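locals {
  # Labels shared by the backup helper objects (ServiceAccount, Role,
  # RoleBinding, PreBackupPod); extends the module-wide common labels with a
  # component name so the objects can be selected together.
  secrets-labels = merge(local.common-labels, { "app.kubernetes.io/component" = "backup-secret" })

  # Labels for the generated Secret itself. "k8up.io/backup" = "true" is the
  # selector used by the PreBackupPod's backupCommand below, so any Secret that
  # carries it is included in the backup.
  secret-labels = merge(local.secrets-labels, { "k8up.io/backup" = "true" })
}

# Random credentials for authentik, generated in-cluster by mittwald's
# secret-generator rather than by Terraform, so the plaintext values never land
# in Terraform state or plan output. forceRegenerate=false keeps the values
# stable across re-applies; rotation has to be triggered explicitly.
# `length` is a string field in the StringSecret CRD, hence the quoted numbers.
resource "kubectl_manifest" "authentik_secret" {
  ignore_fields = ["metadata.annotations"]
  yaml_body     = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${var.component}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secret-labels)}
    spec:
      forceRegenerate: false
      fields:
        - fieldName: "AUTHENTIK_SECRET_KEY"
          length: "128"
        - fieldName: "AUTHENTIK_BOOTSTRAP_PASSWORD"
          length: "32"
        - fieldName: "AUTHENTIK_BOOTSTRAP_TOKEN"
          length: "64"
        - fieldName: "AUTHENTIK_REDIS__PASSWORD"
          length: "32"
  EOF
}

# Dedicated identity for the k8up PreBackupPod. A separate ServiceAccount keeps
# the secret-reading permission below off the namespace's default SA.
resource "kubectl_manifest" "pre_backup_sa" {
  count         = var.backups.enable ? 1 : 0
  ignore_fields = ["metadata.annotations"]
  yaml_body     = <<-EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: backup-secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
  EOF
}

# Read access to Secrets for the backup pod. Note the blast radius: RBAC cannot
# scope `list` to a label selector, so this grants read on every Secret in the
# namespace, not only the ones labelled k8up.io/backup=true (that label is
# applied client-side by kubectl in backupCommand). Keep unrelated Secrets out of
# this namespace, or accept that they are readable by this ServiceAccount.
# No write verbs are granted; backup is read-only.
resource "kubectl_manifest" "pre_backup_role" {
  count         = var.backups.enable ? 1 : 0
  ignore_fields = ["metadata.annotations"]
  yaml_body     = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: backup-secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
    rules:
      - apiGroups:
          - ""
        resources:
          - secrets
        verbs:
          - get
          - list
  EOF
}

# Binds the namespaced Role above to the backup ServiceAccount only.
resource "kubectl_manifest" "pre_backup_rb" {
  count         = var.backups.enable ? 1 : 0
  ignore_fields = ["metadata.annotations"]
  yaml_body     = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: backup-secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: backup-secret
    subjects:
      - kind: ServiceAccount
        name: backup-secret
        namespace: "${var.namespace}"
  EOF
}

# k8up PreBackupPod that dumps the labelled Secrets as YAML so they are captured
# in the backup alongside the application data. `cat` with a TTY only keeps the
# container alive; k8up execs backupCommand into it, which is why the pod needs
# the ServiceAccount token mounted (the default) and the Role above.
#
# Changes relative to the previous revision:
#  - the deprecated `serviceAccount` pod field is dropped; `serviceAccountName`
#    alone is authoritative and the two were duplicates.
#  - the container gets a minimal securityContext (no privilege escalation, all
#    capabilities dropped). Neither kubectl nor cat needs capabilities.
#    runAsNonRoot / readOnlyRootFilesystem are deliberately not set here because
#    they depend on how var.images.kubectl is built; verify the image and add
#    them if it supports them.
resource "kubectl_manifest" "pre_backup_pod" {
  count         = var.backups.enable ? 1 : 0
  ignore_fields = ["metadata.annotations"]
  yaml_body     = <<-EOF
    apiVersion: k8up.io/v1
    kind: PreBackupPod
    metadata:
      name: secret
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.secrets-labels)}
    spec:
      backupCommand: kubectl get secrets -o yaml -l k8up.io/backup=true
      pod:
        spec:
          containers:
            - name: secret
              image: "${var.images.kubectl.registry}/${var.images.kubectl.repository}:${var.images.kubectl.tag}"
              imagePullPolicy: "${var.images.kubectl.pull_policy}"
              command:
                - cat
              tty: true
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
          serviceAccountName: backup-secret
  EOF
}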