locals {
  authentik_url = "http://authentik.${var.domain}-auth.svc"
  authentik_token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
  directus-labels = merge(local.common-labels, {
    "app.kubernetes.io/component" = "directus"
  })
  directus-icon     = "admin/img/directus-white.png"
  directus-dns_name = "directus.${local.dns_name}"
  directus-service = {
    "name"  = "directus-${var.instance}"
    "port" = {
      "number" = 80
    }
  }
}

data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}

data "kubernetes_ingress_v1" "authentik" {
  metadata {
    name = "authentik"
    namespace = "${var.domain}-auth"
  }
}

resource "kubectl_manifest" "directus_config" {
  count = var.extentions.directus.enable ? 1:0
  yaml_body  = <<-EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.component}-${var.instance}-directus"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.directus-labels)}
    data:
      PORT: "8055"
      DB_CLIENT: "pg"
      DB_DATABASE: "${var.instance}"
      DB_HOST: "${var.instance}-${var.component}-rw.${var.namespace}.svc"
      DB_PORT: "5432"
      STORAGE_LOCATIONS: "local"
      STORAGE_LOCAL_ROOT: "/var/store"
      ADMIN_EMAIL: "admin@${var.domain-name}"
      NODE_EXTRA_CA_CERTS: "/etc/local-ca/ca.crt"
      TELEMETRY: "false"
      AUTH_PROVIDERS: "VYNIL"
      AUTH_VYNIL_DRIVER: "openid"
      AUTH_VYNIL_ALLOW_PUBLIC_REGISTRATION: "true"
      AUTH_VYNIL_ISSUER_URL: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/directus-${replace(var.sub-domain, ".", "-")}-${var.instance}/.well-known/openid-configuration"
      AUTH_VYNIL_IDENTIFIER_KEY: "email"
      PUBLIC_URL: "https://${local.directus-dns_name}"
  EOF
}

resource "kubectl_manifest" "directus_secret" {
  count = var.extentions.directus.enable ? 1:0
  ignore_fields = ["metadata.annotations"]
  yaml_body  = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${var.component}-${var.instance}-directus"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.directus-labels)}
    spec:
      forceRegenerate: false
      fields:
      - fieldName: "KEY"
        length: "32"
      - fieldName: "SECRET"
        length: "32"
      - fieldName: "ADMIN_PASSWORD"
        length: "16"
  EOF
}

resource "kubectl_manifest" "directus_pvc" {
  count = var.extentions.directus.enable ? 1:0
  yaml_body  = <<-EOF
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: "${var.component}-${var.instance}-directus"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common-labels)}
    spec:
      accessModes:
      - "${var.extentions.directus.storage.accessMode}"
      resources:
        requests:
          storage: "${var.extentions.directus.storage.size}"
      volumeMode: "${var.extentions.directus.storage.type}"
  EOF
}


resource "kubectl_manifest" "directus_deploy" {
  count = var.extentions.directus.enable ? 1:0
  yaml_body  = <<EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.component}-${var.instance}-directus"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.directus-labels)}
    spec:
      replicas: 1
      selector:
        matchLabels: ${jsonencode(local.directus-labels)}
      template:
        metadata:
          labels: ${jsonencode(local.directus-labels)}
        spec:
          securityContext:
            fsGroup: 1000
            runAsGroup: 1000
            runAsUser: 1000
          restartPolicy: Always
          containers:
          - name: directus
            securityContext:
              fsGroup: 1000
              runAsGroup: 1000
              runAsNonRoot: true
              runAsUser: 1000
            env:
            - name: AUTH_VYNIL_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: "client-id"
                  name: "directus-${replace(var.sub-domain, ".", "-")}-${var.instance}-id"
            - name: AUTH_VYNIL_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: "client-secret"
                  name: "directus-${replace(var.sub-domain, ".", "-")}-${var.instance}-secret"
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: "${var.instance}-${var.component}-app"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: "${var.instance}-${var.component}-app"
            envFrom:
            - secretRef:
                name: "${var.component}-${var.instance}-directus"
            - configMapRef:
                name: "${var.component}-${var.instance}-directus"
            image: "${var.extentions.directus.image.registry}/${var.extentions.directus.image.repository}:${var.extentions.directus.image.tag}"
            imagePullPolicy: "${var.extentions.directus.image.pullPolicy}"
            ports:
            - containerPort: 8055
              name: http
              protocol: TCP
            livenessProbe:
              failureThreshold: 3
              httpGet:
                path: /server/health
                port: http
                scheme: HTTP
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            readinessProbe:
              failureThreshold: 3
              httpGet:
                path: /server/health
                port: http
                scheme: HTTP
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            volumeMounts:
            - name: store
              mountPath: /var/store
            - name: certs
              mountPath: /etc/local-ca
              readOnly: true
          volumes:
          - name: certs
            secret:
              secretName: "${var.instance}-directus-cert"
              defaultMode: 0444
          - name: store
            persistentVolumeClaim:
              claimName: "${var.component}-${var.instance}-directus"
EOF
}

module "directus-service" {
  count = var.extentions.directus.enable ? 1 : 0
  source = "/dist/modules/service"
  component         = "directus"
  instance          = var.instance
  namespace         = var.namespace
  labels            = local.directus-labels
  target            = "http"
  port              = local.directus-service.port.number
  providers = {
    kubectl = kubectl
  }
}

module "directus-ingress" {
  count = var.extentions.directus.enable ? 1 : 0
  source = "/dist/modules/ingress"
  component         = "directus"
  instance          = var.instance
  namespace         = var.namespace
  issuer            = var.issuer
  ingress-class     = var.ingress-class
  labels            = local.directus-labels
  dns_names         = [local.directus-dns_name]
  create-redirect   = true
  middlewares       = []
  service           = local.directus-service
  providers = {
    kubectl = kubectl
  }
}

module "directus-application" {
  count = var.extentions.directus.enable ? 1 : 0
  source = "/dist/modules/application"
  component         = "directus-${replace(var.sub-domain, ".", "-")}"
  instance          = var.instance
  app-group         = var.app-group
  dns_name          = local.directus-dns_name
  icon              = local.directus-icon
  protocol_provider = module.directus-oauth2[0].provider-id
  providers = {
    authentik = authentik
  }
}

module "directus-oauth2" {
  count = var.extentions.directus.enable ? 1 : 0
  source = "/dist/modules/oauth2"
  component         = "directus-${replace(var.sub-domain, ".", "-")}"
  instance          = var.instance
  namespace         = var.namespace
  labels            = local.directus-labels
  dns_name          = local.directus-dns_name
  redirect-path     = "auth/login/VYNIL/callback"
  providers = {
    kubernetes = kubernetes
    kubectl = kubectl
    authentik = authentik
  }
}