resource "kubectl_manifest" "middleware" {
  yaml_body = <<-EOF
    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
        name: "${local.app_slug}-gatekeeper"
        namespace: "${var.namespace}"
        labels: ${jsonencode(local.ak_gatekeeper_labels)}
    spec:
      forwardAuth:
        address: http://authentik.${var.domain}-auth.svc:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
        - X-authentik-username
        - X-authentik-email
        - X-authentik-groups
        - X-authentik-name
        - X-authentik-uid
        - X-authentik-jwt
        - X-authentik-meta-jwks
        - X-authentik-meta-outpost
        - X-authentik-meta-provider
        - X-authentik-meta-app
        - X-authentik-meta-version
  EOF
}