward.enable
}

# Dedicated namespace for the Authentik components.
resource "kubernetes_namespace_v1" "auth-ns" {
  count = local.auth_enabled ? 1 : 0

  metadata {
    name        = "${var.namespace}-auth"
    annotations = merge(local.annotations, local.annotations_default)
    labels      = merge(local.common_labels, local.annotations)
  }
}

# Core Authentik install; the ldap/forward components rely on it, so it
# follows the same enable condition as the namespace rather than
# var.authentik.enable alone.
resource "kubectl_manifest" "authentik" {
  count      = local.auth_enabled ? 1 : 0
  depends_on = [kubernetes_namespace_v1.auth-ns]

  # jsonencode() output is valid YAML flow syntax, so labels and options are
  # spliced in safely. NOTE(review): var.namespace and var.distributions.domain
  # are interpolated as bare scalars inside double quotes — a value containing
  # a quote or newline would break the document; confirm they are validated.
  yaml_body = <<-EOF
    apiVersion: "vynil.solidite.fr/v1"
    kind: "Install"
    metadata:
      name: "authentik"
      namespace: "${var.namespace}-auth"
      labels: ${jsonencode(local.common_labels)}
    spec:
      distrib: "${var.distributions.domain}"
      category: "share"
      component: "authentik"
      options: ${jsonencode(local.authentik)}
  EOF
}

# LDAP outpost install; only when explicitly enabled.
resource "kubectl_manifest" "authentik-ldap" {
  count      = var.authentik-ldap.enable ? 1 : 0
  depends_on = [kubernetes_namespace_v1.auth-ns]

  yaml_body = <<-EOF
    apiVersion: "vynil.solidite.fr/v1"
    kind: "Install"
    metadata:
      name: "authentik-ldap"
      namespace: "${var.namespace}-auth"
      labels: ${jsonencode(local.common_labels)}
    spec:
      distrib: "${var.distributions.domain}"
      category: "share"
      component: "authentik-ldap"
      options: ${jsonencode(local.authentik-ldap)}
  EOF
}

# Forward-auth outpost install; only when explicitly enabled.
resource "kubectl_manifest" "authentik-forward" {
  count      = var.authentik-forward.enable ? 1 : 0
  depends_on = [kubernetes_namespace_v1.auth-ns]

  yaml_body = <<-EOF
    apiVersion: "vynil.solidite.fr/v1"
    kind: "Install"
    metadata:
      name: "authentik-forward"
      namespace: "${var.namespace}-auth"
      labels: ${jsonencode(local.common_labels)}
    spec:
      distrib: "${var.distributions.domain}"
      category: "share"
      component: "authentik-forward"
      options: ${jsonencode(local.authentik-forward)}
  EOF
}